Office (OLE) malware analysis — malicious · 5040b48ec0089b1c

MALICIOUS

Office (OLE)

281.5 KB Created: 2019-10-11 06:46:00 Authoring application: Microsoft Office Word First seen: 2019-11-20

MD5: c919e36b85be14d882c2a044a0cdc060 SHA-1: dbac6f1ab6b711b917d2aebe7697f5a96f389903 SHA-256: 5040b48ec0089b1cc4ef7eb612aef0f90e631544ecd71e79b8c9ee4629e491f9

282 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1140 Deobfuscate/Decode Files or Information

The sample is a malicious Office document containing obfuscated VBA macros, indicated by critical heuristics for an auto-exec loader and p-code execution. The presence of an AutoOpen macro and GetObject calls suggests an attempt to automatically execute malicious code upon opening. The VBA script, though heavily obfuscated and truncated, likely functions as a downloader for a second-stage payload, as suggested by the ClamAV detection name 'Doc.Downloader.Generic-7329510-0'.

Heuristics 8

ClamAV: Doc.Downloader.Generic-7329510-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Generic-7329510-0
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER

Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 83032 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	83032 bytes
SHA-256: `034a7563a4e4bc0cbe6d2c987c433feef4fa201264df6db6485df67c848d127c`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "c0700907660" Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Control = "b19x7x45090, 0, 0, MSForms, TextBox" Attribute VB_Control = "b06281x0603, 1, 1, MSForms, TextBox" Attribute VB_Control = "x0c80941695x, 2, 2, MSForms, TextBox" Attribute VB_Control = "x860052b300, 3, 3, MSForms, TextBox" Attribute VB_Control = "cx0102cb058, 4, 4, MSForms, TextBox" Attribute VB_Control = "c3007b6403930, 5, 5, MSForms, TextBox" Attribute VB_Name = "b270861x0570" Function cb123x4531b7() On Error Resume Next 'Future082 Legros Coves, Altatown, New Caledonia Central726 Kertzmann Trail, Lake Weldon, Nauru c40604669229 = Rnd(c0203c2xb705 * ChrB(434)) + Log(233) 'Customer3843 O'Conner Track, Jodyhaven, Pitcairn Islands Regional29224 Parker Via, North Estefania, Norway b29b03045070 = Rnd(c3438728x510 * ChrB(404)) + Log(453) 'Investor14301 Upton Parks, Ovashire, Nauru Corporate3810 Gerardo Fall, New Keven, Christmas Island x36270c561996 = Rnd(x140019c8012 * ChrB(218)) + Log(862) 'Central858 Chris Track, Connellyberg, Macao Chief6017 Jackie View, Whiteview, French Southern Territories x0110bc4234 = Rnd(c170b0191004 * ChrB(321)) + Log(585) 'Legacy3963 Walker Pine, Leanneland, Seychelles Investor3367 Carson