Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 84a43b61caee4d19…

MALICIOUS

Office (OLE)

Size: 36.0 KB
Created: 2018-10-31 15:29:00
Authoring application: Microsoft Office Word
First seen: 2019-01-12
MD5: dd7b6d25a019eb6fa8ba4cab126a8d52
SHA-1: 58ee81c87283d45dad1bf1af38265cfa68d7761b
SHA-256: 84a43b61caee4d1932886acb6d86b0ddf16f583eb42bbf8ebc51a41668b7d093
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.005 Command and Scripting Interpreter: Visual Basic

The sample is a malicious Microsoft Word document that exploits CVE-2007-3899, a memory corruption vulnerability. The VBA macro declares the LoadLibrary and GetProcAddress APIs and attempts to call VirtualProtect, indicating that it is designed to execute shellcode. The ClamAV detection name 'Doc.Downloader.Valyria-10004543-0' suggests it functions as a downloader for further malicious content.

Heuristics (7)

  • CVE-2007-3899: Microsoft Word malformed string memory corruption (severity: critical; CVE likely; rule: CVE_2007_3899)
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • ClamAV: Doc.Downloader.Valyria-10004543-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Valyria-10004543-0
  • Reference to LoadLibrary API (severity: high; rule: SC_STR_LOADLIBRARY)
    Reference to LoadLibrary API
  • Reference to GetProcAddress API (severity: high; rule: SC_STR_GETPROCADDRESS)
    Reference to GetProcAddress API
  • Reference to VirtualProtect API (severity: medium; rule: SC_STR_VIRTUALPROTECT)
    Reference to VirtualProtect API
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2858 bytes
SHA-256: 6a2bcf3c805db5e6203aa8e4ab4ba4a6bff6cda6c4208915ef646f46265f93e0

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Option Explicit

Private Const PAGE_EXECUTE_READWRITE = &H40

Private Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcA" (ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
Private Declare Function VirtualProtect Lib "kernel32" (lpAddress As Long, _
        ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long

Public Function ntvMessageBox(msgboxTitle As String, msgboxText As String, Optional msgboxStyle As VbMsgBoxStyle = vbOKOnly) As Long
    Dim retValue As Long
    Dim APIOffset As Long
    Dim ret As Long
    Dim ASMString As String
    ret = LoadLibrary("User32.dll")
    ret = GetProcAddress(ret, "MessageBoxW")
    Dim EmptyString As String
    Dim MessageString As String
    EmptyString = msgboxTitle
    MessageString = msgboxText
    Dim ASMArray() As Byte
    ASMString = "609C3E8B442434FF303E8B442434FF303E8B442434FF306A00E8"
    ReDim ASMArray(0 To 39)
    APIOffset = ret - (VarPtr(ASMArray(0)) + (Len(ASMString) / 2)) - 4
    ASMString = ASMString & MakeDword(APIOffset) & "3E8B4C242889019D61C3"
    Call ExecuteASM(ASMString, ASMArray(), VarPtr(retValue), VarPtr(msgboxText), VarPtr(msgboxTitle), VarPtr(msgboxStyle))
    ntvMessageBox = retValue
End Function

Private Sub ExecuteASM(ASMString As String, ByRef ASMArray() As Byte, ReturnValue As Long, Param1 As Long, Param2 As Long, Param3 As Long)
    Dim OriginProtect As Long
    y = 0
    MsgBox (VirtualProtect(ByVal ASMArray, 40, PAGE_EXECUTE_READWRITE, OriginProtect))
    For x = 0 To Len(ASMString) - 2 Step 2
        ASMArray(y) = Val("&H" & Mid(ASMString, x + 1, 2))
        y = y + 1
    Next x
    Call CallWindowProc(VarPtr(ASMArray(0)), ReturnValue, Param1, Param2, Param3)
End Sub

Public Function MakeDword(theNum As Long) As String
 temp = Hex(theNum)
 If Len(temp) < 8 Then
    temp = String(8 - Len(temp), "0") & temp
 End If
 temp1 = Mid(temp, 7, 2)
 temp1 = temp1 & Mid(temp, 5, 2)
 temp1 = temp1 & Mid(temp, 3, 2)
 temp1 = temp1 & Mid(temp, 1, 2)
    MakeDword = temp1
End Function
Attribute VB_Name = "Module1"
Sub unprotected()
    If Hook Then
        MsgBox "VBA Project is unprotected!", vbInformation, "*****"
    End If
End Sub