Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8e1761947c459799…

MALICIOUS

Office (OLE)

77.0 KB First seen: 2015-09-24
MD5: 7d27a5b89d1bbfc3d28d9b20baec7580 SHA-1: 02cc63fa297c1854a2badf50a7f465c4ba9928dc SHA-256: 8e1761947c45979939bd1fc497b9f8159b452c3e24d3a344c7e2003af86f2785
210 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1071.001 Web Protocols

The sample contains VBA macros that execute upon opening the document. The Document_Open subroutine initializes a class that, in the FileSave subroutine, checks for a specific custom document property. If present, it saves the document locally and then calls a function 'ConnectWebService' with the local file path. This function likely attempts to upload the document to a web service, as indicated by the URLs 'http://tempuri.org/' and 'http://tempuri.org/UploadFile'. The use of WScript.Shell and CreateObject further suggests malicious scripting activity.

Heuristics 7

  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        Set WshShell = CreateObject("WScript.Shell")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set objXmlhttp = CreateObject("MSXML2.xmlhttp")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://tempuri.org/ In document text (OLE body)
    • http://tempuri.org/UploadFileIn document text (OLE body)
    • http://www.w3.org/2001/XMLSchema-instanceIn document text (OLE body)
    • http://www.w3.org/2001/XMLSchemaIn document text (OLE body)
    • http://schemas.xmlsoap.org/soap/envelope/In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 14314 bytes
SHA-256: bc88d1443bcf8c34744803fa06dbf370f3efea9470506fe0beb3fdcdf285c7c4
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()

    Set cc = New closeClass
    Set cc.appWord = Application

End Sub


Attribute VB_Name = "ConnectWebService"
Public cc As closeClass

Public Sub FileSave()

On Error GoTo ErreurEnregistrementClassique

    If ActiveDocument.CustomDocumentProperties("Source").Value = "ParcoursH" _
    Then
        If Not (Len(ActiveDocument.FullName) < 6 Or _
                (Left(UCase(ActiveDocument.FullName), 4) <> "HTTP" And _
                InStr(1, UCase(ActiveDocument.FullName), "DATA\") = False And _
                InStr(1, UCase(ActiveDocument.FullName), "\LOCAL") = False)) Or _
                InStr(1, UCase(ActiveDocument.FullName), "Downloads") = False _
            Or GetTagTemp = "oui" Then
        
            On Error GoTo ErreurEnregistrementWebService
            
            If ActiveDocument.CustomDocumentProperties("WebServiceURL").Value = "" Then GoTo ErreurEnregistrementWebService
            
            Dim LocalFilePath As String
            
            LocalFilePath = GetMyDocumentsFolder() & "\" & ActiveDocument.Name
            GestionTagTemp True
                        
            ActiveDocument.SaveAs (LocalFilePath)
            ConnectWebService (LocalFilePath)
            
            Call MsgBox("Le document a bien été enregistré sous ParcoursH.")
            Exit Sub
            
ErreurEnregistrementWebService:
            On Error GoTo 0
            Err.Clear
            Call MsgBox("Ce document ne peut pas être enregistré directement sous ParcoursH. Vous n'avez pas les droits nécessaires ou il existe un problème sur le serveur.")
        Else
            If Not (ActiveDocument.ReadOnly) Then
                On Error GoTo ErreurEnregistrementClassique
                ActiveDocument.Save
                Exit Sub
            End If
        End If

    End If
    
ErreurEnregistrementClassique:
        On Error GoTo 0
        Err.Clear
    
End Sub

Public Sub GestionTagTemp(Activer As Boolean)

    If Activer Then
        On Error GoTo ErreurActivation
        
        ActiveDocument.CustomDocumentProperties("FichierTempParcoursH").Value = "oui"
       
        Exit Sub
        
ErreurActivation:

        ActiveDocument.CustomDocumentProperties.Add Name:="FichierTempParcoursH", LinkToContent:=False, Type:=msoPropertyTypeString, Value:="oui"

