Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 83c9c9beaca0a147…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 343.0 KB
Created: 2015-06-05 18:17:20
MD5: 97538e922b86b2ae95625d1e11e6aaf1
SHA-1: 928e4d89b379bdd7c894787431a8d0b42f28a5a4
SHA-256: 83c9c9beaca0a147e23995b84792f56cd130ccf262147374bd1114c2ac698fee
Risk Score: 508

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1105 Ingress Tool Transfer

The sample carries a Workbook_Open VBA macro, so the payload runs as soon as the workbook is opened with macros enabled. The macro imports ShellExecuteA through a Declare PtrSafe statement and uses it to launch rundll32 against an embedded DLL that the macro first writes to the user's temporary directory under the name 'omsh.dll'; the embedded PE executable is dropped into the same directory. The document also contains a lure telling the user to copy and paste content into a shell, a social-engineering attempt to get the user to execute the payload by hand and so sidestep macro-security controls.
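As an added example (not part of the original report and not the analysis tool's code), the following Python reproduces the source-level checks behind the summary above on a constructed macro modelled on its description: an auto-exec entry point, a Declare PtrSafe import of ShellExecuteA, execution/download tokens, Environ() use, runnable-file string literals, and the clipboard-command lure in the document text. The macro text, the body text, the token lists and the flag names are assumptions; the constructed macro is not the decoded macros.bas carved from this sample.

```python
import re

# Constructed macro source, modelled on the report's narrative (assumption:
# this is NOT the decoded macros.bas carved from the sample).
SAMPLE_VBA = r'''
Private Declare PtrSafe Function ShellExecuteA Lib "shell32.dll" _
    (ByVal hwnd As LongPtr, ByVal lpOperation As String, ByVal lpFile As String, _
     ByVal lpParameters As String, ByVal lpDirectory As String, _
     ByVal nShowCmd As Long) As LongPtr

Private Sub Workbook_Open()
    Dim tmp As String
    tmp = Environ("TEMP") & "\omsh.dll"
    WritePayload tmp
    ShellExecuteA 0, "open", "rundll32.exe", tmp & ",Start", "", 0
End Sub
'''

# Constructed lure text standing in for the document's visible body.
SAMPLE_BODY = "Press Windows+R, paste the copied text into the Run box and press Enter."

AUTOEXEC = {"workbook_open", "workbook_activate", "auto_open", "autoopen",
            "document_open", "autoexec", "auto_close", "document_close"}
EXEC_TOKENS = ["shellexecutea", "shellexecutew", "shellexecute", "createprocessa",
               "createprocessw", "createprocess", "wscript.shell", "shell",
               "rundll32", "regsvr32", "mshta", "powershell", "cmd.exe"]
DOWNLOAD_TOKENS = ["urldownloadtofilea", "urldownloadtofile", "msxml2.xmlhttp",
                   "msxml2.serverxmlhttp", "winhttp.winhttprequest", "adodb.stream",
                   "http://", "https://"]

DECLARE_RE = re.compile(r'\bDeclare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"', re.I)
PROC_RE = re.compile(r'^[ \t]*(?:(?:Private|Public|Friend)\s+)?(?:Static\s+)?(?:Sub|Function)\s+(\w+)', re.I | re.M)
ENVIRON_RE = re.compile(r'\bEnviron\$?\s*\(\s*"([^"]+)"\s*\)', re.I)
FILE_RE = re.compile(r'"([^"]*\.(?:exe|dll|scr|vbs|js|ps1|bat|cmd|hta))"', re.I)
LURE_RE = re.compile(r"\b(?:copy|paste|clipboard)\b.{0,120}?"
                     r"(?:run box|run dialog|win(?:dows)?\s*\+\s*r|powershell|cmd(?:\.exe)?|command prompt|terminal)",
                     re.I | re.S)


def _join_continuations(src):
    """Fold VBA line continuations (trailing ' _') so a multi-line Declare
    statement is matched as one statement."""
    return re.sub(r"[ \t]+_[ \t]*\r?\n[ \t]*", " ", src)


def _token_hits(low, tokens):
    """Whole-token matches in lower-cased source; 'shell' must not fire on
    'shell32.dll' or 'ShellExecuteA', so both sides are bounded."""
    hits = []
    for tok in tokens:
        tail = r"(?!\w)" if tok[-1].isalnum() else ""      # no boundary after 'http://'
        if re.search(r"(?<![\w.])" + re.escape(tok) + tail, low):
            hits.append(tok)
    return hits


def triage_vba(src, body_text=""):
    """Static triage of decoded VBA source plus the document's visible text.
    Returns the evidence found and flag names that mirror the report's
    heuristic IDs (assumed mapping, not the tool's own logic)."""
    src = _join_continuations(src)
    low = src.lower()
    procs = [m.group(1) for m in PROC_RE.finditer(src)]
    declares = [(m.group(1), m.group(2)) for m in DECLARE_RE.finditer(src)]
    ev = {
        "autoexec": [p for p in procs if p.lower() in AUTOEXEC],
        "declares": declares,
        "exec_tokens": _token_hits(low, EXEC_TOKENS),
        "download_tokens": _token_hits(low, DOWNLOAD_TOKENS),
        "environ": ENVIRON_RE.findall(src),
        # runnable-file literals, with Declare Lib names removed so shell32.dll is not counted
        "file_strings": FILE_RE.findall(DECLARE_RE.sub("", src)),
        "clipboard_lure": bool(LURE_RE.search(body_text)),
    }
    flags = []
    if any(p.lower() == "workbook_open" for p in ev["autoexec"]):
        flags.append("OLE_VBA_WBOPEN")
    if any(api.lower().startswith("shellexecute") for api, _ in declares):
        flags.append("SC_STR_SHELLEXEC")
    if ev["autoexec"] and (ev["exec_tokens"] or ev["download_tokens"]):
        flags.append("VBA_AUTOEXEC_EXEC")   # source-level analogue of OLE_VBA_PCODE_AUTOEXEC_EXEC
    if ev["environ"]:
        flags.append("OLE_VBA_ENVIRON")
    if ev["clipboard_lure"]:
        flags.append("SE_CLIPBOARD_COMMAND_LURE")
    ev["flags"] = flags
    return ev


if __name__ == "__main__":
    for key, value in triage_vba(SAMPLE_VBA, SAMPLE_BODY).items():
        print(f"{key:16} {value}")
```

On the constructed macro the auto-exec entry point, the ShellExecuteA declare, the rundll32 string and the Environ("TEMP") lookup are all found from source; the real sample's p-code heuristic exists precisely for the case where this decoded source is unavailable, so a source-level pass like this is a complement to the p-code check, not a replacement.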

Heuristics (15)

  • OLE_EMBEDDED_EXE (critical): Embedded PE executable
    MZ/PE header found inside the document; possible embedded executable.
  • SC_STR_CREATEPROCESS (high): Reference to CreateProcess API
  • SC_STR_SHELLEXEC (high): Reference to ShellExecute API
  • SC_STR_LOADLIBRARY (high): Reference to LoadLibrary API
  • SC_STR_GETPROCADDRESS (high): Reference to GetProcAddress API
    The SC_STR_* hits are string matches and say nothing about how the API is used; ShellExecuteA is also declared in the macro. LoadLibrary together with GetProcAddress is the ordinary dynamic-import pattern and on its own shows only that APIs are resolved at run time.
  • OLE_VBA_WBOPEN (high): Workbook_Open macro
    Auto-execution entry point; runs when the workbook is opened with macros enabled.
  • OFFICE_PACKAGE_RISKY_FILE (high): Ole10Native package carries executable/script file type
    OLE Package displayName or fullPath ends in an executable or script-capable extension. Even without UI extension spoofing, embedding a runnable payload inside an Office document is a high-risk delivery pattern.
  • OLE_VBA_PCODE_AUTOEXEC_EXEC (high): VBA p-code auto-exec with execution tokens
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • SE_CLIPBOARD_COMMAND_LURE (high): Clipboard command execution lure
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • EXTRACTED_FILE_STATIC_TRIAGE (high): Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • SC_NOP_EQUIV_SLED (medium): NOP-equivalent sled detected
    Long run of 0x40 bytes. 0x40 is inc eax on 32-bit x86, so a run of them behaves like a NOP sled, but a run of '@' bytes inside a document is also ordinary padding; treat this as corroborating evidence only.
  • SC_STR_VIRTUALALLOC (medium): Reference to VirtualAlloc API
  • SC_STR_VIRTUALPROTECT (medium): Reference to VirtualProtect API
    The usual pair for allocating memory and then making it executable at run time (unpacking, shellcode staging).
  • OLE_VBA_MACROS (medium): VBA macros detected
    Document contains VBA macro code.
  • OLE_VBA_ENVIRON (low): Environ() call (env variable access)
    Environment-variable lookup; consistent with the macro resolving the temporary directory it drops into.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

macros.bas
  SHA-256: d2233606c870b49b0cb48a4294912a57af28cda30621f31fbca9eaa7c4cdc249
  Kind:    vba-macro
  Source:  oletools.olevba.extract_macros (decoded VBA source)
  Size:    2074 bytes

embedded_office_00001265.exe
  SHA-256: 10e3eff9b4914bba1e0630e26b55efdf3ecd23f22db53069c28d9c3e96beb216
  Kind:    embedded-pe
  Source:  Office MZ+PE at offset 0x1265
  Size:    346523 bytes

ole10native_00.bin
  SHA-256: 9d3027d937dbbc4b6c7d85c4c82e08654d1bc7c2787c7c4e9d8a4cbf11356580
  Kind:    ole-package
  Source:  OLE Ole10Native stream MBD0132A5F4/Ole10Native
  Size:    205073 bytes

Detection
  ClamAV: No threats found
  Obfuscation or payload: likely (carved macro source contains an auto-exec entry point and execution/download terms)

Note on the embedded-pe artifact: 0x1265 + 346523 = 351232 bytes, which matches the 343.0 KB file size, so this carve runs from the first MZ/PE header to the end of the file. A raw-offset carve of a compound file takes whatever sectors follow the header, so the artifact may include stream data that is not part of the PE. The Ole10Native package, extracted on stream boundaries, is the better starting point for analysing the packaged file, and its displayName/fullPath is what OFFICE_PACKAGE_RISKY_FILE fired on.
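As an added example (not the analysis tool's carver and not this sample's data), the following Python shows the two extraction steps the artifact list and the OLE_EMBEDDED_EXE / OFFICE_PACKAGE_RISKY_FILE heuristics rely on: validating an MZ hit by following e_lfanew to the PE signature and bounding the carve by the section table rather than by end of file, and parsing an Ole10Native package header to recover the display label, original path and embedded bytes before checking the extension and the payload's own PE header. The document blob, the minimal PE and the package contents are constructed here; the Ole10Native field layout assumed is the common Package format (total size, flags word, label, original path, reserved dword, temp-path length, temp path, data size, data).

```python
import struct

# Extensions treated as runnable for the package check (assumed list).
RISKY_EXT = (".exe", ".dll", ".scr", ".com", ".pif", ".cpl", ".msi", ".hta",
             ".js", ".jse", ".vbs", ".vbe", ".wsf", ".ps1", ".bat", ".cmd", ".lnk")


def find_pe_headers(blob):
    """Return [(offset, e_lfanew)] for every 'MZ' whose e_lfanew lands on a
    'PE\\0\\0' signature inside the blob. A bare 'MZ' is a weak signal in
    binary data; the signature check is what makes the hit worth carving."""
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if e_lfanew >= 0x40 and blob[pe:pe + 4] == b"PE\0\0":
                hits.append((pos, e_lfanew))
        pos = blob.find(b"MZ", pos + 1)
    return hits


def pe_extent(blob, off):
    """(start, end) of the PE at `off`, ending at the last section's raw data
    (or SizeOfHeaders if larger). Carving to end of file instead sweeps in
    whatever follows the image, e.g. other compound-file sectors."""
    pe = off + struct.unpack_from("<I", blob, off + 0x3C)[0]
    nsect = struct.unpack_from("<H", blob, pe + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]    # COFF SizeOfOptionalHeader
    end = struct.unpack_from("<I", blob, pe + 24 + 60)[0]    # SizeOfHeaders (PE32 and PE32+)
    sect = pe + 24 + opt_size                                # first IMAGE_SECTION_HEADER
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", blob, sect + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return off, off + end


def _cstr(buf, pos):
    end = buf.index(b"\0", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_ole10native(stream):
    """Parse an Ole10Native (OLE Package) stream: total size, flags word,
    display label, original full path, a reserved dword, the temp-path length,
    the temp path, then the embedded file's size and bytes."""
    _total, _flags = struct.unpack_from("<IH", stream, 0)
    label, pos = _cstr(stream, 6)
    src_path, pos = _cstr(stream, pos)
    _reserved, _temp_len = struct.unpack_from("<II", stream, pos)
    temp_path, pos = _cstr(stream, pos + 8)
    data_size = struct.unpack_from("<I", stream, pos)[0]
    data = stream[pos + 4:pos + 4 + data_size]
    return {
        "label": label, "src_path": src_path, "temp_path": temp_path, "data": data,
        # displayName or fullPath with a runnable extension, as the heuristic describes
        "risky_extension": any(n.lower().endswith(RISKY_EXT) for n in (label, src_path)),
        # the packaged bytes themselves begin with a validated MZ/PE header
        "payload_is_pe": any(off == 0 for off, _ in find_pe_headers(data)),
    }


def build_min_pe():
    """Constructed minimal PE32 (not this sample's payload): DOS header, PE
    signature, COFF header, 224-byte optional header and one section whose raw
    data occupies 0x200..0x400."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<I", opt, 60, 0x200)                               # SizeOfHeaders
    sect = b".text".ljust(8, b"\0") + struct.pack("<IIII", 0x10, 0x1000, 0x200, 0x200) + b"\0" * 16
    header = dos + coff + bytes(opt) + sect
    return header.ljust(0x200, b"\0") + b"\xC3" * 0x200


def build_ole10native(label, src_path, temp_path, data):
    """Constructed Ole10Native stream in the layout parse_ole10native reads."""
    body = struct.pack("<H", 2) + label.encode() + b"\0" + src_path.encode() + b"\0"
    body += struct.pack("<II", 0x30000, len(temp_path) + 1) + temp_path.encode() + b"\0"
    body += struct.pack("<I", len(data)) + data
    return struct.pack("<I", len(body)) + body


# Constructed inputs: a decoy 'MZ' with a garbage e_lfanew, filler up to the
# 0x1265 offset the report lists, the PE, then bytes standing in for trailing
# compound-file sectors; and a package wrapping the same PE.
MIN_PE = build_min_pe()
SAMPLE_BLOB = b"MZ" + b"\x41" * (0x1265 - 2) + MIN_PE + b"\xEE" * 300
SAMPLE_PACKAGE = build_ole10native("payload.exe", r"C:\Users\victim\payload.exe",
                                   r"C:\Users\victim\AppData\Local\Temp\payload.exe", MIN_PE)

if __name__ == "__main__":
    for off, _ in find_pe_headers(SAMPLE_BLOB):
        start, end = pe_extent(SAMPLE_BLOB, off)
        print(f"PE at 0x{start:x} ends at 0x{end:x}; a to-EOF carve would take {len(SAMPLE_BLOB) - start} bytes")
    pkg = parse_ole10native(SAMPLE_PACKAGE)
    print(pkg["label"], pkg["src_path"], pkg["risky_extension"], pkg["payload_is_pe"], len(pkg["data"]))
```

The decoy 'MZ' at offset 0 is rejected because its e_lfanew points outside the blob, and the section-table extent stops the carve 300 bytes before end of file, which is the difference between a clean image and a carve that drags in trailing stream sectors.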