Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b11ba0e7661f470e…

MALICIOUS

Office (OLE)

969.0 KB · Created: 2018-05-02 02:57:00 · Authoring application: Microsoft Office Word · First seen: 2018-11-05
MD5: 955d2e3f9506c09d113dea820ca5f39d · SHA-1: acebff574fdc338c30e8e71bc213930db972ffba · SHA-256: b11ba0e7661f470ef82b632094faa0c289c34db05970be67addd9e3e94453aa5
Risk score: 624

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell T1059.003 Windows Command Shell T1203 Exploitation for Client Execution

The sample carries an Ole10Native (Object Packager) object whose payload is a directly executable file: the carved object reports display_name=putty.exe and full_path=C:\Users\vlam\AppData\Local\Temp\putty.exe (see Extracted artifacts), which is what fires the critical heuristics OFFICE_PACKAGE_SCRIPT_DROPPER and OFFICE_PACKAGE_RISKY_FILE. The document body pairs that object with a clipboard command-execution lure and a request for recovery secrets, so the delivery model is social engineering (the user double-clicks the embedded object or pastes the supplied command) rather than a silent parser exploit; the CVE-2007-3899 and EPRINT/EMF findings below are shape matches, not confirmed exploitation. The URLs recovered from the embedded package (llvm.org/git/clang.git and llvm.org/git/llvm.git, the chiark.greenend.org.uk/~sgtatham/putty/ homepage, and the Comodo/UserTrust OCSP, CRL and CPS endpoints) are compiler-banner, project and code-signing certificate strings inside the payload, not evidence of a second-stage download; the only body-text URLs that are not namespace or certificate strings are http://malware-click.in/ and the bdc.ca image link. Whether putty.exe is a trojanized build or a genuine signed PuTTY used as a lure is not settled by this report: ClamAV does not flag the payload, so verify its Authenticode signature and compare its SHA-256 with the official PuTTY release before drawing that conclusion.

Heuristics 16

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption (critical; CVE likely; rule CVE_2007_3899)
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence. This is a structural match; confirm it against the offending FIB offsets or by detonation before reporting the CVE as exploited.
  • Office EPRINT stream contains EMF object (high; CVE related; rule OLE_EPRINT_EMF_OBJECT)
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is relevant Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
  • ClamAV: Doc.Dropper.Agent-6527183-0 (critical; rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6527183-0. The same engine reports no threat for the carved putty.exe payload (see Extracted artifacts); the signature is on the document container, not on the embedded executable.
  • Ole10Native package payload is a download-and-execute script (critical; rule OFFICE_PACKAGE_SCRIPT_DROPPER)
    The OLE Package's embedded payload contains a script that invokes a shell host (PowerShell/WScript/mshta), fetches a remote resource, and executes it, i.e. a download-and-run dropper. Embedding such a script inside an Office document via the Object Packager is a direct user-execution delivery technique (MITRE T1204.002), not a benign attachment. In this sample the carved package payload is a PE (putty.exe), so read this match together with OFFICE_PACKAGE_RISKY_FILE below rather than as proof of a separate script stage.
  • Ole10Native package drops an auto-executable payload (critical; rule OFFICE_PACKAGE_RISKY_FILE)
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use; it is a malware-delivery dropper. Here displayName is putty.exe and fullPath is C:\Users\vlam\AppData\Local\Temp\putty.exe: activating the object writes the file to the user's temp directory and launches it after an Office warning prompt.
  • Recovery secret / private key request (critical; rule SE_SECRET_RECOVERY_LURE)
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • PEB access via GS segment (x64) (high; rule SC_PEB_ACCESS_X64)
    gs:[0x60] is the PEB pointer in the x64 TEB. The code below reads PEB+0xbc (NtGlobalFlag), tests bit 8 (FLG_APPLICATION_VERIFIER, 0x100) and then calls through rip-relative import slots. Calling through an import table rather than resolving APIs by walking PEB->Ldr is how ordinary linked code behaves, not hand-written shellcode, so this rule confirms native x64 code inside the package but not injection. The listing ends mid-instruction: ff 15 ea f1 01 is the first five bytes of a six-byte rip-relative call cut off by the end of the recovered region, which is why the last lines decode as .byte.
    Disassembly
    x86 disassembly · validity: code (0.969) — 5/5 branch targets land on an instruction boundary (100% coherence)
    000C7892  65488b042560000000  mov rax, qword ptr gs:[0x60]
    000C789B  8b90bc000000      mov edx, dword ptr [rax + 0xbc]
    000C78A1  c1ea08            shr edx, 8
    000C78A4  f6c201            test dl, 1
    000C78A7  7511              jne 0xc78ba
    000C78A9  ff15bef10100      call qword ptr [rip + 0x1f1be]
    000C78AF  488bc8            mov rcx, rax
    000C78B2  8bd3              mov edx, ebx
    000C78B4  ff1543f40100      call qword ptr [rip + 0x1f443]
    000C78BA  8bcb              mov ecx, ebx
    000C78BC  e80c000000        call 0xc78cd
    000C78C1  8bcb              mov ecx, ebx
    000C78C3  ff151cf10100      call qword ptr [rip + 0x1f11c]
    000C78C9  cc                int3
    000C78CA  cc                int3
    000C78CB  cc                int3
    000C78CC  cc                int3
    000C78CD  48895c2408        mov qword ptr [rsp + 8], rbx
    000C78D2  57                push rdi
    000C78D3  4883ec20          sub rsp, 0x20
    000C78D7  488364243800      and qword ptr [rsp + 0x38], 0
    000C78DD  4c8d442438        lea r8, [rsp + 0x38]
    000C78E2  8bf9              mov edi, ecx
    000C78E4  488d1526d9f6ff    lea rdx, [rip - 0x926da]
    000C78EB  33c9              xor ecx, ecx
    000C78ED  ff                .byte 0xff
    000C78EE  15                .byte 0x15
    000C78EF  ea                .byte 0xea
    000C78F0  f1                int1
    000C78F1  01                .byte 0x01
  • Reference to CreateProcess API (high; rule SC_STR_CREATEPROCESS)
  • Reference to ShellExecute API (high; rule SC_STR_SHELLEXEC)
  • Reference to LoadLibrary API (high; rule SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (high; rule SC_STR_GETPROCADDRESS)
    These four strings are what a shellcode scanner looks for (LoadLibrary/GetProcAddress for run-time API resolution, CreateProcess/ShellExecute for launching), but they are also ordinary import names in a linked PE, and the carved payload is a PE whose recovered imports include ShellExecuteA, CreateProcessA, CreateFileW and CreateThread. Treat them as confirmation that the payload is native code able to spawn processes, not as proof of embedded shellcode.
  • Clipboard command execution lure (high; rule SE_CLIPBOARD_COMMAND_LURE)
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context. Together with the embedded package this gives the document two user-execution paths that need neither a macro nor a parser bug.
  • Legacy WordBasic auto-exec macro marker (medium; rule OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. An attribute-only VBA project (macros.bas) was in fact carved, see OLE_VBA_MACROS below; read "no modern VBA project" as no executable VBA being present.
  • Suspicious extracted artifact (medium; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project contains no executable statements (info; rule OLE_VBA_MACROS)
    Document contains a VBA project, but the extracted modules only contain attributes/options/comments and no executable statements (see macros.bas under Extracted artifacts).
  • Embedded URL (info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Trailing characters such as 0, 05, 0w, 0$, 0F and 1 are not part of the URL: they are the DER tag and length bytes (0x30 SEQUENCE, 0x31 SET) that follow a URL inside the payload's embedded Authenticode certificate, carried along by the string carver. The OCSP, CRL, CRT and CPS entries are that certificate chain, the llvm.org/git pair is consistent with a clang version banner, and the schemas.* entries are XML namespace URIs; the body-text entries http://malware-click.in/ and the bdc.ca image link are the ones that need follow-up.
    • http://malware-click.in/ · In document text (OLE body)
    • http://ocsp.usertrust.com0 · Embedded OLE package script
    • https://secure.comodo.net/CPS0F · Embedded OLE package script
    • http://ocsp.comodoca.com0 · In document text (OLE body)
    • http://www.usertrust.com1 · In document text (OLE body)
    • https://www.bdc.ca/PublishingImages/sections/header_section_home_en.png · In document text (OLE body)
    • http://llvm.org/git/clang.git · Embedded OLE package script
    • http://llvm.org/git/llvm.git · Embedded OLE package script
    • https://www.chiark.greenend.org.uk/~sgtatham/putty/ · Embedded OLE package script
    • http://schemas.microsoft.com/SMI/2005/WindowsSettings · Embedded OLE package script
    • http://crl.usertrust.com/AddTrustExternalCARoot.crl05 · Embedded OLE package script
    • http://crl.comodoca.com/COMODOSHA256CodeSigningCA.crl0w · Embedded OLE package script
    • http://crt.comodoca.com/COMODOSHA256CodeSigningCA.crt0$ · In document text (OLE body)
    • http://crl.usertrust.com/UTN-USERFirst-Object.crl05 · In document text (OLE body)
    • https://www.chiark.greenend.org.uk/~sgtatham/putty/0 · In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main · In document text (OLE body)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas · vba-macro · oletools.olevba.extract_macros (decoded VBA source) · 381 bytes
SHA-256: 31ab247ed62fba8b597fa2164d1395b7aeab6274697a3e6aaf9e15951143c0c2
Preview (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "CheckBox1, 0, 0, MSForms, CheckBox"

Attribute VB_Name = "NewMacros"
ole10native_00.bin · ole-package · OLE Ole10Native stream: ObjectPool/_1586760197/Ole10Native · 854357 bytes
SHA-256: da9f6e6b05a81287501afab52df843bf82a2fffeaeda2b48d4c9964fd89b6724
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS_X64, SC_STR_SHELLEXEC, SC_STR_CREATEPROCESS. Recovered API/import strings: ShellExecuteA, CreateProcessA, ExitProcess, CreateFileW, CreateThread, GetProcAddress.
ole10native_00_putty.exe · ole-package-payload · OLE Ole10Native payload: ObjectPool/_1586760197/Ole10Native; display_name=putty.exe; full_path=C:\Users\vlam\AppData\Local\Temp\putty.exe; temp_path=; def_file= · 854072 bytes
SHA-256: 7afb56dd48565c3c9804f683c80ef47e5333f847f2d3211ec11ed13ad36061e1
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS_X64, SC_STR_SHELLEXEC, SC_STR_CREATEPROCESS (the same indicators as the enclosing stream, which is expected: the stream is the 285-byte Packager header plus this payload). Recovered API/import strings: ShellExecuteA, CreateProcessA, ExitProcess, CreateFileW, CreateThread, GetProcAddress. These are import-table names rather than strings resolved at run time by shellcode; before treating the file as a trojanized PuTTY, check its Authenticode signature and compare the SHA-256 above with the official release of the version the file claims to be.
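The Ole10Native carving above (an 854357-byte stream wrapping an 854072-byte payload, with display_name, full_path and temp_path fields) follows the Object Packager layout. The parser below is an added example written for this report, not the analysis tool's own code: it walks that layout, carves the payload, hashes it and applies the OFFICE_PACKAGE_RISKY_FILE extension test. The sample stream is constructed inside the block from the report's own names, with a fake 64-byte MZ stub standing in for the real executable; the two DWORDs between the path and the temp path are treated as opaque (the second is the temp-path length in streams I have seen, but the string is read NUL-terminated regardless), and the extension list is my own choice of what the default shell host runs on double-click.

```python
import hashlib
import struct

# Extensions Windows runs directly on double-click: native binaries, or scripts
# handed to their default host. Assumption: this list is the example's own.
RISKY_EXTENSIONS = {
    "exe", "scr", "com", "pif", "cpl", "msi", "bat", "cmd",
    "js", "jse", "vbs", "vbe", "wsf", "wsh", "hta",
}


def _cstring(buf: bytes, off: int):
    """Read a NUL-terminated ANSI string at off; return (text, offset past the NUL)."""
    end = buf.index(b"\x00", off)          # raises ValueError if no terminator
    return buf[off:end].decode("latin-1"), end + 1


def parse_ole10native(stream: bytes) -> dict:
    """Parse an Ole10Native (Object Packager) stream.

    Layout: u32 size of everything after this field, u16 flags (0x0002 in
    practice), NUL-terminated display name, NUL-terminated original full path,
    two u32 fields treated as opaque here, NUL-terminated temp path,
    u32 payload size, payload bytes.
    """
    if len(stream) < 6:
        raise ValueError("stream too short for an Ole10Native header")
    total = struct.unpack_from("<I", stream, 0)[0]
    if total > len(stream) - 4:
        raise ValueError(f"declared size {total} exceeds the {len(stream) - 4} bytes present")
    flags = struct.unpack_from("<H", stream, 4)[0]
    off = 6
    display_name, off = _cstring(stream, off)
    full_path, off = _cstring(stream, off)
    unknown1, unknown2 = struct.unpack_from("<II", stream, off)
    off += 8
    temp_path, off = _cstring(stream, off)
    payload_size = struct.unpack_from("<I", stream, off)[0]
    off += 4
    payload = stream[off:off + payload_size]
    if len(payload) != payload_size:
        raise ValueError(f"payload truncated: declared {payload_size}, present {len(payload)}")
    return {"flags": flags, "display_name": display_name, "full_path": full_path,
            "temp_path": temp_path, "unknown": (unknown1, unknown2), "payload": payload}


def risky_name(name: str) -> bool:
    """OFFICE_PACKAGE_RISKY_FILE test: does the name end in a directly runnable extension?"""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in RISKY_EXTENSIONS


def triage_stream(stream: bytes) -> dict:
    """Parse, hash and flag one Ole10Native stream the way the report's rule does."""
    rec = parse_ole10native(stream)
    rec["sha256"] = hashlib.sha256(rec["payload"]).hexdigest()
    rec["risky"] = risky_name(rec["display_name"]) or risky_name(rec["full_path"])
    rec["is_pe"] = rec["payload"][:2] == b"MZ"
    return rec


def build_ole10native(display_name: str, full_path: str, temp_path: str, payload: bytes) -> bytes:
    """Construct a stream in the same layout (used here only to make a test sample)."""
    def z(s: str) -> bytes:
        return s.encode("latin-1") + b"\x00"
    body = (struct.pack("<H", 2) + z(display_name) + z(full_path)
            + struct.pack("<II", 0, len(temp_path) + 1) + z(temp_path)
            + struct.pack("<I", len(payload)) + payload)
    return struct.pack("<I", len(body)) + body


# Constructed sample: the report's names, a fake MZ stub in place of the 854072-byte file.
SAMPLE_PATH = r"C:\Users\vlam\AppData\Local\Temp\putty.exe"
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 62
SAMPLE_STREAM = build_ole10native("putty.exe", SAMPLE_PATH, SAMPLE_PATH, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    r = triage_stream(SAMPLE_STREAM)
    print(f"{r['display_name']} -> {r['full_path']} ({len(r['payload'])} bytes, "
          f"PE={r['is_pe']}, risky={r['risky']}) sha256={r['sha256']}")
```

On a real document, feed it the bytes of the ObjectPool/_1586760197/Ole10Native stream (olefile's openstream will hand them over) and compare the resulting sha256 with the payload hash in the table above; the size check on the first DWORD catches a truncated carve before the payload is hashed as if it were complete.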