        On Error GoTo 0
        Err.Clear
    Else
    
        On Error GoTo ErreurActivation2
        
        ActiveDocument.CustomDocumentProperties("FichierTempParcoursH").Value = "non"
       
        Exit Sub
        
ErreurActivation2:

        ActiveDocument.CustomDocumentProperties.Add Name:="FichierTempParcoursH", LinkToContent:=False, Type:=msoPropertyTypeString, Value:="non"

        On Error GoTo 0
        Err.Clear
    
    End If

End Sub

Public Function GetTagTemp() As String

    Dim strRetour As String

    On Error Resume Next
    
    strRetour = ActiveDocument.CustomDocumentProperties("FichierTempParcoursH").Value
    
    On Error GoTo 0
    
    GetTagTemp = strRetour

End Function

Private Sub ConnectWebService(LocalFilePath As String)

    CopyFileByChunk ActiveDocument.CustomDocumentProperties("CheminDoc").Value, LocalFilePath, ActiveDocument.CustomDocumentProperties("User").Value, ActiveDocument.CustomDocumentProperties("IsDocumentType").Value

End Sub

Function CopyFileByChunk(fileName As String, sSource As String, sUser As String, isDocumentType As Boolean) As Boolean

    Dim FileSize As Long, OddSize As Long, SoFar As Long
    Dim Buffer() As Byte, f1 As Integer, ChunkSize As Long
    
    On Error GoTo CopyFileByChunk_Error
    
    f1 = FreeFile: Open sSource For Binary Access Read As #f1
    
    FileSize = LOF(f1)
    
    If FileSize = 0 Then GoTo Exit_CopyFileByChunk ' -- done!
    
    ChunkSize = 1000000 '5505024 -> 5.25MB
    OddSize = FileSize Mod ChunkSize
    
    Dim index As Integer
    index = 0
    
    If OddSize Then
        ReDim Buffer(1 To OddSize)
        Get #f1, , Buffer
        index = index + 1
        SoFar = OddSize
        
        If UploadFileViaWebService(Buffer, fileName, index, SoFar = FileSize, sUser, isDocumentType) Then
            DoEvents
        Else
            GoTo CopyFileByChunk_Error
        End If
        
    End If
    
    If ChunkSize Then
    
        ReDim Buffer(1 To ChunkSize)
    
        Do While SoFar < FileSize
            Get #f1, , Buffer
            index = index + 1
            SoFar = SoFar + ChunkSize
            
            If UploadFileViaWebService(Buffer, fileName, index, SoFar = FileSize, sUser, isDocumentType) Then
                'g_frmProgress.lblProgress = "Percent uploaded: " & Format(SoFar / FileSize, "0.0%")
                'Debug.Print SoFar, Format(SoFar / FileSize, "0.0%")
                DoEvents
            Else
                GoTo CopyFileByChunk_Error
            End If
            
            Loop
    End If
    
    CopyFileByChunk = True
    
Exit_CopyFileByChunk:
        Close #f1
        Exit Function
    
CopyFileByChunk_Error:
        CopyFileByChunk = False
        Resume Exit_CopyFileByChunk
    
End Function

Public Function UploadFileViaWebService(dataChunk() As Byte, fileName As String, index As Integer, lastChunk As Boolean, sUser As String, isDocumentType As Boolean) As Boolean

    On Error GoTo ErrHand
    
    Dim blnResult As Boolean
    blnResult = False
    'mdlConvert.SetProgressInfo "Connecting to the web server:" & vbNewLine & _
        DQUOT & server_title() & DQUOT
        
    On Error Resume Next
    
    Dim strSoapAction As String
    Dim strXml As String
    
    If isDocumentType Then
    
        strXml = "<?xml version=""1.0"" encoding=""utf-8""?>" & _
        "<soap:Envelope xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"" xmlns:soap=""http://schemas.xmlsoap.org/soap/envelope/"">" & _
        "<soap:Body>" & _
        "<UploadFile xmlns=""http://tempuri.org/"">" & _
        "<fileName>" & fileName & "</fileName>" & _
        "<bytes></bytes>" & _
        "<index>" & index & "</index>" & _
        "<isLastChunk>" & IIf(lastChunk, 1, 0) & "</isLastChunk>" & _
        "<userName>" & sUser & "</userName>" & _
        "<isDocumentType>true</isDocumentType>" & _
        "</UploadFile>" & _
        "</soap:Body>" & _
        "</soap:Envelope>"
    
