Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b38cb3868ccaccec…

MALICIOUS

Office (OLE)

160.5 KB Created: 2020-02-04 18:10:00 Authoring application: Microsoft Office Word First seen: 2020-05-25
MD5: 537fcf0bd7b13489595c67792b7a5b2c SHA-1: f9dc767df9adde9d484659381ef60144273233a2 SHA-256: b38cb3868ccaccecc4d4d807f7183b9ac46102217b5c3f7ef2b97b1facca9449
264 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1140 Deobfuscate or Obfuscate

The sample is a malicious Office document containing VBA macros. The macros utilize obfuscation techniques, specifically reassembling the API name 'MSXML2' from split string literals, and trigger execution via the 'Document_Open' auto-exec macro using 'CreateObject'. This indicates the macro's intent is to download and execute a second-stage payload, a common dropper behavior.

Heuristics 8

  • ClamAV: Doc.Dropper.Agent-7611638-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-7611638-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 86775 bytes
SHA-256: aa5477b87463e0585bc122fc3389227ee9d353e0f75b1430d9532234e8a26f64
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If Win64 Then
Private Declare PtrSafe Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As LongPtr, ByVal dwFlags As LongPtr, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As LongPtr, lpMultiByteStr As Any, ByVal cchMultiByte As LongPtr, ByVal lpDefaultChar As LongPtr, ByVal lpUsedDefaultChar As LongPtr) As LongPtr
Private Declare PtrSafe Function MultiByteToWideChar Lib "kernel32" (ByVal CodePage As LongPtr, ByVal dwFlags As LongPtr, lpMultiByteStr As Any, ByVal cchMultiByte As LongPtr, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As LongPtr) As Long
#Else
Private Declare Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, ByVal lpWideCharStr As Long, ByVal cchWideChar As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpDefaultChar As Long, ByVal lpUsedDefaultChar As Long) As Long
Private Declare Function MultiByteToWideChar Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpWideCharStr As Long, ByVal cchWideChar As Long) As Long

#End If



 Dim BhyeKo As Variant
 Dim GreFvcAc As Variant
 Dim Gteres As Variant
 
 Private Sub UserForm_Initialize()
    popDepth = -1
    LBxFontSize = 11#
End Sub

Private Sub UserForm_Activate()

    ' Must have the config values set
    If catAddStr = "" Then
        MsgBox "Category string not set!", vbOKOnly + vbCritical, "Error"
        Unload UFAutoFile
        Exit Sub
    End If
    If baseFldPath = "" Then
        MsgBox "Base folder path not set!", vbOKOnly + vbCritical, "Error"
        Unload UFAutoFile
        Exit Sub
    End If
    If storeName = "" Then
        MsgBox "Email store name not set!", vbOKOnly + vbCritical, "Error"
        Unload UFAutoFile
        Exit Sub
    End If
    If popDepth = -1 Then
        MsgBox "Folder depth-to-populate not set!", vbOKOnly + vbCritical, "Error"
        Unload UFAutoFile
        Exit Sub
    End If
    
    Set rootFld = Application.Session.Folders(storeName)
    Set rootFld = folderNavigate(rootFld, baseFldPath)
    
    ' Drop out if target folder not found
    If rootFld Is Nothing Then
        MsgBox "Target folder not found!", vbOKOnly + vbCritical, "Error"
        Unload UFAutoFile
    End If
    
    ' Populate and configure the ListBox
    LBxDests.Font.Size = LBxFontSize
    populateListBox rootFld, popDepth
    
    ' For the first load, move to the top item
    LBxDests.ListIndex = 0
    
End Sub

' =======================  BUTTONS  ========================

Private Sub BtnCancel_Click()
    Unload UFAutoFile
End Sub

Private Sub BtnFile_Click()
    Dim itOb As Object, dstFld As String
    Dim row As Long, catStr As String

    If LBxDests.ListIndex < 0 Then Exit Sub
    
    row = LBxDests.ListIndex
    
    If LBxDests.List(row, 1) = "" Then
        ' No subfoldering needed
        Set dstFld = rootFld.Folders(LBxDests.List(row, 0))
    Else
        ' Must dig to subfolders, then find the destination
        Set dstFld = folderNavigate(rootFld, LBxDests.List(row, 1)) _
                            .Folders(LBxDests.List(row, 0))
    End If
    
'    Set dstFld = rootFld.Folders(LBxDests.List(row, 1)) _
'                            .Folders(LBxDests.List(row, 0))
    
    If tgtObj Is Nothing Then
        For Each itOb In ActiveExplorer.Selection
            doMove itOb, dstFld
        Next itOb
    Else
        doMove tgtObj, dstFld
    End If
    
    Unload UFAutoFile
    
End Sub

Private Function folderNavigate(rootFld As String, fldPath As String) As String
    ' Given a path and a root folder, return the folder at that path
    ' Or, return Nothing it can't be reached/found
    
    Dim wor
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.