Rapids, Quigleyside, Brunei Darussalam x05484c23666 = Rnd(c0b45000b0c * ChrB(181)) + Log(626) 'Product062 Michelle Park, East Lilyan, Congo Lead84818 Stehr Stream, Sauerside, Kiribati bxb103506000 = Rnd(b0x36900296 * ChrB(713)) + Log(6) 'Product6945 Mazie Expressway, Lockmanmouth, United States Minor Outlying Islands Direct440 Kuhlman Isle, Port Akeemfurt, Republic of Korea c206230721291 = Rnd(xbc8774xx687 * ChrB(578)) + Log(902) 'Customer34809 O'Keefe Path, West Sethchester, Cape Verde Principal02250 Rau Burg, Romagueramouth, Greece 'International98166 Evalyn Flats, Lake Lilla, Kyrgyz Republic Lead817 Brakus Place, Andreannetown, Nicaragua c390508028407 = Rnd(c82075c602222 * ChrB(646)) + Log(356) 'Direct2424 Gutkowski Radial, Port Agnes, Honduras Principal85418 Emard Plaza, Lake Paula, Guinea-Bissau b040607090860 = Rnd(cxc32038027 * ChrB(694)) + Log(426) 'District51991 Eloy Spring, Port Patience, British Indian Ocean Territory (Chagos Archipelago) Regional67848 Thaddeus Forks, Carrollborough, Syrian Arab Republic c164x3x86990c = Rnd(x004b972b05b * ChrB(192)) + Log(567) 'Internal0776 Pink Oval, Lake Brenden, Saudi Arabia Senior835 Gusikowski Shoals, Breitenbergchester, Burkina Faso b70b0b64265 = Rnd(x256bb980319 * ChrB(125)) + Log(430) 'District0129 Haley Spur, Zboncakmouth, Ethiopia Future9710 Lang Orchard, Strackestad, Antarctica (the territory South of 60 deg S) c457196xb09 = Rnd(x78407c40833x * ChrB(376)) + Log(388) 'Global6924 Anissa Lakes, Wizaton, Pakistan Human599 Renner Manor, New Cierra, Cayman Islands b2930x600019 = Rnd(x90038x202b * ChrB(630)) + Log(220) 'Dynamic0673 Karson Divide, Walterland, Namibia Future39801 Lesch Meadows, North Howellmouth, Malaysia c0c11cb50x479 = Rnd(c580c2006790 * ChrB(707)) + Log(398) 'Dynamic714 Zoey Light, Altenwerthton, Bhutan Chief878 Stracke Inlet, New Russmouth, Palau 'District2140 Leonel Circle, Morarfort, Iceland Lead992 Darrick Station, Duaneton, Pitcairn Islands c860x07064b = Rnd(c00000461673 * ChrB(907)) + Log(54) 'Forward7390 Green Forges, Jacobsshire, Taiwan Forward477 Friesen Mountains, East Lilliana, United Arab Emirates b800b030590c0 = Rnd(c90x30c06bc * ChrB(286)) + Log(65) 'International347 Roberts Mount, Port Jessborough, Austria Senior91358 Bode Ford, South Ebonytown, Palau bb048103660b = Rnd(bb080011003b0 * ChrB(25)) + Log(543) 'Lead010 Alexander Turnpike, Nienowview, Azerbaijan Global66413 Kub Island, Manteton, Guyana b005923065050 = Rnd(c0xb9074c34 * ChrB(610)) + Log(657) 'Principal097 Gustave Causeway, North Caspershire, Timor-Leste Human6610 Bradtke Stravenue, Hellertown, Montse ... (truncated)