    Else
    
        strXml = "<?xml version=""1.0"" encoding=""utf-8""?>" & _
        "<soap:Envelope xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"" xmlns:soap=""http://schemas.xmlsoap.org/soap/envelope/"">" & _
        "<soap:Body>" & _
        "<UploadFile xmlns=""http://tempuri.org/"">" & _
        "<fileName>" & fileName & "</fileName>" & _
        "<bytes></bytes>" & _
        "<index>" & index & "</index>" & _
        "<isLastChunk>" & IIf(lastChunk, 1, 0) & "</isLastChunk>" & _
        "<userName>" & sUser & "</userName>" & _
        "<isDocumentType>false</isDocumentType>" & _
        "</UploadFile>" & _
        "</soap:Body>" & _
        "</soap:Envelope>"
        
    End If

    Dim objXmlhttp As Object
    Dim objDom As Object
    
    Set objXmlhttp = CreateObject("MSXML2.xmlhttp")
    ' Load XML
    Set objDom = CreateObject("MSXML2.DOMDocument")
    objDom.LoadXML strXml
    'insert data chunk into XML doc
    objDom.SelectSingleNode("//bytes").dataType = "bin.base64"
    objDom.SelectSingleNode("//bytes").nodeTypedValue = dataChunk
    ' Open the webservice
    
    
'POST /WebServiceDocuments.asmx HTTP/1.1
'Host: localhost
'Content-Type: text/xml; charset=utf-8
'Content -Length: Length
'SOAPAction: "http://tempuri.org/UploadFile"

    objXmlhttp.Open "POST", ActiveDocument.CustomDocumentProperties("WebServiceURL").Value, False
    ' Create headings
    strSoapAction = "http://tempuri.org/UploadFile"
    objXmlhttp.setRequestHeader "Content-Type", "text/xml; charset=utf-8"
    objXmlhttp.setRequestHeader "SOAPAction", strSoapAction
    ' Send XML command
    objXmlhttp.send objDom.XML
    ' Get all response text from webservice
    Dim strRet
    strRet = objXmlhttp.responseText
    ' Close object
    Set objXmlhttp = Nothing
    Set objDom = Nothing
    'get the error if any
    Set objDom = CreateObject("MSXML2.DOMDocument")
    objDom.LoadXML strRet
    
    Dim isSoapResponse As Boolean
    isSoapResponse = Not (objDom.SelectSingleNode("//soap:Envelope") Is Nothing)
    
    Dim error As String
    
    If Not isSoapResponse Then
        error = "Woops, not a web service"
    Else
        error = objDom.SelectSingleNode("//soap:Envelope/soap:Body/soap:Fault/faultstring").Text
    End If
    
    If error <> "" Then
        MsgBox error, True
        blnResult = False
    Else
        Err.Clear 'clear the error caused in the XPath query above
        blnResult = True
    End If
    
    'close dom object
    Set objDom = Nothing
    
ErrHand:
    If Err.Number <> 0 Then
        MsgBox Err, "UploadFileViaWebService"
        blnResult = False
    End If
    UploadFileViaWebService = blnResult
    
End Function
 
Private Function CompteFichier(dossier)
    
    Dim NomFichier As String
    NomFichier = Dir(dossier, MacID("W8BN"))
 
    Do While Len(NomFichier) > 0
        NbFichiers = NbFichiers + 1
        NomFichier = Dir()
    Loop
    CompteFichier = NbFichiers
End Function

Private Function FichierSupprimer(dossier, NbFichiers)
    
