Verdict: MALICIOUS
Risk Score: 282

Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1140 Deobfuscate or Obfuscate Malicious Code
The sample is a malicious Office document containing obfuscated VBA macros. Heuristics indicate an auto-exec loader that uses CreateObject and execution sinks, suggesting it's designed to download and execute a second-stage payload. ClamAV detection further confirms its malicious nature as Doc.Downloader.Sagent-7299918-0.
Heuristics (8)
- ClamAV: Doc.Downloader.Sagent-7299918-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Sagent-7299918-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 73489 bytes |

SHA-256 of macros.bas: cbd8ae11b854fa8aea7b3e8cd16d4ecd48d1d530c2aec813c1511c732bad6f14
Preview script: first 1,000 lines of the extracted script (macros.bas)
Attribute VB_Name = "bb41cx0037690"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "b01004430bb00, 0, 0, MSForms, TextBox"
Attribute VB_Control = "b20000b205801, 1, 1, MSForms, TextBox"
Attribute VB_Control = "c1b9020x107b, 2, 2, MSForms, TextBox"
Attribute VB_Control = "x3xx856c3309, 3, 3, MSForms, TextBox"
Attribute VB_Control = "xxc571c5210, 4, 4, MSForms, TextBox"
Attribute VB_Control = "b0558312bb9, 5, 5, MSForms, TextBox"
Attribute VB_Name = "c3x90b004590x"
Function c5600900x4935()
On Error Resume Next
x35cb1b1350 = False
'Global002 Leta Rapid, East Princessfurt, France Dynamic58892 Hayes Tunnel, West Giovanni, Sudan
x000b3470x3 = Rnd(xc4b9586x02)
b504x0063b917 = True
'Corporate14185 Stanton Light, Powlowskiborough, Democratic People's Republic of Korea Global3415 Labadie Loaf, Reichelburgh, Anguilla
c23c0xb0019 = Rnd(b105130086x)
b0b90bb5007 = False
'Chief20188 Douglas Common, Lake Abe, Uganda Legacy485 Harrison Junction, Jacobifort, Martinique
c36c1237bb110 = Rnd(xx0288630c38)
b5324775520b9 = False
'Lead153 Volkman Loaf, South Daphnee, Eritrea District3535 Alta Prairie, East Rylanfurt, Kenya
c500720026b1 = Rnd(x08005800680)
b660b9084006 = False
'Global008 Gleichner Port, South Ethelynfort, Isle of Man District8158 Camden Ville, Janatown, Netherlands
x0348054cc00 = Rnd(b31952590cb)
x50c29c0c111x = False
'Customer9656 Porter Run, Mosciskiborough, Micronesia Legacy9879 Karolann Courts, Marisolstad, Heard Island and McDonald Islands
b4xc90cx7bx = Rnd(x0c33bc020710)
x055c437b06 = True
'Corporate40645 Nader Lodge, South Otholand, Norfolk Island Product3498 Gennaro Radial, Monserratton, Liechtenstein
b1x22163b00 = Rnd(xb45000008872)
xb30405b03078 = False
'National61981 Klocko Ranch, Coltontown, Serbia Central10305 Botsford Ranch, Magnoliahaven, Russian Federation
x76121c7x70 = False
'Forward98340 Bryce Lakes, South Norbertland, Peru Central9981 Darrel Manors, Lake Laurenshire, Burkina Faso
b48087cx6b60 = Rnd(bc04b006bxb)
x53149057900x = True
'Principal08358 Gracie Ports, Halvorsonton, Malta Investor04537 Alfreda Falls, West Weldonborough, China
b5x16195x10 = Rnd(x27030b610b20)
b04xb0x7x0063 = True
'Future77044 Roman Green, Port Heloisestad, Northern Mariana Islands Human9998 Macejkovic Glens, Naomiefurt, Montserrat
x63152bb8c9 = Rnd(b00980xb002)
c7x74970070 = False
'International09735 Katherine Manors, East Letha, Russian Federation Forward04569 Boehm Dale, West Carlotta, Wallis and Futuna
b30004290b0 = Rnd(b0129b2476bx0)
b03xb62910007 = True
'Global25816 Melany Parkways, Marquardtville, Christmas Island Direct60546 Bert Hills, South Myles, Moldova
bc66189600390 = Rnd(cb442c900311x)
x8b0b06201824 = False
'Lead389 Schinner Plaza, New Vernerville, Malta District9110 Gracie Mount, Scotside, Madagascar
c2042061x7928 = Rnd(b92c987b90107)
c29c7027x084 = True
'Lead19083 Senger Glens, Monicaberg, Hungary Lead2120 Jevon Crescent, New Savionport, Saudi Arabia
x80c000024b = Rnd(x6xx0b48565)
xb22x260413 = False
'Senior081 Schowalter Trace, Keeblerview, Cameroon Investor152 Rau Shores, West Grace, Sierra Leone
x0642c5001x = False
'Internal437 Oberbrunner Forge, Lake Shawna, Iran Global605 Kathryne Circles, East Hellen, Ukraine
b02x1x050c04 = Rnd(cb087373c2b8)
b073074002085 = False
'Direct40010 Langworth Groves, Domenicaville, Uruguay Internal2170 Tabitha Grove, Hauckchester, Saint Helena
b9x69600656 = Rnd(c007200x657)
xb8900xc67xbx = True
'Product1099 Michaela Crescent, Huldabury, Madagascar Human269 Sid Roads, South Litzyhaven, Cook Islands
xx0183b034479 = Rnd(x43040c0680)
b0515b06636 = False
'Central6553 Reilly Forks, Amberfort, Slovakia (Slovak Republic) Chief2125 Stephania Ridges, North Kallie, Netherlands Antilles
x32523x4279 = Rnd(x01470407401b)
b9b0b4806x3 = False
'Customer513 Delilah Village, Mertieland, Spain
... (truncated)