SHA-256: 034a7563a4e4bc0cbe6d2c987c433feef4fa201264df6db6485df67c848d127c

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "c0700907660"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "b19x7x45090, 0, 0, MSForms, TextBox"
Attribute VB_Control = "b06281x0603, 1, 1, MSForms, TextBox"
Attribute VB_Control = "x0c80941695x, 2, 2, MSForms, TextBox"
Attribute VB_Control = "x860052b300, 3, 3, MSForms, TextBox"
Attribute VB_Control = "cx0102cb058, 4, 4, MSForms, TextBox"
Attribute VB_Control = "c3007b6403930, 5, 5, MSForms, TextBox"

Attribute VB_Name = "b270861x0570"
Function cb123x4531b7()
On Error Resume Next
   'Future082 Legros Coves, Altatown, New Caledonia Central726 Kertzmann Trail, Lake Weldon, Nauru
c40604669229 = Rnd(c0203c2xb705 * ChrB(434)) + Log(233)
'Customer3843 O'Conner Track, Jodyhaven, Pitcairn Islands Regional29224 Parker Via, North Estefania, Norway
b29b03045070 = Rnd(c3438728x510 * ChrB(404)) + Log(453)
'Investor14301 Upton Parks, Ovashire, Nauru Corporate3810 Gerardo Fall, New Keven, Christmas Island
x36270c561996 = Rnd(x140019c8012 * ChrB(218)) + Log(862)
'Central858 Chris Track, Connellyberg, Macao Chief6017 Jackie View, Whiteview, French Southern Territories
x0110bc4234 = Rnd(c170b0191004 * ChrB(321)) + Log(585)
'Legacy3963 Walker Pine, Leanneland, Seychelles Investor3367 Carson Rapids, Quigleyside, Brunei Darussalam
x05484c23666 = Rnd(c0b45000b0c * ChrB(181)) + Log(626)
'Product062 Michelle Park, East Lilyan, Congo Lead84818 Stehr Stream, Sauerside, Kiribati
bxb103506000 = Rnd(b0x36900296 * ChrB(713)) + Log(6)
'Product6945 Mazie Expressway, Lockmanmouth, United States Minor Outlying Islands Direct440 Kuhlman Isle, Port Akeemfurt, Republic of Korea
c206230721291 = Rnd(xbc8774xx687 * ChrB(578)) + Log(902)
'Customer34809 O'Keefe Path, West Sethchester, Cape Verde Principal02250 Rau Burg, Romagueramouth, Greece
'International98166 Evalyn Flats, Lake Lilla, Kyrgyz Republic Lead817 Brakus Place, Andreannetown, Nicaragua
c390508028407 = Rnd(c82075c602222 * ChrB(646)) + Log(356)
'Direct2424 Gutkowski Radial, Port Agnes, Honduras Principal85418 Emard Plaza, Lake Paula, Guinea-Bissau
b040607090860 = Rnd(cxc32038027 * ChrB(694)) + Log(426)
'District51991 Eloy Spring, Port Patience, British Indian Ocean Territory (Chagos Archipelago) Regional67848 Thaddeus Forks, Carrollborough, Syrian Arab Republic
c164x3x86990c = Rnd(x004b972b05b * ChrB(192)) + Log(567)
'Internal0776 Pink Oval, Lake Brenden, Saudi Arabia Senior835 Gusikowski Shoals, Breitenbergchester, Burkina Faso
b70b0b64265 = Rnd(x256bb980319 * ChrB(125)) + Log(430)
'District0129 Haley Spur, Zboncakmouth, Ethiopia Future9710 Lang Orchard, Strackestad, Antarctica (the territory South of 60 deg S)
c457196xb09 = Rnd(x78407c40833x * ChrB(376)) + Log(388)
'Global6924 Anissa Lakes, Wizaton, Pakistan Human599 Renner Manor, New Cierra, Cayman Islands
b2930x600019 = Rnd(x90038x202b * ChrB(630)) + Log(220)
'Dynamic0673 Karson Divide, Walterland, Namibia Future39801 Lesch Meadows, North Howellmouth, Malaysia
c0c11cb50x479 = Rnd(c580c2006790 * ChrB(707)) + Log(398)
'Dynamic714 Zoey Light, Altenwerthton, Bhutan Chief878 Stracke Inlet, New Russmouth, Palau
   'District2140 Leonel Circle, Morarfort, Iceland Lead992 Darrick Station, Duaneton, Pitcairn Islands
c860x07064b = Rnd(c00000461673 * ChrB(907)) + Log(54)
'Forward7390 Green Forges, Jacobsshire, Taiwan Forward477 Friesen Mountains, East Lilliana, United Arab Emirates
b800b030590c0 = Rnd(c90x30c06bc * ChrB(286)) + Log(65)
'International347 Roberts Mount, Port Jessborough, Austria Senior91358 Bode Ford, South Ebonytown, Palau
bb048103660b = Rnd(bb080011003b0 * ChrB(25)) + Log(543)
'Lead010 Alexander Turnpike, Nienowview, Azerbaijan Global66413 Kub Island, Manteton, Guyana
b005923065050 = Rnd(c0xb9074c34 * ChrB(610)) + Log(657)
'Principal097 Gustave Causeway, North Caspershire, Timor-Leste Human6610 Bradtke Stravenue, Hellertown, Montse
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.