    Dim NomFichier As String
    Dim myArray() As String
    ReDim Preserve myArray(1 To NbFichiers, 1 To 2)
 
    NomFichier = Dir(dossier, MacID("W8BN"))
 
    Do While Len(NomFichier) > 0
        Kill dossier & ":" & NomFichier
        NomFichier = Dir()
    Loop
    CompteFichier = NbFichiers
End Function


Function GetDossierExist(dossier)
On Error GoTo erreurDossierExist

Dim retour As Boolean
retour = True

If (Not Dir(dossier) = "") Then
    retour = True
End If
    
erreurDossierExist:
    If Err = 68 Then
        retour = False
    End If
    Err.Clear
    On Error GoTo 0

GetDossierExist = retour

End Function

Function GetMyDocumentsFolder()
     
    Dim WshShell As Object
    Dim NbFichiers As Integer
    Dim myArray() As String

On Error GoTo ErreurMAC

    Set WshShell = CreateObject("WScript.Shell")
    SpecialPath = WshShell.SpecialFolders("MyDocuments") & "\Documents temporaires ParcoursH"
   
    Set fso = CreateObject("scripting.filesystemobject")

    If fso.FolderExists(SpecialPath) = False Then
        fso.CreateFolder (SpecialPath)
    Else
        On Error GoTo ErreurSuppression
        
        NbFichiers = fso.GetFolder(SpecialPath).Files.Count
        ReDim Preserve myArray(1 To NbFichiers, 1 To 2)
        
        If (NbFichiers >= 20) Then
            For Each file In fso.GetFolder(SpecialPath).Files
                For i = 1 To NbFichiers
                    If (myArray(i, 1) = "") Then
                        myArray(i, 1) = file.Path
                        myArray(i, 2) = file.DateLastModified
                        Exit For
                    Else
                        If (myArray(i, 2) > CDate(file.DateLastModified)) Then
                            For j = NbFichiers - 1 To i
                                If (myArray(j, 1) <> "") Then
                                    myArray(j + 1, 1) = myArray(j, 1)
                                    myArray(j + 1, 2) = myArray(j, 2)
                                End If
                            Next
                            myArray(i, 1) = file.Path
                            myArray(i, 2) = file.DateLastModified
                            Exit For
                        End If
                    End If
                Next
            Next
            
            For index = 1 To NbFichiers - 19
                fso.DeleteFile (myArray(index, 1))
            Next
        End If
        
ErreurSuppression:
        Err.Clear
        On Error GoTo 0
    End If
    
ErreurMAC:
    If SpecialPath = "" Then
        SpecialPath = Left(ActiveDocument.Path, Len(ActiveDocument.Path) - Len(ActiveDocument.Name) - 1)
        
        If (Not GetDossierExist(SpecialPath & ":Documents temporaires ParcoursH")) Then
            ChDir SpecialPath
            MkDir "Documents temporaires ParcoursH"
        Else
            On Error GoTo ErreurSuppressionMAC
                SpecialPath = SpecialPath & ":Documents temporaires ParcoursH"
                NbFichiers = CompteFichier(SpecialPath)
            
                If (NbFichiers >= 20) Then
                    Kill MacID("W8BN")
                End If
        
ErreurSuppressionMAC:
            Err.Clear
            On Error GoTo 0
        End If
    End If
GetMyDocumentsFolder = SpecialPath
End Function



Attribute VB_Name = "closeClass"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public WithEvents appWord As Application
Attribute appWord.VB_VarHelpID = -1

Private Sub appWord_DocumentBeforeClose(ByVal Doc As Document, Cancel As Boolean)

On Error GoTo ErreurClose

    If GetTagTemp <> "" Then

        GestionTagTemp False

        LocalFilePath = GetMyDocumentsFolder() & "\" & ActiveDocument.Name

        ActiveDocument.Saved = False

        'ActiveDocument.SaveAs (LocalFilePath)
        ActiveDocument.Save
        
        'Cancel = True

    End If

    Exit Sub

ErreurClose:

    MsgBox Err.Description

End Sub